2024-11-25 Todd C. Miller * .hgtags: Added tag SUDO_1_9_16p2 for changeset 3c721fa0ff0c [fc7155e744b1] [tip] <1.9> * NEWS, configure, configure.ac, plugins/sudoers/policy.c, plugins/sudoers/sudoreplay.c, src/ttyname.c: Merge sudo 1.9.16p2 from tip. [3c721fa0ff0c] [SUDO_1_9_16p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.16p2 [568fe8e4e386] 2024-11-18 Todd C. Miller * plugins/sudoers/sudoreplay.c: Work around a bug in UBSan that is causing CI failures. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116834 [44f078101f66] 2024-11-17 Todd C. Miller * lib/util/setgroups.c, plugins/sudoers/sudo_printf.c, src/conversation.c: Add some casts to quiet -Wconversion [fb1af4a05d82] * plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil_impl.c: Avoid multiple calls to sysonf() via the MAX macro. The expansion of MAX would result in multiple calls to sysconf(). It is less error-prone to store the result of sysconf() in a long. [3f38162aebb4] 2024-11-16 Todd C. Miller * lib/util/regress/parse_gids/parse_gids_test.c: Use NULL, not false, in the terminating entry of test_data[]. [67f1ffea52d9] * include/sudo_plugin.h, plugins/sudoers/policy.c, src/hooks.c: Cast hook functions to sudo_hook_fn_t to fix C23 compile error. The sudo plugin API defines sudo_hook_fn_t as a function with unspecified arguments. This is no longer supported in C23 so use a variadic function for sudo_hook_fn_t instead. Moving to a union may be a better long-term fix. GitHub issue #420. [4a4b001eba09] * plugins/sudoers/cvtsudoers_ldif.c: Pass NULL, not false, to sudoers_format_default_line(). [32103ea85e25] * lib/util/ttyname_dev.c: sudo_ttyname_dev: On Linux try to use /proc/self/fd/{0,1,2} if possible. If one of std{in,out,err} matches the specified device, try to resolve it to a path by using /proc/self/fd/{0,1,2}. This avoids searching all of /dev and works in a chroot where /proc is mounted but /dev/pts is not. GitHub issue #421. [2a77c7832b1e] 2024-11-15 Todd C. Miller * src/sudo.c, src/ttyname.c: get_process_ttyname: always return the terminal device if we find one. If sudo cannot map the device number to a device file, set name to the empty string. The caller now checks for an empty name and only passes the tty path to the plugin if it is non-empty. This allows sudo to run without warnings in a chroot() jail where the terminal device files are not present. GitHub issue #421. [7e479d2b32b1] 2024-11-12 Todd C. Miller * .hgtags: Added tag SUDO_1_9_16p1 for changeset d6059bdf2a76 [8a2928639e34] <1.9> * NEWS, configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/logging.c, src/exec_ptrace.c, src/ttyname.c: Merge sudo 1.9.16p1 from tip. [d6059bdf2a76] [SUDO_1_9_16p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.16p1 [492349e04aa7] 2024-11-11 Todd C. Miller * plugins/sudoers/auth/pam.c: pam_get_item() takes a void ** arg, not const void **, on Solaris [b8fd77ac4e8e] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Shell-style substitution is not supported in env_file. Also document that comments are supported. [ee616aa9d246] 2024-10-29 Todd C. Miller * plugins/sudoers/logging.c: Do not send mail for "sudo -nv" or "sudo -nl" This avoids sending mail for users running "sudo -nv" or "sudo -nl" even when mail_badpass or mail_always are enabled. We already avoid logging in that case but mailing was not disabled when that change was made. Bug #1072. [b15d01444677] 2024-10-28 Todd C. Miller * NEWS, README.LDAP.md, docs/Makefile.in, docs/SECURITY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md: Run igor on other docs too, not just man pages [49d84f5232ca] * INSTALL.md, LICENSE.md, docs/CONTRIBUTING.md, docs/UPGRADE.md: Remove trailing whitespace [9219d497664f] 2024-10-28 Ikko Eltociear Ashimine * NEWS: docs: update NEWS minor fix [b0f8bffb891c] 2024-10-05 Todd C. Miller * plugins/sudoers/auth/pam.c: sudo_pam_verify: move PAM_USER after getpass_error check Move it into the PAM_SUCCESS case of the switch *pam_status switch. [6aa4d591afd7] * plugins/sudoers/auth/pam.c: Fix indentation [cf33bc5ecdce] 2024-10-02 Marco Trevisan (Treviño) * plugins/sudoers/auth/pam.c: plugins/pam: Check the user didn't change during PAM transaction PAM modules can change the user during their execution, in such case, sudo would still use the user that has been provided giving potentially access to another user with the credentials of another one. So prevent this to happen, by ensuring that the final PAM user is matching the one which started the transaction [f92dac8249ec] 2024-09-28 Célestin Matte * plugins/sudoers/sudoers.in: Fix typo in sudoer file comment [76eff2fe253e] 2024-09-21 Todd C. Miller * INSTALL.md: Document "--with-secure-path-value=no" [b34d043d306a] 2024-09-17 Andy Fiddaman * configure.ac, plugins/sudoers/sudoers.in: Allow --secure-path-value=no This adds support for --with-secure-path-value=no to allow packagers to ship the sudoers configuration file with the secure path line commented out if required. [b8056ecccf22] 2024-09-13 Todd C. Miller * .github/workflows/main.yml: Update CIFuzz GitHub action [42d9f793924c] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: alias_error: display the file and line info for the duplicate alias Having the file and line of the previous alias definition should make it easier to fix duplicate alias errors. [d4d8f3edeaca] 2024-09-11 Todd C. Miller * src/ttyname.c: On AIX, psinfo.pr_ttydev is 0 when a process has no terminal. On most other systems, psinfo.pr_ttydev is -1 for processes with no associated terminal. GitHub issue #408 [f06249487180] 2024-09-10 Ferdinand Bachmann * plugins/sudoers/sudoers.in: Add pam_silent setting to sudoers example config [456873661f91] 2024-09-09 Ferdinand Bachmann * docs/sudoers.man.in, docs/sudoers.mdoc.in: Fix version typo for pam_silent option in sudoers man page [8de684d1172e] 2024-09-06 Todd C. Miller * lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c: Fix the date written used by the exit record in sudo-format log files The change to always get the current time when building a struct evlog in sudoers broke the data and time written for exit records. This only affected file-based logs, not syslog. GitHub issue #405. [969e326eab50] 2024-09-04 Arjen Lentz * src/exec_ptrace.c: Fixed typo in exec_ptrace.c [077c8f197b46] 2024-09-02 Todd C. Miller * configure, configure.ac: Better test for cross-compiling when checking for C99 snprintf We want to avoid calling AX_FUNC_SNPRINTF entirely if cross- compiling since it is not possible to undo the setting of PREFER_PORTABLE_SNPRINTF. The previous attempt to do this failed to take into account that PREFER_PORTABLE_SNPRINTF would still be defined. GitHub issue #969 [71e3f5a288e1] 2024-08-17 Rose * plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.h: Put restrict qualifers in strvec_join function pointer [e646803c1669] 2024-08-17 Todd C. Miller * .hgtags: Added tag SUDO_1_9_16 for changeset 28c38a84aced [2674374a08eb] <1.9> * MANIFEST, NEWS, config.h.in, configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_compat.h, include/sudo_util.h, lib/util/hexchar.c, lib/util/term.c, logsrvd/iolog_writer.c, plugins/python/regress/testhelpers.c, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, src/exec_monitor.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo.h, src/ttyname.c: Merge sudo 1.9.16 from tip. [28c38a84aced] [SUDO_1_9_16] <1.9> 2024-08-15 Todd C. Miller * plugins/sudoers/policy.c: Make a ttydev parse error non-fatal for now This is new for sudo 1.9.16 so we don't want to break sudo if there ends up being a bug in formatting dev_t from the front-end. [84f38b553ef7] 2024-08-14 Todd C. Miller * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in: Document that ttydev is formatted as a long long. [888ebc218c13] * config.h.in, configure, configure.ac, src/regress/ttyname/check_ttyname.c, src/sudo.c: Format ttydev as (signed) long long, not unsigned. Now that we parse ttydev as a long long it makes more sense to format it the same way. This completely avoids the sign extension issue on systems where dev_t is signed. [d4e61663685c] 2024-08-13 Todd C. Miller * src/sudo.c: Fix sign compare warning Store the result of asprintf() in an int, not size_t. [8b784b3da399] * config.h.in, configure, configure.ac, src/regress/ttyname/check_ttyname.c, src/sudo.c: Fix formatting of ttydev on systems with signed 32-bit dev_t If dev_t is 32-bit and signed, formatting as an unsigned long long may result in a bogus value due to sign extension. [a00cd79a0805] * src/regress/ttyname/check_ttyname.c: get_process_ttyname() now returns a dev_t, not a string. [ba9be5ea56be] * plugins/sudoers/policy.c: Use sudo_strtonum() instead of strtoull(). Fixes building on systems that lack strtoull(). While dev_t is unsigned on most systems, we can still use sudo_strtonum() here as long as we allow the full range of values [LLONG_MIN,LLONG_MAX]. We don't use strtoul() here since some 32-bit systems have 64-bit dev_t. [c53bcb633bb1] * include/sudo_compat.h: Include time.h if missing utimensat() or futimens(). Now that we declare these as taking a timespec array we cannot get away with a simple forward declaration. [50fb0feb77cb] 2024-08-13 Rose * src/load_plugins.c: Replace sudo_stat_plugin with sudo_qualify_plugin, as sudo_stat_plugin does not exist sudo_qualify_plugin was probably meant instead. [34f9a3d7544a] * include/sudo_util.h, lib/util/multiarch.c: Restrict-qualify stat_multiarch [4560116cc24c] * include/compat/glob.h, lib/util/glob.c: Restrict-qualify glob and its functions glob is restrict-qualified in the standard [073d9c8a836c] * include/sudo_util.h, lib/util/hexchar.c: Restrict-qualify sudo_hexchar_v1 sudo_hexchar_v1 requires an array of at least size-2, and is not aliased. [45b46285386a] 2024-08-13 Todd C. Miller * plugins/sudoers/regress/parser/check_base64.c: Sync base64_encode and base64_decode prototypes with parse.h. [78753e5c0986] 2024-08-13 Rose * include/sudo_util.h, lib/util/uuid.c: Use static declaration for array sizes to uuid functions [170398a514af] 2024-08-12 Rose Silicon * plugins/sudoers/parse.h: Restrict-qualify dst in base64_decode Definition restrict qualifies but not declaration in header. [f2331447dbdb] 2024-08-12 Rose * include/sudo_compat.h, lib/util/fstatat.c, lib/util/gmtime_r.c, lib/util/inet_pton.c, lib/util/localtime_r.c, lib/util/utimens.c: Use the full definition of the emulated function that is missing [be203a3c16d0] * plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/parse.h: Add restrict qualifiers to base64_decode and base64_encode [9efa1d67d12b] * include/sudo_util.h, lib/util/uuid.c: Use restrict to optimize sudo_uuid_to_string_v1 [b3c62ffc4b5d] * include/sudo_iolog.h, plugins/sudoers/iolog_path_escapes.c: Restrict-qualify iolog_path_escapes like we do with check_iolog_path Also add it to the function pointer definition to act as a hint to use restrict in the various copy functions. [549ebf72051a] * include/sudo_util.h, lib/util/uuid.c: sudo_uuid_to_string_v1's first argument should be const uuid is not modified. [feb62b110dbd] 2024-08-02 Todd C. Miller * plugins/sudoers/sudoers.c: Use FD_CLOEXEC instead of just 1 [adfb8e81f872] 2024-07-28 Todd C. Miller * NEWS: Mention --with-secure-path-value configure option [5eb0179bc97b] * INSTALL.md, configure, configure.ac: Add --with-secure-path-value option This can be used by package maintainers to set the value of secure_path that is substituted into the default sudoers file. [e31490007b92] * docs/sudo_logsrvd.man.in, docs/sudo_sendlog.man.in, docs/sudoers.man.in: regen [21176573dc75] * configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in: Rename secure_path_set -> secure_path_status [d81c73260a8d] 2024-07-27 Todd C. Miller * plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, po/fr.mo, po/fr.po: Updated translations from translationproject.org [23df3ee904ca] 2024-07-14 Todd C. Miller * docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.mdoc.in: Add sudo_logsrv.proto manual cross-reference. [f8c6bc110415] 2024-07-07 Todd C. Miller * NEWS: Late changes for 1.9.16 [1dc5a42c2906] 2024-07-02 Todd C. Miller * configure, configure.ac: If cross-compiling with a C99 compiler, assume snprintf is compliant. This is a better default than assuming it is not compliant (the previous behavior) when cross-compiling. These days it is rare for sudo to be built on pre-C99 systems. GitHub issue #969 [0037c70db352] 2024-06-25 Todd C. Miller * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Reference schema.IBM_LDAP. [52ec640462f0] * MANIFEST, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/id.mo, plugins/sudoers/po/id.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/hr.mo, po/hr.po, po/id.mo, po/id.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/ru.mo, po/ru.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po: Updated translations from translationproject.org [f72ae022e1fb] * MANIFEST, README.LDAP.md, docs/schema.IBM_LDAP: Add schema for IBM Directory Server in LDIF format. GitHub issue #384 [5b7fe088a994] 2024-06-16 Todd C. Miller * NEWS: Remove an errant line that should have been removed. [4e1d495e0d56] 2024-06-15 Todd C. Miller * NEWS: Mention changes to the default sudoers file. [d7c8d85d922d] 2024-06-11 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Improve the description of secure_path. [6eb51ab0b84f] 2024-06-10 Todd C. Miller * INSTALL.md, configure, configure.ac, docs/sudoers.mdoc.in, plugins/sudoers/sudoers.in: Enable secure_path in default sudoers file. It is still disabled by default in the sudo binary. [564699389bb8] * configure, configure.ac, plugins/sudoers/sudoers.in: Preserve SUDO_EDITOR, EDITOR, and VISUAL for visudo. [fa4746fb1caf] 2024-06-08 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.16 [181210704ac8] * NEWS, configure, configure.ac: Sudo 1.9.16 [16110cfa4a13] * INSTALL.md, configure, configure.ac: Compile in support for insults by default. Insults are still disabled by default but can be enabled in the sudoers file. To completely disable insult support, use the --without-insults configure option. [d753f92cc7cb] 2024-06-07 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/cvtsudoers/test41.out.ok, plugins/sudoers/regress/cvtsudoers/test41.sh: Treat unresolvable User_Alias/Host_Alias as non-aliases in JSON output. This matches the behavior of the sudoers parser. There is no way to tell for sure if an upper case word is an alias or a user or host name. An unresolvable command alias is never a command since it doesn't start with a '/'. GitHub issue #381 [c1bac476f593] * lib/util/json.c: Set need_comma when closing an array or object. This fixes an issue where an empty array or object would not have a comma after it. GitHub issue #381 [f43cbdff918f] 2024-05-28 Todd C. Miller * docs/Makefile.in: Add comment that the .mdoc files are generated from .mdoc.in [fcf5c893ce58] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Sync BUGS section with the bugs section of README.md. Also mention how to report security issues based on SECURITY.md. GitHub issue #377. [3efcd5725175] 2024-05-26 Todd C. Miller * plugins/sudoers/regress/sudoers/test24.in, plugins/sudoers/regress/sudoers/test24.json.ok, plugins/sudoers/regress/sudoers/test24.ldif.ok, plugins/sudoers/regress/sudoers/test24.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test24.out.ok, plugins/sudoers/regress/sudoers/test24.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Allow the path in Chdir_Spec | Chroot_Spec to be double-quoted. The other values of an Option_Spec could already be quoted but path names are treated specially. [4249e3de7959] 2024-05-21 Todd C. Miller * docs/cvtsudoers.man.in, docs/sudo.conf.man.in, docs/sudo.man.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.man.in, docs/sudo_plugin.man.in, docs/sudo_plugin_python.man.in, docs/sudo_sendlog.man.in, docs/sudoers.ldap.man.in, docs/sudoers.man.in, docs/sudoers_timestamp.man.in, docs/sudoreplay.man.in, docs/visudo.man.in: regen [592d85185e9e] * docs/Makefile.in: Include the name of the original .mdoc.in file in the .man.in file. This should make it more obvious which is the authoritative file. [0d2b135ba7a6] 2024-05-18 Todd C. Miller * scripts/pp: Fix a syntax error in the systemd sudo-logsrvd.postinst script: sudo-logsrvd.postinst: 120: [: -eq: unexpected operator [108d20c4a419] * src/exec_monitor.c, src/exec_pty.c, src/sudo.h: When revoking the pty, kill the foreground process from the parent sudo. There's no need to send messages back and forth to the monitor when the main process can just do it. GitHub issue #367. [c900ae4e24d6] * scripts/mkpkg: Fix check for libaudit package on Debian-based systems. Newer systems only have /usr/lib with /lib as a symbolic link. [5e3ec90ad10c] 2024-05-17 Todd C. Miller * docs/schema.ActiveDirectory: Add double quotes around #schemaNamingContext in example. GitHub issue #376 [220ca840fb59] 2024-05-15 Robert Manner * logsrvd/logsrvd.c, logsrvd/tls_client.c, plugins/sudoers/log_client.c: logsrvd,plugins/sudoers: add debug log on TLS verification error [0febc8521ac7] 2024-05-06 Todd C. Miller * plugins/sudoers/lookup.c: apply_cmndspec: plug potential memory leak If apply_cmndspec() is called where the cmndspec defines an apparmor profile or Solaris privileges, and then is called again with a cmndspec that does not have those set we would leak the original value. [e16977b54b3b] * plugins/sudoers/policy.c, src/parse_args.c, src/sudo.h: We do not pass apparmor_profile from the front-end to the policy. There is no command line option to specify a profile, it is only passed from the policy to the front-end. [eb44161484c8] 2024-05-03 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.dict: Sync fuzz_sudoers dictionary with def_data.in. [d5e5fe67b687] * plugins/sudoers/lookup.c: apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified. [988c0c1281b9] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: free_cmndspec: plug apparmor_profile leak [bf0c3a2cb1c3] 2024-05-02 Todd C. Miller * plugins/python/regress/testhelpers.c: Python 3.12 backtraces use '~' in addition to '^' when underlining. GitHub issue #374 [e0241596c632] 2024-05-01 Todd C. Miller * plugins/sudoers/regress/sudoers/test31.in, plugins/sudoers/regress/sudoers/test31.json.ok, plugins/sudoers/regress/sudoers/test31.ldif.ok, plugins/sudoers/regress/sudoers/test31.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test31.out.ok, plugins/sudoers/regress/sudoers/test31.toke.ok: Add test for parsing SELinux, AppArmor and Solaris privileges. [b42890f216f8] * plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Unifdef parser support for SELinux, AppArmor and Solaris privileges. [86e2a47837ba] 2024-04-30 Todd C. Miller * plugins/sudoers/display.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c: Add some missing AppArmor bits. o Display ApparmorProfile in "long list" format. o Propagate apparmor_profile setting to commands in a list. o Support apparmor_profile in an LDAP sudoOption. [5f21bbd855af] * src/exec_monitor.c: Quiet compiler warning on Solaris 10 [ae794b45287f] * configure, configure.ac, plugins/sudoers/regress/harness.in: Check JSON output with jq if present. [b661df83a15c] * plugins/sudoers/cvtsudoers_json.c: Format SELinux, AppArmor and Solaris privileges as Options. Previously these were output as separate arrays without an enclosing object. GitHub issue #373 [35f090b7c0cf] 2024-04-29 Todd C. Miller * docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.mdoc.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.mdoc.in, etc/codespell.exclude, lib/util/lbuf.c, logsrvd/logsrvd_journal.c, plugins/sudoers/parse_ldif.c, src/exec_intercept.c: Pass "make spell" with updated codespell. [20339782866b] * src/exec_monitor.c: mon_handle_revoke: only send SIGHUP to the foreground process group. There's no need to signal both the foreground process group and the command itself (if different). This matches the behavior of the session leader exiting, which is what we want to simulate. [2f5f7666c8b1] 2024-04-28 Todd C. Miller * src/exec_monitor.c, src/exec_pty.c, src/sudo.h: Avoid using ioctl(TIOCNOTTY) in the monitor. We don't need to revoke the terminal in the monitor, just signal the foreground process group. This is more portable and has the same effect as ioctl(TIOCNOTTY) would on Linux. Since we now signal the command from the monitor, there is no reason to forward SIGHUP from the kernel. GitHub issue #367. [45dbbe36e3da] * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test24.json.ok: Fix copy and paste error in the fix for GitHub issue #369 Fixes GitHub issue #371 [f8eb25025dbd] 2024-04-27 Todd C. Miller * src/exec_monitor.c, src/exec_pty.c, src/sudo.h: If user's tty goes away, tell monitor to revoke the tty in its session. Previously, we would simply close the pty leader in the main sudo process. This had the effect of revoking the pty, but the foreground process would not necessarily receive SIGHUP. By using TIOCNOTTY in the monitor, the running command has a better chance of getting SIGHUP. Once the monitor has revoked the pty, the main sudo process will close the pty leader, invalidating the pty. GitHub issue #367. [3d5708b425df] 2024-04-26 Todd C. Miller * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in: Commands with multiple digests of the same type are stored in an array. [0eefa91fd695] 2024-04-25 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test14.json.ok: Store mulitple command digests of the same type as an array. Otherwise, we end up with duplicated keys in the object. GitHub issue #370 [b5005381fa87] 2024-04-22 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/ins_python.h: Call gettext() on insults when displayed, not when declared. [db2415febdda] 2024-04-19 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test24.json.ok: When converting CWD and CHROOT tags, store them as objects. Fixes GitHub issue #369 [bf7c37a8477c] 2024-04-17 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add pam_silent sudoers option. Inspired by PR #368 GitHub issue #216 [767f06c8f2cd] 2024-04-01 alberic89 * plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/ins_python.h: Make insults translatable [75e3a8130abc] 2024-03-18 Todd C. Miller * INSTALL.md, config.h.in, configure, configure.ac, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h: Remove offensive insults that were disabled by default anyway. Bug #1058 [1dc8bd05e7b4] 2024-03-09 Todd C. Miller * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: Remove EVLOG_JSON, callers must use EVLOG_JSON_COMPACT or EVLOG_JSON_PRETTY [ce2530f471e7] * docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c: Add "json_pretty" log format, currently the same as "json". In a future version, "json" will be an alias for "json_compact" instead. GitHub issue #357. [3bc19566a59d] 2024-03-08 Todd C. Miller * docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers_cb.c: Add json_compact log type for compact/minified JSON. The "json_compact" log type logs one event per line in compact/minified JSON format. GitHub issue #357. [d5f74fbe0529] * plugins/sudoers/logging.c: Fix typo [e6a5f8530460] * docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/env.c: Set SUDO_HOME to the invoking user's home directory. GitHub issue #358 [07353b9b45c9] 2024-03-02 Martin * etc/sudo-logsrvd.pp: sudo-logsrvd.pp: Remove syslog.target (non-existent upstream since 11~ years ago) Remove syslog.target from service file, this target hasn't existed for over a decade. https://github.com/systemd/systemd/blob/6aa8d43ade72e24c9426e604f7fc 4b7582b9db7c/NEWS#L72-L73 [e40ad004d8fa] 2024-02-29 Todd C. Miller * plugins/sudoers/Makefile.in: Explicitly link check_symbols with zlib. Fixes a test failure on some systems when using sudo's built-in zlib. [be0e77798f08] 2024-02-22 Fabrice Fontaine * m4/openssl.m4: m4/openssl.m4: fix cross-compilation with wolfssl Do not append -I/usr/include/wolfssl when cross-compiling Signed-off-by: Fabrice Fontaine [369865095dea] 2024-02-21 Todd C. Miller * lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Regenerate dependencies [00ed81bc1e04] * Makefile.in: Add missing subdirs to depend target. [2f9beb329893] * lib/util/Makefile.in, scripts/mkdep.pl: Using $< in a non-suffix rule context is a GNU make extension. [011aaca5f363] * lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Use $(CPP) instead if $(CC) -E when buiding .i files from .c. [5b5ce9a47757] 2024-02-18 Todd C. Miller * configure: Regen with autoconf 2.72 [15cb2275fa29] * configure.ac: Check if ac_cv_sys_file_offset_bits is "64", not "yes" This is used for determining whether to set _TIME_BITS with autoconf versions before 2.72. [b5fc00b41b7f] 2024-02-17 Yann E. MORIN * lib/util/Makefile.in: lib/utils: detect failure to generate signals list and names Currently, we generate the signal list and names by running cpp on our header, and piping the result into sed. However, when cpp fails [0], we do not catch that failure, as the error code of the LHS of a pipe is lost, with the pipe returning the RHS-most return code. Fix that by introducing two new intermediate rules, each to generate the preprocessed .i files, and use those as dependencies and input to the rule that generates the headers. Those two .i files will be cleaned up by the existing *.i glob. [0] a failure happens on recent hosts, due to inconsistency with time64_t and large-file support (lines elided and wrapped for readability): /usr/bin/cpp [...] ./sys_signame.h \ | /usr/bin/sed -e '1,/^int sudo_end_of_headers;/d' -e '/^#/d' > mksigname.h In file included from /usr/include/features.h:394, from /usr/include/sys/types.h:25, from ./sys_signame.h:4: /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" 26 | # error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" | ^~~~~ /usr/bin/gcc [...] ./mksigname.c -o mksigname In file included from /usr/include/features.h:394, from /usr/include/bits/libc-header-start.h:33, from /usr/include/stdlib.h:26, from ./mksigname.c:27: /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" 26 | # error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" | ^~~~~ make[2]: *** [Makefile:263: mksigname] Error 1 In that case, we were lucky that the subsequent gcc call also failed, and for the same reason. That time64_t and lfs issue should be fixed (at least investigated), but that does not mean we should not be more robust when parsing the header either. Signed-off-by: Yann E. MORIN [8a8b019b4c14] * src/exec_ptrace.c: src/exec_ptrace: fix build without precess_vm_readv() Commit 32f4b98f6b4a (sudo frontend: silence most -Wconversion warnings.) broke the build on C libraries that miss process_vm_readv(), like uClibc-ng. Indeed, the ssize_t nwritten is declared guarded by HAVE_PROCESS_VM_READV, but is then re-assigned and used a few lines below, outside any guard. Fix that by always declaring the object, as it is always needed. Signed-off-by: Yann E. MORIN [d910c4d9bc54] 2024-01-31 Todd C. Miller * docs/HISTORY.md: Quest no longer sponsors sudo development. [a9cb1edcb8fd] 2024-01-23 Todd C. Miller * src/exec_pty.c: Correct a misleading debug message. [052f0ccd800f] * LICENSE.md, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.h: Update embedded copy of zlib to version 1.3.1. [0f2a995be814] 2024-01-18 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Update copyright data in the package files. [0c7a31bc825c] 2024-01-13 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/iolog_path_escapes.c: Add restrict qualifiers to strlcpy_no_slash It's just strlcpy except it replaces '/' with '_'. [c357706bb1f5] 2024-01-12 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/glob.c, plugins/sudoers/tsdump.c: Prefer putchar over fputc where possible putchar is easier to understand than fputc and printf and does less work than those two do. [25b05cac7581] 2024-01-10 Todd C. Miller * plugins/sudoers/logging.c: Only log "a password is required" for "sudo -n" if a command is specified. This means that it is not logged for "sudo -nv" and "sudo -nl". We only log this message when sudo's -n flag is specified (and not when the user presses ^C at the password prompt) so that there is a record of failed non-interactive commands. [80bef089b555] 2024-01-08 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Document side-effects of enabling the use_pty option. [255a6563d27c] * plugins/sudoers/sudoers.in: Update "!use_pty" example to only disable it for non-root users. Also add a commented out entry for "exec_background" which can also be used to prevent sudo from consuming tty input. Related to GitHub issue #338 [bc8530773486] 2024-01-01 Todd C. Miller * src/sudo_edit.c: sudo_edit_mktemp: remove useless cast [636d4b873903] * lib/util/regress/mktemp/mktemp_test.c: Add check for sysconf(_SC_PAGESIZE) failure. [c632a57c20e2] 2023-12-31 Todd C. Miller * LICENSE.md: Welcome to 2024 [3ebaa0a06851] * LICENSE.md: Bump zlib copyright date for version 1.3 [9b123ff195f4] 2023-12-30 Todd C. Miller * scripts/mkpkg: Restore the ability to override default configure settings. The user-specified options must go last... [6b33cb2d4fba] 2023-12-29 Todd C. Miller * .hgtags: Added tag SUDO_1_9_15p5 for changeset 4418cfdc5b2a [c1df7aef0fa8] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p5 [4418cfdc5b2a] [SUDO_1_9_15p5] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p5 [fef0597593b1] 2023-12-28 Todd C. Miller * scripts/mkpkg: Handle Debian GNU Hurd [fcfa0426a289] * plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil_impl.c: Properly handle sysconf(_SC_LOGIN_NAME_MAX) returning -1 on failure. The cast to size_t needs to be outside the MAX() macro or the -1 will get cast to unsigned. [343b22c1fc59] <1.9> * plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil_impl.c: Properly handle sysconf(_SC_LOGIN_NAME_MAX) returning -1 on failure. The cast to size_t needs to be outside the MAX() macro or the -1 will get cast to unsigned. [8917f7d6a464] 2023-12-22 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/timestamp.c: Automatically migrate lecture file path from name-based to uid- based. GitHub issue #342. [cfa82cf5ac29] <1.9> * config.h.in, configure, configure.ac, plugins/sudoers/timestamp.c: Automatically migrate lecture file path from name-based to uid- based. GitHub issue #342. [9fcfdf6e8882] 2023-12-21 Todd C. Miller * lib/iolog/regress/iolog_path/check_iolog_path.c: Add missing checks for strdup() failure. [d5d20569c6aa] 2023-12-19 Todd C. Miller * plugins/sudoers/ldap_conf.c: Disable netgroup_query when netgroup_base is not set. The logic was inverted when support for netgroup_query was added. This supercedes PR #341. [a575b106220e] <1.9> * plugins/sudoers/ldap_conf.c: Disable netgroup_query when netgroup_base is not set. The logic was inverted when support for netgroup_query was added. This supercedes PR #341. [76765198ff73] * docs/sudoers.man.in, docs/sudoers.mdoc.in: In the NOEXEC example make it clear that "shanty" is a host. Bug #1064 [18e3b6a981d4] <1.9> * docs/sudoers.man.in, docs/sudoers.mdoc.in: In the NOEXEC example make it clear that "shanty" is a host. Bug #1064 [a8acf089535e] 2023-12-18 Todd C. Miller * lib/eventlog/eventlog.c: closefrom_nodebug: skip fds < 0 This can only happen if lowfd < 0, which is never the case. Quiets a static analyzer warning. [222886d48308] 2023-12-16 Todd C. Miller * plugins/sudoers/defaults.c: Fix printing of warning when a Defaults setting is missing a value. This is a bug in parse_default_entry() introduced in sudo 1.8.19 when support for using the default syslog facility was added at the wrong place in a switch(). [f9de87a2f501] <1.9> * plugins/sudoers/defaults.c: Fix printing of warning when a Defaults setting is missing a value. This is a bug in parse_default_entry() introduced in sudo 1.8.19 when support for using the default syslog facility was added at the wrong place in a switch(). [b9fec7aa7319] 2023-12-15 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Sprinkle some more const in defaults.c. [e1ef878f08b3] * plugins/sudoers/defaults.c: Fix evaluation of a tuple used in "true" boolean context. Previously, a tuple in boolean context was always treated as a negated entry, which doesn't match the documentation. We assume that there are at least two tuple entries where the first maps to boolean false and the second maps to boolean true. [39a6e634c9d6] <1.9> * plugins/sudoers/defaults.c: Fix evaluation of a tuple used in "true" boolean context. Previously, a tuple in boolean context was always treated as a negated entry, which doesn't match the documentation. We assume that there are at least two tuple entries where the first maps to boolean false and the second maps to boolean true. [4be36c6cab1c] * .hgtags: Added tag SUDO_1_9_15p4 for changeset cc9d22d261de [382e15393814] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p4 [cc9d22d261de] [SUDO_1_9_15p4] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p4 [47d08cb6f0a7] * plugins/sudoers/lookup.c: sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present. [053be548771c] <1.9> * plugins/sudoers/lookup.c: sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present. [cac08bcb42f7] 2023-12-13 Todd C. Miller * .hgtags: Added tag SUDO_1_9_15p3 for changeset 20d368229c6a [e01ee9945d11] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p3 [20d368229c6a] [SUDO_1_9_15p3] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p3 [8aa5696e8235] 2023-12-11 Todd C. Miller * plugins/sudoers/policy.c: Pass back Solaris privs as "runas_privs" and "runas_limitprivs". The "runas_" prefix got inadvertantly removed in the big sudoers_context refactor. [25f183bdd61e] <1.9> * plugins/sudoers/policy.c: Pass back Solaris privs as "runas_privs" and "runas_limitprivs". The "runas_" prefix got inadvertantly removed in the big sudoers_context refactor. [304fe94b7f00] 2023-12-09 Todd C. Miller * include/sudo_util.h, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp.in, src/sudo.h, src/ttyname.c: sudo_term_is_raw: only try to lock the fd if it is a tty This moves sudo_isatty() to libsudo_util so sudo_term_is_raw() can use it. Fixes GitHub issue #335 [5e7dd2580c9b] <1.9> * include/sudo_util.h, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp.in, src/sudo.h, src/ttyname.c: sudo_term_is_raw: only try to lock the fd if it is a tty This moves sudo_isatty() to libsudo_util so sudo_term_is_raw() can use it. Fixes GitHub issue #335 [aa4c13345801] 2023-12-07 Todd C. Miller * plugins/sudoers/sudoreplay.c: setup_terminal: fix an editing error introduced in 1.9.15. [690c82d4ebd4] <1.9> * plugins/sudoers/sudoreplay.c: setup_terminal: fix an editing error introduced in 1.9.15. [a49d25d2c3ea] 2023-12-06 Todd C. Miller * plugins/sudoers/match_command.c: command_matches_regex: retry with canonicalized path if possible If ctx->user.cmnd doesn't match, use ctx->user.cmnd_dir (if present) to construct a canonicalized path and match on that. [c24a4083224b] 2023-12-04 Todd C. Miller * plugins/sudoers/match_command.c: command_matches_fnmatch: retry with canonicalized path if possible If ctx->user.cmnd doesn't match, use ctx->user.cmnd_dir (if present) to construct a canonicalized path and match on that. [88563830f0c5] * lib/util/gethostname.c: If sysconf(_SC_HOST_NAME_MAX) returns 0, just use 255. This should not actually be possible. [770391d1b7a9] * plugins/sudoers/sethost.c: Fall back to "localhost" if gethostname() fails. GitHub issue #332 [c6993fd61aac] <1.9> * plugins/sudoers/sethost.c: Fall back to "localhost" if gethostname() fails. GitHub issue #332 [37dff0fc09fe] * plugins/sudoers/match_command.c: command_matches_glob: fix comparison of canonicalized parent directories Bug #1062 [78b789de1df8] <1.9> * plugins/sudoers/match_command.c: command_matches_glob: fix comparison of canonicalized parent directories Bug #1062 [e7545a3736c6] 2023-12-01 Todd C. Miller * plugins/sudoers/cvtsudoers_csv.c: Add missing print_member_list_csv() return value check. [289474dabf3a] * plugins/sudoers/tsdump.c: Check sudoers_debug_register() return value. [d41cd0e91271] 2023-11-30 Todd C. Miller * configure, scripts/config.guess, scripts/config.sub: Regenerate with the autoconf 2.72d snapshot. [d155689bd4d1] 2023-11-28 Todd C. Miller * plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in: Add cmddenial_message to def_data.in [5da99b926451] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Reword the description of cmddenial_message. [2542c62dc70e] * docs/sudoreplay.man.in: Regenerate from sudoreplay.mdoc.in [469fc2ca26e1] 2023-11-28 THE-Spellchecker * INSTALL.md, docs/UPGRADE.md, lib/util/event.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/lbuf.c, lib/util/snprintf.c, lib/util/sudo_dso.c, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/sample/sample_plugin.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/ldap.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.h, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, src/exec.c, src/exec_monitor.c, src/exec_ptrace.c, src/exec_pty.c: Typographical and Grammatical fixes [e38efca3fdca] 2023-11-26 Todd C. Miller * lib/util/ttyname_dev.c: No need to include sys/param.h here. [aa51309bbbf1] * plugins/sudoers/tsdump.c: tsdump: quiet compiler warnings on some platforms. Quiet a -Wshadow warning from gcc. Cast major() and minor() to unsigned int when printing. [f684294d67cc] * plugins/sudoers/tsdump.c: tsdump: display both the terminal path and device number. If no terminal device can be found, print "major, minor" device numbers instead. [11bc7d9447b6] * docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in: Sync time stamp defines with sudoers timestamp.h The types and flags are now explicitly unsigned. [b879cc9adcb2] * docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in: Mention the tsdump utility [8f175644a965] * plugins/sudoers/Makefile.in: Build tsdump by default so it does not suffer bit rot. [3c5f70c4eb28] * include/sudo_debug.h: Add sudo_debug_exit_dev_t stub for fuzzing. [3a7f59a57c03] * lib/util/chacha_private.h, lib/util/inet_pton.c: Avoid using the u_int type, which is not portable. [7dbfe37f8687] * plugins/sudoers/tsdump.c: tsdump: update to use a uid-based path by default This matches the changes in sudo 1.9.15 to the sudoers policy module. [cab576f101c7] 2023-11-25 Todd C. Miller * plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout: Update for plugin version 1.22. [6abaf23b44b5] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h: Document ttydev and bump plugin version to 1.22 [9cee78e466c6] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Add ttydev to sudoers_user_context and use for timestamp file. GitHub issue #329 [2378fa73b48d] * include/sudo_debug.h, src/sudo.c, src/sudo.h, src/ttyname.c: Pass tty device number from front-end to policy module. GitHub issue #329 [d383c81bb3a6] 2023-11-23 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: log_server_alert: struct timespec argument was not actually used The struct timespec argument is used to initialize the command start time, which is not used for an alert message. [2f0c4dd9b41e] * plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c: log_server_alert: use fmt_alert_message not fmt_reject_message Only affects intercepted commands. [1a3defb146dc] * plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c: log_server_open: always pass in awake time, not wallclock time. The timespec passed to log_server_open() should be from sudo_gettime_awake() since it is used to build the command run time. [c68a03d4695c] * plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Replace submit_time in struct sudoers_context with start_time. We need to track the (monotonic) command start time to be able to generate an accurate run time. Instead of setting submit time when the policy initializes (and using that time for logging purposes), set evlog->submit_time to the current wallclock time when we need to perform logging. This is more consistent with how sudo logging was performed in the past. Fixes GitHub issues #327. [e57f9145945b] * plugins/sudoers/audit.c, plugins/sudoers/logging.c: We can use evlog.submit_time in the call to eventlog_alert(). This is set to the current wallclock time by sudoers_to_eventlog(). [f16ff52d85bd] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/parse_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_local.c, logsrvd/sendlog.c, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Rename submit_time -> event_time in struct eventlog. [fdd5cf4716f8] 2023-11-20 Guillaume Destuynder * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/logging.c, plugins/sudoers/regress/sudoers/test26.in, plugins/sudoers/regress/sudoers/test26.json.ok, plugins/sudoers/regress/sudoers/test26.ldif.ok, plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test26.out.ok, plugins/sudoers/regress/sudoers/test26.toke.ok: Add support for a custom message when the command execution is denied. [fe85c9713bcf] 2023-11-11 Todd C. Miller * plugins/sudoers/cvtsudoers_csv.c: cvtsudoers_csv.c: remove most sudo_fatal() calls. Errors are now propagated up the call stack. [de66055c58a0] * plugins/sudoers/cvtsudoers_ldif.c: No need for sudo_fatalx() here, just pass back an error. [e27822406648] * plugins/sudoers/cvtsudoers_ldif.c: cvtsudoers_ldif: display warning on write error [aa4b6e791808] * plugins/sudoers/cvtsudoers_merge.c: cvtsudoers_merge.c: remove sudo_fatal() calls. Errors are now propagated up the call stack. [2ae3ed90c650] 2023-11-10 Todd C. Miller * plugins/sudoers/cvtsudoers_merge.c: Make new_member() return NULL on failure and adjust callers. [de40dd7b70b2] * plugins/sudoers/cvtsudoers_ldif.c: Pass return values back instead of using sudo_fatal(). [b2b363922d27] * plugins/sudoers/cvtsudoers_ldif.c: Add printf_attribute_ldif() to printf-format an LDIF attribute. This replaces multiple sequences of asprintf() and print_attribute_ldif(). [a7cc31ef064a] 2023-11-09 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c: cvtsudoers_json.c: check sudo_json_* return values. Previously, we set memfatal to true in sudo_json_init() instead. This also gets rid of a number of sudo_fatalx() calls. [cf5ab9602976] * plugins/audit_json/audit_json.c: add_timestamp: check sudo_json_* return values. [65cebaa3a1ec] * plugins/sudoers/alias.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/parse.h, plugins/sudoers/testsudoers.c: alias_apply: change return type to bool We can use the rbapply() return value to detect failure. [e5bf4f575eae] * src/sudo.c: Always disable core dumps when sudo sends itself a fatal signal. When a command exits due to a fatal signal, sudo will re-send that signal to itself so the shell does not ignore keyboard-generated signals. However, now that sudo disables core dumps by default for the command, we cannot rely on WCOREDUMP() telling us whether or not the signal will lead to a core dump. It is safest to always disable core dumps before sending the signal to ourself. [4ce4bedf84fe] <1.9> * src/sudo.c: Always disable core dumps when sudo sends itself a fatal signal. When a command exits due to a fatal signal, sudo will re-send that signal to itself so the shell does not ignore keyboard-generated signals. However, now that sudo disables core dumps by default for the command, we cannot rely on WCOREDUMP() telling us whether or not the signal will lead to a core dump. It is safest to always disable core dumps before sending the signal to ourself. [0383034bc54e] * .hgtags: Added tag SUDO_1_9_15p2 for changeset 4d03c1608a23 [b46c7b3c67b4] <1.9> 2023-11-08 Todd C. Miller * NEWS, configure, configure.ac, lib/util/term.c: Merge sudo 1.9.15p2 from tip. [4d03c1608a23] [SUDO_1_9_15p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p2 [7a5afe66a935] * scripts/pp: Update PolyPkg from upstream. [fef8f49977c3] * lib/util/term.c: sudo_term_restore: don't check c_cflag on systems with TCSASOFT. If TCSASOFT is present, tcsetattr() will ignore c_cflag. Fixes a bug where sudo_term_restore() would refuse to change the terminal settings back if the PARENB control flag was set. GitHub issue #326. [bcd3c9f5736a] * scripts/mkpkg: Quote $osversion since it may include whitespace. [fb4aac7003c6] 2023-11-07 Todd C. Miller * plugins/sudoers/sudoers.h: Use C99 designated struct initializers. This is less error-prone and would have avoided GitHub issue #325. [f7fad7f54d1b] * .hgtags: Added tag SUDO_1_9_15p1 for changeset d23f72517e07 [f67d129d3e36] <1.9> * NEWS, configure, configure.ac: Merge sudo 1.9.15p1 from tip. [d23f72517e07] [SUDO_1_9_15p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.15p1 [9aae361b70ef] * plugins/sudoers/sudoers.h: Correct the order of the strings in SUDOERS_CONTEXT_INITIALIZER. Fixes GitHub issue #325, a bug introduced in sudo 1.9.15. [0266ed6c95f9] 2023-11-06 Todd C. Miller * NEWS: In the sudo 1.9.14p3 section, "Python python" should be "Python plugin". [dee39187deda] * .hgtags: Added tag SUDO_1_9_15 for changeset 277833c12efb [3517bf78fcf5] <1.9> * MANIFEST, NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/term.c, logsrvd/iolog_writer.c, logsrvd/tls_init.c, plugins/python/pyhelpers.c, plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/regress/testhelpers.c, plugins/python/sudo_python_module.c, plugins/sudoers/Makefile.in, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/regress/testsudoers/test21.sh, plugins/sudoers/regress/testsudoers/test22.sh, plugins/sudoers/regress/testsudoers/test23.sh, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c: Merge sudo 1.9.15 from tip. [277833c12efb] [SUDO_1_9_15] <1.9> * NEWS: Sudo now logs the submitenv in the JSON logs. [c1a5e609352f] * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in: Document special cases for AIX-style shared libraries. The shared object is a member of an archive file that is specified in parentheses. [bb9a50249072] 2023-11-04 Todd C. Miller * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in: Add sudoers plugin Debug example and x-ref sudoers man page for details. [ef23f00ac8ad] * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in: The HP-UX getgrouplist() code has been disabled due to bugs. [0bc060c69389] 2023-11-03 Todd C. Miller * lib/util/sudo_conf.c: sudo_conf_debug_files: special handling of DSO members for AIX When matching debug files for AIX-style DSOs like sudoers.a(sudoers.so) we want to match on the full name, the name without the member and on the member itself. This makes it possible to use the existing examples in the sudo.conf fiile on AIX. [2ec138dbc507] * plugins/sudoers/pwutil.c: sudo_set_grlist and sudo_set_gidlist: set auth registry based on username Previously we used the global registry but since we have the user's passwd info we should use that when storing the group and gid lists. [71b6647d4cb0] 2023-11-02 Todd C. Miller * plugins/sudoers/parse_ldif.c: role_to_sudoers: only try to reuse a privilege if one is present [91207af2554c] * plugins/sudoers/defaults.c: store_plugin: avoid potential NULL deref in boolean context Coverity CID 330466 [5c7ebbaf83c4] * plugins/sudoers/sudoreplay.c, src/conversation.c: Avoid passing sudo_term_is_raw() -1 for the fd. Coverity CID 330472 Coverity CID 330468 [b28a472152ab] * logsrvd/sendlog.c: fmt_info_messages: bump info_msgs_size for submitenv [e36bfd74abb9] * NEWS: Better log message when rejecting a setid command in intercept mode. [06d161998e22] * plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Move the check for running setid commands in intercept mode to later. Checking for setid commands in intercept mode after command matching allows us to log a proper error message. Previously, we simply ignored setid commands when matching and the only indication of why was in the debug logs. [b07b8fcff911] * plugins/sudoers/timestamp.c: timestamp_open: add some debugging [dc7070cbadd9] 2023-10-31 Todd C. Miller * plugins/sudoers/auth/sia.c: sudo_sia_begin_session: add missing struct sudoers_context * arg. [4caf619af53b] * plugins/sudoers/auth/kerb5.c: verify_krb_v5_tgt: auth name must be const to match struct sudo_auth. [e4d6a0b15003] * .circleci/config.yml: Disable PAM before enabling Kerberos V. [55523956e9ff] * .circleci/config.yml, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add Kerberos V build and test to CI. [7cf8ab128064] 2023-10-31 Renato Botelho * plugins/sudoers/auth/kerb5.c: Add missing sudoers_context to verify_krb_v5_tgt() Commit 244017495421 added ctx variable to log_warningx() call but that variable was not declared in that context, breaking the build. [7b89c1b61e19] 2023-10-30 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po: Updated translations from translationproject.org [2a5a4f1350ee] 2023-10-27 Todd C. Miller * logsrvd/logsrvd.c: Set the open file descriptor limit to the maximum allowed value. Each connection can require up to 9 descriptors. [72b6593b631d] 2023-10-23 Todd C. Miller * NEWS: Mention new Indonesian translation and sudo_logsrvd fd limit change. [753002967fc0] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/sr.mo, po/sr.po, po/zh_CN.mo, po/zh_CN.po: Updated translations from translationproject.org [619098603afe] * docs/CONTRIBUTORS.md: Add Andika Triwidada [7e6293a4a00a] * MANIFEST, po/id.mo, po/id.po: New Indonesian translation from translationproject.org [568e33cb694c] 2023-10-22 Todd C. Miller * NEWS: Mention GitHub issue #318 [4b4c1d8da478] * plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Avoid a double-free in fuzz_policy caused by the early env_init(NULL). This adds an env_free() function to explicitly free both the old and new copies of the environment. It is really only needed by fuzz_policy, which calls the policy module multiple times. [9cb4400fe76c] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Store submitenv in eventlog and pass it to sudo_logsrvd. [3ef684a6f888] 2023-10-21 Todd C. Miller * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c: struct eventlog: rename argv/env to runargv/runenv. This matches the JSON logs. [df2ac695bcf7] * plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: struct sudoers_user_context: rename env_vars to env_add [f57859bca061] * plugins/sudoers/audit.c, plugins/sudoers/logging.c: Only log the run environment for commands that are allowed. It may not be available otherwise and unless the command is being run it has no real meaning. [98b79f16e06e] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Free the private copy of the environment in sudoers_check_cmnd(). This reverts 5118eb5797fb, which had the side-effect of the PAM session code running with the run environment instead of the invoking user's environment. Issue #318 [6b4abada2e55] 2023-10-19 Todd C. Miller * lib/iolog/iolog_swapids.c: iolog_swapids: short circuit if effective ids match iolog ids. [6871a2a50eae] * lib/iolog/iolog_mkdirs.c, logsrvd/iolog_writer.c: logsrvd: display error string in message if iolog_mkpath() fails [4a601c7e1248] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.15 [39ac757a80c9] 2023-10-18 Todd C. Miller * plugins/sudoers/sudoers.in: Add example for disabling intercept/log_subcmds for certain commands. [52d01bcd6e3a] * lib/util/mksiglist.c, lib/util/mksigname.c: Use NSIG instead of nitems(array) for the loop bound. This matches the sudo_sys_siglist[] and sudo_sys_signame[] declarations. [d515abb232ae] * plugins/sudoers/tsdump.c: tsdump: fix compiler warnings [4e5d80f29845] 2023-10-17 Todd C. Miller * lib/eventlog/regress/logwrap/check_wrap.c, lib/util/mksiglist.c, lib/util/mksigname.c, logsrvd/sendlog.c, plugins/python/regress/iohelpers.c, plugins/sudoers/tsdump.c: Avoid using %zu or %zd with printf() and fprintf(). This prevents problems on systems where the system printf(3) is not C99-compliant. We use our own snprintf() on such systems so that is safe. [7ff250c66e05] * plugins/sudoers/sudo_printf.c, src/conversation.c: Use vsnprintf() instead of vfprintf() for sudo_printf() to avoid problems on systems where the system printf(3) is not C99-compliant. We use our own snprintf() on such systems. [053c94c3db03] * include/sudo_compat.h, lib/util/getdelim.c, lib/util/realpath.c, lib/util/regress/getdelim/getdelim_test.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: strlcpy_expand_host, sudo_getdelim, sudo_realpath: add restrict qualifier [8669d4d9b4d9] * NEWS: Fixed GitHub issue #312. [b6e269e7eeaa] 2023-10-16 Todd C. Miller * lib/util/term.c: Better handling of multiple sudo processes modifying terminal settings. 1. Lock the terminal before tcgetattr/tcsetattr 2. Don't restore terminal settings if changed by another process 3. Don't set terminal to raw mode if it is already raw GitHub issue #312 [8d5664300c7e] 2023-10-16 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/prompt.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.h: Add restrict to strlcpy and expand_prompt [b26d50f82d2f] 2023-10-16 Todd C. Miller * src/exec_pty.c: Add a little extra debugging info. [b2533548f50b] 2023-10-15 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/sudo_conf.c: Swap calloc arguments to use them properly. [1d4877da5233] 2023-10-14 Todd C. Miller * src/exec_ptrace.c: ptrace_intercept_execve: make flags unsigned to match command_details [97ee796e74ec] 2023-10-13 Rose <83477269+AtariDreams@users.noreply.github.com> * include/sudo_util.h, src/exec_ptrace.h: Specify 1U over 1 for bitmaps [8eaecce2e3c6] 2023-10-12 Todd C. Miller * plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/parse.h, plugins/sudoers/sudoers.h: Fix spelling: resistent -> resistant [df6b986b8d31] 2023-10-05 Todd C. Miller * .gitignore, .hgignore: Add plugins/sudoers/tsgetusershell.c to ignore files. [5e9538b2aaae] 2023-10-02 Todd C. Miller * plugins/sudoers/mkdefaults: Fix compatibility with older versions of (new) awk. Do not rely on awk supporting "-f -" to read the program from stdin. Avoid using POSIX character classes in regular expressions. [0e67e9ba4ddf] 2023-10-02 Alexander F. Rødseth * plugins/sudoers/visudo.c: Add Orbiton ("o") to the list of editors that supports +lineno [28e192d4be9b] * plugins/sudoers/visudo.c: Sort the list of editors that supports +lineno [6467309f5ac3] 2023-09-28 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Mention potential problems with log_subcmds and intercept. [9c93f9315924] * src/sudo.c: Add more user info to the list of objects to be garbage-collected at exit. [caeb35967cd2] 2023-09-27 Todd C. Miller * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h: Use long, not long long, when getting/setting numeric attributes. We use int or long, not long long, in the Python plugin. [d1008ce69cf6] * plugins/sudoers/file.c: sudo_file_open: initialize parser before calling open_sudoers(). Otherwise, the parser_conf settings in the context passed to sudo_file_open() will not be honored by open_sudoers(). Affected settings include ignore_perms, sudoers mode, uid and gid. [21e56d49521a] * lib/eventlog/parse_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_timing.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/sendlog.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c: Add casts when storing values in a struct timespec. Fixes -Wconversion warnings on some 32-bit systems where time_t is still 32-bit. [b090ed40a1d0] 2023-09-27 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/roundup.c: Use U, not UL, for 32-bit platforms size_t is an unsigned int on 32-bit platforms, not an unsigned long. [9f4a9b73c954] 2023-09-26 Todd C. Miller * plugins/sudoers/match_digest.c: digest_matches: actually use fd2 in place of fd as needed. [9db51e4a8521] * plugins/sudoers/match_digest.c: digest_matches: if fd argument is -1, try to open path before failing [5b323859cbd0] * plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/regress/testsudoers/test21.sh, plugins/sudoers/regress/testsudoers/test22.sh, plugins/sudoers/regress/testsudoers/test23.sh, plugins/sudoers/regress/testsudoers/test24.sh, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.sh, plugins/sudoers/regress/testsudoers/test27.sh, plugins/sudoers/regress/testsudoers/test28.sh, plugins/sudoers/regress/testsudoers/test29.sh, plugins/sudoers/regress/testsudoers/test30.sh, plugins/sudoers/regress/testsudoers/test31.sh: Add missing execute bit on some test scripts. [07af3341fc1a] 2023-09-25 Todd C. Miller * plugins/sudoers/sudoers.h: max_groups in sudoers_plugin_settings is no longer used. [99848d0ee951] * include/sudo_conf.h, include/sudo_debug.h, include/sudo_event.h, include/sudo_eventlog.h, include/sudo_fatal.h, include/sudo_json.h, include/sudo_util.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c, lib/eventlog/eventlog_free.c, lib/eventlog/logwrap.c, lib/eventlog/parse_json.c, lib/eventlog/parse_json.h, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c, lib/fuzzstub/fuzzstub.c, lib/iolog/host_port.c, lib/iolog/hostcheck.c, lib/iolog/iolog_clearerr.c, lib/iolog/iolog_close.c, lib/iolog/iolog_conf.c, lib/iolog/iolog_eof.c, lib/iolog/iolog_filter.c, lib/iolog/iolog_flush.c, lib/iolog/iolog_gets.c, lib/iolog/iolog_json.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_loginfo.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_mkpath.c, lib/iolog/iolog_nextid.c, lib/iolog/iolog_open.c, lib/iolog/iolog_openat.c, lib/iolog/iolog_path.c, lib/iolog/iolog_read.c, lib/iolog/iolog_seek.c, lib/iolog/iolog_swapids.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_util.c, lib/iolog/iolog_write.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/logsrv/log_server.pb-c.c, lib/protobuf-c/protobuf-c.c, lib/ssl_compat/ssl_compat.c, lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_buf.c, lib/util/arc4random_uniform.c, lib/util/basename.c, lib/util/cfmakeraw.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/dup3.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/explicit_bzero.c, lib/util/fatal.c, lib/util/fchmodat.c, lib/util/fchownat.c, lib/util/fnmatch.c, lib/util/freezero.c, lib/util/fstatat.c, lib/util/getaddrinfo.c, lib/util/getdelim.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/gmtime_r.c, lib/util/hexchar.c, lib/util/inet_ntop.c, lib/util/inet_pton.c, lib/util/isblank.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/localtime_r.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/memrchr.c, lib/util/mkdir_parents.c, lib/util/mkdirat.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/mmap_alloc.c, lib/util/multiarch.c, lib/util/nanosleep.c, lib/util/openat.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/pread.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/pwrite.c, lib/util/rcstr.c, lib/util/reallocarray.c, lib/util/regex.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/digest/digest_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgids.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/json/json_test.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/multiarch/multiarch_test.c, lib/util/regress/open_parent_dir/open_parent_dir_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/regex/regex_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c, lib/util/roundup.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/sys_siglist.h, lib/util/sys_signame.h, lib/util/term.c, lib/util/timegm.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, lib/util/unlinkat.c, lib/util/utimens.c, lib/util/uuid.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/canon_path.c, plugins/sudoers/check.c, plugins/sudoers/check_aliases.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/digestname.c, plugins/sudoers/display.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/exptilde.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/insults.h, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/parser_warnx.c, plugins/sudoers/pivot.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/resolve_cmnd.c, plugins/sudoers/serialize_list.c, plugins/sudoers/set_perms.c, plugins/sudoers/sethost.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/strlist.c, plugins/sudoers/strvec_join.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/sudoers/sudoers_hooks.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/unesc_str.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_cb.c, plugins/system_group/system_group.c, src/apparmor.c, src/conversation.c, src/copy_file.c, src/edit_open.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_iolog.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_preload.c, src/exec_ptrace.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/intercept.pb-c.c, src/limits.c, src/load_plugins.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_intercept.c, src/sudo_intercept_common.c, src/sudo_noexec.c, src/suspend_parent.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Use #include instead of #include "foo.h" in most cases. We rely on the include path to find many of these headers. It especially doesn't make sense to use #include "foo.h" for headers in the top-level include directory. [4a7d27e429e9] * .circleci/config.yml: Bump xcode to 14.2.0 [f4775577c9b0] 2023-09-24 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults: Add support for "plugin" defaults type. [423dc640d220] * plugins/sudoers/mkdefaults: Support multiple input files. [1fff41f962f5] 2023-09-22 Todd C. Miller * src/exec_monitor.c, src/exec_pty.c: No need to loop reading from/writing to a blocking socketpair. This removes some infinite loops that can cause static analyzer warnings. The fds are not in non-blocking mode and we use restartable system calls so there is no need to loop. [132aad609392] * plugins/sudoers/check.c: check_user: fix return value for intercept mode Also use early return on error to quiet a PVS-Studio warning. [ecd721208013] 2023-09-21 Todd C. Miller * src/exec_pty.c: Set ec->term_raw to false even if sudo_term_restore() fails. Either the fd is not a terminal or we don't have the controlling terminal. Either way, we can't know the current status of the terminal and will need to set to raw mode again (if possible). Also make sure to set ec->term_raw to false if sudo_term_raw() fails. [6287218771a9] 2023-09-20 Todd C. Miller * pathnames.h.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.c: Only define _PATH_ENVIRONMENT on systems where we use /etc/environment. [5a3752401dc9] * config.h.in, configure, configure.ac: Sudo assumes that a uid_t can be cast to unsigned int without problems. Add a configure check and error out if sizeof(uid_t) > 4. [4b7657e4ce3d] * docs/UPGRADE.md: Mention the time stamp and lecture file name changes in 1.9.15. [8c23b36928ad] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Replace '/' with '_' in paths using the user, group or host name. [2862df9bcab7] 2023-09-19 Todd C. Miller * config.h.in, configure, configure.ac, m4/sudo.m4, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/policy.c, src/sudo.c, src/sudo_edit.c: Replace MAX_UID_T_LEN with calls to STRLEN_MAX_UNSIGNED. [f2f1ee9c5a16] * include/sudo_util.h, lib/eventlog/eventlog.c, lib/iolog/iolog_timing.c, lib/util/json.c, lib/util/lbuf.c, lib/util/sudo_debug.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/logging.c, src/exec_preload.c, src/limits.c: Add macros to determine the length of an integer type in string form. Adapted from answer #6 in: https://stackoverflow.com/questions/10536207/ansi-c-maximum-number- of-characters-printing-a-decimal-int [e62734abe89c] 2023-09-18 Todd C. Miller * plugins/sudoers/visudo.c: visudo: use verbose and strict in parser_conf Where the sudoers_context is available we can use the values of verbose and strict instead of passing around quiet and strict flags. [bc7a60ce0e36] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/callbacks.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_cb.c: Rename callbacks.c -> sudoers_cb.c. [558d6896ebfa] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/visudo.c, plugins/sudoers/visudo_cb.c: Add a separate file for visudo callbacks. [72e491607a4e] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check_aliases.c, plugins/sudoers/defaults.c, plugins/sudoers/parse.h, plugins/sudoers/parser_warnx.c: Add parser_warnx() and parser_vwarnx() that displays file:line:col Used by defaults.c and check_aliases.c. [1b4eff914e92] * plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Promote strict field in sudoers_parser_config from bool to int. This will be used by visudo to indicate when "visudo -s" is run. [d0f6c8c37e4a] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/find_path.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/resolve_cmnd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add resolve_cmnd(), a wrapper around find_path(). This is a convenience function that sets PERM_RUNAS and calls find_path(). If the command is not found it will retry with PERM_USER instead. [c7831c462fb9] * src/exec_monitor.c: Wait on a socketpair for the parent to grant child the controlling tty. This upgrades the error pipe to a bi-directional socketpair that the parent will write to after it has granted the child process the controlling terminal. That fixes an issue where the child could end up in a tight CPU loop waiting on the parent which may not be scheduled immediately. [36e87999dae1] 2023-09-15 Todd C. Miller * plugins/sudoers/sudoers.h: Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them. Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and AUTH_FAILURE. We avoided this problem in the past because the old values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines. [c37c51f861f1] * config.h.in, configure, configure.ac, lib/util/term.c, m4/sudo.m4, src/exec_pty.c: Only cast TIOCSWINSZ to int on systems that might require it (AIX). Otherwise we end up with a -Wconversion warning on systems where the ioctl() request argument is unsigned long. [a467e228981f] * plugins/sudoers/display.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Promote verbose flag to int for display_privs and display_cmnd. A negative verbosity will prevent non-error output from being displayed. [c7646497b580] 2023-09-13 Todd C. Miller * plugins/sudoers/stubs.c: No need to include cvtsudoers.h here. [d838f2ed5483] * plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c: Remove pivot_get_root() and pivot_get_cwd(). They are unnecessary since struct sudoers_pivot is not opaque. The implementation details are private to match_command.c. [ca522bffdf37] * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_fill.c: Quiet some -Wconversion warnings in the tests. [ebe02fc397e7] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h: Make flag in union sudo_defs_val bool to match how it is used. Adjust find_path()'s ignore_dot function argument to match. [52d5311ca360] * plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Parse euid and egid from sudo front-end. These are needed by bsm_audit.c. [ca240f519b46] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Parse pid and ppid from sudo front-end. We can now use the stored ppid in ts_init_key(). [4955c478f849] * plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Use struct sudoers_pivot instead of defining sudoers_pivot_t. We want to pass around a pointer, not the struct itself. [8c6806cee428] 2023-09-11 Todd C. Miller * MANIFEST, plugins/sudoers/pivot.h: Don't expose the implementation of the pivot_root state. [1d1696c7ad78] * plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Don't expose the implementation of the pivot_root state. [efaa8955cbf0] * src/exec_ptrace.c: Only call ptrace_verify_post_exec() for intercept, not log_subcmds. This fixes a logic goof introduced in sudo 1.9.14. [49df34bb0494] * docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h: Use the user-ID instead of user-name for the timestamp and lecture file. This avoids problems if the user name itself contains a path separator. [c93459e59f30] 2023-09-10 Todd C. Miller * plugins/sudoers/Makefile.in: tsgetusershell.c: don't rely on GNU sed extensions. [65e7d8099122] * plugins/sudoers/testsudoers.c: testsudoers: add -S option to specify /etc/shells path. [2efe9b01120a] * Makefile.in, lib/util/getusershell.c, plugins/sudoers/Makefile.in, plugins/sudoers/pwutil_impl.c, plugins/sudoers/tsgetgrpw.h: Add testsudoers_setshellfile() and use it in testsudoers. [4065e0f1c9ac] * plugins/sudoers/Makefile.in: regen [044181c21564] * lib/util/Makefile.in, lib/util/getusershell.c: Remove unnecessary sudo_gettext.h include and add missing const. [ca4266370ff6] 2023-09-09 Todd C. Miller * plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.h: Return AUTH_* flags from check_user() instead of 1/0/-1. [824e8943fa47] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h: Wrap valid_shell and add to sudo_pwutil_set_backend(). This will make it possible to support a different getusershell() implementation for testsudoers in the future. [03da23d61efe] * plugins/sudoers/check_util.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Move check_user_shell() to pwutil.c as user_shell_valid() This will make it possible to support a different backend which may be used by testsudoers in the future. [44a7540fb761] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/timestamp.h: Merge check_user() and check_user_interactive(), move getpass callbacks. The getpass callbacks are now defined in sudo_auth.c, which implements auth_getpass(). As a result, struct getpass_closure is now public and defined in timestamp.h. [1babbb56de42] * plugins/sudoers/Makefile.in, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/timestamp.h: Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. [54471c0a890d] * plugins/sudoers/ldap.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sssd.c: Make all match functions return ALLOW/DENY not true/false. [d22f1dc85b40] * plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/parse.h: Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545 [df81a335db65] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Honor ignore_perms plugin argument for @include and @includedir. [55307bdf721d] 2023-09-06 Todd C. Miller * plugins/sudoers/check.c: Don't set on_suspend and on_resume twice. [f1db05f66740] 2023-09-02 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/policy.c, plugins/sudoers/sethost.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: sudoers_sethost: refactor code to set host names in sudoers_context. The sudoers_sethost() function can be shared by the sudoers plugin, visudo, cvtsudoers and testsudoers. [6cece4f67add] 2023-09-01 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: sudoers_trace_print: use debug_decl_vars instead of doing it by hand. [0baf94e3e380] * include/sudo_compat.h: sudo_realpath() returns char *, not void *. [96746a992f65] 2023-08-31 Todd C. Miller * plugins/sudoers/sudoers.c: Only print "no valid sudoers sources found, quitting" for multiple sources. If there is only a single source (usually the sudoers file), the open function provide enough of an error message. Printing two error messages is just confusing. [99a282277084] 2023-08-30 Todd C. Miller * plugins/sudoers/pwutil.c: user_in_group: the user's group vector already includes the primary group. There's no need to look up the name of user's primary group (pw_gid), we always include the primary group ID in the group vector. [53f36984ebc8] 2023-08-29 Todd C. Miller * plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.h: Move sudoers_debug.c prototypes to sudoers_debug.h. [3d4c971912a3] * plugins/sudoers/sudoers.h: sudo_conv, sudo_printf and plugin_event_alloc live in policy.c. [52bced1bff2a] * include/sudo_iolog.h, plugins/sudoers/defaults.c: Move default value for "iolog_file" to sudo_iolog.h. [489101c36995] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h, plugins/sudoers/tsdump.c: Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. [402c837776df] * plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Restore AUTH_INTR support, it is still needed. We still need AUTH_INTR to know when to break out of the password prompt loop. [618807782033] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add ignore_perms plugin argument to skip the sudoers file security checks. This is not intended to be used in a production environment. [92ae0335ee5b] 2023-08-28 Todd C. Miller * configure, m4/sudo.m4: Fix test for unsetenv() returning void with clang 16. Clang has dropped support for K&R function definitions so rewrite the test to require a unsetenv() prototype in stdlib.h. Fixes GitHub issue #302. [1a0ce3a79ee2] * plugins/sudoers/defaults.c: Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined. We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching the file system for commands. [2e6bc1f8fb22] 2023-08-26 Todd C. Miller * plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Rename AUTH_FATAL -> AUTH_ERROR. [1da161db2f0f] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/match.c: Do not rely on the definition of ALLOW/DENY being true/false. We now explicitly check for ALLOW and DENY when checking return values and negating values. [1e4420b64b5d] * plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Replace AUTH_INTR return with AUTH_FAILURE. The two were treated identically by the caller. [e54b06561de1] 2023-08-25 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Move tty_present() into policy.c as sudoers_tty_present(). This function is policy-dependent. For the modern sudo front-end it will simply check tcpgid and/or ttypath. [36a5ece4027a] * plugins/sudoers/callbacks.c: Only set I/O logging callbacks if SESSID_MAX is defined. [3cec54b1fe9a] * plugins/sudoers/defaults.c: Don't set defaults values for features that are not present. This means that lecture_status_dir and timestampdir are only set if _PATH_SUDO_LECTURE_DIR and _PATH_SUDO_TIMEDIR respectively are set. Also, the log server defaults are only set when SUDOERS_LOG_CLIENT is defined. [bb328fffe142] * plugins/sudoers/audit.c: Call log_allowed() even when "log_allowed" is disabled. Otherwise, sudo will not send mail if "mail_always" or "mail_all_cmnds" is set. [71d3f06fbee5] 2023-08-24 Todd C. Miller * NEWS, configure, configure.ac: sudo 1.9.15 [9e7aa0238aca] 2023-08-23 Todd C. Miller * lib/util/event_poll.c, lib/util/getentropy.c, plugins/sudoers/ldap.c: Silence a few remaining -Wconversion warnings. [8f1180e72c0b] * plugins/sudoers/sudoers.c: No need to inclue auth/sudo_auth.h [61ec4a47c885] * configure, m4/sudo.m4: --enable-pvs-studio: check for license file in the default location [35e596d1fdb7] 2023-08-23 ken <41325712+rtczza@users.noreply.github.com> * plugins/sudoers/timestamp.c: modify ret type from int to bool (#298) * modify ret type from int to bool * change debug_return_int to debug_return_bool * modify ret type [cf8c33ecdce0] 2023-08-22 Todd C. Miller * plugins/sudoers/callbacks.c, plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Move timestampowner sudoers callback to timestamp.c. [34520a083145] * plugins/sudoers/set_perms.c: Quiet a PVS-Studio false positive about possible NULL dereference. set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [0ec4b81df902] 2023-08-21 Todd C. Miller * plugins/sudoers/set_perms.c: set_perms: ctx may be NULL for PERM_ROOT, PERM_SUDOERS, PERM_TIMESTAMP. [299c5cacb05a] * plugins/sudoers/audit.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c: Move a few fields from sudoers_user_contect to sudoers_context. They are not really specific to the user or user-specified. [0e166cff8c3b] * plugins/sudoers/policy.c: Remove dead code dealing with unknown user and MODE_INVALIDATE. The timestamp unlink code does not need the user's struct passwd pointer, just the user name (which we already have). Found by PVS- Studio. [dd41395692e5] * lib/iolog/iolog_read.c, lib/iolog/iolog_write.c, lib/util/sudo_dso.c: Suppress some other PVS-Studio false positives. [36d0f8d41e6e] * plugins/sudoers/set_perms.c: Quiet a PVS-Studio false positive about possible NULL dereference. set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [a6f38a82c80c] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: MODE_KILL is never set in the sudoers plugin, remove it. [5a64ba098c4f] * plugins/sample/sample_plugin.c, plugins/sudoers/editor.c, plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/sudoreplay.c, src/exec_ptrace.c: Cast int to size_t before adding instead of casting the result. Quiets PVS-Studio warning V1028. [39b9d54ae277] * plugins/sudoers/audit.c: Fix log_server_accept() definition for --disable-log-client builds. [9ef55e556801] * src/exec_pty.c: Use a global static struct exec_closure for the cleanup hook. This is safer than storing a pointer to a stack variable in the cleanup function since we don't need to worry about it ever going out of scope. Quiets a clang 15 analyzer warning. [bfb06721d43f] * lib/eventlog/eventlog.c, plugins/sudoers/testsudoers.c: Eliminate some clang analyzer false positives. [ded09455af48] * plugins/sudoers/logging.c: Plug memory leak if journal_parse_error() fails. Found by the clang 15 analyzer. [0d7e0567187e] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Move sudoedit_nfiles into struct sudoers_context. [0f67b3c5c5b2] * plugins/sudoers/audit.c, plugins/sudoers/auth/pam.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Move sudo_mode into struct sudoers_context. [649e74125300] * plugins/sudoers/audit.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c: Move NewArgv, NewArgc and saved_argv into struct sudoers_context. [46db0662eaf7] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add struct sudoers_conf to struct sudoers_plugin_context. There's now no need to pass this directly to init_parser() since we already pass in a pointer to a sudoers_context struct. [4a60e7b19a1a] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sudo_ldap_conf.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Store policy paths in struct sudoers_context. This removes the need for the getters in policy.c. [8ff3016dc8ad] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add sudoers_ctx_free() and use it for freeing struct sudoers context. This replaces sudoers_user_ctx_free() and sudoers_runas_ctx_free(). [ba25344753c3] * plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/file.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. [534d55781084] 2023-08-20 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sia.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Add a sudoers_context struct that embeds the user and runas structs. [7c72e0c26dc0] 2023-08-18 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: free_parse_tree: clear the nss pointer when freeing. [658fef1bd3c0] * plugins/sudoers/parse_ldif.c: sudoers_parse_ldif: do not free parse_tree before using The user is expected to pass in an initialized and empty parse_tree so there is no need to free it first. [4d6371e98087] * lib/zlib/adler32.c, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzclose.c, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inffast.h, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: Update embedded copy of zlib to version 1.3. [bfd6de199f8a] 2023-08-15 Todd C. Miller * plugins/sudoers/pwutil_impl.c: We still need to clamp ngids if getgrouplist2() returns -1. Otherwise, we end up with ngids set to the number of gids the user belongs to which may be larger than what the front-end specified. Fixes a regression introduced in the last commit here. [4a2aeaf67236] 2023-08-14 Todd C. Miller * plugins/sudoers/policy.c: No need to clear errno when using sudo_strtonum(). [f62f2580c6a5] * plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h: Move max_groups out of sudoers_user_context and into pwutil.c. It is only used by the local password pwutil implementation. [c33497cc3291] * plugins/sudoers/check_util.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Pass in directory to check_user_runchroot() and check_user_runcwd(). This way we do not rely on the runas_ctx global. [f70888bdedf6] * plugins/sudoers/regress/exptilde/check_exptilde.c: check_exptilde: don't need runas_ctx here [520483cdb2ae] * plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Move RUNAS_{USER,GROUP}_SPECIFIED flags into struct sudoers_runas_context. [2024629414ed] 2023-08-13 Todd C. Miller * plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Make path_plugin_dir private to policy.c and add getter. [2bf12c839083] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Move list_pw global into struct runas_context. [32faa515c324] 2023-08-12 Todd C. Miller * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add struct sudoers_runas_context and move runas-specific bits into it. [d6a5f5b3c136] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sia.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Expand the user_* (and more) macros to user_ctx.foo. [b62e24d53e3f] * plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Pass explicit struct passwd * to create_admin_success_flag(). [120bb08f53bb] * plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Make sudoers_user_ctx_free() private to sudoers.c [ed512916a444] * plugins/sudoers/audit.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/display.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c: Rename struct sudo_user -> struct sudo_user_context. Also rename the sudo_user global to user_ctx. [d4b68657a430] * src/exec.c: fd_matches_tty: only zero out fd_sb if fstat(2) fails. We need to preserve the contents of the struct stat if the fd is some other type so the check for piped output works correctly. Bug #1057 [ac80d75699d1] 2023-08-10 Todd C. Miller * plugins/sudoers/callbacks.c: Leave the I/O log callbacks in iolog.c Otherwise, check_iolog_plugin will not link. [4e2304f22e89] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/callbacks.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Move sudoers parser callbacks to callbacks.c. [396d1dcdb35a] 2023-08-09 Todd C. Miller * logsrvd/sendlog.c: Bump info_msgs_size to make room for the source. [627f659fc180] * .circleci/config.yml: Update Xcode version from 13.2.1 to 13.4.1. [6c32e86975be] * include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/util.exp.in: Use int, not short for events in the event API. This fixes some -Wconversion warnings and fixes an inconsistency between the libsudo_util event API and the plugin event API. The actual struct internals still use shorts to avoid changing the ABI. [2d7fcd66f7e7] * plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Use const pointers where possible in the display code. [87fd1def96b6] * docs/sudo.man.in, docs/sudo.mdoc.in: Document "sudo -ll command" output. [3e837165e978] * plugins/sudoers/display.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments. [038d8555e50c] * plugins/sudoers/display.c: Move code to display a cmndspec in long form to display_cmndspec_long(). [a9887101de7c] * plugins/sudoers/display.c: sudo -ll: display the sudoers file the rule came from. [ca6d31966f5c] 2023-08-08 Todd C. Miller * lib/ssl_compat/ssl_compat.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c: Fix checking of SSL_{read,write}_ex() return value. These have a boolean-style return value. However, our emulated versions can return -1 on error, which we need to preserve for older versions of SSL_get_error() which expect it. [4e812f2456f1] * plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Store the source of the matching rule and store in the event log. The JSON logs will store the matching rule source. [c7ee4ab87610] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/eventlog/regress/eventlog_store/test1.json.in, lib/eventlog/regress/eventlog_store/test1.json.out.ok, lib/eventlog/regress/eventlog_store/test2.json.in, lib/eventlog/regress/eventlog_store/test2.json.out.ok, lib/eventlog/regress/eventlog_store/test3.json.in, lib/eventlog/regress/eventlog_store/test3.json.out.ok, lib/eventlog/regress/eventlog_store/test4.json.in, lib/eventlog/regress/eventlog_store/test4.json.out.ok, logsrvd/iolog_writer.c, logsrvd/sendlog.c: Log source in JSON logs This makes it possible to tell which rule resulted in a match. [a2573ce8ce3f] 2023-08-07 Todd C. Miller * plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output. [547d0256f22a] * lib/util/regress/digest/digest_test.c: Fix printf format string mismatch now that 'i' is size_t. [366084860303] * include/sudo_digest.h, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/getentropy.c, lib/util/regress/digest/digest_test.c, lib/util/util.exp.in, plugins/sudoers/filedigest.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: sudo_digest_getlen: return size_t, and 0 on error instead of -1 This is an API change, sudo_digest_getlen_v1 remains for binary compatibility. [5866df2f4aab] * logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c: ERR_get_error() returns unsigned long, not int. [94b2d963f279] * plugins/sudoers/log_client.c: We now must pass "err" SSL_get_error(), not "nread". [b4cc206a2cf8] 2023-08-06 Todd C. Miller * include/hostcheck.h, lib/iolog/hostcheck.c: Move compat definition of ASN1_STRING_get0_data to hostcheck.c. It is not used anywhere else. [39984513eb00] 2023-08-05 Todd C. Miller * include/hostcheck.h, include/sudo_compat.h, include/sudo_ssl_compat.h: Move OpenSSL compat defines to sudo_ssl_compat.h [ad6b8bc3f054] * MANIFEST, Makefile.in, configure, configure.ac, include/sudo_ssl_compat.h, lib/ssl_compat/Makefile.in, lib/ssl_compat/ssl_compat.c, logsrvd/Makefile.in, logsrvd/tls_common.h, m4/openssl.m4, plugins/sudoers/Makefile.in, plugins/sudoers/log_client.h, src/Makefile.in: Add implementation of SSL_read_ex/SSL_write_ex for those without. [9456c3c5c91c] * config.h.in, configure, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, m4/openssl.m4, plugins/sudoers/log_client.c: Use SSL_read_ex() and SSL_write_ex() instead of SSL_read() and SSL_write(). [5ac82bf78109] 2023-08-01 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Don't use sudo when building AIX packages PolyPkg uses "sudo installp -l" to list the built package by default but we may not have sudo privileges on the build host. [e8ed6064193d] * scripts/mkpkg: Add --configure-only option to quit after the configure run. This will be used to avoid building the entire package when we just want the 32 or 64 bit sudo_intercept.so and sudo_noexec.so. [22c7cec5a6a1] * scripts/mkpkg: Parse --disable-python in mkpkg and don't override -m32 for Solaris. We want to be able to build without python and to specify the memory model when building 32-bit .so's for Solaris. [bf21f6e67ff5] 2023-07-31 Todd C. Miller * INSTALL.md, Makefile.in, configure, configure.ac: Add --enable-postinstall, an optional phase when building packages. This makes it possible to run an arbitrary script between "make install" and the polypkg run. This will be used to copy different word size versions of sudo_intercept.so and sudo_noexec.so. [d4e84fa16ccf] * INSTALL.md, config.h.in, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, src/exec_preload.c: Add basic support for 32-bit and 64-bit LD_PRELOAD equivalents. The noexec and intercept DSO settings may now include both a 32-bit DSO and a 64-bit DSO specified by a colon. For example: /usr/libexe c/sudo/sudo_intercept.so:/usr/libexec/sudo/sudo_intercept_64.so. [9489d8625acb] * lib/util/term.c, src/exec_pty.c: Cast TIOCSWINSZ to int to avoid overflow warning on 64-bit AIX. [20919db351c1] 2023-07-28 Todd C. Miller * src/sudo_intercept_common.c: Read path section of sudo.conf for sudo_conf_intercept_path(). [d5748f68b9cb] 2023-07-27 Todd C. Miller * docs/visudo.man.in, docs/visudo.mdoc.in: visudo: document that a new file is only created if the editor writes it. If visudo is used to create a new file, the file will only be created if the user writes to the file via the editor. Simply running visudo and exiting the editor will no longer cause the file to be created. There is an exception for file created due to the addition of a @include directive, which need to be present for the sudoers file to parse properly. GitHub issue #294. [21e4d5cc5f43] * plugins/sudoers/visudo.c: visudo: do not create a new file if the user made no changes This prevents visudo from creating a new zero-length sudoers file if the user exited the editor without making any changes. Files created via a @include directive are preserved, even if empty, to avoid a parse error. GitHub issue #294. [4f086bb7ecdd] * README.md, docs/CONTRIBUTING.md: Make the sections on bug reporting consistent with each other. GitHub issue #292 [d02253b4533d] 2023-07-26 Todd C. Miller * src/exec.c: Remove unused variable introduced in last commit. [94e0708ad331] * src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Don't assume that if std{in,out,err} is a tty, it is the user's tty. Previously, sudo only checked that the fd was a terminal, not that it matched sudo's idea of the user's terminal. This matters when input or output is redirected to a different terminal. In that case we want to interpose the fd with a pipe even if it refers to a terminal. Bug #1056. [42838100b526] * MANIFEST, plugins/sudoers/regress/testsudoers/test29.out.ok, plugins/sudoers/regress/testsudoers/test29.sh, plugins/sudoers/regress/testsudoers/test30.out.ok, plugins/sudoers/regress/testsudoers/test30.sh, plugins/sudoers/regress/testsudoers/test31.out.ok, plugins/sudoers/regress/testsudoers/test31.sh: testsudoers: add -L, -l and -v tests [250e9abba14e] * plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test27.out.ok, plugins/sudoers/regress/testsudoers/test28.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/testsudoers.c: testsudoers: display when a password is required [bf540275b47d] * plugins/sudoers/testsudoers.c: testsudoers: add -L, -l and -v options. This makes it possible to test "sudo -l" and "sudo -v" using testsudoers. [871563fd71f0] 2023-07-25 Todd C. Miller * plugins/sudoers/lookup.c: sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case. [534b5e02dc34] * plugins/sudoers/logging.c: Fix user warning message for "sudo -l command" when not allowed. Reported by the sudo-rs project. There was a missing space between "list" and the actual command. This also changes the output to include the command as specified by the user, not the path found in the path. Previously, if the command did not exist it would not be included in the message. [f509188ce041] * plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: Add free function for sudo Python module. This reduces the amount of memory leaked on unload. [71e459d071be] 2023-07-24 Todd C. Miller * .hgtags: Added tag SUDO_1_9_14p3 for changeset 6902151970b6 [0083fdf4fc08] <1.9> * configure, configure.ac: sudo 1.9.14p3 [6902151970b6] [SUDO_1_9_14p3] <1.9> * NEWS: Document bug fixes in 1.9.14p3. [538b0d8db69d] <1.9> * NEWS: Document bug fixes in 1.9.14p3. [01b3a5943678] * plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: Merge sudo_module_register_loghandler and sudo_module_set_default_loghandler. We now create the LogHandler class for each interpreter in python_plugin_init() instead of just once in sudo_module_init(). This fixes the crash seen in Py_EndInterpreter() with Python 3.12 and significantly reduces the number of leaked objects tracked by MemorySanitizer. [92156e042c81] <1.9> * plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: Merge sudo_module_register_loghandler and sudo_module_set_default_loghandler. We now create the LogHandler class for each interpreter in python_plugin_init() instead of just once in sudo_module_init(). This fixes the crash seen in Py_EndInterpreter() with Python 3.12 and significantly reduces the number of leaked objects tracked by MemorySanitizer. [d257e01240c1] * plugins/python/python_convmessage.c: sudo_module_register_conv_message: fix copy pasta in debug_decl [de399cdf465c] 2023-07-22 Todd C. Miller * plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.c: sudo_module_register_loghandler: clear sudo_type_LogHandler on error Also add comments about PyModule_AddObject stealing a ref on success. [8f500926c894] <1.9> * plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.c: sudo_module_register_loghandler: clear sudo_type_LogHandler on error Also add comments about PyModule_AddObject stealing a ref on success. [cd6ffb5ec1be] * plugins/python/pyhelpers.c: Use Py_XDECREF instead of manual NULL check + Py_DECREF [9dababbb90ab] 2023-07-21 Todd C. Miller * plugins/python/python_loghandler.c: Work around a crash with Python 3.12. In sudo_module_set_default_loghandler() if we don't leak the reference to py_loghandler we get a crash in Py_EndInterpreter() with Python 3.12. This probably indicates a reference counting bug elsewhere. [77e8641b7b40] <1.9> * plugins/python/python_loghandler.c: Work around a crash with Python 3.12. In sudo_module_set_default_loghandler() if we don't leak the reference to py_loghandler we get a crash in Py_EndInterpreter() with Python 3.12. This probably indicates a reference counting bug elsewhere. [89fb0311367c] * plugins/python/regress/check_python_examples.c: Unbuffer stdout so we don't miss output during a crash. [07222dfccfe2] * plugins/python/python_loghandler.c: Use PyObject_CallNoArgs() where possible. [abd4dcbee072] <1.9> * plugins/python/python_loghandler.c: Use PyObject_CallNoArgs() where possible. [5a1bef07358a] * plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.h: Make sudo_type_ConvMessage and sudo_type_LogHandler static. They are not used outside their respective compilation units. [c8dfb695dba1] <1.9> * plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.h: Make sudo_type_ConvMessage and sudo_type_LogHandler static. They are not used outside their respective compilation units. [9ec37d3a2f64] 2023-07-20 Todd C. Miller * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in: Pass TEST_VERBOSE to all test programs. [39c17a66b02e] * lib/iolog/regress/host_port/host_port_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c: All test programs should accept the -v option, even if it is ignored. [d4cb95054f73] * plugins/python/python_plugin_common.c: Revert last change, wrong diff committed. [d266c05853ce] * plugins/python/regress/testhelpers.c: Adapt to changed formatting of a rejected result in Python 3.12 [2f89b9e6a104] <1.9> * plugins/python/regress/testhelpers.c: Adapt to changed formatting of a rejected result in Python 3.12 [138957911238] * plugins/python/python_plugin_common.c: _python_plugin_new_interpreter switches to the new interpreter No need to do PyThreadState_Swap in the caller. [c848e20f3e93] * plugins/python/example_audit_plugin.py, plugins/python/pyhelpers.c, p lugins/python/regress/testdata/check_example_audit_plugin_receives_a ccept.stdout, plugins/python/regress/testdata/check_example_audit_pl ugin_receives_error.stdout, plugins/python/regress/testdata/check_ex ample_audit_plugin_receives_reject.stdout, plugins/python/regress/te stdata/check_example_audit_plugin_version_display.stdout, plugins/py thon/regress/testdata/check_example_audit_plugin_workflow_multiple.s tdout, plugins/python/regress/testdata/check_example_debugging_c_cal ls@diag.log, plugins/python/regress/testdata/check_example_debugging _c_calls@info.log, plugins/python/regress/testdata/check_example_gro up_plugin_is_able_to_debug.log, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log: Remove trailing whitespace from test output. [11db46e923fc] <1.9> * plugins/python/example_audit_plugin.py, plugins/python/pyhelpers.c, p lugins/python/regress/testdata/check_example_audit_plugin_receives_a ccept.stdout, plugins/python/regress/testdata/check_example_audit_pl ugin_receives_error.stdout, plugins/python/regress/testdata/check_ex ample_audit_plugin_receives_reject.stdout, plugins/python/regress/te stdata/check_example_audit_plugin_version_display.stdout, plugins/py thon/regress/testdata/check_example_audit_plugin_workflow_multiple.s tdout, plugins/python/regress/testdata/check_example_debugging_c_cal ls@diag.log, plugins/python/regress/testdata/check_example_debugging _c_calls@info.log, plugins/python/regress/testdata/check_example_gro up_plugin_is_able_to_debug.log, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log: Remove trailing whitespace from test output. [38f03683001d] 2023-07-19 Todd C. Miller * plugins/python/python_plugin_common.c: We can rely on Py_FinalizeEx() to free sub-interpreters. [0c84c411a6a0] * plugins/python/python_plugin_common.c: Call PyImport_AppendInittab after pre-initialization. Also remove redundant PyConfig settings. [e4f463e1094a] 2023-07-18 Todd C. Miller * plugins/python/python_plugin_common.c: Use Py_InitializeFromConfig() not Py_InitializeEx() for Python >= 3.8. Avoids deprecation warnings on Python 3.12. [99dc5948416d] <1.9> * plugins/python/python_plugin_common.c: Use Py_InitializeFromConfig() not Py_InitializeEx() for Python >= 3.8. Avoids deprecation warnings on Python 3.12. [56e4c7111744] 2023-07-18 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/eventlog/regress/logwrap/check_wrap.c, lib/util/glob.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/glob/globtest.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/python/regress/check_python_examples.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/sudoreplay.c, plugins/sudoers/tsdump.c: Prefer fputs over fprintf where possible fprintf does extra work and meant for formatting strings. [c31cdbe6f23f] 2023-07-18 Todd C. Miller * NEWS: The sudoers option is "use_pty", not "log_pty" GitHub issue #291 [08b582beb2c9] <1.9> * NEWS: The sudoers option is "use_pty", not "log_pty" GitHub issue #291 [31cf599c73d5] 2023-07-17 Todd C. Miller * lib/util/term.c: Quiet a warning false positive with older versions of gcc. [8556d6c1cd37] * plugins/sudoers/sudoers.c: sudoers_check_common: MODE_PRESERVE_ENV is not valid with MODE_CHECK. We should only check for MODE_PRESERVE_ENV when running a command. [8fc6f392cc43] 2023-07-15 Todd C. Miller * .hgtags: Added tag SUDO_1_9_14p2 for changeset 47c0bf9a7ebb [6bbe51d30496] <1.9> * configure, configure.ac: sudo 1.9.14p2 [47c0bf9a7ebb] [SUDO_1_9_14p2] <1.9> * plugins/sudoers/match.c: runas_userlist_matches: fix matching a Runas_Spec with an empty runas user. We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290 [164428126ee6] <1.9> * MANIFEST, plugins/sudoers/match.c, plugins/sudoers/regress/testsudoers/test28.out.ok, plugins/sudoers/regress/testsudoers/test28.sh: runas_userlist_matches: fix matching a Runas_Spec with an empty runas user. We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290 [ba9da369370e] 2023-07-14 Todd C. Miller * NEWS: Document bug fixes in 1.9.14p2. [e5cd975816b8] <1.9> * NEWS: Document bug fixes in 1.9.14p2. [cb5ece49ad53] * src/exec_pty.c: Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped. This fixes a problem with "stair-stepped" output when the sudo-run command's output is piped to another program and the command reads input from the terminal. [17009f9817b0] <1.9> * src/exec_pty.c: Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped. This fixes a problem with "stair-stepped" output when the sudo-run command's output is piped to another program and the command reads input from the terminal. [faa06b1e8913] * src/exec_monitor.c, src/exec_pty.c: Simplify the exec_monitor() foreground flag. Add cmnd_foreground flag that is only true if sudo is the foreground process and the CD_EXEC_BG flag is not set and pass it to exec_monitor(). This means exec_monitor() no longer needs to check for CD_EXEC_BG. [6cc420fea368] <1.9> * src/exec_monitor.c, src/exec_pty.c: Simplify the exec_monitor() foreground flag. Add cmnd_foreground flag that is only true if sudo is the foreground process and the CD_EXEC_BG flag is not set and pass it to exec_monitor(). This means exec_monitor() no longer needs to check for CD_EXEC_BG. [65ac52524254] * include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c: sudo_term_raw: change the isig argument into a flags field There are current two flags: SUDO_TERM_ISIG (enable terminal signals) and SUDO_TERM_OFLAG (preserve output flags). [15fdaae9fa3b] <1.9> * include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c: sudo_term_raw: change the isig argument into a flags field There are current two flags: SUDO_TERM_ISIG (enable terminal signals) and SUDO_TERM_OFLAG (preserve output flags). [09eced2fb202] 2023-07-12 Todd C. Miller * src/exec_ptrace.c: Fix a crash in intercept mode running a command with NULL argv[0]. Newer Linux kernels replace a NULL argv[0] with the empty string, we should as well. [74e81e6d373a] <1.9> * src/exec_ptrace.c: Fix a crash in intercept mode running a command with NULL argv[0]. Newer Linux kernels replace a NULL argv[0] with the empty string, we should as well. [d1cb1882d7e8] * src/conversation.c: sudo_conversation_printf: simplify \n -> \r\n handling [de2ddc08f262] * src/conversation.c: sudo_conversation: zero out reply even if no password is requested. This avoids a potential invalid free in the err label and provides more predictable behavior when mixing message types in a conversation. [79cc9efe3dbf] 2023-07-11 Todd C. Miller * .hgtags: Added tag SUDO_1_9_14p1 for changeset fc033946b1a9 [ee6033290e91] <1.9> * configure, configure.ac: sudo 1.9.14p1 [fc033946b1a9] [SUDO_1_9_14p1] <1.9> * NEWS: Docume bug fixes in 1.9.14p1. [f526fda905de] <1.9> * NEWS: Docume bug fixes in 1.9.14p1. [7e4a4b7ed53b] * plugins/sudoers/log_client.c: fmt_info_messages: don't include ttyname if it is NULL The NULL check was commented out for testing but should have been restored. Fixes a potential protocol error message from sudo_logsrvd. [12cf2b87355a] <1.9> * plugins/sudoers/log_client.c: fmt_info_messages: don't include ttyname if it is NULL The NULL check was commented out for testing but should have been restored. Fixes a potential protocol error message from sudo_logsrvd. [c983428b3ad8] * logsrvd/iolog_writer.c: evlog_new: store a new copy of peeraddr, not a pointer to a buffer. Starting in sudo 1.9.14, eventlog_free() will free the peeraddr member too so it needs to be dynamically allocated. [4c984e3e6aef] <1.9> * logsrvd/iolog_writer.c: evlog_new: store a new copy of peeraddr, not a pointer to a buffer. Starting in sudo 1.9.14, eventlog_free() will free the peeraddr member too so it needs to be dynamically allocated. [846cf82b8eab] 2023-07-10 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/realpath.c: realpath.c: include limits.h and use sysconf(_SC_SYMLOOP_MAX) This is more portable and eliminates the need to check for SYMLOOP_MAX (and provide it if missing) in configure. Also quiet some -Wconversion warnings. [beabc1e73e11] * plugins/sudoers/ldap_conf.c: sudo_krb5_ccname_path: avoid gcc false positive for ccname being NULL The callers all verify that they don't pass a NULL ccname so I'm not sure how the compiler is getting confused (and why now?). [93043879e7f2] * include/sudo_debug.h: Work around unused variable warning when fuzzing in enabled. [ac4bd3bfeb71] * plugins/sudoers/check_util.c, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test26.sh: Only allow the user to specify -D or -R for the special "*" value. The sudoers file must now explicitly allow the user to specify a directory (sudo -D) or chroot (sudo -R) by setting cwd or chroot to "*". If a specific cwd or chroot value is set in sudoers, the user may not use the -D or -R options, even if they match the value in sudoers. [790d60c6ed4b] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in: Add restrict keyword to sudo_printf_t in plugin docs. [46c15d2647cc] * include/sudo_debug.h, lib/util/sudo_debug.c: Convert sudo_debug_enter and sudo_debug_exit into macros. In most cases, these simply expand to a call to sudo_debug_printf2(). We need to keep the function versions around in libsudo_util for backwards compatibility. [b76b35e12afa] * lib/util/sudo_debug.c: Fix sudo_debug_exit_uint_v1 declaration for fuzzers. [d4edc2fb3299] * lib/util/sudo_debug.c: Add missing sudo_debug_exit_uint_v1 stub for fuzzers. [71a4a37fbc90] * src/conversation.c, src/edit_open.c, src/exec_common.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.h, src/sudo_exec.h, src/tgetpass.c: sudo frontend: make more bit flags unsigned. [f353bc889b26] * plugins/sudoers/auth/API, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: sudoers plugin: make more bit flags unsigned. [77a583ebe2e7] * include/sudo_debug.h, include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/sudo_debug.c, lib/util/util.exp.in: libsudo_util: make more bit flags unsigned. [005d0be694f5] 2023-07-08 Todd C. Miller * plugins/sudoers/timeout.c: parse_timeout: move overflow check to the correct location It was not covering all cases in its original location. Fixes oss- fuzz issue 60454 with fuzz_sudoers. [e40119f18e83] 2023-07-07 Todd C. Miller * Merge pull request #287 from AtariDreams/restrict Give every printf-like function restrict qualifiers [4945ab27d6c4] * src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: struct exec_closure: make rows and cols int, not short There's no real space saved by using short and using int avoids a few casts. [8385add04ed2] * plugins/sudoers/testsudoers.c: testsudoers: avoid extern definitions where possible [ef4bed9a6a41] * include/sudo_json.h, include/sudo_lbuf.h, lib/util/closefrom.c, lib/util/digest.c, lib/util/event_poll.c, lib/util/fatal.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gidlist.c, lib/util/json.c, lib/util/lbuf.c, lib/util/mkdir_parents.c, lib/util/parseln.c, lib/util/regex.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sig2str.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/ttysize.c: libsudo_util: silence most -Wconversion warnings. [420705f9796a] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c, lib/eventlog/logwrap.c, lib/eventlog/parse_json.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c: libevent: silence -Wconversion warnings. [f00cb5679a19] * lib/fuzzstub/fuzzstub.c: libfuzzstub: silence -Wconversion warnings. [164d2412d209] * include/sudo_iolog.h, lib/iolog/hostcheck.c, lib/iolog/iolog_filter.c, lib/iolog/iolog_legacy.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_read.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_write.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c: libiolog: silence -Wconversion warnings. [d8c1a0869ef4] * logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c: sudo_logsrvd: silence most -Wconversion warnings. [bf3f40ec4645] * plugins/sudoers/alias.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/b64_encode.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/display.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/filedigest.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c: sudoers plugin: silence most -Wconversion warnings. [074179cbc3a8] * plugins/python/pyhelpers.c, plugins/python/python_convmessage.c, plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c, plugins/python/sudo_python_module.c: python plugin: silence -Wconversion warnings. [a59d980f2793] * plugins/sample/sample_plugin.c, src/conversation.c, src/copy_file.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_preload.c, src/exec_ptrace.c, src/exec_pty.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c, src/tgetpass.c, src/ttyname.c: sudo frontend: silence most -Wconversion warnings. [0dbece7ccb47] * config.h.in, configure, configure.ac: Add configure check for restrict keyword. [f02ab280d8df] * plugins/sudoers/sudoers.c: sudoers_check_common: remove extraneous return statement. [0df4297873b9] 2023-07-07 Rose <83477269+AtariDreams@users.noreply.github.com> * include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_util.h, lib/eventlog/logwrap.c, lib/util/fatal.c, lib/util/inet_ntop.c, lib/util/lbuf.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/audit_json/audit_json.c, plugins/group_file/plugin_test.c, plugins/python/pyhelpers.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_preload.c, src/parse_args.c, src/sudo_plugin_int.h: Give every printf-like function restrict qualifiers The format value has to be a string literal, every time. Otherwise, you are not using these functions correctly. To reinforce this fact, I putrestrict over every non-contrib example of this I could find. [e0f8bc0d596a] 2023-07-06 Todd C. Miller * include/sudo_digest.h, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/regress/digest/digest_test.c: Make the remaining instances of digest_type unsigned. [409adc30cce2] 2023-07-05 Todd C. Miller * plugins/sudoers/iolog_path_escapes.c: Copy, don't append group ID in fill_group() and fill_runas_group() This only affects the case where a group ID cannot be resolved. [74cc29b9f7f0] * lib/iolog/Makefile.in: Remove regress corpus directories correctly [406b862a7f2f] * include/sudo_debug.h, include/sudo_util.h, lib/util/strtomode.c, lib/util/sudo_debug.c, lib/util/util.exp.in: Change sudo_strtomode() to return mode_t. [5dc42fb5c2ad] 2023-07-04 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoreplay.c: Rename print_usage() to display_usage() [9e8390bb1ed0] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Move display of usage text into display_usage() so usage() always exits. [ded72aceb6f4] * lib/util/parseln.c, logsrvd/logsrvd_journal.c: Fix some indentation. [bb84e5596d9c] * plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/testsudoers.c: Include testsudoers_pwutil.h for testsudoers_pwutil.c prototypes. [8f494aca5cd9] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pwutil_impl.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h: Fix wrapping of libc getpwnam/getpwuid/getgrnam/getgrgid on NetBSD. [be23d201add2] * MANIFEST, aclocal.m4, config.h.in, configure, configure.ac, lib/util/roundup.c, m4/ax_gcc_builtin.m4: Add configure tests for __builtin_clz/__builtin_clzl [d7b341700a0a] * lib/util/roundup.c: Add fallback for compilers without __builtin_clz/__builtin_clzl [d9f23c7a8fc0] * lib/util/roundup.c: sudo_pow2_roundup: fix 64-bit version when shifting 31 or more places Shift 1UL instead of 1 to avoid overflowing an int. [4d45af829af0] * Merge pull request #286 from AtariDreams/one-more Optimize sudo_pow2_roundup_v1 [5cff0594a45c] 2023-07-03 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/roundup.c: Optimize sudo_pow2_roundup_v1 No need to call sudo_pow2_roundup_v2. [0bcd411174c0] 2023-07-03 Todd C. Miller * lib/util/roundup.c: Merge pull request #285 from AtariDreams/bug Remove comment about algorithm being from bit-twiddling hacks [869552550451] 2023-07-03 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/roundup.c: Remove comment about algorithm being from bit-twiddling hacks Said comment no longer applies. [e2fc0106c79f] 2023-07-03 Todd C. Miller * Merge pull request #284 from AtariDreams/fix Fix fuzzing errors [4abff6645036] * Merge pull request #283 from AtariDreams/bug Fixed even more signedness and conversion issues [bbf1887a5132] 2023-07-03 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/util/parseln.c, lib/util/roundup.c, logsrvd/logsrvd_journal.c: Fix fuzzing errors We should be checking for integer overflow, rather than checking if size is 0. Additionally, we should set errno to ENOMEM when this overflow happens. Finally, the most efficient implementation of the round-up-to-2 algorithm involves the clz intrinsic. [db08a808004d] 2023-07-03 Todd C. Miller * lib/util/lbuf.c: sudo_lbuf_expand: limit allocation to UINT_MAX [1cb5a458baaa] * lib/util/parseln.c: sudo_parseln: use sudo_pow2_roundup() instead of hand-rolling it. [0582d18df65a] * logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h: Promote length/size/offset in struct connection_buffer to size_t. [5e5a2a39c8e5] * include/sudo_util.h, lib/util/lbuf.c, lib/util/roundup.c, lib/util/util.exp.in, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, plugins/sudoers/log_client.c: Make sudo_pow2_roundup() operate on size_t. [cbae7a651a94] 2023-07-03 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/timestamp.c, plugins/sudoers/tsgetgrpw.c, src/sudo.c: Fixed even more signedness and conversion issues This should be the last of them. [ccd65d72c6ac] 2023-07-01 Todd C. Miller * include/sudo_debug.h, lib/util/sudo_debug.c, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_loghandler.c, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h: Make the debug subsystem unsigned. It was already unsigned in sudoers but not in the front-end or the python plugin. Making this consistent resolves a lot of -Wconversion warnings. Also clean up some other -Wconversion warnings in sudo_debug.c. [c6d20404141c] * lib/eventlog/eventlog.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/sudo.c: Fix up indentation. [d4ed4eaf46bd] * Merge pull request #280 from AtariDreams/bug Mark functions not returning as sudo_noreturn [eaa69a6d85c6] 2023-07-01 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/eventlog/eventlog.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, logsrvd/logsrvd.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sesh.c, src/sudo.c: Mark functions not returning as sudo_noreturn We also put NOTREACHED where it applies. [d688d55f3c4c] 2023-07-01 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l, src/limits.c: Avoid passing debug_return_size_t() a negative number. [7876d918030c] * Merge pull request #279 from AtariDreams/bison Regenerate toke.c using updated flex [3fc1517ec05d] 2023-06-30 Todd C. Miller * plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/testsudoers.c: Fix a few memory leaks in the tests. [c76134b329b3] * MANIFEST, plugins/sudoers/regress/testsudoers/group, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test27.out.ok, plugins/sudoers/regress/testsudoers/test27.sh, plugins/sudoers/testsudoers.c: Add test for runas_check_shell and check_user_shell() [8e220e34840d] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test26.sh, plugins/sudoers/testsudoers.c: testsudoers: add -D and -R options to set cwd and chroot like sudo [a34c5ca239ca] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/check_util.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Move check_user_* functions to check_util.c so testsudoers can use them. [109830a316ee] 2023-06-29 Todd C. Miller * plugins/sudoers/testsudoers.c: testsudoers: make lbuf private to dump_sudoers() It is no longer used directly in main. [c2c5e7b3db6b] * plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/testsudoers.c: testsudoers: display "Parse error" if there was a parse error. Previously, we just printed "Command unmatched" which makes it harder to see that an error occurred. [099360b56cc6] * plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/testsudoers.c: testsudoers: use allowed/denied/unmatched instead of just matched/unmatched This makes it possible to tell whether an entry was rejected due to a negative match (explicitly denied) as opposed to a non-match. Also fixes a bug where the runas status was only printed for positive matches. [3e9fc5fd7bb9] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/testsudoers.c: testsudoers: use sudoers_lookup() instead of a custom loop. [a0ca73d81fa4] * plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c: Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks. [bcd59528055a] 2023-06-29 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Regenerate toke.c using updated flex Use the current version of flex to generate toke.c [118d001d189c] 2023-06-29 Todd C. Miller * plugins/sudoers/testsudoers.c: Merge pull request #278 from AtariDreams/types Avoid compiler casting warnings Part 2 [894767f88afa] * plugins/sudoers/sudoers.c: check_user_runcwd: only allow sudo's -D option if sudoers specifies a runcwd. Previously, the user could specify the runas user's home dir for "sudo -i" or the user's existing cwd when -i is not specified. This behavior was never documented and is inconsistent with how the -R option is handled. [e79eddc35325] * MANIFEST, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test24.sh, plugins/sudoers/testsudoers.c: testsudoers: add support for NOTBEFORE and NOTAFTER Also adds -T option to set the value of "now". [b2d95b4a131d] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/lookup.c, plugins/sudoers/parse.c: Rename parse.c -> lookup.c now that it only contains sudoers_lookup. [141000ce5f24] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/display.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h: Split display_privs() and display_cmnd() out of parse.c into display.c [d654dd871e43] * lib/util/snprintf.c: No need to round up to page size with sudo_mmap_alloc(). [a57803434010] * logsrvd/logsrvd.c: Merge pull request #265 from AtariDreams/types Avoid compiler casting warnings by assigning to variables of the same type where possible [16d8e7383e3e] * Merge pull request #277 from AtariDreams/debug_return_int(1); We should be returning 0, not 1, when logservd finishes without errors [19289d607981] 2023-06-28 Rose <83477269+AtariDreams@users.noreply.github.com> * logsrvd/logsrvd.c: We should be returning 0, not 1, when logservd finishes without errors 1 is for failure, 0 is for no failure, and this does not look like a failure. [7a0d2f4bf5d3] 2023-06-28 Todd C. Miller * config.h.in, configure, configure.ac, src/sudo_intercept.c, src/sudo_intercept_common.c: Fix undefined symbol on macOS for intercept mode and log_subcmds. macOS does not support direct access to the environ pointer from a shared object. We need to redirect through _NSGetEnviron() instead. Fixes GitHub issue #276. [2cbebcb8082c] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: check_user_runcwd: allow -D option if it matches the cwd in sudoers Previously, check_user_runcwd() would return true if the runcwd matched the user's cwd, even if sudoers specified a different one. The user-specified runcwd was ignored but it is better to error out in this case. It is now also possible to use "sudo -D" with the directory specified in sudoers. [d32e07966e0e] 2023-06-27 Todd C. Miller * .hgtags: Added tag SUDO_1_9_14 for changeset 8010d7515347 [ff70094a18c0] <1.9> * MANIFEST, NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_nopty.c: Merge sudo 1.9.14 from tip. [8010d7515347] [SUDO_1_9_14] <1.9> 2023-06-26 Todd C. Miller * Merge pull request #275 from AtariDreams/emergency Set command_info to NULL once it is freed [6d1e55f4e7b9] 2023-06-26 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/policy.c: Set command_info to NULL once it is freed The lack of setting to NULL is a holdover from when command_info was a local variable and not a global one. However, we given how other global variables are set to NULL, it is best that we do the same here to avoid potential issues should sudoers_policy_store_result be called again after the first time failed, otherwise we could get a double-free. [a1a462a52a98] 2023-06-25 Todd C. Miller * Merge pull request #274 from bin-ly/main Modify the is_script function for match_command.c [05675d16bd52] 2023-06-25 binlingyu * plugins/sudoers/match_command.c: Modify the is_script function for match_command.c [ce944a838c33] 2023-06-21 Todd C. Miller * NEWS: Mention C99 requirement. [f12a7b68e0b2] 2023-06-20 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Reference SETENV-related settings in the command environment section. Based on GitHub PR #273 from Ilya Kulakov. [f8b5ef533800] * INSTALL.md: Sudo requires a C99 compiler due to the use of flexible array members. [bb80666c7382] * Merge pull request #266 from AtariDreams/c99 Do variable length arrays the C99 way [690561b17683] 2023-06-19 Todd C. Miller * Merge pull request #269 from trackers-lover/main correct the return value type of function alias_find_used [30dc3eb4a59a] 2023-06-18 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Clarify that use_pty is on by default starting with 1.9.14. [984048215229] * docs/sudo.man.in, docs/sudo.mdoc.in: Sudo runs the command in a pty by default in 1.9.14 and above. [92ec41fdf7c9] * plugins/sudoers/sudoers.in: Add commented out example for disabling use_pty. [9a59b831f363] 2023-06-15 Todd C. Miller * .circleci/config.yml: Update Xcode version from 13.2.1 to 13.4.1. [10bbb25b415e] 2023-06-14 Todd C. Miller * MANIFEST: Add plugins/sudoers/regress/testsudoers/passwd to MANIFEST. [016644afd8ae] * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, po/eo.mo, po/eo.po, po/pl.mo, po/pl.po: Updated translations from translationproject.org [97167b63ffbd] * NEWS: Document recent bug fixes. [34d8ffa919c6] * MANIFEST, plugins/sudoers/regress/testsudoers/group, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test22.sh, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test23.sh: Add tests to exercise recent runas user and group bug fixes. [20f19831ed34] * MANIFEST, plugins/sudoers/regress/testsudoers/passwd, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test21.sh: Add test to exercise the bug that prevented the group specified via "sudo -g" from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec. [16c0668b5c4b] 2023-06-13 Todd C. Miller * plugins/sudoers/match.c: runaslist_matches: split out user_list and group_list matching. This makes it possible to call the appropriate runas user or group list match function when resolving aliases instead of calling runaslist_matches() itself. Fixes a bug that prevented the group specified via "sudo -g" from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec. [3e0885e96418] * plugins/sudoers/match.c: runaslist_matches: remove special case to handle "sudo -g group" Now that we are guaranteed to have a runas user list for all sudoers rules that contain a runas list, we can remove support for the special case where user_matched is set in the runas group matching conditional. This fixes a bug where "sudo -u myuser -g mygroup" was permitted by a rule like "myuser ALL = (root) ALL". [d80e907efe77] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.out.ok: Populate runasusers even when only a grouplist is specified. When a sudoers rule permits the user to run commands as a group, not a user, we should set the runasusers to single member with the special MYSELF token. This guarantees that the only time runasusers will be NULL is when no runaslist is present. [25c293ae5053] * plugins/sudoers/match.c: runaslist_matches: fix bug when no runas list is specified in sudoers. If a sudoers rule has no runas list, a user-specified runas group should only be allowed if it matches a group that the default runas user belongs to. Instead, a missing group check allowed the user run commands as the default runas user with an arbitrary group. This means that a rule like "somebody host = ALL", which should be equivalent to "somebody host = (root) ALL", had the same effect as "somebody host = (root:ALL) ALL". [eeb075b3b79c] 2023-06-11 Todd C. Miller * plugins/python/pyhelpers.h: Python may be built with 32-bit time_t support on 32-bit platforms. We need to undef the SIZEOF_TIME_T from pyconfig.h so it does not conflict with our own. [c8bf985eb777] 2023-06-10 Todd C. Miller * Merge pull request #272 from millert/main Avoid use of variable length arrays and add ctype(3) casts. [806b2266f6ab] * lib/util/lbuf.c: Avoid use of variable length arrays and add ctype(3) casts. [d8c80d4905b3] * Merge pull request #270 from moehanabi/main Add %n$s support for sudo_lbuf_append_v1 [53ad2cdaaabe] 2023-06-09 Brilliant Hanabi <130747944+moehanabi@users.noreply.github.com> * lib/util/lbuf.c: Add %n$s support for sudo_lbuf_append_v1 [f48fa0250fdc] 2023-06-09 bianguangze * plugins/sudoers/alias.c: correct the return value type of function alias_find_used [f689f55fef3f] 2023-06-07 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/ro.mo, po/ro.po, po/ru.mo, po/ru.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po: Updated translations from translationproject.org [966147718ed3] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.14 [b79b44520c46] * NEWS: Mention Bug #1050 fix. [c4af7e56a515] * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h: Add NETGROUP_QUERY option for servers that can't match nisNetgroupTriple. This can be used to support netgroup queries on systems that lack the innetgr() function and where the LDAP server cannot query the nisNetgroup by nisNetgroupTriple. [98b293bee424] 2023-06-06 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h: sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches() This allows us to use the LDAP-specific version of innetgr() when possible. Also enable "use_netgroups" by default even on systems without innetgr() since we can now query netgroups directly via LDAP. [a443919be48c] 2023-06-05 Todd C. Miller * src/exec_ptrace.c: Only call ptrace_verify_post_exec() for intercept, not log_subcmds. [9f55dcdd66cd] * NEWS, configure, configure.ac: sudo 1.9.14 [73c25828ffc8] 2023-06-04 Todd C. Miller * plugins/sudoers/visudo.c: run_command: back out changes to run editor in its own process group. It unnecessarily complicates things to work around bugs in an OS almost no one runs. [8790d32a4f99] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/suspend_parent.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, src/Makefile.in, src/sudo_exec.h, src/suspend_parent.c: Make suspend_parent.c out of lib/util and into src. Nothing else uses it now. [69eda3d690e4] 2023-06-03 Todd C. Miller * plugins/sudoers/digestname.c, plugins/sudoers/filedigest.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Initialize digest_type to SUDO_DIGEST_INVALID, not -1 and make it unsigned. This makes the digest type consistently unsigned instead of a mix of signed (for the -1 value in the tokenizer) and unsigned. [49ef7c33450f] 2023-05-25 Todd C. Miller * docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, etc/codespell.exclude, etc/codespell.ignore, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/pivot.c, plugins/sudoers/visudo.c: Fix typos and update excluded/ignored codespell lists. [bdb70620b4e4] 2023-05-19 Todd C. Miller * plugins/sudoers/visudo.c: run_command: check that ttyfd is not -1 before using it [990cbd169a37] 2023-05-18 Rose <83477269+AtariDreams@users.noreply.github.com> * include/sudo_event.h, lib/util/event.c, lib/util/rcstr.c, plugins/sudoers/canon_path.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h: Do variable length arrays the C99 way Variable length arrays are supported by C99, but having it denoted as "1" confused the compiler and is not defined. Note that because we don't get the inferred NULL terminator, we have to increase the malloc size by one. [4e33419e940e] * lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/iolog/hostcheck.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/event.c, lib/util/explicit_bzero.c, lib/util/fatal.c, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/hexchar.c, lib/util/inet_ntop.c, lib/util/json.c, lib/util/lbuf.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/multiarch.c, lib/util/progname.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/term.c, lib/util/uuid.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/editor.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/iolog.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_monitor.c, src/limits.c, src/parse_args.c, src/sesh.c, src/sudo.c, src/sudo.h: Avoid compiler casting warnings by assigning to the same type where possible This saves instructions that are related to casting as well as compiler warnings. [d47033551fca] * lib/util/mktemp.c, lib/util/regress/tailq/hltq_test.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, plugins/group_file/plugin_test.c, plugins/sudoers/editor.c, plugins/sudoers/filedigest.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_digest.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/limits.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: Avoid compiler casting warnings Part 2 This saves instructions that are related to casting as well as compiler warnings. [685a954b019f] 2023-05-11 Todd C. Miller * plugins/sudoers/visudo.c: Work around a macOS a kernel bug where tcsetpgrp() does not restart. I reported this bug to Apple over 12 years ago. [77871464e563] * plugins/sudoers/visudo.c: run_command: run editor in foreground if visudo is the foreground process The command is now always run in its own process group. If visudo is run in the foreground, the command is run in the foreground too. Otherwise, run the command in the background. There is a race between the tcsetpgrp() call in the parent and the execve() in the child. If we lose the race and the command needs the controlling terminal, it will be stopped with SIGTTOU or SIGTTIN, which the waitpid() loop will handle. [e8e14e0024da] * plugins/sudoers/visudo.c: Accept carriage return for EOL in addition to newline. Since visudo doesn't alter the terminal settings it is possible for the terminal to have the ONLCR bit set in the output control flags. In that case, we will get a CR, not a NL when the user presses enter/return. One way this can happen is if visudo is run in the background from a shell that supports line editing and the editor restores the (cbreak-style) terminal mode when it finishes. [14538e74fd02] 2023-05-09 Todd C. Miller * plugins/sudoers/regress/parser/check_fill.c: check_fill: sudoers_strict() is now a function, not a global variable [8b8e72d283df] * plugins/sudoers/parse.h, plugins/sudoers/sudoers.h, plugins/sudoers/toke.h: Move parser prototypes / externs from sudoers.h to parse.h or toke.h. [79a52390c46b] * plugins/sudoers/file.c, plugins/sudoers/sudoers.c: parse.h is already included by sudoers.h. [f6faa3f782a2] * plugins/sudoers/policy.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Rename parser_conf -> sudoers_conf in all but the parser itself. [61614621341e] 2023-05-08 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Move sudoers search path to struct sudoers_parser_config. That way we can avoid passing it to init_parser() directly. We still need sudoers_search_path to be shared between the lexer and the parser. [5e6c6a08aded] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Add struct sudoers_parser_config and pass it to init_parser(). This struct contains parser configuration such as the sudoers file uid/gid/mode and parse flags such as verbose, strict and recovery. [ed8042e7a49a] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: push_include_int: Avoid passing close(2) a negative value on error. Coverity CID 314108 [bbbdfa87543e] * plugins/sudoers/ldap.c: Eliminate dead store. Coverity CID 315032. [6b48998e4db1] 2023-05-05 Todd C. Miller * include/sudo_iolog.h, lib/iolog/iolog_gets.c: iolog_gets: change size parameter to int to match fgets/gzgets Return an error, setting errno to EINVAL, for negative sizes. [27534bcb58a7] 2023-05-05 Rose <83477269+AtariDreams@users.noreply.github.com> * plugins/sudoers/sudoers_hooks.c: Redundant cast removal in sudoers_hooks def_sudoers_locale is already a char* [2f79add9136d] 2023-05-04 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Rename force_umask to override_umask and make it private to sudoers.c. Add getter for policy.c. [1c8a56c767f3] * plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Make timestamp_uid and timestamp_gid private to timestamp.c. Add getter (for set_perms.c) and setter (for sudoers.c). [ad49d0ee7e6f] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h: Make login_style private to bsdauth.c Add a setter for policy.c to handle auth_type from the front-end. [962af1d3d0fd] 2023-05-03 Todd C. Miller * lib/util/sudo_debug.c: Back out last change, len must be int, not size_t, for %.*s. [a82bbd86fa29] * src/exec_pty.c: Use a "%s" format instead of using a translated string as the format. [1a73a1b4fa94] * Merge pull request #260 from AtariDreams/size_t Prefer size_t over int, as casting can take extra instructions [c0fd1027e105] 2023-05-03 Rose <83477269+AtariDreams@users.noreply.github.com> * lib/eventlog/parse_json.c, lib/util/sudo_debug.c, plugins/sudoers/fmtsudoers.c: Prefer size_t over int, as casting can take extra instructions [96fc138b2009] 2023-05-02 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Rename init_parser_ext() to init_parser() and remove old wrapper. There was only one consumer of the init_parser() wrapper now that reset_parser() has been introduced. [4be1b8965ce6] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c: Add reset_parser() and use in place of init_parser(NULL). [f85227ac1182] * plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Make path_ldap_conf and path_ldap_secret private to policy.c. Add getters for both so the ldap code can access them. [90a2107d6ec7] * plugins/sudoers/file.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Make sudoers_file private to policy.c and visudo.c. We just need a way for the policy (and visudo) to override the default sudoers path. This adds a getter to be used in file.c when sudoers is first opened. [657aa80f3af8] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Support adminconfdir for relative include paths in sudoers. [7ebdbd46b47b] * plugins/sudoers/visudo.c: Track the destination sudoers path for each parsed file. When adminconfdir is enabled, the destination pathh may be different from the path we opened. We always store an edited file in the adminconfdir (if enabled). This makes it possible to use visudo when /etc/sudoers is located on a read-only file system. [de896a012d81] * INSTALL.md, Makefile.in, configure, configure.ac, docs/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, m4/sudo.m4, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add adminconfdir and --enable-adminconf to set it. Configuration paths in sudo are now a colon-separated list of files with the adminconfdir instance first (if enabled), followed by a sysconfdir instance. [be1f672878ae] * configure, configure.ac, include/sudo_util.h, lib/util/Makefile.in, lib/util/secure_path.c, lib/util/sudo_conf.c, lib/util/util.exp.in, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoers.c, src/Makefile.in: Convert config file paths to colon-separated path list. This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF, and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first file that exists is used. [902d9da6a941] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Support sudoers_file being a colon-separated path of files. The first file found is used. [bebe005e2d32] 2023-05-01 Todd C. Miller * config.h.in, configure: Regenerate with latest autoconf from git. [0996570205bf] 2023-04-28 Todd C. Miller * logsrvd/logsrvd_conf.c: No longer need to set AI_NUMERICSERV while fuzzing. Now that getaddrinfo() is stubbed out while fuzzing we can remove the hack that set AI_NUMERICSERV. [8e3deb584c1c] 2023-04-26 Todd C. Miller * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: getaddrinfo stub: set sin_port [019eb2da9944] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Avoid NULL deref in stub getaddrinfo() when nodename is NULL. Also add support for parsing servname. We only need to support a subset of getaddrinfo() functionality in the fuzzer. [a605cc43bbaf] * configure, m4/hardening.m4: Add missing stdio.h include for the _FORTIFY_SOURCE=2 check. Implementations of _FORTIFY_SOURCE require the header file to be included. Also remove the useless test of an empty program with _FORTIFY_SOURCE defined. Pointed out by Florian Weimer. [511b9bdddbdc] * configure, m4/ldap.m4: Use ldap_msgfree() instead of ldap_init() for the lber.h test. The ldap_init() function is marked as deprecated and not defined by default on some systems. This can cause an error for compilers that do not support implicit function declarations. From Florian Weimer. [1b1ce2072403] 2023-04-25 Todd C. Miller * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Include arpa/inet.h for inet_pton() prototype. [50d3b09376f7] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Add netdb.h for struct addrinfo and EAI_* error codes. [92d33c6f8a23] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Stub out getaddrinfo() and freeaddrinfo(). We may not be able have access to DNS in the fuzzing environment. [b3d2e6c04076] * lib/eventlog/regress/eventlog_store/store_sudo_test.c: Plug memory leaks in store_sudo_test found by LSAN. [5f1d68d01c0c] 2023-04-24 Todd C. Miller * src/limits.c: disable_coredump: only change the soft limit, leave the hard limit as-is This should avoid problems on Linux in cases where sudo does not have CAP_SYS_RESOURCE which may be the case in an unprivileged container. GitHub issue #42 [4e65c3923119] 2023-04-19 Todd C. Miller * scripts/build_pkgs: Add basic support for remote power on/off via net-snmp. [ca021941fd58] * src/exec.c: More accurate description of what happens for "sudo -b". [a9158169fcac] * src/exec_pty.c: Better support for "sudo -b" when running the command in a pty. When a command is run via "sudo -b" it has no access to terminal input. In non-pty mode, the command runs in an orphaned process group and reads from the controlling terminal fail with EIO. We cannot do the same while running in a pty but if we set stdin to a half-closed pipe, reads from it will get EOF. That is close enough. [a284611a18fd] 2023-04-18 Todd C. Miller * src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.h, src/ttyname.c: Avoid calling isatty()/ttyname() on std{in,out,err} if not a char dev. The user controls these fds so we should avoid calling ioctl(2) on them unless they correspond to actual character device files. [745430b563db] * src/parse_args.c, src/sudo_usage.h.in: Hard-code usage() and help() for an 80-column terminal. Trying to tailor the help and usage output to the terminal width is simply not worth it and could be abused to mark a socket as "trusted" on Linux if there are additional kernel bugs like CVE-2023-2002. [d06fa6322ffb] * config.h.in, configure, configure.ac, src/sudo.c, src/sudo_usage.h.in: Move CONFIGURE_ARGS from sudo_usage.h.in to config.h.in. [e3149b6f4392] 2023-04-17 Todd C. Miller * lib/util/ttysize.c, src/sudo.c: get_user_info: call sudo_get_ttysize() even if no /dev/tty We still want to initialize rows and cols based on the environment if possible. [4f3801c2f264] 2023-04-16 Todd C. Miller * src/parse_args.c: Get the tty size using stdout, not stderr, when printing help output. While usage() prints to stderr, help() prints to stdout. [0bdf411ebc7f] * src/sudo.c: get_user_info: pass sudo_get_ttysize() the fd of /dev/tty, not stderr. Both the plugin API and the main event loop expect lines/cols to refer to the user's terminal, so using /dev/tty is better here. [2e7ba199f4c7] * include/sudo_util.h, lib/util/ttysize.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c, src/parse_args.c, src/sudo.c: Add an fd argument to sudo_get_ttysize() instead of always using stderr. For sudoreplay we open /dev/tty, so use that instead of stderr when determining the terminal size. [4afc292d3cf4] * lib/util/ttysize.c: Check whether stderr is a tty before trying TIOCGWINSZ. [4a0d367e49c6] 2023-04-14 Todd C. Miller * configure, configure.ac: Use -no-undefined on macOS to avoid "-undefined dynamic_lookup" warnings. Starting with macOS 13, the linker warns when "-undefined dynamic_lookup" is used. This is added by libtool by default on macOS but we can suppress it by passing -no-undefined to libtool. [afeb9acd894c] 2023-04-08 Todd C. Miller * docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add make to Dockerfile and sort packages. [fa937cbf8a23] 2023-04-06 Todd C. Miller * docs/UPGRADE.md, docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c: Enable the use_pty option by default for sudo 1.9.14. GitHub issue #258 [86a1a6da1878] 2023-04-05 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Split up the monolithic sudoers_policy_main() function. This splits the code to find the command, perform a sudoers lookup, ask for a password as needed, and perform post-lokup checks out into sudoers_check_common(). The old sudoers_policy_main() has been replaced by sudoers_check_cmnd() (called by sudoers_policy_check()), sudoers_validate_user() (called by sudoers_policy_validate()) and sudoers_list() (called by sudoers_policy_list()). The list_user lookup is now performed in sudoers_list(). [59e0b245c776] * plugins/sudoers/sudoers.c: Move the root_sudo check until after we apply per-command Defaults. It is possible, though unlikely, for "root_sudo" to be used in a per-command Defaults statement. [ca1903576e0d] 2023-04-01 Todd C. Miller * plugins/sudoers/sudoers.c: sudoers_policy_main: restore locale if sudoers_lookup() fails. Previously, if sudoers_lookup() set VALIDATE_ERROR, the sudoers locale would still be in effect instead of the original locale. [24df4eebbfc8] * plugins/sudoers/parse.c: sudoers_lookup_pseudo: remove validated function argument This was always set to FLAG_NO_USER|FLAG_NO_HOST which are cleared at the top of the fuction. Make validated a local variables, initialized to 0, instead. No change in behavior. [72e6207850fc] 2023-03-31 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/iolog.c: The I/O log file name is not just the basename of the full iolog_path. The audit plugin already has the correct value for iolog_file, don't overwrite it with basename(iolog_path). In the future we may wish to pass in iolog_file and iolog_dir in addition to iolog_path. Fixes Bug #1046. [f272de885273] 2023-03-29 Todd C. Miller * plugins/sudoers/sudoers.c: Warn with "unknown user" not "unknown uid" if user cannot be resolved. Prior to sudo 1.8 this was after a getpwuid() but now we use getpwnam(). [9a523881df41] * plugins/sudoers/sudoers.c: Set timestamp_uid and timestamp_gid via a callback. This also makes it possible to include the location of the line in the sudoers file in the warning message (and mail). [5588cf3cb55b] 2023-03-28 Todd C. Miller * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Fix display of escape sequencees in ldapsearch example. [08dc98162160] * docs/sudoers.man.in, docs/sudoers.mdoc.in: White space is not allowed between Defaults and '@', ':', '!', '>'. The EBNF made it appear that this is allowed when it really is not. [74bba755afaf] 2023-03-27 Todd C. Miller * src/edit_open.c, src/exec.c, src/exec_intercept.c, src/exec_intercept.h, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_edit.h, src/sudo_exec.h, src/tgetpass.c: Make struct {command,user}_details pointers const where possible. [dcfa95a24789] * src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c: Make user_details private to main. [43477263455b] * src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/tgetpass.c: Make user_details private to sudo.c. [fec5df7605dc] * configure, scripts/config.sub: Regenerate with the autoconf 2.72c snapshot. [6dda0f9323b1] 2023-03-25 Todd C. Miller * src/parse_args.c: Use sudo_get_ttysize() in help() and usage(). This eliminates a dependency on the user_details global. [ecbc8afc1630] * src/exec.c, src/sudo.c, src/sudo.h: Store submitcwd (from user_details) in struct command_details. This eliminates use of the user_details global from exec_setup(). [ed37b2a451f8] 2023-03-24 Todd C. Miller * src/utmp.c: utmp_fill: user is now always non-NULL, no need for user_details. [76bdecaaad07] * src/parse_args.c, src/sudo.c, src/sudo.h: Remove list_user global. [fd397db04688] * src/conversation.c: No need to declare tgetpass_flags, it is already in sudo.h. [c7e1b8ef75c8] * src/sudo.c: No need for sudo_mode to be global anymore. [f746eba12bd9] * src/sudo.c: Make command_details private to main(). [311fd705cce4] * src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Make iobufs private to exec_iolog.c. [80861a209ddd] * src/sudo_exec.h: Remove ttymode and its associated values. [efb4e04097ab] * src/exec.c, src/exec_pty.c, src/get_pty.c, src/sudo.h, src/sudo_exec.h: Move ptyname to struct exec_closure [d4080a4262bd] * src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h: Move pty_make_controlling() to exec_monitor.c where it is called. We can use details->tty to access the pty follower path. [9875f0b136f4] * src/exec_pty.c, src/sudo.c: Eliminate utmp_user global, just use the value in struct command details. [95b28adcb0f3] * src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Replace tty_mode global with term_raw flag in struct exec_closure. The pty_cleanup hook needs access to the closure so add pty_cleanup_init() to store a pointer to the closure for use by pty_cleanup_hook(). [cc01f0da46d9] * src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h: Register pty cleanup function in exec_pty(), not exec_cmnd_pty(). We want it to execute in the main sudo process, not the monitor. [279e370adc01] * src/exec_iolog.c: Make ttyblock private to exec_iolog.c [61243eba350d] 2023-03-23 Todd C. Miller * src/exec_pty.c, src/sudo_exec.h: exec_pty.c: move foreground flag to struct exec_closure. Also make pipeline flag private to exec_pty() and remove the unneeded check_foreground() prototype. [dd25f1d91008] * src/exec_pty.c: On resume, always sync the pty terminal settings with /dev/tty. Changes made to the terminal settings while the command is suspended are now reflected in the pty when the command is resumed. This is more consistent with the non-pty behavior and allows for the removal of the "tty_initialized" global. One downside to this change is that if a terminal-based program using the pty is stopped with SIGSTOP it may have the wrong terminal settings on resume. However, this is no different from the non-pty case. [3e59765dea31] * lib/util/suspend_parent.c, lib/util/term.c: Correct a comment. [393a4d472507] 2023-03-22 Todd C. Miller * .github/FUNDING.yml: GitHub sponsor settings. [7bd778b9adef] * config.h.in, configure, configure.ac: Use built-in tests for bit types instead of using AC_CHECK_TYPES. This should be more portable as it handles the quirks of some older systems. [7e471f2a914d] * plugins/sudoers/visudo.c, src/regress/intercept/test_ptrace.c: Quiet compiler warnings on systems where pid_t is not an int. Historically, pid_t was a long on some 32-bit systems like Solaris. [c31393da893d] * plugins/sudoers/visudo.c: Silence "used uninitialized" false positives with older gcc versions. [40f0ee142249] * src/exec_pty.c: exec_pty: always copy the terminal settings from /dev/tty the pty. Previously, we only did this when running in the foreground but this can cause problems when running a program that reads the terminal settings or window size in the background. If sudo is running in the background, the terminal settings will be updated if it transitions to the foreground process. Based on a suggestion from From Duncan Overbruck. [51a70eadc7fc] * src/exec_pty.c: check_foreground: use SFD_LEADER not SFD_FOLLOWER (which was closed). Also use SFD_LEADER for sudo_term_copy() in exec_pty() for consistency. From Duncan Overbruck. [172962b90aa6] * src/exec_pty.c: suspend_sudo_pty: fix cut & pasto in last commit to catch SIGCONT. Also set sa.sa_handler to SIG_DFL instead of SIG_IGN. There is no difference for SIGCONT but it means we can re-use sa as-is later. [e07725c8c939] 2023-03-21 Todd C. Miller * src/exec_pty.c: Catch SIGCONT and restore terminal settings on resume from SIGSTOP. While we cannot catch SIGSTOP, we _can_ catch SIGCONT and set /dev/tty to raw mode when running in the foreground. Ignore SIGCONT in suspend_sudo_pty() so we don't call resume_terminal() twice. [b5b2d739e44d] * src/exec_monitor.c, src/exec_pty.c: Only convert a signal number to a name if we are going to use it. It is mostly used for debug logging. [225c3630ffff] * src/exec_monitor.c, src/exec_pty.c, src/sudo.h: Move updating of the window size back to the main sudo process. We can use the leader file descriptor with TIOCGWINSZ to set the window size of the pty. Thanks to Duncan Overbruck for the hint. [6e3f7622038a] * plugins/sudoers/visudo.c: visudo: restore controlling terminal after running the editor. Otherwise, visudo will get SIGTTOU if it tries to write to the terminal after the editor finishes. Also avoid races by setting the process group ID in both the parent and child, and grant the controlling terminal in the parent, not the child. [c0f339a84be8] 2023-03-20 Todd C. Miller * docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Warn about ignored files in sudoers.d in visudo. [61f8def2d666] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Replace sudoers_warnings with sudoers_verbose. This is now an int, with values > 1 reserved for visudo. [d1d7b559b904] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Split push_include() into push_include() and push_includedir(). This moves the "isdir" function argument to the internal version. [d454beb6eebf] 2023-03-17 Todd C. Miller * plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h: Pass around const struct sudo_nss pointers where possible. [d13437078d19] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/match.c, plugins/sudoers/parse.h: Pass around const struct sudoers_parse_tree pointers where possible. [1aa8b9069b39] * plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_ldap_conf.h: Move non-config-related macros to from sudo_ldap_conf.h to sudo_ldap.h. [16e67a765a30] 2023-03-16 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/getcwd.c, scripts/mkdep.pl: Remove portable getcwd.c, nothing uses it anymore. Any operating system supported by sudo already includes getcwd(3). [8f0584066f6f] * src/Makefile.in: Use LIBPROTOBUF_C and LIBUTIL variables and use them. [062142fa5ae8] 2023-03-15 Todd C. Miller * include/sudo_util.h: Remove now-unused sudo_timeval* macros. [3448dce21b9c] * lib/util/nanosleep.c: nanosleep: clear remainder on successful completion Also switch to doing everything in terms of struct timespec except for the actual select(2) call. [d67451eb618e] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in: Add lib dependencies for fuzzer and test targets. [60605bcc3905] * lib/eventlog/eventlog_free.c: eventlog_free: free peeraddr [42670e45e57f] * plugins/sudoers/ldap_innetgr.c: sudo_ldap_netgroup_match_str: "-" in a netgroup can never match. We already check for a NULL value above so "str == NULL" is always false. Found by PVS-Studio. [c9cfdd013e92] 2023-03-14 Todd C. Miller * lib/iolog/Makefile.in: Fix static compilation. [5a18337c03d3] * MANIFEST: Replace eventlog_json.h with parse_json.h. [cc68fe24ee0d] * lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c: Add support for parsing all fields of struct eventlog. [3828e55bdaff] 2023-03-13 Todd C. Miller * MANIFEST, lib/eventlog/Makefile.in, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/eventlog_store/test1.json.in, lib/eventlog/regress/eventlog_store/test1.json.out.ok, lib/eventlog/regress/eventlog_store/test1.sudo.out.ok, lib/eventlog/regress/eventlog_store/test2.json.in, lib/eventlog/regress/eventlog_store/test2.json.out.ok, lib/eventlog/regress/eventlog_store/test2.sudo.out.ok, lib/eventlog/regress/eventlog_store/test3.json.in, lib/eventlog/regress/eventlog_store/test3.json.out.ok, lib/eventlog/regress/eventlog_store/test3.sudo.out.ok, lib/eventlog/regress/eventlog_store/test4.json.in, lib/eventlog/regress/eventlog_store/test4.json.out.ok, lib/eventlog/regress/eventlog_store/test4.sudo.out.ok, lib/eventlog/regress/parse_json/check_parse_json.c: Add tests for JSON and sudo-style log output. [3a923f86fff2] * plugins/sudoers/match.c: Declare domain even if the system lacks innetgr(). Fixes a build error on musl-based systems like Alpine. [34cfa5ad4cdc] * lib/eventlog/Makefile.in: Add missing definition of $(SED). [9a614b90c852] * MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/parse_json.c, lib/eventlog/parse_json.h, lib/eventlog/regress/parse_json/check_parse_json.c, lib/eventlog/regress/parse_json/test1.in, lib/eventlog/regress/parse_json/test2.in, lib/eventlog/regress/parse_json/test2.out.ok, lib/eventlog/regress/parse_json/test3.in, lib/eventlog/regress/parse_json/test3.out.ok, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_json.h, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_json/test1.in, lib/iolog/regress/iolog_json/test2.in, lib/iolog/regress/iolog_json/test2.out.ok, lib/iolog/regress/iolog_json/test3.in, lib/iolog/regress/iolog_json/test3.out.ok: Move JSON log parsing from libsudo_iolog.la to libsudo_eventlog.la It will be used in the upcoming log output tests. [1a8dd741b666] * lib/eventlog/eventlog.c: Add missing " ; " separator between environment variables and command. This is a regression introduced in sudo 1.9.13. GitHub issue #254. [a3c09b724b7a] 2023-03-12 Todd C. Miller * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Add example to verify support for searching by nisNetgroupTriple. [090ffa785e56] 2023-03-11 Todd C. Miller * plugins/sudoers/gc.c: Remove unused sudoers_gc_init() function. [b2ee61f8f11d] 2023-03-10 Todd C. Miller * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Sudo now does its own netgroup lookups if NETGROUP_BASE is set. Previously, it only performed netgroup queries to determine the list of netgroups a user was a member of. [932613f6868a] * plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c: sudoers_cleanup: free cached environment before running g/c. Avoids a double free in fuzz_policy. [e616d4a038b6] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: sudoers_cleanup: run the garbage collector at the end [cbc28a012f8b] * plugins/sudoers/sudoers.c: Plugin a memory leak in intercept mode. [f63fb51ff972] * src/exec_intercept.c: Sync non-intercept version of intercept_cleanup() declaration. [712ff6c2f6bd] * plugins/sudoers/ldap_innetgr.c: Plug memory leak if ldap_get_option() fails with LDAP_NO_MEMORY. [0be36e3e9473] * src/exec.c, src/exec_intercept.c, src/sudo_exec.h: Plug a memory leak with ptrace-based intercept. [3b411be9fe37] * src/exec_intercept.c: Plug memory leak when log_subcmds is enabled. [1d5b21665ced] * lib/util/suspend_parent.c: Pass closure to callback, not the callback pointer itself. [a4e433840f16] * MANIFEST, configure, m4/ldap.m4, plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, plugins/sudoers/ldap_innetgr.c, plugins/sudoers/sudo_ldap.h, scripts/mkdep.pl: Add LDAP-specific innetgr() implementation. Wheh netgroup_base is set we now do out own netgroup lookups using LDAP. Previously, LDAP was queried directly to get a list of the netgroups the user belongs to but other netgroups queries went through innetgr(3). This makes it possible to use netgroups in LDAP sudoers on systems that don't have an innetgr() function. GitHub issue #251. [aa7304a533e0] * plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/sudo_ldap.h: Move some functions from ldap.c to ldap_util.c. These will be used by the LDAP innetgr() implementation. [70fd74041c5d] 2023-03-08 Todd C. Miller * lib/zlib/Makefile.in: fix typo in uninstall target [e3c1b8427d01] * Merge pull request #252 from bin-ly/main fix typo in uninstall target [4a1d3542345c] 2023-03-09 bin-ly * lib/util/Makefile.in: fix command error for lib/util/Makefile.in [7dd4e9e6d976] 2023-03-08 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h: Add per-source innetgr function pointer and use it in netgr_matches(). This will be used to implement LDAP-specific netgroup lookups when netgroup_base is set in ldap.conf. [f7c89d6e8d6b] 2023-03-07 Todd C. Miller * MANIFEST, lib/util/Makefile.in, lib/util/regress/digest/digest_test.c: Add tests for SHA2 digest support. This uses the NIST byte-oriented short message test vectors. [06e01abf7943] 2023-03-04 Todd C. Miller * .hgtags: Added tag SUDO_1_9_13p3 for changeset 0bdd0b8469e3 [fc4e872d6d89] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.13p3 [0bdd0b8469e3] [SUDO_1_9_13p3] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.13p3 [0c4b7112dde9] 2023-03-03 Todd C. Miller * plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h: A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user. [a3f7301ba4d3] <1.9> * plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h: A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user. [fe758ae9d0bb] * plugins/sudoers/policy.c: sudoers_policy_list: do not set runas_pw to list_pw when listing This change introduced in sudo 1.9.13 is not actually needed. The "list" pseudo-command checks are performed via runas_matches_pw() which does not use runas_pw. GitHub issue #248 [84effa5ffaa1] <1.9> * plugins/sudoers/policy.c: sudoers_policy_list: do not set runas_pw to list_pw when listing This change introduced in sudo 1.9.13 is not actually needed. The "list" pseudo-command checks are performed via runas_matches_pw() which does not use runas_pw. GitHub issue #248 [94c1f6d9bc6d] * plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c: Fix "sudo -l command args", broken in sudo 1.9.13. The value of user_args should not contain the command to be run in "sudo -l command args", only the arguments of the command being checked. This restores the pre-1.9.13 behavior. GitHub issue #249 [3e1225e7bf33] <1.9> * plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c: Fix "sudo -l command args", broken in sudo 1.9.13. The value of user_args should not contain the command to be run in "sudo -l command args", only the arguments of the command being checked. This restores the pre-1.9.13 behavior. GitHub issue #249 [2773b6d91cf1] 2023-03-01 Todd C. Miller * logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c: Check for sudo_pow2_roundup() overflow. Calling sudo_pow2_roundup(INT_MAX+2) will return since there is no power of 2 larger than INT_MAX+1 that fits in an unsigned int. This is not an issue in practice since we restrict messages to 2Mib. [d76de48704d0] * src/exec_nopty.c, src/exec_pty.c: write_callback: only enable /dev/tty reader if the command is running This fixes a hang when there is /dev/tty data in a buffer to be flushed by the final call to del_io_events(). We do not want to re-enable the reader when flushing the buffers as part of pty_finish(). See PR #247 for analysis of the problem and how to reproduce it. [b7ea5b5e6a88] <1.9> * src/exec_nopty.c, src/exec_pty.c: write_callback: only enable /dev/tty reader if the command is running This fixes a hang when there is /dev/tty data in a buffer to be flushed by the final call to del_io_events(). We do not want to re-enable the reader when flushing the buffers as part of pty_finish(). See PR #247 for analysis of the problem and how to reproduce it. [2cf041ccbd98] 2023-02-28 Todd C. Miller * plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test12.sh: Test non-fully qualified path name. [0a9e6e83fe15] <1.9> * plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test12.sh: Test non-fully qualified path name. [b653458b1758] * plugins/sudoers/Makefile.in: Fix removal of y.tab.[ch] when generating gram.[ch]. [f69c86ecae66] <1.9> * plugins/sudoers/Makefile.in: Fix removal of y.tab.[ch] when generating gram.[ch]. [9c5f5be26ad0] * MANIFEST, plugins/sudoers/regress/sudoers/test30.in, plugins/sudoers/regress/sudoers/test30.json.ok, plugins/sudoers/regress/sudoers/test30.ldif.ok, plugins/sudoers/regress/sudoers/test30.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test30.out.ok, plugins/sudoers/regress/sudoers/test30.sudo.ok, plugins/sudoers/regress/sudoers/test30.toke.ok: Add test for using "list" as user, runas and host. [ae2c84c73371] <1.9> * MANIFEST, plugins/sudoers/regress/sudoers/test30.in, plugins/sudoers/regress/sudoers/test30.json.ok, plugins/sudoers/regress/sudoers/test30.ldif.ok, plugins/sudoers/regress/sudoers/test30.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test30.out.ok, plugins/sudoers/regress/sudoers/test30.sudo.ok, plugins/sudoers/regress/sudoers/test30.toke.ok: Add test for using "list" as user, runas and host. [712c96af942d] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move handling of the "list" pseudo-command from lexer to parser. The special handling of "list" in the lexer meant it could not be used as a user, group or host, which was unintentional. GitHub issue #246. [efb3a4dea1da] <1.9> * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move handling of the "list" pseudo-command from lexer to parser. The special handling of "list" in the lexer meant it could not be used as a user, group or host, which was unintentional. GitHub issue #246. [d36f1d686343] 2023-02-27 Todd C. Miller * include/sudo_compat.h: Make the check for HAVE_DECL_NSIG consistent with other decl checks. [616c42c4adce] <1.9> * include/sudo_compat.h: Make the check for HAVE_DECL_NSIG consistent with other decl checks. [4e6e627062af] * plugins/sudoers/match_command.c: Plug memory leak with multiple matching CHROOT= entries. Found by oss-fuzz. [a4982b468985] 2023-02-25 Todd C. Miller * .hgtags: Added tag SUDO_1_9_13p2 for changeset 2db7cee1cb77 [b0af73801130] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.13p2. [2db7cee1cb77] [SUDO_1_9_13p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.13p2. [251788b2308b] 2023-02-23 Todd C. Miller * plugins/sudoers/logging.c: Include error string when formatting a SLOG_PARSE_ERROR message if present. [b4254bf84300] * lib/util/lbuf.c: Add missing include of errno.h. [65ddd70d0c18] <1.9> * lib/util/lbuf.c: Add missing include of errno.h. [669e4a4ab3ad] * lib/util/lbuf.c: sudo_lbuf_expand: check for overflow when rounding to the nearest power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [9357396fdaa0] <1.9> * lib/util/lbuf.c: sudo_lbuf_expand: check for overflow when rounding to the nearest power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [7d433e75c858] * src/load_plugins.c: Fix --enable-static-sudoers, broken in sudo 1.9.13. sudo_qualify_plugin() should not try to fully-qualify the path to a statically-compiled plugin. GitHub issue #245 [eca5f1f6555e] <1.9> * src/load_plugins.c: Fix --enable-static-sudoers, broken in sudo 1.9.13. sudo_qualify_plugin() should not try to fully-qualify the path to a statically-compiled plugin. GitHub issue #245 [f323e3f0a5c0] 2023-02-22 Todd C. Miller * plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Add sudoers open errors to the list of parse errors sent via mail. Previously there would be one email for the open failure and a separate one describing the parse error. Now a single email message contains everything. [b81299ccdad8] * plugins/sudoers/visudo.c: visudo: quiet a compiler warning on Solaris 10. Also explicitly close /dev/tty fd instead of relying on closefrom() in case the fd ends up being a value 0-2. [d839cc458245] * Merge pull request #244 from ffontaine/main configure.ac: fix openssl static build [af40f67e9771] * configure, configure.ac, lib/util/Makefile.in: Replace LIBMD with LIBCRYPTO display crypto/tls libs in summary. We can only have one of either -lmd, -lgcrypt or -lcrypto so there is no need to have more than one variable. [da65125af8c6] 2023-02-22 Fabrice Fontaine * m4/openssl.m4: configure.ac: fix openssl static build Do not use AX_APPEND_FLAG as it will break static builds by removing duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto. This will fix the following build failure with sparc which needs -latomic: Checking for X509_STORE_CTX_get0_cert configure:21215: /home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot- linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DZLIB_CONST -static conftest.c -L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic -lcrypto >&5 /home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc- buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux- uclibc/bin/ld: /home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in function `X509_CRL_up_ref': x509cset.c:(.text+0x108): undefined reference to `__atomic_fetch_add_4' [...] In file included from ./hostcheck.c:38: ../../include/sudo_compat.h:342:41: error: conflicting types for 'ASN1_STRING_data' 342 | # define ASN1_STRING_get0_data(x) ASN1_STRING_data(x) | ^~~~~~~~~~~~~~~~ Fixes: - http://autobuild.buildroot.org/results/8be59dd94e4916f9457cb435104e3 6e62a28373b Signed-off-by: Fabrice Fontaine [487cfc17c742] 2023-02-21 Todd C. Miller * MANIFEST, plugins/sudoers/match_command.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Fix potential double free for rules that include a CHROOT= option. If a rule with a CHROOT= option matches the user, host and runas, the user_cmnd variable could be freed twice. [2c1477233f48] <1.9> * MANIFEST, plugins/sudoers/match_command.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Fix potential double free for rules that include a CHROOT= option. If a rule with a CHROOT= option matches the user, host and runas, the user_cmnd variable could be freed twice. [a988ae0045a2] * plugins/sudoers/visudo.c: Check tcsetpgrp() return value. [5d9bdb2fea15] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/suspend_parent.c, lib/util/util.exp.in, plugins/sudoers/visudo.c, src/Makefile.in, src/exec_iolog.c, src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo.h, src/sudo_exec.h, src/suspend_nopty.c, src/tcsetpgrp_nobg.c: Run the editor in its own process group. This fixes suspending the editor on GNU Hurd which doesn't seem to have proper process group signal handling. [210e058101af] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c: Stub out pivot_root() and unpivot_root() for all but the sudoers module. [967f706e6bff] * plugins/sudoers/match_command.c: Fix build when SUDOERS_NAME_MATCH is defined. [79e4613fbd85] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pivot.c, plugins/sudoers/sudoers.h: Add pivot_root() and unpivot_root() to switch the root dir and restore it. This will be used to more accurately handling command resolution and path matching when a new root directory is specified. [77300a0e1537] * plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: set_cmnd_path: apply runchroot if set when finding the command path Previously we would prepend runchroot to the path we were checking but that does not properly handle symbolic links. [3fb7ca4631c0] * plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h: match_command: apply runchroot if set when matching the command Previously we would prepend runchroot to the path we were checking but that does not properly handle symbolic links. [41dc8f445f78] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/canon_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add canon_path(), a realpath() wrapper that performs caching. This also adds a new user_cmnd_dir variable that stores the canonicalized parent directory of the command to be run. [6065f5e76387] * plugins/sudoers/match_command.c: Match using canonicalized directories where possible. [020d4ad53d07] * src/exec_ptrace.c: ptrace_intercept_execve: preserve old argv[0] after policy check. We have to replace argv[0] with the pathname for the policy check but want to restore it afterwards if the policy has not changed the command's path name to avoid a mismatch later on. [5dcd96a5c369] * configure, configure.ac: Move initial values into AC_SUBST() where possible. [3db7feb16577] * configure, configure.ac: No need to AC_SUBST() standard autoconf variables. [48ce145c9e40] 2023-02-19 Todd C. Miller * INSTALL.md: Document --disable-largefile and --disable-year2038. [424d17d1b83d] * configure, configure.ac: Fix indentation of intercept file in summary output. [3cf0104bd2e5] * plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/starttime.c: get_starttime: add support for GNU Hurd using the mach task_info call. This is currently Hurd-specific but could be made Mach-generic as long as the equivalent of pid2task() is available. [a81de7fb1f83] 2023-02-18 Todd C. Miller * plugins/sudoers/regress/starttime/check_starttime.c: Only test get_starttime() on platforms where we support it. Fixes a test failure on systems where we have no way to determine a process's start time. [bf8dbe59b2c6] 2023-02-16 Todd C. Miller * .hgtags: Added tag SUDO_1_9_13p1 for changeset 49e64402924f [97ae12488007] <1.9> * NEWS, configure, configure.ac: Merge sudo 1.9.13p1 from tip. [49e64402924f] [SUDO_1_9_13p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.13p1 [0a9817096e03] * configure.ac: Use m4_bmatch, m4_case does not support shell-style globbing. [b7a743baf22e] * configure, configure.ac: Allow configure.ac to be processed by autoconf 2.69. AC_PROG_CC_STDC is deprecated in autoconf 2.70 and above but it is necessary for autoconf 2.69. [324ba83acd63] * configure.ac: Only use AC_SYS_YEAR2038 if it is defined. Otherwise, use the method from 1.9.12. GitHub issue #242 [16fcec5264cc] 2023-02-15 Todd C. Miller * scripts/mkpkg: Sudo-specific executables moved to /usr/libexec/sudo starting in Debian 12 (Bookworm) and Ubuntu 22.04 (Jammy Jellyfish). Previously, they were stored in /usr/lib/sudo. [a2aa15b72312] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Handle "locale -a" returning both C.UTF-8 and C.utf8. It is possible to have mutiple matches from the output of "locale -a". Just take the first one. Fixes GitHub issue #241. [aeba71610439] * lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Add some missing files to the clean and distclean targets. [5dedbe519db1] * Merge pull request #240 from thesamesam/c23 sudo_fatal: Fix build where compiler recognises [[noreturn]] attribut… [22ae0d4402ac] 2023-02-15 Sam James * include/sudo_fatal.h: sudo_fatal: Fix build where compiler recognises [[noreturn]] attribute (C23) If the compiler supports [[noreturn]] as a attribute as in C23, then we define sudo_noreturn to be it. When that's the case, we must place it at the beginning of the declaration, before any other *extension* attributes (__attribute(...)). A bug has been filed with GCC regarding rejecting/accepting mixed attribute styles. sudo_dso_public is always an extension attribute, while sudo_noreturn only might be, so put it first. This only shows up with GCC 13 so far (see the linked GCC bug for a bit more exploration). Clang 16 does support the attribute but doesn't let you use it for earlier language versions (need to pass explicit -std=c2x, unlike with GCC here). This is essentially a followup to e707ffe58b3ccfe5c72f54c38eac1d7069d5021e. Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211, Clang 16.0.0_rc2, and Clang 15.0.7. Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796 Closes: https://github.com/sudo-project/sudo/issues/239 Fixes: e707ffe58b3ccfe5c72f54c38eac1d7069d5021e Fixes: 16ae61dcd7d3cd8bf6eb10a22fa742d4505da4e9 [806b5f3a6485] 2023-02-14 Todd C. Miller * configure, configure.ac: Add missing '[' to AS_IF() call. Fixes GitHub issue #238. [48372d73d4bb] * .hgtags: Added tag SUDO_1_9_13 for changeset 813f6addf7cf [8df54fde3b7a] <1.9> * NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c, plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: Merge sudo 1.9.13 from tip. [813f6addf7cf] [SUDO_1_9_13] <1.9> * MANIFEST, plugins/sudoers/po/ka.mo: Add compiled version of the sudoers Georgian translation. [35007cc1c867] * .gitignore, .hgignore: Do not ignore .mo files. Otherwise we are likely to miss uncommitted changes in them. [d76a98baaf15] * plugins/sudoers/po/ru.mo, plugins/sudoers/po/zh_CN.mo, po/zh_CN.mo: Regenerate .mo files. [a7a708d8bf34] 2023-02-12 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/realpath.c, scripts/mkdep.pl: Add checks for realpath(3) and a version from NetBSD for those without it. [121fb2ed88de] 2023-02-09 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: No longer need to define sudoers_recovery here. [11a365a8a218] * NEWS: Mention that a missing include file is no longer fatal. [ba0bd554435e] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/policy.c: Recover from missing include file unless error_recovery is disabled. It is still treated as an error from a logging perspective, and mail is still sent. [e1cac68917cc] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/logging.c: Add eventlog_mail() to send a log message via mail. This is used by mail_parse_errors() to send multi-line messages. Previously, the newlines would be escaped as control characters. [97e516576212] * lib/eventlog/eventlog.c: send_mail: pass a single string instead of using varargs These days we only ever pass in a const string. [700e72ca42c0] 2023-02-08 Todd C. Miller * configure, configure.ac, m4/sudo.m4, pathnames.h.in, plugins/sudoers/visudo.c: Substitute for _PATH_SUDO* variables in pathnames.h. Previously these were hard-coded with Makefile overrides. [53c8be4b6af3] 2023-02-05 Todd C. Miller * configure, configure.ac: Use AS_IF instead of if; then where possible. [56946f4ac23a] 2023-02-03 Todd C. Miller * NEWS: Mention the fix for GitHub #237. [70aafdaced09] * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/fur.mo, po/fur.po, po/ja.mo, po/ja.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [c3be19c34043] * src/exec_pty.c, src/tgetpass.c: Display error in error message if we can't restore the terminal. [aa2c60802b33] 2023-02-02 Todd C. Miller * src/exec_pty.c, src/tgetpass.c: Display an error message if unable to restore terminal settings. [a1efb1dca169] * Makefile.in, etc/sudo.pp, plugins/sudoers/Makefile.in: Get rid of sudoersdir and just use sysconfdir. There is no need for sudoersdir when it is always just set to sysconfdir. [690b44edcec2] * src/exec_pty.c: pty_finish: only restore the terminal if sudo is the foreground process [357d90f11750] * src/exec_pty.c: Better background job detection when running a command in a pty. If sudo is not the process group leader and stdin is not a tty, we may be running as a background job via a shell script. Start the command in the background to avoid changing the terminal mode from a background process. GitHub issue #237 [6c74910ea869] * src/exec_pty.c: suspend_sudo_pty: stop the process group even if sudo is not the leader. When sudo is not the process group leader, we still need to stop sudo's process group and not just the sudo process itself. If we only send the signal to sudo itself, the shell will not notice if it is not in monitor mode. This can happen when sudo is run from a shell script, for example. In this case we need to signal the shell itself. If the process group leader is no longer present, we must kill the command since there will be no one to resume us. [44bb3267a55e] * lib/util/term.c: Add debug tracing to tcsetattr_nobg(). [b7a17174f1cf] 2023-01-31 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_policy.c: Avoid compilation errors if getaddrinfo() or freeaddrinfo() are macros. If this is the case we probably can't stub out the functions but at least the fuzzer will compile. [2482db79d3b9] * src/net_ifs.c: Initialize the integer result parameter passed to SIOCGIFANUM. It appears that passing in a non-zero value causes the ioctl() to fail. From Tim Rice. [071633f9929c] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, plugins/sudoers/log_client.c: Protect use of AF_INET6 with HAVE_STRUCT_IN6_ADDR guards. From Tim Rice. [661c26064544] * config.h.in, configure, configure.ac, include/sudo_compat.h: Add configure test for NSIG, _NSIG or __NSIG. This is better than just defining NSIG in sudo_compat.h if it is not defined since signal.h may not have been included. [f1c94c5f825b] * logsrvd/logsrvd_conf.c: Avoid DNS lookups when fuzzing. [384ffdead655] 2023-01-30 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp: No longer need to treat Rocky or Alma Linux specially. We now treat them the same as RHEL. [190afa102ca6] 2023-01-29 Todd C. Miller * Merge pull request #230 from trackers-lover/main Return value does not match [1dc4317beaf7] 2023-01-29 bianguangze@uniontech.com * lib/util/sudo_conf.c: Modify return value parameter [eb1e78bb2f91] 2023-01-27 Todd C. Miller * scripts/build_pkgs: Store conf hash in vm_servers instead of vmid. Add a shutdown command fallback to the conf file. [2f7eeb5c3f04] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.po, po/zh_TW.po: Updated translations from translationproject.org [fa9569203e16] * configure, m4/hardening.m4: Fix a typo. [ebf4c16e0079] * config.h.in, configure, scripts/config.guess, scripts/config.sub: Regen with latest autoconf git. [9a0bbbb682fc] * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp: Recognize Alma Linux and Rocky Linux (Open Source RHEL clones) [b1dbb7b75824] * NEWS: Mention the recent intercept/log_subcmds fix. [cbd60701de52] * scripts/mkpkg: Fix determination of the number of CPU cores on Linux. [6ac6a9b074bf] 2023-01-26 Todd C. Miller * MANIFEST, plugins/sudoers/po/ka.po: New Georgian translation from translationproject.org [17681b870666] * Merge pull request #235 from kernelmethod/apparmor_dependencies Replace the Debian libselinux1 dependency with libapparmor1 [ca29638c5c34] 2023-01-26 kernelmethod <17100608+kernelmethod@users.noreply.github.com> * etc/sudo.pp: Replace the Debian libselinux1 dependency with libapparmor1 Debian >= 10 uses AppArmor by default instead of SELinux, so SELinux-related sudo features are typically going to be unusable in Debian installs. This changes the dependency on libselinux1 to be a dependency on libapparmor1 for .deb packages built with `make package`. [5779ce23a161] 2023-01-25 Todd C. Miller * src/exec_ptrace.c: get_execve_info: defer setting pathname until argbuf is finalized If we reallocate the buffer (via growbuf()) in ptrace_read_vec(), the address of argbuf may change. If so, the value stored in pathname will no longer be valid. GitHub issue #194. [f75aa1eb5d95] * src/exec_intercept.c, src/exec_ptrace.c: Correct error message when command doesn't exist in intercept mode. Previously, we would always use EACCES, even when ENOENT was appropriate. This also affected log_subcmds. [5bc0ecd5d4e6] 2023-01-24 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.13 [c6a247e05a91] 2023-01-23 Todd C. Miller * NEWS: Update for 1.9.13. [c9c5b6af5ea5] * src/exec_ptrace.h: Include elf.h, not linux/elf.h but define NT_ARM_SYSTEM_CALL if missing. Older kernel headers are missing the definition of EM_ARM in linux/elf.h. GitHub issue #232 [8bed5e7f8857] * lib/util/regress/regex/regex_test.c: Add tests for escaped digits. [7e5b7e5e2409] * lib/util/regex.c: check_pattern: handle escaped digits since GNU libc accepts them. [a20d5a047963] 2023-01-22 Todd C. Miller * include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/sudoreplay.c: Add eventlog_store_sudo() and use it in sudoreplay. This replaces the custom log formatting used by "sudoreplay -l". [26dd2367fbdd] 2023-01-21 Todd C. Miller * scripts/build_pkgs, scripts/mkpkg: Add --build-only flag to skip building packages. [46c0213b2668] 2023-01-20 Todd C. Miller * scripts/mkpkg, scripts/pp: Suport building packages on DragonFly BSD. [65920923add2] * configure, configure.ac, m4/visibility.m4: Try to link a simple shared object with -Wl,--no-undefined. This only works for gcc-style compilers, which should not be a problem. The source uses environ (FreeBSD) and errno (OpenBSD). [1c2d9f90bc6d] * scripts/build_pkgs: Pass the name to the config.cache file to the build script. If --cache-file is not specified, no config.cache file will be used. Add an "omit_artifacts" setting for platforms where we don't publish artifacts. [c87221f36bf4] 2023-01-19 Todd C. Miller * lib/util/regex.c: check_pattern: accept a backslash before the numeric bound like glibc. This helps avoid out-of-memory conditions when fuzzing on Linux. [07f14dba22ed] * configure, configure.ac: Don't use -Wl,--no-undefined with the sanitizers/fuzzers. It breaks linking when using -fsanitize with clang at least. [a6331135bd73] * docs/SECURITY.md: Add a link to the sudo security advisories archive. [7137d1d214e5] * config.h.in, configure, configure.ac: Eliminate usage of obsolete 2-argument AC_CHECK_TYPE macro. [96b37c574fc2] * config.h.in, configure, configure.ac, plugins/sudoers/starttime.c, src/regress/ttyname/check_ttyname.c, src/ttyname.c: Add support for the struct kinfo_proc on Dragonfly BSD. [4c1a7d223d66] * configure, configure.ac: Need to link sudo and sudoers with -lutil on Dragonfly BSD. It is safer to just search for setusercontext() in libc and libutil instead of matching on the operating system. [b91a288c9968] * configure, configure.ac: Elminate the $OS variable, we can just use $host_os instead. [0293bf9d4dd4] * plugins/sudoers/editor.c: Restore the line that set errno to ENOENT when find_path() fails. This was inadvertently removed when the "goto bad" was added. [b957909a1a75] * configure, configure.ac, m4/ldap.m4: Add -Wl,--no-undefined to LDFLAGS if it is supported. This will find missing symbols at build-time instead of run-time. Don't use it on FreeBSD where environ is filled in by the dynamic loader. We also need to pull in -llber with -lldap where possible (instead of relying on DT_NEEDED) to avoid undefined symbol errors when building with LDAP support. [c88bd9fd05c9] * plugins/sample/README: The sample plugin is now built by default to avoid bit rot. GitHub issue #234. [aac2a29136e1] * plugins/sample/sample_plugin.c: The change from sudo_printf -> sudo_plugin_printf was incomplete. Fixes GitHub issue #234. [4f8333e3f7b8] 2023-01-18 Todd C. Miller * configure, m4/pie.m4: Solaris: use lt_prog_compiler_pic instead of assuming -KPIC [36b94699ad63] * configure, m4/hardening.m4, m4/pie.m4: Solaris: the aslr, nxheap and nxstack link options are only for executables. Move them back to PIE_LDFLAGS, which is only used when linking a binary. [970d533cd9b2] * configure, m4/hardening.m4, m4/pie.m4: Solaris: move aslr linker option to hardening and try to build real PIEs These flags are specific to the Solaris linker. [c5439fec5cb3] * configure, m4/hardening.m4, m4/pie.m4: Enable non-executable heap and stack options for Solaris ld. [5be638b9bd79] * configure, configure.ac, m4/hardening.m4: Limit some of the hardening tests to compilers that define __GNUC__. This should avoid false positives on other compilers. [1b3b36a2ff2b] * plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout: Update expected plugin version. [19b2963008a2] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h, src/sudo_edit.c: Pass back the number of files to edit when using sudoedit. The sudo front-end can use this to determine where the list of files to edit begins. [c9c1e6e81438] * docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, include/sudo_lbuf.h, lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c: Escape control characters in log messages and "sudoreplay -l" output. The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped. Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com). [1cd37144190c] * NEWS: Merge in sudo 1.9.12p2 changes. [d5a2cd780f27] * .hgtags: Added tag SUDO_1_9_12p2 for changeset 05149e3ee7db [8763a9e70ddd] <1.9> 2023-01-17 Todd C. Miller * configure, configure.ac: Add back the linker check for -fstack-clash-protection. This is expected to fix GitHub issue #231. [40bda374ae08] <1.9> * configure, m4/hardening.m4: Add back the linker check for -fstack-clash-protection. This is expected to fix GitHub issue #231. [c08c0a7c8613] 2023-01-17 trackers-love * lib/util/sudo_conf.c: Return value does not match [2c7c350c3d97] 2023-01-16 Todd C. Miller * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Stop using 8n width in tagged lists. Use either 4n, when the body is expected to wrap or the width of the longest tag when no wrapping is expected. [2b1bc5d31250] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Use -width Ds for the options list, not -width Fl. [598dbf3d2fea] * docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in: Reduce the offset of bullet lists to 1n. [893b6fd25564] * INSTALL.md: Shorten --with-passprompt and --with-mailsubject arguments to a single word. The script that generates the web version of this file doesn't expect options to include whitespace. [063dc2c168aa] 2023-01-15 Todd C. Miller * INSTALL.md: Shorten --with-badpass-message argument to a single word. The fix_install script can't deal with whitespace in options. [17761c19a4b8] * LICENSE.md: Make numbered lists more markdown-friendly. Also add line breaks when there are multiple authors. [d22146e06e27] * INSTALL.md: Make lists of directories more markdown-friendly. [b3295e422b33] 2023-01-12 Todd C. Miller * lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c: Check for errors when removing the temp directory. If we cannot remove the directory tree that may indicate a file or directory mode problem. [4a162644b61f] * lib/iolog/iolog_mkdtemp.c: iolog_mkdtemp: fix pasto in last commit Set mode to iolog_dirmode, not iolog_filemode [9926f1c92729] <1.9> * lib/iolog/iolog_mkdtemp.c: iolog_mkdtemp: fix pasto in last commit Set mode to iolog_dirmode, not iolog_filemode [713773e23472] * NEWS, configure, configure.ac: Sudo 1.9.2p2 [05149e3ee7db] [SUDO_1_9_12p2] <1.9> * plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: sudoedit: do not permit editor arguments to include "--" (CVE-2023-22809) We use "--" to separate the editor and arguments from the files to edit. If the editor arguments include "--", sudo can be tricked into allowing the user to edit a file not permitted by the security policy. Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) for finding this bug. [eb7f573a4a92] <1.9> * plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: sudoedit: do not permit editor arguments to include "--" (CVE-2023-22809) We use "--" to separate the editor and arguments from the files to edit. If the editor arguments include "--", sudo can be tricked into allowing the user to edit a file not permitted by the security policy. Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) for finding this bug. [2ca90805f471] 2023-01-09 Todd C. Miller * lib/util/sha2.c: In SHA256Pad and SHA512Pad use 511 and 1023 respectively for bitwise AND. Previously we were using 504 and 1016 which still produces the correct result since padding is done in 8-bit bytes. However, using size-1 for the bitwise AND makes the intent clearer and likely would have prevented the previous bug in SHA512Pad. From Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) [4b6a50800ecd] * plugins/sudoers/env.c: env_file_next_local: change the order of the val_len check. It makes more sense to verify that val_len > 1 before using it. This is not a problem in practice because val[val_len - 1] is guaranteed not to underflow but it can confuse reviewers and static analyzers. [9d6bed4e3fd0] * plugins/sudoers/env.c: Fix typo in check for environment variables that start with '='. [6dc466c8bf82] * lib/util/lbuf.c: sudo_lbuf_print: no longer need to check for lbuf->len > 0. Now that lbuf length is unsigned the earlier check for len == 0 is sufficient. [bdfc863f5b5c] * lib/util/lbuf.c: Increase minimum allocation size from 256 to 1024 bytes. [0f49c8728151] * plugins/sudoers/sudoreplay.c: Fix IS_IDLOG macro, it was testing the wrong byte for the NUL. This causes the macro to evaluate to false even for valid TSIDs. [77686e4508d3] 2023-01-04 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: sudoers_trace_print: this is a no-op if not debugging [df34de2e60f4] * lib/util/lbuf.c: sudo_lbuf_expand: don't allocate less than 256 bytes at a time. [a747682156e6] 2023-01-03 Todd C. Miller * lib/util/lbuf.c: sudo_lbuf_expand: round nearest power of two instead of multiple of 256. [840855b501de] * LICENSE.md: Update copyright year. [5ff97b5e6bcd] * include/sudo_lbuf.h, lib/util/lbuf.c: sudo_lbuf_expand: check for possible integer overflow The numeric fields in struct sudo_lbuf are now unsigned so that wraparound is defined, this make the overflow checks simpler. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [6dc670d15276] * MANIFEST, lib/iolog/iolog_json.c, lib/iolog/regress/iolog_json/test3.in, lib/iolog/regress/iolog_json/test3.out.ok: Decode \u00XX in a JSON string now that we escape control chars. We don't write Unicode to the log.json file, only 8-bit ASCII. [83dcacb35309] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/hexchar.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/toke_util.c: Move hexchar() from the sudoers plugin to lib/util. [4a6c57c1b66a] * lib/util/mkdir_parents.c: sudo_open_parent_dir: adjust loop terminating condition Checking for ep < pathend should be a bit clearer than ep != '\0' and has the advantage of working when pathend doesn't point to a NUL byte. No intended change in behavior. [cee4e0c71070] * lib/iolog/iolog_mkdtemp.c: iolog_mkdtemp: fix failure when the specified path contains subdirectories. This fixes a bug introduced in sudo 1.9.12. [ac86f3b0d94b] <1.9> * lib/iolog/iolog_mkdtemp.c: iolog_mkdtemp: fix failure when the specified path contains subdirectories. This fixes a bug introduced in sudo 1.9.12. [3a1d5b01b446] * lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c: check_iolog_mkpath: fix exit value [9ac13d6657f6] 2023-01-02 Todd C. Miller * Merge pull request #227 from sohomdatta1/integer_underflow Prevent integer underflow due to environment variable [c6c716352077] 2023-01-02 Sohom * plugins/sudoers/env.c: Prevent integer underflow due to environment variable Gaurd against replacing quotes when the environment variable val_len is 1. [1b926824dcf8] 2023-01-01 Todd C. Miller * lib/util/regex.c: glibc allows the ',' in {low,high} to be escaped with a backslash. Adjust bound parsing to match this. [b2bbac2bab6a] 2022-12-31 Todd C. Miller * configure, configure.ac: Fix logic goof in 05781ba6f1f3, disable replacements when fuzzing. Not the other way around. [abcf2deb9d0e] 2022-12-30 Todd C. Miller * configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in: Substitute python plugin file name in sudo_plugin_python documentation. Also use prefix for group plugin fallback path section in sudoers manual. [e245808fbe74] * lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict: Use correct dictionary file format. Also use the new dictionaries in the Makefile fuzz target. [c39e699cb9b6] * MANIFEST, lib/iolog/regress/corpus/seed/log_legacy/less.log, lib/iolog/regress/corpus/seed/log_legacy/smtpctl.log, lib/iolog/regress/corpus/seed/log_legacy/vi.log, lib/iolog/regress/corpus/seed/timing/timing.5, lib/iolog/regress/corpus/seed/timing/timing.6, lib/iolog/regress/corpus/seed/timing/timing.7, lib/iolog/regress/corpus/seed/timing/timing.8, lib/iolog/regress/corpus/seed/timing/timing.9: Add some addition entries for the I/O log fuzzer seed corpus. [51d4bf5f014c] * MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict: Add dictionaries for fuzz_iolog_legacy and fuzz_iolog_timing. [84d1e53ea8eb] * include/sudo_fatal.h: Don't send warn/fatal output to the debug file when fuzzing. [968fedf79f23] * lib/util/getentropy.c: Back out the genentropy.c portion of c648cfe9ff0f We don't need to special-case FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION now that we use the glibc arc4random() where available. [7d69e44e3e9b] 2022-12-29 Todd C. Miller * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Use initprogname(), not setprogname() in the fuzzers. This results in better coverage for progname.c. [dede53f4b0db] * lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok: Add probe_interfaces and intercept_path. [f00ecf67a5e1] * lib/util/regress/fuzz/fuzz_sudo_conf.c: Exercise getter functions. [3208a9508724] * configure, configure.ac: Avoid using our function replacements when fuzzing (where possible). We don't want to fuzz the function replacements themselves as this can skew the coverage reports. [05781ba6f1f3] * plugins/python/regress/check_python_examples.c: Disable sudo_debug tests when fuzzing. The debug code is disable when fuzzing is enabled to avoid coverage issues. [2c90549a0918] * lib/util/fatal.c, lib/util/getentropy.c, lib/util/sudo_conf.c: Avoid compiling some code paths that are unreachable when fuzzing. [c648cfe9ff0f] * plugins/sudoers/regress/serialize_list/check_serialize_list.c: Plug memory leak. [6189ff1db193] 2022-12-28 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_policy.dict: Update fuzz_policy keywords to match current policy settings. [0db960f83cf1] * plugins/sudoers/regress/fuzz/fuzz_sudoers.dict: Add example users and groups to the dictionary. [6fd8ad758aed] * plugins/sudoers/env.c, plugins/sudoers/sudoers.c, src/parse_args.c: parse_args: an environment variable may not start with '='. Also check VAR=val format in validate_env_vars() and add an error message if insert_env_vars() fails. [b9b9acae1671] * plugins/sudoers/env.c: rebuild_env: avoid a potential NULL dereference in fuzz_policy [90f5d579dd69] * plugins/sudoers/sudoers.c: sudoers_policy_main: plug memory leak of iolog_path on error. [99cbe3d513e6] * plugins/sudoers/env.c: rebuild_env: avoid a potential NULL dereference in fuzz_policy [de05b4f00f35] * plugins/sudoers/regress/fuzz/fuzz_policy.c: The contents of the env_add array should not include the leading "env=" prefix. The previous fix for this was incomplete. [849fee26133a] * plugins/sudoers/env.c: validate_env_vars: more efficient errbuf handling Also avoid appending to errbuf if it is already full. [1ffd174fa0ea] 2022-12-27 Todd C. Miller * docs/sudo.man.in, docs/sudo.mdoc.in: Document that -k does not interfere with sudo on other terminals. This should help clarify the difference between "sudo -k" and "sudo -K". [589d750faf30] * lib/util/regex.c, lib/util/regress/regex/regex_test.c: Check for bound values larger than 255 and reject them. This is to prevent the fuzzers from running out of memory. [f172a6d64a34] * scripts/pp: Use the POSIX shell "command -v" instead of "which" to find programs. Fix false detection of init.d/service status. [aee53eddfc18] * etc/sudo.pp: Fix example dir mode on RedHat/Fedora. [f5fd86f35bc5] * etc/sudo.pp: Use sed instead of ed to modify the packaged sudoers file. Some Linux distros do not include /bin/ed by default. [217ef1afaacb] 2022-12-26 Todd C. Miller * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in: Use @intercept_file@ and @noexec_file@ like the example file. [726e060da20e] * docs/sudoers.man.in, docs/sudoers.mdoc.in: There is a @pam_login_service@ substitution but no @pam_service@. Just use sudo instead of @pam_service@. [b16f28ccc847] * examples/sudo.conf.in: Use @sudoers_plugin@ instead of @sudoers_module@. [4c92b9ef93b5] * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Use @sudoers_plugin@ instead of @sudoers_module@. [3c50a97c1bbd] * INSTALL.md, NEWS, config.h.in, configure, configure.ac, docs/UPGRADE.md, scripts/config.guess, scripts/config.sub: sudo 1.9.13 Document the changes to AIX plugins in docs/UPGRADE.md and regenerate configure using the latest autoconf from git. [b897ca965a0f] * scripts/build_pkgs: Remove anything after whitespace in MANIFEST when building tarball. This is consistent with how sudo's Makefile builds the tarball. [db48ecf91964] * MANIFEST: Zap trailing whitespace. [7be2d953e0ca] * configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, pathnames.h.in, src/load_plugins.c, src/preload.c: Use AIX-style shared libraries on AIX by default instead of SVR4-style. This removes the need to use the -brtl linker flag which can cause problems when there are both a .so and .a version of the same library but with different versions. This was particularly problematic when using the AIX freeware version of OpenSSL. The --with-aix-soname=svr4 option can be used to build SVR4-style shared libs instead. [268bd3bc7717] * lib/util/sudo_dso.c, src/load_plugins.c: sudo_dso_load: add AIX fallback path from shlib.so to shlib.a(shlib.so). If the .so file is missing but the .a file exists, try to dlopen() the AIX .a file using the .so name as the member. We need to avoid breaking existing configurations if the type of AIX shared library changes when sudo is upgraded. [f64cf05bb2c2] * plugins/sudoers/group_plugin.c, src/load_plugins.c: Remove the owner and mode checks when loading a sudo plugin. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. The checks complicate loading of shared objects since we need to perform fallback processing twice. [60a811d58138] * MANIFEST, plugins/python/Makefile.in, plugins/python/python_importblocker.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/testdata/sudo.conf.developer_mode, plugins/python/regress/testdata/sudo.conf.normal_mode, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_module.h: Remove the Python plugin import blocker code. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. [1d261d802b82] * MANIFEST, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, examples/sudo.conf.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.dict, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok, lib/util/regress/sudo_conf/test8.err.ok, lib/util/regress/sudo_conf/test8.in, lib/util/regress/sudo_conf/test8.out.ok, lib/util/sudo_conf.c: Remove developer mode from sudo.conf, it is no longer used. [2b350bfe4d7c] * plugins/sudoers/sudoers_version.h: Bump SUDOERS_GRAMMAR_VERSION to 50 for the new list pseudo-command. [60e6e3b59b1e] 2022-12-25 Todd C. Miller * docs/Makefile.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in: Use ".Sy root" instead of ".Em root" when talking about the root user. Replace MANDOCPROG with "mandoc" now that MANDOCPROG has been removed. [a0b80a88eb7c] 2022-12-22 Todd C. Miller * Merge pull request #226 from rtczza/main debug_return_int use error [7743f67838ae] 2022-12-23 wanglujun * src/exec_pty.c: debug_return_int use error [b69796b9b10b] 2022-12-22 Todd C. Miller * lib/util/sudo_dso.c, src/load_plugins.c: Fix support for AIX-style path(module) syntax in sudo.conf Plugin lines. [b8666283d2f2] 2022-12-20 Todd C. Miller * docs/sudo.man.in, docs/sudo.mdoc.in: Mention the "list" privilege in the description of the -U option. [f5416004ef2e] * docs/sudo.man.in, docs/sudo.mdoc.in, src/parse_args.c, src/sudo_usage.h.in: Add [arg ...] after command in SYNOPSIS and usage output. Use Ar markup when referring to the command and args. [40fca0824680] 2022-12-17 Todd C. Miller * src/exec_preload.c: fmtstr: call va_arg() for %c when computing length. Even though we don't need to read the actual char to know its length, we do need to consume it to get the correct value for the next format. [fadd0047868b] * configure, m4/sanitizer.m4: SUDO_CHECK_SANITIZER: quote "$3" in awk script so m4 doesn't eat it. [fcf1661bfebd] * lib/util/regress/json/json_test.c: Add missing sudo_json_free(). [fa5e5af55927] * MANIFEST, lib/util/Makefile.in, lib/util/regex.c, lib/util/regress/regex/regex_test.c: check_pattern: check bounds as a repetition operator too. Add regess to verify check_pattern() via sudo_regex_compile(). [48cbddf476a5] * lib/util/regex.c: Instead of collapsing duplicate repetition characters, reject them. This is implementation-specific behavior--some regcomp(3) will reject duplicate repetition characters (BSD), others will try to support them (Glibc) but may allocate excessive amounts of memory. [a0cb75d9b5e5] * MANIFEST, docs/CONTRIBUTORS.md, po/sq.mo, po/sq.po: New Albanian translation from translationproject.org [4a8dedc6500d] 2022-12-15 Todd C. Miller * MANIFEST, include/sudo_json.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/Makefile.in, lib/util/json.c, lib/util/regress/json/json_test.c, lib/util/util.exp.in, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c: Add basic regress for JSON functions. Fix a bug in escaped control character handling. Roll back changes to buffer if sudo_json_add_value() fails. [8b61266511fe] * plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c: Add missing memory allocation failure checks. Inspired by GitHub PR #221 [9f09479191e9] 2022-12-14 Todd C. Miller * lib/util/json.c: Escape control characters in strings. [9668cd68daee] 2022-12-12 Todd C. Miller * docs/sudo.man.in, docs/sudo.mdoc.in: Mention the audit plugin in the "Process model" section. Remove extraneous information describing how sudo may exec the command directly, this is already included in the non-pty section. [9d01a9682ed2] 2022-12-11 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c: Plug a memory leak of list_cmnd in the fuzzers. [b413becfb8db] * plugins/sudoers/cvtsudoers.c: Suppress PVS Studio watning about reassigning a variable the same value. Working around the warning would result in more fragile code. [b4227e531fb7] * lib/util/regress/multiarch/multiarch_test.c: Fix memory leak in multiarch_test to quiet leak sanitizer. [1491ce67725c] * plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: Fix some dead stores noted by PVS Studio. Since rc is initialized to SUDO_RC_ERROR there is no need to set it to SUDO_RC_ERROR again on failure if rc has not been changed since initialization. [f6c075dedfe3] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/logging.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1]. [225eac96d11f] 2022-12-09 Todd C. Miller * etc/codespell.exclude: Adjust a line to quiet codespell warning. [f920076a902d] 2022-12-08 Todd C. Miller * Makefile.in: Only build ChangeLog from a repo checkout, not a release tarball. The CODEOWNERS file is not present in the release tarball so we can use that when determining what is (or is not) a repo checkout. [290ce43f0f66] * docs/CODEOWNERS: Add CODEOWNERS file, currently all owned by @millert. [3becb02b5cd6] * .gitignore, .hgignore, Makefile.in: Only regenerate ChangeLog if there have been changes. Also check that "hg --version" or "git --version" works before using hg or git. Bug #1043. [d9a28bb02621] 2022-12-07 Todd C. Miller * plugins/sudoers/parse.c: Fix potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219. [360e04f13024] <1.9> * plugins/sudoers/parse.c: Fix potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219. [3d12dfeef26b] * scripts/build_pkgs: Defer installing the SIGCHLD handler until after non-job commands run. Lock the socket dir to avoid races in open_persistent_connection(). Also avoid using "ssh -f" since that may return before the socket is created. Strip carriage returns from log when running in a pty. [d0da1a261fbc] 2022-12-06 Todd C. Miller * configure, m4/sudo.m4: Fix a typo in SUDO_CHECK_NET_FUNC. [08cb2ba84897] * lib/util/inet_ntop.c: Fix -Wsign-compare warning. [45e2716ece56] * configure, m4/sudo.m4: Initialize "found" in SUDO_CHECK_NET_FUNC. [a5daeb77e6bb] * configure, m4/sudo.m4: Fix pasto introduced in last commit. [7e1b09977be3] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Fix failure in check targets when there is no UTF-8 C locale. [721c8bdff28f] * configure, configure.ac, m4/sudo.m4: Add SUDO_CHECK_NET_FUNC to check functions in the network libraries. If a function is not found, check again with "-lsocket", "-linet", "-lsocket -lnsl", or "-lresolv". Also display network libs in final summary as well as the different linker flags. [a0ce3347cd8d] * configure, m4/sudo.m4: Make sure HAVE_MAILLOCK_H is defined on Solaris 10. [bb9f3a1beff5] * configure, configure.ac: Remove extraneous "(cached)" line when the -C option is used. We do not need to call AC_CACHE_VAL() to ensure that a variable is cached, its name just needs to match the pattern *_cv_*. [b8ffa09d0cd7] * configure, m4/sudo.m4: Make path checks in sudo.m4 cachable. [0bcfa73702d3] * configure, configure.ac: Use AC_PATH_PROGS_FEATURE_CHECK to find mandoc/nroff. We don't use the NROFFPROG or MANDOCPROG any longer so no need to set those. [7d96680046a6] * configure, configure.ac: Don't check for _sys_siglist if sys_siglist is found. [2c70aba3935c] * configure, configure.ac: Fix check for sys_sigabbrev. [b8537a76815f] 2022-12-05 Todd C. Miller * configure, configure.ac: Skip test for __func__ on C99 and above, avoid extra _sys_signame test. [71f3497a6a3a] * MANIFEST, aclocal.m4, configure, configure.ac, m4/gettext.m4: Move gettext checks to m4/gettext.m4 [693029542e06] * MANIFEST, aclocal.m4, configure, configure.ac, m4/ldap.m4: Move LDAP library checks to m4/ldap.m4 and make more tests cacheable. [85fa1f49298a] * MANIFEST, aclocal.m4, configure, configure.ac, m4/openssl.m4: Move OpenSSL/wolfSSL checks to m4/openssl.m4 [08b90f3cef52] * MANIFEST, aclocal.m4, configure, configure.ac, m4/pie.m4: Move PIE executable checks to m4/pie.m4 [6b5cac6cecd5] * MANIFEST, aclocal.m4, configure, configure.ac, m4/sanitizer.m4: Move address sanitizer and fuzzer checks to m4/sanitizer.m4 [a6372917d53b] * MANIFEST, aclocal.m4, configure, configure.ac, m4/visibility.m4: Move symbol visibility checks to m4/visibility.m4 [4684049c2d2c] * MANIFEST, aclocal.m4, configure, configure.ac, m4/hardening.m4: Move hardening checks to m4/hardening.m4 [c03abb3c9f55] * configure, configure.ac, m4/sudo.m4: Make cpp variadic arguments check into a macro and move to sudo.m4. Also move the PVS-Studio.cfg generation to sudo.m4. [c1a8d3b46be1] 2022-12-03 Todd C. Miller * lib/util/snprintf.c: Sync with OpenBSD. [157439118867] * Merge pull request #218 from sohomdatta1/snprintf [snprintf] Check for '\0' to prevent undef memory read [050882923c98] 2022-12-03 Sohom * lib/util/snprintf.c: [snprintf] Check for '\0' to prevent undef memory read [aff60c479c10] 2022-12-01 Todd C. Miller * lib/eventlog/eventlog.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c: Place C23 attributes before keywords in function declarations. In practice this means we must use "sudo_noreturn static foo(void)" instead of "static sudo_noreturn foo(void)". [6c1836dcb2d6] 2022-11-30 Todd C. Miller * scripts/build_pkgs: Convert from using IPC::Open3 to IPC::Run. Run tests in a pty so check_ttyname works as expected. Explicitly set short command line options letters in GetOptions(). Add a debug flag to help see what is going on internally. Add hook for die() to kill running jobs when we are dying. SSH_AGENT_PID will not be present if the agent is forwarded. In close_persistent_connections() only close active connections. [d49e1ac7e2f2] 2022-11-29 Todd C. Miller * config.h.in, configure.ac, include/sudo_compat.h: Use C23 [[__fallthrough__]] and [[__noreturn__]] attributes if supported. If the C23 attributes are not supported, use gcc-style attributes where possible. [57676068e9a9] * configure, configure.ac: Move the check for the fallthrough attribute outside the warnings block. Use AX_APPEND_FLAG instead of addind to CFLAGS directly. [dc22d8238827] 2022-11-28 Todd C. Miller * scripts/build_pkgs: The distributed package build script I use to build all sudo packages. This is not included in the release tarball because it is of limited use to other people. [94c58cc272c8] 2022-11-25 Todd C. Miller * Makefile.in: Pass the list of files to include in the tarball on stdin. This avoids any limit on the size of argv. [0af8578c89fe] 2022-11-23 Todd C. Miller * Merge pull request #214 from BornThisWay/1124_repeated_invocation check_syntax(): Remove duplicate calls to init_defaults() [3383fb0a6f5f] 2022-11-24 modric * plugins/sudoers/visudo.c: check_syntax(): Remove duplicate calls to init_defaults() [048ccd968df9] 2022-11-22 Todd C. Miller * plugins/sample/sample_plugin.c: build_command_info: free command_info on failure. Once upon a time, command_info was a stack variable, now it is dynamically allocated. Coverity CID 299987. [a80110e49952] * plugins/sample/sample_plugin.c: Better handling of out-of-memory conditions. [ee3e47c4d272] * plugins/group_file/group_file.c: Keep group file open until the call to myendgrent(). This restores the previous behavior. [79751f7308d7] * lib/util/json.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/match_command.c, plugins/sudoers/strvec_join.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/sudo.c: Eliminate a few harmless dead stores. Quiets warnings from Infer. [8bed7579b75d] * plugins/sudoers/ldap_util.c: sudo_ldap_parse_option: add explicit NULL check for strchr(). This should not be needed since we only use the returned pointer if it is larger than the string passed to strchr(). Quiets a warning from Infer. [852aec3e0450] * logsrvd/logsrvd_journal.c: journal_fdopen: free journal_path and close journal before setting Fixes a potential resource leak that currently cannot happen. Quiets a warning from Infer. [bfe41e247c35] * plugins/sudoers/ldap.c: sudo_ldap_result_add_entry: check sudo_ldap_get_values_len() return value. Previously, we just compared the error code with LDAP_NO_MEMORY when checking for sudoOrder since this is the only error we care about. We now return NULL for LDAP_NO_MEMORY and ignore other errors. Quiets a warning from Infer. [6e5a490b735c] * plugins/group_file/getgrent.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h: Refactor code to open passwd/group file and add setpassent/setgroupent. This makes the "stayopen" semantics match the system passwd/group functions. The getpwent/getgrent functions now open the database if it is not already open. [27bfa97ad47c] * plugins/sudoers/Makefile.in, plugins/sudoers/gram.h: gram.h: #line directives should reference gram.h not y.tab.h. [7a2d4a24d839] * scripts/mkpkg: Use clang, not /usr/bin/cc on FreeBSD and macOS. While /usr/bin/cc _is_ clang on those platforms, some static analyzers get confused if we don't run it as clang. [d0c1f5940789] 2022-11-21 Todd C. Miller * Merge pull request #212 from BornThisWay/1122_null_deref sudo_rcstr_dup: Fix potential NULL pointer deref [58fcefa888fa] 2022-11-22 modric * lib/util/rcstr.c: sudo_rcstr_dup: Fix potential NULL pointer deref [f45acaded1e5] 2022-11-21 Todd C. Miller * plugins/sudoers/check.c: Add a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. [7bc25043c760] * Merge pull request #210 from BornThisWay/1121_typo Fix some typos [9d1e9278effb] 2022-11-21 modric * plugins/python/regress/testhelpers.h, plugins/sudoers/parse.c: Fix some typos [d7d1c3ade748] 2022-11-20 Todd C. Miller * Merge pull request #208 from BornThisWay/1121_return intercept_read: Print and then return. [615c2d5fca36] 2022-11-21 modric * src/exec_intercept.c: intercept_read: Print and then return. [049547eb7ac0] 2022-11-20 Todd C. Miller * Merge pull request #205 from BornThisWay/1119_access_null_pointer sudo_mmap_strdup_v1: Fix potential NULL pointer deref [bad55afc72bb] 2022-11-19 modric * lib/util/mmap_alloc.c: sudo_mmap_strdup_v1: Fix potential NULL pointer deref [f8da23aff2ec] 2022-11-18 Todd C. Miller * src/sudo_intercept.c: copy_vector: plug memory leak in error path Only the array was being freed, not the contents. GitHub issue #202. [cd1407dbe65f] 2022-11-17 Todd C. Miller * scripts/mkpkg: Better matching of macOS version to SDK path. [db7f2cbdb023] * Merge pull request #200 from BornThisWay/fix_mem_leak_converse Fix memory leak of pass in converse(). [b411801abdf7] * plugins/sudoers/auth/passwd.c: sudo_passwd_cleanup: Set auth->data to NULL after freeing. GitHub issue #201 [e558188bd99d] 2022-11-17 modric * plugins/sudoers/auth/pam.c: Fix memory leak of pass in converse(). [052c99eaad8f] 2022-11-16 Todd C. Miller * config.h.in, configure, configure.ac: Use AC_SYS_YEAR2038 instead of setting _TIME_BITS by hand. [049113d798e9] * configure, m4/ax_append_flag.m4, m4/ax_check_compile_flag.m4, m4/ax_func_snprintf.m4, m4/ax_prog_cc_for_build.m4: Update macros from autoconf-archive. [48b960c883df] * plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/visudo/test3.sh: Fix typo; excerise -> exercise [42cdb396b72b] * config.h.in, configure, scripts/config.guess, scripts/config.sub: Regenerate with the autoconf 2.72a pre-release. [51d043878181] * configure.ac: Fix insufficient quoting in AC_CHECK_LIB() calls. [78d37b60a912] * autogen.sh: If AUTOCONF_VERSION is unset, use version 2.71 not 2.69. [108faf700aa7] * configure.ac, m4/ax_func_getaddrinfo.m4, m4/sudo.m4: Replace `foo` in descriptions with 'foo' [ba63cef7bbe8] 2022-11-15 Todd C. Miller * configure, configure.ac: Add -Wvla and -Walloca to --enable-warnings [7b9b59e35905] 2022-11-11 Todd C. Miller * plugins/sudoers/pwutil.c: sudo_debug_group_list: short-circuit if groups is NULL [0f8f11ef82b6] * configure, configure.ac: configure: only check for getauxval() if getentropy() is missing. [c056c2fc3898] * config.h.in, configure, configure.ac: Remove checks for random() and lrand48(), they are no longer used. Also remove duplicate checks for arc4random() and getentropy(). [e3433874211d] * configure, configure.ac: Skip check for cpp variadic macro support if the compiler supports C99. [42efc9934ef5] * configure, configure.ac: HI-UX/MPP is based on OSF-1, not HP-UX Completely untested. [c55ba59cd24d] * configure, configure.ac: Only check for utmps.h on HP-UX. [682bb16545cf] * configure, configure.ac: Only check for sys/syscall.h on Linux. We only use it in the Linux- specific getentropy() emulation code. [eac313bfc142] * config.h.in, configure, configure.ac: configure: avoid running unnecessary tests on modern systems. Remove AC_SYS_POSIX_TERMIOS, AC_TYPE_MODE_T, AC_TYPE_UID_T. Add missing checks for int16_t, uint16_t, int32_t, and int64_t. Only check for intmax_t, uintmax_t and bit-width types if missing both inttypes.h and stdint.h. Remove unused clockid_t replacement. [9f1f9d365f60] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test40.out.ok, plugins/sudoers/regress/cvtsudoers/test40.sh: Add a regress check for the cvtsudoers filter crash. GitHub issue #198. [f0abea1f10d0] * Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: The name of the C locale w/ UTF-8 support is not always C.UTF-8. Use a pattern to find it (if present) and use that value instead of hard-coding C.UTF-8. This works around a leak sanitizer crash on certain inputs. [99aeb5a875f7] 2022-11-10 Todd C. Miller * plugins/sudoers/parse_ldif.c: Fix a potential use-after-free bug with cvtsudoers filtering. In role_to_sudoers() when merging a privilege to the previous one where the runas lists are the same we need to re-use the runas lists of the last command in the previous privilege, not the first. Otherwise, the check in free_cmndspec() will not notice the re-used runas lists. Reported/analyzed by Sohom Datta. GitHub issue #198. [29d1380d2fe0] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/seed/ldif/invalid_b64.ldif, plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/corpus/seed/ldif/sample.ldif, plugins/sudoers/regress/corpus/seed/ldif/valid_b64.ldif, plugins/sudoers/regress/cvtsudoers/test39.sh: Copy some LDIF test data from the cvtsudoers tests to the seed corpus. This includes a test to exercise the fix in PR #196. [f74d65cf34d1] * plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Set LDAP base for sudoers_parse_ldif(). Without this set the fuzzer will not exercise the dn parsing. [c154b1a5d287] * src/exec_ptrace.h: Include linux/elf.h, not elf.h to make sure we get NT_ARM_SYSTEM_CALL. The NT_PRSTATUS define is present in both files. [161f41f644ca] <1.9> * src/exec_ptrace.h: Include linux/elf.h, not elf.h to make sure we get NT_ARM_SYSTEM_CALL. The NT_PRSTATUS define is present in both files. [4a4e3142381a] 2022-11-09 Todd C. Miller * include/sudo_compat.h: Remove CMSG_* compatibility macros, they are no longer used. [5914434ecb5c] * lib/util/multiarch.c, lib/util/sudo_dso.c: Add missing include of sys/stat.h [d3b0f701c75f] * include/sudo_util.h: Move forward declaration of struct stat before its first use. [f3cc645d197c] * plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test39.sh: Use a consistent base when testing cvtsudoers conversion from ldif. [a22cb486b2a3] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test39.out.ok, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/harness.in: Test parsing LDIF when a backslash is the last char of the file. If run with address sanitizer, this test will crash when the fix in ceaf706ab74b is reverted. [f50c78b7ed32] * Merge pull request #196 from sohomdatta1/main Prevent cvtsudoers from reading into undefined memory [f21c417bbbb3] 2022-11-09 Sohom * plugins/sudoers/parse_ldif.c: [cvtsudoers]: Prevent sudo from reading into undefined memory [ceaf706ab74b] 2022-11-08 Todd C. Miller * plugins/sudoers/auth/passwd.c: sudo_passwd_verify: zero out des_pass before returning. [c809232fdb7d] 2022-11-07 Todd C. Miller * src/exec_pty.c: Don't kill the parent process group on suspend if it is not sudo's pid. If sudo is not the process group leader we must only send the suspend signal to sudo itself. When sudo is run via a shell script, it usually has the same process group as the shell script interpreter. We do not want to suspend the script itself when the command run by sudo is suspended. [e6715ec62335] * src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c: Pass sudo's process ID to suspend_sudo_nopty() since we already know it. Saves an unnecessary getpid(2) call. [1e12d9b0ce53] * src/exec_nopty.c: Call terminate_command() with use_pgrp = false when not running in a pty. When sudo runs a command in the user's existing terminal the command is run in the same process group as sudo itself. The proper way to terminate it is to use kill(2), not killpg(3) [3d9862963e92] * src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Fix handling of signal forwarding when running commands in a script. We need to forward signals from a process in the same pgrp if the pgrp leader is not either sudo or the command itself. [d1bf60eac57f] * src/regress/intercept/test_ptrace.c: Make test_ptrace compile again after recent changes. [e766db5aa9d4] * src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c: Update the cwd for log_subcmds too. Fixes a problem for intercept_method=trace when running a relative command from a different directory than what sudo ws started from. GitHub issue #194 [b831f2397d9f] 2022-11-04 Todd C. Miller * .hgtags: Added tag SUDO_1_9_12p1 for changeset 39cf4d8052ff [28ed2d994f40] <1.9> * NEWS, configure, configure.ac: Merge sudo 1.9.12p1 from tip. [39cf4d8052ff] [SUDO_1_9_12p1] <1.9> * NEWS, aclocal.m4, configure, configure.ac: sudo 1.9.12p1 [6268fbabdb16] 2022-11-03 Todd C. Miller * lib/iolog/host_port.c: Include time.h for struct timespec used by sudo_iolog.h. [369c8e799652] * src/sudo.c: Display sudo_mode in hex in debug log. This makes it easier to match against the MODE_ defines. [971e8f88bc12] 2022-11-01 Todd C. Miller * plugins/sudoers/auth/bsdauth.c: bsdauth_verify: do not write to prompt, it is now const [1969a562cf14] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Store raw sudoers lines in the debug log. Also add a "sudoerslex" prefix to the token debug info in sudoers_trace_print(). [be03aef496cb] 2022-10-31 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: The line numbers in sudoers_trace_print() were off by one. The line counter is incremented when a newline is seen so the output actually refers to the previous line. [a97182a63419] * plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.h: Make the second arg to the sudo auth verify function const. This may be either a plaintext password or a password prompt. Either way it should not be modified by the verify function. [11aefc2bc3da] 2022-10-29 Todd C. Miller * plugins/sudoers/match.c: Move debugging info from hostname_matches() to host_matches(). [2a53d2dcd1f5] 2022-10-28 Todd C. Miller * plugins/sudoers/pwutil.c: Add debugging to sudo_set_grlist() and sudo_set_gidlist(). [620d6f7fb4f8] * plugins/sudoers/auth/passwd.c: Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with sudo 1.8.0 the plaintext password buffer is dynamically sized so it is not safe to assume that it is at least 9 bytes in size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. [a6229aa26fbf] 2022-10-27 Todd C. Miller * configure, configure.ac: configure: better test for -fstack-clash-protection The gcc front- end may accept -fstack-clash-protection even if the machine-specific code does not support it. We use a test program with a large stack allocation to try to cause the compiler to insert the stack clash protection code, or fail if not supported. GitHub issue #191 [bbfbe758258c] * configure, configure.ac: Check that compiler accepts -fstack-clash-protection and -fcf- protection. Previously, we only checked that linker accepted them. GitHub issue #191 [7d36b89b6e4d] 2022-10-26 Todd C. Miller * src/exec_ptrace.c: Fix compilation error on Linux/mips. [ae4c28d8a050] 2022-10-21 Todd C. Miller * .hgtags: Added tag SUDO_1_9_12 for changeset b53d725f7c88 [dd962ed18037] <1.9> * NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_init.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Merge sudo 1.9.12 from tip. [b53d725f7c88] [SUDO_1_9_12] <1.9> * src/Makefile.in: Regenerate dependencies for src/sesh.c. [ada8f04afc6d] * plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in: Sync clean target with other Makefile.in files. [8048628a554e] * Makefile.in, plugins/sample/Makefile.in: Build the sample plugin but do not install it by default. We no longer install the sample approval plugin. [a8644924b6a1] * plugins/sample/sample_plugin.c: Adapt to current plugin API and fix warnings. [d822f1a10361] 2022-10-20 Todd C. Miller * plugins/sudoers/sudoers.c: Disable admin_flag by setting to NULL, not false. Found by cppcheck. [6e32481e0555] * NEWS: Bug #1042. [85d508b6d5e5] * include/sudo_util.h, lib/util/fatal.c, lib/util/term.c, lib/util/util.exp.in, src/conversation.c: Only add trailing carriage return to messages if output is a raw tty. If output is being written to a terminal in "raw" mode, we need to add a carriage return after the newline to avoid "stair-step" output. However, we should not write the carriage return if the terminal is in "cooked" mode, output to a pipe, or output redirected to a file. Bug #1042. [14f5bf04245f] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Make it clear that runas_default sets the default user for Runas_Spec. Also use mention runas_default in other parts of the manual, use @runas_default@ instead of root and add markup around user names. GitHub issue #186. [73f0b82a2b22] * lib/util/multiarch.c, lib/util/sudo_dso.c: Fix a typo, muti-arch -> multi-arch GitHub issue #185 [d88270b9e98f] 2022-10-19 Todd C. Miller * NEWS: Mention log_servers eventlog fix. [484b76589309] * plugins/sudoers/policy.c: Don't NULL out the plugin close function when logging to a log server. If sudo calls execve(2) directly the accept info will not be sent. We also need the sudo front-end to wait until the command finishes to send the exit status. [11976aa84040] 2022-10-17 Todd C. Miller * INSTALL.md: Fix numbering in "Simple sudo installation" [695bec2a6223] 2022-10-14 Todd C. Miller * NEWS: zlib 1.2.13 update [2119981787f0] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/ja.mo, po/ja.po, po/ka.mo, po/ka.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po: Updated translations from translationproject.org [b1f28405c58d] * lib/zlib/zconf.h.in: Don't define _LARGEFILE64_SOURCE or _LFS64_LARGEFILE. We don't need them and the missing prototype for crc32_combine_gen64() issue has been fixed upstream. [39eb41f1dba4] 2022-10-13 Todd C. Miller * lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: Update embedded copy of zlib to version 1.2.13. Fixes CVE-2022-37434. [737d6de5253c] * lib/util/fchownat.c: Add fchownat() for systems without it. [7c4aeda51522] 2022-10-10 Todd C. Miller * NEWS: Update NEWS for 1.9.12. [a4b090f3f6c8] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.12 [179fba83936d] * src/selinux.c, src/sesh.c, src/sudo_edit.c: Use getopt() and getopt_long() for sesh command line options. [fbaa6c75e2ef] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Update the description of intercept_verify [63f80a7cd4a6] 2022-10-07 Todd C. Miller * src/load_plugins.c: Silence a warning from the Solaris Studio compiler. [49a3c72cb539] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_eventlog.h, include/sudo_json.h, include/sudo_plugin.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/json.c, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/sudoers.h, src/env_hooks.c, src/exec_intercept.c, src/net_ifs.c, src/sudo_intercept_common.c, src/sudo_plugin_int.h: Avoid a -Wshadow warning on Solaris 9. [e6bc419fa976] * lib/util/mmap_alloc.c: Fix a build error on Solaris 9. [679b60caf5a3] 2022-10-06 Todd C. Miller * plugins/sudoers/parse.c: Fix display of command tags and options in "sudo -l" when RunAs changes. A new line is started when RunAs changes which means we need to display the command tags and options again. GitHub issue #184 [3180777986de] * plugins/sudoers/fmtsudoers.c: Fix printing of MYSELF when listing another user's privileges. We need to use list_pw if it is set instead of user_name. GitHub issue #183 [268044635b44] * NEWS: Update NEWS file with recent changes. [200ac32d330b] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/multiarch.c, lib/util/regress/multiarch/multiarch_test.c, lib/util/sudo_dso.c, lib/util/util.exp.in, src/load_plugins.c: Apply multiarch rules when loading plugins too. [f53fe06fce06] 2022-10-05 Todd C. Miller * lib/util/sudo_dso.c: sudo_dso_load: try multi-arch on Linux if we can't load the path. For example, if loading /usr/lib/libsss_sudo.so fails, try again with /usr/lib/x86_64-linux-gnu/libsss_sudo.so. [4eabffa486b5] * MANIFEST, lib/util/Makefile.in, lib/util/regress/open_parent_dir/open_parent_dir_test.c: Add test for sudo open_parent_dir() [2d6b1be616c9] * MANIFEST, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test19.sh: Add test for matching a literal "" command line argument as "" in sudoers. GitHub issue #182. [ccb5dc8b23ee] 2022-10-04 Todd C. Miller * docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/visudo.c: Add -I flag to disable editing include files unless there is an error. This can be used when you only want to edit a single sudoers file unless there is a pre-existing syntax error. [18fbf720fdbf] * plugins/sudoers/match_command.c: Do not match a literal "" command line argument as "" in sudoers. If the empty string is specified in sudoers, no user args are allowed. GitHub issue #182. [5de0370eddcb] * lib/util/sudo_conf.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c: sudo_secure_open_{file,dir}: always check thatreturn value is not -1. Avoids false positives from static analyzers that can't figure out that the fd is always valid when error is SUDO_PATH_SECURE. [f0ebb2b836b9] * lib/iolog/iolog_mkdtemp.c: Correct return value when mkdtempat() fails. [5a491fac8f49] * lib/util/mkdir_parents.c: sudo_open_parent_dir: stop before creating the last path component Fix a regression introduced in sudo 1.9.9 where the entire directory path was created instead of just the parent directory. [fdaa5aeb744b] 2022-10-01 Todd C. Miller * Makefile.in, scripts/log2cl.pl: Use "hg log --template" instead of "hg log --style". [63f020404fbb] 2022-09-29 Todd C. Miller * plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, src/parse_args.c: Mark code that escapes/unescapes "sudo -s cmd args..." for removal. A future version of the plugin API will defer any such escaping to the policy plugin so it can be configurable. [658d1bba4319] * NEWS: Update with recent changes. [4a739e30c77f] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in: Improve the description of JSON output. [258b57ce22ab] 2022-09-28 Todd C. Miller * INSTALL.md, etc/codespell.ignore, lib/eventlog/eventlog.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h, src/exec_nopty.c: Fix typos found by codespell 2.2.1. [3beaf856c861] * logsrvd/iolog_writer.c: Change max user-ID and group-ID from INT_MAX to UINT_MAX. [0971e5f9f398] * logsrvd/logsrvd_local.c: Add support for NumberList stored in an InfoMessage. [a762fe45e5cc] * logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c, plugins/sudoers/log_client.c: Add missing NULL checks for mandatory fields in protobuf messages. Also no longer reject an InfoMessage with an unknown value_case, just log and ignore it. [41c38e7f075b] 2022-09-27 Todd C. Miller * plugins/sudoers/log_client.c: Don't send ttyname to log server if it is NULL. Otherwise the log server will reject the AcceptMessage because a NULL string is not allowed. [df7fea4bef26] * src/exec_nopty.c: HP-UX has struct winsize in termios.h. [5827a1f234fe] * plugins/python/Makefile.in, src/Makefile.in: Regen dependencies [817623addc62] * docs/sudoers.man.in, docs/sudoers.mdoc.in, src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c: Add support for logging stdin/stdout/stderr in the non-pty exec path. If we are logging I/O but not terminal input/output (either because no terminal is present or because that is what the plugin requested), the non-pty exec path is now taken. [205c68d452df] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/regress/noexec/check_noexec.c, src/sudo_exec.h, src/sudo_intercept_common.c: Move exec code to call into I/O log plugin to exec_iolog.c. This will be shared with exec_nopty.c in the future to log stdin/stdout/stderr without running the command in a pty. Both exec_pty.c and exec_nopty.c now use the same closure. [45a19e8e3721] * plugins/python/python_importblocker.c: Implement find_spec, not the deprecated find_module. Fixes a test failure due to find_module having removed from setuptools. [cc1e68c0ee1e] 2022-09-23 Todd C. Miller * plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c: copy_arg: fix copying an escaped backslash GitHub issue #179 [d21d95ec5cb0] 2022-09-22 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c: Use mkdtempat_np() and mkostempsat_np() on macOS [ad0cd430347e] 2022-09-21 Todd C. Miller * include/sudo_iolog.h, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/util/mkdir_parents.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c: Convert remaining uses of sudo_mkdir_parents() to sudo_open_parent_dir(). [62fd9644a605] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl: Add fchownat() systems without it. [d51316f1026d] * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c, plugins/python/regress/iohelpers.h: Add mkdtempat() and mkostempsat() for systems without them. [099468742d16] * docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/util/secure_path.c, lib/util/sudo_conf.c, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c: Use sudo_secure_open_file() instead of sudo_secure_file() where possible. Both sudo_secure_open_file() and sudo_secure_open_dir() are now passed a struct stat pointer like sudo_secure_file() and sudo_secure_dir(). [c4e4c3f74ea4] * include/sudo_util.h, lib/util/mkdir_parents.c, lib/util/secure_path.c, lib/util/util.exp.in, plugins/sudoers/timestamp.c: Fix potential TOCTOU when creating time stamp directory and file. [d36591f966c5] * lib/util/mkdir_parents.c: sudo_mkdir_parents: just use memcpy() to copy the path component. Using snprintf() for this is overkill, we need to do the same length check either way. [8ea754871a54] * lib/util/Makefile.in: regen [ab40def3376c] 2022-09-20 Todd C. Miller * lib/util/digest_gcrypt.c: Quiet libgcrypt run-time warning about not being initialized. Fixes Debian bug #1019428 and Ubuntu bug #1397663. [ebf9a6477d5d] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/audit.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.h, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Split log_{input,output} into log_{stdin,ttyin} and log_{ttyout,stdout,stderr} If log_input is set, log_{stdin,ttyin} will be set as well. If log_output is set, log_{stdout,stderr,ttyout} will be set as well. This provides more fine-grained control over I/O logging and makes it possible to disable logging piped or redirected intput or output. [5b7ea42ac63b] * LICENSE.md, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c: Update to protobuf-c 1.4.1 We already had all the relevant fixes so this is just cosmetic. [aa51e48afe49] * src/load_plugins.c: new_container: no need to initialize container pointer in declaration. From Li zeming. [729a8a417d88] 2022-09-15 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Use tcpgid if passed from sudo front-end and use it in tty_present(). This can be used as another indicator that a terminal is present without having to open /dev/tty. [b804b8b7fc03] 2022-09-13 Todd C. Miller * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Remove most uses of the deprecated Li macro which has no effect. Also fix some other incorrect markup. [8f94cc555092] 2022-09-12 Todd C. Miller * Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Use $(GREP) and $(EGREP) variables in Makefile.in files. [cf8d7fb45169] * Merge pull request #177 from a1346054/fixes Makefile.in: replace `egrep` and fix target name [751aa03eb470] 2022-09-12 a1346054 <36859588+a1346054@users.noreply.github.com> * Makefile.in: Fix incorrect makefile target name [318288fb712f] * Makefile.in: Use `grep -E` instead of `egrep` [4a2d9543643c] 2022-09-11 Todd C. Miller * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in: Document apparmor_profile, intercept_verify, and update_ticket. [d55caa1af788] * docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in: Fix some of the markup to be more consistent with sudo_plugin.mdoc.in. Also reword a few awkward phrases. [8682c067c38b] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in: Use correct markup of function arguments and struct members. Also remove most uses of the deprecated Li macro which has no effect. [59b01b9ff183] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in: Move the init_session() errstr description to where it belongs. [8c1e7cb23d1f] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Fix a typo [591b75013070] 2022-09-07 Todd C. Miller * plugins/sudoers/logging.c: log_parse_error: make errstr const to quiet a -Wwrite-strings warning [9827a2a01316] * config.h.in, configure.ac, include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_util.h, lib/eventlog/eventlog.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/defaults.c, plugins/sudoers/logging.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.h, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/sudo.h: Move gcc-style __attribute__ macros to config.h.in Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike, __printf0like -> sudo_printf0like. Add sudo_noreturn instead of __attribute__((__noreturn__)). We do not use stdnoreturn.h since it has been deprecated in C23 in favor of the [[noreturn]] attribute. [ad3c04a1bbb0] * plugins/sudoers/visudo.c: Add __printf0like to visudo_track_error(). [7a118c40d360] 2022-09-06 Todd C. Miller * plugins/sudoers/gram.y: Back out unintended change in last commit. [5d52c966212d] * plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h: It is possibble for sudoerserrorf() to be called with a NULL format. So log_parse_error() needs to check fmt for NULL before using it. [5b779a6888c9] 2022-09-03 Todd C. Miller * docs/UPGRADE.md: Mention how to restore the historic core resource limit behavior. [bfd792bd9d07] * plugins/sudoers/audit.c: Set MODE_POLICY_INTERCEPTED for log_subcmds too. This fixes a problem where sub-commands were not being logged to the remote log server, if configured. Since we don't go through sudoers_policy_main() again for log_subcmds, we set the flag in sudoers_audit_accept() instead. The reason this is complicated is that when I/O logging is enabled the initial accept message gets sent as part of the remote logging handshake. GitHub issue #174 [297fa6bbd769] 2022-09-02 Todd C. Miller * NEWS: Update with latest changes. [d7ca5db7adc7] * docs/cvtsudoers.mdoc.in: Fix typo. [7629516758e2] * plugins/sudoers/sudoers.c: Only check the admin flag file once in intercept mode. [c439914e08e1] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in: Document cvtsudoers CSV output format [c5164466cae2] 2022-08-31 Todd C. Miller * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in: Document cvtsudoers JSON output format [9fce227c2c61] 2022-08-30 Todd C. Miller * src/exec_ptrace.c: Zero out register struct before calling ptrace_getregs(). Quiets a spurious valgrind warning. [32f19e2e508f] 2022-08-29 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: intercept_verify is fast, but the policy check is (relatively) slow. [0a120a78bd37] * src/exec_ptrace.c: Realloc the buffer used to store argv and envp as needed. We now store the vector immediately after the string table. It is possible for argv and its contents to be invalidated by realloc() when reading envp so we store the pointers as offsets until we are done allocating. [7620f3dceac4] 2022-08-28 Todd C. Miller * src/exec_ptrace.c, src/exec_ptrace.h: ptrace_verify_post_exec: use /proc/PID/cmdline and /proc/PID/environ There is no reason to read these directly from the tracee when we rely on /proc being mounted to access /proc/PID/exe. [5da938210647] * src/exec_ptrace.c: Protect ptrace_readv_string() with #ifdef HAVE_PROCESS_VM_READV [cc8e71c4c529] 2022-08-25 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Rework the intercept section in "Preventing shell escapes". [5e5b1ea90ce1] * .github/workflows/codeql-analysis.yml: Update CodeQL Action to v2 using current example config. [d0aa8b4dda28] * lib/util/arc4random.c: Suppress PVS-Studio false positive. [32fd02734378] * src/exec_intercept.c: intercept_check_policy_req: an empty argv[] is now supported [a668708cc0a9] * config.h.in, configure, configure.ac, src/exec_ptrace.c: Use process_vm_readv(2) and process_vm_writev(2) if available. This is faster than reading/writing from/to the remote process one word at a time using PTRACE_PEEKDATA and PTRACE_POKEDATA. [d0c5ed82738c] * plugins/sudoers/check.c: Skip all of check_user() for intercept unless intercept_authenticate set. Previously we were calling the PAM approval modules even in intercept mode which can take a lot of time. We may wish to make PAM approval configurable in intercept mode in the future. [e06fbc7e4ca6] * plugins/sudoers/sudoers.c: Only set MODE_POLICY_INTERCEPTED on subsequent policy checks. This fixes a bug where MODE_POLICY_INTERCEPTED was set too early if the intercept option was set globally in sudoers. It should only be set after the original command has executed. [8f5d47c2635a] 2022-08-23 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: intercept_verify also compares the environment. Also mention the overhead involved in checking things. [44da04558285] 2022-08-22 Todd C. Miller * src/exec_ptrace.c: ptrace_getregs: make compat check more generic No need to use different checks for mips and non-mips, the compiler will optimize away the superfluous check. [0f2ff0f3f388] * src/preload.c: Correct type of sudoers_audit. GitHub issue #61 [17a7806ad3ba] 2022-08-20 Todd C. Miller * src/sesh.c: Fix shadowed variable warning. [e200b6b5b4fd] 2022-08-19 Todd C. Miller * src/exec_ptrace.h: Fix shadowed variable warning on aarch64. [84169692bd1c] * src/regress/intercept/test_ptrace.c: Quiet another -Wwrite-strings warning. [ff2860056976] * src/exec_ptrace.c: ptrace_getregs: try to determine compat mode if caller doesn't know. In ptrace_verify_post_exec(), we don't know whether the executable that is now running is a native or compat binary. In most cases ptrace_getregs() will be able to figure it out for us. [fb0fa29ff554] * src/exec_ptrace.c: ptrace_intercept_execve: fail syscall rather than killing process on error. If the execve(2) args are bogus pointers, we should just return an error instead of killing the process. For consistency with the kernel, convert EIO from ptrace(2) to EFAULT. Also convert some ptrace(2) warnings to debug printfs so sudo is less chatty. [3d30c6d28005] 2022-08-18 Todd C. Miller * src/exec_ptrace.c: Treat argv and closure->run_argv of different sizes as a mismatch. If argv and closure->run_argv match up to the point where we hit a NULL but one of them has additional entries, we still need to rewrite argv. [91d522d9c3b6] * src/exec_ptrace.c: Handle the case where argc is 0 when allocating space for argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [953f92c9e7a5] * src/sudo_intercept.c: copy_vector: treat a NULL pointer as an empty vector. Linux execve(2) allows argv to be NULL so we must allocate an empty vector in this case and not return an error. [cf30608ed6cb] * src/exec_preload.c: Update debug_decl name for sudo_preload_dso -> sudo_preload_dso_alloc change. [b0db53a62c7a] * src/exec_intercept.c: Handle the case where argc is 0 when rebuilding argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [10358fc408a1] * src/exec_ptrace.c: Handle sysconf(_SC_ARG_MAX) failure, Coverity CID 276504. [ddb88da56bd7] * plugins/sudoers/match_digest.c: Avoid a Coverity false positive. [dd9fd747bd7f] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Remove cast from time_t to int to avoid a Coverity false positive. The cast should not be required. [a305b10eb17e] 2022-08-11 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/group_plugin.c: Use multilib rules to look for a 64-bit group plugin on failure. If sudo_dso_load() fails on a 64-bit system, try to load a 64-bit native version of the file using system-dependent multilib rules. If we don't support multilib on the platform, check for a version of the file that ends in "64" before the .so suffix. [d36bcc89ee34] * docs/sudo_plugin.man.in: regen [c14c0882a07d] 2022-08-08 Todd C. Miller * plugins/sudoers/env.c, src/env_hooks.c: In putenv(3) replacement reject a string with no '=' or that starts with one. [59c6e6e5232b] 2022-08-05 Todd C. Miller * LICENSE.md: Update copyright year for embedded zlib. [2c52d016e583] 2022-08-04 Todd C. Miller * configure, configure.ac: Use our own arc4random() in preference to the glibc version. The glibc arc4random() may fail in chroot on older kernels and exit. [9b4a62c9f468] * lib/util/sudo_dso.c: sudo_dso_load: restore original error for AIX on failure. For AIX, if dlopen() fails we try again with RTLD_MEMBER set and a default member (shr.o or shr_64.o). However, if that also fails, the user will receive a useless error message that doesn't correspond to the actual problem. We now retry the original dlopen() if the fallback to RTLD_MEMBER fails, which has the effect of restoring the original error message. [ec539996a4aa] 2022-08-02 Todd C. Miller * Merge pull request #165 from bdrung/xdg-current-desktop Add XDG_CURRENT_DESKTOP to initial_keepenv_table [3d2e82e32ea8] * NEWS, configure, configure.ac: Sudo 1.9.12. [08c096ada8b2] * docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regr ess/testdata/check_multiple_approval_plugin_and_arguments.stdout, src/exec.c: Bump the sudo plugin minor version. The "update_ticket" entry was added to the settings list and the "intercept_verify" entry was added to the command_info list. [3259f3199798] * docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_usage.h.in: Add a way to run a command without updating the cached credentials. This can also be used to test for whether or not the user's credentials are currently cached. [f5825a6f881b] * Merge pull request #168 from likunyur/lky Remove unnecessary initialization and casts. [fcb251c895ce] * Merge pull request #169 from kempstonjoystick/main Fix incorrect SHA384/512 digest calculation. [f016c3a37255] 2022-08-02 Tim Shearer * lib/util/sha2.c: Fix incorrect SHA384/512 digest calculation. Resolves an issue where certain message sizes result in an incorrect checksum. Specifically, when: (n*8) mod 1024 == 896 where n is the file size in bytes. [e9f235a8d432] 2022-08-01 Todd C. Miller * src/exec.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h: Defer chdir(2) until sesh when running with SELinux. We need to be running with the correct security context or the chdir(2) may fail. GitHub issue #160. [a8713dd21be9] 2022-08-01 Li zeming * lib/util/arc4random.c: util/arc4random: (void*) type pointer passing address could remove cast Signed-off-by: Li zeming [aa4e8c73f131] * lib/iolog/hostcheck.c: iolog/hostcheck: These two parameters do not need to be initialized and assigned, the following code is directly assigned Signed-off-by: Li zeming [dd657435f277] 2022-07-31 Todd C. Miller * Merge pull request #166 from c4rlo/patch-1 visudo.c: add nvim (Neovim) to lineno_editor list [97e0a7b00daa] 2022-07-31 Carlo Teubner <435950+c4rlo@users.noreply.github.com> * plugins/sudoers/visudo.c: visudo.c: add nvim (Neovim) to lineno_editor list Neovim supports it: https://neovim.io/doc/user/starting.html#-+ [020b59cf0f6b] 2022-07-29 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in: Document the TOCTOU issue with intercept mode. Describe how intercept_verify attempts to reduce the risk. [b118de8d4c66] * etc/codespell.exclude, etc/codespell.ignore: Update a codespell exclude pattern. [3193ffb4c938] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, src/exec_ptrace.c, src/sudo.c, src/sudo.h: Add intercept_verify sudoers option to control execve(2) argument checking. [79131cfb0125] * src/exec_ptrace.c: Use PTRACE_EVENT_EXEC to stop execution before return from execve(2). We can now verify that the arguments match what we accepted before the command actually runs. If there is a mismatch, the process is killed. Shell scripts must be handled specially since the path executed will be the interpreter, not the script name. Linux allows interpreters to be nested up to 4 deep. [5e7b1828dbb0] * plugins/sudoers/sudoers.c: Only set MODE_POLICY_INTERCEPTED if we are running a command. Fixes an error with "sudo -l" when intercept is enabled globally. [7a1d0ff5a498] 2022-07-29 Benjamin Drung * plugins/sudoers/env.c: Add XDG_CURRENT_DESKTOP to initial_keepenv_table Qt needs `XDG_CURRENT_DESKTOP` to be set to determine the correct theme. Since `DISPLAY` and `XAUTHORITY` are already in the default table of variables to preserve in the environment, just add `XDG_CURRENT_DESKTOP` to it. Bug: https://launchpad.net/bugs/1958055 Signed-off-by: Benjamin Drung [aa5132684c89] 2022-07-27 Todd C. Miller * src/exec_ptrace.c: The length returned by ptrace_read_string() include the NUL. We were wasting a extra byte in the string table for each entry. [b1220aae7141] 2022-07-26 Todd C. Miller * include/sudo_compat.h, include/sudo_util.h: Use gcc's malloc attribute for malloc-like allocation functions. [bff3b0ab89c5] * lib/util/mmap_alloc.c: Avoid a Coverity positive. [81f526688296] * src/exec_preload.c: fmtstr: add missing va_end() for the overflow case Coverity CID 275335 [42a4f4467ca5] * lib/util/sudo_debug.c: Fix potential NULL pointer deference found by clang-analyzer. [5b0a9c0f2e71] * src/sudo.c, src/sudo_intercept_common.c: Quiet some harmless PVS-Studio warnings. [9b9cc92f0585] * src/exec_intercept.c: Reject relative command paths if runcwd is not set. This is now treated as a policy rejection. [bf35a6818c77] * src/exec_intercept.c: intercept_check_policy: close saved_dir before returning [04adba5e85fa] * src/exec_intercept.c: Change to runcwd during the policy check where possible. Otherwise, attempts to run "./command" from a shell with intercept set will fail if the current working directory is different from the main sudo process. [cd218f081cf2] 2022-07-25 Todd C. Miller * include/sudo_util.h, lib/util/mmap_alloc.c, lib/util/util.exp.in, src/sudo_intercept.c: For preload DSO make copies of cmnd, argv, envp and map them read- only. [56a160c55e4c] * src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c: Use sudo_mmap_alloc functions in DSO-based intercept code. [806dacd141ad] * lib/util/snprintf.c: Use sudo_mmap_alloc functions instead of private versions. We no longer need to keep track of the allocation size. [6f375ed7a927] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/mmap_alloc.c, lib/util/util.exp.in: Add sudo_mmap_{alloc,allocarrary,strdup,free} functions. These allocate memory via mmap anonymous regions and store the mapped size immediately before the returned pointer as an unsigned long. They are intended to be used in cases where malloc(3) and free(3) are unsuitable due to concerns about corrupting global state in multi- threaded programs or signal handlers. [803b4a82bedd] * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Sync with schema.OpenLDAP for user/group utf8 support. [14705b52a4f9] * Merge pull request #163 from Firstyear/20220725-sudo-ldap-schema Update sudoUser to be utf8 in ldap schemas [91354fc2ed23] * src/sudo_intercept.c: resolve_path: skip non-regular files [2ed5efdb48ea] 2022-07-25 William Brown * docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo: Update sudoUser to be utf8 in ldap schemas In most unix-style LDAP servers, uid is a utf8 string defined by OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant that sudoUser could only represent a subset of possible values. In some cases when using sudoers.ldap, the uid from the machine which was utf8 was fed back into sudo which would then issue a search for sudoUsers. If this uid contained utf8 characters, the ldap server would refuse to match into sudoUsers because these were limited to IA5. This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning that this change will not impact existing deployments and their rules. [7a47e711ca88] 2022-07-14 Todd C. Miller * src/exec_intercept.c, src/sudo.c: Make sure the plugin provides a command, argv and envp. [7e4e93118622] * lib/util/sudo_debug.c, src/exec_intercept.c, src/exec_preload.c, src/exec_ptrace.c, src/sudo_intercept.c, src/sudo_intercept_common.c: Linux execve(2) allows argv or envp to be NULL. Add checks to make sure we don't deference a NULL pointer. [be380b71df62] 2022-07-13 Todd C. Miller * src/exec_intercept.c: intercept_check_policy: add oom label and fix approval failure case. If the approval plugin fails we need to set the state to POLICY_REJECT just like we do if the policy rejected the command. [e7ba37e32af7] 2022-07-09 Todd C. Miller * plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, src/apparmor.c: Fix a few whitespace issues. [deb6391a3ba0] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Increase the realloc increment from 128 to 1024. The contents of the env_add array should not include the leading "env=" prefix. [d8c0067fc3fd] * plugins/sudoers/env.c: sudo_putenv_nodebug: require that the environment string include a '=' [fb200f301070] 2022-07-08 Todd C. Miller * plugins/sudoers/visudo.c: If update_defaults() fails, treat it as a parse error. [d9860eb2257a] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add additional PVS-studio suppression comments for generated code. [dfb89944dcce] 2022-07-07 Todd C. Miller * plugins/sudoers/match_command.c: Fix compilation error when SUDOERS_NAME_MATCH is defined. [3b76707bc5fa] * plugins/sudoers/match_command.c: Fix a NOPASSWD issue with a non-existent command when fdexec=always In command_matches_all(), if the command is fully-qualified and open_cmnd() return false, only treat it as an error if we are able to stat(2) the command. For "sudo ALL" a non-existent command is not an error. [e2d756137ce9] * plugins/sudoers/regress/testsudoers/test18.sh: Quote ^foo$ on command line to protect it from the shell. [0f1274e0be93] 2022-07-05 Todd C. Miller * lib/eventlog/regress/logwrap/check_wrap.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, plugins/python/regress/check_python_examples.c, src/exec_ptrace.c: Add explicit include of unistd.h for getopt(3) and related variables. [e1c369cd5ae8] 2022-07-04 Todd C. Miller * plugins/sudoers/cvtsudoers.c, src/sudo_intercept_common.c: Merge pull request #161 from likunyur/lky sudoers/cvtsudoers: Remove the repeated ';' from code [9b961a3b9c86] 2022-07-04 Li kunyu * src/sudo_intercept_common.c: src/send: Remove the repeated ';' from code Signed-off-by: Li kunyu [6fc809eac0b1] * plugins/sudoers/cvtsudoers.c: sudoers/cvtsudoers: Remove the repeated ';' from code Signed-off-by: Li kunyu [75582c880c30] 2022-07-01 Todd C. Miller * lib/util/timegm.c: In timegm() initialize tm_isdst to 0 like tzcode does. [d3f2d10c3559] 2022-06-30 Todd C. Miller * include/intercept.pb-c.h, include/sudo_event.h, src/exec_intercept.c, src/exec_intercept.h, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c: Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds. There's no real reason for the command to wait for sudo send back a response that will always be a PolicyAcceptMessage. [d2fe28a652d0] * plugins/sudoers/sudoers.c: sudoers_main: defer setting return value until the end when running a command Otherwise, we could return success when there was an error from a system call or memory allocation failure. [bd993a2948ce] * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Save the initial command run via sudo and use it when logging exit status. Otherwise, if we are in intercept mode or logging sub- commands the exit status will be logged with the wrong command. [54e3494473ac] 2022-06-29 Todd C. Miller * lib/zlib/zconf.h.in: Define _LARGEFILE64_SOURCE if _FILE_OFFSET_BITS == 64. Fixes a -Wwrite-strings warning on 32-bit systems. [61eff691496f] * lib/util/strsignal.c: Quiet another -Wwrite-strings warning. [a03bb85d581d] * lib/protobuf-c/protobuf-c.c: Fix a clang analyzer 14 warning about a possible NULL deref. [4c0db4ac3e1d] * lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Regenerate dependencies [ff7de2b59097] * scripts/mkdep.pl: Do not check files generated by protbuf-c with PVS-Studio [86f56c21339f] * logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c, logsrvd/sendlog.c, logsrvd/tls_client.c, plugins/sudoers/log_client.c, src/sudo_intercept_common.c: Quiet some harmless PVS Studio warnings. [476fbef7a0c4] * logsrvd/logsrvd_conf.c, logsrvd/sendlog.c: Use "unable to allocate memory" warning on malloc failure. This is consistent with the rest of the sudo source code. [5954fc067647] * lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/iolog/host_port.c, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/util/getentropy.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c, src/Makefile.in, src/apparmor.c: Add missing PVS Studio Open Source comments. Also avoid checking protobuf-c source and protobuf-c generated files. [e1277c1f6585] * lib/iolog/host_port.c, lib/iolog/hostcheck.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/python/pyhelpers.h, plugins/python/regress/iohelpers.h, plugins/sudoers/log_client.c: Use #include not #include "config.h" for consistency. Otherwise, some compilers may do the wrong thing in a build dir if there is a config.h file in the source dir too. [79aaab18dc6d] 2022-06-28 Todd C. Miller * plugins/sudoers/group_plugin.c: Update group_plugin_load() stub to match its prototype. [9ea7126e6d5c] * configure, configure.ac, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/iolog/host_port.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/util/aix.c, lib/util/getgrouplist.c, lib/util/getopt_long.c, lib/util/lbuf.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/regress/progname/progname_test.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/exptilde.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/insults.h, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/edit_open.c, src/exec_common.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/selinux.c, src/sudo.c, src/sudo_edit.c, src/sudo_intercept.c: Make sudo pass -Wwrite-strings [7ac3dd7b1634] * configure, configure.ac: A typo prevented -Wno-deprecated-declarations from being used on macOS. [4d6d4b9e7191] 2022-06-27 Todd C. Miller * src/preload.c: Fix missing prototype warning. [66e460d3c1d2] * lib/zlib/zconf.h.in: Define _LFS64_LARGEFILE, _LARGEFILE64_SOURCE if 64-bit or _LARGE_FILES set. autoconf does not define _LARGEFILE64_SOURCE by default but zlib expects it (its own configure script will define it). Fixes a missing prototype for crc32_combine_gen64() on AIX and HP-UX. [c5b314bebbcb] * configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/host_port.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, plugins/python/pyhelpers.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_common.c, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc, plugins/python/python_plugin_policy.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/audit.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/stubs.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.h, plugins/sudoers/unesc_str.c, src/copy_file.c, src/exec_ptrace.c, src/load_plugins.c, src/net_ifs.c, src/sudo.h, src/sudo_intercept.c, src/sudo_intercept_common.c, src/sudo_noexec.c: Make sudo pass -Wmissing-prototypes [195b024b9f54] * src/exec_ptrace.c: Include inttypes.h if stdint.h is not present. Bug #1035 [da6185c4c418] 2022-06-21 Todd C. Miller * src/exec_ptrace.c: readlink(2) does NUL-terminate the buffer, do it manually. Fixes a bug where the current working directory could include garbage in intercept mode using ptrace(2). [dc7c547f518f] * src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept_common.c: sudo_preload_dso: make the envp function argument const This lets us fix an inappropriate cast in sudo_intercept_common.c. [c2fa860b684e] * src/exec_intercept.c: intercept_write: remove unused CD_USE_PTRACE code. It is not possible to end up in intercept_write when CD_USE_PTRACE is set. [f8bdc5e37294] 2022-06-20 Todd C. Miller * .hgtags: Added tag SUDO_1_9_11p3 for changeset 6e671475b373 [59e5766213e9] <1.9> * NEWS, configure, configure.ac: Merge sudo 1.9.11p3 from tip. [6e671475b373] [SUDO_1_9_11p3] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.11p3 [c96ded63ae46] * src/exec_intercept.c, src/sudo_intercept_common.c: Set TCP_NODELAY on the socket used for intercept IPC to reduce latency. On some systems, Nagle's algorithm was delaying receipt of the data, causing commands with intercept or log_subcmds to run slowly. Related to Bug #1034. [11b129850ac1] * src/sudo_intercept_common.c: Use blocking I/O when talking to the sudo process. Also check for EAGAIN/EINTR when reading the message size. Fixes a problem seen on AIX where recv_intercept_response() could fail unexpectedly. Bug #1034. [8554618665a2] * src/exec_intercept.c: Add debug printfs when send/recv return EAGAIN or EINTR. These are not actually errors but can help gain insight into what is going on and, in the case of EAGAIN, whether or not there may be a kernel resource starvation problem. [fd2dee906d2f] 2022-06-14 Todd C. Miller * plugins/sudoers/logging.c: log_exit_status: make local variables match struct evlog members. [f93d5141e818] 2022-06-13 Todd C. Miller * lib/util/getgrouplist.c: Quiet a compiler warning on macOS. The getgrouplist() groups array on macOS is int * instead of gid_t *. [c64bf72a1416] 2022-06-12 Todd C. Miller * .hgtags: Added tag SUDO_1_9_11p2 for changeset 9e4705cb1db5 [2a4b6b814432] <1.9> * NEWS, configure, configure.ac, include/sudo_compat.h: Merge sudo 1.9.11p2 from tip. [9e4705cb1db5] [SUDO_1_9_11p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.11p2 [9505276e5c97] 2022-06-11 Todd C. Miller * src/exec_ptrace.h: Fix compilation on Linux/x32; GitHub issue #158 [8cebfdd49205] 2022-06-10 Todd C. Miller * plugins/sudoers/policy.c: Fix pasto in comment after HAVE_PRIV_SET #endif [2275ab3b016d] * include/sudo_compat.h: Fix typo, we should define SSIZE_MAX if it is not defined. [51c68f801479] 2022-06-09 Todd C. Miller * plugins/sudoers/env.c: Change black list -> blocklist This was missed in the previous conversion. [da610ebb5cb1] * plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.h: Save a pointer to the event_alloc parameter in the plugin open function. That way we don't need to pass event_alloc around to the log client functions. [a8a47f3770b3] * lib/protobuf-c/protobuf-c.c: Fix regression with zero-length messages introduced in protobuf-c PR 500. [42062b9f75d5] 2022-06-08 Todd C. Miller * .hgtags: Added tag SUDO_1_9_11p1 for changeset 06b0f12fe91c [feb8ae553833] <1.9> * NEWS, config.h.in, configure, configure.ac: Merge sudo 1.9.11p1 from tip. [06b0f12fe91c] [SUDO_1_9_11p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.11p1 [7fcfdaacb15e] 2022-06-07 Todd C. Miller * src/exec_pty.c: Make read and write events persistent and disable as needed. For the read callback, disable reader when the buffer is full. For the write callback, disable writer when the buffer is consumed. [2b6953dc4224] * config.h.in, configure, configure.ac, src/sudo_exec.h, src/sudo_noexec.c: Check for SECCOMP_MODE_FILTER not SECCOMP_SET_MODE_FILTER. This matches the actual prctl() call we use. [4222768293d1] * Merge pull request #157 from 0x2b3bfa0/improve-tag-spec-ebnf-docs Improve Tag_Spec EBNF documentation [f528335aded5] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c: Treat EINTR in a callback like we do EAGAIN. We shouldn't get EINTR in practice since we set SA_RESTART when registering signal handlers but it doesn't hurt to be consistent. [acf3394e2df2] * Merge pull request #156 from delroth/aarch64-build exec_ptrace: fix missing sudo_pt_regs on aarch64 [a7062c609a96] 2022-06-07 Pierre Bourdon * src/exec_ptrace.h: exec_ptrace: fix missing sudo_pt_regs on aarch64 AArch64 already had an existing "user_pt_regs" struct and didn't need a struct alias before the renaming to "sudo_pt_regs". Make the code build again by adding the now missing alias. Fixes: 2eb8ff17 [3b55f40e9b83] 2022-06-07 Helio Machado <0x2b3bfa0+git@googlemail.com> * docs/sudoers.man.in, docs/sudoers.mdoc.in: Improve Tag_Spec EBNF documentation [7e23ec31d124] 2022-06-07 Todd C. Miller * Merge pull request #154 from 0x2b3bfa0/fix-tag-spec-docs Add missing colon in Tag_Spec documentation [ec8f4610b677] * Merge pull request #152 from particleflux/fix-sudoers-typo Fix typo in sudoers comment [bbbcff4c14ba] 2022-06-07 Helio Machado <0x2b3bfa0+git@googlemail.com> * docs/sudoers.man.in, docs/sudoers.mdoc.in: Add missing colon in Tag_Spec documentation [e6f4c612e22a] 2022-06-07 Stefan Linke * plugins/sudoers/sudoers.in: Fix typo in sudoers comment Fix a typo in the sudoers comment about `maxseq` param. Introduced by 906eb19ece47023c659b4b3db2e7a6bb57dff0d9 in 1.9.11. [b38fae41b3eb] 2022-06-06 Todd C. Miller * lib/protobuf-c/protobuf-c.c: Only shift unsigned values to avoid implementation-specific behavior. This converts the arithmetic shifts to logical shifts. [e25aa8e9891a] * lib/protobuf-c/protobuf-c.c: Fix issue protobuf-c#499: unsigned integer overflow Signed-off-by: 10054172 [f3637be4df4f] * include/sudo_event.h, lib/util/event_select.c: Fix building with select (not poll) when fd_set is not defined in sys/types.h. We can use a void * for the fd_set arrays and just add a cast when using the FD_SET macros. [5c636cbc11f0] * src/exec_pty.c: Reinstall the event handler if we get EAGAIN from read/write callback. The read and write events do not set SUDO_EV_PERSIST so we need to explicitly re-enable the event if there is still data to be read. Bug #963. [0006cb6531f4] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c: If write(2) returns EAGAIN just re-enter the event loop. This is consistent with how we handle EAGAIN for read(2). [e6478d917a0f] * .hgtags: Added tag SUDO_1_9_11 for changeset d495c99554f7 [74c59bc5c323] <1.9> * NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_init.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Merge sudo 1.9.11 from tip. [d495c99554f7] [SUDO_1_9_11] <1.9> * docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in: Document how setting ModulePath affects the Python search path. Also advise the user to use a unique prefix to avoid name space collisions with installed Python modules. Bug #1031. [68a9d50d7806] * configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in: Add EXAMPLES variables for use in the man pages for the examples directory. [148272d9a6d3] 2022-06-04 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po: Updated translations from translationproject.org [985902730e5b] * plugins/sudoers/po/hr.mo, po/hr.mo: Rebuild Croatian message catalog. [438136f65c13] 2022-06-03 Todd C. Miller * .gitignore, .hgignore: Add new test binaries to the ignore files. [ea9de2ded48d] * po/cs.mo, po/cs.po: Updated translations from translationproject.org [eac0aba546ed] * lib/protobuf-c/protobuf-c.c: Define WORDS_BIGENDIAN on big endian systems. Instead of a configure check, we use endian.h (or a fallback). [4d5603a9528c] * include/intercept.pb-c.h, include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c, scripts/unanon: Update to protobuf-c 1.4.0 [47ff9b8bab21] * logsrvd/logsrvd.c, plugins/sudoers/cvtsudoers_csv.c: Quiet two clang analyzer false positives. [2c878f7853cc] * src/exec_intercept.c: Move a comment to the correct location. [caacb3fae078] * logsrvd/logsrvd.c: union sockaddr_union: pass in sockaddr_union * instead of sockaddr *. This eliminates the need for a few casts and is consistent with how create_listener() is written. [4def05f8d895] * src/exec_ptrace.c: Eliminate some dead stores that clang-analyzer complains about. [3aac29fe0101] * src/exec_ptrace.c: ptrace_read_vec: don't try to free memory on the error path This is leftover from when ptrace_read_string() allocated its own memory. [7f5b5d21bce9] * config.h.in, configure, configure.ac, src/sudo_intercept.c: Avoid using vfork(2) in the DSO system(3) wrapper. Traditional vfork(2) semantics make it unsafe for use for more than just vfork(2) + execve(2). [9a8ce7aef55d] 2022-06-02 Todd C. Miller * po/vi.mo, po/vi.po: Updated translations from translationproject.org [e3197ef8a98d] * NEWS: Mention sudo_logsrvd.conf "log_server" parsing fix. [575a31b83bfd] * MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in: For logsrvd_conf_test include both tls and non-tls configs. [ec1815793aab] * MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/cacert.pem, logsrvd/regress/logsrvd_conf/logsrvd_cert.pem, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/regress/logsrvd_conf/logsrvd_dhparams.pem, logsrvd/regress/logsrvd_conf/logsrvd_key.pem, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in: Add a simple regression test for logsrvd.conf parser. Unlike the parser fuzzer, this includes sample certs and keys. This test would have detected the BIO_new_file() bug in set_dhparams(). [7ddabb9d022f] * logsrvd/logsrvd_conf.c: Fix inverted logic when setting server_log. A value that starts with a '/' should be treated as a path. [8941fd924fbf] * plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in: Use abs_top_builddir instead of `pwd`/$(top_builddir). [0f4e20a7aeed] 2022-06-01 Todd C. Miller * lib/util/regress/parse_gids/parse_gids_test.c: Plug a memory leak. [8a9eb498ed55] * plugins/sudoers/parse_ldif.c: Fix bug in last commit, need to reinitialize role to NULL. [1e454b967993] * plugins/sudoers/parse_ldif.c: Simplify the check for when we can reuse the previous user and host specs. This makes the code easier to read and quiets a cppcheck false positive. [037c4943f1ac] * docs/Makefile.in: Install the plugin man pages in section 5 (or 4 for System V). The manual had the correct section in the text but was installed in the wrong directory. [5df7d3f9a010] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/uk.mo, po/uk.po: Updated translations from translationproject.org [9ac84e5c9250] * NEWS: Sudo now supports intercepting system(3). [a46db96a3b03] 2022-05-31 Todd C. Miller * plugins/sudoers/log_client.c: Only display "unable to connect to log server" warning once. Previously, in intercept mode, if the log server is unreachable the message would be printed for each sub-command. [df4c53518bb7] * src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/sudo_exec.h: When using ptrace(2), push the point where we suspend into exec_cmnd(). This should reduce the amount of time the child has to wait for the parent to use PTRACE_SEIZE to seize control and then PTRACE_CONT to continue the child. [f9caab4bf18b] * config.h.in, configure, configure.ac, src/sudo_intercept.c: Add configure check for vfork(2) and fall back to fork(2) if missing. [ddfaba8d2a09] * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, src/intercept.exp.in, src/sudo_intercept.c: Add support for intercepting the system(3) function. This also means we can log system(3) with log_subcmds. [aca241d96c0b] * include/compat/endian.h: Newer compilers define __BYTE_ORDER__ and __ORDER_{BIG,LITTLE}_ENDIAN__ Also add riscv the little endian list. [55731e5517fc] 2022-05-29 Todd C. Miller * configure, configure.ac: On AIX, fmemopen(3) has a bug where feof() returns false at EOF. See https://www.ibm.com/support/pages/apar/IJ11845 [a703278bceed] 2022-05-27 Todd C. Miller * plugins/sudoers/defaults.c: Fix potential signed integer overflow on 32-bit CPUs. Converting fractional minutes to nanoseconds could overflow a 32-bit integer, use long long instead. [b1d2afc0cc4d] * plugins/sudoers/Makefile.in: Fix path to example sudoers file, it is now in the build dir. [899850a04adf] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: init_options: initialize apparmor_profile to NULL [ad0de9e0474f] * NEWS: Update with latest 1.9.11 changes. [12650d2b6184] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Fix typo [ce83f628330c] * docs/CONTRIBUTORS.md: Update contributors. [5b69f27ea398] * logsrvd/tls_init.c: Fix uninitialized use of ca_store when building with wolfSSL. [e7cc6d8d9f7e] * docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Newer Debian/Ubuntu uses libsepol-dev not libsepol1-dev. [b2c1326bfb0d] * configure, configure.ac, plugins/sudoers/def_data.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/toke.c, src/Makefile.in: Regenerate files after merging AppArmor integration. [d24fcec2cb87] * Merge pull request #148 from kernelmethod/apparmor_support Add AppArmor support to sudo [fcbfb2410afd] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h: Merge branch 'main' into apparmor_support [7832ecc5eb7f] 2022-05-26 Todd C. Miller * src/sudo_intercept.c: Pass envp, not environ, to real execve() from exec_wrapper() if possible. The replacement execve() function was passing the global environ to exec_wrapper() instead of the envp parameter. This caused the command to be run with the wrong environment on AIX systems, and possibly others, when intercept or log_subcmds was enabled. Bug #1030. [dc0187c68c1b] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.11 [b4c8ec57842f] * src/exec_ptrace.c: Consolidate some translatable strings. [05dae7c3c8da] * logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c, src/exec_intercept.c: Standardize protobuf "unable to unpack" warning messages. [6f4e026c7a02] * docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c: Bump plugin minor version and document new intercept-related settings. There should have been a minor version bump for sudo 1.9.8 when intercept was originally implemented. [2b7591704df4] 2022-05-25 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Reset intercept_allow_setid if intercept_type changes from trace to dso. But only reset intercept_allow_setid if the user didn't explicitly set it. [e398111d824e] 2022-05-24 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: CentOS Stream only uses a major version number, no minor version. This prevents the packages from being created as foo.el.arch.rpm since we were assuming that the version number was two digits. [a3caed91ea8c] * src/exec_ptrace.c, src/exec_ptrace.h: Add support for running o32 and n32 binaries on mips64. [887ab363f2a4] * src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h: Enable ptrace support for MIPS but only for log_subcmds. It is not possible to change the syscall return value on MIPS so we cannot support full intercept mode. Another complication on MIPS is that if a system call is invoked via syscall(__NR_###), v0 holds __NR_O32_Linux and the real syscall is in the first arg (a0) and other args are shifted by one. [0345a4137047] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_ptrace.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Add intercept_type sudoers option to set intercept/log_subcmds mechanism. [b97e461f7da1] 2022-05-23 kernelmethod * MANIFEST, include/sudo_debug.h, src/Makefile.in, src/apparmor.c, src/parse_args.c, src/sudo.c, src/sudo.h: Add an apparmor_profile sudo setting Define a new sudo setting, `apparmor_profile`, that can be used to pass in an AppArmor profile that should be used to confine commands. If apparmor_profile is specified, sudo will execute the command using the new `apparmor_execve` function, which confines the command under the provided profile before exec'ing it. [a54897efe031] * plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.l: Add an APPARMOR_PROFILE user spec option to sudoers sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g. alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL allows alice to run any command unconfined (i.e., without an AppArmor profile), while alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'. The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users. [2afe8c910959] * config.h.in, configure.ac, scripts/mkdep.pl, scripts/mkpkg: Add a --with-apparmor build flag Add a new build flag, --with-apparmor, that builds sudo with AppArmor support. Modify the build script for Debian and Ubuntu to enable this flag by default. [596b4e6dce4d] * INSTALL.md, docs/sudoers.man.in, docs/sudoers.mdoc.in: Add documentation for AppArmor support - Document the AppArmor userspec option in the sudoers man pages. - Add information about the --with-apparmor build configuration option to INSTALL.md. [524dde965b94] 2022-05-22 kernelmethod * docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add libapparmor-dev to the Debian and Ubuntu Dockerfiles Install libapparmor-dev on Debian- and Ubuntu-based Docker images so that they can build sudo with AppArmor support. [8491c8b6d240] 2022-05-19 Todd C. Miller * src/exec_nopty.c, src/exec_pty.c: Pass the WUNTRACED flag to waitpid() even if __WALL is present. Otherwise, we won't get the wait status of a suspended command that is not being traced. [7c2b46ec73be] * configure, configure.ac, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: Use explicit library dependencies instead of implicit. We now include all the dependent libraries when linking. Fixes a linking problem on CentOS Stream 9. [6f06cdbb1552] * plugins/sudoers/logging.c: mail_parse_errors: allocate the correct amount of space for mail body. Use strlen(), not sizeof(), on "problem parsing sudoers" since it is a tranlated string and not a constant. This was caught by the existing overflow checks. [5aa53136cd9d] 2022-05-18 Todd C. Miller * MANIFEST, src/Makefile.in, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c: Move code to suspend sudo when no pty is in use to separate file. Use this in test_ptrace.c to be able to suspend just like sudo does. [ddef421918b7] 2022-05-17 Todd C. Miller * src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h: Fix suspending a sudo-run shell in ptrace intercept mode with no pty. When ptracing a process, we receive the signal-delivery-stop signal before the group-stop signal. If sudo is running the command in the same terminal, we need to wait until the stop signal is actually delivered to the command before we can suspend sudo itself. If we suspend sudo before receiving the group-stop, the command will be restarted with PTRACE_LISTEN too late and will miss the SIGCONT from sudo. [bf9a482ecddd] * docs/TROUBLESHOOTING.md, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in: OpenSSL 3.x requires the key usage extension be present in CA and certs. Certificates generated with a CA that doesn't set the key usage extension will fail to validate if "tls_verify" is enabled. [3ae4ef1ecf57] * logsrvd/tls_init.c: Include the cert or ca file in error messages where applicable. [3e0558886a3d] * logsrvd/tls_init.c: Add missing include of string.h for strerror(3). [253a5634d441] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c: If ERR_reason_error_string() returns NULL, fall back on strerror(errno). That way we get reasonable error messages for missing files, etc. [d2423ef0e284] * logsrvd/tls_init.c: set_dhparams: pass BIO_new_file() "r" for the file mode, not O_RDONLY. Unlike BIO_new_fp(), BIO_new_file() takes an fopen-style mode string. [7a67aec88cb4] * src/exec_ptrace.c: The set_sc_arg3, get_sc_arg3 and set_sc_arg4 functions are not used. Use ifdef notyet to disable for now since they may be used in the future. [99d2f2a42da5] 2022-05-16 Todd C. Miller * src/exec_ptrace.h, src/sudo_exec.h: Use __x86_64__ preprocessor symbol, not __amd64__ Also clarify a comment about MIPS ptrace. [b02ad513eb64] * src/exec_ptrace.h, src/sudo_exec.h: ptrace support has been tested on Debian/s390x. It should also work on s390 but this has not been tested. I have not added a compat mode to trace 31-bit binaries on s390x due to the lack of a test system. [3176433e7456] * src/exec_ptrace.h: Define sudo_pt_regs instead of user_pt_regs and include the struct keyword. On s390, the struct is typedef'd without a name. [b2b74f378eef] * src/exec_ptrace.h, src/sudo_exec.h: ptrace support has been tested on Debian/riscv64. [e1011074d984] 2022-05-15 Todd C. Miller * plugins/sudoers/sudoers.in: Add maxseq setting to log_output example. This should make it more obvious that you need to adjust maxseq unless you have (virtually) unlimited disk space. [5203240a248b] * scripts/mkpkg: Fix dependency check for libssl on Debian/Ubuntu with OpenSSL 3. Also add check for python 3.10 and 3.11 and remove versions < 3.4. Fixes building on Ubuntu 22.04. [c9114582911c] 2022-05-14 Todd C. Miller * src/exec_ptrace.h: Tracing 32-bit arm binaries from a 64-bit sudo works. [c1e1602874ed] * src/exec_ptrace.c: ptrace_write_string: the terminating NUL fix was reverted by mistake. [587dd11b2783] * src/exec_ptrace.h, src/sudo_exec.h: ptrace-based intercept has now been tested on 32-bit arm [493b17a89e63] 2022-05-13 Todd C. Miller * src/exec_ptrace.h: Don't use PTRACE_SET_SYSCALL for 32-bit arm binaries running on aarch64. Use PTRACE_SETREGSET with NT_ARM_SYSTEM_CALL instead just like we would for a 64-bit binary. Newer Linux headers don't define PTRACE_SET_SYSCALL for aarch64. [5930846e9c9e] * src/regress/intercept/test_ptrace.c: Replace verbose flag with debug flag. This is more accurate since it actually uses the debug subsystem. [dda8b8af8bd2] * src/exec_ptrace.h: Initial cut at MIPS support, untested. Mips is a bit different in that most Linux distros appear to use the n32 ABI on 64-bit CPUs. We don't currently support tracing a 64-bit binary from a 32-bit sudo. We could suport tracing o32 ABI binaries in compat mode, though. [05e5e246463a] 2022-05-12 Todd C. Miller * src/regress/intercept/test_ptrace.c: Add have_seccomp_action("trap") call to check for SECCOMP_MODE_FILTER. [250c6b72c4f4] * src/exec_ptrace.c, src/exec_ptrace.h: Add arm-specific code to set the system call number. Fixes rejection of commands due to policy on arm when in intercept mode. [74c5bd26713b] * scripts/mkpkg: Fix OS major version detection on CentOS Stream [cd4d5aaf59a7] * src/exec_ptrace.c: Repair ptrace_write_vec() for compat binaries. [77ee302b0631] * src/regress/intercept/test_ptrace.c: Fix a crash when not run in verbose mode. [adf481623228] * src/exec_ptrace.c: ptrace_intercept_execve: read back the updated syscall args in test mode. This makes it easier to detect problems with the syscall rewrite code when testing with test_ptrace. [4eb9e09d90d9] 2022-05-11 Todd C. Miller * src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h: Enable ptrace intercept on powerpc. Tested on ppc64 and ppc64le. [fbd12baa1a02] * src/exec_ptrace.c: Fix tracing compat binaries on big endian systems. We need to swap the order of the two 32-bit addresses for big-endian. [375004a3ef09] * src/exec_ptrace.c: Move code to write a string vector to ptrace_write_vec(). [8401e0397f11] * src/exec_ptrace.c: Fix compilation error on systems with no compat arch. Currently only affects i386. [b95c707298c5] * MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h: Add test_ptrace program to test ptrace-based intercept support. [5f7162bcdbfd] * src/exec_ptrace.c: Use unsigned long for addresses so we don't have to worry about sign extension. [7a0d4ea2fa70] 2022-05-10 Todd C. Miller * src/exec_ptrace.c: ptrace_write_string: make sure we always write the terminating NUL. We can't check *str for NUL since it may not have been written yet. [9d95217981ac] * src/exec_ptrace.c: Fix compilation error when SECCOMP_AUDIT_ARCH_COMPAT is not defined. [3162054bac24] 2022-05-09 Todd C. Miller * src/exec_ptrace.c, src/exec_ptrace.h: It is now safe to make WORDALIGN use compat (not native) aligment. We allocate space for an extra pointer between argv and the string table for compat binaries so there is no need to align address to sizeof(long). [898626f1cdf6] * src/exec_ptrace.c, src/exec_ptrace.h: Use the entire word in ptrace_get_vec_len() and ptrace_read_vec(). For compat binaries, use the upper 32-bits as the next word instead of calling ptrace(2) to get it. This reduces the number of ptrace(2) calls when reading argv and envp for compat binaries. [cf5d1ae47dbe] 2022-05-07 Todd C. Miller * src/exec_ptrace.c: We don't need to align strings in the string table. We align the start of the string table to a word boundary to help prevent overlap when writing the pointers. However, the actual strings themselves don't need to be aligned. [219a1a07fc2e] 2022-05-06 Todd C. Miller * src/exec_ptrace.c: Avoid potentially overwriting string table when writing argv. In compat mode, if argc is odd, writing the last pointer of argv will overlap with the address of argv[0], so leave an extra word in between. Also remove incorrect comments about PTRACE_PEEKDATA unaligned access. [13f7e63a31bd] * src/exec_ptrace.c, src/exec_ptrace.h: Use native word size for padding and when reading/writing strings. If we try to use the compat word size we can end up in a situation where a subsequent PTRACE_POKEDATA overwrites part of what we've already written since it always writes in sizeof(long) units. [e0d7fdc3f8e2] 2022-05-05 Todd C. Miller * src/exec_ptrace.c: ptrace_intercept_execve: rewrite path to exec if changed by the policy [089f0e32cf2a] * src/exec_ptrace.c: ptrace_intercept_execve: plug memory leak of get_execve_info() buffer [5ce2cf252c80] * MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/exec_ptrace.h: Move register definitions to exec_ptrace.h [59cc9bec6925] * src/exec_ptrace.c: Add support for intercepting 32-bit binaries on 64-bit systems. We need to define the ptrace register struct ourselves for the 32-bit system since there is no good way to get it from the system headers. Currently only implemented for x86_64 and aarch64. [a0407bb1fee0] * src/exec_ptrace.c: Add setters and getters for ptrace(2) register access. This will be used when running 32-bit binaries from a 64-bit sudo. [f7da9453d9fa] * src/exec_ptrace.c: exec_ptrace_handled: don't return early if ptrace_intercept_execve() fails. We need to continue the traced process even if there is a fatal error. Otherwise, sudo will appear to hang as the running process is left in PTRACE_EVENT stop. [5b3bd75c4486] * src/exec_ptrace.c: Don't use PTRACE_GETREGS, it is too complicated when runing compat binaries. Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we manually map registers from 64-bit to 32-bit layouts when running, e.g. a 32-bit binary from a 64-bit sudo process. [bb3476230373] 2022-05-04 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2). [57e58c0ada44] 2022-05-03 Todd C. Miller * src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h: If the process is already being traced, just resume it and clear flags. This makes it possible to run sudo in ptrace intercept mode from within a shell (or other process) that is already being traced by sudo. [db4d7cd5f673] * src/exec_ptrace.c: exec_ptrace_handled: fix delivery of non-stop signals. We need to deliver signals to the tracee as long as it is not a group stop. Fixes a hang while tracing another sudo process. [4ede8b4cfbd9] * src/exec_nopty.c: Make SIGCHLD handler more consistent with the pty version. No real change other than a few debug statements. [bd52284b1e2a] * plugins/sudoers/parse.c: sudoers_lookup_check: preserve intercepted flag when reinitializing cmnd_info Otherwise we may not reject an attempt to run a set-user- ID command. [43d72d1537b2] * src/exec_nopty.c, src/exec_pty.c: Kill the command if intercept_setup() or ptrace_seize() fail. [1037f81b327b] 2022-05-02 Todd C. Miller * plugins/sudoers/match_command.c: Move intercept setid check out of do_stat() and into its own function. For command_matches_all() we should only perform the setid check if the file exists and intercept is enabled. Otherwise, we can end up returning an error if the fully-qualified command does not exist. Fixes a regression introduced in sudo 1.9.0 with the support for digests in conjunction with "sudo ALL". [1b5f9ed2160a] * src/exec_ptrace.c: Add support for intercepting x32 binaries on Linux x64_64. [c5fc89f38c43] 2022-04-29 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.9.11 [d3e832f94348] * plugins/sudoers/auth/kerb5.c, src/exec_ptrace.c: Fix typos [8ef3e84fc62e] * MANIFEST, docs/CONTRIBUTORS.md, po/ka.mo, po/ka.po: New Georgian translation from translationproject.org [f6b9c7d2192c] * src/exec_ptrace.c: Short-circuit the policy check if the command doesn't exist. Otherwise, both sudo and the shell will report the error. [f16f1b6705d9] * src/exec_ptrace.c: Add support for replacing argv in ptrace intecept mode. The new argv is written below the tracee's stack and the system call argument is replaced with the new argv address. [3974c784be8b] * src/exec_ptrace.c: Check architecture in the seccomp filter. Currently only supports the native architecture. [13f88e436ae0] * src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_ptrace.c: Suspend the child process and wait for SIGUSR when using ptrace. This fixes a race condition in ptrace-based intercept mode when running the command in a pty. It was possible for the monitor to receive SIGCHLD when the command sent itself SIGSTOP before the main sudo process did. [cf1f0bea9931] * plugins/sudoers/parse.c, src/exec.c, src/selinux.c, src/sudo.h: Enable intercept and log_subcmds for SELinux using ptrace and seccomp. [5d7a3df4457e] * src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c, src/sudo.c, src/sudo.h: For ptrace intercept mode, do not do a policy check for the initial command. We can skip the policy check for the execve(2) of the initial command since it has already been check. Otherwise, we would log the command twice. When using fexecve(2) due to a digest check, there should be no need to skip the initial command since it will be executed via execveat(2) not execve(2). However, on older kernels without execveat(2), glibc will emulate fexecve(2) using /proc which will result in the extra log entry. [e411d6bc3855] * docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in: Update intercept documentation. [f44f1cb2a5d2] * src/exec_intercept.c, src/exec_ptrace.c: In ptrace(2) intercept mode, add execveat to the seccomp(2) filter. This allows us to avoid logging the initial command twice regardless of whether the kernel supports execveat(2) or not. [d39bd5adac13] * src/exec_ptrace.c: Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it. This has a better chance of working on things like user-mode Linux. [c53475bd4020] * MANIFEST, src/Makefile.in, src/exec_intercept.c, src/exec_intercept.h, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h: Check the policy for ptrace-based intercept mode. [6eadd667ca6d] * src/exec_ptrace.c: Add support for getting the execve(2) arguments via ptrace(2). This will be used to perform a policy check in intercept mode. [84b23ae53e2f] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h: Add scaffolding for ptrace-based intercept mode. [34a6269ac4eb] * include/sudo_compat.h, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Stop using the WCONTINUED flag with waitpid(2). We don't use it for anything other than a debug message and it will cause problems when intercept mode starts using ptrace(2). [1f55993d68eb] * src/exec_nopty.c, src/exec_pty.c: Handle multiple child processes in the SIGCHLD handler. This is required by the uncoming ptrace intercept code. [6dd72fb8f53f] 2022-04-24 Todd C. Miller * logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/sudoers/log_client.c: sudo_logsrvd: update elapsed time for winsize and suspend in journal mode Fixes a bug in store-first relay mode where the commit point messages sent by the server were incorrect. [5607e8c7b559] 2022-04-23 Todd C. Miller * docs/visudo.man.in, docs/visudo.mdoc.in: Fix typo; GitHub issue #144 [fb1a539569b4] 2022-04-20 Todd C. Miller * docs/TROUBLESHOOTING.md: Expand section about expired accounts to include /etc/shadow info. GitHub issue #143 [78368dadddfb] * src/exec_monitor.c: Add struct command details * to struct monitor_closure. This will be used in the future by the ptrace intercept code. [0603acf1ff96] * src/exec.c: Translate "unable to set limit privileges" strings. [a8426e224497] * ABOUT-NLS, MANIFEST, docs/CONTRIBUTING.md: Remove ABOUT-NLS file, it is no longer maintained as part of GNU gettext. Expand the Translations section in CONTRIBUTING.md. [b4f0269a8f13] * src/exec.c, src/exec_intercept.c: Don't require a pty for intercept or log_subcmmds. The code to take back control of the tty before a policy check doesn't appear to be needed. If the command is run in its own pty, sudo has control over the user's tty. If the command is run in the user's tty, sudo should be in the foreground process group. [bddcc0d9fee6] 2022-04-19 Todd C. Miller * config.h.in, configure, configure.ac: Define _TIME_BITS=64 on systems that define __TIMESIZE, like GNU libc. This should be replaced by a specialized autoconf macro when one becomes available. [f63b7f9ea5c2] 2022-04-11 Todd C. Miller * plugins/python/regress/testdata/check_example_group_plugin_is_able_t o_debug.log, plugins/python/regress/testhelpers.c: clean_output: prune lines that consisting of '^' characters and whitespace. Starting with Python 3.11, backtraces may contain a line with '^' characters to bring attention to the important part of the line. Also replace "REJECT" with "0" in backtrace output for Python 3.11. [f6a5d1c05b2b] 2022-04-04 Todd C. Miller * configure, configure.ac: Fix check for EVP_MD_CTX_new() when -pthread is in Libs.private. [4f3fd0d1fd34] 2022-04-01 Todd C. Miller * configure, configure.ac, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS [92aa57606481] * INSTALL.md: Mention other hardening compilation and linker options. [7da9cf428e39] 2022-03-31 Todd C. Miller * configure, configure.ac: Fix check for EVP_MD_CTX_new using static libcrypto with dependencies. [c02d6b6e474c] * configure, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4, scripts/ltmain.sh: Update to libtool 2.4.7. [b8824f6b792c] 2022-03-30 Todd C. Miller * configure, configure.ac: --enable-openssl: don't add non-existent directories to PKG_CONFIG_LIBDIR [daa9cab172da] 2022-03-29 Todd C. Miller * scripts/mkpkg: Fix a typo in the AIX section. [4d122a222632] 2022-03-28 Todd C. Miller * lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/zlib.exp, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: Update embedded copy of zlib to version 1.2.12. Fixes CVE-2018-25032 [3e2517079d86] 2022-03-16 Todd C. Miller * plugins/sudoers/auth/kerb5.c: Minor style nit. [9bdde2c81a3d] * Merge pull request #138 from dfskoll/main If we're using Kerberos, don't overwrite a custom prompt [266b04c9ee0a] 2022-03-16 Dianne Skoll * plugins/sudoers/auth/kerb5.c: If we're using Kerberos, don't overwrite a custom prompt if one was given with -p Thanks to @thend20 for testing this patch. [e62136f88c3e] 2022-03-15 Todd C. Miller * src/conversation.c: Write the \r\n pair to ttyfp if possible, falling back on fp. This is consistent with the vfprintf() call and fixes a problem introduced by the last commit where the newline could be written before the message instead of after. [3aaebbec4ee5] * include/sudo_util.h, plugins/sudoers/regress/starttime/check_starttime.c: Adjust starttime test when run under Debian faketime. Bug #1026 [b8ac7dec6e11] 2022-03-14 Todd C. Miller * src/conversation.c: sudo_conversation_printf: convert trailing nl to cr + nl combo. This fixes output when the terminal is in raw mode and is consistent with how sudo_conversation() behaves. [e377f2a71021] * lib/eventlog/eventlog.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/tgetpass.c: Block SIGCHLD when forking the mailer. Otherwise, it may be picked up by the signal handler instead of our waitpid(2) call. Don't warn if waitpid() returns 0 in a SIGCHLD handler. [e34a3f90de5b] * plugins/sudoers/sudoers.c: Do not warn, log or send mail for errors when reinitializing defaults. If there is a problem, we would have already warned, logged or mailed it. The one exception is the initial defaults, which should never fail. [0d273f4d307d] * plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c: If there are multiple parse errors, send them in a single mail message. [5de37ad1101f] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Unset LANGUAGE when running tests, otherwise it may override LC_ALL. Bug #1025. [87573102f25b] 2022-03-11 Todd C. Miller * plugins/sudoers/visudo.c: Looser owner/permission checks for an uninstalled sudoers file. We don't check the owner or permissions on a sudoers file that is specified as an argument to visudo by default. However, the owner and mode of files included via @includedir were still checked. This commit makes the owner and permissions checks for filed included via @includedir follow the same as for the original sudoers file. [db78857306d4] * lib/util/regress/getdelim/getdelim_test.c: getdelim_test: increase longstr to check end pointer after realloc This would have caught the recent bug in our getdelim replacement when run under address-sanitizer or valgrind. [6559a42a3205] * plugins/sudoers/check_aliases.c: Add missing va_start/va_end around call to sudoers_error_hook(). Coverity CID 250885 [49d026ba67b2] * lib/util/getdelim.c: Correctly update the end pointer when we expand the buffer. From Robert Manner. [99617ae8332d] 2022-03-10 Todd C. Miller * lib/util/secure_path.c: sudo_secure_path: pass the struct stat * argument directly to stat(2) Set the pointer to a struct stat on the stack if st is NULL. Avoids a needless memcpy() at the end. [11636745ce29] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Fix off-by-one when storing line number in userspec. We store the line number *after* parsing the newline so we need to subtract one. [40d6521a966e] * lib/eventlog/eventlog.c: For alert messages, the command or runuser may not be set. This fixes the logging of parse errors when JSON logging is enabled. [cfde228ef422] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Pass file, line and column to sudoers defaults callbacks. [04a26b1a224c] * plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Add a hook for sudoers parse errors (including defaults and aliases). The hook can be used to log parser errors (sudoers module) or keep track of which files have an error (visudo). Previously, we only kept track of a single parse error. [601915bb6265] 2022-03-09 Todd C. Miller * plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Add a source to struct sudo_nss and use it if getdefs() fails. Also remove useless "Problem with defaults entries" warning in testsudoers. [f9ba65e975a0] 2022-03-08 Todd C. Miller * lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/getgrouplist/getgrouplist_test.c: Plug a few test memory leaks now that they return from main(). [dc4db97a1d57] 2022-03-06 Todd C. Miller * lib/eventlog/regress/logwrap/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c: Remove extra newline in sudo_warnx() calls. [3366401671fc] * plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Preserve the column and error message when there is a syntax error. This information is now included in the error mail sent to root. [a224b006bfb3] * plugins/python/python_plugin_common.c: Deinit python subinterpreters in reverse order (last to first). This appears to work around a crash on OpenBSD with Python 3.9.10. [ad4d7b33da9b] 2022-03-03 Todd C. Miller * .hgtags: Added tag SUDO_1_9_10 for changeset 3557db693da4 [edcb9bf4d4c3] <1.9> * NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, plugins/sudoers/regress/fuzz/fuzz_policy.c: Merge sudo 1.9.10 from tip. [3557db693da4] [SUDO_1_9_10] <1.9> * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: For 'make check-verbose' run fuzzers with -verbose=1 This is the default for libFuzzer but not for the stub fuzzer lib. [7f2551a87c08] 2022-03-02 Todd C. Miller * INSTALL.md: INSTALL.md: Mention "make check" and "make check-verbose" [17a30e329ba7] * scripts/generate_test_coverage.sh: Repair generate_test_coverage.sh after move to scripts directory. [ffef93da0436] * Makefile.in, docs/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add check-verbose Makefile target that runs tests in verbose mode. [929d079dbfc7] * lib/eventlog/regress/logwrap/check_wrap.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgids.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c: Add -v option parsing to regress tests, currently a no-op. This will be used by a "check-verbose" target in the future. [9cdcc23e6a70] 2022-03-01 Todd C. Miller * plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.h: Less verbose output unless the -v option is used. Also display a test summary at the end. [b18a8f6526e9] * src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c: verbose flag is boolean, not int [8663ac48be27] * configure.ac: Update copyright year. [461698b72a64] * plugins/sudoers/Makefile.in, src/Makefile.in: Regenerate dependencies. [f007ec225986] * MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/regress/closefrom/closefrom_test.c: Add sudo_closefrom() regression test. [14f4439a8437] * NEWS, config.h.in, configure, configure.ac, lib/util/closefrom.c: Use close_range(2) in closefrom() emulation if available. On Linux, prefer our own closefrom() emulation since the glibc version may fail if /proc is not present and close_range() is not supported. On FreeBSD, closefrom(3) will either call the closefrom or close_range system call, depending on which is available. [d84eff07783f] * configure, configure.ac: Repair --enable-pvs-studio on Linux. [add3c7fff7f5] * configure, configure.ac: Mention apple radar 3710161 in the comment about broken macOS poll(2). [ffb6c8c070dc] 2022-02-28 Todd C. Miller * src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c: Only display test totals unless run in verbose mode. [f543b41f226e] * lib/util/regress/harness.in, plugins/sudoers/regress/harness.in: Allow test harness to be run from any directory. Also add missing copyright notice. [5e60bc5beb52] * lib/util/regress/harness.in: Adapt test harness for lib/util and move to regress directory. [f415d958bca7] * .gitignore, .hgignore, MANIFEST, configure, configure.ac, lib/util/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in, plugins/sudoers/regress/harness.in: Adapt test harness for lib/util and move to regress directory. [5f488712f797] * lib/fuzzstub/fuzzstub.c: Make fuzzer stub main() quiet by default. LLVM LibFuzzer displays the input and running time by default but we don't care about that for the stub fuzzer library. [728005c2de78] * .gitignore, .hgignore, MANIFEST, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in: Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script. It is easier to maintain these tests in script form. The output now more closely matches that of the other tests. The harness script can be invoked directly and supports running specific tests. [fbad6e93201e] 2022-02-27 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po: Updated translations from translationproject.org [b2622a56fcbc] 2022-02-25 Todd C. Miller * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: sudo_regex_compile_v1 stub: set errstr on error [2da61535e60d] * logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: fuzz_logsrvd_conf: add stub version of sudo_regex_compile_v1(). We want to fuzz our parser, not the libc regular expression code. [2662a181acc8] * plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh: testsudoers/test18: don't rely on /usr/bin/w being present Fixes a test failure on Alpine Linux. [5b3915cef32b] 2022-02-24 Todd C. Miller * configure, configure.ac: Add configure check for gzclearerr() when using system zlib. [388dd60cd577] * configure, configure.ac: Fix PVS-Studio platform check for macOS. [cc46ae5d60a3] * plugins/sudoers/ldap.c: sudo_ldap_parse_options: fix memory leak of sudoRole cn string. Coverity CID 249976 [bcf86c362e05] * src/sudo_intercept_common.c: command_allowed: plug memory leak on strdup() failure. Coverity CID 249972 [f15a58ed68d6] 2022-02-23 Todd C. Miller * plugins/sudoers/check.c: display_lecture: just return if callback is NULL [3e7352fbc28b] * lib/eventlog/eventlog.c: For alert messages it is possible for evlog to be NULL. Coverity CID 238641 [3e89523699fd] * logsrvd/logsrv_util.c: iolog_seekto: initialize struct timing_closure before using. Coverity CID 249977 [ea53680a2367] * logsrvd/iolog_writer.c: iolog_rewrite: initialize struct timing_closure before using. Coverity CID 249971 [d214237f3ce8] * scripts/mkpkg: Allow ARCH_FLAGS to be overridden and handle macOS 12. [f04f3405fa50] * scripts/mkpkg: Prefer if [ ... ]; then over if test ...; then. [4ba3e6ed7280] * .circleci/config.yml: Do not build with -Werror on macOS. Some macOS warnings are bogus, for instance it has an incorrect getgrouplist(3) definition. [7e5f469cb0ec] * .circleci/config.yml: Build and test macos with circleci. [fc62dc986646] 2022-02-22 Todd C. Miller * NEWS: Mention lecture behavior change. [cc034a54eb11] * lib/iolog/regress/iolog_filter/check_iolog_filter.c: Fix compilation on systems without a real openat(2). [25067ad6772b] * plugins/sudoers/match_digest.c: Better warning message when the digest in sudoers is the wrong length. [c2043906f356] * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set. [fd3d5706ffda] 2022-02-21 Todd C. Miller * plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/timestamp.c: Display the lecture immediately before prompting for a password. This means we no longer display the lecture unless the user is going to enter a password. Authentication methods that don't interact with the user via the terminal don't trigger the lecture. [17ef981664c3] * NEWS, plugins/sudoers/logging.c: Add back warning when a user is not allowed to run a command. Previously, the warning was displayed when a user was not in the sudoers file, or was present but not listed for the local host. The new behavior is to display the warning if a command is denied and mail is sent to the administrator. Whether or not mail is sent is controlled by the "mail_*" flags in sudoers. The warning text is now "This incident has been reported to the administrator." which is hopefully less confusing. The message will not be printed if either the "mailto" or "mailerpath" sudoers settings are disabled. [dcaeadb7e558] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Document that negating mailto or mailerpath disables sending mail. [02d8aabd9af3] * TODO: Remove obsolete TODO file. [98e112abab92] 2022-02-20 Todd C. Miller * plugins/sudoers/logging.c: Don't try to send mail if mailto not set or the mailer is not present. [37166e692a9c] 2022-02-18 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [194b42011062] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_filter/test1/log, lib/iolog/regress/iolog_filter/test1/timing, lib/iolog/regress/iolog_filter/test1/ttyin, lib/iolog/regress/iolog_filter/test1/ttyin.filtered, lib/iolog/regress/iolog_filter/test1/ttyout, lib/iolog/regress/iolog_filter/test2/log, lib/iolog/regress/iolog_filter/test2/timing, lib/iolog/regress/iolog_filter/test2/ttyin, lib/iolog/regress/iolog_filter/test2/ttyin.filtered, lib/iolog/regress/iolog_filter/test2/ttyout, lib/iolog/regress/iolog_filter/test3/log, lib/iolog/regress/iolog_filter/test3/timing, lib/iolog/regress/iolog_filter/test3/ttyin, lib/iolog/regress/iolog_filter/test3/ttyin.filtered, lib/iolog/regress/iolog_filter/test3/ttyout: Add tests for iolog filtering. This is the functionality used by the log_passwords and passprompt_regex options. [07e587dfd765] * lib/iolog/iolog_filter.c: iolog_pwfilt_run: apply regex on ttyout even if we disabled filtering. The heuristic used to decide when to disable filtering is when we see another ttyout buffer or find a cr or nl in the ttyin buffer. However, we should also check the buffer that caused us to disable filtering for a matching regex that would re-enable filtering. Programs that prompt for a password twice might otherwise not have the second password filtered. [f34bf167c3b4] 2022-02-16 Todd C. Miller * INSTALL.md, README.LDAP.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo_logsrvd.conf.in: Avoid using "note that" and "note: " in documentation. [d75995c86fe0] * INSTALL.md, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS.md, docs/SECURITY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Remove "please" from the documentation, it is considered bad style. [9c4a7bc1b48c] * docs/UPGRADE.md: Mention regular expressions and "sudo -l -U user" behavior change. [9bf947ed3e30] * docs/sudoers.man.in, docs/sudoers.mdoc.in: Add security notes about regular expressions in sudoers rules. [1748e3a05906] * NEWS: Update NEWS for GitHub issue #134. [c69636554901] 2022-02-15 Todd C. Miller * lib/eventlog/eventlog.c: do_logfile_sudo: plug memory leak of full_line Coverity CID 249329 [d1d2bc51077a] * plugins/sudoers/logging.c: log_server_alert: plug potential memory leak Coverity CID 249328 [4d01a8e7dffb] * plugins/sudoers/logging.c: fmt_authfail_message: compute the exact amount of space needed. Instead of truncating on overflow, warn and return NULL. [96542ddc9674] * plugins/sudoers/parse.c: Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326 [23249273cd01] 2022-02-14 Todd C. Miller * docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/parse.c, plugins/sudoers/policy.c: Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134 [e2b4f8400599] 2022-02-13 Todd C. Miller * NEWS: Reword some of the NEWS items for 1.9.10. [b2d757e7889c] 2022-02-12 Todd C. Miller * docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, lib/util/regex.c, po/sudo.pot: Limit regular expressions to 1024 characters each. Avoids a problem with the fuzzer creating large regular expressions that blow up the glibc regcomp(). [83b1cac11c79] 2022-02-11 Todd C. Miller * .gitignore, .hgignore, MANIFEST, configure, configure.ac, examples/Makefile.in, examples/sudo.conf.in, examples/syslog.conf, examples/syslog.conf.in: Substitute values in the example syslog.conf too. Also update ignore files for example changes [b13a7e6a630c] * MANIFEST, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/Makefile.in, examples/sudo_logsrvd.conf, examples/sudo_logsrvd.conf.in, examples/sudoers, examples/sudoers.in: Substitute paths set by configure in examples. Bug #1023 [f528fe7a8f88] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update Project-Id-Version to 1.9.10. [0ad7934baa9f] * plugins/sudoers/po/sudoers.pot: Update .pot files for 1.9.10 [c7a477455e2e] * NEWS, configure, configure.ac: Sudo 1.9.10 [b437c4c37971] * MANIFEST, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/iolog/iolog_filter.c, lib/util/Makefile.in, lib/util/regex.c, lib/util/util.exp.in, plugins/sudoers/defaults.c, plugins/sudoers/match_command.c, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Add helper function to compile a regex that supports (?i). [d680d423d2df] 2022-02-10 Todd C. Miller * MANIFEST, configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/sudoers, plugins/sudoers/fmtsudoers.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/regress/sudoers/test29.in, plugins/sudoers/regress/sudoers/test29.json.ok, plugins/sudoers/regress/sudoers/test29.ldif.ok, plugins/sudoers/regress/sudoers/test29.out.ok, plugins/sudoers/regress/sudoers/test29.toke.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Add support for matching command and args using regular expressions. Either the command, its arguments or both may be (separate) regular expressions. [bef0b1a14771] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Clear sudoers_errstr after it is used. This way we avoid printing the same error message more than once if there are multiple ERROR tokens returned from the lexer. [8a7509cd1c46] * logsrvd/logsrvd_local.c: store_iobuf_local: fix potential double free on the error path. [f9a0e3cb3c7f] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Update links to sudo web site and reference markdown docs. [da9a9eb04f04] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Use a 4n indent for code blocks instead of the default 6n. [7322dd26a3d4] * plugins/sudoers/testsudoers.c: testsudoers: disable argument permutation in GNU getopt This makes it easier to test commands with arguments. [fb005b03a75e] * lib/iolog/iolog_filter.c: iolog_pwfilt_run: fix types in error return [663deea257d0] * lib/iolog/iolog_filter.c, plugins/sudoers/iolog.c: Free potential leaks of passprompt_regex_handle. Coverity CID 249057 [d562ea42ab66] 2022-02-09 Todd C. Miller * Merge pull request #133 from Dzejrou/main Do not unset user timeout when no default timeout is set. [58504381014e] 2022-02-09 Jaroslav Jindrak * plugins/sudoers/policy.c: Do not unset user timeout when no default timeout is set. [25f32be7d18d] 2022-02-08 Todd C. Miller * plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test2.in, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test2.toke.ok: Don't escape double quotes (") in a command when printing it. Previously, cvtsudoers and "sudo -l" would escape double quotes in a command or command line argument, which is not valid sudoers syntax. [3bd0505b03e2] * docs/sudoers.man.in, docs/sudoers.mdoc.in: A few minor (mostly cosmetic) fixes. Add missing ALL to Runas_Member and Host. Replace some tabs with spaces. Fix the syntax of a sudoedit example. [a943116eb35b] 2022-02-04 Todd C. Miller * Merge pull request #132 from ninedotnine/patch-1 Sync example sudoers with default sudoers [8c903452e624] 2022-02-04 dan soucy * examples/sudoers: Sync example sudoers with default sudoers `sudoers.in` was changed by 1d13533 [f34657ff9345] 2022-02-04 Todd C. Miller * ABOUT-NLS, INSTALL.md, NEWS, README.LDAP.md, docs/CONTRIBUTING.md, plugins/sudoers/po/README, po/README: Upgrade http links to https where possible and fix some broken links. [e33d61fdafdb] 2022-02-03 Todd C. Miller * plugins/sudoers/logging.c: Remove "This incident will be reported." from user warnings. This used to indicate that email had been sent to the administrator telling them that someone tried to run sudo. Whether or not sudo sends email is now configurable, so the warning may not be accurate. It is also confusing to the user since they will not know who the incident is being reported to. See also https://xkcd.com/838/ [b2860bb51393] * plugins/sudoers/sssd.c: Log fn_get_values() return code in the debug log on error. Also move a nested switch() statement out of 'case 0' for improved readability. [ad609804a70c] * plugins/sudoers/sssd.c: Do not return an error if we cannot connect to the SSSD connector. This may simply mean that nsswitch.conf lists sss as a sudoers source but SSSD is not configured for sudo. Otherwise, the user will receive a useless "problem with defaults entries" when the sssd backend tries to fetch the global defaults. Bug #1022. [60bb147ed3e6] * plugins/sudoers/log_client.c, plugins/sudoers/logging.c: Set client_closure to NULL after freeing it. [20da8f0c9226] * plugins/sudoers/log_client.c: client_closure_alloc: init write_bufs/free_bufs before other allocations. We must initialize the tail queues before any possible call to client_closure_free(), such as due to malloc() failure. [5dd7d1ba2b76] * logsrvd/logsrvd_journal.c: Add missing default return in last commit. [e17820ba6ff8] * logsrvd/logsrvd_journal.c: sudo_logsrvd: make sure journal exists before writing the alert message. Fixes a potential NULL dereference when journaling an alert message. [19d109fb1420] * include/sudo_compat.h: Fix compilation on Debian kFreeBSD. The configure script correctly detects that utimensat() and futimens() are missing but the headers define stub versions of the functions. Including sys/stat.h pulls in the system definitions so we can override them safely. Bug #1021. [10775e14164a] 2022-02-02 Todd C. Miller * src/ttyname.c: Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid. If the /proc file indicates no terminal is present there is no fallback. Bug #1020 [c32620c9f115] 2022-02-01 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add sudoers option to perform authentication even in non-interative mode. If noninteractive_auth is set, authentication methods that do not require input from the user's terminal may proceed. It is off by default, which restores the pre-1.9.9 behavior of "sudo -n". [f06dcd0957d0] * MANIFEST, lib/iolog/iolog_filter.c, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.7: Work around a glibc regcomp() bug with repeated '+' operators. Glibc regcomp() has a bug where it uses excessive memory for repeated '+' ops. Collapse them to avoid running the fuzzer out of memory. [db423326311f] * logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6: Rebase seed corpus on updated sudo_logsrvd.conf example. [1f30b95c6ce6] * logsrvd/logsrvd_conf.c: Fix parsing of "retry_interval" in the relay section. The setting was present but the callback was missing so it could not be parsed in the conf file. [09666425a392] * logsrvd/logsrvd_conf.c: Use TIME_T_MAX as the upper limit when parsing timeouts. [989eaa812d4e] * plugins/sudoers/auth/pam.c: converse: don't set response pointer on error Linux pam_conv(3) says not to set the pointer on PAM_CONV_ERR. [79934c8631c0] 2022-01-31 Todd C. Miller * MANIFEST, plugins/sudoers/regress/cvtsudoers/sudoers4: Add missing sudoers4 test file for new cvtsudoers test. [5b9f3084d9e9] * MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test38.out.ok, plugins/sudoers/regress/cvtsudoers/test38.sh: defaults_check_conflict: it is only really a conflict if the binding match If the Defaults name matched but the binding does not, we can simply leave it be. Fixes a problem where given two sudoers sources that have a host specified, if they contain conflicting Defaults entries we would drop one of the Defaults instead of keeping both after making them host-specific. [9b8ad3d1e163] * MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test37.out.ok, plugins/sudoers/regress/cvtsudoers/test37.sh: Make it possible to merge a host-based Defaults with a global one. We convert the global Defaults to a host-based one with a single "ALL" member. Later, when we simplify the host list, we'll convert this back to a global Defaults. [152c16a608c1] 2022-01-29 Todd C. Miller * logsrvd/logsrvd_conf.c: Check for garbage after [section] in sudo_logsrvd.conf. [46a222b60747] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict: Sync fuzzing dictionary with current configuration keyword list. [9af3929a2f6a] 2022-01-28 Todd C. Miller * docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c: Add new log_passwords and passprompt_regex settings. When logging terminal input, if log_passwords is false and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with '*' characters until a newline or carriage return is found in the input or an output character is received. [1d07eaada99c] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/serialize_list.c, plugins/sudoers/sudoers.h, plugins/sudoers/unesc_str.c: Escape/unescape commas when serializing/deserializing a stringlist. [17c422c0b236] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Pass the operator to the Defaults callback too. That way we can tell what to do in callbacks for lists. [d541809b62bf] * MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_filter.c: lib/iolog: add support for filtering password out of tty input If a password regex is found in the tty output, tty input will be replaced with '*' chars until a newline or another tty output character is received. [19c3a58dfe29] * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Add a new sudoers settings log_passwords and passprompt_regex. When logging terminal input, if log_passwords is disabled and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with '*' characters until a newline or carriage return is found in the input or an output character is received. [5fa969cfdef4] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Add a flag to avoid splitting list entries on white space. [32ac4cd5eae7] 2022-01-27 Todd C. Miller * .hgtags: Added tag SUDO_1_9_9 for changeset 296f4f986a7a [cba838829505] <1.9> * NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_init.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Merge sudo 1.9.9 from tip. [296f4f986a7a] [SUDO_1_9_9] <1.9> * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: "plain text" -> "plaintext" for consistency. [6cbefac27286] 2022-01-25 Todd C. Miller * po/ro.mo, po/ro.po: Updated translations from translationproject.org [c264de490846] * INSTALL.configure: Sync with autoconf git. [efd6e2df1b4f] * scripts/mkdep.pl: Fix potential infinite loop when trying to format long lines. [e17a3b7b657b] 2022-01-20 Todd C. Miller * docs/sudo.man.in, docs/sudo.mdoc.in: Document how commands are passed to the shell for the -i and -s options. The concatenation of command and arguments and escaping of special characters was not documented. Text adapted from GitHub issue #121 from Kris Rinzwind [852f803234af] * docs/TROUBLESHOOTING.md: Also mention no_new_privs error in the troubleshooting guide. [70cc0679098f] * INSTALL.md, docs/TROUBLESHOOTING.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in: Replace uid and gid with user-ID and group-ID in more places. [2b6bc95509fd] 2022-01-19 Todd C. Miller * INSTALL.md: PAM is enabled on NetBSD by default too. [3bc31511f687] * INSTALL.md, README.LDAP.md, docs/HISTORY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md: Use the Oxford comma consistently, it is helpful in technical documents. [3df4b26d035e] * docs/sudo.man.in, docs/sudo.mdoc.in: Document the error message when no_new_privs is set. [492a154dec10] * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in: Sudo now recovers from sudoers syntax errors. [77d457c4e722] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, examples/sudo_logsrvd.conf: Use the Oxford comma consistently, it is helpful in technical documents. [e8d29c772963] * INSTALL.md: Mention docker configuration. [8312350518cb] * plugins/sudoers/ldap_util.c: Quiet a cppcheck false positive. [023468af3269] * docs/CONTRIBUTING.md: Mention https://www.sudo.ws/security/fuzzing/ in the fuzzing section. [87767f7b89ad] * plugins/sudoers/sssd.c: Fix logic inversion when setting negated flag. [3e4051bc9f30] * src/sudo.c: Quiet a PVS-Studio format string warning. [77e953f3c46f] 2022-01-18 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Regen .pot files. [b999972bc90d] * NEWS: Bug #1016, #1017 and negated sudoUser in LDAP. [4ec54e728437] * plugins/sudoers/defaults.c: Don't set/run early Defaults if a custom defaults_list is specified. Defaults settings passed in by the front end are already "early" so there is no need to treat any of them as special. Otherwise, we end up running the early defaults callbacks before sudoers has been parsed. This means that, for instance, it is not possible to disable the fqdn flag before its callback is run if sudo is build with the --with-fqdn option. Bug #1016. [8c6eaa503793] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Mark is_early_default(), run_early_defaults(), set_early_default() static. They are not used outside of defaults.c. [1045e8c7a92e] * plugins/sudoers/sssd.c: Add support in SSSD for negated users. [bca3d02cdd8b] * docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: Add support in the LDAP filter for negated users. Based on a diff from Simon Lees [e1d48d44229e] 2022-01-12 Todd C. Miller * lib/util/mkdir_parents.c: Use PATH_MAX, not NAME_MAX+1 for the directory entry length. On some systems, such as Solaris, the max length of a directory entry is filesystem-dependent. We could use fpathconf() and dynamically allocate the name but it is simpler to just use PATH_MAX here. [d1a097783717] * plugins/python/python_plugin_common.c: Only emulate Py_FinalizeEx for Python 3.[0-5]. [b314942c0f2f] * lib/util/getcwd.c, lib/util/mkdir_parents.c: Use POSIX NAME_MAX, not the obsolete MAXNAMLEN define. Fixes compilation with musl libc. [a1609b2d968f] 2022-01-11 Todd C. Miller * src/limits.c: When applying fallback limits, make sure we don't reduce rlim_max. Fixes a problem where sudo could reduce the max stack size on some systems if the original limit was higher than the fallback limit, but not unlimited/infinity. [1fef77204f17] * src/limits.c: Don't modify the stack limit if it is >= SUDO_STACK_MIN. [b9e473780083] * plugins/sudoers/Makefile.in: The pre-install target requires visudo, add an explicit dependency. [b5b073d2fc9b] 2022-01-09 Todd C. Miller * src/sudo.c: If sudo is not set-user-ID root, check for the no_new_privs flag on Linux. This flag disables set-user-ID at execve(2) time and may be set by default for some containers. GitHub issue #129. [462249058274] 2022-01-08 Todd C. Miller * docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c: Add pam_askpass_service sudoers setting for "sudo -A". This makes it possible to use a different PAM configuration for when "sudo -A" is used. The main use case is to only use PAM modules that can interact with the askpass program. GitHub issue #112. [5f59bc3f9d81] 2022-01-07 Todd C. Miller * lib/iolog/iolog_loginfo.c: Improve debugging info when fdopen() fails. [0d9711d8564a] 2022-01-06 Todd C. Miller * plugins/sudoers/sssd.c: sss_sudo_free_values() checks for NULL, no need to do it manually. [ccf012907a01] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Quiet a clang analyzer false positive. [90b6791616b0] 2022-01-05 Todd C. Miller * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Quiet a clang analyzer false positive. [3c66e9be5f24] * plugins/sudoers/auth/sudo_auth.c: Fix return value for non-interactive mode for non-standalone auth methods. AUTH_NONINTERACTIVE was being stored in the wrong variable. [199a180e7fab] * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, po/fi.mo, po/fi.po, po/ko.mo, po/ko.po, po/tr.mo, po/tr.po: Updated translations from translationproject.org [032877650fe6] * plugins/sudoers/cvtsudoers_merge.c: defaults_var_matches() should return bool, not enum match_result. Remove enum match_result as it is no longer used. [6559769ddcd1] * plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c: Quiet two PVS-studio warnings. [3a7c89cff3d6] * plugins/sudoers/auth/pam.c: Remove PAM_TTY workaround for old, buggy PAM modules. In the past, some PAM modules assumed that PAM_TTY was set and would misbehave (or crash) if not. This was primarily obsolete versions of Linux- PAM, so it should now be safe to remove this. Setting PAM_TTY to an empty string can cause its own set of issues. GitHub issue #74 [491cb67ea43b] 2022-01-04 Todd C. Miller * NEWS: Mention fix for Bug #956 and GitHub issue #83. [8692b9985381] * plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.h: Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83 [bc9653ffe82f] 2022-01-03 Todd C. Miller * plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok: userspec_overridden: fix checks when there is more than one userspec [199996d29f50] * MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh: Fix merging of global/ALL entries when each input file has a host. If a host is specified for the input file, cvtsudoers will bind global Defaults to that host and change host "ALL" in a userspec to the host name. However, if all the input files have matching hosts we can simplify the merged file by converting back to ALL after resolving conflicts. [bfdb2edfca71] * LICENSE.md: Welcome to 2022. [039e8c0efd7e] * docs/Makefile.in: LICENSE.md moved to the top-level src dir. [b1c2687eef9d] 2021-12-22 Todd C. Miller * Merge pull request #127 from Tyler887/main Typo [c4780c2a3056] 2021-12-22 Tyler887 * INSTALL.md: Typo [b650bec9f275] 2021-12-22 Todd C. Miller * NEWS, docs/UPGRADE.md, plugins/sudoers/policy.c, src/selinux.c, src/sudo.c: Back out changes to enable SELinux by default. This may return in a future release in a different form. [73e46fbe5c27] * LICENSE.md, MANIFEST, README.md, docs/LICENSE.md: Move LICENSE.md out of docs and back to the top-level. GitHub expects it to be in the top-level directory. [3c62dd396aff] 2021-12-20 Todd C. Miller * MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh: cvtsudoers: fix a regression when merging matching Defaults. If a host is specified with a sudoers file, we have to treat Defaults as Defaults@host checking for duplicates. [9db413953938] 2021-12-18 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: add_defaults: add defs == NULL check to quiet coverity false positive [a534eee04069] 2021-12-17 Todd C. Miller * plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh: When merging Defaults, allow a subsequent global Defaults (no binding) to override a prior Defaults setting with a binding. [0be52fa6d4d8] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: add_defaults: defs can never be NULL [9ba97823b757] * plugins/sudoers/cvtsudoers_merge.c: Plug memory leak when making a default host-specific. We don't need to allocate new space for the binding list, just the members of the list. [5667d09136f2] 2021-12-16 Todd C. Miller * MANIFEST, examples/Makefile.in, examples/cvtsudoers.conf: Add an example cvtsudoers.conf file. [aa738148e712] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h: Add group_file, match_local, and passwd_file to cvtsudoers.conf. Previously, these were only settable via command line options. [a7a8b0af3c42] 2021-12-12 Todd C. Miller * docs/TROUBLESHOOTING.md: Remove question about running Solaris 11 binaries on Solaris 10. Current versions of sudo use many APIs that are not present on Solaris 10. If you want a sudo Solaris 10 binary, build it on Solaris 10, not 11. [0346a46cf595] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh: Add simple test for cvtsudoers merge functionality. [fda86b17249a] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [edfdaac9b1e7] * MANIFEST, plugins/sudoers/po/es.mo, plugins/sudoers/po/es.po: Add sudoers Spanish translation from translationproject.org [502d45c0af5f] 2021-12-11 Todd C. Miller * NEWS: Bugs #1013 and #1014 [1a7b533c5829] * lib/util/mkdir_parents.c: sudo_mkdir_parents: make sure the path we created is a directory For extra paranoia, verify that the directory we created is still a directory before we fchown() it. [75c23aaa9fca] * docs/sudo.man.in, docs/sudo.mdoc.in: In SECURITY NOTES, clarify that PATH may be overridden by the policy. Bug #1014 [4f7035d6b921] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/mkdir_parents.c, lib/util/mkdirat.c, logsrvd/logsrvd.c, plugins/sudoers/timestamp.c, scripts/mkdep.pl: Avoid TOCTOU in sudo_mkdir_parents() using openat(2) and mkdirat(2). This also allows us to make path const as it should be. [46db77e4afb8] * plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h: Sudo parsed "deref" and "tls_reqcert" in ldap.conf but didn't set the options. The switch() in the sudo_ldap_set_options_table() function needed to be updated to treat CONF_DEREF_VAL and CONF_REQCERT_VAL data types as int. Fix from Dennis Filder. Bug #1013. [5f5bdf9010d7] 2021-12-10 Todd C. Miller * docs/SECURITY.md: Minor formatting tweak so we can import into the sudo web site. [220c647b6635] * plugins/sudoers/defaults.c, plugins/sudoers/pwutil_impl.c: Fix CodeQL "Multiplication result converted to larger type" warnings. [a17db0b94018] 2021-12-09 Todd C. Miller * docs/SECURITY.md: Surround email addresses with angle brackets, not square backets. [b9514c0165f2] 2021-12-08 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/fa.mo, po/fa.po, po/fi.mo, po/fi.po, po/ja.mo, po/ja.po, po/sr.mo, po/sr.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [b2815226875b] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.9 [e4e903808160] 2021-12-06 Todd C. Miller * README.LDAP.md, docs/CONTRIBUTING.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md: Minor formatting tweaks. [eee91b1fc68c] 2021-12-05 Todd C. Miller * INSTALL, INSTALL.md, MANIFEST, README, README.LDAP, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS, docs/CONTRIBUTORS.md, docs/HISTORY, docs/HISTORY.md, docs/LICENSE, docs/LICENSE.md, docs/Makefile.in, docs/TROUBLESHOOTING, docs/TROUBLESHOOTING.md, docs/UPGRADE, docs/UPGRADE.md, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Convert README and docs files to markdown. This makes things look better on GitHub and we can use the markdown version directly in the new sudo web site. [1cdcbce74a73] 2021-12-04 Todd C. Miller * docs/SECURITY.md: Policy -> Disclosure Policy [13f278869e03] * Merge pull request #124 from juspence/main Allow sudo -g anyone and sudo -u anyone -g anytwo [1a000f5aaba1] 2021-12-04 juspence <87657842+juspence@users.noreply.github.com> * plugins/sudoers/sudoers.in: Allow sudo -g anyone and sudo -u anyone -g anytwo When only the user (ALL) is specified explicitly, and the group is implied, only sudo -u works. Specifying both the user and group, like (ALL:ALL), is required to: 1) Use sudo -g by itself (with no -u user) 2) Use sudo -u and -g together, with a -g group that is different from the -u user's primary group [ca31aaa0b074] 2021-12-02 Todd C. Miller * lib/util/Makefile.in: Add build dir to include search path for mksiglist.h and mksigname.h Fixes out of tree builds on systems without sys_siglist[] or sys_signame[]. GitHub issue #123. [fccd76813052] 2021-11-29 Todd C. Miller * MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3: cvtsudoers: better merging of lists that are not exact duplicates When merging rules, if one list would be overridden by another, remove the overridden rule and continue merging. [19dc52bd9c6f] 2021-11-28 Todd C. Miller * NEWS: Update NEWS with latest changes. [fafe74e0b20f] 2021-11-27 Todd C. Miller * src/edit_open.c: dir_is_writable: don't treat EPERM from faccessat() as a fatal error. We can get EPERM on Linux with SELinux. GitHub issue #122. [25bbc56b2f6d] 2021-11-24 Todd C. Miller * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c: cvtsudoers: add -l option to log merge actions The "-l logfile" option can be used to store a log of what actions cvtsudoers took when merging multiple files. For example, which aliases were renamed, which entries were overriden or removed as duplicated. [fa96976882aa] * NEWS, configure, configure.ac: Sudo 1.9.9 [dad415a982bc] 2021-11-21 Todd C. Miller * MANIFEST, docs/CONTRIBUTORS, po/fa.mo, po/fa.po: New Persian (Farsi) translation from translationproject.org [3665533a7219] 2021-11-20 Todd C. Miller * plugins/sudoers/cvtsudoers_csv.c: Quiet a PVS Studio warning. The warning that need_comma is always false is correct but in this case it is better to use a consistent construct so that if the code is re-ordered no bugs are introduced. [5109a34444f5] * lib/util/getentropy.c: Pass correct size to free_zero(). Coverity CID 241233 [2ba51f57deb5] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/defaults.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c: Add reference counting to Defaults bindings. Previously, we checked that the previous entry's binding pointer was not the same while freeing. However, to be able to merge Defaults records we cannot rely on Defaults entries with the same binding being immediately adjacent. This removes the prev_binding checks in favor of a reference count which allows us to plug the memory leak in cvtsudoers when merging Defaults. [0a789516622b] 2021-11-19 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/parse.h: cvtsudoers: merge aliases when multiple sudoers files are specified Duplicate aliases are remove. If there are conflicting alias names, the conflicts are renamed by appending a numerical suffix. For example, if there are two SERVERS Host_Aliases, the second one will be renamed to SERVERS_1. [d9b602626b8c] * plugins/sudoers/cvtsudoers_merge.c: cvtsudoers: merge Defaults when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the Defaults setting host-specific, if possible. Duplicate Defaults settings are removed and conflicts are warned about. It is not possible to resolve all conflicts automatically. [756b05304ccb] * plugins/sudoers/cvtsudoers_merge.c: cvtsudoers: merge userspecs when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the userspec host-specific, if possible. Duplicate userspecs are removed but conflicting entries are not currently pruned. [643b533bb4f4] * docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in: Document how to merge sudoers files with cvtsudoers. [241c3786f5a8] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c: init_parse_tree() now takes ownership of lhost and shost, if any. This means that lhost and shost in struct sudoers_parse_tree are no longer const and that free_parse_tree() will free lhost/shost. The only consumer that passed in lho.st/shost was the SSSD back-end which has been updated to avoid a double-free. [650bb75666fb] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_merge.c: cvtsudoers: use init_parse_tree() to initialize a parse tree. Also free the parse tree before exit. [9d8f8bb88192] * MANIFEST, Makefile.in, etc/macos-background.png, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Add a background image for the macOS installer. [39889307b278] * scripts/pp: Update PolyPkg [44b1d08be1b0] 2021-11-18 Todd C. Miller * scripts/mkpkg: mkpkg: handle a macOS SDK that just uses the major version. For example, MacOSX11.sdk instead of MacOSX11.3.sdk. [ce41fc5aa672] * lib/util/Makefile.in: Add missing dependencies for timegm. [b20c4936504b] 2021-11-16 Todd C. Miller * plugins/sudoers/cvtsudoers.c: Add support for specifying the hostname as a prefix to the sudoers file. If present, the host name is copied into the struct sudoers_parse_tree. [e87e11cccb6e] 2021-11-11 Todd C. Miller * plugins/sudoers/cvtsudoers.c: cvtsudoers: parse multiple sudoers files and store them in a tail queue In the future the parsed files will be merged before they are output. [89c77b3f4157] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Add sudoers_parse_tree_list, a tail queue of struct sudoers_parse_tree. This will be used to store multiple parse trees and merge them into a single sudoers_parse_tree. [073ada18f18b] * docs/CONTRIBUTING.md: Fix formatting of links. [df50208b3f70] * MANIFEST, docs/CONTRIBUTING.md: Add contributing guide. [a99f3a0757f6] * .github/workflows/codeql-analysis.yml: Create codeql-analysis.yml [efab25dab29c] 2021-11-10 Todd C. Miller * MANIFEST, docs/SECURITY.md: Add security doc, inspired by the Microsoft template. [0a8012f8ee35] * .gitignore, .hgignore, INSTALL, MANIFEST, Makefile.in, README, configure, configure.ac, doc/CONTRIBUTORS, doc/HISTORY, doc/LICENSE, doc/Makefile.in, doc/TROUBLESHOOTING, doc/UPGRADE, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/fixman.sh, doc/fixmdoc.sed, doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/schema.olcSudo, doc/sudo.conf.man.in, doc/sudo.conf.man.in.sed, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.man.in.sed, doc/sudo.mdoc.in, doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, docs/CONTRIBUTORS, docs/HISTORY, docs/LICENSE, docs/Makefile.in, docs/TROUBLESHOOTING, docs/UPGRADE, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/fixman.sh, docs/fixmdoc.sed, docs/schema.ActiveDirectory, docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo, docs/sudo.conf.man.in, docs/sudo.conf.man.in.sed, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.man.in.sed, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.man.in.sed, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, etc/codespell.skip: Rename "doc" directory to "docs" for better GitHub compatibility. [1268c3ae0916] * lib/util/Makefile.in: Use $(SED), not sed, when generating mksiglist.h/mksigname.h [7a7b636a3f32] * configure, configure.ac, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: Add configure check for sha1sum and use "openssh dgst -sha1" if missing. Only needed when building the seed corpus zip files. [3c74ceba0446] * include/sudo_compat.h: sudo_compat.h: include unistd.h regardless of OS type This helps to avoid issues with mismatched headers and libraries. [4a22435a2832] 2021-11-09 Todd C. Miller * plugins/sudoers/visudo.c: install_sudoers: fix return value when there is no temp file to install This can happen when no changes were made. Also preserve the edited temp file on error if we are unable to move it into place. [01c1052ac874] * plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout: Bump plugin version in test data to 1.18. [138b9f6a6143] * plugins/sudoers/defaults.c: free_defs_val: free rlimits like strings (which they are). [ade32de829cb] * plugins/sudoers/visudo.c: Rename {check,set}_perms variable to {check,set}_mode. Avoids a name clash with the set_perms() function. [a2dfa0d36690] * src/edit_open.c: Avoid symbol name clash with is_writable() function variable. Rename "is_writable" variable to "writable". [a52bd106933b] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document new resource limit settings. [022e51bff860] * doc/UPGRADE: Mention that the core dump size resource limit now defaults to 0. [22997e8008c9] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec.c: Document resource limit support in command_info[] and Bump plugin API minor. This is supported beginning with sudo 1.9.9 and plugin API 1.17. [2004a71a11b3] 2021-11-08 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/defaults.c, src/limits.c: Use strtoul() on systems without strtoull(). We can assume that systems without strtoull() have 32-bit resource limits. [59c1be5a0387] * src/exec.c, src/limits.c, src/sudo.c, src/sudo.h: Add front-end support for setting resouce limits. The special value "user" means preserve the invoking user's limit. The value "default" means don't override the default limit for the user as assigned by the system (PAM, loging.conf, userdb, etc). [7ad6961d5d72] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c: Add basic support for setting resource limits in sudoers. The default for rlimit_core is "0,0" Resource limits are passed back to the front-end in command_info[] when set. [298d5e228635] * src/edit_open.c: switch_user_nonfatal: only define if using faccessat() [1a6b2c0240f5] 2021-11-06 Todd C. Miller * doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c: visudo: add -O and -P options to check/set owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007 [1f20721148b0] 2021-11-05 Todd C. Miller * doc/UPGRADE: UPGRADE: mention SELinux behavior change. [0b8cef633225] * src/selinux.c, src/sudo.h, src/sudo_edit.c: Rename selinux_setcon -> selinux_setexeccon [50bde2e4d922] * src/selinux.c: In the SELinux role is "unconfined_r", disable SELinux support. We only want to apply SELinux to confined users. This is a bit of a hack as unconfined_r is specific to the targeted policy. [aaa8ee97f31e] * src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: Separate out the code to compute the context from selinux_setup(). This makes it possible to determine whether we really need to execute the command via the sesh helper. What was left of selinux_setup() is now selinux_relabel_tty() and selinux_audit_role_change(). [687a81e59fdd] * plugins/sudoers/policy.c, src/selinux.c, src/sudo.c: Pass status of selinux sudoers setting to front-end as selinux-rbac. The front-end uses this to decide whether or not to enable SELinux. If selinux-rbac is true _or_ if it is not present and selinux_role or selinux_type are set, SELinux support is enabled. Previously, SELinux support was only enabled if a role was specified. [2f21ae08ebbd] * src/edit_open.c: dir_is_writable: add fallback if changing UIDs fails The SELinux policy may not allow uid/gid changes which will break the writability checks and cause sudoedit to fail. [5c5928a0c314] 2021-11-04 Todd C. Miller * scripts/mkpkg: Build python package on Fedora [7261434fc60c] 2021-11-01 Todd C. Miller * src/selinux.c: Make get_exec_context static, it is unused outside selinux.c. [be59f91e53dd] * doc/sudo.conf.mdoc.in: Fix lint warning: skipping paragraph macro: Pp before Bd [f84297a652d8] 2021-10-31 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: Escape some minus signs ('-') as required by newer groff. [4a1a2d6d5c19] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/timegm.c, plugins/sudoers/Makefile.in, plugins/sudoers/gentime.c, plugins/sudoers/gmtoff.c, plugins/sudoers/parse.h, scripts/mkdep.pl: parse_gentime: use timegm() to generate time since the epoch The timegm() function is non-standard but widely available. Provide an implementation for those systems that lack it. Bug #1006 [3ca20dfdb44c] * include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl: Fix pasto in gmtime_r and localtime_r macros. Also add missing Makefile targets for them. [2310e188fdd4] * plugins/sudoers/gmtoff.c: Take daylight saving time into consideration when computing offset. Otherwise, the resulting time may be off by and hour, depending on whether DST is currently active compared to the target time. [20c60fe8e8fc] 2021-10-29 Todd C. Miller * scripts/mkpkg: Back out f2d82771e7dd, arm64e on macOS is still in preview state. Until arm64e on macOS is finalized, continue to build arm64 packages. [6c3bbd6ffc3a] 2021-10-27 Todd C. Miller * scripts/mkpkg: Build arm64e ABI binaries on macOS 11 and above. We originally used arm64 here but the correct ABI is arm64e. The arm64 arch will be removed in a future release. [f2d82771e7dd] * logsrvd/logsrvd_local.c: Use iolog_openat() when opening the log.json file in the I/O log dir. [9041b20b8d01] 2021-10-26 Todd C. Miller * logsrvd/tls_init.c: Use BIO_new_file() not BIO_new_fd() to read dhparams file. Older versions of OpenSSL and wolfSSL lack BIO_new_fd(). Also explicitly include openssl/bio.h and openssl/dh.h for wolfSSL. [8338f58d5ba0] * INSTALL, config.h.in, configure, configure.ac: wolfSSL not WolfSSL [4ee7f96ef87c] * .circleci/config.yml: Add wolfSSL variant to continuous integration tests. [dbbab23e069c] * docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add libwolfssl-dev to Debian and Ubuntu Dockerfiles Fedora does not appear to have an official wolfssl package. [12c0feaa0ebb] * doc/sudoers.man.in, doc/sudoers.mdoc.in: White space in an include file path supported by sudo 1.9.1 or higher. [9a22034de181] 2021-10-25 Todd C. Miller * INSTALL, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/iolog/hostcheck.c, lib/util/digest_openssl.c, lib/util/getentropy.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h: Add support for WolfSSL's OpenSSL compatibility layer. Based on changes from Hayden Roche [568557ecb77b] * lib/util/Makefile.in, plugins/sudoers/Makefile.in: regenerate dependencies [d36bf7724e49] * logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h: Move include of log_server.pb-c.h into logsrvd.h and sendlog.h This way there is no include file order issue with the PROTOBUF_C_VERSION_NUMBER check. [23678487ffaf] * docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add pkg-config to all Dockerfile [63457bb84c4d] 2021-10-24 Todd C. Miller * logsrvd/tls_init.c: Use SSL_FILETYPE_PEM with SSL_CTX_use_PrivateKey_file, not X509_FILETYPE_PEM While they are defined to the same value in OpenSSL one should not rely on this. [1a1557931dbf] 2021-10-23 Todd C. Miller * configure, configure.ac: Fix setting _PATH_ASAN_LIB, need to double up the square brackets. [98143164620a] * logsrvd/sendlog.c: sudo_sendlog: send runenv, rungid and runuid from log.json too With this change, sudo_sendlog can now round-trip sudo-style I/O logs that use the newer log.json format without losing any information. [d9d3dad6cca3] 2021-10-22 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/arc4random.c: arc4random: need to include sys/random.h on Solaris too. This was removed when Linux genentropy() was disabled. [18ea9b386950] 2021-10-21 Todd C. Miller * lib/iolog/hostcheck.c, lib/util/inet_ntop.c, logsrvd/logsrv_util.h, plugins/sudoers/log_client.h: Make sure INET_ADDRSTRLEN and INET6_ADDRSTRLEN are defined. [e347465e0a05] * plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Only include log_client.h if SUDOERS_LOG_CLIENT is defined. [c318f74cf2a8] * Merge pull request #118 from larb0b/main Define MAP_FAILED where relevant if undefined [74f3e9f1a1f4] 2021-10-21 Larkin Nickle * lib/util/getentropy.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/snprintf.c: Define MAP_FAILED where relevant if undefined On systems such as HP-UX 10.20, MAP_FAILED is not defined. [9f4976caa567] 2021-10-20 Todd C. Miller * configure, m4/libtool.m4: Improve macOS version detection to support macOS 11 and simplify legacy logic From Jeremy Huddleston Sequoia [f09b45ab460a] * logsrvd/sendlog.c: sudo_sendlog: send multiple I/O log records together if possible Try to fill the write buffer and then send to the server instead of sending records one at a time. [0b084cd75d64] * logsrvd/sendlog.c, logsrvd/sendlog.h: sudo_sendlog: support multiple write buffers like sudo_logsrvd [a46b88eff200] * configure, configure.ac, lib/util/Makefile.in: Always link libsudo_util.so with libcrypto.so if using OpenSSL. We may need to use RAND_bytes() in the getentropy() emulation. [9c805a008d76] * config.h.in, configure, configure.ac, lib/util/getentropy.c, plugins/sudoers/boottime.c: Add an explicit check for sys/sysctl.h. This test needs to be done after AC_LANG_WERROR to avoid including sys/sysctl.h on systems where it is marked as deprecated via a #warning directive. [d9f1f97b0f37] * config.h.in, configure, configure.ac, lib/util/arc4random.c: Use our own getentropy() by default on Linux. The glibc getentropy() emulation will fail on older kernels that don't support getrandom(). Also use sudo_fatal() instead of sending SIGKILL on getentropy() failure. GitHub issue #117. [1ca9d10ff780] * lib/util/getentropy.c: Use the OpenSSL RAND_bytes() function if getrandom() fails. [5f82f6d2ea36] * lib/util/Makefile.in, lib/util/arc4random_buf.c, scripts/mkdep.pl: Fix compilation of standalone arc4random_buf(). Apparently this code was never compiled anywhere. [a66c68c3a976] * lib/util/uuid.c: sudo_uuid_create: no longer need a union for the uuid. [a9277bf0078c] 2021-10-19 Todd C. Miller * lib/eventlog/eventlog_free.c: eventlog_free: free signal_name too [1da686483f2a] * lib/iolog/regress/fuzz/fuzz_iolog_json.dict: Add new log.json keywords [f4a30fc6c4ed] * lib/iolog/regress/fuzz/fuzz_iolog_json.c: fuzz_iolog_json: initialize exit_value to -1 [bac9826b95a1] * logsrvd/logsrvd.c: Fix potential use-after-free when calling iolog_flush_all(). We need to call iolog_flush_all() _before_ scheduling the commit point. If we fail to schedule to commit point, the closure will be freed. Coverity CID 220557 [364736f15a06] * logsrvd/sendlog.c: sendlog: use runargv from log.json if available [88a0f4d7bb94] * logsrvd/sendlog.c: sudo_sendlog: send exit data in eventlog if present [fdacc0f68c56] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c: No longer need to pass exit params to eventlog_exit(), use struct eventlog. Now that struct eventlog includes the exit parameters we can simplify how eventlog_exit() is called. [8580c0e8334d] * include/sudo_eventlog.h, lib/iolog/iolog_json.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c: Read command run_time, signal and exit_value from I/O log log.json file. [05223c4cca0c] * logsrvd/logsrvd_local.c: Log the command run-time and exit status in the I/O log. [8b02b373f79b] * lib/eventlog/eventlog.c: format_json: fix pasto when setting dumped_core boolean [ca11285c088a] 2021-10-18 Todd C. Miller * lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c: Handle a missing run_time in an ExitMessage. It is now possible to pass a NULL run_time to eventlog_exit(). [f3e989682931] 2021-10-16 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c: No need to flush logs before commit point if we flush after each write. Also document that logs are flushed before sending a commit point even when flushing is disabled. [50323241569d] 2021-10-15 Todd C. Miller * MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_flush.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h: Flush I/O logs before we send a commit point. The commit point message means we have written the data to disk so we should not be buffering it any longer. We do not currently fsync(2) the data after flushing, perhaps we should. [5233172b7531] * logsrvd/logsrv_util.c: Do not treat a resume point of [0, 0] as an error. If the connecton is interrupted before sudo sends back a commit_point message, resuming at [0, 0] is correct. Also add a warning on unexpected EOF parsing the timing file. [105f29878ad7] 2021-10-11 Todd C. Miller * plugins/sudoers/sudoers.c: Display a more helpful message if the user tries to run "sudo cd". Since "cd" is a shell built-in command it cannot be run directly via sudo. The user either needs to spawn a shell via "sudo -s" or use the -D option to run a command in a specific directory. [4d45797dfb11] * configure, configure.ac: Don't install sudoers.a when configured with --enable-static- sudoers. We already avoid installing it when --disable-shared-util is specified. [0d2022bc07cb] 2021-10-10 Todd C. Miller * scripts/mkpkg: mkpkg: preserve make exit value on exit Fixes a problem where the exit value from mkpkg was 0 even on error. [0d0f15bf10cf] * plugins/sudoers/cvtsudoers_csv.c: Fix typos in SELinux and Solaris priv support. [16b9a1459f1d] * MANIFEST, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c: cvtsudoers: initial support for CSV output For CSV output we double quotes strings that contain commas. For each literal double quote character present inside the string, two double quotes are output. [8f7763b74563] * lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: regenerate dependencies [09d11b5c7d41] * docker/README, etc/codespell.ignore: Fix typo and avoid a codespell false positive. [81a365b29c3c] 2021-10-08 Todd C. Miller * .circleci/config.yml: Add build-nointercept and test-nointercept [d39877327ccc] 2021-10-07 Todd C. Miller * .circleci/config.yml: circleci: test multiple build options We now do separate builds with LDAP/SSSD enabled, logsrv client/server disabled, and static-sudoers enabled. [4d8a9b45156c] * configure, configure.ac, plugins/sudoers/Makefile.in: Fix fuzzer build with when --enable-static-sudoers is used. This introduces a sudoers-specific version of LT_STATIC instead of appending the --tag=disable-shared to SUDOERS_LDFLAGS. I've also removed the -static flag as it should not be needed. [864a2fd4e3f7] 2021-10-05 Todd C. Miller * docker/README: Mention --security-opt=seccomp=unconfined workaround for bleeding edge. May be needed for Fedora rawhide and Ubuntu testing, among others. [a465fdb0a7de] * configure, configure.ac: Try to handle the case where libasan.so is a linker script. Fixes check_noexec with ASAN on Fedora where libasan.so just includes the actual library file. [f96d1d0cea53] * .circleci/config.yml, docker/README, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile: Enable address and undefined behavior sanitizers in CI builds. We need to disable leak sanitizer during "make check" because it uses ptrace which is not allowed for unprivileged containers. [9378e3856a60] 2021-10-04 Todd C. Miller * .circleci/config.yml: Switch to Ubuntu latest for circleci build. [1270ca1ba47d] * .circleci/config.yml, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Add build user for circleci instead of running as root. [27dcb5218cb2] * .circleci/config.yml, MANIFEST, docker/README, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile: Use circleci for continuous integegration. Build container descriptions are in the new docker directory. [d5b5b16b0624] 2021-10-03 Todd C. Miller * .gitignore, .hgignore: Update ignore file. [7fe8afa88e96] 2021-10-01 Todd C. Miller * plugins/sudoers/sudoreplay.c: Sync "sudo -l" output with normal sudo log format. It now prints runchroot and runcwd (falling back on cwd). As a result, submithost is now printed first, matching sudo. Also avoid printing NULL pointers and skip entries that don't have at least command, submituser and runuser set. [0d6b96ec88a1] * lib/iolog/iolog_json.c: iolog_parse_json_object: optimize for large argv [5fa1929189a3] 2021-09-29 Todd C. Miller * configure, configure.ac: Add "-fcf-protection" to SSP_CFLAGS and SSP_LDFLAGS if supported. Can be disabled via --disable-hardening. [589507ecadf4] * configure, configure.ac: Add "-z now" to hardened link options if supported. Can be disabled via --disable-hardening. [11ff1d86440b] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: find_editor: remove the env_error argument There is no case where we should fail to find an editor just because the values of EDITOR, VISUAL and SUDO_EDITOR are unavailable. Both sudoedit and the "env_editor" sudoers setting are documented as falling back on the hard-coded list of editors in the "editors" sudoers setting. Bug #1000 [caa529a0cab6] * plugins/sudoers/check_aliases.c: Use sudo_printf(SUDO_CONV_ERROR_MSG) instead of fprintf(stderr). Avoids extraneous output in the fuzzer. [981d3abd96c7] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Stub out sudo_printf() and avoid other use of stderr in fuzzers. This makes it possible to parse sudoers without using quiet mode, resulting in better coverage. [3215cad4174f] 2021-09-28 Todd C. Miller * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Use a consistent version of fuzz_conversation() with all fuzzers. Also undo a change to fuzz_sudoers.c that snuck in to the last commit. [8a94b06302b7] * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Fuzzers should not produce output. Excessive output makes the fuzzer runs much less efficient. [b9c485009c0f] * logsrvd/logsrv_util.c: expand_buf: fix conditional for when we need to preserve existing data It is possible for the buffer offset to be zero when the length is non-zero. The proper value to use is the same as is used for the memcpy/memmove size. Fixes buffer corruption caused by a very long command line that usually results in a dropped connection. [59a4319b3463] 2021-09-27 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/closefrom.c: Emulate closefrom() on macOS using proc_pidinfo(). This avoids relying on /dev/fd which may not exist in a chroot jail. Adapted from a change in OpenSSH by likan_999.student AT sina.com [2e86d4150ce5] 2021-09-26 Todd C. Miller * src/edit_open.c: Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure. FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP. This is only used to present the user with a more appropriate error message. [ca5499c8c40f] 2021-09-24 Todd C. Miller * plugins/sudoers/cvtsudoers.c: Fix typo in last commit, use boolean AND not bitwise. [685bd5d9ce6f] * doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Add the ability to filter/match by command via the -m option. For example "cvtsudoers -m cmd=/bin/ls" would only display entries that would allow /bin/ls to be allowed or denied. [3534a0170c59] 2021-09-23 Todd C. Miller * doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/pwutil.c: Add --group-file and --passwd-file options to cvtsudoers. These are based on the code in testsudoers. [3286dd5dd0bf] 2021-09-22 Todd C. Miller * lib/util/mkdir_parents.c: Move cppcheck suppression annotation to where it needs to be. [17d601bc91f3] * lib/util/mksigname.c: format string fix: print signal number as unsigned. Quiets a cppcheck warning; mksiglist.c already has this fixed. [a28b72dceec4] * plugins/sudoers/ldap_util.c: Fix memory leak on error path if snprintf() overflows. Coverity CID 188804 [73872d2e2cd0] 2021-09-21 Todd C. Miller * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c: Avoid reinitializing other auth methods. [af0495460943] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: expand_include: add bounds checking when expanding %h escape. [3c0ca1f0d4e5] * plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Check snprintf() return values even if we preallocated the correct amount. There are no remaining unchecked snprintf() that can actually overflow. [0eaf1d4daa84] * include/sudo_iolog.h, lib/iolog/iolog_nextid.c: iolog_nextid(): make iolog_dir argument const. We make a copy of the directory so there's no real reason that parameter can't be const. [f278847ca9aa] * plugins/sudoers/ldap_util.c: Amend truncation fix, the real problem was the size passed to snprintf(). sudo_rcstr_alloc() takes a length (not a size) parameter so when calling snprintf() we need to add one to the length. [92f8a8b86d20] * plugins/sudoers/ldap_util.c: Fix truncation of the last char of the sudoRole cn passed to append_default(). This string is primarily used for warning messages. Also check the snprintf() return value to avoid silent truncation. GitHub issue #115 [22b8d7bc62f8] 2021-09-20 Todd C. Miller * .hgtags: Added tag SUDO_1_9_8p2 for changeset 9edebc604c58 [67357c8687d3] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.8p2 [9edebc604c58] [SUDO_1_9_8p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.8p2 [f29fdeb8ae5b] * etc/codespell.exclude: Standardize on "front-end" not "front end" in the man pages. [b0ad634852e7] * configure, configure.ac: fix typo [4d8738449daa] * logsrvd/logsrvd_journal.c: Reuse existing journal file for an accepted/rejected sub-command. Otherwise we end up with zero-length files in the incoming queue dir and may end up relaying one of those instead of the actual journal file. [4789371a43f3] <1.9> * logsrvd/logsrvd_journal.c: Reuse existing journal file for an accepted/rejected sub-command. Otherwise we end up with zero-length files in the incoming queue dir and may end up relaying one of those instead of the actual journal file. [545897a2761c] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Re-enable error output for the sudoers parser. It is only the alias and defaults warnings we need to suppress. [114bd7756a7c] * src/exec_intercept.c: Add intercept_cleanup() stub for when building w/o intercept support. [bd6f32a90787] * src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Add intercept_cleanup() to free the closure used by intercept_accept_cb(). [55f6aea8b517] * plugins/sudoers/auth/pam.c: Don't re-initialize PAM for sub-commands. [41d7d61e4ac5] <1.9> * plugins/sudoers/auth/pam.c: Don't re-initialize PAM for sub-commands. [faa7aec4d145] * logsrvd/logsrvd_local.c: sudo_logsrvd: only send log ID for first command of a session There is no need to send the log ID for each sub-command. [e21b40af74f2] <1.9> * logsrvd/logsrvd_local.c: sudo_logsrvd: only send log ID for first command of a session There is no need to send the log ID for each sub-command. [625b18c5f821] * plugins/sudoers/log_client.c: Only store the first log id received from the server. Plugs a small memory leak in intercept mode if the log server sends the log ID again for sub-commands. [e20563f3e152] <1.9> * plugins/sudoers/log_client.c: Only store the first log id received from the server. Plugs a small memory leak in intercept mode if the log server sends the log ID again for sub-commands. [ca2ad5b219cd] 2021-09-19 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: fuzz_sudoers: don't warn about unknown defaults entries Some fuzzing inputs cause a huge number of warnings and displaying them all can result in the fuzz run timing out. If we disable the warnings we can avoid the timeout. [4823ee305937] * plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/policy.c: Limit paths for command, cwd and chroot to PATH_MAX bytes. This helps prevent the fuzzer from going off the rails. [9550fa76a645] * plugins/sudoers/sudoers.c: sudo -i: missing NULL terminator when moving argv to make room for --login Fixes a potential crash for "sudo -i" when the target user has bash as the shell (which needs the --login option). Bug #998. [32644aae1eab] <1.9> * plugins/sudoers/sudoers.c: sudo -i: missing NULL terminator when moving argv to make room for --login Fixes a potential crash for "sudo -i" when the target user has bash as the shell (which needs the --login option). Bug #998. [4b297f2ead15] * lib/eventlog/eventlog.c: Only append argv[] to the log line if argv[0] is not NULL. It should not be possible to reach this point with a command defined but argv[] empty but it doesn't hurt to check. [61f9cf744673] 2021-09-18 Todd C. Miller * plugins/sudoers/check_aliases.c: Only warn about an undefined alias or a cycle a single time. There's no point in warning about the same problem multiple times. This implementation assumes a small number of warnings and so just uses a simple listed link. [4461f65d1bad] * configure, configure.ac: Remove now-unused CHECK_INTERCEPT variable. [447dbf8bea48] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Quiet pvs-studio false positive: V557 Array overrun is possible. Make the zero length check explicit so as not to confuse static (or human) analyzers. [512ab29a9f28] 2021-09-17 Todd C. Miller * MANIFEST, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test17.sh: Test that digest matching works with LDAP sudoCommand: ALL [f7ec49401d4f] * plugins/sudoers/ldap_util.c: Allow a digest to be specified with the "ALL" command for ldap/sssd back-ends. This has been possible with sudoers file entries since sudo 1.9.0 but no corresponding change was made for ldap/sssd. [89a30bbd7dac] * lib/eventlog/eventlog.c: Use localtime_r() not gmtime_r() when formatting the local time. This is consistent with how sudo formatted time stamps prior to the logging code being split off into libeventlog. We only need to use gmtime_r() for ISO 8601 time. [aee6e29ba9d6] * lib/eventlog/eventlog.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c: Check strftime(3) return value in all cases. Old versions of strftime(3) didn't guarantee to NUL-terminate the buffer so we explicitly clear the last byte of the buffer and check it. [bc402e4bd4d2] * config.h.in, configure, configure.ac, logsrvd/tls_init.c: tls_init.c: use SSL_CTX_set0_tmp_dh_pkey if present. Fixes a warning on OpenSSL 3.0 and plugs a memory leak of dhparams on config reload. [02027ea86d3b] * configure, configure.ac, lib/util/digest_openssl.c: Use the EVP digest routines instead of calling SHA2 functions directly. Avoids compiler warnings with OpenSSL 3.0. EVP_MD_CTX_new() is only available for OpenSSL 1.1 and higher--we will fall back to sudo's SHA2 code if necessary. [6fbac28175f9] * configure, configure.ac: When using pkg-config, don't assume the names of the ssl and crypto libs. On the HP-UX build machines these are named libssl_pic.a and libcrypto_pic.a to avoid conflicting with the system libs. [a8eb772b3a4d] * lib/util/sudo_debug.c: Store milliseconds in the debug file timestamp. Sometime second granularity is not enough. [1df3e75f1133] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/gmtime_r.c, lib/util/localtime_r.c: Add gmtime_r and localtime_r tests and compat if missing. [709671c493a3] * lib/eventlog/eventlog.c, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c: Use gmtime_r() and localtime_r() instead of gmtime() and localtime(). [5758514b25cb] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Plugin lines are for approval and audit plugins too. [67bb7c0687f2] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in: Standardize on "front-end" not "front end" in the man pages. [68748f8cc8a6] * MANIFEST, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test16.sh: Add a test to exercise Bug #994 [eef2ece0e8d4] * scripts/mkpkg: mkpkg: limit the number of cores used to 16 [5b8f2aa834b8] 2021-09-16 Todd C. Miller * NEWS: fix typo [120b1e7d2aca] * .hgtags: Added tag SUDO_1_9_8p1 for changeset feb396a0d60d [e5f560a935fc] <1.9> * configure, configure.ac: Merge sudo 1.9.8p1 from tip [feb396a0d60d] [SUDO_1_9_8p1] <1.9> * NEWS: Bug #994. [14ea3a741b25] * plugins/sudoers/ldap_util.c: Always allocate a struct sudo_command for the command, even for ALL. This was missed in the previous set of changes, resulting in a crash for LDAP and SSSD rules that give sudo "ALL" privileges. Bug #994. [91d0379b068a] * plugins/sudoers/Makefile.in: Add SUDOERS_LDFLAGS to FUZZ_LDFLAGS Fixes a fuzzer link error when building with ldap if the ldap libs are not in the default library search path. [a450881f9763] * configure, configure.ac: Fix the OpenSSL link order for the non-pkg-config case. Since -lssl depends on -lcrypto, -lcrypto must be listed after -lssl. Fixes linking of non-dynamic OpenSSL libs. [787724ab6e87] 2021-09-15 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.9.8p1 [fc8c69d55348] * src/sudo_intercept_common.c: sudo_interposer_init: verify message type from sudo We should only get a HelloResponse from sudo at this point. [a021319260b3] * include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c: Avoid symbol name clash to fix --enable-static-sudoers linking. [5cc5e415844f] 2021-09-14 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/policy.c: append_defaults() should not be passed a value for boolean flags. The operation should simply be set to true/false. Also treat a NULL file as coming from the front-end. Bug #993. [86e69d358916] 2021-09-13 Todd C. Miller * configure, configure.ac, plugins/python/Makefile.in, scripts/mkdep.pl, src/Makefile.in: Teach mkdep.pl about --tag=disable-static in LTFLAGS. If static objs are disabled we need to add explicit dependencies for .o files. The OpenBSD libtool doesn't use a pic object file when linking executables so we need to build the non-pic objects too. [cdefeeb41a64] * configure, configure.ac: Use SUDO_APPEND_LIBPATH when appending to LIBTLS and LIBMD. The OpenSSL pkgconfig files only include -L paths, not -R paths. Using SUDO_APPEND_LIBPATH ensures the rpath is set correctly so the binaries will run (not just link). [29d051972287] * INSTALL, configure, configure.ac: Add --enable-openssl-pkgconfig-template option. This can be used to find the correct openssl pkg-config file if it is not named "openssl" (also libcrypto). [77cd3463cefa] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Some POSIX yacc fixes for bison 3.8 yyerror() must be extern void declare tokens with type instead of using separate %type lines [c4e57f9e7df5] 2021-09-09 Todd C. Miller * .hgtags: Added tag SUDO_1_9_8 for changeset e25cff5d148b [4067d7a889fa] <1.9> * config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_init.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Merge sudo 1.9.8 from tip [e25cff5d148b] [SUDO_1_9_8] <1.9> * .gitignore, .hgignore: Add src/intercept.exp to ignore files. [4eaa182a8808] 2021-09-08 Todd C. Miller * plugins/sudoers/po/cs.mo: regen [8c168099301b] * NEWS: Mention --enable-static-sudoers fix. [c93a42253fd0] * configure, configure.ac: Fix typo introduced in 1.9.7 that set SUDO_LDFLAGS to SUDOERS_LDFLAGS. Copy pasta is not always the best kind of pasta. [08188442f77b] * MANIFEST, configure, configure.ac, m4/sudo.m4, src/Makefile.in, src/intercept.exp, src/intercept.exp.in, src/sudo_intercept.c: sudo_intercept.so: only replace execvpe() if it is present. execvpe() is a GNU extension also found on *BSD (but not macOS). [26153ad9c6ca] * NEWS: We now intercept more than just execve(). [33e453f035f8] 2021-09-07 Todd C. Miller * src/sudo_intercept.c: Implement simple PATH resolution for execvp(). We want to use PATH from the current value of the environment, not the initial value of PATH when the policy was opened. This is a little different from how real execvp() works since we use stat() instead of just execve(). [fae58e1962cc] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c: Add support for execl, execle, execlp, execvp, and execvpe. Currently, PATH traversal is handled by sudoers which uses the original PATH, not the one updated by the shell. [59dfbbd39bf6] 2021-09-03 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y: Remove conditional include of alloca.h, we don't define HAVE_ALLOCA_H. The configure check for alloca() was removed long ago but this got missed. [4c64529df149] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Define RBAC and mention incompatibility with intercept/log_subcmds. [a44d8f96cad6] 2021-09-02 Todd C. Miller * src/exec_intercept.c: Fix computation of the token address when handling a partial read. We want to treat it as an array of bytes, not an array of tokens. Coverity CID 240011 [0bb3fb3315ce] * plugins/sudoers/parse.c: Quiet a PVS-Studio format string warning. [4e445c646dc8] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Regen .pot files. [4cec17bc24da] * plugins/sudoers/po/cs.po: Updated translations from translationproject.org [62fdbab57411] 2021-09-01 Todd C. Miller * src/Makefile.in: regen [a2f37ca5473b] * configure, configure.ac, lib/util/sudo_conf.c, scripts/mkdep.pl, src/Makefile.in, src/exec_common.c, src/exec_intercept.c: Do not compile intercept code if --disable-intercept is specified. [9d31e2822c24] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: We now intercept execv() too. [f0eac891cb5c] * INSTALL: INSTALL: --disable-intercept will also disable "log_subcmds" [55ddfdae455d] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/parse.c: Can't use intercept or log_subcmds with SELinux RBAC. SELinux policy will prevent the inherited socket from sudo from being used and may also restrict the ability to connect back to the sudo process. [b73409172859] * m4/ax_prog_cc_for_build.m4: Fix typo in comment. [3259f09e6952] * po/cs.mo, po/cs.po: Updated translations from translationproject.org [7543d0d50ee2] * include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c: Switch to a 128-bit token instead of a 64-bit secret. Protobuf doesn't have a 128-bit type so use two u64s. We now support partial reads of the token. [e39ece25fb3b] 2021-08-31 Todd C. Miller * MANIFEST, lib/util/Makefile.in, lib/util/regress/uuid/uuid_test.c, lib/util/uuid.c: Fix random uuid generation, no need to convert between byte order. Also add regression test. [fd2940acffc2] * include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c: sudo_intercept.so: send the secret immediately after connecting. Sending the secret out of band, before the message size is read, should make it harder to mount a DoS attack. [4c8b6577bd8c] * src/sudo_intercept_common.c: Handle reading large messages that don't fit in a single recv(). We know the length of what we are receiving so just loop until we have it all, get EOF or an error. [1b8aa927ea83] * configure, configure.ac: Add checks for -fstack-clash-protection and -Wl,-z,noexecstack We use -Wc,-fstack-clash-protection as the linker flag to prevent libtool from removing it from the link line. [7cd701b5039e] * src/exec_intercept.c: Make the sudo side of the intercept socket non-blocking. [3fe7129ea1f2] * src/exec_intercept.c: Handle partial read/write by dropping back into the event loop. [fa216d963e18] * src/exec_intercept.c: intercept_check_policy: Fix double free introduced in last commit If the command is not accepted we don't rebuild command_info[] and must not free it. It will be freed by the policy instead. [8bbd2af0924b] 2021-08-27 Todd C. Miller * include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c: Update runcwd in command_info[] before passing it to the audit plugin. Since sudoers does rejected commands itself the runcwd will still not be correct for those. [5462a5e1d760] * src/exec_preload.c: Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var. [04d8d7750ff6] 2021-08-26 Todd C. Miller * src/exec_intercept.c: intercept_check_policy: fix potential NUL dereference on the error path. [4d1b3f39ccb1] * NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Rename log_children -> log_subcmds [abd73fc939c3] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [f948528780fb] * lib/util/sudo_debug.c: Add sudo_debug_register_v2() stub for fuzzing build. [ba522c0c2075] * src/exec_intercept.c: Fix use-after-free on error. Also remove useless free of a ptr that is always NULL on the error path. [75200535be80] * src/exec_common.c: No longer need to remap intercept fd but we do need to remap debug fd. The intercept fd is closed in the ctor but the debug fd will still be open. [b48125b884f3] * include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, src/sesh.c, src/sudo.c, src/sudo_intercept_common.c: sudo_debug_register: add minfd argument to specify lowest fd number Use this in sudo_intercept.so to avoid allocating a low-numbered fd which the shell reserves for use by scripts. [50b23c4d0531] * src/exec_intercept.c: Fix command name of sub-command in logs when log_children is set. [c1b35686d8b4] 2021-08-25 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: log_allowed: pass struct eventlog * instead of argv[] and envp[]. This lets us log based on the command_info[] list passed in from the front-end. Previously, much of the struct eventlog was constructed from internal sudoers state instead. [4c4a7ddfeba3] * include/sudo_compat.h: sudo_compat.h: include unistd.h on HP-UX to safely redefine pread/pwrite HP-UX 11.31 defines static functions for pread() and pwrite() which will conflict with our macros. [2dd64cdc261f] * config.h.in, configure, configure.ac, include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c: Change intercept IPC to use a localhost socket instead of inherited fd. This allows intercept mode to work with shells that close all open fds upon startup. The ctor in sudo_intercept.so requests the port number and secret over the socket inherited from the parent then closes it. For each policy request, a TCP connection is made to the sudo parent process to perform the policy check. Child processes re-use the TCP socket to request the port number and secret just like the initial process started by sudo does. [7e7e4a389f11] * src/exec_intercept.c: Add a state variable to intercept_closure, replaces policy_result. [60fae103a4cd] * plugins/sudoers/match_command.c: command_matches: avoid printf("%s") of NULL in debug for sudo ALL. [5c81c2c32b4c] * Merge pull request #111 from commodo/fix-cflags lib/util/Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list} [ee86d28da792] 2021-08-25 Alexandru Ardelean * lib/util/Makefile.in: lib: util: Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list} When cross-build support was added for mkig{name,list} was added, the CFLAGS and CPPFLAGS should have been updated to the HOSTCFLAGS/HOSTCPPFLAGS vars. In a cross-build scenario, some of these flags don't match what the compiler can understand (because they may be architecture specific) and may fail the build. Using the HOSTCFLAGS/HOSTCPPFLAGS works and builds successfully. Also the output binary works on the target. This is in continuation of - https://github.com/sudo-project/sudo/pull/104 - https://github.com/sudo-project/sudo/pull/109 Signed-off-by: Alexandru Ardelean [f76870e1a6c5] 2021-08-24 Todd C. Miller * src/exec_intercept.c: Fold intercept_closure_reset() into intercept_close(). [ff00ab240672] * src/exec_preload.c: Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD. [e4cd1043c7bb] * src/exec_preload.c: Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD vars. [9044d0dff708] * src/sudo_intercept.c: Fix typo in macOS execv change. [1c637d909382] 2021-08-21 Todd C. Miller * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c: Add execv(3) support to sudo_intercept.so. This allows intercept to work with csh which uses execv(3) not execve(2). [690ebf72b6f8] 2021-08-20 Todd C. Miller * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Sync the list of functions trapped by sudo_noexec.so. [b1f7799209ff] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Add a Debug example for sudo_intercept.so Don't try to enumerate all the sudo programs that support debugging since all of them do. [9c1201eaaca2] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Update sudoers Debug example to match the debug changes from sudo 1.8.12. [7c831aa9b6d5] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: sudo_intercept.so only intercepts execve(2) for now. [7314abc72fb9] * plugins/sudoers/parse.c: Fix formatting for bound defaults with multiple entries in the binding. The entries in the binding were separated with " ," instead of ", ". [14442701f793] * MANIFEST, src/Makefile.in, src/intercept.exp: Add exports file for sudo_intercept.so that only exports execve() [ac97417435ab] * src/Makefile.in, src/sudo_intercept.c, src/sudo_intercept_common.c: Add some debugging to the sudo_intercept.so. [2dee003b5cc7] * config.h.in, configure, configure.ac: Use AC_FUNC_FSEEKO instead of AC_CHECK_FUNCS_ONCE([fseeko]). This will define _LARGEFILE_SOURCE, if needed, to make the prototype visible on older systems. [3f4314f6a795] 2021-08-19 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_compat.h: We still need the pread/pwrite hack for HP-UX 11.11 at least. This time around, avoid defining _LARGEFILE64_SOURCE and just declare pread64/pwrite64 ourselves. [66e01b14a10f] * include/sudo_compat.h: Fix prototypes for sudo_pread() and sudo_pwrite(). [15acfc576a71] * src/exec_intercept.c: intercept_fd_cb: store the passed fd in newfd, not fd only affects the old BSD-style fd passing code, not POSIX-style. [4b13aa4593ba] * lib/util/Makefile.in: Fix mksiglist and mksigname dependencies. [31519cc5ec2b] * doc/sudoers.man.in, doc/sudoers.mdoc.in: set-user-ID and set-group-ID not set user-ID and set group-ID. [0ddf5fedc896] * NEWS: The fix for bug #989 will make sudo 1.9.8. Also mention intercept_authenticate and intercept_allow_setid. [fa8b7444486b] * plugins/sudoers/po/sudoers.pot: regen [c8993c070218] * .gitignore, .hgignore, MANIFEST, aclocal.m4, configure, configure.ac, lib/util/Makefile.in, lib/util/mksiglist.c, lib/util/mksiglist.h, lib/util/mksigname.c, lib/util/mksigname.h, lib/util/sys_siglist.h, lib/util/sys_signame.h, m4/ax_prog_cc_for_build.m4: Cross-build support for mksigname and mksiglist We must build these with the host C compiler but use the target preprocessor to generate the output. [bf2919b63fb9] 2021-08-19 a1346054 <36859588+a1346054@users.noreply.github.com> * .clang-format, INSTALL, MANIFEST, autogen.sh, doc/LICENSE, etc/sudo.pp, examples/Makefile.in: Minor cleanup (#110) * fix trivial shell script issues * remove trailing whitespace [f9d4de3dee50] 2021-08-19 Todd C. Miller * logsrvd/logsrvd_conf.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/exptilde.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c: Replace messages like "unknown foo: %s" with "unknown foo %s". The colon really doesn't belong there; we generally use a colon to separate a message from the warning detail. [a1b99c8821ae] * doc/sudoers.man.in, doc/sudoers.mdoc.in: log_server_peer_cert and log_server_peer_key are not required by default. They are only required if sudo_logsrvd has tls_checkpeer enabled. [0d9099ce5d74] * logsrvd/logsrvd_conf.c: Sync warning messages with sudoers/logging.c Avoids 3 translation strings that were effectively duplicated. [eb058a820998] 2021-08-18 Todd C. Miller * lib/protobuf-c/Makefile.in, src/Makefile.in: regen [ab9d4b22d7cb] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Add intercept_allow_setid sudoers option, disabled by default. With this change, a shell in intercept mode cannot run a setuid or setgid binary by default. On most systems, the dynamic loader will ignore LD_PRELOAD for setuid/setgid binaries such as sudo which would effectively disable intercept mode. [cdb876f62882] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c: Always allocate a struct sudo_command for the command, even for ALL. Previously we special-cased handling of ALL but this complicates some upcoming changes. [d552109d739c] 2021-08-16 Todd C. Miller * etc/codespell.exclude: Update TAGS_CHANGED macro based on parse.h [261e4bad3f55] * doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Better document the limitations of intercept mode. Also mention log_children under "Preventing shell escapes" [0dfca8d0672d] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.8. [ed2582c37765] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Try to clarify log_server_peer_key and log_server_peer_cert. These are client-side not server-side. [ffa4ee3e2557] * logsrvd/logsrvd_conf.c: Print the section when warning about an illegal key in the conf file. This should make it easier to tell when a setting is present in the wrong section. [8150a7775155] 2021-08-14 Todd C. Miller * lib/eventlog/eventlog.c: new_logline: limit offset to two significant digits after the decimal Now instead of TSID=0001L3@5.168230749 we would log TSID=0001L3@5.16. [089f7a1285cb] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c: Set umask to be less restrictive before creating parent directories. Otherwise we could end up creating them with a more restrictive mode than indended. Coverity CID 221592 [1bbb3621106a] * lib/eventlog/eventlog.c: new_logline: handle case where evlog is NULL [e14ded2179e8] * logsrvd/logsrvd_local.c: store_alert_local: fix memory leak on error path Coverity CID 238642 [2a3c7fb50c38] * plugins/sudoers/audit.c: log_server_accept: fix memory leak of evlog when logging a sub- command. Coverity CID 238643 [36a7325b3dc2] * src/exec_intercept.c: Fix memory leak when client requests secret. Move closure allocation closer to where it is used. [773ffe0cb216] * logsrvd/logsrvd_local.c: store_accept_local: fix return value on error [de0d06a1ade2] 2021-08-13 Todd C. Miller * lib/eventlog/eventlog.c: Cast iolog_offset.tv_sec to long long for %lld printf format. Quiets a compiler warning on systems where tv_sec in struct timeval is not long long. [54d757357a00] * doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, lib/iolog/iolog_timing.c, plugins/sudoers/sudoreplay.c: Add support for an optional offset when parsing the ID to replay. The offset is a suffix in the form of @sec[.nanosec] [f8cda41ea0ae] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c: For intercepted commands, log an offset into the current I/O log. This can be used with sudoreplay to jump to when a specific command was executed within a session log. [fd9431d7c878] * logsrvd/logsrvd_local.c: Don't overwrite closure->evlog for sub-commands. [925c97582b1d] * config.h.in, configure, configure.ac, include/sudo_compat.h: Older Solaris has getusershell() et al but does not declare it. [df4cd6a5e07f] * src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_intercept_common.c: Add missing stdint.h and sudo_rand.h includes. Needed for arc4random() and uin64_t. [47fd965524fe] * include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c: Pass a secret value to sudo_intercept.so and verify after policy check. The goal is to make it harder for someone to have a fake policy checker. This will not stop a determined adversary since the secret is present in the address space of the running process. [7938c63384df] 2021-08-11 Todd C. Miller * MANIFEST, src/Makefile.in, src/exec.c, src/exec_intercept.c: Split off intercept code into exec_intercept.c. [2c05715c4885] * scripts/mkpkg: Add trivial support for FreeBSD packages. The actual FreeBSD port supports multiple options but this is sufficient for testing purposes. [6bb8a1cdf26c] * scripts/pp: FreeBSD: Set default directory and file mode if not specified in %files Otherwise, a mode of 0 will be used, potentially rendering the system unusable. [a3be86a5f85f] * plugins/sudoers/logging.c: Use same check for intercepted commands as log_server_accept(). Previously, log_server_reject() and log_server_alert() just checked whether client_closure has been set. [41177f7c32f4] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c: Call shutdown() on sockets before closing() if they are connected. This should ensure that the other side sees any queued data before the connection is dropped. [beaafc6c17cf] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c: If SSL_shutdown() returns 0 it needs to be called one more time. [52bb0acfb659] * plugins/sudoers/editor.c: resolve_editor: sudoers_gc_remove(editor) before freeing it. [534cc939264f] 2021-08-10 Todd C. Miller * lib/util/mksigname.h, lib/util/siglist.in: Sync siglist.in with the generated files. The change to prefer SIGSYS over SIGUNUSED wasn't made to siglist.in. Also, mksigname.c doesn't need to explicitly set sudo_sys_signame[0]. [c331b05f8fc5] * plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/gc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add garbage collection to resolve_editor(). Fixes a leak when evaluating the policy multiple times if sudoedit is set. [ab011d864e87] 2021-08-09 Todd C. Miller * src/exec_common.c: Fix compilation when configure option --disable-shared is specified. [98687e01c8e4] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add intercept_authenticate sudoers option, defaults to false. By default, sudoers will not require authentication of commands run via an intercepted session. To require authenticaton of subsequent commands, enable intercept_authenticate in sudoers. [b428c75da1ad] * config.h.in, configure, configure.ac, src/exec.c, src/sudo_intercept_common.c: If msg_control is not present in struct msghdr use msg_accrights instead. Fixes building on Solaris and probably others. It is possible to expose msg_control on Solaris but this requires a specific set of feature flag defines which can cause other complications. [6ee77b869a8c] * configure, configure.ac, src/exec_preload.c: Require that our dso be first in the list to make sure it takes effect. Otherwise, another dso could take precedence and ours would not be run. [58ba4086357c] * configure, configure.ac, pathnames.h.in, src/Makefile.in, src/exec_preload.c: If building with address sanitizer make sure its DSO is first. Address sanitizer requires that it be preloaded before any other DSO in LD_PRELOAD. This should not be required for clang, which links in asan statically by default. [a812062f42a8] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Plug some memory leaks when sudoers_policy_main is called multiple times. These would get cleaned up a policy close time but we don't want to bloat sudo's memory footprint when running a shell with multiple commands. [7fee001ffeae] * plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c: Fix logging intercepted commands to a log server in sudoers. Only available when the server supports the subcommands capability. [5975770561de] * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Use a separate uuid for intercepted commands. We use the uuid to match the command with its exit status. [467f0db6e2c6] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Avoid some double frees in the fuzzer Now that sudoers free old values of NewArgv and command_info the fuzzer needs to reset those values. Otherwise we end up with stashed values that have already been garbage collected. [2a1b5808d272] * NEWS, configure, configure.ac: Sudo 1.9.8 [bc96c8f95abf] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add "intercept" Defaults setting to allow interception of sub- commands. This causes "intercept" to be set to true in command_info[] which the sudo front-end will use to determine whether or not to intercept attempts to run further commands, such as from a shell. Also add "log_children" which will use the same mechanism but only log (audit) further commands. [f42e11c0fde9] * INSTALL, configure, configure.ac, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in, include/sudo_conf.h, lib/util/sudo_conf.c, lib/util/util.exp.in, pathnames.h.in, src/Makefile.in, src/exec.c, src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Add support for loading the sudo_intercept.so DSO. [47d84cc8a8ed] * include/sudo_compat.h, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sesh.c, src/sudo_exec.h: Allocate a socketpair to communicate with sudo_intercept.so over. This is used for the intercept and log_children options. [b40091760952] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Make it possible to call the sudoers policy check function multiple times. We need to reset the Defaults values to their original state. [3187e87d7fb6] * plugins/sudoers/set_perms.c: Allow set_perms(PERM_INITIAL) to be called more than once. If the perm stack depth is non-zero when set_perms(PERM_INITIAL) is called, rewind it first and re-initialize the stack depth to 0. Fixes a user-after-free bug if set_perms(PERM_INITIAL) is called multiple times. [fdf9a2e07eb1] * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Use run_argv and run_envp passed into the audit plugin for event logging. Previously we used NewArgv[] and env_get() but now that logging is performed via an audit plugin we should use the values passed in. [d8e031fc2389] * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c: Allow multiple accept/reject messages during a logsrv conversation. The log server now advertises a subcommands flag if it supports logging subcommands (e.g. commands run from a sudo-spawned program like a shell). The client should only log additional commands during a session if this flag is set in the ServerHello message. [5b88982604e8] * MANIFEST, Makefile.in, configure, configure.ac, lib/logsrv/Makefile.in, lib/logsrv/protobuf-c.c, lib/protobuf-c/Makefile.in, lib/protobuf-c/protobuf-c.c: Add separate convenience lib for protobuf-c We need to use it for sudo <-> sudo_intercept.so communication. [9529d7f9db18] * MANIFEST, include/intercept.pb-c.h, src/Makefile.in, src/intercept.pb-c.c, src/intercept.proto: Define protocol for sudo <-> sudo_intercept.so communication. Uses google protocol buffers. [139ba292e226] * src/exec.c, src/sudo.c, src/sudo.h: Implement the sudo side of the sudo_intercept.so communication. [4a7face9ed17] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c: Implement sudo_intercept.so. Uses protobuf to talk to main sudo process over a socketpair. [fc21ae0f663e] * src/sudo.c, src/sudo.h: Add return values for most of the plugin function wrappers that returned void. Previously, they would just exit if there was an error. Now the error is passed back up the stack so we can use them in sudo_intercept.so. [87cb4b0e7dff] * src/sudo.c: Reduce the number of function args passed to plugin wrappers. This makes sudo_settings, user_info, submit_argv, submit_envp and submit_optind global. This will be required for calling the wrapper from outside of sudo.c where we may not have access to those variables. [525bffcf911c] * src/exec.c, src/sudo.c, src/sudo.h: Call the approval plugin after the policy plugin accepts a command. Previously, for intercepted commands we only called the policy plugin. [4df18aaa8708] * src/exec.c: Take control of the tty and save its settings before doing a policy check. Otherwise the policy plugin won't be able to read the password. [6a422974d472] * MANIFEST, src/Makefile.in, src/exec_common.c, src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c: Move preload_dso() to its own file and rename to sudo_preload_dso(). It now takes an intercept fd as an optional argument instead of a list of extra variables to add. This lets us check whether it is already set to the expected value (and add it if not). sudo_intercept.so now uses sudo_preload_dso() to make sure that LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing. [447e96378d01] * src/exec_preload.c, src/sudo_intercept_common.c: Add debug support to sudo_intercept.so [586ea125cebb] * src/exec.c, src/exec_nopty.c, src/exec_pty.c: Make the log_children option only log and not check policy. [0524c7e87174] * plugins/sudoers/prompt.c: expand_prompt: use correct strlcpy() size parameter The available size passed to strlcpy() was computed incorrectly. Switch to updating the length after writing to the new prompt instead of computing it each time. The actual buffer size is computed and allocated correctly so there is no real consequence to this bug. Found by Qualys. [c03f1c2f8f35] 2021-08-03 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf: The tls_verify setting only affects server behavior, not the client. Originally, there was a flag in the ServerHello message to indicate that the client should verify the server cert, but this was removed TLS was moved to a separate port. Client validation of the server certificate is now configured in the sudoers file instead. [344b51f3eee3] 2021-08-02 Todd C. Miller * scripts/mkpkg: On macOS, don't disable tty tickets and set password timeout to 0. This more closely matches the options used by the macOS version of sudo. [bd21c492921c] * plugins/sudoers/find_path.c: Add some debugging info to find_path() [dd7aebb432d6] 2021-07-30 Todd C. Miller * lib/iolog/iolog_mkdtemp.c: iolog_mkdtemp: umask must not be more restrictive than the file modes. We need this even though we will be calling mkdtemp() since the umask affects the mode of any parent directories. [c545b3369eae] 2021-07-29 Todd C. Miller * plugins/sudoers/visudo.c: Plug memory leak in error path when sudoers cannot be opened. [3df6b32149b8] * plugins/sudoers/defaults.c: Trying to use "+=" or "-=" operators on a non-list is an error. Previously, they were simply treated as "=" for non-lists. [3e0d47d0b4ea] * src/regress/net_ifs/check_net_ifs.c: Plug a memory leak in check_net_ifs found by address sanitizer. [bff1ad993476] * configure, configure.ac: Prefix sanitizer and fuzzer options with -XCClinker in ASAN_LDFLAGS. Otherwise libtool may ignore the options when linking. [ed1120f3813d] 2021-07-27 Todd C. Miller * logsrvd/tls_init.c: Display the correct error message if X509_verify_cert() fails. We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string() instead of the generic OpenSSL error functions. [778bbbe68e28] * lib/eventlog/eventlog.c: In new_logline check for NULL args->reason for EVLOG_RAW. This can't happen in practice since we never set EVLOG_RAW without passing in a reason. Coverity CID 237142 237143 [83f9038151db] * lib/eventlog/eventlog.c: format_json: don't dereference evlog if it is NULL. Also silence a PVS Studio false positive. [150039f65d26] 2021-07-26 Todd C. Miller * .hgtags: Added tag SUDO_1_9_7p2 for changeset 590e06825ec4 [cf3865846c94] <1.9> * configure, configure.ac: Bump version to 1.9.7p2 [590e06825ec4] [SUDO_1_9_7p2] <1.9> * configure, configure.ac: Bump version to 1.9.7p2 [388bf6af8434] * NEWS: Sudo 1.9.7p2 [c3bd2eb0d779] <1.9> * NEWS: Sudo 1.9.7p2 [153a6c96a8ec] * config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c: Use TLS_method() instead of TLS_client_method() throughout. OpenSSL returns an error for SSL_accept() if TLS_client_method() was used to generate the context (LibreSSL doesn't care). Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method() were used in the TLS client and server initialization code respectively. This was refactored in sudo 1.9.7 to allow the code to be shared. Bug #988 [f2bf4aca30d4] <1.9> * config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c: Use TLS_method() instead of TLS_client_method() throughout. OpenSSL returns an error for SSL_accept() if TLS_client_method() was used to generate the context (LibreSSL doesn't care). Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method() were used in the TLS client and server initialization code respectively. This was refactored in sudo 1.9.7 to allow the code to be shared. Bug #988 [1ca00726b4d6] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Only replace getaddrinfo for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. This works around an issue on SCO which uses inline functions in the header files which call the actual, versioned, library function. [f010d83f0168] <1.9> * plugins/sudoers/regress/fuzz/fuzz_policy.c: Only replace getaddrinfo for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. This works around an issue on SCO which uses inline functions in the header files which call the actual, versioned, library function. [64cbf884b7f9] 2021-07-26 MertsA * src/utmp.c: Rewind utmp file pointer after searching for entry (#108) getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries. [af1463026fd1] <1.9> * src/utmp.c: Rewind utmp file pointer after searching for entry (#108) getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries. [142555f7a47e] 2021-07-25 Todd C. Miller * configure, configure.ac, m4/sudo.m4: Use AC_CACHE_CHECK in place of AC_MSG_CHECKING + AC_CACHE_VAL where possible. [7b0fb8de8276] * config.h.in, configure, configure.ac, include/sudo_compat.h: Add configure check for va_copy instead of using #ifdef This prevents the va_copy compat #define from being used if sudo_compat.h is somehow included before stdarg.h. [6d283753e47b] <1.9> * config.h.in, configure, configure.ac, include/sudo_compat.h: Add configure check for va_copy instead of using #ifdef This prevents the va_copy compat #define from being used if sudo_compat.h is somehow included before stdarg.h. [fcfd53b859ac] 2021-07-23 Todd C. Miller * src/limits.c: Avoid using RLIM_INFINITY for the nofile soft limit to prevent closefrom_fallback() from closing too many file descriptors. [edbcd5c82d4d] <1.9> * src/limits.c: Avoid using RLIM_INFINITY for the nofile soft limit to prevent closefrom_fallback() from closing too many file descriptors. [e807ca9bfb6a] * plugins/sudoers/logging.c: Include signal.h for SIG2STR_MAX and sig2str(). [ad17a1be07e2] 2021-07-15 Todd C. Miller * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Create a UUID and log it in the JSON version of the event log. [8a1ad98fac51] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c: Remove unused info_cb and info arguments from eventlog_exit() [c614ef1afa12] 2021-07-09 Todd C. Miller * include/sudo_eventlog.h, lib/eventlog/eventlog.c: Add support for logging exit status events. For sudo-formatted logs, this is a record with "EXIT=number" and potentially "SIGNAL=name" after the command. For JSON-format logs, a new "exit" record is logged which contains an "exit_value" and potentially "signal" and "core_dumped". JSON-format logs now incude a UUID to associate the "exit" record with the "accept" record. [52e40ae4b79a] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Add log_exit_status sudoers option to log when a command exits. This option defaults to off. [cac3ca7ad193] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c: Add log_exit setting in the sudo_logsrvd.conf eventlog stanza This causes sudo_logsrvd to log a record with the exit status or terminating signal in response to an ExitMessage. [1a15f676974a] 2021-07-08 Todd C. Miller * plugins/python/python_plugin_common.c: Check that the python module we actually loaded is what we intended. This is intended to provide a more useful error message if the user defines a module which conflicts with a system python module. For example, a module called test.py would conflicts with the system python test module. [345523b6e87d] <1.9> * plugins/python/python_plugin_common.c: Check that the python module we actually loaded is what we intended. This is intended to provide a more useful error message if the user defines a module which conflicts with a system python module. For example, a module called test.py would conflicts with the system python test module. [0676191e4741] 2021-07-02 Todd C. Miller * doc/CONTRIBUTORS: Mention that xkcd inspired the sandwich logo. [c7839328e21f] * doc/HISTORY: Mention log server and fuzzers under Quest contributions. [f4a081f75cd0] 2021-06-26 Todd C. Miller * src/sesh.c, src/sudo.c, src/sudo_edit.c: Don't assume that the number of groups returned by getgroups() is static. On systems where getgroups() returns results based on more than just the per-process group vector in the kernel it is possible for the number of groups to change in between invocations. Based on GitHub PR #106 from Pierre-Olivier Martel. [832fa2480024] <1.9> * src/sesh.c, src/sudo.c, src/sudo_edit.c: Don't assume that the number of groups returned by getgroups() is static. On systems where getgroups() returns results based on more than just the per-process group vector in the kernel it is possible for the number of groups to change in between invocations. Based on GitHub PR #106 from Pierre-Olivier Martel. [dbc7a173a7b8] * doc/Makefile.in: Use "mandoc -Tlint -Wwarning" instead of -Wstyle. The style checks now include "referenced manual not found" warnings which is not helpful. [251757f22498] 2021-06-22 Todd C. Miller * logsrvd/Makefile.in, src/Makefile.in: regen [c6a21b385d57] 2021-06-21 Todd C. Miller * lib/fuzzstub/fuzzstub.c: Change ms from size_t to long. Avoids a spurious test failure on Solaris 9 [5e204b959000] <1.9> * lib/fuzzstub/fuzzstub.c: Change ms from size_t to long. Avoids a spurious test failure on Solaris 9 [c26f8d233ea9] * plugins/sudoers/interfaces.c, src/net_ifs.c: Move definition of INADDR_NONE from interfaces.c to net_ifs.c. Fixes compilation on Solaris 9. [d05bca21f145] <1.9> * plugins/sudoers/interfaces.c, src/net_ifs.c: Move definition of INADDR_NONE from interfaces.c to net_ifs.c. Fixes compilation on Solaris 9. [9da2276cf944] 2021-06-19 Todd C. Miller * logsrvd/logsrvd.c: Fix dead store found by clang analyzer. [5c85aeef651e] * logsrvd/logsrvd_conf.c: Fix prefix skipping when the prefix is embedded and not separate. This doesn't currently matter since the progname and the ": " are stored in separate messages. Found by clang analyzer. [321e90e1b347] * logsrvd/logsrvd_relay.c: Remove dead store found by clang analyzer. [5fd56f26e1ba] 2021-06-16 Todd C. Miller * plugins/audit_json/audit_json.c: Make sure we store an octal number (like umask) as a string. JSON doesn't (portably) support octal numbers with a leading zero. [a0c8392f2f7a] <1.9> * plugins/audit_json/audit_json.c: Make sure we store an octal number (like umask) as a string. JSON doesn't (portably) support octal numbers with a leading zero. [3ac37bb42f1e] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Replace logsrvd_is_early() with logsrvd_warn_stderr(). This is now defined in logsrvd_conf.c which removes a dependency on another compilation unit for the fuzzer. [3594cf3ec397] 2021-06-15 Todd C. Miller * logsrvd/logsrvd_local.c: Silence a compiler warning on Solaris. [fd9ba461b601] * logsrvd/logsrvd.c: Reduce scope of errstr variable so it is only declared for OpenSSL. [eebe09a17f4b] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [05b8391c6d13] * logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_init.c: Use sudo_warnx?() instead of sudo_debug_printf for errors. We now hook the warn functions so the messages are logged. The messages still show up in the debug log too. [9e25dc71b4cc] 2021-06-14 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/vsyslog.c, scripts/mkdep.pl: Remove vsyslog(3) emulation, it is no longer used. [7d1b78c2037a] 2021-06-13 Todd C. Miller * logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: If logsrvd_config not set fall back to using stderr for warnings. Also fix fuzz_logsrvd_conf link error. [eeaafe1b3e09] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Add support for logging server warning/error messages. We can use sudo_warn_set_conversation() to set a conversation function that either writes to a log file or calls syslog(). [5d8e13f053d0] 2021-06-11 Todd C. Miller * .hgtags: Added tag SUDO_1_9_7p1 for changeset d936a99e842d [9bc246c519f3] <1.9> * Merge sudo 1.9.7p1 from tip [d936a99e842d] [SUDO_1_9_7p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.7p1 [29f478993ef3] 2021-06-09 Todd C. Miller * plugins/audit_json/audit_json.c: Check arrays that are passed in for NULL before using them. [925ba5b0f2cb] * configure, configure.ac: Disable nss_search()-based group lookups on HP-UX for now. There is a crash when "group: compat" is used in /etc/nsswitch.conf that I haven't been able to debug. Since HP-UX doesn't ship the appropriate headers it is likely that there is a mismatch between include/compat/nss_dbdefs.h and what HP actually uses. [28b00005c785] 2021-06-08 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h: Remove logsrvd closure ERROR state and use a boolean flag instead. Fixes a bug where we would not insert a journal file that failed to relay into the queue because its state was changed from CONNECTING to ERROR after failing to connect. [638285a4bedb] * include/compat/nss_dbdefs.h, lib/util/getgrouplist.c: Add NSS_TRYAGAIN and correct buflen in struct nss_XbyY_buf_t. Add some function argument names. Also use struct nss_db_state * instead of void * in nss_db_root_t. We don't define struct nss_db_state but since it is a pointer all we need is a forward declaration. [bc848fb97671] 2021-06-07 Todd C. Miller * lib/fuzzstub/fuzzstub.c, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in: Make sure we link with libsudo_util *after* libfuzzstub. This only affects builds with a static libsudo_util. Also fix a warning on HP- UX about main not being public. [18ff1f108c4e] * MANIFEST, lib/util/Makefile.in, lib/util/regress/getgrouplist/getgids.c: Add getgids utility to simular "id -G" using sudo_getgrouplist2() [aed11065818d] * lib/util/getgrouplist.c: Make sure we don't read or write past the end of the group buffer. We need to leave room for the terminating NULL in gr_mem. It is possible for gbm->numgids > gbm->maxgids if we ran out of room. [25a3ee849fd4] 2021-06-04 Todd C. Miller * lib/util/getgrouplist.c: Add some debugging to sudo_getgrouplist2(). [4d79e92c8ee8] 2021-06-02 Todd C. Miller * src/load_plugins.c: Fix some debug_decl typos and remove an unneeded cast. [fafa91ac3def] * plugins/sudoers/defaults.h: T_TIMEOUT is not a bitwise flag so doesn't need to be a power of 2. [66019af6d642] 2021-05-28 Todd C. Miller * src/load_plugins.c: sudo_stat_plugin(): set errno but do not warn if plugin path too long. The caller will display the warning (using errno) so there is no need to do it twice. [c8614b374a35] 2021-05-26 Todd C. Miller * doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: sudoreplay does not parse sudoers to find the value of iolog_dir. The default value for the I/O log directory is set at build time. [3cf72612e992] * plugins/sudoers/policy.c: Fix group list ref leak in sudoers_policy_store_result() on error path. [34785448a275] 2021-05-24 Todd C. Miller * plugins/sudoers/policy.c: Update comment to match reality. [ec3e0a40d1ec] 2021-05-13 Todd C. Miller * configure, configure.ac, scripts/ltmain.sh, src/Makefile.in: Build sudo_noexec.so as a module on systems other then Darwin. On Darwin, shared modules and shared libraries are not interchangable and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it must be a library, not a module. We must relax the requirement that libraries begin with a "lib" prefix to work around this difference. This does mean you must use sudo's libtool on Darwin (macOS) but that is already a requirement on other systems (notably HP-UX and SCO) due to a number of libtool patches we require that haven't be accepted upstream. This is a different fix for PR #102. [2e5454c56d3c] * configure, configure.ac: Use -Wno-deprecated-declarations on macOS This quiets warnings about LDAP and audit libraries being deprecated. We will use them until they are removed in a future version of macOS. [6fbdf644865c] 2021-05-12 Todd C. Miller * scripts/mkpkg: Use /usr/bin/cc on FreeBSD and macOS. [7d6bcea0e544] * plugins/sudoers/log_client.c: Don't include errno in "unable to connect to log server" message. There should be a more specific message, usually with an error string, displayed earlier. [e599f9b0fd1c] * src/ttyname.c: Fix compiler warning on FreeBSD. [2c6fc866fb5b] * lib/iolog/hostcheck.c: Explicitly include netinet/in.h for struct sockaddr_in and sockaddr+_in6. Fixes a compilation problem on FreeBSD. [2277c8f37c34] 2021-05-11 Todd C. Miller * .hgtags: Added tag SUDO_1_9_7 for changeset f0ce54d4288c [58968ec7a457] <1.9> * Merge sudo 1.9.7 from tip [f0ce54d4288c] [SUDO_1_9_7] <1.9> 2021-05-10 Todd C. Miller * plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po: Updated translations from translationproject.org [3d6d49097b98] * plugins/sudoers/log_client.c: Better warning when close function is passed a non-terminal signal. [8b8628249e4d] * logsrvd/logsrvd_local.c: Remove line causing store_suspend_local() to return false on success. This is something that should have been removed as part of the local I/O logging refactor. [e8ae1e61b8b2] * src/exec_pty.c: Don't set the command status in the closure when the command is suspended. This should only be set for signals that terminate the process. Fixes a bug where the sudo front-end could call the plugin close function with a non-terminal signal argument. [a95024bfb6e8] 2021-05-07 Todd C. Miller * plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c: Quiet -Wshadow warnings from gcc. [7ff2985ba650] * NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in: The -g option may also be used with any group the target user belongs to. The description in the Runas_Spec section incorrectly stated that the -g option could not be used if no runas group was set. Bug #975. [67d1948d1aa8] * configure, configure.ac: Remove redundant "configuring Sudo version X.YY" line. We now display this along with the summary info at the end. [0d7c908f8d4c] * configure, configure.ac: Don't check for -Wl,-z,relro twice. [a30dce71fb26] 2021-05-06 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: Updated translations from translationproject.org [9303a20fe480] * scripts/mkpkg: Build python plugin for RHEL 6 as well. [edaa6ec0e255] * configure, configure.ac: Remove shell-style quotes in configure warning/error/notice messages. Square bracket quotes are used, no need for shell-style double quotes. [e6de284df511] * NEWS, configure, configure.ac: Summarize configure settings after all tests have run. This makes it a lot easier to see what features have been enabled. [12ea96affed5] 2021-05-04 Todd C. Miller * INSTALL, configure, configure.ac: Remove --with-efence option, there are better options available. [78fd5ceb2c52] * NEWS: Move misplaced changes into the 1.9.7 section where they belong. [1519f7a4669b] * lib/util/regress/sudo_conf/conf_test.c: Awful hack to pass on macOS where group_source=dynamic by default. [b038bfab8c34] * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/ca.mo, po/ca.po, po/it.mo, po/it.po, po/sr.mo, po/sr.po: Updated translations from translationproject.org [7b156da85d13] * NEWS: Document late stage 1.9.7 changes. [28756df7dcb4] * doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h: sudo_sendlog: rename -m (max-time) to -s (stop-after). [4f016111b242] * logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c: Update closure->elapsed_time in journal_seek(). Otherwise the commit point messages won't be accurate when restarting. [6cd4db44b8ee] * doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h: Add "-m elapsed" option to specify the max elapsed time of records to send. Useful for testing the ability of the server to handle restarted log transfers. [cd9c9235e320] 2021-05-03 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c: Disable reading from client or relay when sending error to client. We treat an error from the relay as fatal and must stop processing data from both client and relay to make sure we don't get out of sync. [258f9691b3d9] * logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c: Fix I/O log restart of locally-store logs. This got broken a while ago when evlog in struct connection_closure was changed to a pointer. [8b59122891f9] * scripts/pp: Fix detection of the volatile flag when other flags are present. Otherwise flags fields like "volatile,ignore-other" will be ignored by the Debian and BSD back ends. [0d120b9eab71] * src/limits.c: Fix debug message when prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) fails. GitHub issue #101 [7d266c174457] * logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_common.h, plugins/sudoers/log_client.c: Don't hard-code the TLS connect timeout, use normal connect timeout. For sudo_logsrvd, this is the relay connect_timeout setting. For sudoers, this is the log_server_timeout setting. [49e29f187f5a] 2021-05-02 Todd C. Miller * logsrvd/logsrvd_queue.c: Add missing closedir(3) in logsrvd_queue_scan(). Coverity CID 221591 [e9745c64a721] * NEWS: Mention "log_server_verify" bug fix. [a70060c34e7a] * configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, m4/sudo.m4, pathnames.h.in: Rename logsrvd log dir to /var/log/sudo_logsrvd. [fb979be9927e] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c: Make the failed relay retry interval configurable. This is the amount of time to wait before trying to resend a journal to the relay server after a connection error. [cbc04201a63e] 2021-05-01 Todd C. Miller * MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c: Send outgoing messages to the relay server on startup. Also attempt to retry messages that could not be relayed periodically. [7ed12983af85] * lib/util/fatal.c: Avoid clobbering errno in warning(). [3282a7db7f51] * logsrvd/logsrvd_relay.c: Set relay name string to NULL after dropping the reference. Otherwise it is possible to decrement the reference more than once. [245d4e60ea21] 2021-04-30 Todd C. Miller * plugins/sudoers/iolog.c: Fix cut & pasto that prevented the verify_server option from being set. The "log_server_verify" setting passed from the policy plugin was applied to the "keepalive" option instead of "verify_server". From Krisztian Kovacs. [06f716981ad0] 2021-04-29 Todd C. Miller * doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.c: Write client and server information to debug file on SIGUSR1 This can be used to debug client problems such as a connection not being closed as expected. [e6e3a4ba02f4] * doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in: Document journal file directories in store_first mode. [a08de0c20127] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c: Create journal files in an incoming directory, move to outgoing when complete. This will make it possible to process completed journal files periodically if the relay server is down. [5ced00c6eb7e] * logsrvd/logsrvd_relay.c: Add missing connection_close() call for relay-only connections. For an immediate relay we will close the connection when the client disconnects (or there is a timeout). However, for store-and-forward mode the client has already disconnected at the time we are relaying. [e51e98489c6d] 2021-04-27 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [4aa3f848b223] * logsrvd/logsrvd_conf.c: Replace non-ascii characters in warning string. [5e99ac170a15] * lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/tailq/hltq_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c: Quiet clang analyzer false positive in regress tests. [190ad1f287d8] * MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_local.c: Move local iolog log functions to logsrvd_local.c [e16e2a1d8209] * logsrvd/logsrvd_relay.c: Better client error reporting on relay server connection error. More detailed error messages may be found in the debug log. [d0807790327d] * logsrvd/logsrvd.c: Update debug pid string when sudo_logsrvd becomes a daemon. [33069e2da7d5] 2021-04-26 Todd C. Miller * logsrvd/logsrvd.c: Must call SSL_shutdown() before closing the underlying socket. This got broken by some code rearrangement when relay mode was added. [a3a8c4d10565] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c: Recover if the client or relay server closes the TLS connection uncleanly. The other end of the connection should perform a proper TLS shutdown but as long as we are in the correct state there is no need to treat this as a user-visible error. [90887bc2235f] * NEWS, aclocal.m4, configure, configure.ac: Sudo 1.9.7 [c1ea457eca11] * MANIFEST, plugins/python/Makefile.in, plugins/python/lsan_suppr.txt: Add a suppression file for the libpython leaks. This is a big hammer but it seems like the best we can do for now. Allows "make check" to succeed when address sanitizer is used. [4500cd1e835e] 2021-04-25 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c: When spliting EDITOR check for escaped quote characters. Also add check_editor to sudoers "make check". [0d8001299358] 2021-04-24 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c: Treat a lone backslash at the end of a string as a literal backslash. GitHub issue #99 [40a53e523003] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in: Fix typo. [614379733a17] 2021-04-23 Todd C. Miller * plugins/python/pyhelpers.c: Avoid a potential NULL dereference when mutating args_str. Coverit CID 221401 [69f3c7f8e524] * logsrvd/logsrvd_journal.c: Avoid calling fread() with a NUL buffer if msg_len is 0. Coverity CID 221399 [ed605b7a3186] * logsrvd/logsrvd.c: Set a restrictive umask so new files are only read/write by owner. Coverity CID 221402 [595465e4baa2] * logsrvd/logsrvd.c: In connection_closure_free() only close sock if it is not -1. When relaying from a journal there will be no socket. Coverity CID 221403 [fd4f27067c3f] * logsrvd/logsrvd.c: Avoid potential NULL dereference in get_free_buf(). Coverity CID 221400 [6cb5491bf812] * logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c: Remove some now-dead code in the error path. Coverity CID 221397 and 221398 [edc860f72f98] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c: Use function pointers for each client message type instead of conditionals. This separats out the message handler from the functions that store or relay the message contents. [f596480880fa] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c: Add enqueue_error_message() helper function. Formats and enqueues an error message and enables the write event. [122bd89fe5e3] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c: Forward the journaled entry after it has been stored locally. [a187d5a7ea28] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c: Stash the value of the store_first config setting in connection_closure. If the configuration changes it should not affect a connection that is already in progress. [6617c2b7ece5] * MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c: Journal messages to disk when store_first is set in the relay section. Instead of forwarding messages immediately, they are journaled locally in wire format. This will be used to implement relay store-and-forward mode. [aa0c537258e7] * INSTALL, configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, m4/sudo.m4, pathnames.h.in: Add configuration for sudo_logsrvd store-and-forward mode. Adds "relay_dir" and "store_first" settings to sudo_logsrvd.conf in the [relay] section. Also adds a --with-relaydir configure argument to change the default value (usually /var/log/logsrvd-relay. [6f064ed6d20e] * src/signal.c: Make sure SIGCHLD is not ignored when sudo is executed. If SIGCHLD is ignored there is a race condition between when the process is executed and when the SIGCHLD handler is installed. This fixes the bug described by GitHub PR #98 [b4c91a0f72e7] 2021-04-20 Todd C. Miller * config.h.in, configure, configure.ac: Remove the HP-UX 11.0 pread64() hack, it causes problems on modern HP-UX. [fea8ebd0b88d] * src/limits.c: Add minimum value to consider when overriding resource limits. Currently only used for RLIMIT_DATA and RLIMIT_AS. This works around a problem on HP-UX where setting RLIMIT_DATA changes the resource limits for both 32-bit and 64-bit processes. HP-UX processes start out with RLIMIT_DATA set based on the values of the maxdsiz and maxdsiz_64bit kernel tunables, depending on whether they are 32-bit or 64-bit. By default this limit is 1GB for 32-bit processes and 4GB for 64-bit. However, once RLIMIT_DATA is changed, it does not appear to be possible to restore the old values. This can result in a 64-bit process that is executed by a 32-bit shell getting the 32-bit RLIMIT_DATA instead of the 64-bit one. Bug #973 [8778a27abfaf] 2021-04-19 Todd C. Miller * logsrvd/logsrvd_relay.c: Don't use msg_len as a length after converting it to network byte order. [3f2496be1130] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c: Use the packed message buffer when relaying if possible. There's no need to rebuild the message buffer for anything but RestartMessage and ClientHello. [903fa50f48c9] 2021-04-18 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c: Allocate the data buffer in get_free_buf() too. We always know the size of the data buffer we need at allocation time. [c02dc245aa40] 2021-04-17 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c: Relay ChangeWindowSize and CommandSuspend events too. [cb20a1de47e3] 2021-04-16 Todd C. Miller * plugins/python/pyhelpers.c, plugins/python/regress/testdata/check_ex ample_debugging_c_calls@diag.log, plugins/python/regress/testdata/ch eck_example_debugging_c_calls@info.log, plugins/python/regress/testd ata/check_example_group_plugin_is_able_to_debug.log: Regenerate test output with python 3.10a7 Also adjust debug tests so they pass on older python versions [03aeda971872] * configure, m4/python.m4: determine Python (3.10) version number correctly. from upstream automake [1f4136509aca] * MANIFEST, aclocal.m4, m4/python.m4, m4/runlog.m4: Move python.m4 and runlog.m4 to the m4 directory. Previously they were inline in aclocal.m4. [6ec4c92539a7] 2021-04-15 Todd C. Miller * configure, configure.ac: Add hiuxmpp where we have hpux for special cases. Also move the HP- UX 11.00 pread(2) workaround into the section where pread(2) is tested for, not before it. [f6cc1820e0fb] * etc/sudo-logsrvd.pp, etc/sudo-python.pp: Only replace the last instance of "sudo" in example and doc dir. Otherwise we end up with weird paths for a prefix like /opt/sudo. [113bdf79f00f] 2021-04-13 Todd C. Miller * doc/sudoers.ldap.mdoc.in: Fix lint warning. [aa4a4f0b0da1] * doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in: Mention relay mode and update TLS example. [a50a23542c05] * etc/sudo-logsrvd.pp, etc/sudo.pp: If libssl_dep was not passed in, use ldd to determine its value. Normally, mkpkg will figure this out, but if the user does "make package" outside of the mkpkg script, libssl_dep will not be set. [87329797daca] 2021-04-12 Todd C. Miller * INSTALL, configure, configure.ac, doc/UPGRADE: Enable the use of OpenSSL if log client/server not disabled. This adds a dependency on OpenSSL unless it is explicitly disabled (--disable-openssl) or the sudo log client and server are disabled (--disable-log-client and --disable-log-server). [618f504240d2] 2021-04-09 Todd C. Miller * etc/codespell.skip: configure aux scripts moved to the scripts directory [1cfcbfd128ed] * logsrvd/Makefile.in, logsrvd/logsrvd_conf.c: Set logsrvd_config to NULL in logsrvd_conf_cleanup() after freeing it. Fixes a double free in fuzz_logsrvd_conf (but not sudo_logsrvd itself). Also fix linking fuzz_logsrvd_conf with OpenSSL. [ad78729467d4] * logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict: Update sudo_logsrvd.conf fuzzer to match configuration changes. [85ae32ce6f44] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf: Document relay configuration changes. [d66eb842a6ef] 2021-04-08 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: Move relay configuration into its own section and add TLS options. TLS options in the relay section will be used if specified, otherwise the TLS options from the server section are used. [0695e9b9b067] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: Add "server" and "relay" to getters/callbacks specific to server and relay. [618b4fa5325c] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: Remove struct logsrvd_tls_config. Now that the SSL context is initialized in logsrvd_conf.c there's no need to export TLS configuration other than tls_check_peer. [4fb0fdc417e1] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. [61e0bdf1499d] * logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c: Move allocation of the TLS context to logsrvd_conf_apply(). This way we get certificate errors at configuration time, not after. It also means that a change to the config file that renders the TLS settings invalid will no longer cause the server to exit. The new config will just be ignored as if there was a syntax error. [352ecb58618f] * logsrvd/tls_init.c: Only initialize the SSL library once. [e17215eec1d6] 2021-04-07 Todd C. Miller * plugins/sudoers/timestamp.c: Sanity check struct timespec in timestamp file. Coverity CID 220564 [68dfceeb105e] * plugins/sudoers/timestamp.c: Check lseek(fd, 0, SEEK_CUR) for -1 return value. Not actually possible in practice. Coverity CID 220568. [27105922d3be] * src/net_ifs.c: Check for NULL ifa->ifa_addr and ifa->ifa_netmask in both loops. [373961966099] 2021-04-07 Radovan Sroka * src/sudo_edit.c: Fixed bad condition for sesh args In selinux_edit_copy_tfiles() when there is only one file and the open() fails then number of arguments is lower than expected. Sudo should return error with or without "Defaults !sudoedit_checkdir" set. This was found with regression testing of CVE-2021-23240. Signed-off-by: Radovan Sroka [947ce862c0bf] 2021-04-06 Todd C. Miller * src/net_ifs.c: Plug memory leak on overflow; Coverity CID 220556 [86b71e5dec5c] * logsrvd/logsrvd.c: In schedule_commit_point() do not free the closure on error. It is the caller's responsibility to free resources on error. Coverity CID 220557 [e6629496ab03] * plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Cast NULL terminator argument to char * when calling sudo_mkgrent(). Avoids a portability issue on systems where NULL is not a pointer. [cdb9cf0ad2ea] * logsrvd/tls_init.c: Rename LOGSRVD_DEFAULT_CIPHER_LST13 to DEFAULT_CIPHER_LST13 [a5d7da05cf09] * logsrvd/tls_client.c: Include string.h for strerror(3) prototype. [57f5cfe43a89] * logsrvd/logsrvd_relay.c: Move connect_relay_tls() so we don't need a prototype for it. Fixes a warning when sudo is not configured to use OpenSSL. [0c73cfebf32b] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf: Document relay and connect_timeout server settings. [a101d54b451e] * MANIFEST, logsrvd/Makefile.in, logsrvd/logsrv_util.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h: Move common TLS client code to tls_client.c and use it in sendlog.c. [5334b6c4bef8] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Rename listen_address -> server_address and add reference counting. This will be used by the upcoming relay mode. [f8ef9c83c3c8] * logsrvd/logsrvd.c: Try to send an error message to client for some client_msg_cb() failures. [0805636e8114] * logsrvd/logsrvd.c: Split most of server_commit_cb() out into schedule_commit_point(). This allows it to be used by the relay code too. [c985c2f9e5d5] * MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: Add a relay mode to sudo_logsrvd where it forwards instead of stores. Relay hosts are be specified in the server section of sudo_logsrvd.conf. [071c231e76a9] * logsrvd/Makefile.in, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_common.h: Add support for relaying to another sudo_logsrvd via TLS. [c47397ce4098] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/rcstr.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/rcstr.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Move reference-counted string code from sudoers to libsudo_util. It will be used by sudo_logsrvd too. [d228aaf9b6fa] * logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c: Add sa_host to struct server_address as a ref counted string. Also convert sa_str to ref counted string. [4e8abb84c11d] * logsrvd/logsrvd_conf.c: Don't allow a wildcard address for the relay parameter. [4a80d18d025b] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Add logsrvd_conf_cleanup() to free the conf data structures on exit. There is no longer a need to do anything in shutdown_cb() other than break out of the event loop. [9e4d7456fb7a] * src/tgetpass.c: Set user group list when executing the askpass helper. Under normal circumstances the existing group list will match the list fetched by sudo. However, if sudo is executed by a process that has changed the group list via setgroups(2) and "group_source" in sudo.conf is set to "dynamic" it is possible for them to be different. If group_source in sudo.conf is set to "dynamic" it is possible for the group list [2b1d4ffb9cf6] * logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h: Use a tailq of write buffers instead of a single one per connection. This allows us to queue up multiple messages for writing like the sudoers client supports. Currently, each connection has its own free list. In the future we may want a single free list with low and high water marks. [b5df1b4d79c7] * configure.ac: Increase autoconf minimum version to 2.70. Some of the macros deprecated in 2.70 are required by older versions. For example, AC_PROG_CC now does the work of AC_PROG_CC_STDC. Bug #972 [223a584b6241] * MANIFEST, Makefile.in, config.guess, config.sub, configure, configure.ac, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, install-sh, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, ltmain.sh, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, scripts/config.guess, scripts/config.sub, scripts/install-sh, scripts/ltmain.sh, src/Makefile.in: Move autoconf auxiliary files to the scripts directory. [5ea8182c11d9] 2021-04-05 Todd C. Miller * doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Document SUCCESS=return support in sudoers nsswitch.conf entries. Based on a patch from Dennis Filder. Bug #971. [1d631d1b6244] 2021-04-01 Todd C. Miller * plugins/sudoers/audit.c: Move log_server_accept() out from under the #ifdef SUDOERS_LOG_CLIENT Fixes a link error when sudo is configured with --disable-log-client. [1bb7efdbddd5] 2021-04-01 Radovan Sroka * src/selinux.c: Removed depricated security_context_t Signed-off-by: Radovan Sroka [14aba55909fc] 2021-03-31 Todd C. Miller * logsrvd/sendlog.c: Return NULL if init_tls_client_context() fails. Otherwise, we will call SSL_new with a freed SSL context. Bug #970 [5fbadce88524] 2021-03-30 Todd C. Miller * src/parse_args.c: Use separate getopt config for sudoedit. Avoids a problem where the user gets an exclusive usage error message when using a sudo- specific option. GitHub issue #95 [b6207568e50a] * src/parse_args.c, src/sudo_usage.h.in: Add -h and -V to sudoedit usage and customize help output for sudoedit. Also add missing -B option to usage strings. [0d8fa214f8c3] * src/parse_args.c: Don't report a usage error for "sudo -V". GitHub issue #95 [a18573251751] * etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Do not include parent directories in rpm and deb files. Fixes a directory conflict with the AIX sudo rpm package. Other deb/rpm packages were not affected because parent dirs are omitted for a prefix of /usr. [f7d8db9670bb] 2021-03-29 Todd C. Miller * src/net_ifs.c: SCO OpenServer uses SIOCGIFANUM, not SIOCGIFNUM. On OpenServer, SIOCGIFNUM is the number of network interfaces, not the number of ifreq structs. [a992ea37b071] 2021-03-27 Todd C. Miller * src/net_ifs.c: Add support for HP-UX SIOCGLIFNUM and SIOCGLIFCONF ioctls. We need to use both SIOCGIFCONF and SIOCGLIFCONF since SIOCGLIFCONF only returns IPv6 addresses. [7a53304872b9] 2021-03-24 Todd C. Miller * src/net_ifs.c: Move get_net_ifs stub to the top and remove unused INET_ADDRSTRLEN def. [15bb7bc0ecb8] * src/net_ifs.c: No longer need ifr_tmp variable, just reuse ifr. Now that we store the string version of the address before fetching the netmask we can just re-use ifr. This simplifies things and is safer since if there is space for the address there must also be space for the mask. [89ade84d0a6d] * src/net_ifs.c: SCO OpenServer 5 returns a bogus value for SIOCGIFNUM. Gleaned from sendmail. [0616f2103f0b] * src/net_ifs.c: Use SIOCGSIZIFCONF or SIOCGIFNUM where available. Still falls back to a loop if not but now maxes out at 2048 interfaces instead of potentially looping forever. [f19cd2f827d5] * configure, configure.ac, src/net_ifs.c: Remove support for obsolete ISC UNIX and MIPS RISC/OS systems. They were getting in the way of net_its.c simplification. [4e2b7ce2fb7b] 2021-03-22 Todd C. Miller * src/net_ifs.c: Use SIOCGLIFCONF to get interface list where supported (Solaris). HP-UX has a SIOCGLIFCONF but it is incompatible (and appears to only return IPv6 addresses). Also add IPv6 support using SIOCGIFCONF (probably AIX only) and make sure ifr_tmpbuf[] is properly aligned. [d2eebba41618] * MANIFEST, src/Makefile.in, src/regress/net_ifs/check_net_ifs.c: Add simple regress check to display the network interfaces found. [6c1a5a50056e] 2021-03-19 Todd C. Miller * INSTALL: Suggest clang 11 or higher, some fuzzers may hang when used with clang 10. [abcf94949ca2] 2021-03-18 Todd C. Miller * MANIFEST, logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict: Add dictionary file for fuzz_logsrvd_conf. [f9e154751a5f] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add a new "fuzz" target that executes the fuzzers for 8192 runs each. To run indefinately, set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz" [5fd3d7e9430f] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/log_json/id.json, lib/iolog/regress/corpus/seed/log_json/ls.json, lib/iolog/regress/corpus/seed/log_json/mailq.json, lib/iolog/regress/corpus/seed/log_json/make.json, lib/iolog/regress/corpus/seed/log_json/pkg_add.json, lib/iolog/regress/corpus/seed/log_json/pkg_delete.json, lib/iolog/regress/corpus/seed/log_json/printenv.json, lib/iolog/regress/corpus/seed/log_legacy/id.log, lib/iolog/regress/corpus/seed/log_legacy/ls.log, lib/iolog/regress/corpus/seed/log_legacy/mailq.log, lib/iolog/regress/corpus/seed/log_legacy/make.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_add.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/seed/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/timing/timing.1, lib/iolog/regress/corpus/seed/timing/timing.2, lib/iolog/regress/corpus/seed/timing/timing.3, lib/iolog/regress/corpus/seed/timing/timing.4, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4, lib/util/Makefile.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/corpus/seed/policy/policy.1, plugins/sudoers/regress/corpus/seed/policy/policy.2, plugins/sudoers/regress/corpus/seed/policy/policy.3, plugins/sudoers/regress/corpus/seed/policy/policy.4, plugins/sudoers/regress/corpus/seed/policy/policy.5: Move corpus files to a seed subdirectory. [ba6dd7f30d22] * lib/fuzzstub/fuzzstub.c: We can now rely on LLVMFuzzerTestOneInput to flush stdout. [f20f353eeb87] * plugins/sudoers/Makefile.in: Fix fuzz_sudoers output comparison when fuzzing is enabled. libFuzzer outputs additional info to stderr that our stub doesn't. [49434e4eceaa] * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Flush stdout before successful return from LLVMFuzzerTestOneInput(). Fixes a problem with diag lines from libFuzzer being interspersed with test output. [f0b701120128] * configure, configure.ac: Use --allow-multiple-definition to work around an issue with ld.lld. For fuzz_policy we redefine getaddrinfo/freeaddrinfo to work around a DNS timeout problem with name resolution and CIfuzz. However, this causes a link failure when sanitizers are enabled on systems that use ld.lld as their linker. Use a big hammer to avoid the link error. [2b9df5329c0e] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h: Do not redefine system group and passwd functions for testsudoers. Instead, prefix the replacements with "testsudoers_" and use a custom pwutil backend so they get used. [6bfd2f8d01c0] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Rename "fuzz" makefile target to "check-fuzzer". It's purpose is to run the fuzzers are part of a normal "make check" to avoid bit rot, not to perform a fuzzer run. The fuzz_logsrvd_conf fuzzer was not wired up to "make check" previously. [01c03ccfd3f0] 2021-03-15 Todd C. Miller * .hgtags: Added tag SUDO_1_9_6p1 for changeset 055f2a618604 [5376bc9e3b85] <1.9> * Merge sudo 1.9.6p1 from tip [055f2a618604] [SUDO_1_9_6p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.6p1 [93d95d3f23b1] 2021-03-15 Alexandru Ardelean * plugins/sudoers/policy.c: plugins: sudoers: policy: add MODE_IMPLIED_SHELL to RUN_VALID_FLAGS Since this flag isn't set, the sudo_mode variable gets invalidated and running the 'sudo' command seems to error out with message 'sudoers_policy_check: invalid mode flags from sudo front end: 0x80001"' [b98b418f1997] 2021-03-13 Todd C. Miller * .hgtags: Added tag SUDO_1_9_6 for changeset e3e96490e48f [2e377fa2b87c] <1.9> * config.guess, config.sub: Merge sudo 1.9.6 from tip [e3e96490e48f] [SUDO_1_9_6] <1.9> * NEWS: fix typo [c7367647bd7c] 2021-03-10 Todd C. Miller * NEWS: Bug #968 [e08853fca88e] * MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_common.h, logsrvd/tls_init.c: Move common TLS initialization code to tls_init.c. [118c7d41ad48] * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, po/tr.mo, po/tr.po: Updated translations from translationproject.org [cbc05710d6ba] * plugins/sudoers/Makefile.in, plugins/sudoers/gram.c: Use HAVE_STDINT_H instead of trying to guess based on __STDC_VERSION__. Fixes compilation with pre-C99 headers when the compiler supports C99. [05ebf79d02c7] * include/sudo_compat.h, lib/util/secure_path.c: Remove compatibility defines for POSIX sys/stat.h macros. Modern systems have them and we no longer support pre-POSIX systems. This fixes potential redefinition of the macros if sys/stat.h is included after sudo_compat.h. Bug #968. [d10d0b9b60e1] * lib/eventlog/logwrap.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_io_multi.inc, src/get_pty.c: Quiet a few Solaris Studio compiler warnings. [1d82509f2e44] * configure, configure.ac: Add -Wno-unknown-pragmas along with -Wall. We don't want warnings about unknown pragmas in system headers. [ac15fa0e3d95] * scripts/pp: Solaris 11.4 removed /usr/bin/optisa, use /usr/bin/isainfo instead. [97d8bb91cf02] 2021-03-08 Todd C. Miller * configure, configure.ac: Compare OS name against freebsd* and netbsd* not freebsd and netbsd. Fixes an issue on NetBSD where host_os starts with netbsdelf. [2e813d52a7d6] * plugins/sudoers/Makefile.in: Add @SUDOERS_LIBS@ to FUZZ_LIBS for -lutil on FreeBSD and NetBSD [38a7b3a9eb90] * lib/util/Makefile.in, plugins/python/Makefile.in, src/Makefile.in: Set locale for all "make check" targets. [1a80048486d4] 2021-03-07 Todd C. Miller * configure, configure.ac: AIX 6.1 may have a broken fmemopen(). We only use it for the fuzzers so ignore it for AIX < 7.1. [ad909c1479ff] 2021-03-06 Todd C. Miller * scripts/pp: Only put specific directories in the ROOT section of the AIX package. Previously, /usr and /opt were placed in USR and everything else went in ROOT. Now, only /dev, /etc, /sbin and /var go in ROOT. [6f1fbe8fea31] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [53c17c8d56e9] 2021-03-05 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c: Remove unused tls parameter, we now use a per-address tls flag. [2be727a37b9c] 2021-03-03 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document double escaping of backslashes. Bug #961. [ae51e4899555] * NEWS, configure, configure.ac: No longer need to define _DARWIN_UNLIMITED_GETGROUPS on macOS. We now define _DARWIN_C_SOURCE which accomplishes the same thing. [c233df4c1ae4] * plugins/sudoers/auth/pam.c: Fix a potential use-after-free in conversation function. The prompt passed in to sudo_pam_verify() will be freed later by check_user_interactive() so we need to reset the stashed value. From Pavel Heimlich. Bug #967. [86bc6ee3c493] * plugins/sudoers/pwutil.c: No need to update cp after storing gr->gr_name, it is not used, Coverity CID 219314 [27bace364dc9] 2021-03-02 Todd C. Miller * NEWS: Mention GitHub issue #56. [47b8b9fac52b] * plugins/sudoers/po/sudoers.pot: regen [923899bcc63d] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h: Log peer address in sudo_logsrvd JSON-format logs. The peer that connected to us might not be the same host where the log entry originated. [4e2488efaf97] * NEWS, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c: Make "group_source=dynamic" the default on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946. [491720b06a68] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: For regess/fuzz set LC_ALL to C.UTF-8 if possible, falling back on C. Works around a crash in leak sanitizer when the locale is set to C and TLS support is enabled. [4345912b9bd8] 2021-03-01 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Initialize the lbuf used by sudoers_trace_print() in init_lexer(). Free the old buffer if there is one, otherwise it would never be freed. [1893ecc06718] * lib/util/lbuf.c: In sudo_lbuf_destroy(), reset error, len and size. [7a6f980c2215] * NEWS: Mention the integer overflow check in store_timespec(). [f41519e1dae9] * plugins/sudoers/regress/fuzz/fuzz_policy.c: In find_path() stub only make a copy in outfile if returning FOUND. Fixed a recently-introduced memory leak in the fuzzer. [2045b1afc0b5] 2021-02-28 Todd C. Miller * lib/util/sudo_debug.c: Disable debug code for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION It will not be used and just confuses the coverage stats. [3307c855b77d] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Expand stub getaddrinfo() to resolve "localhost". [e1035616ad99] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Improve fuzz_policy coverage and set defaults in setdefs not parse. Now exercises session open/close and set additional defaults to exercise more code paths. [2843a0b930fd] * plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c: Improve SUDOERS_NAME_MATCH support. Now supports digests and performs better directory matching. [2f2d63596256] * plugins/sudoers/policy.c: Add MODE_CHECK to LIST_VALID_FLAGS, fixes "sudo -l command". [eff4cbe95d75] 2021-02-26 Todd C. Miller * MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_clearerr.c, lib/iolog/iolog_close.c, lib/iolog/iolog_eof.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_gets.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_mkpath.c, lib/iolog/iolog_nextid.c, lib/iolog/iolog_open.c, lib/iolog/iolog_openat.c, lib/iolog/iolog_read.c, lib/iolog/iolog_seek.c, lib/iolog/iolog_swapids.c, lib/iolog/iolog_util.c, lib/iolog/iolog_write.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, logsrvd/iolog_writer.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Split iolog_fileio.c into multiple files. [9b7c4f1b781f] * plugins/sudoers/defaults.c: Correct the integer overflow check in store_timespec(). Fixes oss- fuzz issue #31463 [3765d5c4ecd3] * plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok: Update file that was missed in test27 changes. [5824f54afa88] * MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c: Break out I/O log config handling into iolog_conf.c. [546f503f9bb4] * lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: regen Makefile.in [43c54f94e9c8] * examples/Makefile.in, lib/eventlog/Makefile.in, plugins/sudoers/Makefile.in: Add some missing files to the clean target [20754fec5ff1] * plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok: Add netgroup check to sudoers test27 [1b45a6794b2d] * plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok: Sync with fuzz_sudoers changes. [1481cef048ad] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Fuzz with runuser and rungroup specified too. [2d8ceb465cea] * MANIFEST, plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok: Add test to exercise RunasSpec without a RunasUser. [ee22ac488aca] * MANIFEST, plugins/sudoers/regress/sudoers/test22.sudo.ok, plugins/sudoers/regress/sudoers/test23.sudo.ok, plugins/sudoers/regress/sudoers/test24.sudo.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok: Remove unused regress files. [71d943734bb8] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Don't try to run getters if we failed to parse the config file. [734bb56c24ed] 2021-02-25 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_policy.c: Add a stub getaddrinfo(3) to avoid a DNS timeout in CIfuzz. [5f725de1e3ad] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Fix runchroot, runcwd, tty_tickets. Add timestampowner. [d8a945bea98d] * plugins/sudoers/policy.c: Only add command_info to garbage collector on successful return. Otherwise it will be freed on failure. [c3d0461efaa1] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Add user millert to group sudo, which is often the exempt group. [fac833a2cf3b] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Add some defaults settings in sudo_file_parse(). We don't have a real policy file but we still want to exercise callbacks in sudoers.c. [9f3d3f668973] * plugins/sudoers/sudoers.c: Do not free sudo_user.iolog_{file,path} in sudo_user_free(). They are not dynamically allocated. [59c102ba67cf] * lib/iolog/regress/fuzz/fuzz_iolog_timing.c: Remove unnecessary warnings, we want to fail silently. [4b1ee5dd2cb4] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: No longer need to stub out eventlog config functions. [08c40b6a63c9] * MANIFEST, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Call public getters in logsrvd.conf fuzzer and add to corpus. Now exercises the syslog config erorr path. [0b314e4e0696] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Add more passes to policy fuzzer Now execises list, list other user and show_version. [21a1cc9665ec] * plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Implement sudoers_policy_deregister_hooks() Register/deregister hooks in fuzz_policy and also call show_version(). [8849644a75de] * plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Add sudoers debug register/deregister. [5fba9b19c6fa] * plugins/sudoers/defaults.c: Remove unnecessary break statement. [aa18c2957f82] * plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok: Include a sha384 digest in the test corpus. [6c405febff10] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Parse sudoers file in the C locale. [82d6afbe499b] * MANIFEST, plugins/sudoers/regress/sudoers/test26.in, plugins/sudoers/regress/sudoers/test26.json.ok, plugins/sudoers/regress/sudoers/test26.ldif.ok, plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test26.out.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok, plugins/sudoers/regress/sudoers/test26.toke.ok: Add regress test with all current Defaults settings. Currently skips SELinux and Solaris privilege settings. [79e82a58ccde] 2021-02-24 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c: Move env hooks into sudoers_hooks.c. [7296d05b9206] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: No need to call check_defaults() and check_aliases() in quiet mode. [0d0f93849388] * plugins/sudoers/gc.c: sudoers_gc_init() is not currently used [e74d2870ae25] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c: Split fmtsudoers.c into the parts used by sudoers plugin and cvtsudoers. Only testsudoers and cvtsudoers use the full set of formatting functions. [8c57e80ae655] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Check defaults settings too. [7dc7d66f47e7] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Add fuzzer-specific stubs source file. [815c28958d42] * Makefile.in: Do not overwrite existing ChangeLog file if there is no hg/git dir. We don't want "make install" from a source tarball to nuke the ChangeLog. [f7aba6a01d85] * lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: Remove fuzzer targets in "make clean" [25b068bc254b] * .gitignore, .hgignore: Ignore fuzzer targets [d920254ce731] * lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Set program name in fuzzers so we get consisten warnings. [1ee4b5478d1c] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c: Use real eventlog config fuctions instead of stubs. [eed6fc4df1f6] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c: Move iolog info log writing to iolog_loginfo.c [292915dae440] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_loginfo.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/iolog/regress/iolog_util/check_iolog_util.c: Split iolog_util.c into iolog_loginfo.c and iolog_timing.c. Also rename check_iolog_util -> check_iolog_timing. [5b5249e4aa96] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_legacy.c, lib/iolog/iolog_util.c: Move legacy I/O log info file parsing to iolog_legacy.c [94b767bb56c7] * MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c: Move eventlog config code into eventlog_conf.c [656d65215e50] * MANIFEST, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c: Move eventlog_free() into its own file. [a5ff36ac0ebb] * logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Stub out eventlog and iolog configuration setters. [cc32ba7436cd] * MANIFEST, plugins/sudoers/defaults.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok: Update Defaults settings after parsing sudoers. Also stub out dump_defaults when fuzzing as it is not used. [fa1e7c7b42c2] * plugins/sudoers/Makefile.in, plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/base64.c: Split base64 encode/decode functions into separate source files. They are independent functions. [ab0904c5122c] * plugins/sudoers/regress/fuzz/fuzz_policy.c: fuzz_printf and fuzz_conversation can be stubs. [9b11c9a3f3c3] 2021-02-23 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Exercise tilde expansion if used in runcwd or runchroot. [a6f0995c6a55] * plugins/sudoers/check_aliases.c: Move alias checking code out of visudo.c and into check_aliases.c. [5c0a91978441] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Check aliases in fuzz_sudoers if the policy parsed correctly. [b272e634f204] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/sudoers/visudo.c: Move alias checking code out of visudo.c and into check_aliases.c. [b9c23c958935] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: We don't need to link fuzz_sudoers with file.c. [4fcd15e8cdcf] * lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict: Strings in dictionary files need to be quoted. [8a95ea335d2d] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/Makefile.in, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict: Add dictionary files for fuzzers where possible. [4d9147fd50fd] 2021-02-22 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Also free safe_cmnd so it doesn't leak. [5071a1ffa5d0] * plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c: Return NOT_FOUND from the set_cmnd_path() stub since we don't set user_cmnd. The purpose of set_cmnd_path() is to reset user_cmnd based on a new runchroot. For the stub version we don't modify user_cmnd and so must not return a status of FOUND. Fixes oss-fuzz issue #31250 which only affected the fuzzer and not sudo. [36fe416668df] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok: Fix fuzz_sudoers output matching. [6cec1e5aa799] * lib/fuzzstub/fuzzstub.c: Print "running" and "executed" lines to stderr like libfuzzer does. [b76b7a4a6ff3] * plugins/sudoers/pwutil_impl.c: Support passing sudo_make_gidlist_item() an array of gids. The gids are formatted as strings, not gid_t. [d1608f63ae91] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok: Prime user/group cached and set the interface list. Also match parsed policy against multiple users. [ec19b5658a2a] * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.h: Add sudo_mkgrent(), to be used to prime the group cache in tests/fuzzers. [333f0887abbc] 2021-02-21 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Perform matching in fuzz_sudoers for inputs that parse correctly. The fuzzer now exercised the normal match code as well as the pseudo-command (list, validate, etc) match code. Privileges are also listed for well-formed sudoers file. [8caf505d7341] * plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h: Add back SUDOERS_NAME_MATCH and enable it when fuzzing. This avoids the test environment from influencing sudoers matching. [496b3a7184a8] * plugins/sudoers/match_command.c: Add missing globfree(3) in command_matches_glob() when matching a directory. [1d6d28d6eb61] 2021-02-19 Todd C. Miller * lib/util/sudo_dso.c: Add support on AIX for loading plugins that are .a (not .so) files. It is possible to specify the member name in parens after the path, e.g. sudoers.a(shr.o) for 32-bit or sudoers.a(shr_64.o) for 64-bit. If no member is specified in the path and dlopen() fails with ENOEXEC, try again with an explicit member, either shr.o or shr_64.o. [90d975989148] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add clean rules to .PHONY target. [dea3468f3f7b] 2021-02-18 Todd C. Miller * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add install-fuzz Makefile target to install the fuzzers and seed corpus. The FUZZ_DESTDIR make variable needs to be set in the environment or on the command line. [89c4dc1e8cb0] * plugins/sudoers/Makefile.in: Only display fuzz_policy output if the fuzzer exits with an error. [c6927227be4a] * plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/fuzz/fuzz_policy.c: Call list, validate and invalidate entry points too. We need a separate open/close for each one. [fbbc5bdb4541] * INSTALL, configure, configure.ac: Add --disable-ssp configure option. This allows for disabling -fstack-protector without turning off the other hardening options. [1d9ca18e4fa9] * lib/util/regress/getdelim/getdelim_test.c: Test the error case by closing the underlying fd. Note that we don't use ferror() here since our getdelim() has no way to set the error flag if there is a memory allocation error. [df0464968e2c] * lib/util/regress/getdelim/getdelim_test.c: Test the case where getdelim() must reallocate the buffer. Reproduces Bug #960. [df4dbc0830be] * lib/eventlog/eventlog.c: When logging JSON to syslog, wrap the contents in a "sudo" object. This makes it easier for log parsers to identify what is a sudo log entry. [2c96aeaabc8e] * plugins/sudoers/regress/fuzz/fuzz_policy.c: Restore the check for sudoers_policy.close == NULL. The fuzzers run as part of "make check" too in which case NO_LEAKS won't be defined and the close function will be set to NULL. [8418ff5f6dfb] * lib/iolog/iolog_json.c: Use %td when printing the difference of two pointers. [608de9ab3902] * plugins/sudoers/parse.c: Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing. [4a04efbcbff9] * plugins/sudoers/sudoers.c: Fix compilation error on Solaris introduced with sudo_user_free(). [0ce4e0ac807e] 2021-02-17 Todd C. Miller * NEWS: Bug #960. [82303f217d8b] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Distinguish between EOF and error using feof(3), not ferror(3). Our getdelim(3) emulation won't set the error flag if the error is due to an allocation failure. This explains the premature EOF without error seen in Bug #960. [5a70875f92fa] * lib/util/getdelim.c: Reset end pointer when reallocing the line buffer in getdelim(). Fixes excessive memory allocations for long lines. Bug #960. [d6dd6893b38a] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in: Remove duplicated MALLOC_OPTIONS and MALLOC_CONF env variables. [2f7695aadad9] * lib/iolog/iolog_json.c: On parse error, display line and column instead of the offending line. [bbda04a5b05d] * logsrvd/Makefile.in, plugins/sudoers/Makefile.in: regen [20e093fd76f0] * NEWS, configure, configure.ac: Sudo 1.9.6 [1c76fe52426f] 2021-02-16 Todd C. Miller * lib/iolog/iolog_json.c, lib/iolog/iolog_util.c: Pass I/O log memory allocation errors up to the caller. [4777add71679] * INSTALL, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, pathnames.h.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/timestamp.c: Add admin_flag sudoers option and make --enable-admin-flag take a path. It is now possible to disable the Ubuntu admin flag in sudoers or change its location. GitHub issue #56 [d77c3876fa95] * plugins/sudoers/exptilde.c, plugins/sudoers/regress/exptilde/check_exptilde.c: Fix tilde expansion of paths with no user like ~/foo. The '/' separator was missing in the resulting path. [dbba61f76d6c] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c, plugins/sudoers/policy.c: Limit max_groups in sudo.conf to 1024. The max_groups setting should no longer be needed anyway. [aee7843e0c7d] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: In sudoers_policy_close() call sudoers_cleanup() instead of sudo_user_free(). If we didn't call sudoers_policy_main() due to an early error there may be more things to clean up. [683d69d84aa6] * plugins/sudoers/policy.c: Check for invalid flag combinations from front-end for all cases. The checks are now performed in the check_policy, list, validate and invalidate functions instead of as part of the open function. We can't perform the checks in open because we don't yet know what operation is going to be performed. [b09105b3bb42] * plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c: Always dynamically allocate user_cmnd, it is freed in sudo_user_free(). Instead of setting user_cmnd in the policy functions, always set argv. Calling sudoers_policy_main() with argc of 0 is no longer allowed. [820f1f4e5c44] * plugins/sudoers/policy.c: No need for sudoers_cleanup() in sudoers_policy_invalidate(). The sudoers close() function is now called even for "sudo -k". Also no need to set user_cmnd, it is not used in this code path. [c2c9832c32f4] 2021-02-15 Todd C. Miller * MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd_conf.c, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c: Add simple fuzzer for sudo_logsrvd.conf parser. [8b5cd9e24656] * lib/iolog/regress/fuzz/fuzz_iolog_timing.c: Fix unlinking of timing temp file. [8b0ce6d777c8] * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in: Set MALLOC_OPTIONS and MALLOC_CONF for all regress targets. [47e8b85d1d9a] * MANIFEST, lib/util/Makefile.in, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.c: Add simple fuzzer for sudo.conf parser. [8a530402f936] * plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Free struct sudo_user in sudoers_policy_close() and sudoers_cleanup(). Also, do not NULL out the close function if NO_LEAKS is defined. [f3fbf78e6e41] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/log_legacy/printenv.log, plugins/sudoers/Makefile.in: For "make fuzz" only fuzz the seed corpus. This way we avoid files generated by the fuzzer itself. [42ace1dec313] 2021-02-14 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/gc.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Fix sudoers garbage collection and run it in policy fuzzer. [c0d572fd9921] * .github/workflows/main.yml: Rename master -> main [57000edd1aff] * plugins/sudoers/policy.c: Do not include errno string for invalid params from front-end. [2d0b55b3041f] * plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c: Always dynamically allocate user_role, user_type, user_privs, user_limitprivs [f5992824219d] * plugins/sudoers/policy.c: Remove dead code, front-end does not set runas_privs or runas_limitprivs [6ce3da323452] * plugins/sudoers/iolog.c: Plug memory leak if there are duplicate user_info or command_info entries. [21865246a4dc] 2021-02-13 Todd C. Miller * .github/workflows/main.yml: Add CIFuzz workflow to run fuzzers on push or PR. https://google.github.io/oss-fuzz/getting-started/continuous- integration/ [47f1c8015ec5] * plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Move create_admin_success_flag() to timestamp.c. [0675f230288c] * configure, configure.ac: Error out if fuzzer/sanitizer enabled but not supported by the compiler. [289afba93f79] * plugins/sudoers/regress/fuzz/fuzz_policy.c: The push() function was not updating the size after reallocating. [e089aaeee3b2] * plugins/sudoers/pwutil_impl.c, src/sudo.c: If sudo_getgrouplist2() returns -1, clamp ngroups based on max_groups. The ngroups parameter is an out parameter that is filled in with the actual number of groups, which may be less than the static number allocated when max_groups is set in sudo.conf. Fixes a potential out of bounds read found by LLVM libFuzzer. [a26461ccf891] 2021-02-12 Todd C. Miller * plugins/sudoers/policy.c: Reset sudoers path, owner and mode before parsing plugin arguments. This is only needed when calling sudoers_policy_deserialize_info() more than once, which is true for the policy fuzzer. [a25a6210f48c] * plugins/sudoers/sudoers.c: Cleanup sudoers sources on denial and error too. [454b7adcfa21] * plugins/sudoers/pwutil.c: Fix sudo_getgrgid reference count bug when gid doesn't exist. This one was missed when the other user/group lookup functions were fixed. [20e3fad6768b] * plugins/sudoers/policy.c: Plug memory leak if there are duplicate user_info entries. [b8ddcfa0a051] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c: Fuzz sudoers policy module API. Includes a test case to reproduce CVE-2021-3156. [576d065759cf] * lib/iolog/Makefile.in, plugins/sudoers/Makefile.in: Make fuzz targets depend on fuzzer stub library. We really want a dependency on $(LIB_FUZZING_ENGINE) but that could be a flag like "-fsanitize=fuzzer" instead of a path. [0963418f1cf9] * lib/util/Makefile.in: regen [dd872eceb19e] * MANIFEST, plugins/sudoers/Makefile.in: Move audit.c from libparsesudoers to the sudoers module itself. Now that audit.c contains the audit module it doesn't belong in libparsesudoers. [3df4f6e10f54] * configure, configure.ac: Do not pass AX_APPEND_FLAG more than a single flag. GitHub issue #92 [ed9ccdd41231] 2021-02-10 Todd C. Miller * lib/eventlog/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: Fix up some .la file library dependencies. libsudo_iolog.la already depends on libsudo_util.la and libsudo_eventlog.la so we don't need to list those explicitly when libsudo_iolog.la is listed. [d8b55cf698b5] * lib/eventlog/eventlog.c, lib/util/Makefile.in, lib/util/progname.c, lib/util/regress/progname/progname_test.c, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/audit.c, plugins/sudoers/find_path.c, plugins/sudoers/iolog.c, plugins/sudoers/match_command.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sudo_edit.c, src/sudo_noexec.c: Use sudo_basename() instead of doing the equivalent manually. [67e2b5d68a73] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/basename.c, lib/util/util.exp.in: Add a GNU-compatible version of basename(3). Unlike POSIX basename(3), the GNU variant does not modify its argument. Note that basename of a path ending in "/" returns an empty string. [693e1d39718a] 2021-02-09 Todd C. Miller * lib/iolog/iolog_fileio.c: feof(3) returns non-zero at EOF, not necessarily 1. On Illumos at least it returns a value other than 1. [fc2242fe7c6e] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Portable workaround for getdelim(3) implementations modify buf on EOF. We should assume that the contents of buf are undefined when getdelim(3) returns -1. We now peek ahead one char and skip the getdelim(3) call if EOF is detected. This will preserve the original value of the last line. [1e353f05a0fa] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Some getdelim(3) implementations write a NUL to the buffer on EOF. AIX and Illumos appear to have this behavior. We now preserve the first character of the buffer on EOF to work around this. Fixes reporting of syntax errors on the last line of a file. [22611c14c1d1] * plugins/sudoers/Makefile.in: Fuzz the example sudoers file, not the default one. The default sudoers uses @includedir which can result in different output, depending on the permissions of /etc/sudoers.d. [1b325a1d0e0a] * configure, configure.ac: illumos has a broken fmemopen(3), don't use it. [d297ee0339e6] 2021-02-08 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_compat.h: Add configure check for SSIZE_MAX [ca7699154705] * lib/iolog/iolog_json.c: Suppress PVS Studio false positives. [6d8fcec047e5] * src/sesh.c: Silence a clang analyzer false positive. [8bc3e89f6fbb] * plugins/sudoers/toke_util.c: Silence a clang analyzer false positive. [2489166fc372] * lib/fuzzstub/fuzzstub.c: Fix CID 217123, size check always false on 64-bit systems. [3c018b5d43a8] * plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Make open_sudoers() always return NULL like fuzz_sudoers.c [042de90307ae] * plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test5.toke.ok, plugins/sudoers/regress/sudoers/test7.toke.ok, plugins/sudoers/regress/sudoers/test8.toke.ok: Update *.toke.ok now that lexer doesn't call sudoerserror() itself. [d60c0d33b5b4] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: The lexer now sets an error string before returning ERROR. The parser will use that when reporting on an ERROR state. This prevents the lexer from reporting errors about tokens that are not actually consumed by the parser and we don't have to worry about both the lexer and the parser reporting errors. It also means we only get one error per sudoers line. [7ffb0d28862f] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Go back to storing the last error file/line in sudoerserrorf(). This is still the best way to avoid displaying more than one error per line. [21da59d69c5f] * configure, configure.ac: Add -fsanitize=fuzzer-no-link to ASAN_LDFLAGS too, not just ASAN_CFLAGS. [d3c719c72d79] * MANIFEST, Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/system_group/Makefile.in, src/Makefile.in: Add fuzz Makefile target and run fuzzer corpus in make check. [a66085f05dea] 2021-02-07 Todd C. Miller * MANIFEST, Makefile.in, configure, configure.ac, lib/fuzzstub/Makefile.in, lib/fuzzstub/fuzzstub.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Add stub library that just feeds files to the fuzzing target. This will allow the fuzzers to be run as part of "make check". [aa8fda20c3f8] * scripts/mkpkg: Append to CFLAGS and LDFLAGS instead of overriding them when adding -m64. [d02cf3c28198] * config.h.in, configure, configure.ac, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Fall back to a temp file if fmemopen() is not available(). [87f804b98c18] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Add missing return statement when NO_LEAKS is not defined. [25b8e1041b62] * lib/eventlog/Makefile.in: Remove remnants of liblogsrv. [5030114bb12f] * INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in: Add --enable-fuzzer-linker and --enable-fuzzer-engine options. These will allow the fuzzers to be built as part of oss-fuzz. [c3176bd8b95b] 2021-02-06 Todd C. Miller * .gitignore, .hgignore: Sync ignore files. [ddf136d412f7] * plugins/sudoers/Makefile.in: Fix linking of sudoers fuzzers with static libsudo_util. [86d07a5a671d] * INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in: Add --enable-fuzzer option to use when building fuzzers [01e31362c2b0] * INSTALL, configure, configure.ac: Replace --enable-asan with --enable-sanitizer It is not possible to set the sanitizer flags at configure time. [115d869e1d55] 2021-02-06 Anton Bershanskiy <45960703+bershanskiy@users.noreply.github.com> * src/copy_file.c: Fix comment typo in src/copy_file.c [60dbf6da4712] 2021-02-06 Todd C. Miller * lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Build (but don't run) fuzzers as part of "make check". Uses a stub to make it possible to link w/o libfuzzer. The goal is to ensure the fuzzers are always buildable and avoid bit rot. [9186e252b8bf] * lib/iolog/Makefile.in, plugins/sudoers/Makefile.in: Add libsudo_eventlog.la as a dependency of libsudo_iolog.la No longer need to link against libsudo_eventlog.la in sudoers. [508097f86035] 2021-02-05 Todd C. Miller * MANIFEST, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4: Add more test files for fuzzers. [22256acfbe23] 2021-02-05 Daniel Milnes * doc/sudo.mdoc.in: Fix the typo in the mdoc [e0ad7f93e678] * doc/sudo.man.in: Fix a tiny typo in the Sudo manpage [d52c308677bf] 2021-02-04 Todd C. Miller * MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_timing.c: fuzzer for I/O log timing files [7b32f8eecfd6] * lib/iolog/iolog_json.c: In JSON, name/value pairs must be separated by a comma. Previously we didn't require the comma to be there. [bb70cecf6360] * lib/iolog/iolog_json.c: Detect integer overflow when converting JSON_ARRAY to string vector. Extremely unlikely to happen but better safe than sorry. [60a7a4d3a1d8] 2021-02-03 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Only strip double quotes from an include path if len >= 2. Found locally using libfuzzer/oss-fuzz. [274d0a05081b] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Don't allow the sudoers fuzzer to open include files. If we allow the fuzzer to choose include paths it will include random files in the file system. This leads to bug reports that cannot be reproduced. [b8ffce94f30a] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: If getdelim() returns a string with embedded NULs, truncate on first one. This should avoid some issues with the fuzzer. [e90e61d4bb0e] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Reallocate the buffer correctly when appending a newline. Fixes a potential buffer overflow introduced in the last commit. [50b0f77aed5f] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y: Don't free the alias name in alias_add() if the alias already exists. We need to be able to display it using alias_error(). Only free what we actually allocated in alias_add() on error and let the caller handle cleanup. Note that we cannot completely fill in the alias until it is inserted. Otherwise, we will have modified the file and members parameters even if there was an error. As a result, we have to remove those from the leak list after alias_add(), not before. [6a920646d7d1] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix NUL termination when parsing a sudoers file with no ending newline. oss-fuzz issue #30252 [5c75d8e15966] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: sudoersrestart() does not reset state to INITIAL, do it in init_lexer(). Fixes spurious errors from fuzz_sudoers, which calls the parser multiple times. [bf2c1c3b82e6] * plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Push lexer leak tracking down into check_fill.c. This lets us track things correctly when buffers are realloc()d. Rewrote fill() and append() to be more readable. [a1e61a4a7aad] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Use sudoersrestart() in fuzz_sudoers.c Since we run the parser multiple times we need to restart it each time. [64792d363f62] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Parser needs user_shost for the %h escape in @include expansion. Fixes oss-fuzz issue #30238 [b043e413be31] * INSTALL: The --disable-leaks option is not recommended for production use. [cb37a56f4e99] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Remove options from the leak list before freeing them. Should fix oss-fuzz issue #30236 [1ee6dac8c027] * MANIFEST, include/sudo_iolog.h, lib/iolog/iolog_util.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c: Add fuzzer for legacy I/O log info file. [3f4ed83660ca] * doc/Makefile.in, plugins/sudoers/Makefile.in: Fix uninstall target; there were missing line continuation chars. GitHub issue #87 [02cffb51c15c] 2021-02-02 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse_ldif.c: Don't close fp in sudoers_parse_ldif() The caller should be the one to handle this. [e8d830851379] * .gitignore, .hgignore: Update ignore files. [0c8245d8097c] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y: Got back to calling alias_free() on alias_add() failure. We now need to remove the name and members from the leak list *before* calling alias_add() since alias_add() will consume them for both success and failure. [65c95a84f8ca] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: close sudoersin, not fp, and reset it to be safe [f616d1c7c09a] * lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Add missing fclose(3) of fmemopen(3) stream; it does not modify the data. [9207901dcccd] * lib/iolog/iolog_json.c: Check for unexpected value after checking the name, not before. [6f973cc4378d] * lib/util/progname.c: Allow getprogname() to succeed as long as __progname is present. Also simplify the progname code so we only need a single implementation. [300a29bd117e] * lib/iolog/iolog_json.c: Fix potential leak of evlog->runuser. Also warn if we find an unexpected JSON type. [0ec615b3d4e0] 2021-02-01 Todd C. Miller * plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Parse into a local parse_tree and add missing cleanup. Since parsed_policy is for the sudoers parser we should declare our own. [c418d65e7bb4] * plugins/sudoers/regress/fuzz/fuzz_sudoers.c: Call init_parser() after parsing to clean up completely. [2063d26ab401] * MANIFEST, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test25.in, plugins/sudoers/regress/sudoers/test25.json.ok, plugins/sudoers/regress/sudoers/test25.ldif.ok, plugins/sudoers/regress/sudoers/test25.out.ok, plugins/sudoers/regress/sudoers/test25.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Plug a few more parser leaks. [c9478efdd65d] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Make parser_leak_remove(type, NULL) a no-op. [7699e99a028a] * MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c: Add initial fuzzers to be used by oss-fuzz. These are not yet hooked up to the sudo build. [5593a755f359] * plugins/sudoers/gc.c, plugins/sudoers/sudoers.h: Garbage collect unused gc_remove() function. [ff561edd846e] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh: The parser should be leak free, re-enable leak detection in ASAN. [a89599540a5a] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Add garbage collection to the sudoers parser to clean up on error. This makes it possible to avoid memory leaks when there is a parse error. [ef739da324bb] 2021-01-31 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h: Move new_member_all to ldap_util.c, it is only used by ldap/sssd. [9df2efb6956a] 2021-01-30 Todd C. Miller * lib/iolog/iolog_json.c: Fix crashes trying to parse invalid JSON. Found locally using libfuzzer/oss-fuzz. [b74c8c260d60] * lib/iolog/iolog_json.c: Plug memory leak if a key is listed more than once in the log.json file. [764ef247f13e] * lib/iolog/regress/iolog_json/check_iolog_json.c: Fix crash when file does not exist. [55a46b75e6ed] * plugins/sudoers/gentime.c: Strict tz offset parsing. Fixes an out of bounds read found locally using libfuzzer/oss-fuzz. [72266f1af75d] * plugins/sudoers/ldap_util.c: Don't leak memory for duplicate command options. The last option wins but we also now warn about the duplicate. Found locally using libfuzzer/oss-fuzz. [f1cd342e62f7] * plugins/sudoers/ldap_util.c: Copy command options when converting a sudoRole with multiple sudoCommands. A sudoRole with multiple sudoCommands is converted to a privilege with multiple cmndspecs. However, we were not copying some of the command options to subsequent cmndspecs in the list. [d8309574a756] * plugins/sudoers/parse_ldif.c: Fix memory leak if the last line is folded. Fixes issue 30080 by ClusterFuzz-External [404f38aa19a6] * INSTALL, configure, configure.ac: Add --disable-leaks configure option. This enables the extra freeing of memory before exit also enabled by --enable-asan. To be used by oss-fuzz. [faddd42273a4] * plugins/sudoers/gentime.c: Stricter parsing of generalized time. Fixes potential out of bounds read found by libfuzzer/oss-fuzz. [4548e29ea5e0] 2021-01-29 Todd C. Miller * plugins/sudoers/parse_ldif.c: Don't bother calling ldif_to_sudoers() if there are no roles to convert. [242394d46fb1] * lib/iolog/iolog_json.c: In json_stack_push() treat stack exhaustion like memory allocation failure. Return NULL instead of treating as a fatal error. This should make life a little easier for oss-fuzz. [84c7c3b7971a] * plugins/sudoers/sudoers.c: Update comment about return values for resolve_host(). [0e92fe582db1] * plugins/sudoers/logging.c, plugins/sudoers/policy.c: Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4. init_eventlog_config() is called immediately after initializing the Defaults settings, which is before struct sudo_user is setup. This adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the invoking user is determined. Reported by Roman Fiedler. [e0d4f196ba02] 2021-01-28 Todd C. Miller * MANIFEST: Add plugins/sudoers/strvec_join.c [1dfeb8ab9fdb] * plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c: Fix compilation on systems without a native strlcpy() function. [7b28feb4350a] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Break up the long help string into multiple printf() statements. AIX xlc compiler doesn't like cpp directives in between strings. Also fixes a complaint from cppcheck and makes translation easier. [e55b4061f598] * plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.h: strvec_join: free result on error and actually use separator char [801546807a8a] 2021-01-27 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c: Test strvec_join() using strlcpy_unesc(). Emulates an overflow like: sudoedit -s '\' `perl -e 'print "A" x 65536'` [8d9a063adde5] * plugins/sudoers/Makefile.in, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Refactor code to flatten an argument vector into a string. This is used when building up the user_args string. [a6ae655d91a1] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add strlcpy_unescape() function to undo escaping from front-end. Includes unit test. [abfaa390d275] * plugins/sudoers/parse_ldif.c: Add missing check for reallocarray() failure. Found by OSS-Fuzz. [fcda06966ed7] 2021-01-26 Todd C. Miller * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_convmessage.c, plugins/python/sudo_python_module.c: Remove Py_SSIZE2SIZE to quiet cppcheck warnings. Tuple size cannot be negative and we already handle the case where it is zero. [d6ec5e558a0e] * src/parse_args.c: The program name may now only be "sudo" or "sudoedit". We no longer need to check for any string that ends in "edit". [caed524c6ba0] 2021-01-23 Todd C. Miller * .hgtags: Added tag SUDO_1_9_5p2 for changeset 83685ffbc4df [74a2ddc3e4a4] <1.9> * Merge sudo 1.9.5p2 from tip [83685ffbc4df] [SUDO_1_9_5p2] <1.9> * plugins/sudoers/timestamp.c: Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL. We want to zero the struct starting at flags, not type (which was just set). Found by Qualys. [09f98816fc89] * src/parse_args.c: Don't assume that argv is allocated as a single flat buffer. While this is how the kernel behaves it is not a portable assumption. The assumption may also be violated if getopt_long(3) permutes arguments. Found by Qualys. [c125fbe68783] * NEWS, configure, configure.ac: Sudo 1.9.5p2 [89a357d8da4e] * src/parse_args.c: Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. This is consistent with how the -e option is handled. Also reject -H and -P flags for sudoedit as was done in sudo 1.7. Found by Qualys, this is part of the fix for CVE-2021-3156. [9b97f1787804] * plugins/sudoers/policy.c: Add sudoedit flag checks in plugin that are consistent with front- end. Don't assume the sudo front-end is sending reasonable mode flags. These checks need to be kept consistent between the sudo front-end and the sudoers plugin. [a97dc92eae6b] * plugins/sudoers/sudoers.c: Fix potential buffer overflow when unescaping backslashes in user_args. Also, do not try to unescaping backslashes unless in run mode *and* we are running the command via a shell. Found by Qualys, this fixes CVE-2021-3156. [049ad90590be] 2021-01-22 Fabrice Fontaine * lib/eventlog/Makefile.in: lib/eventlog/Makefile.in: fix static build without closefrom Since version 1.9.4 and https://github.com/sudo- project/sudo/commit/bd1ca79cca827a92e904f022e49df121931d4ff5, when closefrom is not available, libsudo_eventlog.a depends on libsudo_util.a. So reflect this dependency in the libtool file to avoid the following static build failure of logsrvd: /bin/bash ../libtool --tag=disable-static --mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,--enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la /bin/bash ../libtool --tag=disable-static --mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_sendlog logsrv_util.o sendlog.o -static -Wl,-- enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la libtool: link: /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,--enable-new-dtags -Wl,-z -Wl,relro ../lib/iolog/.libs/libsudo_iolog.a /home/buildroot/autobuild/instanc e-1/output-1/build/sudo-1.9.5p1/lib/util/.libs/libsudo_util.a -lpthread -lz ../lib/eventlog/.libs/libsudo_eventlog.a ../lib/logsrv/.libs/liblogsrv.a /home/buildroot/autobuild/instance-1/output-1/host/opt/ext- toolchain/bin/../lib/gcc/powerpc-buildroot-linux- uclibc/8.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: ../lib/eventlog/.libs/libsudo_eventlog.a(eventlog.o): in function `send_mail.constprop.1': eventlog.c:(.text+0x149c): undefined reference to `sudo_closefrom' collect2: error: ld returned 1 exit status Fixes: - http://autobuild.buildroot.org/results/515b45f876fa9de03c9235f86017f 4dc10eb3b54 Signed-off-by: Fabrice Fontaine [4e42d276c336] 2021-01-21 Todd C. Miller * plugins/sudoers/log_client.c: Do not add an unfinished write buffer to the queue if it is already present. In client_msg_cb() we only remove a buffer from the queue when it is finished. Inserting the buf again can cause a cycle in the queue. [b398dcc0933d] 2021-01-20 Todd C. Miller * plugins/sudoers/log_client.c: Fix problem when SSL_read() returns SSL_ERROR_WANT_WRITE. This can happen when the socket cannot be written to immediately. We need to set the read_instead_of_write flag in that case, _not_ write_instead_of_read. Also sync comments with sendlog.c. Bug #954 [e4239bb932aa] 2021-01-18 Pavel Březina * plugins/sudoers/auth/pam.c: pam: pass KRB5CCNAME to pam_authenticate environment if available If a PAM module wants to authenticate user using GSSAPI, the authentication is broken if non-default ccache name is used in KRB5CCNAME environment variable. One way to mitigate this would be to add this to env_keep, but this also makes the variable available in the executed command which may not be always desirable. This patch sets KRB5CCNAME for pam_authenticate only, if it is available and not yet set. [90aba6ba6e03] 2021-01-15 Todd C. Miller * lib/util/progname.c: Fix setprogname() emulation on systems without it. For fully- qualified paths, store the string starting after the last slash, not at the slash itself. [111fde52d116] 2021-01-11 Todd C. Miller * .hgtags: Added tag SUDO_1_9_5p1 for changeset 3a873a732416 [e837c76279bc] <1.9> * Merge sudo 1.9.5p1 from tip [3a873a732416] [SUDO_1_9_5p1] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.5p1 [2dbbab94d4b6] * src/sudo_edit.c: Run the editor with the user's real and effective uid and gid. Fixes a bug introduced in sudo 1.9.5 where the editor was run setuid root unless SELinux RBAC was in use. [30fe53c07aa7] * NEWS: fix typo [52e7767881ba] * src/copy_file.c, src/edit_open.c: Add casts to quiet two warnings on Solaris. [f76126f6d68d] 2021-01-09 Todd C. Miller * .hgtags: Added tag SUDO_1_9_5 for changeset 4059f5520d9d [ee76c8a938de] <1.9> * Merge sudo 1.9.5 from tip [4059f5520d9d] [SUDO_1_9_5] <1.9> * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.5. [49dae07bda23] 2021-01-08 Todd C. Miller * NEWS, configure, configure.ac, doc/LICENSE, etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Sudo 1.9.5 [3a0e500981a8] * doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c: Allow SELinux support to be disabled via the sudoers file. Defaults to true if sudo is built with SELinux support and SELinux is not disabled on the system. [c457eaae8692] 2021-01-06 Todd C. Miller * plugins/python/python_importblocker.c: Add a comment to verify_import() to clarify its purpose. [30ef680f4104] * lib/eventlog/eventlog.c, lib/util/arc4random.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/sudoers/auth/pam.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/exec_common.c, src/sesh.c, src/sudo.c, src/sudo_edit.c: Suppress PVS Studio false positives. [077f46549351] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Plug a memory leak in sudoerserrorf(). [a3c14cf0283e] * plugins/sudoers/editor.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/starttime.c, plugins/sudoers/tsgetgrpw.c, src/ttyname.c: Quiet a few harmless cppcheck warnings. [ab123790b3fd] * src/copy_file.c, src/sudo_edit.c: In sudoedit, use sudo_check_temp_file() for non-SELinux too. [b5d5bd506487] * MANIFEST, src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h, src/sudo_exec.h: Move safe open code out of sudo_edit.c and into edit_open.c. [108fcca05798] * src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h: Add directory writability checks for SELinux RBAC sudoedit. These were never added to the SELinux RBAC path. [0d4f28b5a8e2] * src/edit_open.c, src/exec.c, src/exec_pty.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_edit.h, src/tgetpass.c: Add struct sudo_cred to hold the invoking or runas user credentials. We can use this when we need to pass around credential info instead of the user_details and command_details structs. [20594f3f00c1] * src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h: Rename run_cred -> cur_cred and stash existing creds in set_tmpdir(). For sudo_edit_open() et al what we need is a copy of the current cred to restore after dir_is_writable() changes to the user cred. [dcfce8a11282] * configure, configure.ac, include/sudo_compat.h, lib/util/progname.c: Add setprogname(3) for those without it. [e2f1d1ecedb0] * src/sesh.c, src/sudo_edit.c: Split up sesh_sudoedit() so it is organized more like sudo_edit.c. The new sesh_edit_create_tfiles() and sesh_edit_copy_tfiles() functions are analogous to sudo_edit_create_tfiles() and sudo_edit_copy_tfiles(). Also use "sudoedit" in the warning/error messages from sesh_sudoedit(). Otherwise, the user gets a mix of messages from sudoedit and sesh. [5510be4b2129] * Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Remove the --force option from the cppcheck args, it causes errors. [57f2ad72e874] * include/sudo_util.h, lib/util/progname.c, lib/util/util.exp.in, src/sudo.c: For sudo, only allow "sudo" or "sudoedit" as the program name. The program name is also used when matching Debug lines in sudo.conf. We don't want the user to be able to influence sudo.conf Debug matching. The string "sudoedit" is treated the same as "sudo" in sudo.conf. Problem reported by Matthias Gerstner of SUSE. [1d32c53859f9] * lib/iolog/iolog_fileio.c, lib/util/sudo_debug.c, plugins/group_file/getgrent.c, plugins/sudoers/linux_audit.c, plugins/sudoers/tsgetgrpw.c: Check the return value of fcntl() when setting FD_CLOEXEC. This should never fail unless the fd is invalid. Problem reported by Matthias Gerstner of SUSE. [f1ca39a0d870] * src/sudo_edit.c: Fix potential directory existing info leak in sudoedit. When creating a new file, sudoedit checks to make sure the parent directory exists so it can provide the user with a sensible error message. However, this could be used to test for the existence of directories not normally accessible to the user by pointing to them with a symbolic link when the parent directory is controlled by the user. Problem reported by Matthias Gerstner of SUSE. [ea19d0073c02] * src/copy_file.c, src/sesh.c, src/sudo_edit.c, src/sudo_exec.h: Add security checks before using temp files for SELinux RBAC sudoedit. Otherwise, it may be possible for the user running sudoedit to replace the newly-created temporary files with a symbolic link and have sudoedit set the owner of an arbitrary file. Problem reported by Matthias Gerstner of SUSE. [8fcb36ef422a] * plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ko.mo, po/ko.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po: Updated translations from translationproject.org [e68c92c767f1] 2021-01-04 Todd C. Miller * plugins/sudoers/sudoers.c: Use debug_return_int() not debug_return_bool() to return -1. Found by PVS Studio. [f1f67ca51aeb] * plugins/sudoers/logging.c: Fix a crash introduced in 1.9.4 when running "sudo -i" as an unknown user. [d1a3f0f4d0f9] 2021-01-03 Todd C. Miller * plugins/sudoers/check.c: Make sure lecture file is a regular file before reading it. [c9c68eff1e45] 2021-01-02 Todd C. Miller * Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/group_file/plugin_test.c, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/system_group/Makefile.in, src/Makefile.in: Minor fixes pointed out by cppcheck. Also add compareBoolExpressionWithInt to suppression list. [52316819700e] * logsrvd/logsrvd.c: Avoid potential use after free with eventlog-only connections. Coverity CID 215884. [cca5cffabe42] * src/exec.c: Cannot do direct exec of a command when SELinux RBAC is enabled. [2706b0fc1451] * MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/pread.c, lib/util/pwrite.c, scripts/mkdep.pl: Add emulation of pread(3) and pwrite(3) for systems without them. This makes it possible to remove some ugly #ifdefs and only affects very old systems. [1c2a31bda598] * lib/iolog/iolog_fileio.c, plugins/sudoers/match_command.c, plugins/sudoers/timestamp.c: Remove #ifdefs around code using pread(3) and pwrite(3). [3830fdf650df] * plugins/sudoers/Makefile.in: Regen now that ldap.c and sssd.c no longer need gram.h [5cc4e107f301] 2020-12-30 Todd C. Miller * lib/util/fatal.c: Fix deregistration of a callback that is not at the head of the list. The SLIST_FOREACH_PREVPTR macro doesn't work the way I thought it did. Just store our own prev pointer and use that instead. [04c290fe1fcb] 2020-12-21 Todd C. Miller * src/net_ifs.c: Fix the buffer size parameter when serializing the interface list. Problem reported by Matthias Gerstner of SUSE. [b0cae3ac8e46] 2020-12-20 Todd C. Miller * .hgtags: Added tag SUDO_1_9_4p2 for changeset 8aed5221ede9 [a74faf363dbb] <1.9> * merge sudo 1.9.4p2 from tip [8aed5221ede9] [SUDO_1_9_4p2] <1.9> * NEWS, configure, configure.ac: Sudo 1.9.4p2 [8bb8ec358990] * plugins/sudoers/sudoers.c: The runas user must be set before applying runas-based Defaults. This effectively backs out changeset f738f5ac5350, which made it possible to log the command when an invalid user was specified. The policy plugin API doesn't supply the command until the check function, at which point we've already denied the command due to the invalid user. Bug #951. [8a415f555cf9] 2020-12-18 Todd C. Miller * etc/uncrustify-small.cfg, etc/uncrustify.cfg: Don't enable mod_remove_empty_return We like to use an empty return for stub functions. [018ef129dc24] 2020-12-16 Todd C. Miller * .hgtags: Added tag SUDO_1_9_4p1 for changeset 8f65fd9f0f57 [e27e424f9f56] <1.9> * merge sudo 1.9.4p1 from tip [8f65fd9f0f57] [SUDO_1_9_4p1] <1.9> * plugins/sudoers/policy.c: The lower bounds for the "closefrom" option is 3, not 4. This is a regression introduced in sudo 1.8.9 with the strtonum() conversion. Bug #950. [fb06603b9a12] 2020-12-15 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.9.4p1 [59c37ec1a128] 2020-12-11 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Direct execution of a command is incompatible with using a log server. [91afbbde217a] * plugins/sudoers/audit.c: Set sudoers_audit.close to NULL if not using a log server. [231abb92a3b2] 2020-12-08 Todd C. Miller * config.guess, config.h.in, config.sub, configure, configure.ac: Regenerate configure script with autoconf 2.71. Also fix some warnings from the new version. [cd1c7615e861] 2020-12-07 Todd C. Miller * config.h.in, configure, configure.ac, src/sudo.c: Define _DARWIN_UNLIMITED_GETGROUPS on macOS to suport > 16 groups. On macOS 10.6 and above, getgroups(2) can return more than NGROUPS_MAX if _DARWIN_UNLIMITED_GETGROUPS or _DARWIN_C_SOURCE is defined. Bug #946 [2e7d3c3cf18b] 2020-12-05 Todd C. Miller * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in: Comment out the default plugin lines in the example sudo.conf. Fixes a problem when there are multiple versions of sudo installed and not all suport the audit plugin, such as on macOS. GitHub issue #75 [aaed5d7a3471] * plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Store the user-provided runas user and group name in struct sudo_user. This makes it available for event logging in case the name doesn't resolve. [98d70ba8a2a6] * plugins/sudoers/logging.c: Log submit group to event log. [3e7ace99f7f8] * plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Store iolog_path in struct sudo_user for use in the event log. [35bc39ec8ad5] 2020-12-04 Todd C. Miller * plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: Defer lookup of runas user until sudoers_main() for better logging. The log message now includes user info and the command attempted. [f738f5ac5350] * lib/eventlog/eventlog.c: Don't assume that just because command is non-NULL, argv is non- NULL. [4fac4ae88e4e] * plugins/sudoers/logging.c: Fix a crash introduced in 1.9.4 when running command as an unknown user. Bug #948 [8b24c140ec7c] 2020-12-03 Todd C. Miller * logsrvd/logsrvd.c: When shutting down the server, close non-I/O log connections immediately. Avoids a timeout during server shutdown while the server waits for active connections to close. [26bfda2c8f67] * src/sudo.c: Audit errors from policy_init_session(), audit_accept(), and audit_reject(). [638e583754ac] * src/sudo.c: Do not run the command if the audit accept function fails. Also add warnings if the audit reject or error functions fail. [ca94ef438961] * plugins/sudoers/log_client.c: Reduce the number of error messages when we can't connect to the audit server. Add the error string to "unable to connect to log server" instead of using an extra error message for the connect(2) failure. [25ac7ac5bfdf] * plugins/sudoers/log_client.c: Use correct error message when the TLS connection is dropped. Was: "recv: Unknown error 0", now: "lost connection to log server". [5c3f319b1f75] 2020-12-02 Todd C. Miller * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Change alias_add() to return bool and set errno on failure. This fixes a localization problem where the error message could have been reported in the wrong locale. [1859fe3da40c] 2020-11-30 Todd C. Miller * lib/eventlog/eventlog.c: Fix build when configured using --without-sendmail Bug #947 [41db1aad85bb] 2020-11-29 Todd C. Miller * .hgtags: Added tag SUDO_1_9_4 for changeset 74705fb3b956 [45a5e742496e] <1.9> * merge sudo 1.9.4 from tip [74705fb3b956] [SUDO_1_9_4] <1.9> * plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/hr.mo, po/hr.po: Updated translations from translationproject.org [96a5cfe3c66b] 2020-11-24 Todd C. Miller * NEWS: sudo_logsrvd.conf pid_file change. [fdc0276c7e0e] * logsrvd/logsrvd.c: Don't try to unlink a NULL pointer. [95babad9636a] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c: If pid_file is set to an empty value, disable the use of a pid file. [d4462105ab4b] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c: Don't overwrite sudo_logsrvd.pid if it is a symbolic link. [d79f97a0a533] * INSTALL, configure, configure.ac, etc/codespell.exclude, plugins/sudoers/env.c: Fix typo detected by codespell 2.0.0 Also avoid some new false positives [d973f44e2396] 2020-11-23 Todd C. Miller * etc/uncrustify-small.cfg, etc/uncrustify.cfg, plugins/python/regress/testhelpers.h, plugins/sudoers/env.c, plugins/sudoers/sudo_ldap_conf.h: Set pp_ignore_define_body=false in uncrustify config. Need to work around a bug that produces closed brace errors, see https://github.com/uncrustify/uncrustify/issues/2569 [5e4692fca707] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po: Updated translations from translationproject.org [156162e6e07e] 2020-11-18 Todd C. Miller * lib/util/sudo_conf.c: Fix calling sudo_conf_read() multiple times with different conf_types. The change to reinitialize the configuration data when sudo_conf_read() is called again didn't take into account that sudo calls sudo_conf_read() twice--once for the debug info and once for everything else. [b6869b7da3c2] 2020-11-17 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Don't free the private copy of the environment until the close function. We may need to use it when logging from the audit reject function. [5118eb5797fb] * plugins/sudoers/log_client.c: It is possible for evlog->argv or evlog->envp to be NULL. [798ff96301bf] * src/exec_pty.c, src/sudo.c, src/sudo.h: Pass command_info[] to audit plugin on I/O log plugin reject or error. The audit plugin should cope with a NULL command_info but there's no reason not to pass the info when we have it. [e361897d0192] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/audit.c: For the audit plugin, command_info may be NULL. Fixes a NULL dereference in sudoers_audit when an I/O logging plugin rejects input/output or returns an error. [9abee774e7e1] * plugins/sudoers/defaults.c: Add missing initialization of def_log_format to sudo. [8c824f6dcfdd] 2020-11-16 Todd C. Miller * config.h.in, configure, configure.ac: Newer LibreSSL has SSL_CTX_set_ciphersuites but it is not enabled. Add a check for the function declaration in openssl/ssl.h. [d6d0665572ec] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Event log data is sent to sudo_logsrvd even when not I/O logging. [d720f4ad3d40] 2020-11-14 Todd C. Miller * plugins/sudoers/po/sudoers.pot: Regenerate sudoers.pot for 1.9.4 [127283726e97] * NEWS, configure, configure.ac: Update for sudo 1.9.4. [2cb747911aef] * plugins/sudoers/audit.c: Update struct eventlog based on command_info[] from front-end. The I/O log path is not known until the I/O log plugins have run and other plugins may alter the execution environment. [3ad14a88052e] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/logging.h, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/toke.h: Add sudoerserrorf(), a printf-style yyerror() function. Use this to display a better error message when using a reserved work in an alias definition. [1bb3915f61b6] 2020-11-13 Todd C. Miller * scripts/mkpkg: Build universal binaries on macOS 11.0 and higher. The resulting package should work on Macs based on Apple Silicon. [91cdeda79e66] 2020-11-12 Todd C. Miller * plugins/sudoers/editor.c: Support EDITOR environment variable that includes quotes. Quote support is limited to the beginning of a word. Also handles characters escaped with a backslash. [ebb7f3c6240c] 2020-11-11 Todd C. Miller * plugins/python/Makefile.in, plugins/python/pyhelpers.c, plugins/python/python_plugin_common.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@diag.log, plugins/python/regress/tes tdata/check_example_debugging_c_calls@info.log, plugins/python/regre ss/testdata/check_example_debugging_plugin@info.log, plugins/python/ regress/testdata/check_example_debugging_py_calls@diag.log, plugins/ python/regress/testdata/check_example_debugging_py_calls@info.log, p lugins/python/regress/testdata/check_example_group_plugin_is_able_to _debug.log, plugins/python/regress/testdata/check_example_io_plugin_ command_log.stored, plugins/python/regress/testdata/check_example_io _plugin_command_log_multiple1.stored, plugins/python/regress/testdat a/check_example_io_plugin_command_log_multiple2.stored, plugins/pyth on/regress/testdata/check_example_io_plugin_failed_to_start_command. stored, plugins/python/regress/testdata/check_example_io_plugin_fail s_with_python_backtrace.stderr, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log, plugins/python/regr ess/testdata/check_loading_fails_not_owned_by_root.stderr, plugins/p ython/regress/testdata/check_loading_fails_wrong_classname.stderr, p lugins/python/regress/testdata/check_loading_fails_wrong_path.stderr , plugins/python/regress/testdata/check_multiple_approval_plugin_and _arguments.stdout, plugins/python/regress/testdata/check_python_plug ins_do_not_affect_each_other.stdout, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: Back out regex use in python tests, filter the output instead. This makes it possible to regenerate the test output again. Also adds an update_test_data target to the Makefile. [3837f51a8072] * plugins/sudoers/ldap.c: Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED This is consistent with the pre-1.8.24 behavior. Bug #945 [d1e1bb5a6cc1] * src/sudo.c: Stay setuid until just before executing the command. Fixes a problem with pam_xauth which checks effective and real uids to get the real identity of the user. [2c6fef0107c8] 2020-11-10 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Introduce new_member_all() for code that doesn't include gram.h. The ldap and sssd back-ends no longer require gram.h which fixes a compilation issue with IBM LDAP. [1729532cda27] * lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd.c: On SIGHUP, deregister the old debug instance before registering a new one. Otherwise, if debugging is enabled we will get an extra log instance each time sudo_logsrvd reeives SIGHUP which results in duplicate lines in the debug log. [538633994d8a] 2020-11-09 Todd C. Miller * plugins/sudoers/log_client.c, plugins/sudoers/log_client.h: Refactor code to format the client message after the hello. [12d29d129166] * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/eventlog/eventlog.c, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, plugins/sudoers/log_client.c: Add info_msgs to AlertMessage and populate it. This lets us log eventlog info along with the alert if it is available. [493a047a4463] * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Use sudoers_to_eventlog() and init_log_details() in sudoers_audit_accept(). log_deserialize_info() can be private to iolog.c again. [0b4e03904f3d] * plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Log reject and alert messages to the log server if one is defined. [087cf87d10af] * plugins/sudoers/logging.c: Treat an authentication failure as a reject, not an alert. This matters when logging via sudo_logsrvd. It also lets us remove a special case in vlog_warning(). [ae489d3f20a8] * MANIFEST, config.h.in, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/sudoers.c: Rename iolog_client -> log_client. The logsrvd client code is now used for more than just I/O logging. [ea47ce43bbee] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h: Rename iolog_plugin.h to log_client.h. It is no longer I/O log specific and is used by sudoers_audit too. [cde784a59490] * configure, configure.ac: Remove hack to define YYTOKENTYPE, it breaks newer bison. [8b919ef33db7] * plugins/sudoers/gram.c, plugins/sudoers/gram.h: Regenerate with bison 3.7.3 [9fb81b933c43] * include/sudo_eventlog.h, lib/eventlog/eventlog.c: Use struct eventlog *evlog, not struct eventlog *details. [a9b5f3c2902f] 2020-11-06 Todd C. Miller * lib/eventlog/eventlog.c: For logsrvd AlertMessages, evlog will be NULL. [d048f7b429d5] * lib/eventlog/eventlog.c: Append errstr to reason for alert and reject events if specified. Previously, we logged the error string separately but this is not consistent with how it is logged in other formats. [68c76e530248] * plugins/sudoers/logging.c: Fix cut & pasto in debug subsystem. [c39dd60b6d2d] 2020-11-04 Todd C. Miller * plugins/sudoers/iolog_client.c: Refactor code to format InfoMesage array into fmt_info_messages(). Add free_info_messages() to free the array. [e6223d325c77] * plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Log accept messages in sudoers_audit if not I/O logging. [cdb5c443c97d] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Refactor sudoers_io_open_remote() into log_server_open(). Also rename client_close() to log_server_close(). This keeps more of the client code details out of iolog.c and will be used when logging accept messages from the audit plugin. [e3f6ba6768b8] * plugins/sudoers/iolog.c: Move argv and envp setting into iolog_deserialize_info(). [613b97f1d7bc] * logsrvd/logsrvd.c: Avoid early return in handle_accept() if expect_iobufs not set. [918adc8234f0] 2020-11-02 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c, src/load_plugins.c: Add event_alloc to the audit plugin API. The sudoers audit plugin will use this to communicate with sudo_logsrvd. [c2fc2911476b] * logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Set server_name before initiating TLS connection so verify function works. Fixes a crash in the SSL_VERIFY_PEER callback. Also call inet_ntop(3) with addr pointer, not sockaddr pointer so we get the correct IP address. [7a7dcebbe889] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/visudo.c: Store column number for aliases, defaults and userspecs too. This is used to provided the column number along with the line number in error messages. For aliases we store the column of the alias name, not the value since that is what visudo generally needs. [1c9d86b88517] 2020-11-01 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test13.out.ok: Display column number in parse error messages too. Bug #841 [0aea28dec8f2] * plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Move tls initialized flag into client_closure. We may call tls_init() from multiple places in the future so a static initialized flag will cause problems. [00b2b02c24c5] * plugins/sudoers/cvtsudoers_json.c: Fix -Wshadow warnings caused by json enum member. [ea336980bb6a] 2020-10-30 Todd C. Miller * ABOUT-NLS, INSTALL, NEWS, configure.ac, doc/UPGRADE, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/sudo.conf.in, include/compat/getaddrinfo.h, install-sh, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_parseln/test1.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, m4/sudo.m4, plugins/group_file/group_file.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog_client.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/load_plugins.c, src/sudo.c, src/sudo_noexec.c, src/tgetpass.c: Apply Google inclusive language guidelines. Also replace backwards with backward. [678fbce6054f] 2020-10-29 Todd C. Miller * doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Refernce IBM LDAP libs, not Tivoli since that is how it is packaged. We still use Tivoli when talking about the server itself but refer to it as the "IBM Tivoli Directory Server". [9f97a7e6b67a] * doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Add a newline before "This option is ..." [853f819f0241] * doc/sudoers.man.in: regen [8b29097f2cd1] 2020-10-28 Todd C. Miller * lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok: Test eventlog_writeln() when word wrap is disabled. [73acb7fbef59] * configure, configure.ac: Bison generates an extra enum containing the parser tokens. This conflicts with the IBM ldap.h at least. Prevent it from being exposed by defining YYTOKENTYPE. [f3445ad76687] * configure, configure.ac: IBM LDAP packages use a lib64 directory for 64-bit libraries. We need to add this to LDFLAGS so the linker is able to find the correct libs when building 64-bit binaries. [701b83f6cd13] * config.h.in, configure, configure.ac, plugins/sudoers/ldap.c: Use ssl_err2string() in message on ldap_ssl_client_init() failure. Displaying SSL reason code directly is not user-friendly. [aaf272403f3e] 2020-10-27 Todd C. Miller * lib/eventlog/eventlog.c: For JSON logs, write the most important log elements first. This is important for syslog where the record could be truncated. [58fc957c41bb] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: Add log_format sudoers setting to select sudo or json format logs. Defaults to sudo-format logs. [2936d2750af0] * include/sudo_json.h, lib/eventlog/eventlog.c, lib/util/json.c: Support "minimal" JSON which skips all non-essention whitespace. This replaces the old "compact" mode which is only used for syslog. [be07bca67019] * plugins/sudoers/logging.c: Don't warn about log failure more than once. [b4dc59a58d1d] 2020-10-26 Todd C. Miller * lib/eventlog/eventlog.c: Check for fdopen(3) failure in send_mail(). [e08b17bf26ce] * MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/logwrap.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/logging/check_wrap.in, plugins/sudoers/regress/logging/check_wrap.out.ok, plugins/sudoers/sudoers.c: Add support for file log line wrapping in libeventlog. [935c30cf7633] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Use real setters for the eventlog config. This makes it possible to have a base config that the callers can modify instead of replacing the config wholesale. [2ca1e7d376c2] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/defaults.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Use libeventlog in sudoers instead of doing our own logging. [d8306755201a] * lib/eventlog/eventlog.c, plugins/sudoers/logging.c: Log the short version of the tty in sudoers-format logs. This is consistent with historical practice. [69440e4659a8] * lib/eventlog/eventlog.c: Add default values in eventlog_setconf(). [582d359a8ec0] * include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.c, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.h: Add support for mailing eventlog entries and for logging raw messages. These will be used by the sudoers plugin. [acab8209ddd0] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/iolog/iolog_fileio.c: If no JSON callback is provided, store the contents of struct eventlog. This moves the JSON formatting of struct eventlog out of libsudo_iolog and into libsudo_eventlog where it belongs. [260a7ec65485] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c: struct eventlog contains submit_time, no need to pass it in directly. [a3ac404e6a59] * include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c: Add an errstr argument to eventlog_alert(). [e2afd2f1c092] * plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Make a copy of the strings stored in iolog_details and struct eventlog. Previously, we just made the strings const and relied on the front-end not changing them. Now the sudoers I/O log plugin behavior is consistent with the policy plugin. [406632298bd5] * plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Use struct eventlog in iolog_details. [c22e05f420fe] * include/sudo_eventlog.h, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Use struct eventlog in place of struct iolog_info. [9fef7a5f077b] * logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: No longer need eventlog-related getters in logsrvd.c [e3ab80a9a892] * MANIFEST, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Use libeventlog in sudo_logsrvd. [3dd22be50c30] * MANIFEST, Makefile.in, configure, configure.ac, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.h: Refactor eventlog code into a library [2e02c25be009] 2020-10-20 Todd C. Miller * lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: regen Makefiles [d9064a0c53ae] * scripts/mkpkg: Build 64-bit binaries on HP-UX ia64 [3f8b599e7d7f] 2020-10-16 Todd C. Miller * plugins/sudoers/Makefile.in: Explicitly set umask when running tests. Some tests create files that must not be world-writable. [9186ea1d2696] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: sudoers_policy_store() -> sudoers_policy_store_result() [3dad5322916b] 2020-10-14 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). It is called even when there is no command to execute. Also pass in status of whether or not the command was accepted. [a0ded23e81c4] 2020-10-10 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test1.sh, plugins/sudoers/regress/cvtsudoers/test10.sh, plugins/sudoers/regress/cvtsudoers/test11.sh, plugins/sudoers/regress/cvtsudoers/test12.sh, plugins/sudoers/regress/cvtsudoers/test13.sh, plugins/sudoers/regress/cvtsudoers/test14.sh, plugins/sudoers/regress/cvtsudoers/test15.sh, plugins/sudoers/regress/cvtsudoers/test16.sh, plugins/sudoers/regress/cvtsudoers/test17.sh, plugins/sudoers/regress/cvtsudoers/test18.sh, plugins/sudoers/regress/cvtsudoers/test19.sh, plugins/sudoers/regress/cvtsudoers/test2.sh, plugins/sudoers/regress/cvtsudoers/test20.sh, plugins/sudoers/regress/cvtsudoers/test21.sh, plugins/sudoers/regress/cvtsudoers/test22.sh, plugins/sudoers/regress/cvtsudoers/test23.sh, plugins/sudoers/regress/cvtsudoers/test24.sh, plugins/sudoers/regress/cvtsudoers/test25.sh, plugins/sudoers/regress/cvtsudoers/test26.sh, plugins/sudoers/regress/cvtsudoers/test27.sh, plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test3.sh, plugins/sudoers/regress/cvtsudoers/test30.sh, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test4.sh, plugins/sudoers/regress/cvtsudoers/test5.sh, plugins/sudoers/regress/cvtsudoers/test6.sh, plugins/sudoers/regress/cvtsudoers/test7.sh, plugins/sudoers/regress/cvtsudoers/test8.sh, plugins/sudoers/regress/cvtsudoers/test9.sh, plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test10.sh, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.sh, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/testsudoers/test6.sh, plugins/sudoers/regress/testsudoers/test7.sh, plugins/sudoers/regress/testsudoers/test8.sh, plugins/sudoers/regress/testsudoers/test9.sh, plugins/sudoers/regress/visudo/test1.sh, plugins/sudoers/regress/visudo/test10.sh, plugins/sudoers/regress/visudo/test2.sh, plugins/sudoers/regress/visudo/test3.sh, plugins/sudoers/regress/visudo/test4.sh, plugins/sudoers/regress/visudo/test5.sh, plugins/sudoers/regress/visudo/test6.sh, plugins/sudoers/regress/visudo/test7.sh, plugins/sudoers/regress/visudo/test8.sh, plugins/sudoers/regress/visudo/test9.sh: Pass path to testsudoers, visudo or cvtsudoers in the environment. Falls back on the unqualified command if the environment variable is not set. [a7b8c413b66d] 2020-10-09 Todd C. Miller * plugins/sudoers/sssd.c: Init cmnds to NULL in rule_to_priv() so we don't free a bogus pointer. In the sssd backend, the rule_to_priv() cleanup code assumes cmnds can be passed to fn_free_values(), which was not the case if we receive an error getting values for "sudoCommand". This is a regression introduced in sudo 1.9.1. Fix from Ron Bowes. GitHub issue #67. [a3fe4615f039] 2020-10-06 Todd C. Miller * plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h: Pass runchroot to match_digest() too. We use the open fd for the actual I/O but having runchroot makes it possible to report the correct file name in error messages. [2e1d142e2fe5] 2020-10-04 Todd C. Miller * NEWS: GitHub issue #61 was fixed in sudo 1.9.3. [55e54b3111f0] 2020-09-29 Todd C. Miller * plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults: Fix indentation of enum def_tuple. [237db08cc1a3] 2020-09-28 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Remove special case EOF handling; lines now always end in a newline. Previously we needed to emulate some of the state transitions that happen at end-of-line at end-of-file as well. Those are no longer needed now that we are guaranteed to always have a newline at the end. [4c0c21b081f7] 2020-09-27 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Increment sudolinebuf.size after realloc(). [b871905c3442] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add a newline at end of line if one is missing. This is simpler than having to support entries that end at EOF too. [cb335acb1064] * MANIFEST, plugins/sudoers/regress/testsudoers/test14.out.ok, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test15.sh: Add tests for entries without a newline. [98a50d8301a8] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix handling of a command spec without a newline at the end. For include files, we may need to inject a newline token now that the grammar requires lines to end with a newline or EOF. There is no END (EOF) token processed after popping off an include file since everything is just treated as one big file. [3e6c62ea7237] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Mark sudoerserror() messages for translation. [d6a173cea48b] * plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix line number accounting when a string contains a newline. Strings are not allowed to span multiple lines without a continuation character. Also provide a better error message if we are in the middle of a string and hit EOF. [cf34b0a3beba] 2020-09-26 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Use sudoerschar (yychar) instead of last_token. The parser already provides a way to examing the last token processed, we don't need to add our own. [ba35fe36bd56] 2020-09-25 Todd C. Miller * lib/util/closefrom.c, lib/util/getentropy.c, lib/util/pipe2.c, lib/util/term.c, lib/util/ttyname_dev.c, plugins/sudoers/auth/pam.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/env.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h, src/tgetpass.c, src/ttyname.c: Fix -Wshadow warnings. [5480e97a1160] * configure, configure.ac: Add -Wshadow to warning flags if the compiler supports it. [6f29b5ebc2b8] * MANIFEST, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/regress/testsudoers/test13.sh: Add test for syntax error when defining an alias using a reserved word. [4c90b3952ed1] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix pasto, TIMEOUT not CMND_TIMEOUT. [842ad3a578f2] * NEWS, doc/UPGRADE, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in: Document reserved words that cannot be used as alias names. Bug #941 [4b37a2174cd2] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers_version.h: Detect when a reserved word is used when declaring an alias. Now instead of "syntax error, unexpected CHROOT, expecting ALIAS" the message is "syntax error, reserved word used as an alias name" Bug #941 [dfc55de5526c] 2020-09-23 Todd C. Miller * .hgtags: Added tag SUDO_1_9_3p1 for changeset 02c47b39359e [23bf4d95356d] <1.9> * merge sudo 1.9.3p1 from tip [02c47b39359e] [SUDO_1_9_3p1] <1.9> * plugins/sudoers/sudoers.c: Fix potential NULL deref in debug code. [c6b8910ac7dc] * plugins/sudoers/getspwuid.c: Close the passwd db before calling getpwnam_shadow(3). Otherwise, we will get the non-shadow passwd entry ("*") since we called setpassent(3) earlier to keep the passwd db open. [71ee5e16e4c5] * configure, configure.ac: Fix configure test for crypt(3) when it is present in libc. Fixes a regression introduced in sudo 1.9.3. [0d77733de667] * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Add SLOG_AUDIT flag for log_warningx() to also audit the message. This lets us combine audit_failure() and log_warningx() calls with the same message. [23a8a5eab2ff] * plugins/sudoers/sudoers.c: Log when user-specified command line options are rejected by sudoers. We already audit those but in some cases they were not logged as well. [30d991993763] * NEWS, configure, configure.ac: Update for sudo 1.9.3p1 [0cbbb7608c3f] 2020-09-21 Todd C. Miller * .hgtags: Added tag SUDO_1_9_3 for changeset bdd40c087bec [eca7e986d20f] <1.9> * merge sudo 1.9.3 from tip [bdd40c087bec] [SUDO_1_9_3] <1.9> 2020-09-20 Todd C. Miller * configure, configure.ac: Move warning about plaintext password to the end of configure. It is unlikely to be noticed at the beginning of the output. [b3b5abcedc73] 2020-09-19 Todd C. Miller * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po: Updated translations from translationproject.org [54b5484b2756] 2020-09-18 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/auth/passwd.c: Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. [aed39197f364] * src/utmp.c: Fix typo in last commit. [30a77a50f7b2] 2020-09-17 Todd C. Miller * src/sudo_edit.c: Only use faccessat(3) if AT_EACCESS is defined. Apparently Android (bionic) has faccessat() but not AT_EACCESS. Bug #940. [18604919a023] * src/utmp.c: Guard use of ttyslot() with HAVE_TTYSLOT, fix guard for utmp_setid(). This should make it easier to compile sudo on Android which doesn't provide a way to write to the utmp file. Bug #940. [69fe5b8426cd] 2020-09-16 Todd C. Miller * po/zh_CN.mo, po/zh_CN.po: Updated translations from translationproject.org [ef72535d71a5] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sr.mo, po/sr.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [48fdb293a803] * configure, configure.ac, plugins/sudoers/po/sudoers.pot: Back out sudo 1.9.3b1 version change. [70cee88da8b1] 2020-09-14 Todd C. Miller * NEWS, configure, configure.ac, plugins/sudoers/defaults.c, plugins/sudoers/po/sudoers.pot: Fix typo in warning for T_CHPATH, list '~' not '*' twice. Bug #938 [d516bebe9644] 2020-09-12 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update .pot files for 1.9.3. [47cedd231dd6] 2020-09-10 Todd C. Miller * plugins/sudoers/iolog_client.c: Add missing check for strdup() failure. Coverity CID 214243 [86cf4da0cd81] * examples/sudoers: Sync example sudoers with manual page. [1ccf32907f11] 2020-09-09 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Add simple runchroot and runcwd examples. Also document the limitation of command-based Defaults settings. [6a610884670c] * plugins/sudoers/sudoers.c: Add callback for runchroot Defaults and require password -D/-R checks. Using a command-based Default for runchroot will still only work for paths that exist both in and outside the chroot. [a50148e16b89] * plugins/sudoers/defaults.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings. [c71faa1f5ea1] * plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule. [d8765611b48c] 2020-09-06 Todd C. Miller * configure, configure.ac: Remove closefrom_fallback() from lib/util/util.exp. It is a static function and should not be exported. [dc09dc563197] 2020-09-06 Evan Anderson * configure, m4/sudo.m4: configure: Fix runstatedir handling for distros that do not support it runstatedir was added in yet-to-be released autoconf 2.70. Some distros are shipping this addition in their autoconf packages, but others, such as Fedora, are not. This causes the rundir variable to be set incorrectly if the configure script is regenerated with an unpatched autoconf since the runstatedir variable set is deleted after regeneration. This change works around that problem by checking that runstatedir is non-empty before potentially using it to set the rundir variable [35c1eb25dd9d] 2020-09-05 Todd C. Miller * lib/util/Makefile.in: We need to link with NET_LIBS for gai_strerror() on some systems. From Tim Rice [b10aeb7ec2ed] * ltmain.sh: Fix sco library versioning; fallout from frebsd-elf reorg. From Tim Rice [072a37c2d3cb] * configure, configure.ac: SVR4/5 fixes and long password support for OpenServer 6 & 5. From Tim Rice [8622970c77c3] * lib/logsrv/protobuf-c.c: Use config.h to handle systems without inline function support. [1ba5301de713] * configure, configure.ac: Prefer dlopen() over shl_load() on HP-UX 11.11 and higher. [065316970f79] * include/sudo_fatal.h, lib/util/fatal.c: Define sudo_warn_setlocale_t and use sudo_conv_t in sudo_fatal.h. Works around a bug in older versions of the HP ANSI C compiler and results in more readable code. [0e53ec783100] * configure, configure.ac: HP-UX cc may not allow __declspec(dllexport) to be used in conjunction with "#pragma HP_DEFINED_EXTERNAL" when redefining standard libc functions. [7190082c3a09] 2020-09-04 Todd C. Miller * configure, configure.ac: Fix check for hiding unexported symbols on HP-UX. We need to pass the -b option to the compiler, not just the linker, so it will choose the PIC C runtime. [bc1b9351cbce] * src/regress/ttyname/check_ttyname.c: Check that the files are character devices before comparing st_rdev. [d9f8b730d131] * src/regress/ttyname/check_ttyname.c: Fix regress when ttyname(3) returns the same device under a different name. On systems that have both new and old pty names we can end up with a name mismatch even though the underlying device is the same. [3760f44d81d4] * plugins/sudoers/regress/testsudoers/test3.sh: Use the same pattern of redefining TESTDIR as test10.sh. Adapted from a diff from Tim Rice. [378590625bfd] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Rename sa_len -> sa_size to avoid a conflict on UnixWare and others. On some systems, sa_len is a #define for 4.4BSD compatibility. [a369d15175dd] * plugins/sudoers/pwutil.c: Include strings.h for strcasecmp(3). From Tim Rice [27be3ee47426] * lib/util/getentropy.c: Add missing #ifdef HAVE_CLOCK_GETTIME in getentropy_fallback() From Tim Rice [4bdcf1048196] * plugins/sudoers/Makefile.in: Regen for check_exptilde.o [b3e2a87b5144] * lib/util/Makefile.in, scripts/mkdep.pl: Add missing dependency info for cfmakeraw.lo in lib/util/Makefile.in From Tim Rice [18d953844745] * plugins/sudoers/auth/pam.c: Be consistent and use __hpux not __hpux__ like the rest of sudo. [dd5ef59dc980] * lib/logsrv/protobuf-c.c: Replace "static inline" with "static __inline" for older compilers. [a09412277d0f] * MANIFEST, include/log_server.pb-c.h, lib/logsrv/Makefile.in, lib/logsrv/log_server.pb-c.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c, scripts/unanon: Post-process protoc-c files to avoid depending on anonymous unions. Based on a patch from Michael Osipov. GitHub issue #60 [13ab1ec22477] * src/preload.c: Add sudoers_audit to sudo_sudoers_plugin_symbols[] array. Fixes loading of sudoers_audit when configured with --enable-static- sudoers. GitHub issue #61 [f0bd4b5cd7b3] 2020-09-03 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Fix copy and paste error; Coverity CID 214191 [49044d66dffc] * plugins/sudoers/visudo.c: Fix memory leak on error found by the clang 10.01 analyzer. [12de4dd014eb] * src/limits.c: Use correct size for curlim and maxlim. [1fc6aea5ece0] * configure, configure.ac, doc/Makefile.in: Only install man pages for logsrvd and python plugin if we build them. GitHub issue #58 [e92799dd4886] * Makefile.in, configure, configure.ac, doc/Makefile.in: Remove obsolete mansrcdir variable, add _SRC suffix to LOGSRV and LOGSRVD [aa9c0f8cb227] 2020-09-02 Todd C. Miller * logsrvd/eventlog.c, plugins/sudoers/logging.c: If the command was run in a chroot, add it to the log. [0cda78f7ed40] * MANIFEST, plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test12.sh: Add test of multiple syntax errors. Where possible, the portion of the line before the error should be still be interpreted. [3af61a54586f] * logsrvd/eventlog.c, logsrvd/iolog_writer.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Log the runcwd not submitcwd in the sudo-style log file. The log entry should reflect the working directory the command actually ran in. [a477dee74683] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Fix error recovery in a privilege after a ':' separator. [02c4b5872a38] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Initialize runchroot and runcwd in init_options() [13bebf71955d] * MANIFEST: Fix path to check_exptilde.c [7dc831cbd59d] * include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/logsrv/protobuf-c.c: Update to protobuf-c 1.3.3 [22a88bccb611] 2020-09-01 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.h: Regenerate the parser with "bison -y" for verbose syntax error messages. [e1530c5b8960] * NEWS: Add chroot/chdir changes. [9367855da7d1] * doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo_usage.h.in: Support "*" for CWD/CHROOT to allow user to specify cwd or chroot. Adds two new command line options, -D (--chdir) and -R (--chroot) that can only be used when sudoers sets runcwd or runchroot to "*". [afeb73867b66] * MANIFEST, lib/util/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/exptilde.c, plugins/sudoers/regress/exptilde/check_exptilde.c: Unit test for exptilde [f0d7b0031fea] * MANIFEST, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.c, plugins/sudoers/regress/sudoers/test24.in, plugins/sudoers/regress/sudoers/test24.json.ok, plugins/sudoers/regress/sudoers/test24.ldif.ok, plugins/sudoers/regress/sudoers/test24.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test24.out.ok, plugins/sudoers/regress/sudoers/test24.sudo.ok, plugins/sudoers/regress/sudoers/test24.toke.ok: Add support for runchroot and runcwd to "sudo -l" and cvtsudoers. [9f5ecd22d822] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Read/write runchroot and runcwd entries in the JSON event log. [3edb8305abe9] * MANIFEST, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/exptilde.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/sudoers/test1.toke.ok, plugins/sudoers/regress/sudoers/test11.toke.ok, plugins/sudoers/regress/sudoers/test12.toke.ok, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/regress/sudoers/test15.toke.ok, plugins/sudoers/regress/sudoers/test16.toke.ok, plugins/sudoers/regress/sudoers/test17.toke.ok, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test19.toke.ok, plugins/sudoers/regress/sudoers/test22.toke.ok, plugins/sudoers/regress/sudoers/test3.toke.ok, plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test6.toke.ok, plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add CHROOT and CWD sudoers options. Also matching runchroot and runcwd Defaults settings. [2f0aca92c360] 2020-08-31 Todd C. Miller * NEWS, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c, src/limits.c, src/sudo.c, src/sudo.h: Pass resource limits values to the plugin in user_info[] Sudo resets the resource limits early in its execution so the plugin cannot tell what the original limits were itself. [64957c5875f3] * doc/Makefile.in, doc/sudo_logsrvd.man.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, lib/logsrv/Makefile.in, lib/util/cfmakeraw.c, lib/util/fchmodat.c, lib/util/fstatat.c, lib/util/getdelim.c, lib/util/getusershell.c, lib/util/openat.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/roundup.c, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/term.c, lib/util/unlinkat.c, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, plugins/python/Makefile.in, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_importblocker.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h, plugins/sudoers/fmtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/set_perms.c, plugins/sudoers/starttime.c, plugins/sudoers/tsdump.c, src/exec_monitor.c, src/exec_nopty.c, src/limits.c, src/ttyname.c: Update copyright year on some files where it was out of date. [2086262cd012] 2020-08-27 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in: Refer to "syntax error" instead of "parse error". This is the term the parser uses when there is an actual error. [7134b6869432] * plugins/sudoers/visudo.c: Remove superfluous "parse error in sudoers near line N" message. The sudoers parser now produces better syntax error messages so we don't need visudo to print its own. [9c32131fb6ac] * plugins/sudoers/visudo.c: Don't override errorfile and errorlineno set by check_aliases(). Now that alias parsing stores the file and line number, visudo can use that information to go to the line with an error when re-editing. [896d1f73ca02] 2020-08-25 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/sig2str.c, lib/util/str2sig.c: Use sigabbrev_np(3) to access signal abbreviations if supported. glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead. [e30482f26924] 2020-08-17 Todd C. Miller * NEWS: Briefly describe how to restore historical parse error behavior. [1ede927d99b3] * NEWS, doc/UPGRADE: Mention eof-of-line terminator and plugin argument changes. [96cd7a3477fa] * doc/sudoers.man.in, doc/sudoers.mdoc.in, src/load_plugins.c: Fix sudoers_policy plugin options when sudoers_audit is not listed. As of sudo 1.9.1 the sudoers file is opened by the audit plugin, not the policy plugin. As a result, plugin options set for sudoers_policy have no effect. If sudoers_policy has plugin options in sudo.conf and sudoers_audit is not listed, move the options to sudoers_audit so they will have an effect. [839a9a9c0cc3] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/file.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: sudoers error recovery can be configured via an "error_recovery" setting. This setting is an argument to the sudoers plugin, similar to how sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented. The default value is true. [86f7059f9e45] * plugins/sudoers/regress/testsudoers/test11.sh: Make this test pass with bison's verbose error messages. [a2a8e4ca3f63] 2020-08-16 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Recover from a syntax error after the ':' in a privilege spec. For compound privilege specs, don't throw away the entire thing if we have a syntax error, only the part after the error is encountered. [d6ef4e6ca624] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test5.toke.ok: Add explicit end-of-line matching in the parser for better error messages. A valid line in sudoers must end in a newline or EOF. Previously, it was possible (though not documented) to have multiple user specs on a single line. Now, each must be on its own line. [9f513e9b10ee] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add NOMATCH token and use it in the lexer for an unmatched pattern. The ERROR token is now only used for errors detected by the lexer and for which we've already printed an error. This lets us remove the hack in sudoerserror() and just check last_token to determine whether or not to display the error. [0ca11ad5b7f3] 2020-08-15 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Enable error recovery for syntax erorrs that don't end with a newline. A syntax error on the last line of a sudoers file with no trailing newline is now recoverable. [020f76d7f369] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok: Add error recovery for unexpected tokens after include/includedir. [1aedd819916d] * NEWS: Sudo 1.9.3 changes so far. [bc6c6321a065] * configure, configure.ac: sudo 1.9.3 [432950d9f778] 2020-08-14 Todd C. Miller * scripts/pp: Format the macOS minor version number with two digits. This way we get consistent 4-digit version numbers even for macOS verions like 10.3 or 11.0 where the minor number is a single digit. For example. 10.3 will be formatted as 1003 and 11.0 will be 1100. [7f48e10be9ae] 2020-08-13 Todd C. Miller * lib/zlib/infback.c, lib/zlib/inflate.c: Add missing ZFALLTHROUGH and use spaces not tabs. [4b1c71cfb8a9] * scripts/pp: Fix probe for macOS Big Sur "sw_vers -productName" now returns "macOS", not "Mac OS X" [4caad8ca5b0c] 2020-08-12 Todd C. Miller * plugins/python/pyhelpers.c, plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c, src/parse_args.c, src/selinux.c: Fix some warnings from pvs-studio [fa83bb619209] * Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/util/aix.c, lib/util/sudo_debug.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/copy_file.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/load_plugins.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/utmp.c: Fix some warnings from pvs-studio [164a51c446da] * plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sssd.c: Use angle quotes when including gram.h and def_data.c. Otherwise, we can include the wrong file when doing an out-of-source build when configured using --with-devel. [105e52a86e22] * lib/util/fatal.c, lib/util/regress/fnmatch/fnm_test.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/iolog_client.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/parse_args.c: Move inclusion of compat headers up with the system headers. Now that sudo_dso_public is defined in config.h we don't need sudo_compat.h before including the compat headers. [da2103ee7ba8] * config.h.in, configure.ac, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/compat/sha2.h, include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_digest.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_json.h, include/sudo_lbuf.h, include/sudo_rand.h, include/sudo_util.h, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/term.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/audit.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/env_hooks.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/sesh.c, src/sudo.c, src/sudo_noexec.c: Rename __dso_public -> sudo_dso_public and move to config.h. [12550ec04e3a] * lib/iolog/host_port.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/util/ttyname_dev.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/locale.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/net_ifs.c, src/sesh.c, src/sudo.h: We no longer need to include sudo_gettext.h before sudo_compat.h [660770ab7e7b] * .gitignore, .hgignore: Add *.map to the ignore file. [e96b46d418db] 2020-08-11 Todd C. Miller * etc/uncrustify.cfg: Update to uncrustify 0.71.0 [dabd7b24c0d9] * doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention visudo in sudo(8) and document sudoers error recovery. [44acd34811fb] 2020-08-10 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/freezero.c, lib/util/getentropy.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, scripts/mkdep.pl, src/conversation.c: Use OpenBSD-compatible freezero() in place of explicit_bzero() + free() [af0a9ed1e259] * MANIFEST, config.h.in, configure, configure.ac, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_compat.h, include/sudo_plugin.h, lib/util/Makefile.in, lib/util/arc4random.c, lib/util/explicit_bzero.c, lib/util/getentropy.c, lib/util/memset_s.c, lib/util/sha2.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, scripts/mkdep.pl, src/conversation.c: Switch from memset_s() -> explicit_bzero(). memset_s() (and all of Annex K) is likely to be removed from the a future version of the standard. [c0f81ef1ee3c] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Define YYERROR_VERBOSE for bison and rename COMMENT -> '\n' This results in better error messages when there is a parse error [7ba896f285a9] * plugins/sudoers/mkdefaults: Some minor cleanup. Use ntuples instead of tuple_last Strip leading and trailing double quotes using a single gsub() ntuples will never be zero so don't bother checking No need to explicitly close files in END [b841147900df] 2020-08-07 Todd C. Miller * lib/util/event.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, src/selinux.c: Quiet some clang 10 analyzer warnings. [4147311f6278] * logsrvd/sendlog.c: Refactor freeing of InfoMessage list into free_info_messages(). Also fixes a false positive from the clang analyzer. [25a6f0035a33] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test11.sh: Require that a @include line end with a newline or EOF. We now parse the entire line before reading the include file. This is less surprising behavior and results in better error messages. [ad6a2c991db6] * plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test10.out.ok, plugins/sudoers/regress/sudoers/test11.out.ok, plugins/sudoers/regress/sudoers/test12.out.ok, plugins/sudoers/regress/sudoers/test13.out.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test15.out.ok, plugins/sudoers/regress/sudoers/test16.out.ok, plugins/sudoers/regress/sudoers/test17.out.ok, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test19.out.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test20.out.ok, plugins/sudoers/regress/sudoers/test21.out.ok, plugins/sudoers/regress/sudoers/test22.out.ok, plugins/sudoers/regress/sudoers/test23.out.ok, plugins/sudoers/regress/sudoers/test3.out.ok, plugins/sudoers/regress/sudoers/test4.out.ok, plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test5.out.ok, plugins/sudoers/regress/sudoers/test5.toke.ok, plugins/sudoers/regress/sudoers/test6.out.ok, plugins/sudoers/regress/sudoers/test7.out.ok, plugins/sudoers/regress/sudoers/test7.toke.ok, plugins/sudoers/regress/sudoers/test8.out.ok, plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/regress/sudoers/test9.out.ok, plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/regress/visudo/test8.err.ok, plugins/sudoers/regress/visudo/test8.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c: Display more specific parser error messages when possible. [91dd5d67bb83] * plugins/sudoers/file.c: Let the sudoers parser recover after a parse error. We currently just discard the line with the error. [712537665215] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Keep track of the position of the current token for error messages. [a5f6bd38267e] 2020-08-06 Todd C. Miller * plugins/sudoers/Makefile.in: regen [28026a042255] * plugins/sample_approval/sample_approval.exp: Sync sample_approval.exp with sample_approval.c [e810da8a6772] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Store the current line in our own buffer for better error messages. [33b2042e0028] 2020-08-05 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo.pp, scripts/mkpkg: Fix libssl dependency on Debian-based systems. Older systems may still have libssl1.0.0, not libssl1.1. [0de802ec595a] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add workaround for yyless() not resetting yy_at_bol. [5defcd893f6a] 2020-08-03 Todd C. Miller * configure, configure.ac: Always use a linker script to hide symbols if it is supported. We use this even if the compiler has symbol visibility support so we will notice mismatches between the exports file and __dso_public annotations in the source code. [1679ac3124b1] * MANIFEST, configure, configure.ac, plugins/python/python_plugin.exp, plugins/python/python_plugin.exp.in: Rename python_plugin.exp.in -> python_plugin.exp There is nothing dynamic in this file. [f34cc08c026c] * MANIFEST, configure, configure.ac, plugins/python/python_plugin.exp.in, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit_multi.inc: Add missing python_plugin.exp.in file and remove unneeded __dso_public This fixes building the python plugin on systems where the compiler doesn't support symbol hiding (but wherethe linker does). [e0305faf8282] 2020-08-02 Todd C. Miller * plugins/sudoers/mkdefaults: Use "foo in bar" syntax for testing existence of a key. [0807ae0db0a7] * plugins/sudoers/Makefile.in, plugins/sudoers/toke.c: Replace /*FALLTHROUGH*/ in generated code. [a7590ec10b16] 2020-08-01 Todd C. Miller * lib/zlib/infback.c, lib/zlib/inflate.c, lib/zlib/zconf.h.in: Add ZFALLTHROUGH macro to use instead of /* FALLTHROUGH */ comments. [92ec8a466095] * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/arc4random_buf.c, lib/util/glob.c, lib/util/snprintf.c, lib/util/strtonum.c, logsrvd/sendlog.c, plugins/python/pyhelpers.c, plugins/sudoers/auth/pam.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_monitor.c, src/exec_pty.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/tgetpass.c: Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. [ce33e87ddfd6] 2020-07-30 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults: Rewrite mkdefaults in awk. [f069ca4eae59] 2020-07-22 Todd C. Miller * doc/CONTRIBUTORS: Update translators. [5252e2d1a61a] * doc/sudo.man.in, doc/sudo.mdoc.in, src/copy_file.c: Prompt user before truncating a file to zero bytes. Bug #922. [8bfaa57d5bd4] 2020-07-21 Todd C. Miller * .hgtags: Added tag SUDO_1_9_2 for changeset a411d532a5f4 [84e81d1fe48f] <1.9> * merge sudo 1.9.2 from tip [a411d532a5f4] [SUDO_1_9_2] <1.9> 2020-07-21 kuberlog * config.h.in, configure.ac: configure.ac: fix documentation about lecture [382c2809eda1] 2020-07-19 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/ro.mo, po/ro.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [74fbf2ca39e1] 2020-07-16 Todd C. Miller * configure, configure.ac: Handle openssl where there is no separate libcrypto pkgconfig file. In this case, just use the full openssl libs to get the sha2 functions. [f724510bb416] * INSTALL, configure, configure.ac: Ignore --enable-gcrypt if --enable-openssl is also specified. [39d493d7e549] 2020-07-15 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.9.2 [9af764b239c2] * config.h.in, configure, configure.ac: Fix some warnings displayed by autoconf 2.69b This fixes the missing HAVE_GSSAPI_GSSAPI_H define in config.h.in. TODO: replace shadow_funcs variable in function checks with literals [9d8f67e1f8fe] 2020-07-12 Todd C. Miller * plugins/sudoers/audit.c: Initialize sudo_conv and sudo_printf in sudoers_audit_open(). We will need them if there is an error parsing sudoers and leaving them unset can result in NULL deref. Also set the text domain to "sudoers" like we do for the policy and I/O logging open functions. Bug #934. [e88919ff4900] 2020-07-11 Todd C. Miller * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, po/it.mo, po/it.po, po/ko.mo, po/ko.po, po/ro.mo, po/ro.po: Updated translations from translationproject.org [2488a1479208] 2020-07-06 Todd C. Miller * plugins/sudoers/sudoers.exp: Export sudoers_audit symbol for compilers without symbol visibility. [081f6729cb38] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the contents of the log.json file. [b1ea749fffc2] * lib/iolog/iolog_fileio.c: Fix typo, runas_uid should be runas_gid. [7b2c0fd84a60] * examples/sudo.conf.in: Add sudoers_audit line for completeness, matching the documentation. When sudoers is loaded as a policy plugin, it will be loaded automatically as an audit plugin. Listing it explicitly in the default sudo.conf file helps bring attention to the fact that sudoers now supports the audit plugin type. [7145a02ed280] * plugins/sudoers/defaults.c: Add some debugging statements around Defaults lookup. [b95e2a9b6555] * plugins/sudoers/sudoers.in: Replace #includedir with @includedir in default sudoers file. [d18945ec728e] 2020-06-26 Todd C. Miller * configure, m4/libtool.m4: Allow HP-UX share libs and modules to link against static libs. hppa64 and ia64 use PIC by default [0553c60b922a] 2020-06-25 Todd C. Miller * configure, configure.ac: Use pkg-config to find the openssl cflags and libs if possible. We support linking against static openssl libs too. [55442f4fea5e] 2020-06-24 Todd C. Miller * scripts/pp: Fix parsing of /etc/redhat-release on RHEL 8. RedHat dropped the word "server" from the release name in redhat-release which results in the awk script printing the wrong field. Instead of using awk, just use sed to pull out the version number immediately following the word "release". [a283acb4622a] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen without `scare quotes' [31f021892137] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, src/parse_args.c, src/sudo.c: Replace or remove use of `scare quotes' These don't translate well and look odd in many fonts. [3c7fa8f93543] 2020-06-20 Todd C. Miller * lib/zlib/infback.c, lib/zlib/inflate.c: Add FALLTHROUGH comments to quiet -Wimplicit-fallthrough [f724957b7cae] * src/solaris.c: Fix implicit fallthrough warning and add break to default cases. [74d8c68eb160] * configure, configure.ac, m4/ax_func_snprintf.m4, m4/sudo.m4: Fix some warnings from configure test programs. [6cff0cdb066a] * configure, configure.ac: Add -Wimplicit-fallthrough to --enable-warnings if available. Note that clang 10 has support for -Wimplicit-fallthrough in C code but doesn't recognize lint-style FALLTHROUGH comments like gcc does so we can't use it. [cf70a1ab3ea9] * configure, configure.ac: Drop old test for -lcposix for ISC Unix. [1bfd474c8819] 2020-06-19 Todd C. Miller * README: Mention sudo-blog announce list. [526dc0cc1e83] * NEWS: Bugs #860 and #917 were fixed in 1.9.0. [51a347785dbf] 2020-06-18 Todd C. Miller * .hgtags: Added tag SUDO_1_9_1 for changeset 06b47089122a [94c1c10ddbbd] <1.9> * merge sudo 1.9.1 from tip [06b47089122a] [SUDO_1_9_1] <1.9> * plugins/sudoers/po/sudoers.pot: regen to fix a typo [9755e76fcd8b] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c: Add regress test to catch swapids() bug when called by iolog_mkdtemp() [deff1dc2f144] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, po/ro.mo, po/ro.po: Updated translations from translationproject.org [9007c89029ea] 2020-06-16 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document the order in which the plugin open/close functions are called. [48ec66882e1a] * NEWS, lib/iolog/iolog_fileio.c: Fix a typo that prevented swapids() from restoring the original gid. This led to a regression when the iolog_file setting ends in six or more X's or when the I/O logs are stored on NFS. [522d8ec470cb] 2020-06-15 Todd C. Miller * src/exec_monitor.c, src/exec_pty.c, src/get_pty.c, src/sudo.h, src/sudo_exec.h: Replace master/slave in code with leader/follower. [230f5343d961] * NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, examples/sudoers, plugins/sudoers/regress/cvtsudoers/sudoers, plugins/sudoers/regress/cvtsudoers/sudoers.defs, plugins/sudoers/regress/cvtsudoers/test13.out.ok, plugins/sudoers/regress/cvtsudoers/test19.out.ok, plugins/sudoers/regress/visudo/test6.sh: Replace terms master and blacklist in docs and examples. [2908ac6c0fe0] * NEWS: Bug #929 [c1f5a01d1af6] 2020-06-14 Todd C. Miller * src/sudo_edit.c: Clean up temporary sudoedit files on success; Bug #929 This is a regression introduced in sudo 1.9.0. [2bc4822b7382] 2020-06-12 Todd C. Miller * NEWS: New Romanian translation [fd753dfa0a84] 2020-06-11 Todd C. Miller * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [570aacc81015] * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, po/ro.mo, po/ro.po: Romanian translation from translationproject.org. [1e277907378e] * NEWS: Add missing entry for the LDAP/SSSD sudoHost regression. Also add new Romanian translation [624eb5e8e612] 2020-06-07 Todd C. Miller * plugins/sudoers/sudoers.c: Fix a typo in the audit string when "sudo -E" is not allowed. [85bcb3b1f7d8] 2020-06-06 Todd C. Miller * plugins/python/regress/testhelpers.c: Check asprintf() return value. [456bb2d7c37f] * scripts/mkpkg: Prefer the python3 in /usr/bin on Solaris. The /opt/csw version, if it exists, may be a 32-bit version which we can't link with. Also handle the case where the /usr/bin/python3 link is missing. [2ed7715e6b2e] * config.h.in, configure, configure.ac, include/sudo_compat.h: Declare getdelim(3) if it exists in libc but is not prototyped in stdio.h. This can happen on systems with a gcc packages that was built on and older versions of the OS where getdelim(3) was not present. [e78803280641] * aclocal.m4, configure, configure.ac: For python3-config, only use -I and -L/-l from --cflags and --ldflags output. Otherwise we may get other flags used to build python that conflict with what sudo uses. [7a8d3c5fd2ae] * scripts/mkpkg: Build 64-bit binaries and the python package on Solaris 11 and above. No longer prefer the Solaris Studio C compiler over gcc, it causes issues with the Python plugin. [a92f9641bd07] * logsrvd/sendlog.c: Fix memory leak on error in fmt_info_messages(). [511ac9ba6819] * NEWS: Update for 1.9.1b1 [562b0add8e04] 2020-06-05 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen for sudo 1.9.1 [8960aceb2519] 2020-06-04 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Add basic support for reject and error audit events to sudoers. This is only used when logging events from plugins other than sudoers, such as an approval plugin. With this change, if an approval plugin rejects the command the denial will be logged in the sudoers log file using the message from the approval plugin. [c7abc39b0e37] * plugins/sudoers/bsm_audit.c, plugins/sudoers/solaris_audit.c, scripts/mkpkg: Fix Solaris and BSM audit warnings. Use BSM audit on Illumos, which lacks Solaris audit. [3844e8a24f59] * plugins/sudoers/policy.c: Track whether the session was opened in sudoers. In sudoers_policy_close() only warn about being unable to run the command if we actually opened the session (and thus passed all approval plugins). [f99b434d121b] * src/sudo.c: Only display an error in the built-in policy close if command is set. If a policy or approval plugin denies the command, command_details will not have been filled out. [245024004df2] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c: Avoid passing NULL to printf in match debug code for LDAP/SSSD. The file name in struct userspec was not set for the LDAP and SSSD backends. There is no actual file in this case so set the name to LDAP/SSSD. Also add a guard to make sure we don't try to print NULL in sudoers_lookup_check() if name is left unset. [240efcda496e] 2020-06-03 Todd C. Miller * plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h: Add missing const to linux_audit_command()'s argv function argument. [cb219f1ccb6e] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: When converting LDAP to sudoers, ignore entries with no sudoHost attribute. Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as as the "ALL" wildcard. This regression was introduced in sudo 1.8.23, which was the first version to convert LDAP sudoRole objects to sudoers internal data structures. Thanks to Andreas Mueller for reporting and debugging this problem. [484d0d3b892e] 2020-06-02 Todd C. Miller * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, src/load_plugins.c: Load the sudoers module as an audit plugin if loaded as a policy plugin. Now that logging of successful commands is performed by sudoers as an audit plugin we need to load sudoers_audit if sudoers_policy is also loaded. Otherwise, accpted commands will not be logged. [f20bee20f4c7] * plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Defer logging of the successful command until approval plugins have run. This adds audit plugin support to the sudoers module, currently only used for accept events. As a result, the sudoers file is now initially parsed as an audit plugin. [552c13bd0287] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, include/sudo_plugin.h, plugins/audit_json/audit_json.c, plugins/python/sudo_python_module.c, src/sudo.c: Add support for "accept" audit events sent by the sudo front-end. With this change, the sudo front-end will send an "accept" audit event to the audit plugins after all the I/O logging plugins have been initialized. This can be used by an audit plugin that does not care about the result of the individual policy and approval plugins and only wants to receive a single "accept" event if all policy and approval plugins have succeeded. The plugin_type argument for events sent by the front-end is SUDO_FRONT_END (0). [6b3cb94fedb9] * src/exec_pty.c: If event loop fails due to ENXIO, remove /dev/tty events and recover. This fixes an issue on Solaris 11.4 (and probably others) with "sudo reboot" when I/O logging is enabled. Previously, sudo would kill the command if it was still running after the event loop terminated, leaving the system in a half-dead state. [e12e3040b067] 2020-06-01 Todd C. Miller * src/exec_pty.c: Don't try to suspend sudo if the user's tty has gone away. Fixes a problem on Solaris 11.4 (and possibly others) where sudo continually tries to put itself in the background after the user's terminal has been revoked. [92f172b46b9c] * src/exec_pty.c: Back out WIP code that was mistakenly committed. [41f57239b2c4] * scripts/mkpkg: Don't enable BSM audit on Solaris 10, it is missing AUE_sudo [3b32087b1ed3] * src/exec_pty.c, src/get_pty.c: On Solaris 11.4 the openpty(3) prototype lives in termios.h. [d6e353e8b9df] * plugins/sudoers/solaris_audit.c: Add missing stdlib.h include and fix solaris_audit_failure() error return. [5748d8fd24c4] * scripts/mkpkg: Use Solaris audit for Solaris 11, not BSM audit. BSM audit is no longer supported in Solaris 11.4. [01f2189f439d] 2020-05-26 Todd C. Miller * src/exec.c: Check audit plugins for a close function too before execing command directly. We cannot exec the command directly if any of the policy or audit plugins use a close function. [5aa6db56ce32] 2020-05-22 Todd C. Miller * NEWS: Mention Bug #927. [0fd9e757d80b] 2020-05-20 Todd C. Miller * configure, configure.ac, m4/sudo.m4: Add basic support for --runstatedir If the user specifies --runstatedir but not --with-rundir, use runstatdir as the parent directory of the sudo rundir. In the future we may deprecate --with-rundir in favor of --runstatedir but that will require changes for systems with no /var/run directory. [14879831fe6e] * MANIFEST, NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test10.sh, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test8.sh, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/regress/testsudoers/test9.sh, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Add support for @include and @includedir These are less confusing than #include and #includedir when the hash character is also the comment character. This commit also adds real parsing of include directives as opposed to the pure lexer approach used previously. As a result, it is now possible to include files with spaces by either using a double- quoted string or escaping the space characters with a backslash. [c422a5c8ea5d] 2020-05-19 Todd C. Miller * lib/iolog/iolog_fileio.c: In iolog_openat() enable the write bit on pre-existing files if needed. This prevents problems caused by the change to strip the write bit from the timing file when it is finished. [a6b0da3f7b94] * plugins/sudoers/visudo.c: In visudo check that an include file is regular file before using it. Avoids a generic "input in flex scanner failed" error message. [287d90d359a6] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix a memory leak on error when including a file or directory. [02db03f7b565] 2020-05-18 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.9.1 [57a1a5f05500] * doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Add a follow option (-F) to support replaying a live session. By default, sudoreplay will exit when it reaches the end of the timing file. With the -F option, it will keep going until the timing file is finished and its write bit is cleared. [12ab27768cad] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c: Add iolog_clearerr() that acts like clearerr(3). Works for both compressed and uncompressed I/O logs. [c83b88285c2c] * plugins/sudoers/iolog.c: Clear the write bit from the I/O log timing file when it is complete. This matches the behavior of sudo_logsrvd. [0bc8a012db26] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Use PACKAGE_VERSION instead of 0.1 as the client and server version. [d1e3ac049cf7] * lib/util/Makefile.in, lib/util/aix.c, lib/util/fatal.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/json.c, lib/util/mkdir_parents.c, lib/util/strsignal.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c: Set DEFAULT_TEXT_DOMAIN in lib/util's Makefile not individual .c files. We no longer need to include sudo_gettext.h before sudo_compat.h [ead9b6a434b8] * lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/digest_gcrypt.c, lib/util/event.c, lib/util/event_select.c, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getdelim.c, lib/util/getgrouplist.c, lib/util/getopt_long.c, lib/util/glob.c, lib/util/inet_pton.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/mkdir_parents.c, lib/util/mktemp.c, lib/util/parseln.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strndup.c, lib/util/strtobool.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/vsyslog.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/python/sudo_python_debug.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/signal.c, src/sudo.c, src/sudo_edit.c, src/sudo_noexec.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Include string.h unconditionally and only use strings.h for strn?casecmp() In the pre-POSIX days BSD had strings.h, not string.h. Now strings.h is only used for non-ANSI string functions. [f7f633de570a] * lib/iolog/host_port.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_buf.c, lib/util/arc4random_uniform.c, lib/util/cfmakeraw.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/dup3.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fchmodat.c, lib/util/fnmatch.c, lib/util/fstatat.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getdelim.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/isblank.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/memset_s.c, lib/util/mkdir_parents.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/openat.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/roundup.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, lib/util/unlinkat.c, lib/util/utimens.c, lib/util/uuid.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.h, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/copy_file.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo_edit.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/utmp.c: We no longer need to include headers we don't use for sudo*.h files. Previously we needed to include headers required by the various sudo*h files. Now those files are more self-sufficient and we should only include headers needed by code in the various .c files. [72cbeae218e7] * include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_iolog.h, include/sudo_json.h, include/sudo_util.h, plugins/sudoers/sudoers.h: Add dependent system includes to make sudo_*.h more standalone. In the past we've relied on the various .c files to include the system headers that define types that the sudo_*.h headers require. This is fragile and can cause issues when includes get re-ordered. [a9fb765c0fba] * plugins/sudoers/env.c: Fix typo in PERLIO_DEBUG (trailing whitespace). This has no effect unless env_reset is disabled. From Allan Wirth [bdf9c9e7f455] 2020-05-17 Sebastian Rasmussen * plugins/sudoers/visudo.c: Fix typo in warning message. [01b8fab9fdf5] 2020-05-15 Todd C. Miller * lib/util/mksiglist.h, lib/util/mksigname.h: Prefer SIGSYS if SIGUNUSED is defined to the same value. Fixes a regress failure on musl libc where SIGSYS and SIGUNUSED share the same value. [e030acf8a670] * plugins/python/regress/testhelpers.h: Add missing sys/wait.h include; fixes a compilation problem on musl libc. [9a6a09e74a14] * lib/iolog/hostcheck.c: Add missing sys/types.h include; fixes a compilation problem on musl libc. [7c8ea831203b] * include/sudo_compat.h: Only define WCONTINUED and WIFCONTINUED if neither are already defined. Fixes a warning on musl libc where WIFCONTINUED is defined in stdlib.h for some reason. [9f55ae24b479] 2020-05-16 Dan Robertson * include/sudo_debug.h: Fix includes when building with musl Include sys/types.h for mode_t and id_t in sudo_debug.h [15abb56a1edf] 2020-05-15 Todd C. Miller * scripts/mkpkg: Enable OpenSSL on RHEL 6 too. The version of OpenSSL in RHEL 6 is new enough for the log server to use. [853fd8a74207] * logsrvd/logsrvd_conf.c: Don't print errno for the "TLS not supported" message. [c94540d3d632] 2020-05-14 Todd C. Miller * etc/sudo-logsrvd.pp, etc/sudo-python.pp: Fix macOS bundle IDs for sudo-logsrvd and sudo-python packages [a9f6aea56e40] 2020-05-13 Todd C. Miller * logsrvd/eventlog.c: Add iolog_path to the JSON-format event log [924d8836ead0] * logsrvd/logsrvd.c, logsrvd/logsrvd.h: Rename FLUSHED state to FINISHED This makes more sense when receiving event-only logs. [9e2736246e0d] 2020-05-12 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h: Fix handling of connections without associated I/O logs. This fixes reject events as well as accept events without the expect_iobufs flag set. [3ddb52ae0af4] * logsrvd/sendlog.c: Fix handling of accept and reject messages without an I/O log. Only set expect_iobufs in AcceptMessage if sending I/O logs. Set state to FINISHED immediately after sending a RejectMessage. [767e75944d4f] * doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h: Add -A and -R options to test logging of accept and reject events. If -A is specified, no I/O will be sent, only the accept event. For -R, a reject event with the specified reason is sent. [90db0e6f9b68] * configure, configure.ac: cfmakeraw(3) is broken on AIX, don't use it there The cfmakeraw(3) function exists but does not set VMIN to 1 or VTIME to 0 in c_cc[] in struct termios, which makes it useless. The AIX version also doesn't clear the CSIZE and PARENB flags from c_cflag. [bbdcae2c5fb5] * NEWS: fix pastos [cbf517081e74] 2020-05-11 Todd C. Miller * .hgtags: Added tag SUDO_1_9_0 for changeset 706d726a2f8e [d1f2b4ee59d5] <1.9> * MANIFEST, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/Makefile.in, lib/iolog/host_port.c, lib/iolog/regress/host_port/host_port_test.c, lib/util/Makefile.in, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c, lib/util/util.exp.in, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c: Rename sudo_parse_host_port -> iolog_parse_host_port and mv to lib/iolog It is not used outside of the I/O log client and server and the host:port syntax may change in the future. [706d726a2f8e] [SUDO_1_9_0] * plugins/sudoers/sudoreplay.c: Remove duplicate inclusion of time.h [f560858325d5] 2020-05-08 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c: Only enable TLS listener by default if we have a cert for it. We want the log server to work with the default configuration. If the default certificate path exists, it will be used with the default listener. If the user explicitly enabled a TLS listener we always attempt to use it. If TLS was specified but no cert file was set, the default location will be used (and an error will occur if the cert cannot be loaded). [16ade34c38ee] 2020-05-07 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen for 1.9.0 final [99e507035253] * logsrvd/Makefile.in: regen [555d817825b0] * doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c: The --preserve-env=list option may be specified more than once. [8066a9d1b04b] * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Quiet some warnings from igor. [4df4fd274023] * MANIFEST, Makefile.in, etc/codespell.exclude, etc/codespell.ignore, etc/codespell.skip: Plumb in codespell with a "make spell" target. [4b1de7ee8648] * configure, configure.ac, install-sh: Fix a few more typos. [d22a8c46c743] 2020-05-06 Todd C. Miller * NEWS, doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c: Don't allow duplicate values for command line options that take an argument. Previously, if multiple instances of the same command line option were specified, the last one would be used. This meant that, for example, "sudo -u someuser -u otheruser id" would run the command as "otheruser". This has the potential to cause problems for programs that run sudo with a user-specified command that do not use the "--" option to indicate that no more options should be processed. While this is a bug in the calling program, there is little downside to erroring out when multiple options of the same type are specified on the command line. Bug #924 [66e2612e7672] * NEWS: Debian bug #734752 [d3285c45ac4b] * src/sudo.c, src/sudo.h: Look up runas user by name, not euid, where possible. Fixes a problem when there are multiple users with the same user-ID where the PAM session modules could be called with the wrong user name. Debian bug #734752 [b45608f29a02] * src/sesh.c: Fix ironic typo in spelling fixes. Bug #925 [73de90df6ff9] * scripts/pp: Sync PolyPkg from upstream. [ac5e4b830177] * NEWS, TODO, config.h.in, configure.ac, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, etc/sudo.pp, include/compat/getaddrinfo.h, include/sudo_event.h, include/sudo_util.h, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/regress/vsyslog/vsyslog_test.c, logsrvd/logsrvd.c, plugins/audit_json/audit_json.c, plugins/python/example_debugging.py, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.h, plugins/sudoers/regress/cvtsudoers/test30.sh, scripts/mkdep.pl, src/exec.c, src/exec_monitor.c, src/exec_pty.c, src/sesh.c: Apply spelling fixes. Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell) [1fb13dc3991b] 2020-05-05 Todd C. Miller * Makefile.in, etc/sudo-python.pp: Use the proper python version in the libpython dependency on Debian. The configure script already detects the python version, we just need to use it. [4e49c53f206f] * plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ja.mo, po/ja.po, po/sv.mo, po/sv.po: Updated translations from translationproject.org [abdb2d6fe7cb] * NEWS: Bug #922 and Bug #923 [7a77f74c436f] 2020-05-04 Todd C. Miller * etc/sudo.pp: Fix Debian ldap dependency broken in last commit. [4980b1b653ef] * etc/sudo.pp: Fix "make package" on Debian when linux_audit is not set. [a00d7dec5821] * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Add a ClientHello message that client sends to the server. This makes it easier to detect a plaintext client sending to a TLS port. Without this, the TLS server will be silent as it waits for the client to initiate the TLS connection. [22c033bcf456] * logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Better error messages when there is a problem with the TLS connection. If SSL_read, SSL_write or SSL_connect fails we can use the reason string to let the user know what the problem is. [92f603e37e40] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd_conf.c: Make the default certificate and key paths match the example file. [f642836bfcf0] * logsrvd/logsrvd.c, plugins/sudoers/iolog_client.c: Warn about tls errors during startup so the user has a clue. We write messages to stderr until we become a daemon. [25ad61aa7dab] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c: Remove the tls parameter from the ServerHello message. The TLS connection is now initiated before ServerHello is received. [9d8b76f14cda] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c: Adapt sudoers iolog client to log server dual port changes. The TLS handshake now occurs before the ServerHello message is read. This fixes potential man-in-the-middle attacks and works better with TLS 1.3. [8137b029a3fe] * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c: Use port 30343 for plaintext and port 30344 for TLS. For TLS connections we now do the TLS handshake immediately before the ServerHello message. This lets the client recieve an alert from the server is there is a handshake error after the TLS connect has succeeded. It also means that the contents of the ServerHello are protected from a man-in-the-middle attack. [bb4d8b57b3dd] * include/sudo_util.h, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c: Add support for a tls flag in sudo_parse_host_port(). If the string "(tls)" appears at the end, the tls flag is set to true and the default tls port is used if necessary. [f0d9a225cd75] * logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Plug memory leaks in sudo_sendlog [886254bcae6a] * lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c: Handle EAGAIN like we do ENOMEM from poll() and select(). On some systems, poll() and select() can return EAGAIN instead of ENOMEM if there is a kernel resource shortage. In this case we just re-enter the event loop and retry. [048df2548dcc] 2020-05-03 Todd C. Miller * configure, configure.ac: Use the --embed when running "python3-config --ldflags" if supported. Newer versions of python3-config only include libpython in the output when the --embed is used. Otherwise, "python3-config --libs" and "python3-config --ldflags" only list the libraries python is dependent on and not the python library itself. [d90dc892c726] 2020-04-30 Todd C. Miller * logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: On error, remove the connection with an error without freeing the closure. Fixes the final message at the end when there is a network error. [0e1952eb707b] * lib/util/event_poll.c: Do not call poll(2) or ppoll(2) with nfds > RLIMIT_NOFILE. Both poll(2) and ppoll(2) will return EINVAL if the nfds function argument is larger than the max files per process resource limit. Prevent this by limiting the max number entries in the pfds[] array to the RLIMIT_NOFILE soft limit. [ab0f798bb024] 2020-04-29 Todd C. Miller * include/sudo_event.h, lib/util/event.c: The timeout parameter of sudo_ev_add() should be const. [de85c8897aad] 2020-04-28 Todd C. Miller * plugins/sudoers/iolog_client.c: Don't free TLS on error in tls_init(), it is freed in client_closure_free(). Fixes a double free on error introduced with the TLS state cleanup in client_closure_free(). [f1b478f2ec13] * logsrvd/logsrvd.c: Check for tls_config->dhparams_path being non-NULL before using it. [09348a25bfd2] 2020-04-23 Todd C. Miller * doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in: Document the TLS and test options. [e5f6b6c46c25] * logsrvd/sendlog.c: Allow -t option even without OpenSSL Also add -t to the usage message [d874c9a67ed6] * logsrvd/sendlog.c: Use sudo_strtonum() instead of relying on strtoll(). Older, pre-C99, systems may not include strtoll() in their C library. [a1a610bbe022] * include/protobuf-c/protobuf-c.h: Allow this to build on systems without stdint.h by using config.h. Old, pre-C99, systems may have inttypes.h but not stdint.h. [72e603875b82] 2020-04-22 Todd C. Miller * etc/sudo-logsrvd.pp, scripts/pp: Fix support for pp_systemd_disabled and check for systemd existence. On our build schroots we don't have systemctl installed but do have the /etc/systemd and /lib/systemd (or /usr/lib/systemd) directories. [93917f4130b0] * etc/sudo-logsrvd.pp: Set pp_macos_service_id instead of pp_macos_default_service_id_prefix. It is only effective to set pp_macos_default_service_id_prefix in the indivisual %service sections (and not %set) so we may was well use pp_macos_service_id which includes the service name. [84ccf13e7076] * etc/sudo-logsrvd.pp: Set launchd service id prefix to "ws.sudo." The default value in PolyPkg is "com.quest.rc." [eb581d74573e] * scripts/pp: Fix macOS package creation. [556c0051c0fc] 2020-04-21 Todd C. Miller * plugins/sudoers/iolog_client.c: Shut down the TLS connection cleanly in client_closure_free(). Also free the SSL data which is part of the client closure. [258ec8832cbd] * src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h: Fix sudoedit when running with SELinux RBAC mode. We can't use run_command() to run sesh, that will use the sudo event loop (and might run it in a pty!). There's no need to relabel the tty when copying files. Get the path to sesh from sudo.conf. Currently, for SELinux RBAC, the editor runs with the target user's security context. This defeats the purpose of sudoedit. Fixing that requires passing file descriptors between the main sudo process (running with the invoking user's security context) and sesh (runnning with the target user's security context). [81c9ec600894] * MANIFEST, src/Makefile.in, src/copy_file.c, src/sesh.c, src/sudo_edit.c, src/sudo_exec.h: Refactor the sudoedit code to copy files so it can be shared. The SELinux sudoedit code now extends the destination file the same way the non-SELinux version does. [82c44299309e] * src/sudo_edit.c: Do not remove sudoedit temporary files if we cannot overwrite the real file. The warning message says the files were preserved but they actually got removed. [685f2de6bb2e] * include/compat/glob.h, lib/util/glob.c: Make gl_pathc, gl_matchc and gl_offs size_t in glob_t to match POSIX. [c3586082d3ea] * scripts/pp: Only remove the systemd unit service file if we copied it manually. If the service file was installed as part of the package it will be removed automatically when the package is uninstalled. [e98e1493c5bf] 2020-04-20 Todd C. Miller * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in: Document TLS settings in ServerHello [22ae16f41585] 2020-04-17 Todd C. Miller * src/sudo_edit.c: Extend the original file before to the new size before updating it. Instead of opening the original file for writing w/ tuncation, we first extend the file with zeroes (by writing, not seeking), then overwrite it. This should allow sudo to fail early if the disk is out of space before it overwrites the original file. [aef4db03e9e1] * src/sudo.c: I/O log plugins should be closed *before* the policy plugin, not after. [dec6fccf63d4] * plugins/sudoers/set_perms.c: Fix typo [82b0efbb6c26] * plugins/sudoers/iolog.c: Only display error string once on I/O error. We already include the error string in the format so no need to use errno too. [59795855d6a2] * plugins/sudoers/iolog.c, plugins/sudoers/policy.c: Free passwd and group caches in I/O plugin after log_warning(), not before. The logging functions may try to use the cache via set_perms(PERM_ROOT). [652b925b9658] 2020-04-17 Laszlo Orban * logsrvd/logsrvd.c: add missing shudown of TLS connection [14b25a0f4f6b] 2020-04-16 Todd C. Miller * etc/sudo-logsrvd.pp, scripts/pp: Disable systemd support on Linux systems that don't use it. [3c01c91dbfb2] 2020-04-14 Todd C. Miller * configure, configure.ac: 1.9.0 final [acf3b4592384] * etc/sudo-logsrvd.pp, scripts/pp: Update PolyPkg from my branch with systemd support. [a7a487496209] 2020-04-09 Todd C. Miller * plugins/python/example_conversation.py, plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_io_plugin_fails_with_python_backtrace.stdout: If the signal.Signals enum is not present, search the dictionary. The Signals enum was added in Python 3.5. If it is not present we need to iterate over the dictionary items, looking for signal name to number mappings. Fixes the signal tests with Python 3.4. [22811794ed46] * plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c: Python dictionaries are sparse so we cannot use pos as an index. When converting sudo options from a dictionary to a tuple we need to track the current index into the tuple separately from the position of the dictionary entry. [07cb8a0c7f21] 2020-04-08 Todd C. Miller * etc/sudo-logsrvd.pp: Fix handling of /etc/sudo_logsrvd.conf in the sudo-logsrvd package. For rpm and deb we include the file directly and mark it volatile. For all others we copy it in the postinstall script from the example dir if the file doesn't already exist. [83264a96b923] * scripts/mkpkg: Check for the Sun Studio C compiler on Solaris under /opt. Also intialize with_python to false. [52e28d55f9a6] * po/sudo.pot: regen [faaacb7777d4] * lib/util/parseln.c: Explicitly include stdio.h for getdelim(3) [3b0bff3ef388] * logsrvd/logsrvd.c: Reload sudo.conf upon SIGUP This makes it possible to update the Debug settings in sudo.conf and have them take effect on reload. [9fb7baf9a3ad] * logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Store the result of ERR_get_error() so we can use it for both warn and debug. Otherwise, only the debug framework gets the actual error and the user won't see the problem. [039565f16d13] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Disable IPv4-mapped IPv6 addresses in the listener. Also store the host + port string and use it in error messages. [3fbac477ef6b] * configure, configure.ac, examples/Makefile.in: Install the example sudo_logsrvd.conf unless one already exists [89c41b936c44] 2020-04-07 Todd C. Miller * examples/sudo_logsrvd.conf: Make the path to logsrvd_cert.pem match the documentation. [b2a45e7c9cdb] * etc/sudo-logsrvd.pp, logsrvd/logsrvd.c: Create the pid file parent directory if it doesn't already exist. Also package the run directory in the sudo_logsrvd PolyPkg file. [ac8b573e8545] * configure, configure.ac: Sudo 1.9.0rc1 [7d437646afc2] * MANIFEST: Include all python plugin files in MANIFEST, not the directory itself. [4aa09dd70b9e] * plugins/python/example_approval_plugin.py, plugins/python/example_audit_plugin.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_io_plugin_fails_with_python_backtrace.stdout: Avoid using typing annotations so tests run with Python 3.4. [88b7048bc4a6] * plugins/python/python_plugin_common.c, plugins/python/regress/testda ta/check_loading_fails_missing_classname.stderr: Sort the list of possible plugins before printing it. This gives more reproducible error messages for the tests. [ea33f4970268] * plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_group_plugin_is_able_to_debug.log, plugins/python/regr ess/testdata/check_example_io_plugin_command_log.stored, plugins/pyt hon/regress/testdata/check_example_io_plugin_command_log_multiple1.s tored, plugins/python/regress/testdata/check_example_io_plugin_comma nd_log_multiple2.stored, plugins/python/regress/testdata/check_examp le_io_plugin_failed_to_start_command.stored, plugins/python/regress/ testdata/check_example_io_plugin_fails_with_python_backtrace.stderr, plugins/python/regress/testdata/check_loading_fails_wrong_path.stder r, plugins/python/regress/testdata/check_multiple_approval_plugin_an d_arguments.stdout, plugins/python/regress/testdata/check_python_plu gins_do_not_affect_each_other.stdout, plugins/python/regress/testhelpers.h: Use regular expressions when matching expected and actual text. [f2562728481a] * plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@info.log, plugins/python/regress/tes tdata/check_example_debugging_plugin@info.log, plugins/python/regress/testhelpers.c: Use regex to match __init__.py instead of hacking it in verify_log_lines() [8bf71289e585] * plugins/python/pyhelpers.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/plugin_approval_test.py, plugins/python/regre ss/testdata/check_example_debugging_c_calls@diag.log, plugins/python /regress/testdata/check_example_debugging_c_calls@info.log, plugins/ python/regress/testdata/check_example_debugging_py_calls@diag.log, p lugins/python/regress/testdata/check_example_debugging_py_calls@info .log, plugins/python/regress/testdata/check_example_policy_plugin_va lidate_invalidate.log, plugins/python/regress/testdata/check_loading _fails_wrong_classname.stderr, plugins/python/regress/testdata/check _multiple_approval_plugin_and_arguments.stdout, plugins/python/regress/testhelpers.h: Make most python tests pass with Python 3.4 Dictionary order is not stable in Python < 3.6 so we need to sort by key to have consistent results. The LogHandler output is also different on older Python versions. Also, don't stop running python tests after the first error. [aaa06cb5fac1] * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Increase the maximum delay again for slower systems. Otherwise we may get a spurious test failure. [6660908aa93d] * plugins/python/Makefile.in, plugins/sudoers/Makefile.in, scripts/mkdep.pl: Handle dependencies for .h files in the same directory as the source. Fixes missing header dependencies for the sudoers and python plugins. [3109dd5cf61e] * etc/sudo.pp: Remove bits for Tru64 kit-style packages [0e9a9580d76c] * MANIFEST, Makefile.in, configure, configure.ac, etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp: Split sudo_logsrvd and the python plugin into their own packages. [9aee8247f0ba] * scripts/mkpkg: Build python packages where possible. [7a2b993bb8ac] 2020-04-06 Todd C. Miller * plugins/sudoers/iolog_client.c: Don't pass a NULL submitcwd or ttyname value to the server. It is possible for the cwd and/or tty to be missing. If we send a NULL pointer to the server where it expects a string the AcceptMessage will fail to parse. [4f96d1c6e41c] * include/sudo_plugin.h: Disable -Wstrict-prototypes for sudo_hook_fn_t typedef. [15d2a1332865] * plugins/python/python_plugin_common.c: Fall back to using Py_Finalize() for Python version < 3.6 [e7ad63e57c79] 2020-04-06 Robert Manner * logsrvd/eventlog.c: logsrvd/eventlog.c: add a newline after each log message for logfile output [457f77b8f3be] * lib/iolog/iolog_fileio.c: lib/iolog/iolog_fileio.c: do not call fchown on invalid fd Fixes the warning in the log: iolog_write_info_file_json: unable to fchown 0:0 /var/log/...: Bad file descriptor [bccdaf007db8] * logsrvd/iolog_writer.c: logsrvd/iolog_writer.c: treat runuid, rungid 0 as valid (usually ==root) [5a7c447e9619] 2020-04-05 Todd C. Miller * po/eo.mo, po/eo.po, po/sr.mo, po/sr.po: Updated translations from translationproject.org [6e47dbfdba2c] 2020-04-03 Todd C. Miller * examples/Makefile.in: Install example sudo_logsrvd.conf file [c1c6f4c8119d] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Make it clear in the sudoers grammar that sudoedit needs file args. Debian bug #571621 [b6358b602623] 2020-04-02 Todd C. Miller * NEWS: Fixed Debian bugs #571621, #596631 and #669687 [6058c1c46739] * doc/sudo.man.in, doc/sudo.mdoc.in, plugins/sudoers/env.c: Truncate the command args at 4096 chars when formatting SUDO_COMMAND. We have to limit the length of SUDO_COMMAND to avoid getting E2BIG from execve(2) for very long argument vectors. The command's environment also counts against the ARG_MAX limit. Debian bug #596631 [ff1fa8e3377f] * plugins/sudoers/auth/pam.c: Do not try to delete creds we did not set. If pam_setcred() fails when opening the PAM session, we don't want to call it with PAM_DELETE_CRED when closing the session. [c31039431c46] 2020-04-01 Todd C. Miller * plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudoers.h: Add a force flag to sudo_auth_cleanup() to force immediate cleanup. This is used for PAM authentication to make sure pam_end() is called via sudo_auth_cleanup() when the user authenticates successfully but sudoers denies the command. Debian bug #669687 [98cb9d98f547] * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Increase the maximum delay for slower systems. Otherwise we may get a spurious test failure. [e4c1fffd427c] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document when cwd_optional was added. [165447e1d7fa] 2020-03-31 Todd C. Miller * NEWS, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/policy.c, src/exec.c, src/sudo.c, src/sudo.h: Add cwd_optional to command details and enable it in the sudoers plugin. If cwd_optional is set to true, a failure to set the cwd will be a warning, not an error, and the command will still run. Debian bug #598519 [a6694704d92f] * doc/sudo.man.in, doc/sudo.mdoc.in: The policy close function is responsible for closing the PAM session. [db4af211ff75] * .clang-format: Config file for clang-format 8.x and higher based on webkit style. This approximates what I want the sudo coding style to look like. Only deviations from webkit style are included. [d3ec3a8401cf] * src/exec_pty.c: Don't kill the command just because the loop exited unexpectedly. We currently have no good way to distinguish between an error executing the command and an error while the command is running. In the future, we should have additional status codes so we can tell what type of condition caused the loop to exit. For now, only kill the command if cstat is left uninitialized. [9492d60783fe] 2020-03-29 Todd C. Miller * logsrvd/logsrvd.c: Write process ID as an unsigned int (with a cast). On Solaris, pid_t may be typedef'd as a long but the actual range is 32 bits at most. [b9a818d77142] * doc/LICENSE: Add license info for a few other files. These are all ISC licensed but it is still best to have them all listed in one place. [dd37dc484ea5] * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/ca.mo, po/ca.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [58d62352abff] * lib/util/getusershell.c, lib/util/host_port.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Some new source files got created with my old email address. [ede435f55f5c] * .gitignore, .hgignore: Ignore __pycache__ directories. [5901cfb35a74] * include/sudo_iolog.h, lib/iolog/iolog_util.c, logsrvd/sendlog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: iolog_parse_loginfo() now opens the log file itself. [bf03f505fc94] * include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_util.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Write an extended I/O info log in JSON format. This will be used by sudoreplay if it exists to get more information about the command being replayed. [5fc89148c214] * MANIFEST, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, plugins/sudoers/sudoreplay.c: Parse I/O JSON info file in JSON if present. The JSON version includes more information than the original "log" file in the I/O log dir. [269ae210ea34] * logsrvd/iolog_writer.c, logsrvd/logsrvd.h: Store runenv in the I/O log info file too. [15f90fb3748f] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Create files for check_iolog_plugin in the build dir, not src dir. [bdaea95b47fc] * include/sudo_json.h, lib/iolog/iolog_fileio.c, lib/util/json.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, plugins/audit_json/audit_json.c: Do not use JSON_ARRAY with sudo_json_add_value() [c74b75adb90f] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_json.h, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_json/test1.in, lib/iolog/regress/iolog_json/test2.in, lib/iolog/regress/iolog_json/test2.out.ok, lib/iolog/regress/iolog_json/test3.in, lib/util/json.c: Add tests for the simple json parser. [9ede5000f4c7] * lib/iolog/iolog_json.c: Simply the JSON parsing code a bit. We can use a single stack for nested objects and arrays. There is also no need to track the current object and array separately. This allows us to remove the array special case when assigning a value. [4a34e528d9f0] * NEWS: Update NEWS for 1.9.0b5 changes [bf8db62788d3] * logsrvd/logsrvd.c: sudo_logsrvd now exits with an error if it cannot open any listen sockets. [47a22f71e286] * configure, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, m4/sudo.m4, pathnames.h.in: Create a pidfile for sudo_logsrvd when not run with the -n flag. [9f1b8edff6cc] * etc/sudo.pp: Add sudo_logsrvd as a service so it gets started at boot. [d2ac9eb87dbf] * plugins/sudoers/po/sudoers.pot: Update sudoers.pot with json parser warnings. [2b277f799d2e] 2020-03-19 Todd C. Miller * scripts/mkpkg: Enable OpenSSL on systems that can support it. [976370b9d9db] 2020-03-17 Todd C. Miller * config.h.in, configure, configure.ac, logsrvd/logsrvd.c: Add configure check for SSL_CTX_get0_certificate(). Dummy out verify_server_cert() if it is not present to allow building on older OpenSSL versions. Rewriting this to work with old OpenSSL is not worth the trouble. [61349d2533fe] * lib/iolog/hostcheck.c: Include stdlib.h for malloc(3) prototype. We shouldn't rely on it to be implicitly included via OpenSSL headers. [9f4f7d3d3662] 2020-03-16 Todd C. Miller * plugins/sudoers/policy.c: Only set errstr for plugin API version 1.15 and above. [780722091e9f] 2020-03-14 Todd C. Miller * NEWS: Sudo 1.8.31p1 [40629e6fd692] * src/limits.c: Ignore a failure to restore the RLIMIT_CORE resource limit. Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root. This is not a problem outside the container. [1064b906ca68] 2020-03-12 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [72ca06a294b4] * include/sudo_event.h, lib/util/event.c: Add SUDO_EV_MASK to mask off invalid event values. Now used by sudo_ev_init() to avoid bogus events. [10a5d1afa1c9] 2020-03-11 Todd C. Miller * plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c: Avoid using sprintf(), vsprintf(), strcat(), and strncat(). It is less error-prone to use functions with a return value that indicates when truncation ocurred. [21938a3b1548] * plugins/sudoers/match_digest.c: Work around two Coverity false positives; CID 208813 208815 [389bf3749ed2] * logsrvd/logsrvd.c: Fix potential use-after-free; Coverity CID 208814 [e575532efe35] * plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@info.log, plugins/python/regress/tes tdata/check_example_debugging_plugin@info.log, plugins/python/regress/testhelpers.c: Don't hard-code path to logging/__init__.py or line numbers. Allows python plugin tests to success on versions other than 3.7. [659d3d3fcb8b] * doc/LICENSE: Add copyright for the Python bindings. [cc64df1f85f2] * plugins/sudoers/match_command.c: Fix typo introduced on systems with O_PATH or O_EXEC [e8fea3eabf99] * NEWS: Update for sudo 1.9.0 [39158cb4af26] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/sudoers_version.h: Allow the ALL keyword to be specified with a digest list. [9856ed3cde7f] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/sudo_ldap.h: Allow a list of digests to be specified for a command. [e0e9ecee870b] * plugins/sudoers/ldap_util.c, plugins/sudoers/parse_ldif.c: A struct member of type ALL should have its name field set to NULL. [484b9af004af] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Allow Cmd_Alias in addition to Cmnd_Alias. Some people find using Cmd_Alias more natural. [55edb5057091] 2020-03-01 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add pam_ruser and pam_rhost sudoers flags. [b1d494440004] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h: Store the event base in the client closure. Explicitly passing the event base removes the need to set a default base. [0e4ae8d810f8] * plugins/sudoers/iolog.c: Revert change to initialize io_operations earlier. Instead, check io_operations.open for NULL which is the case for "sudo -V". Also move the early return in sudoers_io_open() for "sudo -V" until after we have initialized debugging. [0e9e7a99725d] 2020-02-28 Todd C. Miller * plugins/sudoers/iolog.c: Initialize io_operations earlier. [ab235d88f8ae] 2020-02-27 Todd C. Miller * plugins/sudoers/iolog_client.c: Mark up some remaining TODOs [847c9328a7b5] * src/conversation.c: Sudo's -S option should override the SUDO_CONV_PREFER_TTY flag. [f5737b68c0bf] * plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_module.c: Use C99 __func__ instead of gcc-specific __PRETTY_FUNCTION__ [db4f5d7c200e] 2020-02-27 Robert Manner * plugins/python/example_debugging.py, plugins/python/regress/testdata /check_example_debugging_c_calls@diag.log, plugins/python/regress/te stdata/check_example_debugging_c_calls@info.log, plugins/python/regr ess/testdata/check_example_debugging_plugin@err.log, plugins/python/ regress/testdata/check_example_debugging_plugin@info.log: plugins/python/regress: add a test and example of using the python logger [ed23b3ba375f] * MANIFEST, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/Makefile.in, plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_importblocker.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: plugins/python/sudo_module: add sudo.LogHandler so python log system can be used with sudo logsystem. Loggers use it by default (the handler is set on the root logger). If that is not the intent, it can be overridden explicitly. [45b8902ce188] 2020-02-26 Todd C. Miller * INSTALL, Makefile.in, config.h.in, configure, configure.ac, lib/iolog/iolog_fileio.c, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/sudoers.c: Add --disable-log-server and --disable-log-client configure options. These can be used to optionally disable building sudo_logsrvd and support for remote I/O logging in the sudoers plugin respectively. [bc802e022f22] 2020-02-26 Robert Manner * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_loading_fails_missing_classname.stderr, plugins/py thon/regress/testdata/check_loading_succeeds_with_missing_classname. stdout: plugins/python: autodetect ClassName field If "ClassName" is not specified, load the one and only sudo.Plugin from the module (if so), otherwise display which plugins are available from which the system admin can choose. [b9dbbf1b6e97] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/Makefile.in, plugins/python/python_plugin_common.c: plugins/python/plugin_common: add a default search path for python plugins If the ModulePath is relative, assume it is under "/usr/local/libexec/sudo/python" or wherever the sudo plugins are in a "python" subdirectory. [5f75db882754] * plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_audit_plugin_version_display.stdout, plugi ns/python/regress/testdata/check_example_debugging_py_calls@info.log , plugins/python/regress/testdata/check_example_io_plugin_version_di splay_full.stdout, plugins/python/regress/testdata/check_example_pol icy_plugin_version_display_full.stdout, plugins/python/regress/testd ata/check_multiple_approval_plugin_and_arguments.stdout: plugins/python/regress: update tests for show_version changes - plugin->show_version is not marked NULL any more. - if verbose, it also displays which python class was loaded from which file [e30a1e43e3c2] * plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python: make show_version display the plugin in verbose mode Before it only displayed the plugin version, now it also displays which python plugin is loaded to be more useful. [8c94175ead70] * plugins/python/python_plugin_approval.c, plugins/python/python_plugin_common.c: plugins/python/approval: fix show_version crash when it is not implemented For approval plugins show_version is not optional. [61f6b4679d6b] 2020-02-24 Todd C. Miller * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Avoid calling sudoers_policy_exec_setup() on error. We only want to pass the execution environment back for commands that are accepted or rejected. Also avoid potentially freeing the wrong pointer when garbage collection is enabled. [a3a202e89951] 2020-02-22 Todd C. Miller * logsrvd/eventlog.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Open event log at config time instead of open/close for each entry. If logging via syslog, do the openlog() at config time instead. We still lock the log file prior to writing to it but unlock immediately after. [3236bd001160] * lib/util/locking.c: Fix unlocking of an entire file with lockf(). Since lockf() uses the files's current offset, we need to seek to the start of the file to unlock the entire file. [e415af1de6ca] 2020-02-21 Robert Manner * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: add approval plugin to supported plugins [5034917e6902] 2020-02-20 Todd C. Miller * lib/util/util.exp.in: Add sudo_json_free_v1 to symbol exports file too. [0a91a2986952] * lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in: Regenerate dependencies to match the recent JSON changes. [5da86c77629c] * plugins/python/python_convmessage.c: Add missing check for calloc(3) failure. [589c32ff2cf1] 2020-02-19 Robert Manner * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: document approval plugin and PluginReject [9e61203dcb8d] * plugins/python/sudo_python_module.c: plugins/python/sudo_python_module.c: remove unused declaration We do not use structsequence any more. [a5570ba5ad8b] 2020-02-18 Todd C. Miller * logsrvd/logsrvd.c, logsrvd/logsrvd.h: Re-register listeners on SIGHUP. Previously, a config reload would refresh the listener address list but the changes had no effect on the actual addresses being listened on. [c1c0ada6c594] * logsrvd/logsrvd.c: Fix compilation error when not built with OpenSSL support. Adds a missing #ifdef HAVE_OPENSSL and reorders code to avoid the need for a static init_tls_server_context() prototype. [976c469eeb57] 2020-02-18 Robert Manner * plugins/python/python_plugin_common.c: plugins/python: restore the original python inittab after interpreter deinit [b78a5d995de9] 2020-02-17 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, include/sudo_json.h, lib/util/json.c, logsrvd/eventlog.c: Add support for JSON structured logging using syslog. Note that depending on the system, the default syslog buffer may not be large enough to store all the logging data. [15a6667b1198] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Add support for JSON logging in sudo_logsrvd. [8b013b899e3b] * include/sudo_json.h, lib/util/json.c, lib/util/util.exp.in, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test10.json.ok, plugins/sudoers/regress/sudoers/test9.json.ok: Rework the JSON API to write to a memory buffer, not a stdio stream. [ec4e4053e95e] * logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c: Fix support for reloading the config in sudo_logsrvd. We need to re- initialize the TLS server context. Also fix a memory leak of the TLS parameters on reload. [c4ca45502f3e] 2020-02-17 Robert Manner * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_debugging_load@diag.log, plugins/python/regress/testhelpers.c: plugins/python: only deinit interpreters when sudo unlinks the plugin This only happens when sudo unloads the last python plugin. The reason doing so is because there are some python modules which does not support importing them again after destroying the interpreter which has imported them previously. Another solution would be to just leak the interpreters (let the kernel free up), but then there might be some python resources like open files would not get cleaned up correctly if the plugin is badly written. Tests are meant to test the scenario sudo does, so I have modified them to generally do not unlink but only a few times (~per plugin type) so it does not use 48 interpreters (one gets started on every plugin->open) and it is visible at least which type of plugin fails deinit if there is an error. [13cdead652aa] * plugins/python/python_plugin_common.c, plugins/python/sudo_python_debug.c: plugins/python/debug: adapt debug refcount solution of sudoers plugin [dc815e383c39] 2020-02-16 Todd C. Miller * plugins/sudoers/iolog_client.c: The environment in the accept message is runenv not submitenv. The I/O logging plugin is passed the environment the command will run with, not the user's original environment. [b3e1ee513001] 2020-02-15 Todd C. Miller * include/sudo_compat.h, lib/iolog/iolog_fileio.c, plugins/audit_json/audit_json.c, src/utmp.c: Add compatibility define for fseeko(3). This is better than cluttering up the code with #ifdefs for obsolete systems. [a9123f768fe0] 2020-02-14 Todd C. Miller * MANIFEST, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test8.sh: Add test for #include directive without a trailing newline. [dfcfad5c7c41] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Don't require a newline at the end of include or includedir directives. [3d6aa5531609] 2020-02-14 Robert Manner * plugins/python/regress/testhelpers.c: plugins/python/regress/testhelpers.c: replace fromisoformat fromisoformat is only supported from python >=3.7 [86bf6de82376] 2020-02-13 Robert Manner * plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c: plugins/python: add missing annotations to help cpychecker [fd66659bd681] * plugins/python/python_plugin_common.c: plugins/python/python_plugin_common.c: release py_args in close even if the arguments are not used (eg. when there is no "close" call in the plugin). It was not really a memleak, because interpreter is deinitialized anyway, which frees the object. [5de8c111d40d] * plugins/python/python_plugin_approval.c: plugins/python/python_plugin_approval: fix negative ref count The python_plugin_api_rc_call function already decrements the refcount of py_args. Python avoids the double free, but the error gets shown if using python debug build. [4370af5b9092] 2020-02-12 Robert Manner * plugins/python/regress/check_python_examples.c: plugins/python/regress: still some memleak fix [c60050b79a5e] * plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python: make storing errstr more explicit The error is always stored in plugin_ctx, but it is only set into errstr if the API version is enough. (Previously it worked the opposite: we only stored the error if API level was enough.) [5b4fa733c876] * plugins/python/regress/check_python_examples.c: plugins/python/regress: strengthen errstr verification Tests did not catch the issue where errstr was not set correctly, but its pointer contained the expected data, because the memory allocator reused the same space for storing the string. Now it is either verified to be NULL, or reset to NULL. [973e52ed3f68] * plugins/python/regress/check_python_examples.c: plugins/python/regress: simplify plugin option creation [628142f39c63] 2020-02-11 Todd C. Miller * include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/sudoers_debug.c: Move duplicated code to parse plugin debug flags to libsudo_util. There's no need for four copies of sudo_debug_parse_flags(). [cfd9d624d8b1] 2020-02-11 Robert Manner * plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: plugins/python/sudo_module: let a reject also supply error message Same as sudo.PluginError exception, have a sudo.PluginReject exception as well. Added common base exception as well. [e2e36f4778d4] * plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_approval_test.py, plugins/python/regre ss/testdata/check_multiple_approval_plugin_and_arguments.stderr, plu gins/python/regress/testdata/check_multiple_approval_plugin_and_argu ments.stdout, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: plugins/python/regress: add tests for approval plugin [31bd830a36fa] * MANIFEST, plugins/python/Makefile.in, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c: plugins/python: add python approval plugin wrapper [489ef35ac957] * MANIFEST, plugins/python/Makefile.in, plugins/python/example_approval_plugin.py: plugins/python: add python approval plugin example [4ed865e04c0a] 2020-02-10 Todd C. Miller * MANIFEST, plugins/sudoers/regress/sudoers/test23.in, plugins/sudoers/regress/sudoers/test23.json.ok, plugins/sudoers/regress/sudoers/test23.ldif.ok, plugins/sudoers/regress/sudoers/test23.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test23.out.ok, plugins/sudoers/regress/sudoers/test23.sudo.ok, plugins/sudoers/regress/sudoers/test23.toke.ok: Add regress test for parsing Defaults lists. Currently only env_check, env_delete, env_keep and log_servers are lists. [dfda2dec37d3] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Clarify that approval close happens after auditing. Also fix a few typos. [8f9fb2f0b5a7] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/sample_approval/sample_approval.c, src/sudo.c: Add open and close functions to the approval plugin API. We need a close function to be able to to free memory allocated for errstr. Unlike the other plugins, the close function is called immediately after the plugin's check or show_version function. The plugin does not remain open until the command completes. [6611bafc8ace] * plugins/audit_json/audit_json.c: Use unique function names to avoid confusion with front-end functions. Also add a missing sudo_debug_enter() after debug registration. [b127b0997ecb] * scripts/log2cl.pl: Use Text::Wrap instead of perl's built-in format function. This still breaks log filename incorrectly but is a step in the right direction. [2184fe794ecb] * Makefile.in, scripts/log2cl.pl: Avoid changing directory when generating the ChangeLog file. Instead, pass the repo path to either hg or log2cl.pl [736e90c9fe6d] 2020-02-10 Robert Manner * src/sudo.c: src/sudo.c: call audit plugin close when result is a wait status [0bfe6bc588a3] * Makefile.in: Makefile.in: fix install target for out of source build The scriptdir contained a path relative to where the target was started. The scripts are called like "$scriptdir/script_name" which is fine with relative path as well, until the current directory is not changed. But things like cd $srcdir && $scriptdir/script_name fails (if building in separate build directory). [7c0958b47925] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: document python audit plugin support [2a2f6227bae0] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: document returning error string [cf32faa3805f] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: update python manual for constant -> enum changes [e2cd8737978c] 2020-02-08 Todd C. Miller * lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/sudo_parseln/parseln_test.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/logging.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/regress/noexec/check_noexec.c: Use EXIT_SUCCESS and EXIT_FAILURE more consistently. [1b78154a35f3] * src/parse_args.c, src/sudo.c, src/sudo.h: Mark main sudo usage() function __noreturn__. This splits the usage printing out into display_usage(). [400d23c2a6f1] * include/sudo_json.h, lib/util/json.c, lib/util/util.exp.in, plugins/sudoers/cvtsudoers_json.c: Use json functions from libsudo_util in cvtsudoers. [c4316ce76fe6] 2020-02-07 Todd C. Miller * plugins/sample_approval/sample_approval.c: Check localtime() return value; coverity CID 208156 [e2697b46f7e2] * plugins/audit_json/audit_json.c: Check fseeko() return value; coverity CID 207993 [3abd610ae63b] * logsrvd/sendlog.c, logsrvd/sendlog.h: Make restart and elapsed members of the closure structs not pointers. Fixes coverity CID 207992 [2dbace19cb6a] * lib/iolog/iolog_fileio.c: Check return value of sudo_lock_file(); coverity CID 207991 [e2862d70dea8] * logsrvd/logsrvd.c: Only keepalive if accept() succeeded; coverity CID 207990 [0c35e46495a2] 2020-02-06 Todd C. Miller * MANIFEST, Makefile.in, doc/Makefile.in, examples/Makefile.in, generate_test_coverage.sh, include/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, log2cl.pl, logsrvd/Makefile.in, mkdep.pl, mkinstalldirs, mkpkg, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, pp, scripts/generate_test_coverage.sh, scripts/log2cl.pl, scripts/mkdep.pl, scripts/mkinstalldirs, scripts/mkpkg, scripts/pp, src/Makefile.in: Move some scripts from the top level src dir to a scripts dir. [0be8e958cbc2] * MANIFEST, plugins/sample_approval/Makefile.in, plugins/sample_approval/sample_approval.c, plugins/sample_approval/sample_approval.exp: Add sample approval plugin that simply tests for "business hours" [8005b14fd0c7] * Makefile.in, configure, configure.ac: Add sample approval plugin that simply tests for "business hours" [9d7370fea2c3] * src/load_plugins.c: Refactor code to alloc and insert a new plugin_container. The only outlier is the policy plugin which is not part of a list since there can only be a single policy plugin. [610c6e01eb0b] * plugins/audit_json/audit_json.c: Tech audit_json about approval plugin accept/reject [b1e568bacd87] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Add an approval plugin type that runs after the policy plugin. The basic idea is that the approval plugin adds an additional layer of policy. There can be multiple approval plugins. [2b57fac1ad0b] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: plugin documentation fixes: o whitespace cleanup o show_version doesn't have an errstr argument o document runas_user and runas_group in command_info[] o add missing .El at before start of audit section [73cb9ca71ef7] 2020-02-06 Robert Manner * plugins/python/sudo_python_module.c: plugins/python/sudo_python_module.c: fix options_as_dict if no equal sign The intented behaviour was that those get skipped, but the PyList_GetItem sets the interpreter into error state, so python has raised exception. [4f99dd186eb9] * plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_audit_plugin_receives_accept.stdout, plugi ns/python/regress/testdata/check_example_audit_plugin_receives_error .stdout, plugins/python/regress/testdata/check_example_audit_plugin_ receives_reject.stdout, plugins/python/regress/testdata/check_exampl e_audit_plugin_version_display.stdout, plugins/python/regress/testda ta/check_example_audit_plugin_workflow_multiple.stderr, plugins/pyth on/regress/testdata/check_example_audit_plugin_workflow_multiple.std out: plugins/python/regress/check_python_examples: add audit_plugin tests [fcc483a569ff] * plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python/python_plugin_common: close can get custom arguments For the audit plugin. Ensure we do not fail if plugin_ctx->py_instance is NULL (because plugin init has failed). [dd1c0be3d8e7] * plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_io_plugin_fails_with_python_backtrace.stdout: plugins/python/example_*.py: document returning error string [ee55ef4a3cb6] * plugins/python/example_conversation.py, plugins/python/example_debugging.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_debugging_c_calls@info.log, plugins/python/regres s/testdata/check_example_debugging_plugin@info.log, plugins/python/r egress/testdata/check_example_io_plugin_fails_with_python_backtrace. stdout: plugins/python/example*.py: pep8 fixes (mainly line too long) [56b15859cc9a] 2020-02-05 Todd C. Miller * plugins/audit_json/audit_json.exp: Exported symbol is audit_json [a39e9cc1047b] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: Silence lint warning. [fbba7f8dc3ef] * plugins/sudoers/policy.c: Add runas_user and runas_group (if set) to command_info for audit plugin. Otherwise, the audit plugin has to look up the runas name and group by user or group ID. [711731384693] * src/tgetpass.c: Only enable pwfeedback when reading password from /dev/tty. This effectively disables pwfeedback when the -S or -A options are used. [71da469aab20] 2020-02-05 Robert Manner * plugins/python/regress/check_python_examples.c: plugins/python/regress: load/unload module for each testcase so they can start from clean state. (My problem was optional argument tests has destroyed the callbacks.) [ab90adbb9328] * plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: plugins/python: add support for callback errstr arguments Plugins can raise a sudo.PluginError exception to add context message for the failure. The callback's errstr gets filled up with the specified message. But, as sudo expects a string constant (will not free the string), we store it in the plugin context at least until next callback invocation. [240bf4c627f0] * plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_errorstr.py: plugins/python/regress: add test for callback error msg return [44a71a20f94c] * plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python_plugin_io,policy: fix version display in verbose mode Unfortunately the test did not catch this mistake, because it only searches that "Python policy plugin API version" string is present and does not check the version. [7da28d01063f] 2020-02-04 Robert Manner * plugins/python/example_conversation.py, plugins/python/example_debugging.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, p lugins/python/regress/testdata/check_example_debugging_c_calls@diag. log, plugins/python/regress/testdata/check_example_debugging_c_calls @info.log, plugins/python/regress/testdata/check_example_group_plugi n_is_able_to_debug.log, plugins/python/sudo_python_module.c: plugins/python/sudo_python_module.c: use IntEnums instead of constants It is a bit more code, but it is more "pythonic" and easier to debug as the enum values also know their names. It is also an API break, eg. sudo.RC_OK becomes sudo.RC.OK as sudo.RC will be the "type" of the enum, but I guess that is acceptable before the initial release. [2a0845428e2b] 2020-02-03 Robert Manner * plugins/python/python_plugin_policy.c: plugins/python/python_plugin_policy: add missing debug return [2bf4cc35de9c] 2020-02-03 Laszlo Orban * logsrvd/sendlog.c: fixed compiler error when sudo is configured without --enable- openssl [fb19fb96c41d] 2020-02-03 Robert Manner * MANIFEST, plugins/python/Makefile.in, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_audit_multi.inc, plugins/python/sudo_python_module.c: plugins/python: add python audit plugin wrapper [92bf3ccbd35d] * MANIFEST, plugins/python/Makefile.in, plugins/python/example_audit_plugin.py: plugins/python: add example python audit plugin [15abd19f6fdb] 2020-02-02 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_plugin.man.in: Regenerate .man.in files from .mdoc.in [6d04628b3bbb] * doc/sudo_plugin.mdoc.in: Update documentation for setbase when the given base is NULL. [03054c46d322] * plugins/sudoers/iolog_client.c, src/sudo.c: For plugin events, set the sudo event base for setbase(NULL). This makes it possible for a plugin to change the event base to a local one and then reset it back to its original value. [f95ab1a5fd5a] 2020-02-01 Todd C. Miller * plugins/sudoers/iolog_client.c: Don't display "error in event loop" on loop break reading ServerHello. We should already have displayed a more useful error message. Otherwise, we can get two "error in event loop" warnings if the TLS handshake fails (in addition to other error messages). [c42b8158ab36] 2020-01-31 Todd C. Miller * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Read ServerHello message synchronously before the command is executed. Otherwise, the command could be run before the TLS handshake completes. [4dab1676ae41] 2020-01-31 Robert Manner * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_convmessage.c: plugins/python/pyhelpers: add helpers for attribute handling to simplify code a bit. [c3eb52c88a04] 2020-01-30 Todd C. Miller * doc/sudo_plugin.mdoc.in: Document audit plugin in the sudo_plugin manual. [e2aab376bae1] * include/sudo_plugin.h, plugins/audit_json/audit_json.c, src/sudo.c: Change audit close arguments to a type and value. That way we can distinguish between different error types. [37abbe9f39b5] * MANIFEST, Makefile.in, configure, configure.ac, m4/sudo.m4, pathnames.h.in, plugins/audit_json/Makefile.in, plugins/audit_json/audit_json.c, plugins/audit_json/audit_json.exp: Example audit plugin that writes JSON output to a log file. [295d9d1a1209] * plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc, plugins/python/python_plugin_policy.c, plugins/python/regress/check_python_examples.c: Adapt python plugin to new plugin API changes [974e76db3a3a] * plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Pass back a failure or error string to the front end. The audit_failure() function now stores the failure string. This will allow an audit plugin to log the reason if the user's request is a rejected. [5bb4e000a7ec] * doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec_pty.c, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: Define a new plugin type that receives accept and reject messages. This can be used to implement logging-only plugins. The plugin functions now take an errstr argument that can be used to return an error string to be logged on failure or error. [361aab49325f] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_rand.h, lib/util/arc4random.c, lib/util/arc4random_buf.c: Add tests for arc4random_buf() and an implementation for those without. [e89dabfd5a41] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/util.exp.in, lib/util/uuid.c: Add code to generate universally unique identifiers. We create type 4, variant 1 uuids (random). [22aff362662e] * MANIFEST, include/sudo_json.h, lib/util/Makefile.in, lib/util/json.c, lib/util/util.exp.in: Add a simple API for writing JSON records. To be used by the upcoming JSON audit module. [734b29194a82] 2020-01-29 Todd C. Miller * NEWS: Sudo 1.8.31 changes. [3d12f4cb4d9f] * src/tgetpass.c: Fix a buffer overflow when pwfeedback is enabled and input is a not a tty. In getln() if the user enters ^U (erase line) and the write(2) fails, the remaining buffer size is reset but the current pointer is not. While here, fix an incorrect break for erase when write(2) fails. Also disable pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit: Joe Vennix from Apple Information Security. [4830bdf1a683] 2020-01-28 Todd C. Miller * plugins/sudoers/sudoers.c: Fix warning about unresolved host name with "sudo -l -h hostname". The resolve_host() function returns 0 on success, not bool. [9af5bb6e4036] * configure, configure.ac: Check for presence of fseeko() regardless of utmp type. [d0c254ba8311] * plugins/python/regress/check_python_examples.c: Fix typo in a test: python_policy->close not python_io->close [34d8631cc501] * lib/util/getentropy.c: Allow getentropy.c to compile when MAP_ANON is unavailable. [d707e07f1a9c] * MANIFEST, lib/util/Makefile.in, lib/util/arc4random.c, lib/util/arc4random.h: Remove multi-thread support from arc4random. Sudo is not multi- threaded so we don't need the added complexity. [77c1795e0aaa] 2020-01-28 Robert Manner * plugins/python/sudo_python_module.c: plugins/sudo_python_module: Fix double free in sudo.options_as_dict function PyArg_ParseTuple sets the py_config_tuple pointer, but it does not increment the reference count, so by decrementing, we end up freeing the argument passed in. [511aeb75a905] * plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_io_plugin_fails_with_python_backtrace.stdout: plugins/python/example_io_plugin: close the file at destroy to avoid warning of debug python build. [6730352ab2d8] 2020-01-28 Todd C. Miller * lib/util/arc4random.h, lib/util/getentropy.c: Backed out changeset 9dce3ebb2c37 MAP_SGI_ANYADDR cannot be used in place of MAP_ANON [b261d200435a] 2020-01-28 Robert Manner * plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: plugins/python: memleak fixes in test The main problem was that string array objects were constructed differently: - if constructed by the test, then the elements were constant - if constructed by the plugin, then the elements were allocated Modified it so that now each array contains allocated strings so they can be handled similarly. For freeing, I have used the str_array_free function from the plugin, so I have linked its object into the test runner. Happy path is now free of "definitely lost" memleaks, so the test can be used for valgrind. [657ffd948be5] 2020-01-28 Laszlo Orban * logsrvd/sendlog.c, logsrvd/sendlog.h: Refactor sudo_sendlog in order to be able to send one I/O log multiple times in parallel (for testing purposes) [c9afea455ab6] 2020-01-27 Todd C. Miller * lib/util/arc4random.h, lib/util/getentropy.c: Fix compilation on IRIX; Bug #915 IRIX lacks MAP_ANON (and MAP_ANONYMOUS) but we can use the IRIX-specific flag MAP_SGI_ANYADDR instead. From Kazuo Kuroi [9dce3ebb2c37] 2020-01-24 Todd C. Miller * plugins/sudoers/check.c: Fix crash in sudo 1.8.30 when suspending sudo at the password prompt. The closure pointer in sudo_conv_callback was being filled in with a struct getpass_closure ** instead of a struct getpass_closure *. The bug was introduced in the fix for Bug #910; previously the closure variable was a struct getpass_closure, not a pointer. Fix from Michael Norton; Bug #914. [011b6a7663ef] 2020-01-24 Robert Manner * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python: use separate python interpreter for each plugin On each plugin initialization we create a separate python interpreter which gets stored in the plugin_ctx. The main interpreter is stored in py_ctx and is used for creating more interpreters (if more plugins get loaded) and final python deinitialization. The "traceback" module import and the ImportBlocker initialization was moved, because it has to happen inside the plugin specific interpreters. [eb9308e5eacb] * plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_conflict.py, plugins/python/regress/te stdata/check_python_plugins_do_not_affect_each_other.stdout: plugins/python/regress: add a failing textcase about python plugins affect each other Since python plugins are run inside the same interpreter, they affect each other's state, which would be better to avoid. [1628425d608c] 2020-01-23 Todd C. Miller * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in: Document new tls_verify setting. [3e4bc6e4d301] * config.h.in, configure, configure.ac: Use AC_CHECK_DECLS when checking for SSL_CTX_set_min_proto_version Also use AC_CHECK_FUNCS to check for the other OpenSSL functions [f3e36090a31e] 2020-01-23 Robert Manner * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: update doc about the multiple I/O plugin loading [08e7c479954b] * plugins/python/Makefile.in: plugins/python/Makefile.in: update autogenerated header dependencies [54c0c7f11046] * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_io_plugin_command_log_multiple.stderr, plugins/python/sudo_python_module.c: plugins/python/pyhelpers: have a default sudo_printf function Adapted the default sudo_printf from sudoers plugin to be able to print errors before plugin open() gets called. (This is used by the multiple io plugin loading to display error for too much plugin load.) Since this makes us always have a sudo_log, I have removed the logic about whether it is available or not. [fdd4842b3ba2] * src/load_plugins.c: src/load_plugins.c: plugins can supply a clone function if they want to support getting loaded multiple times. [33ff0027f686] 2020-01-23 Laszlo Orban * examples/sudo_logsrvd.conf, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c: logserver option to disable certificate verification on server side and server authentication on client side [9b171f3af727] 2020-01-22 Todd C. Miller * src/load_plugins.c: Refactor code to allocate and fill struct plugin_container. This will help avoid duplicate code in the audit and approval plugins. [8ad9ba987131] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, examples/sudo_logsrvd.conf: Document TCP keepalive options in the manual pages. [7afe9293b503] * doc/CONTRIBUTORS: Add proper diacritical to Róbert's name. [9ca9ea59cdd4] 2020-01-22 Robert Manner * plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_io_plugin_command_log_multiple.stderr, plu gins/python/regress/testdata/check_example_io_plugin_command_log_mul tiple.stdout, plugins/python/regress/testdata/check_example_io_plugi n_command_log_multiple1.stored, plugins/python/regress/testdata/chec k_example_io_plugin_command_log_multiple2.stored, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: plugins/python/regress: add a testcase for multiple io plugin loading to verify 2 python plugins can work next to each other. [916dd4f44bcf] 2020-01-22 Laszlo Orban * include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Rename tls_checkpeer to tls_reqcert in ServerHello message [b69630f1f5b4] 2020-01-22 Robert Manner * plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c: plugins/python: fix return value typo for the error case [a7088391d8fb] 2020-01-21 Todd C. Miller * etc/sudo.pp, examples/Makefile.in, examples/sudo.conf.in: Install a default sudo.conf file. [e2b4613cced9] * aclocal.m4, autogen.sh, config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c: Add support for building on OpenSSL 1.0.2. This adds compatibility defines for some OpenSSL 1.1.x functions. [17e50378c8ee] 2020-01-21 Robert Manner * plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc: plugins/python/plugin_io: enable loading of multiple io plugins Separate sudo io plugin symbols are created which stores wrapper functions adding the context of which python plugin the callback is about. These sudo io plugin "slots" get generated with macros by the preprocessor. This makes sudo support loading multiple python IO plugins like this: (note the differences in the symbol names) Plugin python_io python_plugin.so ModulePath=... ClassName=SudoIOPlugin1 Plugin python_io1 python_plugin.so ModulePath=... ClassName=SudoIOPlugin2 Plugin python_io2 python_plugin.so ModulePath=... ClassName=SudoIOPlugin3 [cb45052d227a] 2020-01-21 Laszlo Orban * plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c: sudoers: disable SO_KEEPALIVE socket option based on log_server_disable_keepalive flag in sudoers [ad48ee6fbcb7] * examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: logserver: enable/disable SO_KEEPALIVE socket option based on tcp_keepalive configuration option in sudo_logsrvd.conf [c0d919468e95] 2020-01-20 Todd C. Miller * include/hostcheck.h: No need to export the validate_hostname() symbol. We don't export symbols in convenience libraries, only installed DSOs. [f26897793700] * lib/iolog/hostcheck.c: Fix a few pointer signedness warnings on Linux. [6a4f68430e69] * include/sudo_compat.h, lib/iolog/hostcheck.c, logsrvd/logsrvd.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, src/net_ifs.c: Store the server host name and IP in client_closure_fill(). Also check for getpeername() and inet_ntop() failure. [22df6ff5fcaf] * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Fix handling of SSL_ERROR_WANT_{READ,WRITE} during normal I/O. If we get SSL_ERROR_WANT_WRITE during SSL_read(), we need to resume the SSL_read(), not call SSL_write() as we were doing. Likewise for SSL_ERROR_WANT_READ received from SSL_write(). This introduces a flag so we call the proper callback even when the I/O direction doesn't match the read/write calls. [7162125ad7b7] * lib/util/Makefile.in: Add siglist.c and signame.c as dependencies for depend target. Fixes running "make depend" in lib/util dir when siglist.c or signame.c are not already present. [9d7aa4107136] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add abs_top_srcdir and abs_top_builddir and use them. Configure provides absolution versions of srcdir, builddir, top_srcdir and top_builddir. We can use these instead of calling pwd. [597ba26af997] 2020-01-20 Robert Manner * plugins/python/Makefile.in: plugins/python/Makefile.in: remove path prefix from examples to make install target work [ba31bde08e17] 2020-01-19 Todd C. Miller * lib/iolog/Makefile.in: Rebuild dependencies after hostcheck.c include changes. [3a4e808e5038] 2020-01-18 Todd C. Miller * include/hostcheck.h, lib/iolog/hostcheck.c, logsrvd/logsrvd.c, plugins/sudoers/iolog_client.c: Add debugging statements to certificate checks. [81f813c8c1f1] * MANIFEST, lib/iolog/Makefile.in, lib/iolog/hostcheck.c, plugins/sudoers/iolog.c: Portability fixes and correct path to hostcheck.h in MANIFEST. Include sys/socket.h for getpeername(). Link with -lnsl on Solaris to get inet_pton(). [060371a21669] * lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Using "libtool --clean" to remove regular files is slow. We only need to use libtool's clean mode to remove files created by libtool. [510af2b052c6] 2020-01-17 Todd C. Miller * .gitignore, .hgignore: Add examples/sudo.conf to ignore files. [9eb86d1b8661] * doc/sudo.conf.mdoc.in, examples/sudo.conf.in: Remove whitespace at the end of the line in example sudo.conf [88b0ae1f8a18] * doc/sudo_plugin_python.mdoc.in: Fix mdoc lint warnings by removing .Pp before and after .Ss. [e59218682d7f] 2020-01-17 Robert Manner * plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: plugins/python/regress: add missing license texts [b0e4b41b2834] 2020-01-16 Todd C. Miller * logsrvd/logsrvd.c: Fix TLS accept when SSL_accept() returns SSL_ERROR_WANT_WRITE. We need to switch from SUDO_EV_READ to SUDO_EV_WRITE for this case. [71ada9bfa056] * logsrvd/sendlog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Fix TLS connect when SSL_connect returns SSL_ERROR_WANT_READ. We need to switch from SUDO_EV_WRITE to SUDO_EV_READ for this case. Also make the tls connect events private to tls_timed_connect() with their own closure. There is no need to store them in the client closure. [afda37d1dd26] * logsrvd/iolog_writer.c: Store submit time in struct iolog_info. Fixes missing time stamp in remote I/O log info file. [dcd1dfa00646] * src/sudo_edit.c: Treat EROFS (like EACCES) as a non-fatal error in dir_is_writable(). Fixes sudoedit on macOS 10.15 and above where the root file system is mounted read-only. See https://support.apple.com/en-us/HT210650. From Dan Villiom Podlaski Christiansen. Bug #913 [cc636a1af1b6] 2020-01-15 Todd C. Miller * lib/util/event.c, plugins/sudoers/iolog_client.c: Really fix flushing of data in client_close(). Now that we call fmt_exit_message() from client_close() we do not need to try to determine whether the read or write events were pending in the old base. We can't tell anyway because the active flag in the event was cleared when the old sudo event base was destroyed. It is correct to enable both the read and write events after formatting the ExitMessage. [c59e77060c37] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c: Use SUDOERS_DEBUG_* not SUDO_DEBUG_* in debug_decl() for the sudoers plugin. [2d0c049e689e] * src/sudo.c, src/sudo_plugin_int.h: Wrap calls to plugin event callbacks to use the plugin's debug instance. Otherwise, the debug output in a plugin's event callback will go to the sudo debug file, not sudoers. [02e227cfc715] * lib/util/regress/strsig/strsig_test.c: FreeBSD is missing SIGLWP (aka SIGTHR) in sys_signame[]. Don't test SIGLWP on FreeBSD where it is reserved for the thread library and is not listed in sys_signame[]. [95cbafc79b4d] * configure, configure.ac: We want to use DT_RUNPATH in preference to DT_RPATH in ELF binaries. Otherwise, LD_LIBRARY_PATH does not work when running the tests. The GNU linker's --enable-new-dtags can be used to do this. We don't do this on NetBSD where RPATH already supports LD_LIBRARY_PATH. [2c6c9a348d81] 2020-01-15 Laszlo Orban * plugins/sudoers/Makefile.in, plugins/sudoers/iolog_client.c: do server identity validation in iolog plugin [b1bec55bbed6] * logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h: do client identity validation in logserver [e415409dfe0b] * MANIFEST, include/hostcheck.h, lib/iolog/Makefile.in, lib/iolog/hostcheck.c: implement host validation for the audit server SSL certificates [7f48e57bece2] 2020-01-14 Todd C. Miller * plugins/sudoers/sudoers_debug.c: Fix reference counting when both sudoers policy and I/O log are loaded. If both sudoers policy and I/O log plugins are loaded, debug_files will be empty when the I/O plugin is initialized. This changes the logic to always increase the reference count if the instance is valid. [18adfeb3727b] * src/load_plugins.c: Fix handling of duplicate policy and I/O plugins. The warning message said the later I/O plugin was ignored but it actually overwrote the existing one instead. The first registered plugin of the same name now is used, as was intended. Specifying more than one policy plugin is no longer a fatal error; this allows the admin to fix the situation. [dde476072346] 2020-01-14 Robert Manner * aclocal.m4, configure, configure.ac, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.h: plugins/python: various portability improvements [d6aa5e2585ef] * plugins/python/example_conversation.py, plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_conversation_plugin_reason_log_with_suspend.stdout, p lugins/python/regress/testdata/check_example_io_plugin_command_log.s tored, plugins/python/regress/testdata/check_example_io_plugin_fails _with_python_backtrace.stdout: plugins/python/example_{io,conversation}: avoid printing signal number They are platform dependant, so their test would fail on some platforms. While we could create separate plugin for the tests, I like the idea that the examples are ensured to be working. I believe this is a good compromise for being able to auto update the test cases. [7b46d305e7d9] * plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c: plugins/python/regress: load the python plugin dynamically instead of linking with it. [084c61e7d565] 2020-01-11 Todd C. Miller * src/sudo_edit.c: For sudoedit_checkdir consider a user-owner directory to be writable. The non-faccessat() code already did this so this just brings the faccessat() path into alignment. Bug #912 [91a1a9c0ba40] 2020-01-10 Todd C. Miller * doc/CONTRIBUTORS: Add newline before list of artwork authors. [1be0fe5f7d7a] * doc/LICENSE: Update copyright year. [f4ef4c1990af] 2020-01-10 Robert Manner * plugins/python/example_policy_plugin.py: plugins/python/example_policy_plugin.py: extend user env changing example Make the demonstration extend the environment with a new variable. Easier to read, and makes the testing able to check for that it is working. [77c09cc38298] * generate_test_coverage.sh: generate_test_coverage.sh: example script to ease test coverage generation Uses lcov and genhtml to generate test coverage. It is meant to be run in a clean directory. Extra configure options can be added as script arguments. Example execution: mkdir build cd build ../generate_test_coverage.sh --enable-python [a52c480639aa] 2020-01-09 Todd C. Miller * plugins/sudoers/logging.c: Remove MAXSYSLOGTRIES, it is no longer used. [dbd274fd8330] 2020-01-09 Robert Manner * plugins/python/python_plugin_common.c, plugins/python/python_plugin_policy.c: plugins/python/python_plugin_policy: fix validate() call When calling validate() python function, TypeError exception was thrown ("argument list must be a tuple"), because the call does not have arguments, and python does not accept empty tuple for execution. NULL must be used instead, which was handled as argument construction failure previously. [5ac3c2acee9b] * plugins/python/example_policy_plugin.py: plugins/python/example_policy_plugin.py: make allowed_commands ordered Storing them as "tuple" instead of "set", so they have a fix order. This makes the output of the list() example stable. ("set" is printed out in random order) [470ccf46a088] * plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/python_plugin_common.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python: fix confusing version display IO/Group/Policy Python API version is displayed instead of sudo version, because that is not very meaningful in this context. They are only displayed in verbose mode. Example plugins express it more concrete that they are displaying their version, not the API version. [af9d969231a9] 2020-01-08 Robert Manner * plugins/python/example_conversation.py: plugins/python/example_conversation.py: make log path configurable Similarly to IO plugin example. (It is easier to test it this way.) [6526a842ee21] 2020-01-07 Todd C. Miller * src/sudo.c: Iterate over io_plugins list in the iolog_* wrappers. Moving the iteration into the wrapper functions simplifies the calling code. [1e803fb8fd1f] * src/sudo.c: policy_plugin is global, no need to pass it to policy_* functions. [676c85f87b3c] * configure, configure.ac: If --enable-openssl or --enable-gcrypt is given a path, append to LDFLAGS. Previously we appended the path to SUDOERS_LDFLAGS but now that we use OpenSSL in the log server, LDFLAGS is the correct one to use. [8b30cffe500f] * doc/CONTRIBUTORS: Add Robert Manner [fe8bb27dcff3] 2020-01-07 Robert Manner * plugins/python/example_io_plugin.py: plugins/python/example_io_plugin.py: fix backtrace during destructor If the plugin fails to open the file for writing, constructor will raise an exception and exit before creating the "_log" member variable. So the destructor will also raise a backtrace. (Which python ignores, but dumps out to stderr.) [09cfa2edb38c] * plugins/python/python_plugin_common.c: plugins/python/python_plugin_common: raise debug level for module import [b261d22e3c2e] * plugins/python/regress/testdata/check_example_conversation_plugin_re ason_log_with_suspend.conversation, plugins/python/regress/testdata/ check_example_conversation_plugin_reason_log_with_suspend.stderr, pl ugins/python/regress/testdata/check_example_conversation_plugin_reas on_log_with_suspend.stdout, plugins/python/regress/testdata/check_ex ample_conversation_plugin_reason_log_with_suspend.stored, plugins/py thon/regress/testdata/check_example_conversation_plugin_reason_log_w ithout_suspend.conversation, plugins/python/regress/testdata/check_e xample_conversation_plugin_reason_log_without_suspend.stderr, plugin s/python/regress/testdata/check_example_conversation_plugin_reason_l og_without_suspend.stdout, plugins/python/regress/testdata/check_exa mple_conversation_plugin_reason_log_without_suspend.stored, plugins/ python/regress/testdata/check_example_conversation_plugin_user_inter rupts.conv, plugins/python/regress/testdata/check_example_conversati on_plugin_user_interrupts.conversation, plugins/python/regress/testd ata/check_example_conversation_plugin_user_interrupts.stderr, plugin s/python/regress/testdata/check_example_conversation_plugin_user_int errupts.stdout, plugins/python/regress/testdata/check_example_debugg ing_c_calls@diag.log, plugins/python/regress/testdata/check_example_ debugging_c_calls@info.log, plugins/python/regress/testdata/check_ex ample_debugging_load@diag.log, plugins/python/regress/testdata/check _example_debugging_plugin@err.log, plugins/python/regress/testdata/c heck_example_debugging_plugin@info.log, plugins/python/regress/testd ata/check_example_debugging_py_calls@diag.log, plugins/python/regres s/testdata/check_example_debugging_py_calls@info.log, plugins/python /regress/testdata/check_example_debugging_sudo_cb@info.log, plugins/ python/regress/testdata/check_example_group_plugin_is_able_to_debug. log, plugins/python/regress/testdata/check_example_io_plugin_command _log.stderr, plugins/python/regress/testdata/check_example_io_plugin _command_log.stdout, plugins/python/regress/testdata/check_example_i o_plugin_command_log.stored, plugins/python/regress/testdata/check_e xample_io_plugin_failed_to_start_command.stderr, plugins/python/regr ess/testdata/check_example_io_plugin_failed_to_start_command.stdout, plugins/python/regress/testdata/check_example_io_plugin_failed_to_st art_command.stored, plugins/python/regress/testdata/check_example_io _plugin_fails_with_python_backtrace.stderr, plugins/python/regress/t estdata/check_example_io_plugin_fails_with_python_backtrace.stdout, p lugins/python/regress/testdata/check_example_io_plugin_version_displ ay.stderr, plugins/python/regress/testdata/check_example_io_plugin_v ersion_display.stdout, plugins/python/regress/testdata/check_example _io_plugin_version_display.stored, plugins/python/regress/testdata/c heck_example_policy_plugin_accepted_execution.stderr, plugins/python /regress/testdata/check_example_policy_plugin_accepted_execution.std out, plugins/python/regress/testdata/check_example_policy_plugin_den ied_execution.stderr, plugins/python/regress/testdata/check_example_ policy_plugin_denied_execution.stdout, plugins/python/regress/testda ta/check_example_policy_plugin_failed_execution.stderr, plugins/pyth on/regress/testdata/check_example_policy_plugin_failed_execution.std out, plugins/python/regress/testdata/check_example_policy_plugin_lis t.stderr, plugins/python/regress/testdata/check_example_policy_plugi n_list.stdout, plugins/python/regress/testdata/check_example_policy_ plugin_validate_invalidate.log, plugins/python/regress/testdata/chec k_example_policy_plugin_version_display.stderr, plugins/python/regre ss/testdata/check_example_policy_plugin_version_display.stdout, plug ins/python/regress/testdata/check_loading_fails_missing_classname.st derr, plugins/python/regress/testdata/check_loading_fails_missing_cl assname.stdout, plugins/python/regress/testdata/check_loading_fails_ missing_path.stderr, plugins/python/regress/testdata/check_loading_f ails_missing_path.stdout, plugins/python/regress/testdata/check_load ing_fails_not_owned_by_root.stderr, plugins/python/regress/testdata/ check_loading_fails_not_owned_by_root.stdout, plugins/python/regress /testdata/check_loading_fails_wrong_classname.stderr, plugins/python /regress/testdata/check_loading_fails_wrong_classname.stdout, plugin s/python/regress/testdata/check_loading_fails_wrong_path.stderr, plu gins/python/regress/testdata/check_loading_fails_wrong_path.stdout: plugins/python/regress/testdata: generated data for the pyplugin tests [cec6c9036644] * plugins/python/example_debugging.py: plugins/python/example_debugging: fix typo in comment [38de8ea0b0e9] 2020-01-06 Laszlo Orban * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: save a pointer to the currently connected audit server in the closure object [f1c14c43ab40] 2020-01-05 Todd C. Miller * plugins/sudoers/timestamp.c: Sanity check size when converting the first record to TS_LOCKEXCL Coverity CID 206591 [5b94873c4051] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c: Fix coverity CID 206586. Potential use after free calling gzstrerror() after gzclose(). [4bcba58004c8] * plugins/sudoers/cvtsudoers.c: Use canonical pattern when freeing a tail queue. Avoids some coverity false positives when using TAILQ_FOREACH_SAFE to free the tail queue. [9019d7ad9958] 2020-01-03 Robert Manner * MANIFEST, plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/sudo.conf.developer_mode, plugins/python/regress/testdata/sudo.conf.normal_mode, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h: plugins/python/regress: adds tests for python plugin feature and examples [7ab4daed9558] 2020-01-03 Todd C. Miller * plugins/sudoers/iolog_client.c: Avoid potential NULL deref in tls_timed_connect() error path. Coverity CID 206396 [730687307b24] * logsrvd/sendlog.c: Check for sudo_ev_add() failure; Coverity CID 206395 206397 [7008560eac95] 2020-01-02 Todd C. Miller * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in: Update sample sudo.conf with all supported settings. The deprecated "max_groups" setting is not documented. [e17f7bf95578] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_parseln/test1.in: Remove POD-style C<> markup (typewriter font) from sudo.conf [b69d4743c860] * MANIFEST, configure, configure.ac, examples/Makefile.in, examples/sudo.conf, examples/sudo.conf.in: Substitute plugin dir into examples/sudo.conf [8c481a21c098] 2020-01-02 Robert Manner * plugins/sudoers/sudoers_debug.c: plugins/sudoers/sudoers_debug.c: fix harmless debug deregistration warning If the debug sudoers subsystem is not registered, because it does not get any file names to deal with (TAILQ_EMPTY(debug_files)), deregistration of the subsystem outputs a warning: sudo: sudo_debug_deregister_v1: invalid instance ID -1, max -1 This patch prevents that by only increasing the refcount if the debug_instance was registered successfully. [939042599498] * plugins/python/Makefile.in: plugins/python/Makefile.in: fix the install path of examples Examples are installed by default to "docdir", which refers to PACKAGE_TARNAME variable which was empty for the python plugin Makefile.in So the examples were installed to '.../share/doc/examples' instead of '.../share/doc/sudo/examples'. This also made them be skipped from the package. Also the install target now depends on install-doc so the examples gets installed also (similarly as other examples). [e4c07404a3fc] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: doc/sudo_plugin_python: indent code examples for easier readability [c91ee22bfc83] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: doc/sudo.conf: document developer_mode option [127215dca183] 2019-12-31 Todd C. Miller * doc/UPGRADE: fix typo in previous [3031418fba2b] * Makefile.in: In update-pot match *.c not *c. [77a1139fef99] * NEWS, doc/UPGRADE: Changes in sudo 1.8.30 [dfaac62074f4] 2019-12-26 Todd C. Miller * Makefile.in: Add check for up to date def_data.[ch] in check-dist target. [ffaf150e76a5] 2019-12-25 Todd C. Miller * src/limits.c: Use 64-bit resource limits on AIX. [b8b76c47c8a7] * src/limits.c: When restoring old resource limits, try to recover if we receive EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft limit is lower than the current resource usage. This can be a problem when restoring the old stack limit if sudo has raised it. [50bdbdbea1b7] * src/limits.c: Sudo doesn't require such a large stack. [f93eb9e0c105] * plugins/sudoers/Makefile.in: Restore check for readable /etc/sudoers in pre-install target. If there is no installed sudoers there is nothing to check... [99e65bc54052] * config.h.in, configure, configure.ac: Enable OpenBSD extensions on NetBSD to get reallocarray(3) prototype. [e303dca0c1cb] * include/sudo_event.h: Add forward declaration of struct timeval for deprecated APIs. [e41bdbbbc067] * lib/util/sig2str.c, lib/util/str2sig.c: Fix compilation on systems with SIGRTMIN/SIGRTMAX but not _SC_RTSIG_MAX. [8e40c62e00f8] * include/sudo_compat.h: Older systems may not support WCONTINUED. [730bede52ff0] * plugins/sudoers/logging.c: Support systems that have nl_langinfo(3) but not the CODESET define. Fixes compilation on old NetBSD versions. [03e7cff93172] * plugins/sudoers/starttime.c: Fix a typo; HAVE_KINFO_PROC2_NETBSD not HAVE_KINFO_PROC2_NETBSD2 [0c46a062f888] 2019-12-23 Todd C. Miller * MANIFEST, Makefile.in, configure, configure.ac, etc/init.d/aix.sh.in, etc/init.d/hpux.sh.in, etc/init.d/sudo.conf.in, etc/sudo.pp, init.d/aix.sh.in, init.d/hpux.sh.in, init.d/sudo.conf.in, src/Makefile.in, sudo.pp: Move init.d and sudo.pp to the etc dir. [81c9cbbc8ea9] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/cfmakeraw.c: Add cfmakeraw() for systems without it. [48f48eaf2a68] * MANIFEST: Remove indent.pro from MANIFEST [2b6a24282b8c] * .gitignore, .hgignore: Add uncrustify.files to ignore file. [056b0df738a9] * doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: Substitute @prefix@ in for the example paths. We can't use @exampledir@ here since it contains Makefile variables. [1744e2bcc813] 2019-12-22 Todd C. Miller * include/sudo_debug.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/util/aix.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/host_port.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/mkdir_parents.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_debug.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: debug_decl and debug_decl_vars now require a semicolon at the end. [c05890653007] 2019-12-21 Todd C. Miller * MANIFEST, doc/Makefile.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in: Add sudo_plugin_python manual page. Based on markdown docs from Robert Manner. [65f2af21832d] 2019-12-18 Todd C. Miller * plugins/sudoers/sudoers.c, src/limits.c: Output the name of the limit when warning about setrlimit or getrlimit. From Kimmo Suominen. [92ed66b5cc1f] 2019-12-14 Todd C. Miller * aclocal.m4, config.h.in, configure: regen [81961af46679] * MANIFEST: Add python module files to MANIFEST [f223a19117bb] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Update SUDO_CONV_REPL_MAX in docs. [120970879b36] * Makefile.in: Remove uncrustify.files in clean target [ba843b8f2e80] 2019-12-13 Todd C. Miller * Makefile.in, etc/uncrustify-small.cfg, etc/uncrustify.cfg, indent.pro: Add uncrustify config file for new sudo code style. [7c3b3f733134] * include/sudo_plugin.h: Bump SUDO_CONV_REPL_MAX from 255 to 1023 [9127fb27eb55] * lib/util/digest_gcrypt.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c: Minor style cleanups. Remove extraneous break after return statement. Convert two old K&R function declarations. [19f8b7a3d2d1] 2019-12-11 Todd C. Miller * src/selinux.c: Save/restore the raw form of the file context in case mctrans is not available. [786a04ba33ab] 2019-12-10 Robert Manner * plugins/python/python_plugin_common.c: plugins/python: make group plugin able to debug It does not get the debug settings, so it looks them up through sudo_conf. [fe4dbf8345b6] * include/sudo_conf.h, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok, lib/util/regress/sudo_conf/test8.err.ok, lib/util/regress/sudo_conf/test8.in, lib/util/regress/sudo_conf/test8.out.ok, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/group_plugin.c, src/load_plugins.c: src/load_plugins, plugins/sudoers: added developer_mode sudo.conf option It can be used to disable the enforcement that a plugin (shared object or an imported python module) must be owned by root and not modifiable by others. This can make plugin development easier. [a9f86943d30c] 2019-12-09 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_compat.h, lib/util/Makefile.in, lib/util/getusershell.c, mkdep.pl, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add runas_check_shell flag to require a runas user to have a valid shell. Not enabled by default. [9e7936e0ccfe] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c: Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs. Previous, sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias. With this change, the admin must explicitly enable support for unknown IDs. [ebdbb5c7f60b] 2019-12-07 Todd C. Miller * lib/util/term.c: Use cfmakeraw() in sudo_term_raw() instead of doing it manually. [b8ff5f81399f] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Fix event loop called via I/O log close function. We need to set events that were pending in the old base in the new one. Fixes sending the final I/O log data and the ExitMessage to the server. [dcba4ce2196c] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/sudo.c: Replace timeleft with pending in sudo plugin event API. [5f49af23af38] * plugins/sudoers/sudoreplay.c: Use sudo_ev_pending() instead of the deprecated sudo_ev_timeleft(). [c6cce5275f1e] * include/sudo_event.h, lib/util/event.c, lib/util/util.exp.in: Add sudo_ev_pending(), used to check whether an event is pending. [edcea66bda32] * plugins/sudoers/Makefile.in: Add TLS libs when linking check_iolog_plugin [d84a5f5c6bc1] 2019-12-06 Todd C. Miller * plugins/sudoers/iolog_client.c: Remove extraneous newlines in some sudo_warnx() calls. [d3dbf0f93372] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document log_server_cabundle, log_server_peer_cert and log_server_peer_key [edea4d048221] * Merge pull request #16 from laczau/master Proper handling of certificate chain file [44939e511321] 2019-12-06 Laszlo Orban * logsrvd/logsrvd.c: cert files can contain the full chain of trust, so load all certs in every case for verification [ca26bb970ef5] 2019-12-05 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Sync init_session() prototype with sudo_plugin.h and fix a typo. [1501cdfa8e76] 2019-12-05 Robert Manner * plugins/python/example_conversation.py, plugins/python/example_debugging.py: plugins/python: example plugin demonstrating conversation and debug API [e487d2240607] * include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in: lib/util/sudo_debug.c: add a function for querying if debugging is needed for a level. Rationale: this way we can avoid computing details for the log which will not happen at all if the computation is slow. [d636c26d192d] 2019-12-04 Todd C. Miller * plugins/sudoers/check.c: Only update the time stamp entry after the approval function has succeeded. Bug #910 [9b2022e6f11d] 2019-12-04 Robert Manner * plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h: plugins/python: add sudo debug helpers [1d48021e86ad] 2019-12-04 Todd C. Miller * Merge pull request #14 from sudo-project/tls-config-default-values Audit Server - add default values for cert paths [f30a48f8b5d5] 2019-12-04 Laszlo Orban * logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c: add default values for cert paths [a76ca8a3ca9f] 2019-12-03 Todd C. Miller * lib/util/sudo_debug.c: Add reference counting to debug register/deregister. Fixes a potential problem when an instance is re-registered. [270e739fd0b3] * plugins/sudoers/sudoers_debug.c: Only deregister the sudoers debug instance on last close. Reference count calls to sudoers_debug_register and only deregister sudoers_debug_instance when refcnt reaches 0. Fixes a problem where the debug system was deregistered when the sudoers policy is closed even though the iolog plugin is active. [2b73f3e9fc32] 2019-12-02 Robert Manner * plugins/python/python_importblocker.c: plugins/python: add ImportBlocker which forbids loading unsafe python modules If non root can alter any imported python modules, he is able to run anything he would like to as root user. This class is a helper to avoid such situation. This feature can be disabled with 'DeveloperMode=1' plugin option. [26be6228724f] 2019-11-28 Laszlo Orban * plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: implement tls layer in iolog plugin [c25837909952] * plugins/sudoers/iolog.c, plugins/sudoers/policy.c: process tls config options [510fdfd39d71] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in: add audit server tls related configuration options to sudoers [f4135025ff1d] * plugins/sudoers/Makefile.in: optionally link sudoers with openssl libs [750f87200eab] 2019-11-27 Laszlo Orban <43516882+laczau@users.noreply.github.com> * logsrvd/logsrvd.c: Merge pull request #11 from sudo-project/audit-server-tls-async Sudo audit Server - TLS protocol update [923f6d914ec5] 2019-11-26 Laszlo Orban * logsrvd/logsrvd.c: disable timeout for the reader after ServerHello message [e579450aafa1] 2019-11-25 Todd C. Miller * logsrvd/logsrvd.c: Exit if the first call to logsrvd_conf_read() fails. It is not fatal if subsequent calls fail (due to SIGHUP) since we keep a copy of the old config before installing the new one. [c20866ea9d03] * Makefile.in, plugins/sudoers/Makefile.in: Add some missing files to "make clean" and "make distclean" [d1b559e9e1ab] * .gitignore, .hgignore: Update .hgignore and convert to .gitignore [c8b92b55e74a] 2019-11-22 Laszlo Orban * logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: use event timeout instead of socket timeout [5c72d1d18aec] * logsrvd/sendlog.c, logsrvd/sendlog.h: adapt sudo sendlog (async communication, unencrypted ServerHello message) [0269d852f6c6] * logsrvd/logsrvd.c, logsrvd/logsrvd.h: ServerHello message is now unencrypted, TLS communication has been refactored to full async [d138cbe2253e] * include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c: extend ServerHello message with two fields (tls, tls_checkpeer) [6d7965d29cd4] 2019-11-21 Robert Manner * Makefile.in: Makefile.in: fix calling log2cl when doing out of source build If doing build out of source and not calling configure by absolute path, $(top_srcdir) variable will contain a path relative to the directory we stand in. So, after changing the current directory "cd $(srcdir)", this path will point to somewhere else making the install step fail. [58a22fce613f] * plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h: plugins/python: add a sudo python module [c512c48170ae] 2019-11-20 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/policy.c, src/sudo.c: For plugin API 1.15 and up, always call the plugin close function. Previously, it was only called when a command was run (including sudoedit). Now, plugin operations list, validate, invalidate, and show_version are also closed. [6cdcb5624908] 2019-11-19 Todd C. Miller * plugins/sudoers/iolog_client.c: Avoid NULL deref on an error path if calloc() fails. Coverity CID 205873 [bad732813149] * src/conversation.c: Fix potential fd leak when converting trailing newline to cr + nl. Coverity CID 205872 [4597abb8ee1f] * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, examples/sudo_logsrvd.conf: Document the process of creating self-signed certificates for sudo_logsrvd. Based on a document from Laszlo Orban. [0be730e58f17] * plugins/group_file/plugin_test.c: Sync with argument handling in group_plugin.c [937475aa2c3f] * plugins/sudoers/group_plugin.c: If a group plugin has optional arguments, NULL terminate the vector. Otherwise, the plugin cannot determine the end of arguments. The behavior now matches the plugin documentation. [51e02f75a447] 2019-11-19 Robert Manner * plugins/python/example_group_plugin.py: plugins/python: add example python group plugin [9f9d7cc2d5db] * plugins/python/example_policy_plugin.py: plugins/python: add example python policy plugin [6cc0d47edae0] * plugins/python/example_io_plugin.py: plugins/python: add example io python plugin [d22532c34748] 2019-11-18 Todd C. Miller * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, src/sudo.c: If there is no session or terminal group ID, pass the plugin a value of 0. This behavior already matches what is documented in the sudo_plugin manual for "sid" but the "tcpgid" entry needed to be updated. [2d720153c4cf] * plugins/sudoers/sudoers.c: Don't touch the local iolog sequence file if we are logging remotely [3c5dc60a9d11] * plugins/sudoers/iolog_client.c: Plug a memory leak found by leak sanitizer [13aac57d0506] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h: Make a shallow copy of user_env in I/O plugin in case it is reallocated. The policy plugin's session init function may reallocate the user environment pointer. Fixes a use after free when PAM is used. [3eb35dac2743] * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c: Rename "log_server" in sudoers to "log_servers" to match I/O plugin. [1dbe79c18760] 2019-11-17 Todd C. Miller * logsrvd/logsrvd.c: Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt(). It's a little more obvious this way and ssl is only non-NULL when the tls option is enabled anyway. [3436430c064b] * logsrvd/logsrvd.c: Init iolog_dir_fd and sock in connection_closure before adding to list. Otherwise we could close the wrong fds in the error path. [1643211f8b46] * doc/CONTRIBUTORS: Add Laszlo Orban [2836214cd4b8] 2019-11-16 Todd C. Miller * doc/sudo_logsrvd.conf.man.in: regen [4a44bfc42b4b] * doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf: Change TLS example file locations to be under /etc/ssl/sudo. [f4c302a3bcb9] * doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf: Document sudo_logsrvd TLS configuration. [97260e6acfaf] 2019-11-15 Todd C. Miller * include/sudo_event.h: Include time.h for struct timespec. [8bd80773d0fa] * lib/util/util.exp.in: Add sudo_ev_set_v1 to the exports file. [fd6b66378e5d] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the log_server and log_server_timeout options [7d7429b73d25] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c: Add support for logging to the log server [158a8e80faab] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_event.h, include/sudo_plugin.h, lib/util/event.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, src/Makefile.in, src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/load_plugins.c, src/preload.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: Add a plugin interface to sudo main event loop. [123662f454da] * MANIFEST, Makefile.in, configure, configure.ac, include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/logsrv/Makefile.in, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, lib/logsrv/protobuf-c.c, logsrvd/Makefile.in, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/protobuf-c/protobuf-c.c, logsrvd/protobuf-c/protobuf-c.h: Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv [6772a775471f] * lib/util/event.c: When freeing an event base, reset ev->base to NULL for associated events. [7199d3967059] * logsrvd/logsrvd_conf.c: Move cb_timeout() out from under the HAVE_OPENSSL ifdef. [c7fc294ce21a] * INSTALL, config.h.in, configure, configure.ac, logsrvd/Makefile.in, logsrvd/logsrvd.c: LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites(). Add a configure test and skip TLS 1.3 setup if it is missing. We still accept the tls_ciphers13 config setting but it will be ignored. [06d478442971] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Minor style nits that I missed during review. [7209ccc5a3cf] * logsrvd/sendlog.c: Avoid calling SSL_CTX_free() on an uninitialized pointer in an error path. [2df423e30773] * Merge pull request #9 from sudo-project/audit-server-tls-support Audit server tls support [0aded6c1deec] 2019-11-13 Laszlo Orban * logsrvd/Makefile.in, logsrvd/sendlog.c: update sudo_sendlog to support openssl tls [ab4be8367862] 2019-11-12 Todd C. Miller * src/limits.c: Simplify resource limit fallback logic a bit. [cdab60b50079] 2019-11-11 Todd C. Miller * doc/CONTRIBUTORS: Add sudo logo designers [94c841c8bc28] * src/limits.c: Don't set the RLIMIT_STACK soft/hard limits to unlimited. Use 8Mb for soft and 64Mb for hard. Works around issues on macOS and docker. See also Bug #908 [1d7f52c32360] * src/tgetpass.c: Restore resource limits before executing the askpass program. Linux with docker seems to have issues executing a program when the stack size is unlimited. Bug #908 [28cb58a5ac94] * src/conversation.c: Check for replies pointer being NULL just in case. [7c0c4c6b001e] 2019-11-11 Laszlo Orban * examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: set timeout value for the socket [e884292ab6c9] 2019-11-09 Todd C. Miller * src/conversation.c: Convert trailing newline to carriage return + newline for tty. Does not currently handle embedded newlines. [ad195e045150] 2019-11-08 Todd C. Miller * lib/util/fatal.c: Only write a carriage return if output is to a tty. [f605335649ea] * lib/util/fatal.c: Include a carriage return when printing warning messages. Otherwise, if the command is running in a pty the output is stair-stepped. [f23d4f0ed902] 2019-11-08 Laszlo Orban * configure, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: make audit server openssl dependency optional; tls layer is compiled only if sudo is built with --enable-openssl feature switch [c360a34c89c0] 2019-11-07 Todd C. Miller * lib/util/util.exp.in: Add sudo_parse_host_port_v1 and sudo_pow2_roundup_v1 to exports file. [e8b529115871] 2019-11-07 Laszlo Orban * logsrvd/logsrvd.c: fixed segfault when connection_closure_free() tries to remove a non- existent connection object from the list [4d6dd38d59f6] 2019-11-06 Todd C. Miller * lib/util/closefrom.c: Fix typo in closefrom emulation. [b23a6c512d4a] * plugins/sudoers/env.c: Do not warn about a missing /etc/environment file on Linux without PAM. Bug #907 [f85ff5ee2caf] 2019-11-05 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Transparently handle the "sudo sudoedit" problem. Some admin are confused about how to give users sudoedit permission and many users try to run sudoedit via sudo instead of directly. If the user runs "sudo sudoedit" sudo will now treat it as plain "sudoedit" after issuing a warning. If the admin has specified a fully-qualified path for sudoedit in sudoers, sudo will treat it as just "sudoedit" and match accordingly. In visudo (but not sudo), a fully-qualified path for sudoedit is now treated as an error. [5cdcfd9a6c33] * logsrvd/iolog_writer.c, logsrvd/sendlog.c: Rename cwd -> submitcwd to match man page. [bc9ea396055a] 2019-11-05 Laszlo Orban * logsrvd/logsrvd.c: verify server/client certs with CA certificate chain file [a177af7d7bbf] 2019-11-05 Todd C. Miller * MANIFEST, lib/util/Makefile.in, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c: Add unit test for parse_host_port and make an empty port an error. [b6b895cdc010] 2019-11-04 Todd C. Miller * lib/util/host_port.c: Fill in host and port pointers on success. [794368ebd367] 2019-11-04 Laszlo Orban * logsrvd/logsrvd.c: fix copy-paste mistake [2fe897c77485] 2019-11-02 Todd C. Miller * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/host_port.c, logsrvd/logsrvd_conf.c: Split out code to parse host:port into a utility function. [d8331e72394d] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/roundup.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/sendlog.c: Move bufsize_roundup() -> sudo_pow2_roundup() in libsudo_util. [791f5c353ef1] * lib/iolog/Makefile.in, logsrvd/Makefile.in: Add missing depend target [75107bcfff3d] * lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: We haven't needed -I$(top_srcdir) for a long time. [6974ea4a6c8c] * lib/util/closefrom.c: In closefrom_fallback() use the interval [OPEN_MAX, INT_MAX]. We want to try closing at least OPEN_MAX fds but no more than INT_MAX. On 64-bit systems it is possible for sysconf(_SC_OPEN_MAX) to return a value larger than INT_MAX when the number of open files is unlimited. [08d6fea1c894] * plugins/sudoers/logging.c, src/exec_monitor.c, src/selinux.c, src/tgetpass.c: Use dup3() instead of dup2(). This is less error prone since dup3() returns an error if old == new. Sudo guarantees that fds 0-2 are already open. [a9ffaa8a8a55] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/dup3.c, mkdep.pl: Add dup3() emulation. [7bd8864dee7e] * plugins/sudoers/logging.c, src/exec_monitor.c, src/exec_pty.c, src/tgetpass.c: Open all pipes using pipe2() with O_CLOEXEC. We no longer depend on calling closefrom() before exec. [176ae5cf1d94] * src/exec.c, src/tgetpass.c: Call closefrom() before we change to a non-root UID. This prevents another process from changing the NOFILE resource limit of the child process and defeating the closefrom() call. Reported by Joe Vennix from Apple Information Security. [f93d52b24976] * MANIFEST, logsrvd/Makefile.in: Regenerate Makefile and sort MANIFEST [24664d6c9d47] 2019-11-01 Todd C. Miller * doc/sudo.man.in, doc/sudo.mdoc.in: Reference timestamp_type and timestamp_timeout in sudoers. This should help users find details on how time stamp files work. [d5aa7c0b404c] 2019-10-31 Laszlo Orban * logsrvd/logsrvd.c: process tls config params in the audit server and establish TLS connection accordingly [33ce32c140af] 2019-10-29 Todd C. Miller * src/limits.c: macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS setrlimit manual. Bug #904 [2a00e62eaeb0] 2019-10-28 Todd C. Miller * Makefile.in: Fix ChangeLog generation on a branch. [69409e5b1179] 2019-10-27 Todd C. Miller * logsrvd/sendlog.c: Remove unused copy of iolog_seekto(). [1d730d414cd9] 2019-10-25 Laszlo Orban * examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: add configuration options for TLS [291a9986d6e9] 2019-10-24 Todd C. Miller * MANIFEST, doc/Makefile.in, doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/iolog_writer.c: Document the sudo log server protocol [46de0934987c] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog.c: Read logsrvd.conf in two steps: first read, then apply if OK. This fixes a problem where when logsrvd.conf was reloaded while running (due to SIGHUP) and there was an error we could end up with a partial config. [d3244c318c5b] * include/sudo_iolog.h, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_util/check_iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/sendlog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Add iolog_ prefix to exported functions in iolog_util.c [62027c8e1abd] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Simplify iolog_set_user and iolog_set_group [e82c5078b02c] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/fchmodat.c, lib/util/fstatat.c, mkdep.pl: Add fchmodat() and fstatat() emulation. Note that fchmodat() emulation does not support AT_SYMLINK_NOFOLLOW [8232c22e71c7] * doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Clear the write bit on the timing file for completed logs. This allows us to tell whether or not a log can be restarted. [b2180b6ef53b] * logsrvd/logsrvd.c: Redirect std{in,out,err} to /dev/null even when given the -n option. [376186a8d9cc] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_path/data, logsrvd/iolog_writer.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/sudoers.c: Simplify expand_iolog_path() [4f0f85f659d1] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [e268d56da49c] * examples/sudo_logsrvd.conf, include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c: Make the logsrvd port and list address configurable. [69d73358888d] * Makefile.in, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c: Mark logsrvd and sendlog strings for translation in the sudoers domain [24b1fd6250fb] * logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/sendlog.c: Add long option support to logsrvd and sendlog. [ecb2fae83abb] * logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h: Return an error to the client on error instead of dropping the connection. [2e40ca902100] * examples/sudo_logsrvd.conf, logsrvd/logsrvd_conf.c: Convert sudo_logsrvd.conf to ini file format [91dff03d0795] * MANIFEST, examples/sudo_logsrvd.conf, include/sudo_util.h, lib/util/Makefile.in, lib/util/logfac.c, lib/util/logpri.c, lib/util/util.exp.in, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/defaults.c: Add basic support for event logging using a sudo-style log format. [eb6aa3672e6f] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Add OpenBSD malloc options. [a0d79af0c430] * MANIFEST, logsrvd/Makefile.in, logsrvd/buffer.c, logsrvd/buffer.h, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h: Allow messages up to 2Mb in size. [af79754aaf53] * MANIFEST, configure, configure.ac, doc/Makefile.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, examples/sudo_logsrvd.conf, m4/sudo.m4: Add manual pages for logsrvd and sendlog. [f437259d81ae] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c: Add restart support for compresses I/O logs. [1191fac5ff52] * logsrvd/sendlog.c, logsrvd/sendlog.h: Fix client side of restart. Seek to the target point there too so we start sending from the right place. [403bf22a6dad] * include/sudo_iolog.h, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/sudoreplay.c: Move read_timing_record() into libsudo_iolog [65a984f7fa7a] * MANIFEST, lib/iolog/iolog_fileio.c, logsrvd/Makefile.in, logsrvd/buffer.c, logsrvd/buffer.h, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h: Rename buffer.c -> logsrv_util.c and add iolog_seekto() [0ff1a6fdaecd] * logsrvd/logsrvd.c, logsrvd/sendlog.c: Fix some warnings from the clang static analyzer. [95de486cfb65] * logsrvd/sendlog.c: Fix Coverity CID 204353, fd leak on error path. [3519d910c777] * logsrvd/logsrvd_conf.c: Fix Coverity CID 204355, resource leak on error path. [c5c50c6bae16] * lib/iolog/iolog_fileio.c: Avoid TOCTOU in iolog_mkdirs; Coverity CID 204356 [0c8679a731f5] * lib/util/mkdir_parents.c: Avoid TOCTOU in sudo_mkdir_parents; Coverity CID 204357 [e9eeae60dff2] * logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto: Add NumberList to InfoMessage. Also make comments fit in 80 columns when formatted as a man page. [fd7af0bb2477] * configure, configure.ac, include/sudo_rand.h, logsrvd/Makefile.in, logsrvd/logsrvd.c: Command line option processing for logsrvd [0f2248532960] * MANIFEST, examples/sudo_logsrvd.conf, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, pathnames.h.in: Add config file support for logsrvd [4e643a95c88b] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/mkdir_parents.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/mkdir_parents.c, plugins/sudoers/sudoers.h: Move mkdir_parents to libsudo_util. [3f540eb94282] * MANIFEST, Makefile.in, configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_path/data, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/sudo_conf.c, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/iolog_files.h, plugins/sudoers/iolog_path.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_path/data, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/sudo.h: Refactor code in sudoers that creates I/O log files to share with logsrvd. [3aa1fa95650d] * Makefile.in, include/sudo_iolog.h, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/sudoers.c: Enable sudo_logsrvd.conf settings. [8e7b37d1d2a9] * include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Use openat(2) when opening files in the I/O log directory. [1ab2e278e1d9] * logsrvd/Makefile.in, sudo.pp: Add sudo_ prefix to logsrvd and sendlog. [acbaed157ae5] * logsrvd/iolog_writer.c, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h: Rename ExecMessage -> AcceptMessage and add RejectMessage [a080c4eb7c4b] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/openat.c, lib/util/unlinkat.c, src/sudo_edit.c: Move openat() emulation to lib/util and at unlinkat() emulation. [756ace7fdf38] * logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c: Add debugging for logsrvd and sendlog [4c86dbceb611] * MANIFEST, doc/LICENSE, logsrvd/Makefile.in, logsrvd/protobuf-c/protobuf-c.c, logsrvd/protobuf-c/protobuf-c.h: Import protobuf-c source since to avoid an external dependency. The files generated with protoc-c are not standalone. We need to include protobuf-c.c and protobuf-c.h from the protobuf-c distribution too. Building protoc-c requires a relative recent version of gcc which limits its portability. [0ea50a59cab7] * logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h: Add support for restarting I/O log transfers. [748e8f4f7fec] * MANIFEST, Makefile.in, configure, configure.ac, logsrvd/Makefile.in, logsrvd/iolog.h, logsrvd/iolog_reader.c, logsrvd/iolog_writer.c, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, sudo.pp: Import proof of concept sudo log server. [a0687ba66feb] * MANIFEST, logsrvd/Makefile.in, logsrvd/iolog.h, logsrvd/iolog_reader.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.h, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/sudoreplay.c: Refactor I/O log code so it can be shared between sudoers and logsrvd [b6608769ba8a] * lib/util/strtonum.c: Avoid invalid read when minval > maxval [7f1a6f992e4f] 2019-10-23 Todd C. Miller * NEWS, plugins/sudoers/policy.c, src/sudo.c: Don't pass an invalid session or process group ID to the plugin. Fixes a regression in 1.8.28 when there is no terminal session leader. [d9c626167b3c] 2019-10-22 Robert Manner * plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/pyhelpers_cpychecker.h, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c: plugins/python: a plugin which can load policy/io plugin written in python [2c7620c8052f] * Makefile.in, configure.ac, plugins/python/Makefile.in: Makefile.in, configure.ac: add python plugin build [09b305e2cd54] 2019-10-21 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [70f4543f177c] * src/limits.c: Not all systems support RLIMIT_NPROC and RLIMIT_RSS [26b8e2afe755] * doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add depend target to all Makefile.in files. [0a22d80ef716] * NEWS, configure, configure.ac, doc/UPGRADE: Sudo 1.8.29 [736c9a5c3720] * MANIFEST, lib/util/Makefile.in, src/Makefile.in, src/exec.c, src/limits.c, src/sudo.c, src/sudo.h: Set resource limits in the sudo process to unlimited. We don't want sudo to be limited by the caller's resource limits. The original resource limits are restore before session setup. [6c3bf214caf0] 2019-10-20 Todd C. Miller * plugins/sudoers/starttime.c, src/ttyname.c: Older FreeBSD needs sys/param.h included before sys/user.h. From Darren Tucker [88c060df0439] * include/sudo_util.h, lib/util/getgrouplist.c, lib/util/gidlist.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/strtoid.c, lib/util/util.exp.in, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/iolog.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/sudo.c: Rename sudo_strtoid() to sudo_strtoidx() and add simplified sudo_strtoid() [94a418cdbae6] 2019-10-19 Todd C. Miller * doc/UPGRADE, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/sssd.c, plugins/sudoers/testsudoers.c, src/exec.c: Refer to user-ID and group-ID instead of "user ID" and "group ID" [36d7bd4ab52d] 2019-10-18 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: sudoedit doesn't create a new PAM session so PAM umask does not apply. [8ae167d0ae7c] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_plugin.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/exec.c, src/sudo.c, src/sudo.h: Change how the umask is handled with PAM and login.conf. If the umask is explicitly set in sudoers, use that value regardless of what is in PAM or login.conf. If using the default umask from sudoers, allow PAM or login.conf to override it. Bug #900 [7c0a835ac512] 2019-10-17 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/audit.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.c: Add log_allowed and log_denied sudoers flags, defaulting to true. [fb1e188a3d05] * lib/util/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Enable security auditing malloc options for "make check". [333632dd3134] 2019-10-16 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Be more consistent with how we talk about sudoers Defaults settings. Use "flag" not "option" when referring to boolean flags. Use "setting" in place of "Defaults setting" in most places. Use "the foo option" instead of "sudo's foo option" for command line options. [8058378c4b35] * plugins/sudoers/Makefile.in: No need to check existing sudoers file when installing to DESTDIR This check can cause problems on systems where /etc/sudoers.d is not readable. [2ec01e9fe408] * lib/util/str2sig.c: Inclue sudo_util.h to get sudo_strtonum() prototype. [8b0b4ee28d5f] * lib/util/str2sig.c: strtonum -> sudo_strtonum [4d2363678583] * MANIFEST: Add split out strtofoo tests. [0cc598502faf] * lib/util/strtonum.c: Make sure we don't go past the end of the string when out of range. [2b89961c524a] * lib/util/regress/strtofoo/strtonum_test.c, lib/util/strtonum.c: Fix stronum() regress test and the errno value for out of range numbers. [3547d022bead] * lib/util/Makefile.in, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c: Split atofoo.c regress into multiple tests. [75b7547e33bd] * NEWS, configure, configure.ac: Sudo 1.8.28p1 [09ceaddc94f9] 2019-10-15 Todd C. Miller * plugins/sudoers/parse.c: The fix for bug #869 broke "sudo -v" when verifypw=all (the default) [aac35bcd8584] 2019-10-14 Todd C. Miller * include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/closefrom.c, lib/util/getaddrinfo.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/ttysize.c, plugins/sudoers/boottime.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/match_addr.c, plugins/sudoers/policy.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/starttime/check_starttime.c, src/parse_args.c, src/sesh.c, src/sudo.c, src/ttyname.c: Use sudo_strtonum() explicitly instead of via a macro. [f75f786eddd5] * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/util.exp.in, mkdep.pl: Always use our own strtonum and implement sudo_strtoid in terms of it. [94b1114ef79d] * plugins/sudoers/pwutil.c: Use errno in warning when sudo_make_*_item() fails. Previously we always said "out of memory" if not ENOENT. [68e5a208c242] * plugins/sudoers/Makefile.in, plugins/sudoers/parse_ldif.c, plugins/sudoers/regress/cvtsudoers/test26.err.ok, plugins/sudoers/regress/cvtsudoers/test26.sh: Reject non-LDIF input when converting from LDIF to sudoers or JSON. [2d08d4aa0e01] 2019-10-10 Todd C. Miller * plugins/sudoers/po/ca.mo, plugins/sudoers/po/da.mo, plugins/sudoers/po/el.mo, plugins/sudoers/po/eu.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fur.mo, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hu.mo, plugins/sudoers/po/ko.mo, plugins/sudoers/po/lt.mo, plugins/sudoers/po/nl.mo, plugins/sudoers/po/ru.mo, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sr.mo, plugins/sudoers/po/tr.mo, plugins/sudoers/po/zh_CN.mo, po/ast.mo, po/ca.mo, po/es.mo, po/eu.mo, po/fi.mo, po/fur.mo, po/gl.mo, po/hr.mo, po/hu.mo, po/ko.mo, po/nl.mo, po/nn.mo, po/ru.mo, po/sk.mo, po/sl.mo, po/sr.mo, po/sudo.pot, po/vi.mo, po/zh_CN.mo: regen [362645d256b7] * NEWS, lib/util/strtoid.c: Treat an ID of -1 as invalid since that means "no change". Fixes CVE-2019-14287. Found by Joe Vennix from Apple Information Security. [83db8dba09e7] * lib/util/regress/atofoo/atofoo_test.c, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test5.sh: Add sudo_strtoid() tests for -1 and range errors. Also adjust testsudoers/test5 which relied upon gid -1 parsing. [db06a8336c09] 2019-10-06 Todd C. Miller * INSTALL, configure, configure.ac: Back out compiler override for now. [f03f7fd7ff8b] * configure, configure.ac: Only prefer clang over gcc on BSD systems. [2309baa23a00] 2019-10-05 Todd C. Miller * Makefile.in: Fix "make pvs-studio" run in a build dir [a49635de3777] 2019-09-27 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [430d45f3b461] * NEWS: Bug #898 [3d07895888e8] * src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.c, src/sudo.h: Fix restoring the file context of the user's tty with SELinux. Also fix broken tty labeling when running a command in a pty. Includes a fix for a typo introduced in the last change set. [eb3f547b08f8] * lib/util/arc4random.c: _rs_random_buf is currently unused [e384fc3625e8] * src/selinux.c: Add some debugging around context setting and tty labeling Also be more extact with error return values [ed66480282c7] 2019-09-21 Todd C. Miller * lib/util/sudo_debug.c: Better error message when debug log file cannot be opened. [09e0cdff0c49] 2019-09-20 Todd C. Miller * .hgignore: Ignore in-tree build directory. [66577c63f097] * configure, configure.ac: Set CC before AC_USE_SYSTEM_EXTENSIONS to get our preferred compiler. [6a318eeffb30] 2019-09-19 Todd C. Miller * pp: Update Polypkg to the latest version from git. [68bbecc25007] * configure, configure.ac: If no mandoc or nroff is present, install mdoc format manuals. If there is no installed nroff/mandoc they will need to install groff or heirloom doctools to format the manual pages. [6dd386c1a378] 2019-09-18 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_plugin.h: Refer to number of terminal lines, not rows, for consistency. [566e3e38058f] 2019-09-17 Todd C. Miller * INSTALL, configure, configure.ac: Prefer clang over gcc. We want to use clang on systems where clang is the system compiler. It is less common to have clang installed on systems where gcc is the system compiler. [d29d764a4938] * INSTALL: No longer need bypass_last_login on HP-UX, warnings work with clang. Also add deb package names for pam and ldap devel on Linux. [6aff480b1f4b] * src/parse_args.c: Silence a warning from clang about string concatenation. [cadba1a4d86d] 2019-09-14 Todd C. Miller * NEWS, doc/UPGRADE: sudoedit umask fix [4bfc0e393e2a] 2019-09-13 Todd C. Miller * lib/util/event.c: Fix sorting of the time-based event queue. [f12e5a877c8a] * lib/util/event.c: Support default base in got_exit, got_break, loopexit, loopbreak, loopcontinue [da02194b5ba9] 2019-09-11 Todd C. Miller * src/sudo_edit.c: Create new files with the umask specified in sudoers. [4d0b6152834b] 2019-09-05 Todd C. Miller * plugins/sudoers/parse_ldif.c: More case-insensitive compare for LDAP attributes and string lists. Only the ALL keyword should be compared case-sensitive. [87cd688b2648] 2019-08-30 Todd C. Miller * src/sudo.h: Enable asserts for Coverity too. [b830f200a8bd] * src/parse_args.c, src/sudo.h: Add asserts() to avoid static analyzer false positives. [860aca50028d] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Plug memory leak on malloc failure. [1b35743703d4] * plugins/sudoers/ldap_util.c: Plug memory leak on malloc failure. [c2257637d659] 2019-08-29 Todd C. Miller * plugins/sudoers/auth/pam.c: Add sudo_pam_strerror(), like pam_strerror() but never returns NULL. It also uses strerror(errno) for PAM_SYSTEM_ERR. [b070d1702112] * plugins/sudoers/auth/pam.c: If pam_start() fails, display the PAM error using pam_strerror(). It is legal to pass pam_strerror() a NULL handle. [6403fa1479d8] 2019-08-27 Todd C. Miller * doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: If the sudoreplay ID option is a fully-qualified path, use it directly. Previously, one had to use the -d option to override the I/O log directory. [9fddb3ffc760] * plugins/sudoers/Makefile.in: regen [f70579d2972b] * MANIFEST, doc/sudo.conf.man.in.sed: Add conditional for sesh path in sudo.conf manual. [93b5c6fcf8f4] 2019-08-26 Todd C. Miller * NEWS: Bug #895 [d69984bccd0e] * plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/sudo_printf.c, src/conversation.c: Use the SUDO_CONV_PREFER_TTY flag during authentication. This prevents the password and PAM prompts from being redirected. Bug #895 [546082c674b7] 2019-08-23 Todd C. Miller * mkpkg: Fix typo that prevented a missing linux audit lib from being detected. [b9412151615d] 2019-08-20 Todd C. Miller * plugins/sudoers/sudoreplay.c: Use fputs(), not printf() for plain strings. [b102ae1cb6da] * NEWS: Recent fixes. [8249e98a05c8] * plugins/sudoers/ldap.c: Add user ID to the search filter when matching sudoUser. We already support group IDs but the user ID was missing. From sudo-1.8.23-ldapsearchuidfix.patch in RHEL 7. [3da7b9f990be] * plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test2.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix parsing of double-quoted Defaults bindings that start with % or +. From sudo-1.8.23-fix-double-quote-parsing-for-Defaults- values.patch in RHEL 7. [df613e67ef45] * src/exec.c: Restore core dump resource limit before the PAM session module is run. Otherwise, we may override the limits set by PAM. Bug #894 [f35441098234] 2019-08-19 Todd C. Miller * lib/util/sig2str.c, lib/util/str2sig.c: sys_signame on macOS contains lower-cases names [d7af71311b3d] * MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/regress/strsig/strsig_test.c: Add regress tests for str2sig() and sig2str(). [fb73303699fb] * lib/util/str2sig.c: SIGIOT and SIGABRT are aliases on BSD systems. [d35f75aba04a] * lib/util/sig2str.c, lib/util/str2sig.c: Fix handling of real-time signals. [39066a5eabcb] 2019-08-16 Todd C. Miller * NEWS: ipa_hostname fix [54245ed09830] 2019-08-15 Todd C. Miller * plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Fix special handling of ipa_hostname that was lost in sudo 1.8.24. We now include the long and short hostname in sudo parser container. [b4f31dbe3109] 2019-08-14 Todd C. Miller * plugins/sudoers/iolog_event.h: Remove unused include file. [0731078e72b1] 2019-08-05 Todd C. Miller * NEWS, doc/UPGRADE: Mention I/O log signal change in NEWS and UPGRADE files. [ac7969640146] * MANIFEST, NEWS, plugins/sudoers/po/ast.mo, plugins/sudoers/po/ast.po: Asturian translation for sudoers from translationproject.org. [4f011f10129e] * mkdep.pl: Check source dir if source file is not listed in MANIFEST. Previously, we just used the file name without $(srcdir). [cd17ca929217] * MANIFEST, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_compat.h, lib/util/Makefile.in, lib/util/str2sig.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_util.c: Store signal name, not number in I/O log timing file. The "SIG" prefix is not used so, e.g. SIGTERM -> "TERM". This makes the I/O log files portable from one system to another. Older I/O log files with signal numbers can still be replayed. [5652f831b715] 2019-07-30 Todd C. Miller * src/utmp.c: Disable stringop-truncation false positive warnings on gcc 8. Strings in struct utmp/utmpx are not guaranteed to be NUL- terminated. [644b97bba318] * plugins/group_file/plugin_test.c, src/net_ifs.c: Replace non-essential strncpy() calls. [2377cad6e155] 2019-07-26 Todd C. Miller * configure, configure.ac: Revert version back to 1.8.28 [4e2deb0b4925] * lib/util/Makefile.in: Link util functions being tested directly with the test harness. Otherwise we may get the version from the installed libsudo_util.so. [46c833080d13] 2019-07-23 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [a5aa41ab05cb] 2019-07-19 Todd C. Miller * configure, configure.ac, plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.c: Use strftime(3) instead of formatting struct tm by hand. Fixes a warning on newer versions of gcc. [4a2fdb51bbe5] * doc/sudo.man.in, doc/sudo.mdoc.in: Update error message when the password cannot be read from the terminal. [9b329f92e8a0] * NEWS: Fix for Bug #888 [d64fc43adfdd] * plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c: If the command in sudoers does not exist on the file system, match by name. We still want to match the command even if it doesn't exist so that the NOPASSWD flag on sudoers entries with non-existant paths works as expected. Bug #888. [0879054870be] * NEWS, doc/TROUBLESHOOTING, po/sudo.pot, src/tgetpass.c: More verbose error message when a password is required and no terminal is present. Bug #828. [f15ffeffff32] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [8e0fdf8e4cd5] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that PAM session modules are now run with the silent flag. [b67b769a0532] 2019-07-14 Todd C. Miller * plugins/sudoers/sudoers.c: Simpler change to retry sudo_secure_file() as root as needed. [feb0c2309366] * plugins/sudoers/sudoers.c: If we are unable to stat() sudoers as non-root, try again as root. By default, sudo relies soley on group permissions to read sudoers to make it possible to store sudoers on NFS. However, if /etc/sudoers is not accessible to non-root uids for some reason, sudo will fail. Bug #880. [6a50adb25f2e] 2019-07-12 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Clarify that ttyin contains raw terminal input. [eea9d33f85bd] 2019-07-11 Todd C. Miller * doc/sudoers.man.in, doc/sudoers.mdoc.in: Expand the description of the I/O log files. [f15cefc9bbd8] * doc/sudo.conf.mdoc.in: Remove trailing whitespace. [421e9f481c1d] 2019-07-03 Todd C. Miller * configure, configure.ac, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: Rename PLUGINDIR -> plugindir [75cc43534ee1] * configure, configure.ac: Use $libexecdir in default settings used by the documentation. The web and pdf pages will substitute /usr/local/libexec for $noexec_file. Also do substitution of variables using exec_prefix even if we don't use them in the Makefile since the documentation may reference them. [b7a37b03b6db] * doc/Makefile.in, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Add conditional for sesh path in sudo.conf manual. [ec1f8f559bad] * configure, configure.ac: Update plugindir even when --disable-shared is specified. Otherwise, the default value is substituted into the Makefiles and documentation which may not match --prefix. Bug #886 [0f6c9a4af739] 2019-06-25 Todd C. Miller * include/sudo_util.h, lib/util/fatal.c, lib/util/inet_ntop.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/sudo_debug.c, plugins/sudoers/find_path.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, src/load_plugins.c, src/net_ifs.c, src/sudo.c: Add ssizeof macro that returns ssize_t. We can use this instead of casting the result of size_t to int. Also change checks for snprintf() returning <=0 to <0. [da4a95a5d8ec] 2019-06-21 Todd C. Miller * doc/TROUBLESHOOTING, doc/sudoers.man.in, doc/sudoers.mdoc.in: sudoedit should be used for editing files instead of "sudo editor" That way the user's editor config files are used by the editor. [24bb1e6326ee] * doc/TROUBLESHOOTING: Move the section on HOME to be after the environment section. Also strongly discourage the disabling of env_reset. [7a41bddf5fde] 2019-06-20 Todd C. Miller * doc/TROUBLESHOOTING: Remove the Solaris last login question, add one about HOME. The PAM session is opened with PAM_SILENT so last login info is not printed. It is dangerous to preserve HOME from the user's environment. [99be2cd98556] * doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use the term pseudo-terminal more consistently. [129a0d2e5a33] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Document why HOME should not be preserved from the user's environment. Text was adapted from what is already present in the UPGRADE file. Also mark set_home and always_set_home as obsolete. [3cddca2f78de] * doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Refer to command line options, not flags. [5caa383e1f9b] * NEWS: sync [fd7e952e3e43] * doc/TROUBLESHOOTING: sudo will now prompt for a password as long as /dev/tty is available. [a4241d432e63] * MANIFEST, configure, configure.ac, doc/Makefile.in, doc/cvtsudoers.cat, doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers_timestamp.cat, doc/sudoreplay.cat, doc/visudo.cat: Remove .cat pages, there is no need for them in the modern world. Sudo only shipped .cat pages for Irix, which lacked nroff. Irix is long dead and there are multiple open source nroff options. [b7a48dc22bdb] * INSTALL, configure.ac, doc/sudoers.cat, doc/visudo.cat: Make env_editor the default. It is already the default in the package script. [a4f0c46ef5d6] * INSTALL, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Don't describe env_editor as a security hole. Users that are able to edit sudoers can grant themselves permissions so the fact that visudo runs the editor as root is not a security issue. [627f0a96ccc9] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix details of how EDITOR, VISUAL and SUDO_EDITOR are (or are not) preserved. The description in the editor option was incorrect and didn't mention env_keep. Reported by Sander Bos [1b498d610672] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Modern visudo locks the actual sudoers file, not the sudoers.tmp file. Refer to sudoers.tmp as a temporary file, not a lock file. Reported by Sander Bos [3a449f316304] 2019-06-19 Todd C. Miller * plugins/sudoers/sudoers.c: In tty_present(), check for /dev/tty if sudo was unable to get the tty name. For requiretty it is enough to check that /dev/tty is available. If sudo can't get the tty from the kernel (missing /proc?) that is OK. [2102ffa0fa7e] * src/tgetpass.c: Don't refuse to use the tty unless /dev/tty is unavailable. We don't care whether sudo was able to get the tty name from the kernel. All that really matters is whether we are able to disable echo as needed. [a3376277883f] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use of "they" was ambiguous. [a39f42aa21ca] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Better description of secure_path. The secure_path option affects the resolution of unqualified commands as well as the environment that commands run with. [e0534efa8271] * doc/CONTRIBUTORS: Add Sander Bos [75f6f90c2f24] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix a few typos and awkward wording. Use the singular "they" instead of he/she. Add back missing text in description of variables starting with (). Based on changes from Sander Bos. [d6b5068ae2ca] 2019-06-15 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Clarify which environment variables are set based on the target user. [1e6ac7e5ef32] 2019-06-10 Todd C. Miller * lib/util/Makefile.in: libsudo_util depends on LT_DEP_LIBS even when building a static lib [232370d6af88] * aclocal.m4, config.h.in, configure, configure.ac, lib/util/arc4random.c: Solaris getentropy() requires that sys/random.h be included. [f1ec0a7290a6] 2019-05-29 Todd C. Miller * plugins/sudoers/parse.c: Use the runhost for "User foo is not allowed to run sudo on bar." Otherwise, if the -h option is specified sudo will print the local host name instead of the host specified via -h. [8e6836ff952c] 2019-05-28 Todd C. Miller * doc/TROUBLESHOOTING: Document that "no tty present and no askpass program specified" may happen when /proc is not accessible. [b551c47e55aa] 2019-05-27 Todd C. Miller * doc/CONTRIBUTORS: Add Sangamesh Mallayya and Michael Spradling [73b3acddc973] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c, src/sudo.h, src/tgetpass.c: Add -B option to ring the bell before the password prompt. [b2181b069809] * plugins/sudoers/auth/aix_auth.c: Allow the user to change their password if expired on AIX. Bug #883 [b1def2572198] 2019-05-26 Todd C. Miller * plugins/sudoers/auth/aix_auth.c: When using AIX auth, don't display the AIX password incorrect message. Avoids a "3004-300 You entered an invalid login name or password" message in addition to sudo's own "Sorry, try again" message. [ee606cfc3c8c] 2019-05-24 Todd C. Miller * mkpkg: AIX packages were not being build with optimization enabled. [41563464b897] 2019-05-22 Todd C. Miller * plugins/sudoers/parse.c, plugins/sudoers/parse.h: Fix a typo. [6cd3fdc40b13] * mkpkg: Support using macOS SDKs from /Library/Developer/CommandLineTools/SDKs [98399af73e06] 2019-05-16 Todd C. Miller * lib/util/term.c: It is safe to assume _POSIX_VDISABLE is defined. The old compat defines were to support pre-termios systems. [82153896cede] 2019-05-06 Todd C. Miller * plugins/sudoers/auth/pam.c: Remove second catopen() which is never called. [8a3db9d71297] 2019-05-01 Todd C. Miller * doc/TROUBLESHOOTING: Sudo's conversation functions now filters out the last login information. [ac21b18ba6bf] 2019-04-29 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add pam_acct_mgmt setting to enable/disable PAM account validation. [ec657af6eeb8] * doc/cvtsudoers.cat, doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers_timestamp.cat, doc/sudoreplay.cat, doc/visudo.cat: regen [d39b0636806f] * NEWS, configure, configure.ac: Sudo 1.8.28 [dd02af1b71e1] * Makefile.in, configure.ac, doc/Makefile.in, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/fixman.sh, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/Makefile.in, include/Makefile.in, include/compat/charclass.h, include/compat/endian.h, include/compat/fnmatch.h, include/compat/getopt.h, include/compat/glob.h, include/compat/nss_dbdefs.h, include/compat/sha2.h, include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_digest.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_gettext.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_queue.h, include/sudo_rand.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random.h, lib/util/arc4random_uniform.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/getcwd.c, lib/util/getdelim.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/inet_ntop.c, lib/util/inet_pton.c, lib/util/isblank.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/nanosleep.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, lib/util/utimens.c, lib/util/vsyslog.c, lib/zlib/Makefile.in, log2cl.pl, m4/sudo.m4, mkdep.pl, mkpkg, pathnames.h.in, plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sample/Makefile.in, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/ins_python.h, plugins/sudoers/insults.h, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/iolog_event.h, plugins/sudoers/iolog_files.h, plugins/sudoers/iolog_path.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/strlist.h, plugins/sudoers/stubs.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_ldap_conf.h, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h, plugins/sudoers/visudo.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, src/Makefile.in, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/sudo_noexec.c, src/sudo_plugin_int.h, src/sudo_usage.h.in, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Add SPDX-License-Identifier to files. [db66decfad24] 2019-04-28 Todd C. Miller * plugins/sudoers/auth/pam.c: Filter out last login messages on HP-UX unless running a shell. HP- UX in trusted mode will display last login messages as part of the PAM account management module by libpam_comsec. There is no way to suppress these messages from the PAM configuration in trusted mode so we need to filter them in the conversation function. In regular mode, similar (but different) messages may be produced by libpam_hpsec. [5bbb02c69b46] 2019-04-26 Todd C. Miller * lib/util/closefrom.c: FreeBSD's /dev/fd only contains fds 0-2 unless fdescfs is mounted. In practice this doesn't matter since FreeBSD >= 8 has a native closefrom [bbeeb52550f1] 2019-04-20 Todd C. Miller * plugins/sudoers/logging.c: Keep debug fds open in send_mail() to aid in debugging. Adds closefrom_nodebug() which acts like closefrom(3) but doesn't close debug fds for use by send_mail(). Also moves the code to exec the mailer to its own function. [b1892425667a] 2019-04-19 Todd C. Miller * plugins/sudoers/defaults.c: Set def_mailerflags even if sendmail was not found at configure time. Fixes a NULL dereference when mailerpath is set but mailerflags is not. Bug #878 [6c57f5ddca54] 2019-04-08 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/getdelim.c, lib/util/getline.c, lib/util/parseln.c, lib/util/regress/getdelim/getdelim_test.c, mkdep.pl, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/sssd.c: Add a proper getdelim(3) replacement and use it instead of getline(3). [2e06e45ffbd6] * plugins/sudoers/auth/pam.c: Restrict the PAM_TTY kludge to Solaris and Linux-PAM. Setting PAM_TTY to the empty string causes problems with some modules on HP- UX so restrict it to systems where it is fixes known issues. [d61f4e20dc67] 2019-03-18 Todd C. Miller * lib/util/getgrouplist.c: Fix the counting of supplementary groups on AIX. We should not assume that basegid will be present in the list of gids returned by getgrset(). [6b5fa2805840] 2019-03-14 Todd C. Miller * plugins/sudoers/pwutil.c: Plug a memory leak on user/group lookup failure found by ASAN. [aff673f310d0] 2019-03-08 Todd C. Miller * MANIFEST, plugins/sudoers/regress/testsudoers/test3.d/root, plugins/sudoers/regress/testsudoers/test3.sh: Fix test failure when run by a user other than the file owner. [c41ea7cfedf8] * MANIFEST, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/da.mo, po/da.po, po/eo.mo, po/eo.po, po/es.mo, po/es.po, po/zh_TW.mo, po/zh_TW.po: Updated translations from translationproject.org [484d7b28bdd6] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test1.sh, plugins/sudoers/regress/cvtsudoers/test10.sh, plugins/sudoers/regress/cvtsudoers/test11.sh, plugins/sudoers/regress/cvtsudoers/test12.sh, plugins/sudoers/regress/cvtsudoers/test13.sh, plugins/sudoers/regress/cvtsudoers/test14.sh, plugins/sudoers/regress/cvtsudoers/test15.sh, plugins/sudoers/regress/cvtsudoers/test16.sh, plugins/sudoers/regress/cvtsudoers/test17.sh, plugins/sudoers/regress/cvtsudoers/test18.sh, plugins/sudoers/regress/cvtsudoers/test19.sh, plugins/sudoers/regress/cvtsudoers/test2.sh, plugins/sudoers/regress/cvtsudoers/test20.sh, plugins/sudoers/regress/cvtsudoers/test21.sh, plugins/sudoers/regress/cvtsudoers/test22.sh, plugins/sudoers/regress/cvtsudoers/test23.sh, plugins/sudoers/regress/cvtsudoers/test24.sh, plugins/sudoers/regress/cvtsudoers/test25.sh, plugins/sudoers/regress/cvtsudoers/test26.err.ok, plugins/sudoers/regress/cvtsudoers/test26.out.ok, plugins/sudoers/regress/cvtsudoers/test26.sh, plugins/sudoers/regress/cvtsudoers/test27.sh, plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test3.sh, plugins/sudoers/regress/cvtsudoers/test30.sh, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.err.ok, plugins/sudoers/regress/cvtsudoers/test32.out.ok, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test4.sh, plugins/sudoers/regress/cvtsudoers/test5.sh, plugins/sudoers/regress/cvtsudoers/test6.sh, plugins/sudoers/regress/cvtsudoers/test7.sh, plugins/sudoers/regress/cvtsudoers/test8.sh, plugins/sudoers/regress/cvtsudoers/test9.sh: Test cvtsudoers stdout and stderr separately. Fixes a test failure on systems with musl libc. Bug #873 [e82a381f4f3d] 2019-03-06 Todd C. Miller * plugins/sudoers/starttime.c, src/ttyname.c: Better comment about EOVERFLOW and pstat_getproc(). Also remove some useless casts. [09a915110812] * lib/util/closefrom.c: Ignore EOVERFLOW from pstat_getproc(), it is not a fatal error. It just means that one of the fields in pstat lacks the precision to store a value. That's not an issue for pst_highestfd. [bb7ed18e360b] * sudo.pp: update copyright year [cff8184aeb11] 2019-03-05 Todd C. Miller * src/load_plugins.c: Fix error message when a fully-qualified plugin path does not exist. [318f7511c9bc] 2019-03-04 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix unescaped '\' and remove an extra '[' in the definition of digest. [9ea1a400ebc9] 2019-03-03 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Ignore carriage return before a linefeed. This allows sudo to parse files with DOS-style line endings. [65882b63a84d] 2019-02-26 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: For sssd, the nsswitch.conf setting should be "sss" not "sssd". From Johnathan Smith. [5c07130d1bbc] 2019-02-20 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/sudoers.h: Add simple API for to allow reading environment data from different sources. Currently, this is used to read a file like /etc/environment. [ce9161899719] 2019-02-19 Todd C. Miller * plugins/sudoers/sudoers.c: Fix pasto; the unrestricted env file was read when we want the restricted one. [23b0b3c473db] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.h, plugins/sudoers/parse.h, plugins/sudoers/strlist.c, src/sudo.h: Be sure to include sudo_queue.h where needed instead of relying on other headers. [fe9418a9b378] 2019-02-18 Todd C. Miller * lib/util/util.exp.in: Only export sudo_arc4random_uniform() if arc4random_uniform() is missing. [e32a7243976d] * lib/util/regress/vsyslog/vsyslog_test.c: Quiet a warning on gcc 8 [fe8cad6564e2] * include/sudo_compat.h: AIX 7.1 defines O_CLOEXEC but it can't be used outside the kernel. Redefine O_CLOEXEC if it doesn't fit in an int and pipe2() is missing. [3ef0220351ca] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h: Split command match code out into match_command.c. Also remove unused SUDOERS_NAME_MATCH code. [2a7adb93a65e] 2019-02-17 Todd C. Miller * plugins/sudoers/match_digest.c: Split out digest matching into its own file. [93863918f934] * plugins/sudoers/Makefile.in, plugins/sudoers/match.c, plugins/sudoers/parse.h: Split out digest matching into its own file. [aafdc9b976ed] 2019-02-12 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Rename FOLLOW and NOFOLLOW tokens FOLLOWLNK and NOFOLLOWLNK. Fixes a namespace collision on Solaris when bison is used. [707b94b7c1e9] 2019-02-06 Todd C. Miller * plugins/sudoers/match.c: Add stub definition of digest_matches() for SUDOERS_NAME_MATCH [a322e57c85e0] * plugins/sudoers/sudo_nss.c: No longer need to include sudo_lbuf.h [db110422b24c] * mkpkg: On RedHat/CentOS get the OS major version from /etc/redhat-release. We cannot determine this from the output of "pp --probe" since it doesn't contain a period to separate the major and minor numbers. [78a27d62de0c] 2019-02-05 Todd C. Miller * plugins/sudoers/policy.c: Use SET macro instead of bitwise OR. [b523937e8da8] * plugins/sudoers/pwutil_impl.c: In sudo_make_grlist_item() the calculation of total did not include space for pointers to the group names. [7c438dd62f45] * plugins/sudoers/cvtsudoers_pwutil.c: Use correct debug_decl() names. [d0f02db8be20] * plugins/sudoers/sudoers.h: Add fallback values for sudoers uid, gid and mode if not set in Makefile. [21e41ed7a06c] 2019-02-04 Todd C. Miller * lib/util/memset_s.c: include stddef.h to make sure we get NULL [d42b4c325c0c] 2019-02-02 Todd C. Miller * src/net_ifs.c: Fix memory leak when there are no network interfaces or an error occurs. [7ba525ee9233] 2019-01-25 Todd C. Miller * configure, configure.ac: Use $ac_cv_search_FUNCTION instead of $ac_lib and $ac_res. Fixes a problem where libcrypt is not used with autoconf caching. Adapted from a diff from Adam Labbe. [5cfcade6ce3e] 2019-01-24 Todd C. Miller * po/de.mo, po/de.po, po/ko.mo, po/ko.po: Updated translations from translationproject.org [4995f6542a2c] 2019-01-22 Todd C. Miller * plugins/sudoers/parse.c: Fix listpw=never and verifypw=never. Bug #869 [ecb89088a884] 2019-01-20 Todd C. Miller * lib/util/regress/vsyslog/vsyslog_test.c, lib/util/sig2str.c, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/set_perms.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/tsdump.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/ttyname.c: Minor snprintf() usage tweaks: 1) don't assume snprintf() returns -1 on error, check for <0 2) when comparing return value of sizeof(foo), cast the sizeof, not the len 3) cast return value to void in cases where snprintf cannot fail [2af6dfb31a49] 2019-01-07 Todd C. Miller * NEWS: The AIX nofiles hard limit fix and bug #867 will make 1.8.27. [a8b4710ff907] * plugins/sudoers/auth/pam.c: Use PAM_SILENT to prevent pam_lastlog from printing last login information on RedHat except when explicitly running a shell. Adapted from a patch from Nir Soffer. Bug #867 [b8b5d3445a3c] * lib/util/aix.c: Fix the default nofiles and stack hard limits. The table of default hard limits in /etc/security/limits was out of date with respect to the current documentation. The default hard limit for nofiles should be unlimited, not 8196. The default hard limit for stack should be 4194304 blocks (which fits in an unsigned long on 32-bit platforms). [68c8c05a0b9b] 2019-01-03 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [3000c62ed0ba] * NEWS: Final updates for sudo 1.8.27. [40d6ecb1f739] * src/exec_pty.c: Update copyright year [adc9f4046585] * doc/LICENSE: Update for 2019 [ccbbad25d7c7] 2019-01-02 Todd C. Miller * src/exec_pty.c: Fix setting of utmp entry when running command in a pty. Regression introduced in sudo 1.8.22. [cf81f3fa1f3a] 2018-12-24 Todd C. Miller * plugins/sudoers/sudoers.c: Use debug_return_int not debug_return_bool in resolve_host [490241e14e68] * NEWS, configure, configure.ac: sudo 1.8.27 [f59a4a391a44] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c: Allow the sudoers file to be specified without the -f option. Bug #864 [eb3d4c4461ba] 2018-12-20 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: The iolog_dir section is below the maxseq section, not above. [35534e4f23d9] 2018-12-12 Todd C. Miller * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, po/ja.mo, po/ja.po: Updated translations from translationproject.org [270660da2de4] 2018-12-11 Todd C. Miller * plugins/sudoers/sudoreplay.c: Add -n and -R options to help; reported by Radovan Sroka [683df32eb950] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Add missing description of padding option and missing argument to -c. [c762020f1694] * plugins/sudoers/cvtsudoers.c: The -c option was missing from the help info; from Radovan Sroka [aa36d5c05b0b] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Fix some typos; reported by Radovan Sroka [d6137224dd47] 2018-12-08 Todd C. Miller * plugins/sudoers/auth/pam.c: In sudo_pam_approval(), for the exempt case, only overwrite pam status when the passwd is expired or needs to be updated. [2c2d1ed1bb7e] 2018-12-07 Todd C. Miller * plugins/sudoers/auth/pam.c: The fix for bug #843 was incomplete and caused pam_end() to be called early. sudo_pam_approval() must not set the global pam status to an error value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup() will call pam_end() before sudo_pam_begin_session(). This resulted in a NULL PAM handle being used in sudo_pam_begin_session(). [656aa910fbaf] 2018-12-05 Todd C. Miller * src/exec.c: Don't run the command in a pty if no I/O plugins are logging anything. That way an I/O plugin that doesn't actually log anything won't cause the command to be run in a pty. [ef83f35c9cb0] 2018-11-29 Todd C. Miller * .hgignore: Update ignore patterns to match doc changes. [7438cdacc0e1] * doc/fixmdoc.sed: fix mode fixmdoc.sed [d74c0b7c5932] 2018-11-27 Todd C. Miller * doc/Makefile.in, doc/sudo.conf.man.in, doc/sudo.man.in, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoers_timestamp.man.in, doc/sudoreplay.man.in, doc/visudo.man.in: Fix section in the .TH line of *.man.in file. The substitution for @mansectsu@ and @mansectform@ was broken. No longer need to strip out OpenBSD from the header line. [cb02c8496b21] * doc/sudoers.man.in.sed: Add sudoers.man.in.sed, missed from previous commit. [a2113a52e6a7] * doc/CONTRIBUTORS: Add Guillem Jover [db7a39f9726a] * NEWS: recent changes [0c07a0cdf2ff] * MANIFEST, doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sed, doc/fixmdoc.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.man.in.sed, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use roff conditionals in the manuals instead of post-processing. We still need to process the resulting .man.in files to add back the conditionals but this should be easier to debug as the changes are visible in the .in file. Some minor postprocessing is still used to make the manuals HP-UX friendly and to change "0 seconds" -> unlimited after substitution. [44316d271ab8] 2018-11-24 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Sudo plugin manual updates and clarification from Guillem Jover: - Add missing return information for show_version(). - Fix prototypes for several function pointers. - Update SUDO_API_VERSION_MINOR. - Add missing references to log_suspend() and change_winsize(). - Add missing "array.". - Clarify that argc can be zero on sudo -V. - Clarify size requirements for conversation array arguments. - Clarify timeout zero value for struct sudo_conv_message. - Clarify initial and final state of reply in struct sudo_conv_reply. [1241cff4dd51] * doc/fixmdoc.sh, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Revert changes to give arguments to the .Bx macro. This is intended for things like .Bx 4.3 to generate "4.3BSD" so the argument ends up before the BSD, not after. Just go back to using "BSD authentication" and "BSD login classes" so fixmdoc.sh can operate correctly. Bug #861 [c58965343318] 2018-11-23 Todd C. Miller * doc/fixmdoc.sh, doc/sudo.mdoc.in, doc/sudoers.mdoc.in: Update fixmdoc.sh to match the BSD -> .Bx changes in the manuals. Bug #861 [7ddfb74781a1] 2018-11-18 Todd C. Miller * config.h.in, configure, configure.ac, m4/sudo.m4, src/utmp.c: Add support for utmps as found in HP-UX. [f55312948139] 2018-11-14 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_util.h, lib/util/utimens.c: Support st_nmtime in struct stat as found in HP-UX. [0854b34cd2ea] * lib/util/closefrom.c: If fcntl fails, fall back to the /proc implementation. [59a03e0d3148] 2018-11-12 Todd C. Miller * NEWS: Mention schema.olcSudo [320adcd29a61] 2018-11-09 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Mention schema.olcSudo here too. [a19dff54603b] * MANIFEST, README.LDAP, doc/CONTRIBUTORS, doc/schema.OpenLDAP, doc/schema.olcSudo: OpenLDAP schema file for Sudo in on-line configuration (OLC) format. From Frederic Pasteleurs. [1fcfa9f307a2] * po/ast.mo, po/ast.po: Updated translations from translationproject.org [70f0ec8c721c] 2018-11-08 Todd C. Miller * lib/util/closefrom.c: Only use closefrom_fallback() if no better method exists. The previous logic was too fragile. [2510928e291f] 2018-11-07 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: Updated translations from translationproject.org [898154804015] * MANIFEST, NEWS, doc/CONTRIBUTORS, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, po/pt.mo, po/pt.po: Portuguese translation for sudo and sudoers from translationproject.org. [4c49e5cf8936] 2018-11-05 Todd C. Miller * NEWS, configure, configure.ac, include/sudo_fatal.h, lib/util/Makefile.in, lib/util/fatal.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Add sudo_gai_fatal, sudo_gai_vfatal, sudo_gai_vwarn, sudo_gai_warn and gai_log_warning that use gai_strerror() instead of strerror(). [9c37c5db3293] 2018-10-31 Todd C. Miller * plugins/sudoers/match.c: Fix memory leak in runaslist_matches(). [f1366ad50eb3] 2018-10-29 Todd C. Miller * NEWS: typo [fc8aa243672a] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [f333405eb06c] * NEWS: More updates for 1.8.26 [1941961b232f] 2018-10-28 Todd C. Miller * MANIFEST, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap_util.c, plugins/sudoers/regress/cvtsudoers/test33.out.ok, plugins/sudoers/regress/cvtsudoers/test33.sh: Add support for negated sudoRunAsUser and sudoRunAsGroup entries. [d0368336d92b] 2018-10-27 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that the target user's groups may be specified via the -g option. [67b7643e3bcb] * plugins/sudoers/tsgetgrpw.c: Include getpwent() version of sudo_getgrouplist2_v1() from getgrouplist.c [60aa493504d1] * MANIFEST, plugins/sudoers/regress/testsudoers/group, plugins/sudoers/regress/testsudoers/test1.sh: Use a testsudoers group file with known contents instead of the system one. [7a4499c92acd] * plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/set_perms.c: Allow the group set by "sudo -g" to be any of the target user's groups. Previously, this was only allowed if the group matched the target user's primary group ID (from the passwd database entry). The sudoers policy will now allow the group if it is one of the target user's supplemental groups as well. [c43fedc19a01] 2018-10-26 Todd C. Miller * lib/util/regress/getgrouplist/getgrouplist_test.c: Skip sudo_getgrouplist2() check on systems with getgrouplist_2(). sudo_getgrouplist2() is just a wrapper on such systems and this avoids a test failure on macOS where a user is automatically a member of certain groups. [26ba0c363b80] * lib/util/util.exp.in: Add missing exported symbol sudo_term_eof [2d8e0438eba4] * plugins/sudoers/ldap_conf.c: Add missing #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT Fixes problems building on older LDAP sdks. [1effb0f19867] * MANIFEST: add getgrouplist_test.c [ca5bae341846] * lib/util/regress/getgrouplist/getgrouplist_test.c: Check the user's primary gid from the passwd file too. [60ba98074d75] * .hgignore: ignore prologue [589222ec2717] * lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_uniform.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/isblank.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/nanosleep.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, lib/util/utimens.c, lib/util/vsyslog.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/sudo_noexec.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Convert PVS-Studio comment to ANSI C. [31f2aefe6d9b] * Makefile.in, doc/Makefile.in, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/Makefile.in, include/Makefile.in, include/sudo_lbuf.h, lib/util/Makefile.in, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/lbuf.c, lib/util/setgroups.c, lib/util/ttysize.c, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/base64.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/gentime.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/system_group/Makefile.in, src/Makefile.in, src/sesh.c, src/sudo_usage.h.in: Fix some mangled text in the license block. [86b88fbda4b4] * lib/util/Makefile.in, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/parse_gids/parse_gids_test.c: Add regress test for sudo_getgrouplist2(). This test assumes all the groups in root's group list can be resolved by group ID. [48564f85b7ed] 2018-10-25 Todd C. Miller * NEWS: More changes in 1.8.26 [fe81e3e4b653] * MANIFEST, doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/cvtsudoers/test31.conf, plugins/sudoers/regress/cvtsudoers/test31.out.ok, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.out.ok, plugins/sudoers/regress/cvtsudoers/test32.sh: Add padding option to cvtsudoers. Bug #856 [6e31b0e37ba1] * lib/util/getgrouplist.c: Remove an errant grset++ in the AIX version of sudo_getgrouplist2(). Bug #857 [03b19227cab2] 2018-10-22 Todd C. Miller * lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Pass --sourcetree-root to pvs-studio and don't check sudo_noexec.c. Since we don't auto-generate dependencies for sudo_noexec.c we can't easily check it from outside the source tree. This is not a problem as it just contains stub functions. [3cf842d30e45] * MANIFEST, doc/CONTRIBUTORS, po/ast.mo, po/ast.po: Asturian translation for sudo from translationproject.org [dc0b31fa013c] 2018-10-21 Todd C. Miller * lib/util/gettime.c: Add support for CLOCK_MONOTONIC_RAW and CLOCK_UPTIME_RAW, present on macOS. [5f34c8de0707] * INSTALL, configure, configure.ac: Add --enable-pvs-studio configure option to create PVS-Studio.cfg. [772e86227c11] * lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_uniform.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/getentropy.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/isblank.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/nanosleep.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, lib/util/utimens.c, lib/util/vsyslog.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sample/sample_plugin.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/sudo_noexec.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Add comments in .c files so PVS-Studio will check them. [b42b6dcb48a6] * .hgignore, Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, mkdep.pl, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add pvs-studio target and associated production rules. [3dbcef5ac205] 2018-10-20 Todd C. Miller * plugins/sudoers/iolog_util.c: Simplify range checks. No need to check for ERANGE in the cases where we also check that the value is <= INT_MAX. Found by PVS- Studio. [45810a8437b6] 2018-10-19 Todd C. Miller * lib/util/key_val.c, plugins/sudoers/iolog_path.c, plugins/sudoers/linux_audit.c, plugins/sudoers/toke_util.c, src/preserve_fds.c: Avoid some PVS-Studio false positives. [e4d8ce94fda7] * src/sudo.c: Remove some calls to sudo_fatalx(); just propagate the error return. [bc9eefbf0cdf] * src/sesh.c: No need to check if fd_dst is -1 in sudoedit mode. Failure to open the destination sudoedit file is fatal so there's no need to check that fd_dst != -1 later on. Found by PVS-Studio. [5530586ace16] * plugins/sudoers/timestamp.c: In timestamp_open() no need to free cookie on error, it is NULL. Found by PVS-Studio. [becfe97c72f8] 2018-10-18 Todd C. Miller * plugins/sudoers/ldap_util.c: Fix a memory leak on malloc() error in sudo_ldap_role_to_priv(). Coverity CID 188804 [1bea56670410] * plugins/sudoers/parse_ldif.c: Move the allocation of role to be immediately before in_role is set. This makes it clear that when in_role == true, role is non-NULL. Also remove two dead stores. [790d90c578c8] * plugins/sudoers/parse_ldif.c: Fix trimming of non-escaped trailing space in ldif_parse_attribute(). Found by PVS-Studio. [37fded3c77a4] * plugins/sudoers/match.c: Simplify the logic surrounding sudoers_args in command_args_match(). We only need to check that sudoers_args is non-NULL once. Found by PVS-Studio. [93c967145e82] * plugins/sudoers/ldap.c: If sudo_ldap_get_values_len() fails goto cleanup instead of oom. This is not strictly necessary as there's not anything to cleanup in this case but it is more consistent with the code that follows. [d0d8b8b8dca8] * plugins/sudoers/policy.c: Fix handling of timeout values in sudoers. When passing the timeout back to the front end, ignore the user-specified timeout if it is not set (initialized to 0). Otherwise, sudo would choose a zero user-specified timeout over the sudoers-specified timeout (non- zero). [6b08b3b918b7] 2018-10-17 Todd C. Miller * plugins/sudoers/cvtsudoers_pwutil.c: Fix cut & pastos in cvtsudoers_make_gritem() [bd901c0394ba] * plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok: Fix expected test output now that command_timeout is parsed correctly in LDIF. [ba6cfd26330e] * lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c: tv_nsec can never be negative after timespecsub. Found by PVS Studio [ecfb93c9463c] 2018-10-16 Todd C. Miller * plugins/sudoers/sudoers.c: Avoid potentially undefined behavior. Found by PVS Studio. [ae76c69e0d6f] * plugins/sudoers/ldap_util.c: sudo_ldap_parse_option() never returns '=' as the operator. When parsing command_timeout, role, type, privs and limitprivs, check that val is non-NULL instead. Found by PVS Studio. [10f8cff7cce7] * plugins/sudoers/Makefile.in, plugins/sudoers/toke.c: Fix up #line entries that reference lex.sudoers.c. [c724cef37b66] 2018-10-13 Todd C. Miller * plugins/sudoers/iolog.h, plugins/sudoers/iolog_util.c: Fix workaround for broken sudo 1.8.7 timing files. [78ef3625c650] * plugins/sudoers/parse_ldif.c: Fix memory leak when reusing the runas list. We need to free the member list itself as well as its contents. [62fb86a5c83f] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Some DIAGNOSTICS updates: Update error message for when the user's uid does not exist in passwd. Remove "This error indicates" and some other cosmetic cleanups. [c73841e03014] * src/sudo.c: If the user's passwd entry cannot be resolved via the uid, use the same error message as visudo. [ce596b32dfbb] 2018-10-12 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Add a DIAGNOSTICS section with an explanation of the more non- trivial error messages. [775419794f7d] * plugins/sudoers/sudoreplay.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Replace sudo_fatal(NULL) with an "unable to allocate memory" message that includes the function name. [26e19bcc0ce8] 2018-10-09 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, src/tgetpass.c: Make EOF handling while reading the password prompt more like getpass(3). We now return the password as long as at least one character has been read. Previously, EOF at the password prompt was treated as if nothing was entered. [fc2ed4a87e6f] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in: regen [2aee8680abc3] * src/tgetpass.c: Print a warning for password read issues. Issues include: timeout at the password prompt, read error while reading the password, and EOF reading the password. [df1dcebe9ffa] 2018-10-08 Todd C. Miller * lib/util/term.c, src/tgetpass.c: Handle EOF on password input when pwfedback is enabled. [4958978fc967] 2018-10-07 Todd C. Miller * doc/sudoers.ldap.mdoc.in: Fix remaining instances of "e.g." without a trailing ','. [8cbf11c04b3c] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.cat, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in: Use mdoc macros for BSD systems. All manuals now pass "make lint" [7f23209a5e1c] * doc/Makefile.in: Use -Wstyle with -Tlint since sudo is not part of the base system. This avoids "referenced manual not found" and "operating system explicitly specified" warnings. [e417e972a88a] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document log_suspend() and fix the description of the change_winsize() return value. [be02b0fb26a9] 2018-10-06 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.cat, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix problems found by igor. Bug #854 [4ddcb625f3b7] * doc/Makefile.in: Sort DOCS and DEVDOCS and remove extra sudoers entry (it was listed twice). [abb2baac9373] * doc/Makefile.in: Add igor target to run igor(1) on the manuals. [64be7fb868b3] 2018-10-05 Todd C. Miller * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Add new -S option to sleep while the command was suspended. The default behavior is now to not consider the time the command was suspended as part of the normal inter-event delay. [bb30f7b28126] * MANIFEST, include/sudo_plugin.h, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/iolog_event.h, plugins/sudoers/iolog_files.h, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/sudoreplay.c, src/exec_pty.c: Add a suspend event type to the I/O log to log suspend/resume of the command so we can skip that delay during replay. [8091d1835a31] * src/exec_pty.c, src/sudo.c, src/sudo.h: Initialize the pty rows/cols based on the values we stored in user_details. This fixes a minor issue where we would send an extra window size change event the first time the command was suspended. [b2ae9be4d1d6] 2018-09-27 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h: Add support for OpenLDAP's TLS_REQCERT setting in ldap.conf. [f07a14ae05cb] 2018-09-24 Todd C. Miller * include/sudo_util.h, plugins/sudoers/defaults.c, plugins/sudoers/iolog_util.c, plugins/sudoers/regress/starttime/check_starttime.c: Move definition of TIME_T_MAX to sudo_util.h [469c36d44950] * NEWS, doc/UPGRADE: Changes in 1.8.26 (so far). [5c73b0d8c676] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/env.c: Treat LOGIN, LOGNAME and USER specially. If one is preserved or deleted we want to preserve or delete all of them. [ea1782686195] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/env.c, plugins/sudoers/logging.c, plugins/sudoers/regress/visudo/test6.sh: Remove special handling of the USERNAME environment variable. It used to be set on old versions of Fedora but that hasn't been the case for some time. It's worth noting that ssh doesn't set USERNAME either. [5141bebd99c4] * configure, configure.ac: sudo 1.8.26 [cfe8d540328e] 2018-09-22 Todd C. Miller * src/sudo.c: Remove unused system_maxgroups argument from fill_group_list(). [debc4ca9d35f] * lib/util/getgrouplist.c: Pass getgrouplist() NGROUPS_MAX+1, not NGROUPS_MAX so we have room for the primary gid. [fccf07f2e8cf] 2018-09-20 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c: In print_member_json_int() eliminate the need_newline variable and just move the non-alias expansion printing bits into the else clause, including the newline and comma printing. [b40224fc6090] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test30.out.ok, plugins/sudoers/regress/cvtsudoers/test30.sh: Add regress test for bug #853 [31544afc6013] * plugins/sudoers/cvtsudoers_json.c: When expanding an alias in print_member_json_int() avoid printing an extra comma at the end of the entry. Bug #853. [e73e09f8569a] 2018-09-12 Todd C. Miller * doc/CONTRIBUTORS: Add Kan Sasaki [ff277fb5b0c9] * NEWS, configure, configure.ac: sudo 1.8.25p1 [c4f0a69e6356] * lib/util/event_poll.c: Fix a crash in the event system's poll() backend introduced with support for nanosecond timers. Only affects systems without ppoll(). Bug #851 [54e561b11a0f] 2018-09-02 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [04afa00445ef] 2018-08-31 Todd C. Miller * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Allow for some clock drift due to ntpd, etc. [2d72989fe7b1] * plugins/sudoers/visudo.c: If sudo_lock_file() fails for a reason other than the file already being locked, give the user a chance to edit anyway. [e5a963ecc083] 2018-08-30 Todd C. Miller * plugins/sudoers/regress/cvtsudoers/test28.sh: Quick sort is not a stable sort; use distinct sudoOrder values so the output is predictable. [46ebc1169c0c] * lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/parse_gids/parse_gids_test.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/parser/check_base64.c: Fix warnings on OpenIndiana (Illumos) [1b45d303b338] * plugins/sudoers/ldap.c: Correct ldap_to_sudoers() return value. [16b0d144b196] * NEWS: Bug #849 [3e05bad00a44] * plugins/sudoers/sssd.c: The sssd backend used to take the first match, assuming that entries were sorted in descending order by sudoOrder. That allowed it to avoid iterating over the entire list of rules. Now that we convert to a sudoers parse tree, we need to convert rules in ascending order, not descending. The simplest way to accomplish this is to simply iterate over the rules from last to first, reversing the sort order. Bug #849 [63627909bb10] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test28.out.ok, plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.out.ok, plugins/sudoers/regress/cvtsudoers/test29.sh: Add some more ldif -> sudoers tests to verify sudoOrder. [f41358fbd066] * plugins/sudoers/ldap.c: For conversion to a sudoers parse tree, ldap_entry_compare() now needs to sort in ascending order, not descending. Bug #849 [9f23126cded8] 2018-08-29 Todd C. Miller * plugins/sudoers/cvtsudoers.c: No need to set input_file for stdin in parse_ldif(); noted by clang analyzer. [c852e1c92dd2] * plugins/sudoers/iolog_util.c: Use TIME_T_MAX when parsing the I/O log file timestamp and disallow negative times. [bfb17118e584] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/sudoreplay.c: When parsing an I/O log timing line, store the result in a timespec, not a double. The speed factor (for scaling the delay) in sudoreplay is still a double but we only need to adjust the delay if the factor is something other than 1.0. [39077129d1f9] * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Fix memory leak in test. [94fb9f39dfee] * doc/cvtsudoers.cat, doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers_timestamp.cat, doc/sudoreplay.cat, doc/visudo.cat: regen [f2850c2f733a] 2018-08-28 Todd C. Miller * plugins/sudoers/env.c: Update conversion of DID_* to KEPT_* to match the new values of DID_* and KEPT_*. [6ce1bc30a4d1] * NEWS, plugins/sudoers/env.c: Set the LOGIN environment variable on AIX like we do LOGNAME. [e6afb82d918c] 2018-08-27 Todd C. Miller * config.h.in, configure, configure.ac, m4/sudo.m4, plugins/sudoers/bsm_audit.c: Add a test for the 4-argument au_close() function found in Solaris 11 instead of assuming it is present if __sun is defined. Fixes a compilation error on OpenIndiana and older Solaris versions. [4a4f91e28bbc] * doc/CONTRIBUTORS: Add Miguel Sanders and Scott Cheloha [14aca7309a0a] * NEWS: testsudoers changes [f008d473c933] * plugins/sudoers/Makefile.in, plugins/sudoers/testsudoers.c: Add ldif support to testsudoers [321f11b7badd] 2018-08-26 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c: Move ldif -> sudoers conversion code into parse_ldif.c [497d55799d5b] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/strlist.c, plugins/sudoers/strlist.h: Move string list functions to their own file. [a15902cde4eb] * lib/util/Makefile.in: sync [9b1f98d4335f] 2018-08-25 Todd C. Miller * include/sudo_event.h, lib/util/event.c, lib/util/util.exp.in: Backward ABI compatibility for even functions that use a timeval. [01d9e617a923] * lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c: Use a monotonic timer for the event subsystem. [acf30905a275] * config.h.in, configure, configure.ac, include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, plugins/sudoers/iolog_util.h, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c: Use struct timespec, not struct timeval in the event subsystem. Use ppoll() or pselect() if avaialble which use timespec. [b1bfccec8b13] 2018-08-24 Todd C. Miller * .hgignore: sync [193fd33e9864] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c: Eliminate most use of parsed_sudoers in cvtsudoers [0d0504f61e3e] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/parse.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Make alias_apply() take 3 arguments, the first being a pointer to the struct sudoers_parse_tree. [7802295c07fa] 2018-08-23 Todd C. Miller * plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c: Handle systems where root's gid is not 0. [1fc92bad715a] * plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h: Add missing files from last commit. [a155e07bb191] * .hgignore, MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/po/sudoers.pot, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c: Add regress test for I/O log plugin endpoints [bf9fbe5ff2a6] * plugins/sudoers/iolog.c: We cannot reuse last_time for the I/O log info file now that it is a monotonic timer. Just call time(3) in write_info_log() directly. [f2e1de732a91] * src/exec_pty.c: Move the loop to free the monitor_messages list into free_exec_closure_pty() [d6edc1a94e7e] * po/sudo.pot: regen [6467f05a2fd0] 2018-08-22 Todd C. Miller * lib/util/getentropy.c: Fix typo in last commit. [38f3450b57fb] * config.h.in, configure, configure.ac, lib/util/getentropy.c: Do not assume all Linux has linux/random.h. Add missing sys/syscall.h include [8460f258e1af] * plugins/sudoers/policy.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/sudo_edit.c: Cast uid/gid to unsigned int before printing. [37fcab8b4f97] * include/sudo_compat.h: Only include stdarg.h if we need it. [c266d34454ba] * plugins/sudoers/bsm_audit.c, plugins/sudoers/timestamp.c: fix compiler warnings on Solaris 11 [6c92c438a38e] * lib/util/getentropy.c: Fix setting of errno when gotdata() fails. [4fab71fa575f] * plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/ldap.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/timestamp.c, src/sudo_noexec.c: Include stddef.h for offsetof() definition. [15d13ae1ba46] * NEWS: Bugs 846 and 847 [a0ba7ad24812] * include/sudo_compat.h: We still need to include string.h for AIX (and possibly others) when we are not using the system memset_r() function and rsize_t is defined by the system headers. [e1f8f7537209] * configure, configure.ac, include/sudo_compat.h, mkpkg: Add --enable-package-build to give configure a hint that we are building a package. This can be used to avoid relying on libc functions that may not be present in all libc versions for a particular system. For instance, AIX 7.1 may or may not have memset_s() and getline() present. [7e843bed8435] * include/sudo_compat.h: AIX defines rsize_t in string.h, not stddef.h for use by the memset_s() prototype. We use our own memset_s() on AIX since it is not available on all BOS levels which makes package building problematic. [3724b47eadd8] 2018-08-21 Todd C. Miller * plugins/sudoers/defaults.c: Fix printing of T_TIMESPEC values. [8775c17229a4] * plugins/sudoers/iolog.c: Remove unused struct script_buf [fd27f67123b3] 2018-08-20 Todd C. Miller * NEWS: Document when the I/O log timing file entry bug was introduced. [09a75d80487e] * NEWS: sync [95fd54c61719] * config.h.in, configure, configure.ac, lib/util/gettime.c: HP-UX doesn't suport CLOCK_MONOTONIC but we can use gethrtime() instead. [3ec7d99444c0] * src/exec_monitor.c, src/exec_pty.c: Close the pty slave in the parent so that when the command and monitor exit, the pty gets recycled without our having to close it directly. [fec53753cf52] * lib/util/term.c, src/exec_monitor.c, src/exec_pty.c, src/sudo.h: Move updating of the window size to the monitor process. This will allow us to close the slave in the main sudo process in the future so only the command and monitor have it open. [07108a1c2edc] * configure, configure.ac: sudo 1.8.25 [4938ba570787] * plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok: Fix test output for bug #845 [ee6f2d615bd8] * plugins/sudoers/ldap_util.c: Fix pasto when converting sudoNotAfter; from Miguel Sanders Bug #845 [69638cd6da60] 2018-08-19 Todd C. Miller * aclocal.m4, config.h.in, configure, configure.ac, include/sudo_util.h, lib/util/gettime.c, lib/util/util.exp.in: Add sudo_gettime_uptime() to measure time while not sleeping. [a128e7d51740] * plugins/sudoers/iolog.c: Use a monotonic timer that only runs while not suspended for the iolog timing values and write nsec-precision entries. [7f37f0b24ce7] 2018-08-18 Todd C. Miller * mkpkg: Detect number of CPUs on AIX. [2b7c62b42da2] * plugins/sudoers/iolog.c: Fix I/O log timing file on systems without a C99-compatible snprintf(). On those systems we use our own snprintf() that doesn't support floating point. We don't actually need floating point in this case since the we can print seconds and microseconds without using it. [4ea419ac5bee] * NEWS: Fix for Bug #844 [51cfeb79669c] * src/sudo_edit.c: Handle the case where O_PATH or O_SEARCH is defined but O_DIRECTORY is not. In theory, O_DIRECTORY is redundant when O_SEARCH is specified but it is legal for O_EXEC and O_SEARCH to have the same value. Bug #844 [fb75d75c7249] 2018-08-17 Todd C. Miller * NEWS: sync [2be1b619a06a] * plugins/sudoers/starttime.c: Fix get_starttime() on HP-UX. [329a4ad9f4ef] * mkpkg: Detect number of CPUs on HP-UX. Use MAKE environment variable if set. [c95ab5d6d392] * src/net_ifs.c: Avoid a compilation problem on HP-UX 11.31 with gcc and machine/sys/getppdp.h [b861e894271b] 2018-08-16 Todd C. Miller * plugins/sudoers/Makefile.in: Add CHECK_SYMBOLS_LDFLAGS to check_symbols target. Non-ELF HP-UX executables don't support SHLIB_PATH or LD_LIBRARY_PATH unless ld is passed the +s flag. This lets the check_symbols test pass on systems where the ldap libraries aren't installed in the standard location. [c2d6d3248fa4] 2018-08-15 Todd C. Miller * doc/Makefile.in: For the lint target, don't stop after the first manual that fails lint. [8a80d8e7b540] * plugins/sudoers/timestamp.c: Add debugging info so we can tell why a timestamp record doesn't match. [99ede76f9835] 2018-08-13 Todd C. Miller * NEWS: typo [8a5a11b921ea] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, po/da.mo, po/da.po: sync with translationproject.org [19f7eba39013] 2018-08-11 Todd C. Miller * plugins/sudoers/iolog.c: Fix the return value of sudoers_io_change_winsize() on success. Otherwise, we only log a single window size change. [d6cdab99f6f9] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: sync with translationproject.org [4109b52f393f] 2018-08-08 Todd C. Miller * NEWS: sync [1448675b44aa] 2018-08-07 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix ambiguity when talking about Aliases. We can't use User_Alias in the grammar as both the definition of the Alias as well as its name. This adds {User,Runas,Host,Cmnd}_Alias_Spec to help differentiate between the name of the alias and its definition. Bug #834 [06678d12306f] * doc/cvtsudoers.cat, doc/sudoreplay.cat: regen [d7237381675a] * Makefile.in: Warn if unable to run xgettext or msgfmt. [d0cbba35cd49] 2018-08-06 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/hr.mo, plugins/sudoers/po/it.mo, plugins/sudoers/po/ja.mo, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/sv.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/vi.mo: sync with translationproject.org [d1deb5cb5eb3] 2018-08-05 Todd C. Miller * plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Refactor code to convert defaults to tags and do conversion on output for "sudo -l". Remove the short_list (was long_list) global in favor of a verbose argument. [eae1e1e814e0] 2018-08-04 Todd C. Miller * plugins/sudoers/policy.c: Assign short_list true, not 1 now that it is a boolean. [10354cd29439] * plugins/sudoers/fmtsudoers.c: fix typo [ad7e93f375ba] 2018-08-03 Todd C. Miller * plugins/sudoers/rcstr.c: Fix a warning on FreeBSD which has a fancier __containerof implementation. [b5106a524232] * plugins/sudoers/po/de.po, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.po: sync with translationproject.org [ae5353cbeac4] 2018-08-02 Todd C. Miller * aclocal.m4, autogen.sh, config.h.in, configure: Regen with aclocal 1.15.1. [22c02e451333] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: For ldap/sssd, include defaults in the generate privilege unless we are listing in short mode (in which case we convert them to tags if possible). Fixes a problem where sudoOptions were not being applied to the command. [b21267488971] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: update_defaults() needs to be able to take a defaults_list for the ldap/sssd backends which support per-role defaults. [ddbb07881a46] 2018-07-31 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [29c5a09aaeaf] 2018-07-30 Todd C. Miller * NEWS: Update [045b535f84b9] 2018-07-26 Todd C. Miller * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/file.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions. [bddb4676ad0e] * lib/util/getgrouplist.c: Don't need to preallocate 4 x NGROUP_MAX on AIX or BSD/Linux. For BSD/Linux, getgrouplist(3) will tell us the number of groups if we don't have enough. For AIX, we can count the entries in the group set before allocating the group vector. [c278fd947af4] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudoers.h: Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors from pam_acct_mgmt() if authentication is disabled for the user. Bug #843 [1dc39794cf0d] 2018-07-23 Todd C. Miller * src/exec_pty.c: Work around a bug on AIX where closing the pty slave causes the main sudo process to lose its controlling tty (which was *not* the pty slave). [649a25b7f864] * src/sudo.c: Add missing aix_restoreauthdb() call to match the aix_setauthdb() added in b8a011be9af7. Fixes issues on AIX where local users/groups may not be resolved when some NIS/AD/LDAP is used for users. [16e196a7a337] * lib/util/getgrouplist.c: Linux getgrouplist(3) returns the number of groups on success instead of 0 like BSD. [599a89afa4f5] 2018-07-20 Todd C. Miller * mkdep.pl, plugins/sudoers/Makefile.in: When both a .o and .lo file was used in a Makefile, we used to make the .o depend on the .lo. Unfortunately, this creates a race condition for parallel make since libtool is not atomic (it creates a .o and then renames it when building PIC objects for shared libs). We always link with libtool so the only reason to prefer the .o over the .lo file is to avoid mixing .o and .lo in the dependencies. That's not a good enough reason so change mkdep.pl to warn when both a .o and .lo are referenced in a Makefile and do nothing else. Bug #842 [a8d94e6aed9f] 2018-07-15 Todd C. Miller * plugins/sudoers/ldap.c: Avoid duplicate free when netgroup_base is invalid. [5ce39dff77ba] 2018-07-03 Todd C. Miller * lib/util/arc4random.h: Use madvise(2) with MADV_WIPEONFORK if available. [a11461409569] 2018-07-01 Todd C. Miller * plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, po/eo.mo, po/eo.po: sync with translationproject.org [01bcfe7b30e5] * NEWS: Update. [f5e0b1f909bb] 2018-06-25 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: sync with schema.OpenLDAP [d83420d8228d] * doc/schema.OpenLDAP: RFC 2849 specifies whitespace as the space character only so replace tabs with spaces. Bug #840 [e9d5de6365ba] * doc/schema.OpenLDAP: Fix typo; bug #839 [dee2dad738de] 2018-06-16 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Should no longer need to set max_groups. [459119b11265] 2018-06-15 Todd C. Miller * plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil_impl.c, src/sudo.c: Use new sudo_getgrouplist2() function instead of getgrouplist(). [8e88b6d3ea6f] * configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/getgrouplist.c, lib/util/util.exp.in: Add sudo_getgrouplist2() to dynamically allocate the group vector. This allows us to avoid repeatedly calling getgrouplist() with a statically sized vector on macOS, Solaris, HP-UX, and AIX. [55480e2ec7c2] * src/conversation.c: Fix fd leak introduced by SUDO_CONV_PREFER_TTY commit. Coverity CID 186605. [fb6eb518bc4c] 2018-06-13 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.cat, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix some issues pointed out by mandoc -Tlint [7ace981c7334] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/conversation.c: Add SUDO_CONV_PREFER_TTY flag for conversation function to tell sudo to try writing to /dev/tty first. Can be used in conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG. [a1e9420a7c5e] 2018-06-08 Todd C. Miller * doc/LICENSE: Update for arc4random.c, arc4random_uniform.c and getentropy.c [168db3c8d590] 2018-06-05 Todd C. Miller * src/regress/noexec/check_noexec.c: FreeBSD wordexp() returns WRDE_SYNTAX if it can't write to the shell process. Since we've prevented execve() from succeeding this is the error we get back from wordexp() on FreeBSD. [2a7a73de30cf] 2018-06-04 Todd C. Miller * plugins/sudoers/starttime.c: Fix conversion of usec to nsec; from Scott Cheloha [26fa756ea623] 2018-06-01 Todd C. Miller * include/sudo_plugin.h: Fix typo. [504256dc4ccc] 2018-05-29 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: The getdefs() function now get called multiple times so use the cached data if present. [042be7ccab3c] * plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c: Return an empty defaults list, not NULL if there is no global sudoers defaults entry in sss. [8e16de465ee2] * plugins/sudoers/file.c: Fix memory leak of handle pointer on close. [e4eb30e611d4] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Remove a needless copy when parsing options. [60fe50b736a9] * plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c: Move cached userspecs and defaults into the handle object. [37e4df73907d] 2018-05-28 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Quiet a clang analyzer warning. It should not be possible for pop_include() to be called when YY_CURRENT_BUFFER is NULL. [148d79e5a44e] * plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Reorder things to avoid the need to declare static functions. [8f27e69fa9cb] 2018-05-24 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_rand.h, lib/util/Makefile.in, lib/util/arc4random.c, lib/util/arc4random.h, lib/util/arc4random_uniform.c, lib/util/chacha_private.h, lib/util/getentropy.c, lib/util/util.exp.in, mkdep.pl: Import arc4random() from libressl. This takes an all-in-one approach instead of the one-file-per-OS approach that libressl takes. The fallback code does not have as many OS-specific bits as libressl. [310d65e466bd] * lib/util/Makefile.in, lib/util/mktemp.c, plugins/sudoers/Makefile.in, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/insults.h: Use arc4random for mkstemp() and insults. [b8c7447756f2] * MANIFEST, configure, configure.ac, include/sudo_digest.h, lib/util/Makefile.in, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/util.exp.in, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/digestname.c, plugins/sudoers/filedigest.c, plugins/sudoers/filedigest_gcrypt.c, plugins/sudoers/filedigest_openssl.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move digest code into libutil [c53cf5c508eb] 2018-05-20 Todd C. Miller * MANIFEST, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/cvtsudoers/test25.sh, plugins/sudoers/regress/cvtsudoers/test26.out.ok, plugins/sudoers/regress/cvtsudoers/test26.sh, plugins/sudoers/regress/cvtsudoers/test27.out.ok, plugins/sudoers/regress/cvtsudoers/test27.sh: Check for invalid bas64 attributes. [4218d11c8205] * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/parser/check_base64.c: Fix pointer sign warnings. [5ee724e3956e] * plugins/sudoers/cvtsudoers_ldif.c: Add missing variable declaration for SELinux and Solaris. [c8084f0508e5] * plugins/sudoers/cvtsudoers_ldif.c: Handle empty string and treat it as safe. [8029b97d8f4a] * MANIFEST, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/cvtsudoers/test26.out.ok, plugins/sudoers/regress/cvtsudoers/test26.sh: Add support for base64-encoding non-safe strings in LDIF output. [b9fd1795f4ee] 2018-05-19 Todd C. Miller * plugins/sudoers/base64.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_base64.c: Add base64_encode() by Jon Mayo. [a893ec3dc667] 2018-05-18 Todd C. Miller * MANIFEST, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/cvtsudoers/test25.out.ok, plugins/sudoers/regress/cvtsudoers/test25.sh: Add support for parsing base64-encoded attributes [262dd9a526de] 2018-05-17 Todd C. Miller * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/sudoers/test2.ldif.ok: rfc2253 says we need to escape " and leading and trailing space. [1c0105a5eb1b] * configure, configure.ac: Define ZLIB_CONST so we get the const version of the API. [71a629d0eb4b] 2018-05-16 Todd C. Miller * plugins/sudoers/parse.c: Fix logic inversion when handing the authenticate Defaults option for "sudo -l" and "sudo -v" in long list mode. [f8157d4c4f03] * plugins/sudoers/sssd.c: Set handle->pw before sss_to_sudoers() since sss_check_user() uses it. Coverity CID 185651 [fa646e569352] * plugins/sudoers/ldap_util.c: Fix memory leak on error, CID 185602 [31c1ab085985] * plugins/sudoers/ldap.c: Some ldap_get_values_len -> sudo_ldap_get_values_len that were missed before. [d7f1877531be] * plugins/sudoers/ldap_util.c: When building up the cmndspec, add the actual command member last. This simplifies the logic regarding the SETENV tag and alsomakes "out of memory" cleanup simpler. [d704f3b09ac1] * plugins/sudoers/cvtsudoers_ldif.c: Fix format string mismatch, sudo_order is unsigned. [ecc398e45b0a] * plugins/sudoers/pwutil.c: Add cppcheck annotation to suppress memory leak false positive. [d4a0ae57c372] * plugins/sudoers/ldap_util.c: Sudo "ALL" implies the SETENV tag. [7abc653b4d39] * src/parse_args.c: Only set MODE_PRESERVE_ENV when preserving the entire environment. Fixes a problem introduced in 1.8.23 where "sudo -i" could not be used in conjunction with --preserve-env=VARIABLE. Bug #835 [8ea75ca8fbd2] 2018-05-15 Todd C. Miller * plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Add free_userspecs() and free_default() and use them instead of looping over the lists and calling free_userspec() and free_default(). [797221539242] * configure, configure.ac: Depending on the bos level, AIX 6.1 may or may not include getline/getdelim and AIX 7.1 may or may not include memset_s. Since we need to build packages that will work on all AIX 6.1 and 7.1 machines, use our getline() and memset_s emulation. [f5c427076b2c] 2018-05-14 Todd C. Miller * plugins/sudoers/ldap_util.c: Do not leak struct sudo_command when the command is ALL. Coverity CID 185602. [d71ca4bc06bc] * NEWS, configure, configure.ac: Sudo 1.8.24 [7df3df9a3907] * plugins/sudoers/sssd.c: Improve comments about why we need to do a user check and how it related to netgroups. [605234ed0935] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Add checks for ldap/sss functions failing due to memory allocation errors. [0dfeb0d8ecf5] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Let the main sudoers lookup code check the host name. We still check the user name so it is possible to use a single userspec but this may change in the future. [a74699b90213] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing. [50de9302de01] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/filedigest.c, plugins/sudoers/filedigest_gcrypt.c, plugins/sudoers/filedigest_openssl.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Include parse.h in sudoers.h since it will soon be required. [196abb590d96] * plugins/sudoers/ldap_util.c: Parse "ALL" as a command correctly. [d969e7dfdbbc] 2018-05-11 Todd C. Miller * plugins/sudoers/match.c: Add debug warning if lseek() fails (should not be possible). [d568dc923c7d] * plugins/sudoers/match.c: Fix swapped args of lseek() when rewinding. This didn't cause a problem because the value of SEEK_SET is 0. [142591a3f333] 2018-05-10 Todd C. Miller * plugins/sudoers/regress/parser/check_hexchar.c: Fix a format-truncation warning in newer gcc by avoiding using %0x and %0X in the test. We are formatting a single byte so just do it one nybble at a time. [7c594a63598f] * configure: Regen with autoconf git commit e17a30e987d7ee695fb4294a82d987ec3dc9b974 AC_HEADER_MAJOR: port to glibc 2.25 [9fe77765c768] 2018-05-03 Todd C. Miller * plugins/sudoers/cvtsudoers_ldif.c: No need to explicitly free role on EOF, it will be freed after the loop is done. [8d08c06b7622] * plugins/sudoers/policy.c: Garbage collect the command argv, envp and info vectors since they are not available at policy close time. [de22290a8ec5] * plugins/sudoers/cvtsudoers_ldif.c: Plug memory leaks on parse error or when an LDIF entry doesn't match the dn filter. [4f48e740eed1] * plugins/sudoers/cvtsudoers.c: Rename variables now that the string list functions are not ldap- specific. [640497f70551] 2018-04-30 Todd C. Miller * NEWS: Fix typo [6466295ba962] 2018-04-29 Todd C. Miller * configure, configure.ac: fix version [bfed601130b5] * NEWS: sync [1c382f2aff27] * configure, configure.ac, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [ec28ff5acbd6] 2018-04-25 Todd C. Miller * plugins/sudoers/match.c: O_EXEC for fexecve() not O_SEARCH. [a156d8b38f31] * doc/TROUBLESHOOTING: Document how to suppress the last login message on Solaris. [2926b670aca4] 2018-04-24 Todd C. Miller * plugins/sudoers/cvtsudoers_json.c: Fix compilation error with older Sun Studio compilers. [0f735611642d] * NEWS: Update Bug #831 decription. [d5e6a2a807b8] * MANIFEST, doc/CONTRIBUTORS, po/zh_TW.mo, po/zh_TW.po: Add Chinese(Taiwan) translation for sudo. [5a4ba6769cca] * plugins/sudoers/match.c: Move the check for /dev/fd/N until *after* the digest has been checked. We still need to be able to check the digest even if there is no /dev/fd/N or fexecve(). [e0e086b4e764] 2018-04-23 Todd C. Miller * plugins/sudoers/match.c: Rewind the fd after calling sudo_filedigest(). Otherwise, when running a script via fexecve(), the interpreter may get EOF when reading /dev/fd/N. This only appears to affect BSD systems with fdescfs. Bug #831. [d79f5125cc73] * plugins/sudoers/match.c: In open_cmnd(), return true, not false, if we the /dev/fd/N pathname is not present. We don't want to fail a match because of this. [72c4b499c019] * NEWS: Bug #831. [700646725f45] * plugins/sudoers/match.c: We can only use fexecve() on a script if /dev/fd/N exists. Some systems, such as FreeBSD, don't have /dev/fd mounted by default. Bug #831 [30f7c5d64104] 2018-04-22 Todd C. Miller * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/el.mo, plugins/sudoers/po/el.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/eu.mo, plugins/sudoers/po/eu.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/fur.mo, plugins/sudoers/po/fur.po, plugins/sudoers/po/hu.mo, plugins/sudoers/po/hu.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/lt.mo, plugins/sudoers/po/lt.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sk.po, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/tr.mo, plugins/sudoers/po/tr.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/ca.mo, po/ca.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/es.mo, po/es.po, po/eu.mo, po/eu.po, po/fi.mo, po/fi.po, po/fur.mo, po/fur.po, po/gl.mo, po/gl.po, po/hu.mo, po/hu.po, po/ko.mo, po/ko.po, po/nl.mo, po/nl.po, po/nn.mo, po/nn.po, po/ru.mo, po/ru.po, po/sk.mo, po/sk.po, po/sl.mo, po/sl.po, po/sr.mo, po/sr.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [a786a841f30a] 2018-04-21 Todd C. Miller * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/el.mo, plugins/sudoers/po/el.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/eu.mo, plugins/sudoers/po/eu.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/fur.mo, plugins/sudoers/po/fur.po, plugins/sudoers/po/hu.mo, plugins/sudoers/po/hu.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/lt.mo, plugins/sudoers/po/lt.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sk.po, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/tr.mo, plugins/sudoers/po/tr.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/ca.mo, po/ca.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/es.mo, po/es.po, po/eu.mo, po/eu.po, po/fi.mo, po/fi.po, po/fur.mo, po/fur.po, po/gl.mo, po/gl.po, po/hu.mo, po/hu.po, po/ko.mo, po/ko.po, po/nl.mo, po/nl.po, po/nn.mo, po/nn.po, po/ru.mo, po/ru.po, po/sk.mo, po/sk.po, po/sl.mo, po/sl.po, po/sr.mo, po/sr.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [268a65ce44cb] * MANIFEST, plugins/sudoers/regress/cvtsudoers/test23.out.ok, plugins/sudoers/regress/cvtsudoers/test23.sh, plugins/sudoers/regress/cvtsudoers/test24.out.ok, plugins/sudoers/regress/cvtsudoers/test24.sh: Add tests for round-tripping cvtsudoers, sudoers -> LDIF -> sudoers and LDIF -> sudoers -> LDIF. [370d4ba4dbb8] 2018-04-19 Todd C. Miller * MANIFEST, plugins/sudoers/regress/cvtsudoers/test22.out.ok, plugins/sudoers/regress/cvtsudoers/test22.sh: Test the -b option when converting from LDIF. [4d65c7c2ed01] * plugins/sudoers/cvtsudoers_ldif.c: Fix the -b option when converting from LDIF. [f3c1e4dbd61e] 2018-04-18 Todd C. Miller * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, po/it.mo, po/it.po: sync with translationproject.org [1953956c60fe] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Fix some more typos. [87fde92a1fa4] * doc/Makefile.in: mandoc now preserves the copyright notice, no need to do it ourselves [2c3f6841941a] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Describe the special handling of LOGNAME, USER and USERNAME. Fix typos reported by aspell. [e89bd28f4530] * src/load_plugins.c: Fix a memory leak on the error path. [db5a4678e0e4] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that the editor setting is also used by sudoedit. [2ae14439efd7] 2018-04-17 Todd C. Miller * src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Plug memory leak when an I/O plugin is specified in sudo.conf but the I/O plugin is not configured. [5b5086d7152a] * INSTALL, MANIFEST, NEWS, config.h.in, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/ins_python.h, plugins/sudoers/insults.h: Monty Python insults from Philip Hudson [8330cfc5ea19] 2018-04-15 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: add examples [830ff26a0dbc] * doc/sudo.conf.man.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoers_timestamp.man.in, doc/sudoreplay.man.in, doc/visudo.man.in: Update copyright year and regen man pages. [6385891ebaa3] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/cs.mo, po/cs.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po: sync with translationproject.org [3495b17becb0] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/match.c: Prune alias contents when pruning and expanding aliases. This abuses the userlist_matches_filter() and hostlist_matches_filter() functions. A better approach would be to call the correct function from user_matches() and host_matches(). [0ae5f351b09f] * MANIFEST, examples/sudoers, plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/sudoers, plugins/sudoers/regress/cvtsudoers/sudoers.defs, plugins/sudoers/regress/cvtsudoers/test1.out.ok, plugins/sudoers/regress/cvtsudoers/test1.sh, plugins/sudoers/regress/cvtsudoers/test10.out.ok, plugins/sudoers/regress/cvtsudoers/test10.sh, plugins/sudoers/regress/cvtsudoers/test11.out.ok, plugins/sudoers/regress/cvtsudoers/test11.sh, plugins/sudoers/regress/cvtsudoers/test12.out.ok, plugins/sudoers/regress/cvtsudoers/test12.sh, plugins/sudoers/regress/cvtsudoers/test13.out.ok, plugins/sudoers/regress/cvtsudoers/test13.sh, plugins/sudoers/regress/cvtsudoers/test14.out.ok, plugins/sudoers/regress/cvtsudoers/test14.sh, plugins/sudoers/regress/cvtsudoers/test15.out.ok, plugins/sudoers/regress/cvtsudoers/test15.sh, plugins/sudoers/regress/cvtsudoers/test16.out.ok, plugins/sudoers/regress/cvtsudoers/test16.sh, plugins/sudoers/regress/cvtsudoers/test17.out.ok, plugins/sudoers/regress/cvtsudoers/test17.sh, plugins/sudoers/regress/cvtsudoers/test18.out.ok, plugins/sudoers/regress/cvtsudoers/test18.sh, plugins/sudoers/regress/cvtsudoers/test19.out.ok, plugins/sudoers/regress/cvtsudoers/test19.sh, plugins/sudoers/regress/cvtsudoers/test2.out.ok, plugins/sudoers/regress/cvtsudoers/test2.sh, plugins/sudoers/regress/cvtsudoers/test20.conf, plugins/sudoers/regress/cvtsudoers/test20.out.ok, plugins/sudoers/regress/cvtsudoers/test20.sh, plugins/sudoers/regress/cvtsudoers/test21.conf, plugins/sudoers/regress/cvtsudoers/test21.out.ok, plugins/sudoers/regress/cvtsudoers/test21.sh, plugins/sudoers/regress/cvtsudoers/test3.out.ok, plugins/sudoers/regress/cvtsudoers/test3.sh, plugins/sudoers/regress/cvtsudoers/test4.out.ok, plugins/sudoers/regress/cvtsudoers/test4.sh, plugins/sudoers/regress/cvtsudoers/test5.out.ok, plugins/sudoers/regress/cvtsudoers/test5.sh, plugins/sudoers/regress/cvtsudoers/test6.out.ok, plugins/sudoers/regress/cvtsudoers/test6.sh, plugins/sudoers/regress/cvtsudoers/test7.out.ok, plugins/sudoers/regress/cvtsudoers/test7.sh, plugins/sudoers/regress/cvtsudoers/test8.out.ok, plugins/sudoers/regress/cvtsudoers/test8.sh, plugins/sudoers/regress/cvtsudoers/test9.out.ok, plugins/sudoers/regress/cvtsudoers/test9.sh: cvtsudoers regress tests [72fd218b5036] 2018-04-14 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Fix typo [e572c36919b7] * plugins/sudoers/cvtsudoers.c: Fix cut & pasto that prevented "-d command" from working. [6e4ff7f23d0a] 2018-04-13 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y: Fix a user after free crash as well as a memory leak when filtering Defaults. [9bdd404ae6a4] 2018-04-12 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Document that a User_Alias or Host_Alias may be used in the match filter. [49b9306a6a6d] * plugins/sudoers/fmtsudoers.c: Don't always expand aliases when formatting a host-based Defaults line. This was missed when expand_aliases support was added. [ef12a033306c] * plugins/sudoers/cvtsudoers.c: Allow host and user aliases to be specified in match filters. [6bc8c0da4578] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update copyright year. [e9c2eb23def1] 2018-04-10 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/hu.mo, plugins/sudoers/po/hu.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/da.mo, po/da.po, po/hr.mo, po/hr.po, po/hu.mo, po/hu.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po: sync with translationproject.org [4a0811073374] 2018-04-09 Todd C. Miller * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse.h: When the -d option is used, remove aliases used by the non-converted Defaults settings if the aliases are not also referenced by userspecs. [d07c4254b3dd] 2018-04-05 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [9a4d88b2a965] * NEWS: update [6ef9dde8fc9a] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Mention -p and -M options in the description of -m. [b20abfd14164] 2018-04-04 Todd C. Miller * src/sudo_edit.c: Check sudoedit temporary directory for writability before using it. [1e29ade3f4b2] * plugins/sudoers/regress/starttime/check_starttime.c: Use btime in /proc/stat to determine system start time instead of /proc/uptime. Fixes the process start time test when run from a container where /proc/uptime is the uptime of the container but the process start time is relative to the host system boot time. Bug #829 [65ba61e55011] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/match.c, plugins/sudoers/parse.h: Add option to prune non-matching entries from cvtsudoers output with -m option is used. [9a69ba35389d] 2018-04-02 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h: Allow defaults types and suppression list to be specified in the config file. [62dd7a96ac9b] * plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse.h, plugins/sudoers/visudo.c: Refactor common alias code out of cvtsudoers and visudo and into alias.c. [b3ba3e6f24d2] 2018-03-29 Todd C. Miller * plugins/sudoers/cvtsudoers.c: Avoid NULL deref in an error path. CID 183467 [38ea56670f18] * plugins/sudoers/cvtsudoers.c: No need to initialize the last pointer passed to strtok_r(). This was originally added to appease newer gcc but no longer seems to be required. CID 183466, CID 183468, CID 183469 [b0a9b90603e1] * plugins/sudoers/cvtsudoers_json.c: Avoid false positive NULL dereference by uses value.u.string instead of name as the former is guaranteed not to be NULL. Fixes CID 183465. [c896d10f5626] 2018-03-29 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [8a88e162fd0b] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Add a section on convertion from file-based sudoers. [033c797b229d] 2018-03-28 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c: Add support for "cvtsudoers -d all" [62e748b70105] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h: Add -d option to control what type of Defaults entries are converted. [b723f0dae5c7] 2018-03-27 Todd C. Miller * src/exec_pty.c: In pty_close() we still need to check whether the pty master and slave fds are open before closing them. When no tty is present but we are I/O logging pty_close() will be called when there is no actual pty in use. [59201fb78427] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/sudo.conf.cat, doc/sudoers_timestamp.cat, doc/visudo.cat: regen [186f3b58daf5] 2018-03-26 Todd C. Miller * .hgignore: ignore *.ldif2sudo regress output [8d57e8a0013f] * src/exec_pty.c: In pty_close() there is no need to remove events associated with the pty slave as there are none. We also don't need to check for the pty fds being -1 since they are not closed elsewhere and pty_close() is only called if pty_setup() succeeds. [585a47fb5a8b] 2018-03-25 Todd C. Miller * doc/Makefile.in, doc/cvtsudoers.mdoc.in: Move cvtsudoers to section 1. [69adcb2d24ff] * src/exec_pty.c: In pty_close() close the slave and remove any events associated with it. Fixes a potential hang when performing the final flush on non- BSD systems. [40159d852c2d] 2018-03-23 Todd C. Miller * plugins/sudoers/ldap_util.c: Fix typo in strcmp(), we are comparing var not val. [07ccd7bae4f6] * MANIFEST: sync [7960511e39dd] * NEWS: sync [c655e7111ce9] 2018-03-22 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [ff7b545844fb] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.h: Add -M option to cvtsudoers to force the use of the local passwd and group databases when matching. [ea58e2765a40] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c: Add cvtsudoers command line option to suppress certain parts of the security policy. Can be used to suppress displaying of Defaults entries, aliases or privileges. [b243efa695e6] 2018-03-21 Todd C. Miller * plugins/sudoers/regress/parser/check_gentime.c: Silence a false positive from the clang static analyzer. [bfde0594783e] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Silence a false positive from the clang static analyzer. [5257e321158d] * plugins/sudoers/cvtsudoers.c: Fix memory leak on error path. [1a13732abfd5] * plugins/sudoers/po/sudoers.pot: regen [c139b8bed3c1] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_ldif.c: Move cvtsudoers string functions into cvtsudoers.c [4b5b799e7abc] * plugins/sudoers/Makefile.in: regen [6ecb37e35c9f] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/parse.h: Initial support filtering by user, group and host in cvtsudoers. Currently forces alias expansion when a filter is applied and the entire matching user or host list is printed, even the non-matching entries. This effectively allows you to grep sudoers by user, group and host. [0adbf8d38eb4] * plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Add free_default() to free a struct defaults pointer so we have a single place where we free the defaults. A pointer to the previous Default's binding may be passed in to avoid freeing an already free binding. [9d9ef007ee88] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Decrease bullet width to 1n. [e6f3776fd72e] 2018-03-17 Todd C. Miller * src/sudo.c: Add aix_setauthdb() before the initial getpwuid() call. [b8a011be9af7] 2018-03-10 Todd C. Miller * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: fix compilation on Solaris [e31019b5f545] 2018-03-08 Todd C. Miller * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Make "sudoreplay -m 0" skip the pauses entirely. [d9a7fc9f5720] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Document that a negative value for -m will elmininate the pauses. [a025e96abb47] 2018-03-06 Todd C. Miller * plugins/sudoers/testsudoers.c: Update copyright date, remove unneeded include and add a few comments. [ac1bccd631e5] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test10.out.ok, plugins/sudoers/regress/sudoers/test11.out.ok, plugins/sudoers/regress/sudoers/test12.out.ok, plugins/sudoers/regress/sudoers/test13.out.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test15.out.ok, plugins/sudoers/regress/sudoers/test16.out.ok, plugins/sudoers/regress/sudoers/test17.out.ok, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/regress/sudoers/test19.out.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test20.out.ok, plugins/sudoers/regress/sudoers/test21.out.ok, plugins/sudoers/regress/sudoers/test22.out.ok, plugins/sudoers/regress/sudoers/test3.out.ok, plugins/sudoers/regress/sudoers/test4.out.ok, plugins/sudoers/regress/sudoers/test5.out.ok, plugins/sudoers/regress/sudoers/test6.out.ok, plugins/sudoers/regress/sudoers/test7.out.ok, plugins/sudoers/regress/sudoers/test8.out.ok, plugins/sudoers/regress/sudoers/test9.out.ok, plugins/sudoers/testsudoers.c: Use fmtsudoers functions in testsudoers. [be27df4a5291] * MANIFEST, plugins/sudoers/regress/sudoers/test22.in, plugins/sudoers/regress/sudoers/test22.json.ok, plugins/sudoers/regress/sudoers/test22.ldif.ok, plugins/sudoers/regress/sudoers/test22.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test22.out.ok, plugins/sudoers/regress/sudoers/test22.sudo.ok, plugins/sudoers/regress/sudoers/test22.toke.ok: Add test for empty runas user list. [5598cf4c3329] * plugins/sudoers/testsudoers.c: Don't print an empty user list as ALL. [806ee09f854d] * plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h: In sudoers_format_userspecs make the separator optional and silence a printf format warning. [62c576cbec4b] * plugins/sudoers/starttime.c: Use correct defines when checking for sysctl kinfo_proc support. [6017e45d14b9] * plugins/sudoers/cvtsudoers_json.c: Fix crash when converting sudoers entry with a runas list that is present but empty. [ff6b9ef53c6b] 2018-03-05 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, src/regress/ttyname/check_ttyname.c, src/tgetpass.c, src/ttyname.c: Less confusing sysctl checks for kinfo_proc. [553f6b3f9c3b] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/pwutil.c, plugins/sudoers/sssd.c: Add case_insensitive_group and case_insensitive_user sudoers options, which are enabled by default. [bd74d8b7fe83] 2018-03-04 Todd C. Miller * plugins/sudoers/fmtsudoers.c: Kill dead store found by clang-analyzer. [af2021d3d396] * plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok, plugins/sudoers/sssd.c: Initial support for adding comments that will be emitted when sudoers is formatted. Currently adds a comment for the source sudoRole when converting from ldif -> sudoers. [bf2e7f48f452] * lib/util/lbuf.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h: Special case comment lines in lbufs. [10d6d229ffae] * plugins/sudoers/cvtsudoers_ldif.c: Handle escaped commas when skipping over the cn. [61aed7ff5e1c] 2018-03-03 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h: When formatting as sudoers, flush the lbuf after each userspec. [060266dd440c] 2018-03-02 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/sudoers/test1.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test15.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test16.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test19.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test20.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test21.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test3.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test6.ldif2sudo.ok: Add tests for round-tripping sudoers -> ldif -> sudoers [72e3e73fb612] * plugins/sudoers/cvtsudoers_ldif.c: Add missing sudoOrder support to parse_ldif(). [8c5e9f22f0da] * plugins/sudoers/ldap_util.c: Add missing support for converting LOG_INPUT/LOG_OUTPUT tags and expand support for NOMAIL tags. [2820c8333381] * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok: Don't emit an empty sudoRole for global defaults if there are none. [2a69dccb7071] * plugins/sudoers/ldap_util.c: Avoid changing the order of non-negated hosts and commands. We still put negated hosts/commands at the end of the list. [e1aea92dd6dc] * plugins/sudoers/cvtsudoers_ldif.c: Handle parsing boolean options that have no explicit value. [b5d597faa23d] * plugins/sudoers/cvtsudoers_ldif.c: Refactor the code that actually converts the role to sudoers format into role_to_sudoers() now that it is more involved than just calling sudo_ldap_role_to_priv(). [b876171ff96e] * plugins/sudoers/cvtsudoers_ldif.c: When merging two privileges, use the runas lists of the previous privilege when possible. Otherwise, the generated sudoers line will include a runas list for commands that is not necessary. [337b49451947] 2018-03-01 Todd C. Miller * plugins/sudoers/match.c: Use a case-insensitive comparison when matching user and group names in sudoers with the passwd or group database. This can be necessary when users and groups are stored in AD or LDAP. [bfccb8acc3e9] * plugins/sudoers/Makefile.in: Fix clean target for *.sudo regress files [6f52a4aef93a] * .hgignore: ignore more binaries [9adf244d0e9e] * plugins/sudoers/cvtsudoers.c: Fix use of uninitialized variable (conf) if sudoers_debug_register() happens to fail. [0ef1765f14f4] 2018-02-28 Todd C. Miller * plugins/sudoers/cvtsudoers_ldif.c: Split conversion code out of parse_ldif() and into ldif_to_sudoers(). [27c8b7001735] * plugins/sudoers/cvtsudoers_ldif.c: Quiet a clang analyzer warning. [21102c27dcce] * MANIFEST, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/ldap_common.c, plugins/sudoers/ldap_util.c: rename ldap_common.c -> ldap_util.c [3093bdbb8a9b] * plugins/sudoers/cvtsudoers_ldif.c: When converting from ldif to sudoers, sudoRole objects with the same user if possible. If both user and host are the same, merge into a single privilege. This makes it possible to convert a sudoers entry like: aaron shanty = NOEXEC: /usr/bin/vi, /usr/bin/more, EXEC: /bin/sh to ldif and then back to sudoers as a single line. Currently, the ldif entries to be merged must have the same or adjacent sudoOrder attributes. [74e5cef2e849] * plugins/sudoers/cvtsudoers_ldif.c: plug memory leaks [a5268668c397] * src/parse_args.c: Restore line to set MODE_PRESERVE_ENV in flags when the -E command line option is used. The caller doesn't check MODE_PRESERVE_ENV these days but parse_args uses it to detect usage errors when -E is used along with a mutually excusive option. Problem found by Yuriy Vostrikov. [b511e35d9be4] 2018-02-26 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add missing close parenthesis in "Including other files from within sudoers" section. Bug #824 [3335cb2ce29f] 2018-02-25 Todd C. Miller * plugins/sudoers/ldap_common.c: When converting from LDAP to sudoers, put negated hosts and commands at the end of the list. Since LDAP doesn't guarantee attribute order we need to make sure negated entries always override non- negated ones. [0ebff259c521] 2018-02-24 Todd C. Miller * plugins/sudoers/cvtsudoers.c: We may need the hostname to resolve %h escapes in include files. [3e57710762d3] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_ldif.c: Setting a sudoOrder start point of 0 will disable creation of sudoOrder attributes in the resulting LDIF output. [4107f61b431b] * plugins/sudoers/cvtsudoers.c: Don't need to fill in struct sudo_user since we don't do matching. [cdc876d298b5] * MANIFEST, doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, pathnames.h.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c: Add support for setting default options in a config file. In addition to expand_aliases, input_format and output_format, both the initial sudoOrder and the increment when updating sudoOrder for subsequent sudoRole objects can be specified. Command line options have also been added for the start order and increment. [d3121c039ddf] 2018-02-22 Todd C. Miller * NEWS: cvtsudoers can now read LDIF [99b7ed30c754] * doc/UPGRADE: Fix a typo. [87f635970a5d] * plugins/sudoers/fmtsudoers.c: Deal with user_name not being set in cvtsudoers. [421bb1dbff57] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_common.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h: Initial support for parsing sudoers LDIF files in cvtsudoers. This makes it possible to convert from LDAP sudoers to a traditional sudoers file. Semantic differences between file sudoers and LDAP sudoers mean that LDIF -> sudoers is not completely equivalent. [ddf513e2778f] 2018-02-21 Todd C. Miller * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/sudoers/test14.ldif.ok: Fix LDIF conversion of commands with an associated digest. [590ab0cb58e4] * plugins/sudoers/ldap_common.c: In array_to_member_list() use the correct type for netgroups and user groups. [359947d19131] * plugins/sudoers/fmtsudoers.c: Prepend digest to command if present. Fix printing of group IDs and non-unix groups. [5f9834b4bcbc] * plugins/sudoers/cvtsudoers_json.c: Fix gcc false positive for uninitialized variable [d250b862c1ed] 2018-02-20 Todd C. Miller * pp: Update Polypkg to the latest version from git. [204ebffb502f] * config.h.in, configure, configure.ac, src/sudo.c: Use setpassent() and setgroupent() on systems that support it to keep the passwd and group database open. Sudo does a lot of passwd and group lookups so it can be beneficial to just leave the file open. [3d2d5bca9670] 2018-02-19 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c: Add option to cvtsudoers to expand aliases in the output. [1af56459fd7d] * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test1.json.ok, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test15.json.ok, plugins/sudoers/regress/sudoers/test16.json.ok, plugins/sudoers/regress/sudoers/test17.json.ok, plugins/sudoers/regress/sudoers/test19.json.ok, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test6.json.ok: Fix conversion of "ALL" in the JSON output format, which was being printed as an alias. [3f7869688820] * INSTALL, configure, configure.ac: Clarify that --with-rundir and --with-vardir take sudo-specific directory, e.g. /var/run/sudo and not just /var/run. Bug #823 [e1913085e544] * src/exec_pty.c: In pty_cleanup() we need to call sudo_term_restore() even if no I/O plugins are present as long as /dev/tty exists. Fixes the use_pty case with no I/O plugins. [82fecef72998] * include/sudo_event.h, lib/util/event.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Add sudo_ev_dispatch(), a wrapper for ev_loop() with no flags. Similar the dispatch function in libevent. [61e588fd50d0] * INSTALL, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, m4/sudo.m4: Use /run in preference to /var/run if it exists. Bug #822 [ec2febe6f8a3] 2018-02-14 Todd C. Miller * NEWS: mention common sudoers formatting changes [b32825ca3e2f] 2018-02-11 Todd C. Miller * MANIFEST, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_ldap_conf.h: Move LDAP configuration bits into ldap_conf.c [1673e3c7855a] 2018-02-10 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/ldap_common.c: No longer need to include stddef.h [a10a13dc73c7] * plugins/sudoers/iolog.c: Remove dead store, found by cppcheck. [744e99ffc82e] * plugins/sudoers/ldap.c, plugins/sudoers/ldap_common.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h: simplify iterator [944fd546ec98] * plugins/sudoers/mkdir_parents.c: Silence a false positive from cppcheck. [f94421968d8e] * plugins/sudoers/tsdump.c: Cast version to int when printing. Avoids a cppcheck warning. [3312bec4f1e3] 2018-02-09 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/ldap_common.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h: Use an iterator instead of fragile pointer arithmetic to iterate over value arrays in sudo_ldap_role_to_priv(). [61752c5f3427] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Move sudoers formatting code into fmtsudoers. [ff25291c99f4] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse.c: Clean up some XXX in parse.c [19854e7d8ac7] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Rename sudo_file_append_default() -> sudo_lbuf_append_default() and use it for ldap and sssd too. [dae22810f2dd] * MANIFEST, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_common.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h: Move common bits of ldap to sudoers conversion into ldap_common.c and use it in sssd.c. [5cca03f64b77] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h: Convert ldap results into a sudoers userspec so we can use the "sudo -l" output functions in parse.c. [1422e10dc274] 2018-02-08 Todd C. Miller * sudo.pp: Don't mark sudoers.dist volatile, it only gets used on systems that don't have the concept of volatile files. [c47fd17e62e3] 2018-02-05 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Refactor member freeing code into free_member(). Refactor userspec freeing code into free_userspec(). [ccc95e8b9f69] * plugins/sudoers/cvtsudoers.c: Fix compilation with glibc where stdout is not constant. [97a0302c29c8] 2018-02-04 Todd C. Miller * plugins/sudoers/ldap.c: For "sudo -l", if a word includes spaces, print it in double quotes. Also escape spaces in the command path. This matches the sudoers quoting rules. [04ace6decf3a] 2018-02-03 Todd C. Miller * plugins/sudoers/ldap.c: Display sudoNotBefore and sudoNotAfter in "sudo -l" [ef7de4c8aa9e] * plugins/sudoers/parse.c: For "sudo -l", if a word includes spaces, print it in double quotes. Also escape spaces in the command path. This matches the sudoers quoting rules. [fa12a254657c] * plugins/sudoers/cvtsudoers.c: Add back printing of negation operator ('!') when printing a word with spaces in it. [c69706a91817] * plugins/sudoers/Makefile.in: Use visudo to validate "cvtsudoers -f sudoers" output. [06bae7204926] * plugins/sudoers/regress/sudoers/test21.in, plugins/sudoers/regress/sudoers/test21.json.ok, plugins/sudoers/regress/sudoers/test21.ldif.ok, plugins/sudoers/regress/sudoers/test21.out.ok, plugins/sudoers/regress/sudoers/test21.toke.ok: Remove syslog_goodpri and syslog_badpri without a value that causes visudo to report an error. [c1f696e49f49] * plugins/sudoers/cvtsudoers.c: When outputting sudoers, if a word includes spaces, print it in double quotes. Also escape spaces in the command path. [d040c1a21277] 2018-02-02 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse.h, plugins/sudoers/visudo.c: Add sudoers output format to cvtsudoers. In the future this may be used with filters to emit a partial sudoers file instead of a full one. [533d2c389213] * plugins/sudoers/parse.c: When printing a member name, quote sudoers special characters unless it is a UID/GID, in which case we print the '#' unquoted. [e4e8154c4fe9] * plugins/sudoers/parse.c, plugins/sudoers/parse.h: Move SUDOERS_QUOTED define to parse.h [a813ec4acb5f] 2018-01-30 Todd C. Miller * plugins/sudoers/timestamp.c: Remove extraneous break statement and fix some whitespace. [39df566c33e3] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: The max timeout for kernel time stamps is 60 minutes, not 3600 minutes. [95be88c4f106] 2018-01-29 Todd C. Miller * plugins/sudoers/testsudoers.c: Check the return value of sudoers_debug_register(). Coverity CID 182574 [fb5449acdafd] * plugins/sudoers/cvtsudoers_ldif.c: Fix memory leak, su->count is now 0 when it is unused, not 1. Covertity CID 182573 [77019ded8f84] * plugins/sudoers/cvtsudoers_ldif.c: Quiet a clang analyzer false positive. [ef04f7069df4] * plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok: Quote special characters when creating the cn as per RFC2253 [e49ff28c1fd7] * NEWS, configure, configure.ac, doc/UPGRADE: Sudo 1.8.23 [e364ed057d1d] * doc/LICENSE: Remove the C-style comment charactes from the getopt_long.c and inet_pton.c license text as it was inconsistent with the rest of the file and messed up the html formatting. [a26679d2d0a7] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers2ldif, sudo.pp: Remove sudoers2ldif, it has been replaced by cvtsudoers. [7563cc3768c2] 2018-01-28 Todd C. Miller * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_ldif.c: Add -b option to specify the base dn. [7cd4c46c33bf] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in: Document limitations of LDIF conversion. [e8c84362f084] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c: Switch the default output format to LDIF [a677c7b72a90] * plugins/sudoers/visudo.c: Execute cvtsudoers if the user runs "visudo -x" but also emit a warning. [53ec45a847d2] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/visudo.c: Revert 04ec05108b2b, change the default input source back to stdin. [df8d94f1bab4] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/sudoers/test1.ldif.ok, plugins/sudoers/regress/sudoers/test10.ldif.ok, plugins/sudoers/regress/sudoers/test11.ldif.ok, plugins/sudoers/regress/sudoers/test12.ldif.ok, plugins/sudoers/regress/sudoers/test13.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test15.ldif.ok, plugins/sudoers/regress/sudoers/test16.ldif.ok, plugins/sudoers/regress/sudoers/test17.ldif.ok, plugins/sudoers/regress/sudoers/test18.ldif.ok, plugins/sudoers/regress/sudoers/test19.ldif.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test20.ldif.ok, plugins/sudoers/regress/sudoers/test21.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test4.ldif.ok, plugins/sudoers/regress/sudoers/test5.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok, plugins/sudoers/regress/sudoers/test7.ldif.ok, plugins/sudoers/regress/sudoers/test8.ldif.ok, plugins/sudoers/regress/sudoers/test9.ldif.ok: Add LDIF conversion to sudoers tests [997b79da8874] * plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/regress/sudoers/test19.json.ok: Add notbefore and notafter support to the backends. [be50db300eda] 2018-01-27 Todd C. Miller * README.LDAP: cvtsudoers instead of sudoers2ldif [3909ea2c29c1] * MANIFEST, doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_ldif.c: Add ldif backend to cvtsudoers, to replace sudoers2ldif [f0e039c63488] * plugins/sudoers/Makefile.in: fix make check [2cbedce72e3a] 2018-01-26 Todd C. Miller * plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c: Parse sudoers in the front end, not the back end. [30d4e40ed69a] * doc/Makefile.in: install the cvtsudoers manual [243d319fed1c] * doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/visudo.c: Use the built-in sudoers file location as the default sudoers file for cvtsudoers and move parse_sudoers_options() to stubs.c since it is shared between visudo.c and cvtsudoers.c. [04ec05108b2b] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/visudo.c: Move common stub functions required by the parser out of visudo.c and cvtsudoers.c and into stubs.c. [a324cbde55a3] * plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c: Rename export_sudoers() to convert_sudoers_json() and move the check for the same input and output file to the front-end. [7c83c21ea479] * sudo.pp: add cvtsudoers [e8ba851cafb4] * MANIFEST, doc/Makefile.in, doc/cvtsudoers.cat, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Move sudoers JSON conversion to cvtsudoers which will eventually output to other formats too. [e64a50657a88] * plugins/sudoers/defaults.c: Convert from time in minutes to timespec directly instead of converting to double via strtod(). This makes it easier to catch overflow. [0d6ab7c21a15] 2018-01-24 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: document that kernel tty timestamps don't support negative timeouts [4ff726cf2010] 2018-01-23 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/timestamp.c: Fall back to ppid time stamps if timestamp_type == kernel and no tty is present. This is consistent with timestamp_type == tty. [26c527166a0c] * plugins/sudoers/timestamp.c: Do not call the TIOCSETVERAUTH ioctl with a negative number of seconds. Also cap the max number of seconds at 3600 to avoid getting EINVAL from TIOCSETVERAUTH. [371744874743] 2018-01-22 Todd C. Miller * plugins/sudoers/defaults.c: Better conversion from double to nanoseconds. [2f54790801c8] * plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults, plugins/sudoers/timestamp.c: Store passwd_timeout and timestamp_timeout as a struct timespec instead of as a float. Remove timeout argument to auth_getpass() as it was never used. [c4a3c60d0284] 2018-01-21 Todd C. Miller * plugins/sudoers/mkdefaults: Don't rely on perl being installed in /usr/local/bin [e3274f56df43] 2018-01-17 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/gettime.c, lib/util/mktemp.c, lib/util/nanosleep.c, lib/util/utimens.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/net_ifs.c, src/sesh.c, src/sudo.c, src/sudo_edit.c, src/utmp.c: Remove use of AC_HEADER_TIME, only obsolete platforms actually need this. Also stop removing sys/time.h unless the source file uses struct timeval. [a744b8a07685] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Remove duplicate options %type [3ea3c3d477bf] 2018-01-16 Todd C. Miller * plugins/sudoers/auth/API, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudoers.h: Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval). [cab448ac8633] 2018-01-15 Todd C. Miller * plugins/sudoers/tsdump.c: treat uid as unsigned in error message [2672d4ca3479] * MANIFEST, plugins/sudoers/po/fur.mo: Add missing plugins/sudoers/po/fur.mo file to repo. [cfa503d7fcd4] * NEWS: Mention new sudoers_timestamp manual. [f96ad00c4ba4] 2018-01-12 Todd C. Miller * .hgignore: ignore tsdump [39306d37c846] * plugins/sudoers/tsdump.c: Convert from mono time to real time before displaying time stamps. [12f9e1f5e8e5] 2018-01-11 Todd C. Miller * plugins/sudoers/solaris_audit.c: Use PATH_MAX, not MAXPATHLEN. [d3c7466aad1d] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_util.h, lib/util/Makefile.in, lib/util/ttyname_dev.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/check.h, plugins/sudoers/tsdump.c, src/ttyname.c: Add tsdump, a simple utility to dump a timestamp file. To build, run "make tsdump" in the plugins/sudoers directory (it is not built by default). In order to map the tty device number to a name, sudo_ttyname_dev() has been moved into libsudo_util. [b79ae30fe6a4] 2018-01-04 Todd C. Miller * plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/uk.mo, po/uk.po: sync with translationproject.org [71140a551c60] * doc/LICENSE: Welcome to 2018 [3ddea360d414] 2017-12-28 Todd C. Miller * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fur.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: sync with translationproject.org [fbd54c7f59f1] 2017-12-22 Todd C. Miller * plugins/sudoers/logging.c: Silence a clang analyzer false positive. [bfcdfe2c1376] * doc/Makefile.in: Remove extra $(srcdir)/sudoreplay.man.in target added by mistake. [7e83806cc17e] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/ja.mo, po/ja.po: sync with translationproject.org [27cf5abeeb1a] * plugins/sudoers/timestamp.c: Use a tty lock even for kernel time stamps so we can avoid simultaneous password prompts. [90a55098176b] * NEWS: visudo changes [06c99aab6f7a] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Also honor SUDO_EDITOR in visudo. Previously is was only used by sudoedit. [9bccc7171a53] 2017-12-21 Todd C. Miller * plugins/sudoers/sudoers.c: Stop looking for an editor as soon as we find one. A similar fix was made to visudo some time ago. [c6c5d968612a] * doc/sudoers_timestamp.cat, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in: The session ID was added in 1.8.6p7 to prevent a user in another session from re-using the time stamp file. Other minor cleanups. [f733f7ea97a7] * plugins/sudoers/check.h: "time stamp" not "timestamp" [af0f2d8b6d52] 2017-12-20 Todd C. Miller * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/timestamp.c: Add "kernel" as a possible value of timestamp_type. Currently only supported on OpenBSD. [ca1a2a03e37d] * MANIFEST, doc/Makefile.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.cat, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, plugins/sudoers/check.h: Document the sudoers time stamp file format. [d3470da8fde9] 2017-12-19 Todd C. Miller * plugins/sudoers/regress/starttime/check_starttime.c: Verify start time of the current process, allowing for some clock drift. For Linux, process start time is relative to boot time, not wallclock time. [4928645eaa1c] 2017-12-18 Todd C. Miller * NEWS: sync [aeffb7f82e10] * plugins/sudoers/po/sudoers.pot: regen [8be51858eec1] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/starttime/check_starttime.c: Trivial test for process start time. We don't try to check the resulting timespec as it differs by platform. On most it is wallclock time, on others it is relative to boot time (Linux). [e74cf3bd4c87] * lib/util/Makefile.in: regen [6de26735d666] 2017-12-17 Todd C. Miller * plugins/sudoers/starttime.c: Support start time on macOS and 4.4BSD [81f2eebc7edb] 2017-12-16 Todd C. Miller * plugins/sudoers/regress/env_match/check_env_pattern.c: Include sys/types.h for mode_t used in sudoers.h. [bdff1606f111] * plugins/sudoers/starttime.c: Fix compilation error on FreeBSD [2c4962a7812c] * plugins/sudoers/starttime.c: Fix debug_decl(), it should be SUDOERS_DEBUG_UTIL Add debugging for the successful case For Linux, don't NUL out *ep before parsing with strtoull(). * * * Add missing debug info for the System V /proc version. [2394c6d9375d] * MANIFEST, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/check.h, plugins/sudoers/starttime.c, plugins/sudoers/timestamp.c: In the timestamp record, include the start time of the terminal session leader for tty-based timestamps or the start time of the parent process for ppid-based timestamps. Idea from Duncan Overbruck. [f0964b4cf4ac] 2017-12-15 Todd C. Miller * plugins/sudoers/timestamp.c: If the lock record doesn't match the expected record size we need to seek to the end of the record as we otherwise may have gone too far (or not far enough). Fixes interop problems when the time stamp record changes size. [e8e4c3815db5] 2017-12-12 Todd C. Miller * src/exec_pty.c: No need for a loop around the recv() now that we don't have to worry about EINTR. CID 180697 [7cb966d69bc6] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Try to be clearer about sudo's exit value when the -l option is used. [efbddaa576a7] * NEWS: sync [99fc4b347250] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: An empty RunAsUser means run as the invoking user, similar to how the sudoers files works. [576172386594] * doc/sudoers.cat, doc/sudoers.man.in: regen [9b6d0064f410] 2017-12-11 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c: Add authfail_message sudoers option to allow the user to override the default message of %d incorrect password attempt(s). [f11e9d64a6da] * plugins/sudoers/policy.c, src/parse_args.c: Allow the plugin to determine whether or not an empty timeout is allowed. For sudoers, an error will be returned for an empty timeout. [26511c049fb1] * plugins/sudoers/timeout.c: Return an error for an empty timeout string. Just use strtol() for syntax checking instead of scanning with strspn(). [1fa1b712fbcc] * src/parse_args.c, src/sudo_edit.c: Change some _() into U_() since they are used for warn/fatal. We always want to issue warnings in the user's locale. [684331aee66e] * Makefile.in: update my email address [b4ec26be6203] 2017-12-10 Todd C. Miller * log2cl.pl: Don't print mercurial branch info for merges. [489881774e52] * log2cl.pl: Use log size instead of using a separator between the log entry and the file names. [620c231f789b] * src/parse_args.c: Print usage and return an error when an empty argument is given for all command line arguments other than -p and -E. Bug #817 [143be1bc8316] * plugins/sudoers/policy.c: Better input validation of settings passed by the sudo front-end. Instead of ignoring an empty setting, throw an error. [93cc4f4761f3] * log2cl.pl: Treat a blank line in a commit message as a line break. There doesn't appear to be a way to make perl's format use a blank field but at least the line break happens now. [fbc3ff819341] 2017-12-09 Todd C. Miller * MANIFEST, Makefile.in, log2cl.pl: Add script to generate ChangeLog from git log output. [e8bfbd1ae6ef] 2017-12-08 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h: Don't include syslog.h from logging.h, just include it in the two .c files it is actually needed. [9ffc5ca9eb49] 2017-12-06 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Document that in check mode, visudo does not check the owner/mode on files specified with the -f flag. [f5d86019e4c7] 2017-12-03 Todd C. Miller * Makefile.in, configure.ac, doc/HISTORY, doc/LICENSE, doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/Makefile.in, include/Makefile.in, include/compat/charclass.h, include/compat/endian.h, include/compat/fnmatch.h, include/compat/nss_dbdefs.h, include/compat/sha2.h, include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_gettext.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/closefrom.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/isblank.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/nanosleep.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strnlen.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, lib/util/utimens.c, lib/util/vsyslog.c, lib/zlib/Makefile.in, m4/sudo.m4, mkdep.pl, mkpkg, pathnames.h.in, plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sample/Makefile.in, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/filedigest.c, plugins/sudoers/filedigest_gcrypt.c, plugins/sudoers/filedigest_openssl.c, plugins/sudoers/find_path.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/insults.h, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/po/sudoers.pot, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers2ldif, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, po/sudo.pot, src/Makefile.in, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/sudo_noexec.c, src/sudo_plugin_int.h, src/sudo_usage.h.in, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c, sudo.pp: update my email to Todd.Miller@sudo.ws [96110003e904] 2017-12-02 Todd C. Miller * plugins/sudoers/sudoreplay.c: Add missing carriage return before prompt when replay is done. [cf4b8bfcb3dd] * src/exec_pty.c: Track window size changes that happen while sudo is suspended [cae06f75bde9] 2017-12-01 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [26ae754b8416] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: regen for sudo 1.8.22 [596d82da0158] * NEWS, configure, configure.ac: Sudo 1.8.22 [6b32c2f5d020] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Background processes started by the command will no longer receive SIGHUP. [47bcc3ae4362] * src/exec_monitor.c: When the command completes, make the monitor the foreground process group before informing the main sudo process of the command's exit status. This will prevent processes started by the command (which runs in a different process group) from receiving SIGHUP since the kernel sends SIGHUP to the foreground process group associated with the terminal session. The monitor has a SIGHUP handler installed so the signal is effectively ignored. [9e163efe4afb] * src/sudo.c: Add debug printfs around group list retrieval. [5f307b00153b] 2017-11-30 Todd C. Miller * src/exec_pty.c: Move call to sudo_ev_loopcontinue() into schedule_signal() itself. We always want to prioritize signal forwarding. [4b25dc24038b] * src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Don't loop over read/write, recv/send or tcgetpgrp/tcsetpgrp trying to handle EINTR. We now use SA_RESTART with signals so this is not needed and is potentially dangerous if it is possible to receive SIGTTIN or SIGTTOU (which it currently is not). [ba6885b57891] 2017-11-29 Todd C. Miller * src/exec_monitor.c, src/signal.c: Sprinkle some extra debugging printfs [bf33574bc603] * src/exec_pty.c: We don't need to be the foreground process to be able to write to the terminal in most cases. If the background process tries to modify the terminal flags it will receive SIGTTOU which is relayed to the sudo front-end. This currently mishandles terminals with the TOSTOP local flag set. [3fc25570d482] * src/exec_pty.c: Handle receipt of SIGTTIN/SIGTTOU when reading/writing from/to the tty. We can't use a signal event for these since that would restart the system call after the signal was handled and the callback would not get a chance to run. Fixes running a command in the background that write to the tty when the TOSTOP terminal flag is set. [5ac68f05249a] 2017-11-28 Todd C. Miller * plugins/sudoers/sssd.c: Avoid a double free when ipa_hostname is set in sssd.conf and it is an unqualified host name. From Daniel Kopecek. Also move the "unable to allocate memory" warning into get_ipa_hostname() itself to make it easier to see where the allocation failed in the debug log. [14dacdea3319] * plugins/sudoers/ldap.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: When running a command as the invoking user we cannot use the gid list from the front-end since it may not correspond to the user's aux group vector as defined by the group database. [b456101fe509] * lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/glob/globtest.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c: Add missing initprogname() calls. [ad4f8d236d89] 2017-11-21 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Better describe things when a command is run in a pty. [0f34fc342ab5] 2017-11-16 Todd C. Miller * plugins/sudoers/ldap.c: Plug some memory leaks on error, some found by the clang static analyzer. [62844cc145b6] 2017-11-15 Todd C. Miller * plugins/sudoers/parse.c: Avoid calling cmnd_matches() in list/verify mode if we already have a match. [5bddfc911065] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c: In list (-l) or verify (-v) mode, if we have a match but authentication is required, clear FLAG_NOPASSWD so that when listpw/verifypw is set to "all" and there are multiple sudoers sources a password will be required unless none of the entries in all sources require authentication. From Radovan Sroka of RedHat [edac7222600a] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: When checking the results for "sudo -l" and "sudo -v", keep checking even after we get a match since the value of doauth may depend on evaluating all the results. From Radovan Sroka of RedHat. [ae0704445bd4] 2017-11-14 Todd C. Miller * plugins/sudoers/sudoers.c: If passwd_tries is less than 1, check_user() will always return false (since the user didn't authenticate). The normal reason for this is an authentication error but in this case no authentication was tries so no warning message has been displayed to the user. If the user wasn't given a chance to authenticate, set inform_user to true when calling log_denial() from sudoers_policy_main(). An alternate approach would be for check_user() to return true in this case but seems more confusing. [c8be95b46e9d] 2017-10-22 Todd C. Miller * doc/TROUBLESHOOTING: Document bash shell alias issue with "sudo -i". [8affa5376277] 2017-10-20 Todd C. Miller * plugins/sudoers/policy.c: Return an error if the sudo front end doesn't set the user name, user ID, group ID or host name. Bug #807 [03e281d93fff] * lib/util/gethostname.c: Treat an empty hostname as a failure and return NULL. [fafb3a3083cb] 2017-10-17 Todd C. Miller * plugins/sudoers/sudoers2ldif: Add support for #include and #includedir from Natale Vinto. [926deea0d506] 2017-10-14 Todd C. Miller * doc/CONTRIBUTORS: Minor corrections from Tae Wong [dbc5ee98ffa6] 2017-10-12 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Add a warning that for "sudo -i command" and "sudo -s command" the shell is not run in interactive mode which may change its behavior. [76c19db05a1e] 2017-09-26 Todd C. Miller * include/sudo_compat.h, src/exec_pty.c: Fix stair-stepped output when the output of a sudo command is piped to another command and use_pty is set. [e91e3f12d2d4] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: env_keep and env_check are also taken into account with "sudo -i". Bug #806 [5f5568c6fdd9] 2017-09-18 Todd C. Miller * INSTALL, config.h.in, configure, configure.ac, plugins/sudoers/ins_classic.h: Make PC insults the default and add new configure option, enable- offensive-insults, to enable the offensive insults. [eb264d342601] 2017-09-14 Todd C. Miller * doc/CONTRIBUTORS: Add missing translators from recent updates and one name change. [20828c25ad92] 2017-09-07 Todd C. Miller * MANIFEST, plugins/sudoers/po/fur.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/hr.mo, po/hr.po, po/sv.mo, po/sv.po: sync with translationproject.org * * * sync with translationproject.org [24bb066fa19f] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: More accurately describe the use_pty option now that its behavior has changed with respect to interposition with a pipe. Also describe some caveats with log_input. [a87056499931] * doc/UPGRADE: Document changes in use_pty behavior when no terminal is present. [a4b978693178] * src/exec_pty.c: Set ec->cmnd_pid to the correct value when receiving the command's process ID from the monitor. [a624309ba848] * src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: If /dev/tty is not available and no I/O logging plugins are configured, fall back on exec_nopty() even if the policy plugin requested a pty. We never allocate a pty when sudo is not run from a terminal anyway. [c9b9c6c4e0ad] * src/exec_pty.c: Do not set utmp_user if we did not actually allocate a pty. [aa8e0fdea32b] 2017-09-06 Todd C. Miller * NEWS, configure, configure.ac: sudo 1.8.21p2 [94d18888e7c4] * src/exec.c: sudo_terminated() should not return true when SIGCHLD is pending. Bug #801 [57f636b6489f] * src/tgetpass.c: Set SIGCHLD handler to SIG_DFL before forking the askpass command and restore after. Otherwise, SIGCHLD will end up in the list of pending signals and sudo_execute() will not execute the command. [c171eeabdc72] * lib/util/event.c: The read and write sides of signal_pipe[] were swapped, resulting in EBADF reading from and writing to the signal pipe on Linux and probably others. On systems with bidirectional pipes this was not an issue. [7668f93e6544] 2017-09-05 Todd C. Miller * plugins/sudoers/auth/pam.c: Fix a logic error in 96651906de42 which prevented sudo from using the PAM-supplied prompt. Bug #799 [6ee5cc13af69] 2017-09-01 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.8.21p1 [7e6bf56cb06c] * mkpkg: The Fedora sudo package uses /etc/ldap.conf not /etc/sudo-ldap.conf. [7b4e6f50e138] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: The fix for matching when no sudoRunAsUser is present in a sudoRole was incomplete. If no -g option was specified on the command line but sudoRunAsGroup is present in a sudoRole, we need to treat the group match as failed instead of missing. [3aaeeebd924c] * plugins/sudoers/check.c, plugins/sudoers/defaults.c: Sprinkle a few more debugging printfs. [f7a40f9985cf] * plugins/sudoers/sudoreplay.c: Fix replaying sessions that contain input logs. When the inter- record timeout expires we need to read the next record if there is nothing to output. [443b329ddc60] * doc/visudo.cat: regen [7ace4ac32116] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Fix typo (Auguest vs. August). From David Pocock. [98a792ff1c90] 2017-08-31 Todd C. Miller * plugins/sudoers/sudo_nss.c: Go back to returning true from display_privs() on non-error. This results in "sudo -U otheruser -l" exiting with a status of 0 even when otheruser is not allowed to run commands. This is appropriate since the "sudo -l" command was successful. This does not change the exit value when otheruser runs "sudo -l" themselves, the exit status will be 1 since that user is not allowed to run commands. Requested by Radovan Sroka. [055b78015fcb] * plugins/sudoers/ldap.c: Fix the pass2 ldap query string when no search filter is defined. Due to the addition of "(sudoUser=*)" to the query we always need the AND operator, even if no search filter is present. [631243487d27] 2017-08-29 Todd C. Miller * src/exec_nopty.c: Don't forward SIGINFO to the child when it is send by the kernel (not another user process). This is consistent with the handling of other keyboard-generated signals such as SIGINT, SIGQUIT and SIGTSTP. Bug #796 [29603b0a4315] 2017-08-23 Todd C. Miller * sudo.pp: Fix path to LICENSE and NEWS files that get used in the installer. Previously, the installed versions were used instead of the ones in the destdir. [689a5806f2de] 2017-08-20 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, po/fi.mo, po/fi.po: sync with translationproject.org [32a0f3bbba31] 2017-08-18 Todd C. Miller * po/es.mo, po/es.po: sync with translationproject.org [bfa5659d66f2] 2017-08-12 Todd C. Miller * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, po/it.mo, po/it.po: sync with translationproject.org [05cd6ff68a4b] 2017-08-11 Todd C. Miller * NEWS: Preserving environment variables on the command line was bug #279 [46f2c7931a84] 2017-08-10 Todd C. Miller * MANIFEST, NEWS, doc/CONTRIBUTORS, po/fur.mo, po/fur.po: Add Friulian translation for sudo from Fabio Tomat via translationproject.org [77fdb76e83c8] 2017-08-08 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/fr.mo, po/fr.po, po/ko.mo, po/ko.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [0f18e2f30ff5] 2017-08-04 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: In the Runas example that uses "boulder" make it clear that "boulder" is a host name. [6bca59aa5579] 2017-08-03 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [9bb78048656f] * NEWS, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c: Allow the user to specify a list of environment variables to preserve. This adds an option paramter to the --preserve-env option, a comma-separated list of variable names. [a6bc511a2e81] 2017-08-01 Todd C. Miller * INSTALL, NEWS, config.h.in, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Replace tty_tickets option with timestamp_type which can be global, ppid or tty. Defaults to tty (no change in behavior). Some users want the ppid behavior. [426161a2e06f] * lib/util/Makefile.in, plugins/sudoers/Makefile.in: regen [b396e70a4a8b] * plugins/sudoers/sudoers.c: Don't send email about an unresolvable host name if fqdn is enabled and the user specified the run host via the -h flag. [59d7a8743943] 2017-07-31 Todd C. Miller * plugins/sudoers/sudoreplay.c: fix playback of stdout/stderr without embedded carriage returns [f1a5b47be2db] 2017-07-28 Todd C. Miller * plugins/sudoers/ldap.c: Avoid unused variable warning when sasl is not used. [3010fd3c5a7f] * INSTALL, configure, configure.ac: Add support for --enable-sasl and --disable-sasl to make it possible to enable/disable support for LDAP with SASL authentication. Sudo compiles in support for SASL authentiation by default if the ldap_sasl_interactive_bind_s() function is detected. Bug #788 [cf94d407d576] * NEWS: List the correct pattern ("*=()*") in the env_delete description. Use pseudo-tty instead of pseudo terminal for consistency. [f2df0baea2f0] 2017-07-27 Todd C. Miller * lib/util/closefrom.c: Include pathnames.h for /dev/fd on FreeBSD and Mac OS X. [b190dc607277] * NEWS: update for 1.8.21 [a3a38f6cba66] * src/exec_pty.c: No need to call sudo_ev_del() before sudo_ev_free(); sudo_ev_free() will delete the event from its base before freeing it. [ebf3dedcba5c] * src/exec_pty.c: Terminate the command if an I/O log function returns 0 or -1. This was mistakenly removed by 25b7fd056614 in Sudo 1.8.18 with the removal of the ignore_iolog_errors variable. [e1dd18d95815] * plugins/sudoers/sudoreplay.c: Quiet a coverity false positive. [b7a9c9e35fd0] * plugins/sudoers/sudoreplay.c: Change to a single event loop in sudoreplay and use signal events. [7320de46cf48] 2017-07-21 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: start new sentences on a new line [ae35ab253de5] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Clarify how the variable prompt options interact with each other and PAM. [342b936c4aaa] * plugins/sudoers/sudoers.c: Don't set passprompt_override when SUDO_PROMPT is present. This effectively reverts ed77d255f383. We treat the SUDO_PROMPT environment variable similar to passprompt in sudoers: it will only override a PAM prompt if the PAM prompt is either "Password:" or "username's Password:". [6dad2bd126d1] 2017-07-20 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c: Add syslog_pid sudoers option to log sudo's process ID when logging via syslog. This is disabled by default to match historic behavior. [f4dc29b0052c] * plugins/sudoers/auth/pam.c: When deciding which prompt to use (PAM's or sudo's) treat the PAM prompt "username's Password:" as equivalent to "Password:". Some PAM modules (on AIX at least) use this prompt. [96651906de42] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Add missing argument to a few of the defaults strings in the "sudo -V" output. [44546c4b87c3] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: When examining environment variables or variables passed in from the front-end, ignore variables with no value specified. [8537a7fc6190] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Document that "-p prompt" overrides SUDO_PROMPT. [d2e6b518d00d] * plugins/sudoers/sudoers.c: Enable passprompt_override by default if SUDO_PROMPT is present in the environment. This is consistent with how "sudo -p prompt" is handled. [ed77d255f383] 2017-07-17 Todd C. Miller * plugins/sudoers/sudoreplay.c: When reading a single character via a switch() use "default: instead of "case 1:" to quiet a coverity warning. [ddcfc40159e4] * plugins/sudoers/sudoreplay.c: Initialize ch in getsize_cb() in case we are called with the wrong initial state. [a31431c59e14] * plugins/sudoers/sudoreplay.c: remove unused variable [488054411049] * plugins/sudoers/visudo.c: Call install_sudoers() even when doedit is false. If a file in a #includedir has a syntax error it will still have been edited and we need to install the edited temp file. [ab833e2d1791] * plugins/sudoers/visudo.c: Reparse sudoers if a new #include file was added. Otherwise the new file will not get its syntax checked. Bug #791 [e584dc8bf306] 2017-07-14 Todd C. Miller * plugins/sudoers/sudoreplay.c: don't restore the cursor when setting terminal size, we don't want the cursor to move [9cbcb3372bcd] * plugins/sudoers/sudoreplay.c: Read the xterm terminal size using an event so we can easily time out if needed. [634524476741] * lib/util/event.c, src/exec_nopty.c, src/exec_pty.c: If we free the default base in sudo_ev_base_free(), reset the default base to NULL. [2a8f7938618b] 2017-07-13 Todd C. Miller * include/sudo_event.h, lib/util/event.c, lib/util/util.exp.in, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Add the ability to set a default event base, to be used by plugins which don't have access to the event base. [dc159ea98b25] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Allow sudoreplay to adjust the window size on xterm-like terminals. [3358b1a9f01c] 2017-07-12 Todd C. Miller * lib/util/term.c: Clear input, output, control and local flags before copying them from the source terminal. Otherwise, flags that are disabled in the source terminal may still be enabled in the destination. [ead41242b820] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec_pty.c: Pass window size change events to the plugin. [529b5c9d16a4] * plugins/sudoers/iolog.c, plugins/sudoers/sudoreplay.c: Log window size change events in the sudoers I/O plugin. Let sudoreplay parse a timing file with window change events (currently ignored). [a67f4627dfa7] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Remove pointless subshells in targets that simply change the directory and execute a command. The command is already run in a shell so there is no need to execute a subshell in this case. [e57639cb2f97] 2017-07-10 Todd C. Miller * src/sudo.c: Store the debug instance ID for I/O plugins too. Now iolog_open() is consistent with policy_open(). [519abb3c09d0] 2017-06-29 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/mktemp.c: Use getentropy() in mkstemp/mkdtemp replacement. [8d8e45266858] * configure, configure.ac, lib/util/closefrom.c, lib/util/mktemp.c, pathnames.h.in, src/exec_pty.c, src/get_pty.c, src/ttyname.c: Use _PATH_DEV consistently [ca10a91539e0] 2017-06-15 Todd C. Miller * lib/util/term.c: When copying terminal settings from one tty to another only copy a subset of the flags. Sudo now copies the same set of flags that OpenSSH uses, which should be safe. [2f12bc7a87d1] * src/exec_monitor.c, src/exec_nopty.c: Add debug warning when we have wait status but don't overwrite the existing cstat. [5ae8f8e75104] * src/exec_monitor.c: Better handling of SIGCONT from in command in the monitor. It is useful to know when the command continued but we don't want to inform the parent or store the wait status in this case. Fixes a hang after multiple suspends on Linux. [9cdbbb7ff3dd] 2017-06-09 Todd C. Miller * plugins/sudoers/parse.h: avoid padding in struct cmndspec [2529551a9c2d] 2017-06-07 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix the man section of sudo_plugin in cross-references. [f964de570403] 2017-06-05 Todd C. Miller * src/sudo_edit.c: Don't treat an unchanged file as an error. From Xin Li. [503e04f7856e] * src/sudo_edit.c: sudo_edit() must return a wait status but if there is an error, or even if no changes were made to the file, it was returning 1 instead which would be interpreted as the command having received SIGHUP. Use the W_EXITCODE() to construct a proper wait status in the error case too. [62515bd6c64c] 2017-06-03 Todd C. Miller * src/ttyname.c: Avoid sign extension when assigning the value of tty_nr in /proc/self/stat on Linux. It is an unsigned int value that is printed as a signed int but dev_t is unsigned long long. We need to cast to unsigned int before assigning to a dev_t. [c198d1317560] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/env.c: Instead of hard-coding a check for bash functions in env_should_delete(), use a "*=()* " pattern in initial_badenv_table[] to match them instead. This allows the user to remove the check via env_delete. [90c4dfd1d3a3] 2017-06-02 Todd C. Miller * INSTALL.configure, configure.ac, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, mkpkg, sudo.pp: Mac OS X -> macOS [08f793d1f496] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: devsearch is ignored on BSD, macOS and Solaris [b041a1d64eda] 2017-06-01 Todd C. Miller * lib/util/event.c: Move the bits to fill in the new event base to sudo_ev_base_init(), which is not currently exported. [9be46693bed1] 2017-05-31 Todd C. Miller * src/ttyname.c: A command name may also contain newline characters so read /proc/self/stat until EOF. It is not legal for /proc/self/stat to contain embedded NUL bytes so treat the file as corrupt if we see any. With help from Qualys. This is not exploitable due to the /dev traversal changes in sudo 1.8.20p1 (thanks Solar!). [9ad60fe663e5] * NEWS: Sudo 1.8.20p2 [39f199a38383] 2017-05-30 Todd C. Miller * src/selinux.c: After opening a tty device, fstat() and error out if it is not a character device. [e03cfa98f2b6] * INSTALL, configure, configure.ac, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, include/sudo_conf.h, lib/util/sudo_conf.c, lib/util/util.exp.in, pathnames.h.in, src/ttyname.c: Add a new "devsearch" Path setting to sudo.conf for configuring the /dev paths to traverse instead of hard-coding a list in ttyname.c The default value can be set at configure time. [7ab1be502dc3] * src/ttyname.c: Use /proc/self consistently on Linux. As far as I know, only AIX doesn't support /proc/self. [ef737b5d4ed8] 2017-05-29 Todd C. Miller * NEWS, configure: Sudo 1.8.20p1 [c34da84ae8e4] * src/ttyname.c: Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when the process name contains spaces. Since the user has control over the command name this could be used by a user with sudo access to overwrite an arbitrary file. Thanks to Qualys for investigating and reporting this bug. Also stop performing a breadth-first traversal of /dev when looking for the device. Only the directories specified in search_devs[] are checked. [b5460cbbb11b] 2017-05-23 Todd C. Miller * lib/util/event_select.c: Fix potential memory leak on reallocarray() error. Coverity CID 169639 [c303e6eecc78] * plugins/sudoers/bsm_audit.c: Only fall back to deprecated getaudit() on FreeBSD. Fixes compiler warnings on macOS. [18f4699e417c] * mkpkg: Use clang on macOS if present [a963454d1b9e] * sudo.pp: fix paths to LICENSE and NEWS files for macOS packages [47103614311b] 2017-05-18 Todd C. Miller * src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: To avoid overwriting existing command status, check for CMD_INVALID instead of CMD_ERRNO or CMD_WSTATUS. [5fec1fa81482] * plugins/sudoers/regress/env_match/data: Add some patterns that could result in exponential run time for poorly written '*' matching. [98f4d085c919] 2017-05-15 Todd C. Miller * lib/util/ttysize.c, src/exec_pty.c: On HP-UX 11.0, sys/ioctl.h is not sufficient to make struct winsize visisble, we need termios.h too. [211510123ad6] * lib/util/ttysize.c: Always used TIOCGWINSZ. [82e679b8cd00] * src/exec.c, src/sudo.c, src/sudo.h: Move exec_setup(), unlimit_nproc() and restore_nproc() from sudo.c to exec.c. [9127e50cf4ec] * src/sudo_edit.c: No need to include selinux.h here. [8bb07a8f4203] * plugins/sudoers/regress/env_match/check_env_pattern.c: Fix compilation error on macOS [bc5e5c3d44f2] 2017-05-12 Todd C. Miller * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/term.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/signal.c, src/sudo.c, src/tcsetpgrp_nobg.c, src/tgetpass.c: Remove use of non-standard sigaction_t [81a57af4c7a9] * plugins/sudoers/iolog.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/set_perms.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c: Use debug logging instead of ignore_result() where possible. [9c9fde5b52cc] * Makefile.in: Add cov-build and cov-submit targets for checking with coverity. [bf88b4439c7b] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/ldap.c: Avoid a clang analyzer false positive. [9f4f915a2e28] * plugins/sudoers/sudoreplay.c: Restore the error message for sudo_ev_add() failure. [267305606577] * include/sudo_event.h, lib/util/event.c: Add support for signal events in sudo's event subsystem [0d48fab2dec8] * include/sudo_event.h, lib/util/event.c: Handle the possibility of the siginfo parameter in sa_sigaction handler being NULL. [0835ca553426] * src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/signal.c, src/sudo.h, src/sudo_exec.h: Use SUDO_EV_SIGNAL and SUDO_EV_SIGINFO instead of managing the signal_pipe explicitly. [841e2ca6a4a6] * lib/util/event.c: Activate the sigevents inside the signal pipe callback itself and call signal_pipe_cb() directly if the backend returns EINTR and the signal_caught flag is set. This has the side effect of processing signal events in the current pass of the event loop instead of the next one. [d94e202b8e57] * src/signal.c: Add SIGCHLD to the list of signals we install sudo_handler() for. Otherwise, it is possible for the command to exit before the SIGCHLD handler is installed. POSIX says that signals that are ignored by default are still ignored even if the signal mask would block them. We need to have a handler installed for SIGCHLD before the fork(). [a26f04459c37] * MANIFEST, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/env_match/data, plugins/sudoers/sudoers.h: Add support for multiple '*' in env_keep, env_check and env_delete entries. [b55270a8ecc4] * configure, configure.ac: sudo 1.8.21 [76aa5455903e] * include/sudo_compat.h, plugins/sudoers/timestamp.c, src/tcsetpgrp_nobg.c, src/tgetpass.c: Remove use of the non-standard SA_INTERRUPT [3ec05ffb0dcb] * include/sudo_queue.h: Add workaround for clang static analyzer being confused by LIST_REMOVE and TAILQ_REMOVE. [ff8d278e8526] 2017-05-11 Todd C. Miller * plugins/sudoers/Makefile.in: Fix "make check" when openssl or gcrypt is used. Bug #787 [7968686742e2] 2017-05-10 Todd C. Miller * plugins/sudoers/sudoreplay.c: Only display string version of errno if sudo_ev_add() fails for now [24244a02c93f] 2017-05-08 Todd C. Miller * NEWS: update [8e3359235e24] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Be clear that #includedir diverts control to the files in the specified directory and, when parsing of those files is complete, returns control to the original file. Bug #775 [f68769f15356] 2017-05-07 Todd C. Miller * plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/sr.mo, po/sr.po: sync with translationproject.org [4552eaf8fabf] 2017-05-05 Todd C. Miller * NEWS: update [53d1c9424816] * src/exec_monitor.c: Fix a hang introduced in the last commit. Don't close the pty slave until after we have the controlling tty. [c9c19beb60ed] * src/exec_monitor.c, src/exec_pty.c: If any of std{in,out,err} are not hooked up to a tty only interpose ourselves with a pipe if the plugin will actually log the data. This avoids a problem with non-interactive commands where no tty is present where sudo will consume stdin even when log_input is not enabled in sudoers. [a79edafdd307] * NEWS: update [144ff056cd01] * doc/TROUBLESHOOTING: Update based on information from Michael Felt. [7ea34380ba1d] 2017-05-04 Todd C. Miller * plugins/sudoers/sudoreplay.c: In check_input() when switch()ing on the return value of read(), use the default label instead of 1 for the success case. It is only reading a single byte so the two are equivalent but it reads better using default. [860682b86af5] * plugins/sudoers/sudoreplay.c: Check sudo_ev_add() return value. Coverity CID 168362 [b69779d3801f] * plugins/sudoers/iolog.c: Add io_open() wrapper for open(2) that retries with PERM_IOLOG if open(2) fails with EACCES. Use io_open() instead of duplicate copies of the same fallback code. [09f7992f681b] * plugins/sudoers/iolog.c: Don't retry the open() if set_perms() fails. [0808a9157037] * plugins/sudoers/iolog.c: Fix typo (fd2 vs. fd) caught by coverity, CID 168359. [f68df770e06f] * po/hu.mo, po/hu.po: sync with translationproject.org [ebef76dc27be] 2017-05-03 Todd C. Miller * INSTALL: Warn people not to use --enable-asan in production. [ecb5c1143ef4] * configure, configure.ac, src/Makefile.in: Move the invocation of check_noexec into the main "check" target but only run it if not cross compiling and whe CHECK_NOEXEC is not empty. [cba8fd3337c2] * src/Makefile.in: Move @CHECK_NOEXEC@ to TEST_PROGS so it gets cleaned up properly. [efaa9c44e749] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Move syslog_maxlen to the "Integers" section. Move syslog_goodpri and syslog_badpri to the "Strings at can be used in a boolean context" section. [342dfe9dd37c] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix a pasto that resulted in an extra (empty) syslog_goodpri list entry. [eb0563c5b8dc] * MANIFEST, plugins/sudoers/regress/sudoers/test20.in, plugins/sudoers/regress/sudoers/test20.json.ok, plugins/sudoers/regress/sudoers/test20.out.ok, plugins/sudoers/regress/sudoers/test20.toke.ok, plugins/sudoers/regress/sudoers/test21.in, plugins/sudoers/regress/sudoers/test21.json.ok, plugins/sudoers/regress/sudoers/test21.out.ok, plugins/sudoers/regress/sudoers/test21.toke.ok: Add tests for parsing tuples and syslog options. [86f3da23b4df] * plugins/sudoers/defaults.c: Allow the syslog Defaults option to be used in a "true" boolean context and use the compiled in default log facility in this case. [4fab25217602] * plugins/sudoers/defaults.c: Allow a tuple to be set to boolean true. Regression introduced by refactor of set_default_entry() in sudo 1.8.18. [9b38728deb27] 2017-05-01 Todd C. Miller * doc/TROUBLESHOOTING: Replace the list of "dangerous" environment variables and explain how sudo handles the environment instead. [966cf87d1bed] 2017-04-28 Todd C. Miller * lib/util/glob.c: Fix exponential behavior in glob() with respect to multiple '*'. See https://research.swtch.com/glob Adapted from https://perl5.git.perl. org/perl.git/commit/33252c318625f3c6c89b816ee88481940e3e6f95 [3d187b0fb764] * src/exec_pty.c: We no longer need to write to the tty if the command was killed by a signal. Sudo will terminate itself with the same signal the command died from. Unfortunately, we lose the "core dumped" bit since sudo itself will not dump core, but there doesn't appear to be a way around that. [1be331e0c4d4] 2017-04-27 Todd C. Miller * src/sudo.c: On Linux, if the command we ran dumped core, set PR_SET_DUMPABLE to 0. This will prevent sudo itself from dumping core in this case. [cf5a5793ebf4] * INSTALL: Update path to sudo_noexec.so [14e995667c8b] * src/sudo.c: If the command terminated due to a signal, sudo will send that same signal to itself so the parent shell knows the command died from a signal. However, we don't want sudo itself to dump core. [8d823e6ec41e] 2017-04-26 Todd C. Miller * NEWS: sync [1704e6005b07] * src/sudo.c: The fix for Bug #722 contained a typo/thinko that resulted in the exit status being 0 when a command was killed by a signal other than SIGINT. This fixes the signal handler setup so sudo will terminate with the same signal as the command. Bug #784. [50b988d0c97f] * sudo.pp: Better check for /etc/rc.d/rc2.d/S90sudo on AIX [93de5e34a6a3] * src/Makefile.in: Don't install the rc.d link when installing to a DESTDIR. DESTDIR is generally only set when installing to a temporary directory for packaging in which case the link should be made in a post-install script. [4200ef757b56] * plugins/sudoers/Makefile.in, sudo.pp: In "make install", install sample sudoers file as /etc/sudoers.dist and copy it to /etc/sudoers if there is no existing /etc/sudoers. Packages either contain /etc/sudoers (RPM and Debian) or /etc/sudoers.dist (everything else). [40f8e5806d71] * Makefile.in, mkdep.pl: Allow "make dist" and "make depend" to work for out of tree builds. [7b7ba3f38abb] 2017-04-24 Todd C. Miller * lib/zlib/Makefile.in: Add missing $(srcdir) prefix to shlib_exp definition. [c63e8e73507e] 2017-04-21 Todd C. Miller * include/sudo_compat.h: Fix typo in killpg macro. [f7392d21c915] * include/sudo_compat.h: Fix the killpg macro for systems without killpg() in libc. [ba0c5162bc4a] 2017-04-20 Todd C. Miller * src/exec_pty.c: Use the standard idiom for popping all entries from a tail queue. The llvm checker gets confused by TAILQ_REMOVE and generate use- after-free false positives. [a88cacd23f09] * src/exec_monitor.c, src/exec_nopty.c: rewrite errpipe callbacks [5c75729cea19] * src/exec_monitor.c, src/exec_nopty.c: use pipe2() with O_CLOEXEC instead of pipe() + fcntl() and FD_CLOEXEC [c8c9cc31c43a] * src/exec_pty.c: init io_pipe[][] to -1, not 0 [71012940a8f1] 2017-04-19 Todd C. Miller * plugins/sudoers/sssd.c: In sudo_sss_check_user() it is not possible for handle to be NULL. [de41ba76a4ce] * plugins/sudoers/sssd.c: Fix a use after free when the fqdn sudoOption is set and no hostname value is present in sssd.conf. [716a7c502cc0] * src/sudo.c: Avoid unused variable when getgrouplist_2() is available. It would be nicer to just provide getgrouplist_2() (or the equivalent) and avoid the ugly #ifdefs. [2c7ac21feb5f] * plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, po/nb.mo, po/nb.po: sync with translationproject.org [e91a983f9de6] 2017-04-13 Todd C. Miller * plugins/sudoers/Makefile.in: regen [790d9a05f585] 2017-04-12 Todd C. Miller * src/ttyname.c: In sudo_ttyname_scan() if dir is the empty string, set errno to ENOENT before returning. [f531ea6e489e] 2017-04-11 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Try to make it clear that when match_group_by_gid is enabled, groups in sudoers are looked up by group name instead of group ID. This doesn't usually cause problems, but if there are conflicting group entries (for example, from a local /etc/group file and an LDAP or AD group database), whether the group is resolved by name or ID can be used to work around conflicts. [fe3bfca4fcce] 2017-04-07 Todd C. Miller * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, po/ja.mo, po/ja.po: sync with translationproject.org [94d36c45e345] * plugins/sudoers/regress/parser/check_digest.c: plug memory leak in check_digest [40aab9e6e365] * src/exec.c: Check return value of dispatch_pending_signals() in case we received SIGINT or SIGQUIT before executing the command. [218758d1560d] 2017-03-30 Todd C. Miller * configure, configure.ac: back out unintentional change to the version number [799b396c1c69] 2017-03-28 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [04c4a3ec233d] 2017-03-27 Todd C. Miller * configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_digest.out.ok: Make check_digest test sudo_filedigest() itself instead of the underlying SHA2 functions. That way we can test it regardless of whether we use sudo's SHA2 functions or a library version. [9834b37f1fb0] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that commands matched by "sudo ALL" are not affected by fdexec. [7cc3b770a2ff] 2017-03-24 Todd C. Miller * NEWS: Update for 1.8.20 [14a09000c1dc] * plugins/sudoers/po/sudoers.pot: regen for restricted_env_file [81290b370c95] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention that iolog_user is useful for NFS. [9c8f9dfdebf0] 2017-03-23 Todd C. Miller * plugins/sudoers/iolog.c: Only retry mkdir or create with PERM_IOLOG if errno is EACCES. Also always use PERM_IOLOG for mkdtemp() since we cannot retry if it fails. Since we are guaranteed to create a new directory there's no real need to try w/o PERM_IOLOG in this case. [c3c67d78e46a] 2017-03-22 Todd C. Miller * plugins/sudoers/iolog.c: Add fallback to PERM_IOLOG when making the final componenet of iolog_dir. [72924e4c8f5d] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add restricted_env_file which is like env_file but subject to the same restrictions as the user's own environment. [ec887cc57a8b] * plugins/sudoers/iolog.c: quiet a warning on older zlib [bcd3cac968a2] * plugins/sudoers/iolog.c, plugins/sudoers/timestamp.c: cast mode_t to unsigned int when printing with %o [f9ca9ead134e] 2017-03-21 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [f62e81f74d10] * plugins/sudoers/iolog.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/timestamp.c: Set umask temporarily when creating files instead of changing the mode after the fact. This is slightly less error prone. [a9b4cf336b73] * plugins/sudoers/iolog.c: remove now-useless variable [9a36b2449ac4] * plugins/sudoers/mkdir_parents.c: Don't set owner/mode on directories that already exist, only on newly-created ones. [2b616be0e165] * plugins/sudoers/iolog.c, plugins/sudoers/mkdir_parents.c: Explicitly set the file mode of I/O log files so the mode is not affected by the invoking user's umask. [ec7d5dd47b6b] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/iolog.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Add PERM_IOLOG so we can create I/O log files on an NFS-mounted filesystem where root is remapped to an unprivileged user. [01804a971cd5] * plugins/sudoers/mkdir_parents.c: Restore the '/' in the path before returning if we encounter an error. [bb12cfce16fd] * plugins/sudoers/sssd.c: zero out nss->handle after it has been freed to make sure we cannot free it twice [00d5340b7541] 2017-03-20 Todd C. Miller * plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: When creating the timestamp directory, use the group of the timestamp owner instead of inheriting the group of the parent directory. [7a4a10cafe08] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/iolog.c: Add iolog_flush option. [96baa17409cf] 2017-03-17 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/iolog.c: Don't allow the user to specify an I/O log file mode that sudo can't read or write to. I/O logs must always be readable and writable by the owner. [b32e2ef04905] 2017-03-14 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: Regenerate the cat pages with newer mandoc which formats double quotes as "foo" instead of ``foo''. [5f14e527ae05] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Make it clear that I/O logs will be complete even if the command run by sudo is terminated by a signal. The I/O log buffering just prevents the logs from being displayed in real-time as the command is running. [072fd419ac1e] 2017-03-13 Todd C. Miller * src/exec.c, src/exec_monitor.c, src/signal.c, src/sudo.h: Replace pipe_nonblock() with pipe2() [c106b62d7835] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/pipe2.c, mkdep.pl: Emulate pipe2() on systems without it. [5a183dd380f0] 2017-03-10 Todd C. Miller * plugins/sudoers/auth/kerb5.c: Fix declaration of sudo_krb5_verify() in the case where krb5_verify_user() is not present. Bug #777 [eafd4e2d7c7f] * plugins/sudoers/rcstr.c: Use HAVE_STDBOOL_H to detect systems w/o stdbool.h. Bug #778 [dbac86777429] 2017-03-09 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [2fc489ddc143] * src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c: Move SIGCHLD handling into handle_sigchld() functions and move the remaining bits of dispatch_signal() into signal_pipe_cb() [b120f5cfa8cc] 2017-03-08 Todd C. Miller * src/utmp.c: e_termination should be set to the value of WTERMSIG not WEXITSTATUS [95f37078ae8f] 2017-03-07 Todd C. Miller * MANIFEST, src/Makefile.in, src/exec_nopty.c, src/sudo.h, src/tcsetpgrp_nobg.c: Add tcsetpgrp_nobg() which acts like tcsetpgrp() but returns -1 for a background process. This is safer than blocking SIGTTOU which would cause tcsetpgrp() to succeed in the background. [7ab75c47b8bf] 2017-03-06 Todd C. Miller * src/exec_nopty.c: Prevent sudo from receiving SIGTTOU when it tries to restore the controlling terminal. There appears to be a race with the shell (bash) which we may lose. [aab018fb9940] 2017-03-03 Todd C. Miller * plugins/sudoers/timestamp.c, src/exec_monitor.c: Add some casts to quiet gcc warnings on Solaris and remove a now- useless debug printf. [16c862eab0ce] * src/exec_pty.c: change debug info when suspending sudo [f5c5ee07f8e3] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h: Reorganize the command execution code to separate out the pty and non-pty code paths into their own event loops. The non-pty exec code is now contained in exec_nopty.c and the pty exec code is split between exec_pty.c (parent process) and exec_monitor.c (session leader). This results in a small bit of duplicated code but improves readability. Some of the duplicated code will fall out in future changes to the event subsystem (the signal pipe). [fe239d2a3cbd] 2017-02-26 Todd C. Miller * lib/util/ttysize.c, src/exec_pty.c: Remove support for the TIOCGSIZE ioctl. Systems that use this rather than TIOCGWINSZ are too old for sudo to build on anyway. [0179b16c70f9] 2017-02-24 Todd C. Miller * src/exec.c, src/exec_pty.c: Set the child pid to -1 after we've waited for it and take care to avoid killing pid -1. This makes it a bit more explicit and removes the need for a separate variable to track the child's status. Sudo already stops processing signals after it receives SIGCHLD so it is not vulnerable to CVE-2017-2616. [1123704858ae] 2017-02-22 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Update the description of strict mode to current reality. Aliases haven't needed to be defined before they are used since sudo 1.7. [9dc4ce4ec538] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/visudo.c: Go back to using a Warning/Error prefix in the message printed to stderr for alias problems. Requested by Tomas Sykora. [ad4dc6e34222] 2017-02-21 Todd C. Miller * plugins/sudoers/filedigest.c, plugins/sudoers/filedigest_openssl.c: fix copyright years [b9f013f95bb2] 2017-02-20 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/digestname.c, plugins/sudoers/filedigest.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/visudo_json.c: Move the file digest code out of match.c and into filedigest.c. Inspired by RedHat changes that used libgcrypt. Also add digest_type_to_name() to map a sudo digest type (int) to a name (string) and use it. [9213d8c94b8f] * INSTALL, MANIFEST, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/filedigest_openssl.c: Add support for using the message digest functions in OpenSSL instead of sudo's own SHA2 implementation. [d77639c97e43] * INSTALL, MANIFEST, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/filedigest_gcrypt.c: Add support for using the message digest functions in libgcrypt instead of sudo's own SHA2 implementation. [0259467c38dd] * plugins/sudoers/gmtoff.c: Check for gmtime() or localtime() returning NULL and just use a zero offset in that case. Should not be possible. [ed210dd8bf46] 2017-02-18 Todd C. Miller * plugins/sudoers/sudoers2ldif: Add support for ROLE, TYPE, PRIVS, LIMITPRIVS, TIMEOUT, NOTBEFORE and NOTAFTER. [d0310b017c78] * config.h.in, configure, configure.ac, plugins/sudoers/timestr.c: strftime() was in C89 so use it unconditionally. [87bf66aa18fd] * MANIFEST, config.h.in, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/gentime.c, plugins/sudoers/gmtoff.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/sudoers/test19.in, plugins/sudoers/regress/sudoers/test19.json.ok, plugins/sudoers/regress/sudoers/test19.out.ok, plugins/sudoers/regress/sudoers/test19.toke.ok, plugins/sudoers/regress/visudo/test10.out.ok, plugins/sudoers/regress/visudo/test10.sh, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP. [3ba0f9567f83] 2017-02-16 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [f2876eadc1f5] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h: Bump version to 1.11 for timeout entry in settings[] [7b288e4bab93] * doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: regen [8c059a57d367] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo_usage.h.in: Add a command line option to specify the command timeout, as long as sudoers does not specify a shorter time limit. [a8ef7f923d0a] 2017-02-15 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Better error message when the timeout value does not parse. [2360fb093e3e] * plugins/sudoers/timeout.c: set errno to ERANGE not EOVERFLOW on range error [9654e1acab0d] 2017-02-14 Todd C. Miller * plugins/sudoers/Makefile.in: regen [46a124dd72aa] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Merge command tags, SELinux type/role and Solaris privs settings into "command options". This relaxes the order of things so tags and other options can be interspersed. [0970fd78cbe8] * MANIFEST, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/mkdefaults, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/sudoers/test17.in, plugins/sudoers/regress/sudoers/test17.json.ok, plugins/sudoers/regress/sudoers/test17.out.ok, plugins/sudoers/regress/sudoers/test17.toke.ok, plugins/sudoers/regress/sudoers/test18.in, plugins/sudoers/regress/sudoers/test18.json.ok, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo_json.c: Add support for command timeouts in sudoers. After the timeout, the command will be terminated. [a36a748e9324] * doc/fixman.sh, doc/fixmdoc.sh, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Split out tags again so they must precede the command and not allow them to be mixed in with options. [e7e7d60316cc] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Only inherit SELinux role/type and Solaris privilege sets if the command does not include any. Previously, a command with only a role would inherit a type from the previous command which is not what was intended. [171a3ad972e7] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: List SELinux role/type for "sudo -l" with LDAP and SSSd backends. Also fix printing of the timeout. [740723a49ab5] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Plug some memory leaks found by ASAN. [08189098a5b6] * plugins/sudoers/Makefile.in: Only inhibit ASAN leak detector for tests that result in a parse error. The parser cannot currently clean up completely on error. [b2f82dcd2545] * plugins/sudoers/rcstr.c: supress cppcheck memory leak false positive [e0caf2275a44] * lib/util/strtoid.c: fix typo that prevented compilation on FreeBSD [27866f6a2b5e] 2017-02-13 Todd C. Miller * lib/util/Makefile.in: Link vsyslog.lo directly into vsyslog_test to make sure the syslog() stub gets called. Otherwise, the real syslog will get called via libutil on AIX. [693bc8411a98] * lib/util/regress/vsyslog/vsyslog_test.c: Fix final test with a format > 2048 bytes. Keep track of tests run in the syslog() stub so we can detect if the stub is not being called. [d10d784446c1] * lib/zlib/deflate.c: avoid redefining the MIN macro [45b7b0ba0f01] * plugins/sudoers/parse.h, plugins/sudoers/timestr.c: Include parse.h in timestr.c which is where function prototype lives. [3ec9ec84a84c] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix for including a sudoers file that begins with the letter 'i'. The hack to determine whether we are parsing an include or includedir is no longer safe now that relative include paths are permitted. Bug #776. [4d9691a43867] 2017-02-10 Todd C. Miller * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Display the value of syslog_maxlen in sudo -V output. [0841ad36531c] 2017-02-06 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add ignore_unknown_defaults flag to ignore unknown Defaults entries in sudoers instead of producing a warning. [a7fdb44677dd] 2017-01-27 Todd C. Miller * plugins/sudoers/match.c: Always set the close-on-exec bit on the fd used to generate the digest (i.e. the command to run) on systems that lack fexecve(2). That way we don't need to explicitly close it using #ifdefs. [f840a22fac1c] * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ca.mo, po/ca.po, po/eo.mo, po/eo.po, po/sv.mo, po/sv.po: sync with translationproject.org [57e877674892] * NEWS: first updates for 1.8.20 [118208688b08] * configure, configure.ac: sudo 1.8.20 [6cba125ea903] 2017-01-25 Todd C. Miller * doc/LICENSE, lib/zlib/adler32.c, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.exp, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: update zlib to version 1.2.11 [75a563663083] 2017-01-23 Todd C. Miller * plugins/sudoers/match.c: Fix fdexec=never when a digest is present. [49d3ab5baad0] 2017-01-22 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/match.c: Add new fdexec sudoers setting to allow choose whether execve() or fexecve() is used. [6a7623aa9a64] * src/exec.c, src/exec_pty.c: Close execfd in parent processes where it is not needed. [f44e334d43e2] 2017-01-21 Todd C. Miller * plugins/sudoers/match.c: Add support for digest matching when the command is a glob-style pattern or a directory. For example: millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/ millert ALL = sha224:TmUvLkp3a2txliSC2X6CiK42626qdKsH72m/PQ== /bin/* would only match /bin/ls (assuming the digest matches). Previously, only explicit path matches checked the digest. [d4f6822ba9bb] 2017-01-17 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: Add support for SASL_MECH in ldap.conf; Bug #764 [d057bb7f2ddc] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix documentation bug, the contents of env_file have never been subject to env_keep or env_check. However, variables are only added if they have not already been preserved. [4483b1b44709] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, examples/sudoers: Safer example for rule that can change non-root passwords. GNU getopts allows options to follow arguments so we need to be able to deny things like "passwd root -q". From Paul "Joey" Clark. Bug #772 [c809f1372811] 2017-01-16 Todd C. Miller * plugins/sudoers/ldap.c: Don't overwrite the return value of ldap_sasl_interactive_bind_s() by the subsequent call to sudo_set_krb5_ccache_name(). From Paul Zirnik of SUSE. [448baff2b586] * plugins/sudoers/env.c: In sudo_unsetenv_nodebug(), decrement envp.env_len after removing the variable. From Paul Zirnik of SUSE. [3d87a008671c] 2017-01-15 Todd C. Miller * lib/util/Makefile.in: only run vsyslog_test if it exists [5323dfcfb009] * MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/regress/vsyslog/vsyslog_test.c: Add regress for vsyslog replacement. [1f767b8f5940] 2017-01-13 Todd C. Miller * configure, configure.ac: Define HAVE_NANOSLEEP if we find nanosleep in librt [ec8d949bf411] * configure, configure.ac: sudo_nanosleep not nanosleep in util.exp.in [18a3bca78962] * configure, configure.ac: add nanosleep to util.exp.in if needed [6ac2e9266d67] * NEWS, configure, configure.ac: sudo 1.8.19p2 [9c15593a007a] * lib/util/vsyslog.c: Double the size of new_fmt[] and remove an extraneous break in the %m handling that was leftover from an earlier edit. [fcb28dc9cd4e] * lib/util/vsyslog.c: Fix typo, want vsnprintf not snprintf. [2717f2125ecd] * plugins/sudoers/logging.c: move va_start() in mysyslog() [b58ec40bbfc3] * plugins/sudoers/sudoers.c: Only treat failure of expand_iolog_path() as fatal if ignore_iolog_errors is not set. [1ba009311cf7] 2017-01-12 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/nanosleep.c, mkdep.pl, src/exec_pty.c: When waiting for the parent to grant us the tty, use nanosleep instead of spinning to avoid hogging the CPU. [76335b380d7c] * src/sudo.c: Use ROOT_UID instead of 0 [5ed03a4e0b0b] 2017-01-09 Todd C. Miller * plugins/sudoers/Makefile.in: regen [99b26e2c523d] 2017-01-07 Todd C. Miller * MANIFEST, plugins/sudoers/interfaces.c, plugins/sudoers/regress/visudo/test9.out.ok, plugins/sudoers/regress/visudo/test9.sh, plugins/sudoers/visudo.c: Fix crash in visudo introduced in sudo 1.8.9 when an IP address or network is used in a host-based Defaults entry. Bug #766 [ff9001f126b5] 2017-01-05 Todd C. Miller * configure, configure.ac, doc/LICENSE: Avoid using the system strnlen/strndup on AIX < 6. Even if configure correctly detects it is working on the build machine, the sudo package may be run on a system with an old libc were it is broken. [28d148db0aaa] 2016-12-20 Todd C. Miller * NEWS, configure, configure.ac: sudo 1.8.19p1 [7bfd43fa5caf] * plugins/sudoers/defaults.c: Fix logic bug when matching syslog priority and facility. [576cc9eb850f] * doc/HISTORY: Dell spun off Quest so simplify the history by just talking about Quest and not Dell. [a66120495435] 2016-12-19 Todd C. Miller * doc/LICENSE: Fix copyright year [3122e55195a6] * NEWS: typo [ffe9e84928b6] 2016-12-18 Todd C. Miller * include/sudo_compat.h: HAVE_DECL_GETGROUPLIST_2 is always defined if HAVE_GETGROUPLIST_2 is, we need to check its value, not whether it is defined. [849eb3113149] 2016-12-15 Todd C. Miller * plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po: sync with translationproject.org [abf5d356a33b] 2016-12-13 Todd C. Miller * configure, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/sr.mo, po/sr.po: sync with translationproject.org [fec672d5a4c7] * config.h.in, configure.ac, include/sudo_compat.h, plugins/sudoers/pwutil_impl.c, src/sudo.c: Use getgrouplist_2() on macOS if available. [3bf58af56d18] 2016-12-03 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [3f4d52230317] * plugins/sudoers/interfaces.c: In set_interfaces() treat a parse error as fatal. [7d0048108b1d] 2016-12-02 Todd C. Miller * lib/util/regress/atofoo/atofoo_test.c: Fix a clang warning on macOS [58e9d192e907] 2016-12-01 Todd C. Miller * plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/ko.mo, po/ko.po, po/vi.mo, po/vi.po: sync with translationproject.org [99cce0f5fddc] * NEWS: update for 1.8.19b2 [18cfc9b8b8e7] * plugins/sudoers/timestamp.c: Ignore a boot time that is in the future, which can happen when the clock is corrected down after boot. Otherwise, the timestamp file will be unlinked each time sudo is run and a password is always required. [dd3b2b7ae709] 2016-11-30 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.c: Allow syslog priority to be negated or set to "none" to disable logging successes or failures. [624eddac4ab1] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Allow stdin and ttyin to be displayed too. The only one that is really useful in sudoreplay is stdin when input is from a pipe. [5aa8b3a90c84] * src/regress/noexec/check_noexec.c: Solaris 10 wordexp() returns 127 on execve() failure like popen() does. [f927c50dda17] * config.h.in, configure, configure.ac, include/sudo_debug.h, lib/util/regress/atofoo/atofoo_test.c, lib/util/strtoid.c, lib/util/sudo_debug.c, lib/util/util.exp.in: id_t is 64-bits on FreeBSD so use strtoll() there. Fixes the strtoid regress. [448a9857e89f] 2016-11-29 Todd C. Miller * NEWS: fix typo [92ea657a87f5] * plugins/sudoers/sudoers.c: Fix the "all" setting for verifypw and listpw; nopass would never be true even if all the user's entries had the NOPASSWD tag. Regression introduce in sudo 1.8.17. Bug #762 [c672e3ebfbe2] 2016-11-28 Todd C. Miller * plugins/sudoers/po/ca.mo, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/el.mo, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eu.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fr.mo, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/hu.mo, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/lt.mo, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/ru.mo, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sr.mo, plugins/sudoers/po/tr.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/es.mo, po/es.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [8a4ab570d132] 2016-11-25 Todd C. Miller * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/openbsd.c: Just use malloc_options "S" on OpenBSD instead of "AFGJPR". [2851cd2da1c7] 2016-11-22 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update year in license [e370bf3d1035] 2016-11-21 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [d524f0306467] * doc/sudo.conf.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat: regen [185328ea20c3] * include/sudo_debug.h, lib/util/sudo_debug.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/visudo.c, src/sudo.c: Add SUDO_DEBUG_INSTANCE_ERROR return value for sudo_debug_register() and check for it in places where we check the return value of sudo_debug_register(). [d1e74c5f21a6] 2016-11-20 Todd C. Miller * NEWS: update for 1.8.19 [b248866c511d] 2016-11-17 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/getspwuid.c: Add support for getpwnam_shadow() on OpenBSD [4db7ed374c33] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/policy.c, src/sudo.c: Add umask to user_info passed in from the front end to the plugin. [4a4eee52a717] * plugins/sudoers/auth/rfc1938.c: Fix sign compare warning. [8732d632cbff] * MANIFEST, aclocal.m4, configure, configure.ac, m4/ax_append_flag.m4, m4/sudo.m4: Use AX_APPEND_FLAG instead of SUDO_APPEND_CPPFLAGS and direct modification of LDFLAGS. [c1464dcd45e0] * MANIFEST, configure, configure.ac, plugins/sudoers/aixcrypt.exp: Remove aixcrypt.exp, it was a remnant of the 90's crypto wars where crypt() was not exported. [785d57666d41] * doc/TROUBLESHOOTING: Remove obsolete solaris issue with snprintf [3ce6cc899026] * INSTALL: SunOS 4.x is no longer supported [2239eb30ff2c] 2016-11-16 Todd C. Miller * lib/util/regress/sudo_conf/test1.in, lib/util/sudo_conf.c: Plug memory leak when a particular Path is set more than once. [debc97dac01d] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Add sudo_ldap_is_negated() and sudo_ldap_is_negated() functions and use them to parse negated entries instead of doing it manually. [12010b64afe5] * plugins/sudoers/ldap.c: Fix printing of sudoedit_follow in "sudo -l" [2094a8f880c4] * plugins/sudoers/sssd.c: For "sudo -l" print sudoOption sudoedit_follow as FOLLOW. [9c860b1fa721] * config.h.in, configure, configure.ac, include/sudo_conf.h, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.out.ok, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/policy.c, src/exec_common.c, src/load_plugins.c, src/parse_args.c: Always define _PATH_SUDO_NOEXEC, _PATH_SUDO_SESH, _PATH_SUDO_PLUGIN_DIR, even if only defined to NULL. This means the accessors can always be present. Use RTLD_PRELOAD_VAR instead of _PATH_SUDO_NOEXEC to tell when noexec is available. Add ENABLE_SUDO_PLUGIN_API and use it instead of _PATH_SUDO_PLUGIN_DIR to tell when the plugin API is available. Add sudo_conf_clear_paths() to clear the path values so the regress tests are not affected by compile-time settings. [2b05e4a143d9] * plugins/sudoers/ldap.c: Use readline() in sudo_ldap_read_secret() [3f0506e5cbe3] 2016-11-15 Todd C. Miller * lib/util/sudo_conf.c: Get rid of struct sudo_conf_paths and just use #defined index values to access the path values. Make all accessors available even when the feature is not enabled. [58d1ec6170a8] * configure, configure.ac, lib/util/Makefile.in, lib/zlib/Makefile.in, mkdep.pl, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add ASAN_CFLAGS and ASAN_LDFLAGS and use -Wc prefix in ASAN_LDFLAGS to prevent libtool from strippign them out. Avoid using ASAN flags when building sudo_noexec.so. [9644dd92e586] 2016-11-14 Todd C. Miller * configure, configure.ac: Disable noexec for HP-UX 10.x which probably doesn't support LD_PRELOAD [d87bc5ea4688] * config.h.in, configure, configure.ac, plugins/sudoers/getspwuid.c: Remove SunOS 4 support, it is not modern enough to run sudo. [b6e15f8360b6] * config.h.in, configure, configure.ac, plugins/sudoers/getspwuid.c: Remove HP-UX 9 support, it is not modern enough for sudo. [226dda48c1e1] * config.h.in, configure, configure.ac, plugins/sudoers/auth/passwd.c, plugins/sudoers/getspwuid.c: Remove Ultrix support, modern sudo can't run on Ultrix anyway. [95a11ef29a2b] * MANIFEST, configure, configure.ac, lib/util/sudo_conf.c, src/Makefile.in, src/exec_common.c, src/regress/noexec/check_noexec.c, src/sudo_exec.h: Add regress for noexec functionality [2cadd8e04677] * src/Makefile.in: Unbreak sudo_noexec on macOS where shared libraries and dynamic modules are different. We still want to install sudo_noexec.so without the "lib" prefix so some hackery is required. [93d7b69491a1] * configure, configure.ac: Don't enable noexec for AIX 5.0-5.2, we need 5.3 and above. [92cad0180239] 2016-11-13 Todd C. Miller * src/Makefile.in: Need to link sudo_noexec.so with -ldl for dlsym() on some platforms. Otherwise, the wordexp(3) wrapper will fail due to an undefined symbol. Bug #761 [120a317ce25b] * plugins/sudoers/visudo.c: In strict mode, go to the file/line with an undefined aliases or aliases cycle directly. [b4f51b79bd9e] 2016-11-12 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/visudo.c: Store the file/lineno for alias and userspec entries so we can provide that info if there is an error. [7deb4e41ca7b] 2016-11-11 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/rcstr.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Add simple reference-counted string allocator and use it for passing around references to the sudoers path. This lets us avoid making copies of the sudoers path for the errorfile as well as each Defaults entry. [afcff7b5b647] * lib/util/sha2.c: Cast len from size_t to uint64_t before bit shifting since we are adding to count which is also uint64_t. Quiets a PVS-Studio warning. [167210670b30] 2016-11-10 Todd C. Miller * MANIFEST, plugins/sudoers/regress/visudo/test7.out.ok, plugins/sudoers/regress/visudo/test7.sh, plugins/sudoers/regress/visudo/test8.err.ok, plugins/sudoers/regress/visudo/test8.out.ok, plugins/sudoers/regress/visudo/test8.sh: Add checks for sudoers_locale early Defaults [582c08c9418c] * src/parse_args.c, src/sudo.c, src/sudo.h: Add the argument vector allocated for -s and -i mode to the garbage collector list. Avoids an ASAN warning on exit when the -s or -i flags are used. [652691a5216b] 2016-11-09 Todd C. Miller * plugins/sudoers/iolog.c: add missing sudo_pw_delref/sudo_gr_delref to plug memory leak [c4ba4c26e0c1] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sssd.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Go back to parsing Defaults entries in update_defaults instead of as sudoers is read. Otherwise, we cannot properly support early defaults like sudoers_locale. [ff1328a86b97] * mkpkg: Use expr instead of POSIX sh numerical expression to avoid a syntax error on older shells. [638383bb40d5] 2016-11-08 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h: Bump plugin minor version to 10 for sudo_mode, sudo_group and sudo_user. [0c65dc1f2874] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix a bug in host matching where a negated sudoHost entry would prevent other sudoHosts following it from matching. [40cbd5790106] * plugins/sudoers/defaults.c: Zero out sd_un before calling parse_default() so we don't try to free stack garbage in the ldap/sssd backends. [6b64a8e3a19d] 2016-11-07 Todd C. Miller * plugins/sudoers/ldap.c: Use "ret", not "rc" for the function return value. [fdfe637adee6] * include/sudo_compat.h, lib/util/strtomode.c, plugins/sudoers/defaults.c, plugins/sudoers/goodpath.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/sesh.c, src/sudo.c, src/sudo_edit.c: Use sys/stat.h defines instead of bare octal values. [215c80e09830] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c: Pass iolog mode, group and user from policy plugin to I/O log plugin. [1ed4967771c8] 2016-11-06 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sssd.c: Instead of parsing sudoers Defaults twice, parse once while reading sudoers and then just set the parsed value in update_defaults(). [370d51681c6e] * plugins/sudoers/defaults.c: Use "struct defaults *d" instead of "struct defaults *def" throughout for consistency and to avoid confusino with "struct def_values *def". Use "str" not "var" for the string argument to convert and store in sd_un for the store_* functions. [5cc3efc609df] * plugins/sudoers/parse.c: In display_bound_defaults() rename dtype arg -> deftype. [b3323960e1db] 2016-11-03 Todd C. Miller * lib/util/regress/sudo_conf/test4.err.ok, lib/util/regress/sudo_conf/test5.err.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok: Update error output to match quoting changes. [27bbf5004d1e] * plugins/sudoers/defaults.c: Avoid passing in a struct sudo_defs_types pointer to the store functions. Pass in a pointer to the union to fill instead. [ea956d00aae3] * plugins/sudoers/defaults.h: no longer need struct defaults forward referebce [21e34ca85de5] 2016-11-02 Todd C. Miller * lib/util/sudo_conf.c, plugins/sudoers/alias.c, plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/load_plugins.c: Use "double quotes" in messages instead of a combination of the accent (grave) mark and apostrophe. [10dee3ecf3e1] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Add file:linenumber prefix to all Defaults warnings so we can see them when running sudo too. For LDAP/SSSD we print the sudoRole instead of the file name and omit the line number. [5c6b95cd3792] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Use sudoedit in examples instead of "sudo vi" [6008c208682c] 2016-11-01 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Only treat an unknown Defaults entry as a parse error in visudo, not in sudo itself. [8d8aa7ac5a32] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/visudo.c: Instead of checking Defaults values after the fact, check them at sudoers parse time. This makes it possible to display the file and line number with the problem and for visudo to go right to the error. [ac66bd690d05] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: Refactor freeing of a member_list into free_members(). [d29daa01bb9c] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: add_defaults() now calls sudoerserror() itself instead of the caller assuming any error means out of member. [a25e51321e0b] * plugins/sudoers/defaults.c, plugins/sudoers/mkdir_parents.c: s/rval/ret/g -- old habits die hard [fa55d08b233a] 2016-10-31 Todd C. Miller * plugins/sudoers/sudoers.c: Remove inaccurate XXX comment, sudo_file_parse() sends mail on parse error. [052b0e112839] * plugins/sudoers/visudo.c: The fix for Bug #408 broke editing of files in an include dir that have a syntax error. Normally, visudo does not edit those files, but if a syntax error is detected in one, the user gets a chance to fix it. [6b00f9bfff31] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Make a copy of the current sudoers path when assigning errorfile. Fixes a potential use after free in visudo when there is an error in one of the include files. [eb6db5d15b61] * plugins/sudoers/sudoers_debug.c: sudoers_debug_register() was not setting the active debug instance to sudoers_debug_instance when called from the I/O log plugin. This is because it relied on sudo_debug_register to do that but sudoers_debug_parse_flags() doesn't set debug_files[] sudoers_debug_instance is already set (we can only init sudoers debug once). To work around this, just make sudoers_debug_instance the active debug instance in sudoers_debug_register() when it is already set. [71b0221c8c28] * src/load_plugins.c: Fix pasto when setting I/O plugin debug files [03c3aab22e65] * plugins/sudoers/iolog.c: use cp instead of *cur when comparing against plugin_path [f2dfe69549f5] 2016-10-30 Todd C. Miller * plugins/sudoers/mkdir_parents.c: In sudo_mkdir_parents() inherit the gid of / instead of using gid 0 for the first component. [5f2bf33bccb5] * plugins/sudoers/iolog.c: We want to inherit the gid from the parent directory when not setting permissions on intermerdiate directories. [845f5a20b5fa] 2016-10-29 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/mkdir_parents.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Move io_mkdir_parents() to its own file and use it in ts_mkdirs(). [c1d55f588a60] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Make the I/O log file/dir permissions and owner configurable. [e7a74f3dfa56] * lib/util/Makefile.in, mkdep.pl: Add vsyslog.lo [18362a9ae32e] * configure, configure.ac: sudo 1.8.19 [97743604e6e3] 2016-10-28 Todd C. Miller * plugins/sudoers/defaults.c: Don't try to syntax check an unrecognized Defaults value in visudo. [e4972655b5d3] 2016-10-26 Todd C. Miller * plugins/sudoers/iolog.c: Create I/O log files with the same gid as the parent directory. [0da5824e006d] * plugins/sudoers/ldap.c: Check for sudo_ldap_result_last_search() returning NULL. This can't happen in practice because we always call sudo_ldap_result_add_search() first which guarantees there is a result to be found. Quiets a PVS-Studio warning. [4f6074f40fbc] * src/exec_pty.c: Quiet a PVS-Studio warning about the spin loop when waiting for the parent to assign us the terminal pgrp. [d063a283477b] * plugins/sudoers/env.c: Fix incorrect strncmp() lengths. The check for USERNAME was only looking at the first 5 characters (copy and paste error). The check for SUDO_PS1 was not checking the trailing '=' character (off by one error). Found by PVS-Studio. [297380eb6940] * plugins/sudoers/env.c: When checking for old-style bash functions in the environment, check for values starting with "() " (note the trailing space) rather than "()". Bash will only treat the value as a function if the space after "()" is present. The trailing space was already present in the compare string but when it was added, the length passed to strncmp() was not updated from 3 to 4. Found by PVS-Studio. No security impact. [7e35f39d356b] * plugins/sudoers/set_perms.c: Add some missing casts from uid_t/gid_t to int when printing uid/gid values. We print these as signed so a value of -1 (no change) is obvious. Quiets PVS-Studio warnings. [9773e5b166e1] * plugins/sudoers/timestamp.c: def_timestamp_timeout is a double so compare against 0.0 not 0 to avoid making it appear to be an integer type. [8675db470ab7] * plugins/sudoers/defaults.c: When checking syslog facility or priority, move the string compare into the body of the loop and return if it matches. If we finish the loop it means we didn't find a match. This makes the code a little bit more readable. [d1df1649a01e] * lib/util/strlcpy.c, lib/util/strnlen.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/logging.c, plugins/sudoers/visudo_json.c, src/env_hooks.c, src/exec_pty.c: Replace bare ";" in the body of for() loops with "continue;" for improved readability. [92eff8dbe5f8] 2016-10-21 Todd C. Miller * config.guess, config.sub: Update from http://git.savannah.gnu.org/gitweb/?p=config.git [86e6144dfdd7] * config.guess, config.sub, configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4: Update to libtool 2.4.6 [8d85d9e8687b] 2016-10-19 Todd C. Miller * lib/util/vsyslog.c: Use a static buffer if possible. [758ce6478994] * MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/vsyslog.c, plugins/sudoers/logging.c: add vsyslog() for systems without it. [c6457f333252] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: There are now 14 tag values, not 10. Don't bother mentioning the number since it keeps increasing. Bug #759 [17e4c900dc12] 2016-10-18 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/logging.c: Use vsyslog() if available. [ea9b7a51eaec] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.c: Add syslog_maxlen to control the max size of syslog messages. [5f9872d2073f] 2016-10-17 Todd C. Miller * src/tgetpass.c: Don't generate SIGTOU when restoring the terminal modes. It doen't make sense to suspend the process only to restore the terminal settings since in this case the shell has already taken ownership of the tty. [981c26f3fc8f] * plugins/sudoers/sudoreplay.c, src/exec_pty.c, src/tgetpass.c: The flush parameter of sudo_term_restore() is bool, not int. [c2597f1881f3] 2016-10-14 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Add wordexp() to the list of functions wrapped by sudo_noexec.so. [2e847ce3f02f] 2016-10-10 Todd C. Miller * src/sudo_noexec.c: Need RTLD_NEXT for wordexp() on dlopen() systems. It is missing on AIX 5.1 at least. [167a518d8129] * src/sudo_noexec.c: add missing guard around wordexp() [7b8357b0a358] * NEWS: expand on 1.8.18p1 changes [f560e06ad584] 2016-10-09 Todd C. Miller * NEWS, configure, configure.ac: sudo 1.8.18p1 [a36e17d1c5db] * config.h.in, configure, configure.ac, src/sudo_noexec.c: Fix configure check for seccomp filter on Linux [5d88d7cda853] 2016-10-08 Todd C. Miller * config.h.in, configure, configure.ac, src/sudo_noexec.c: Use a seccomp filter on Linux to disable execve(2) and execveat(2). This still relies on LD_PRELOAD to work so it has the same issues as the existing mether with respect to running 32-bit binaries on a 64-bit kernel. [59d76bdc0f0c] * src/Makefile.in: regen [9e313cb0900b] * plugins/sudoers/Makefile.in: regen [5ca77049e5cd] 2016-10-05 Todd C. Miller * aclocal.m4, config.h.in, configure, configure.ac, src/sudo_noexec.c: Wrap wordexp(3) in sudo_noexec. [e7d09243e51b] 2016-09-26 Todd C. Miller * plugins/sudoers/Makefile.in: Clean .json files created by "make check" [d214117fbda1] 2016-09-19 Todd C. Miller * po/ca.mo, po/da.mo, po/eo.mo, po/es.mo, po/eu.mo, po/fi.mo, po/gl.mo, po/hr.mo, po/hu.mo, po/ko.mo, po/nl.mo, po/ru.mo, po/sk.mo, po/sl.mo, po/sr.mo, po/tr.mo: recompile .po files [3d91cbf75744] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix matching when no sudoRunAsUser is present in a sudoRole. If only a sudoRunAsGroup is present, match on the invoking user if the -g option was specified and the group matched. If no sudoRunAsGroup is present and the -g option was specified, allow it if it matches the passwd gid of the runas user. This matches the behavior of the sudoers backend. [e1a52c34da5e] * plugins/sudoers/match.c: runas_pw can no longer be NULL [020c6ddcae11] 2016-09-15 Todd C. Miller * NEWS: RunAsGroup without RunAsUser issues [52d1547c9d3a] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: user_matched and group_matched must be type int, not bool [204d8de97a05] * plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding whether to check runas user/group instead of checking runas_pw or runas_gr. [d17f223e8313] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: When matching against runas_default use userpw_matches() instead of just strcasecmp(). [ce70077c5861] * plugins/sudoers/testsudoers.c: Set RUNAS_USER_SPECIFIED when -u is specified and/or RUNAS_GROUP_SPECIFIED when -g is specified. [fa7a1035a058] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix printing of the default runas user when a RunAsGroup is specified but no RunAsUser is present. [c05dabd194a1] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Only match against runas_default if both sudoRunAsUser and sudoRunAsGroup are missing. [019084f428b2] * plugins/sudoers/match.c: runas_pw can no longer be NULL here [e73dcebafa15] * plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Update check for whether or not the runas user was set in the ldap and sssd backends to match the sudoers file backend. Introduces the runas_user_set() macro to improve readability. Previously, runas_pw was set late, now it is set before checking sudoers. [d8280d8a96c9] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Document that negated sudoHosts are only supported by 1.8.18 and higher. [f56824fe61bc] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh: Disable Address Sanitizer leak detection for tests which generate parse errors. The parser leaks a bit on error. [4b0ddb11df3a] * plugins/sudoers/sssd.c: Fix underflow in get_ipa_hostname() when trimming trailing whitespace. [875f2f5cd363] 2016-09-14 Todd C. Miller * NEWS: Document negated sudoHost entries. [41d9853f89f7] * plugins/sudoers/sssd.c: Support negated sudoHost entries. [7c25f9111633] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Document negated sudoHost entries. [6c8444c6bc6c] * plugins/sudoers/ldap.c: Support negated sudoHost entries. [1899906b8ef4] 2016-09-13 Todd C. Miller * plugins/sudoers/match.c: Don't check the username when matching a host netgroup unless def_netgroup_tuple is enabled. [238c8064542f] * plugins/sudoers/match.c: Move valid domain name check into a new valid_domain() function. Fix memory leak if getdomainname(2) fails and avoid using heap garbage for the domain name matching in this case. [946f2441c90a] 2016-09-12 Todd C. Miller * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, po/it.mo, po/it.po: sync with translationproject.org [40eab0801eae] 2016-09-11 Todd C. Miller * src/exec_pty.c: Add back line mistakenly removed in 0cf2a9351740 [8622c83c1474] * plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, po/nb.mo, po/nb.po: sync with translationproject.org [f180826bb77b] 2016-09-09 Todd C. Miller * NEWS: Bug #757 [de67bc9e26f8] * plugins/sudoers/sudoers.c: Fix typo that broke short host name matching when the fqdn flag is enabled. Bug #757 [605c03afc80f] 2016-09-08 Todd C. Miller * include/sudo_debug.h, lib/util/aix.c, lib/util/fnmatch.c, lib/util/getgrouplist.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strtoid.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, plugins/sample/sample_plugin.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/env_hooks.c, src/exec.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/signal.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Be consistent with the naming of the variable used to store the function return value. Previously, some code used "rval", some used "ret". This standardizes on "ret" and uses "rc" for temporary return codes. [017866310d24] 2016-09-07 Todd C. Miller * plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/el.po, plugins/sudoers/po/eo.po, plugins/sudoers/po/eu.po, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.po, plugins/sudoers/po/hu.po, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.po, plugins/sudoers/po/lt.po, plugins/sudoers/po/nb.po, plugins/sudoers/po/nl.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/ru.po, plugins/sudoers/po/sk.po, plugins/sudoers/po/sl.po, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/tr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/ca.po, po/cs.mo, po/cs.po, po/da.po, po/de.mo, po/de.po, po/eo.po, po/es.po, po/eu.po, po/fi.po, po/fr.mo, po/fr.po, po/gl.po, po/hr.po, po/hu.po, po/it.po, po/ja.mo, po/ja.po, po/ko.po, po/nb.po, po/nl.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/ru.po, po/sk.po, po/sl.po, po/sr.po, po/sv.mo, po/sv.po, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [6312962695df] * MANIFEST, NEWS, doc/CONTRIBUTORS, po/nn.mo, po/nn.po: Norwegian Nynorsk translation of sudo from translationproject.org [05203a266265] * NEWS: Fix for Bug #756 [89ff21579216] 2016-09-05 Todd C. Miller * plugins/sudoers/sudoers.c: In sudoers_main() avoid setting rval prematurely. Prevents a crash when auditing fails after successfully authenticating. Bug #756 [d17a06bce04c] * plugins/sudoers/defaults.c: Apply match_group_by_gid early. [1259c7fd66ca] 2016-09-02 Todd C. Miller * NEWS: update [292a9e21474e] * src/ttyname.c: Don't disable large file support for Linux, just SVR4-style /proc. Otherwise, stat(2) may fail on Linux when running a 32-bit sudo on a 64-bit machine. Bug #755 [09450ce8b8a8] 2016-09-01 Todd C. Miller * include/sudo_util.h: Make sudo_parseln() flags hex to make it more obvious that they are bit flags. [b912a078047e] * plugins/sudoers/env.c: Don't try to support line continuation in /etc/environment. [d7e30e821c0e] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: No line continuation support in ldap.conf. [211caaba2395] * include/sudo_util.h, lib/util/parseln.c: Add flag to sudo_parseln() to disable line continuation support. [d2820247fc07] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: A comment character ('#') is only special at the beginning of the line. [b3b67b7e4fc0] * include/sudo_util.h, lib/util/parseln.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/env.c, plugins/sudoers/ldap.c, plugins/sudoers/sudo_nss.c: Add a flags option to sudo_parseln() and a flag to only mach comments at the beginning of the line. Use the flag when parsing ldap.conf. [40c560fc9a10] * src/sudo.c: If get_process_ttyname() fails for errno != ENOENT, just warn instead of making it a fatal error. Bug #755 [1a028b861801] 2016-08-31 Todd C. Miller * plugins/sudoers/mkdefaults: use strict [681281bc0f6d] * plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults: Define def_foo in terms of the I_FOO index instead of a bare number. [abb119f84ae6] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: sync with translationproject.org [d339717f8692] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention that match_group_by_gid has no effect when sudoers is stored in LDAP. [5eb6ae45c699] * include/sudo_compat.h, src/sudo.c: Use W_EXITCODE to construct the wait status if sudo could not execute the command. Fixes the sudo exit value for exec(3) failure. [95eae2d60292] * src/exec.c: fix brace style [54448c10b6b5] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [794b06ba727b] * src/sudo.c: It is possible for get_user_info() to fail for reasons other than ENOMEM so print the warning message there rather than in main(). [8c24df8d6b78] 2016-08-30 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: match_group_by_gid is only available in sudo 1.8.18 and above [dd237eb540d0] * doc/UPGRADE: Mention match_group_by_gid [417f27e9059a] * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document match_group_by_gid [2234997acb8d] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/pwutil.c: Add match_group_by_gid Defaults option to allow sites with slow group lookups and a small number of groups in sudoers to match groups by group ID instead of by group name. [20714580da96] 2016-08-29 Todd C. Miller * NEWS: Mention "sudo -l command" bug fix. [cb8ade186880] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix "sudo -l command" in the LDAP and SSS backends when the command is not allowed. [631038350b2a] 2016-08-26 Todd C. Miller * plugins/sudoers/defaults.c: Use sudo_strsplit() instead of doing the equivalent manually. [9eb6d1cc78bd] 2016-08-25 Todd C. Miller * NEWS: Move SIGPIPE bug fix to 1.8.18 where it belongs [52509fd0100e] * plugins/sudoers/defaults.c: Fix memset size typo in previous commit. [e00299f7c50f] * plugins/sudoers/regress/visudo/test6.out.ok, plugins/sudoers/regress/visudo/test6.sh: Add regress for check_defaults() use-after-free bug. [0b362678ca10] * MANIFEST, plugins/sudoers/defaults.c: Fix use-after-free in check_defaults(), reported by Radovan Sroka of RedHat. [ab3a4227c12f] 2016-08-24 Todd C. Miller * NEWS: SIGPIPE bug fix [24c9a12f7e59] * src/signal.c: Now that we ignore SIGPIPE in sudo we need to restore it at exec time. Problem reported by Radovan Sroka of RedHat. [3cfa7e3510ff] 2016-08-22 Todd C. Miller * mkpkg: Fix appending to make_opts [abe28b6b7663] * NEWS: Add Bug #753 and fix reference to Bug #752. [e8c959e1cd6c] 2016-08-21 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/da.mo, po/da.po, po/pt_BR.mo, po/pt_BR.po: sync with translationproject.org [219c3f0aeee7] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen pot files [d0c56a4ff553] 2016-08-17 Todd C. Miller * NEWS: Update with logging changes. [f41beca23b99] * plugins/sudoers/logging.c: Avoid duplicate warnings when we cannot write to the log file. Also send the warning in mail if possible. [9b8509cff137] * plugins/sudoers/iolog.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Move the ignoring of I/O log plugin errors into the I/O log plugin itself. [25b7fd056614] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Make the behavior when we cannot write to a log or audit file configurable. File log failures are ignored by default for consistency with syslog. Audit errors are ignored by default to allow the admin to fix the issue. I/O log file errors are still fatal by default since if I/O logging is activated it is usually to have an audit trail. Bug #751 [dbd085e7c736] 2016-08-15 Todd C. Miller * plugins/sudoers/logging.c: Make sure we print an error message to stderr (and not just send mail) if do_logfile() fails. Bug #751 [7884a23a0cdc] 2016-08-13 Todd C. Miller * plugins/sudoers/pwutil.c: Separate out the supplemental group ID checks from the supplemental group name checks in user_in_group(). We now call sudo_get_gidlist() only when the group name in sudoers begins with a '#' (which is seldom used). [80534785d8b7] * plugins/sudoers/ldap.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Cache the user's group IDs and group names separately and only resolve group IDs -> names when needed. If the sudoers file doesn't contain groups we will no longer try to resolve all the user's group IDs to names, which can be expensive on some systems. [8ce3564e896e] 2016-08-12 Todd C. Miller * plugins/sudoers/defaults.c: Remove the "op" parameter from all the store_foo() functions except store_list() where it is actually needed. For the others, a NULL value indicates the setting was negated. This unconfuses static analyzers (and perhaps humans too). [fca031b57f15] * plugins/sudoers/defaults.c: Flags always have a NULL value. Regression introduced by refactor of set_default_entry(). [71fe4fad097b] * plugins/sudoers/defaults.c: Set rc to true when setting a flag Defaults value. [cf016b6aedd4] * src/utmp.c: suppress a cppcheck false positive [0d44aa7cf05c] * plugins/sudoers/defaults.c: Refactor the error parts of set_default_entry() so the switch() is mostly just calls to store_foo() functions. Avoids a lot of duplicated error checking and silences a cppcheck false positive. [1112b894007c] * plugins/sudoers/defaults.c: In set_default_entry() check for unsupported Defaults type. [beb1ae20179f] * lib/util/aix.c: Add missing break in switch that sets the max limit for RLIMIT_NOFILE. Found by cppcheck. [39b1979b1b92] * plugins/sudoers/defaults.c: Check sudoers_initlocale return value and treat as oom. Coverity CID 141832 [b1cad9d6c49d] 2016-08-10 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Set runas_pw early and adjust runaslist_matches() to deal. Since we now set runas_default early there is no need to call update_defaults with SETDEF_RUNAS after sudoers has been parsed. [35e0b08219a8] 2016-08-09 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/defaults.c, plugins/sudoers/group_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Load sudoers group plugin via an early callback. [0fc4382cd6e4] * sudo.pp: System Integrity Protection on Mac OS X won't allow us to write directly to /etc or /var. We must install in /private/{etc,var} instead. [831c78241e78] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that fqdn, runas_default and sudoers_locale are parsed early. [beb4868c449e] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: Regen for 1.8.18 [eb4feabb8fee] 2016-08-08 Todd C. Miller * plugins/sudoers/defaults.h, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Avoid passing around struct defaults when it is not needed. As a result, we no longer need to include gram.h in the LDAP and SSSD backends. [14d0bfdc8bd2] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Instead of deferring setting early defaults until we have traversed the entire defaults list, just defer running the callbacks. Otherwise, if the last early default setting we see has a bad value we won't set any defaults of that type even if there was an earlier one that was valid. [552863e5a097] * plugins/sudoers/defaults.c: Run callbacks once in set_default_entry() instead of each of the store_foo() functions. [b92b51c67845] 2016-08-03 Todd C. Miller * mkpkg: Use /proc/cpuinfo on Linux instead of running lscpu [450ea436dbe4] * mkpkg: If using GNU make on a multi-cpu system, use the -j flag to run make jobs in parallel, up to the number of cpus/cores. [7a6670de96dc] 2016-07-31 Todd C. Miller * plugins/sudoers/visudo.c: Only check SUDO_USER if euid is 0 [f42d00c94817] 2016-07-30 Todd C. Miller * plugins/sudoers/visudo.c: Initialize sudo_user based on the SUDO_USER environment variable if present. This allows things like :Defaults:username editor=foo" to work when visudo is run via sudo. [a526d6f74198] 2016-07-28 Todd C. Miller * src/exec_pty.c: Add function name in "command resumed" debug message [e209f199a79f] * src/exec_pty.c: If waitpid() returns 0 or -1, display a warning, this should never happen. Add a check for unhandled wait status (also should never happen). [983a0b79b527] * plugins/sudoers/defaults.c: Flag settings have a NULL value so we can't use that to test whether an entry in struct early_default is set or not. Add a "set" member and use that instead. [68a7c0de9b0e] 2016-07-27 Todd C. Miller * src/exec_pty.c: Explicitly check for a continued process with waitpid(2). Otherwise, waitpid() will return 0 when the command is resumed after being suspended, which we were treating the same as -1. Fixes suspend and resume on Linux and probably others. [54a464b116ad] * plugins/sudoers/defaults.c: Fix --with-fqdn, the value should be NULL since it is a flag. [95bc8b82911e] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Add support for early defaults to the ldap and sssd backends. [3a034360c177] 2016-07-25 Todd C. Miller * src/sudo_edit.c: Repair symlink check in sudo_edit_openat_nofollow() on systems without O_NOFOLLOW, it must be done relative to dfd. Previously the lstat() would always fail, possibly leading to a false positive. Also add an early symlink check like in sudo_edit() while here. [f72901c7f7cc] * src/sudo_edit.c: On systems that lack the O_NOFOLLOW open(2) flag, check in sudo_edit_open() whether the path to be opened is symlink before opening it. This is racey but we detect losing the last post-open and it is better to fail early if possible. When editing a link to a non-existent file, a zero-length file will be left behind but it is too dangerous to try and remove it after the fact. Bug #753 [dac04f305262] * src/sudo_edit.c: Update debug_decl for sudo_edit_openat_nofollow() Remove unused variables when O_NOFOLLOW is not present. [8dc0afb1de58] 2016-07-23 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/visudo.c: Split set_default_entry() out of set_default() so we can call it from check_defaults() to validate the defaults value. In visudo, suppress warnings from update_defaults() and rely on check_defaults() to provide warnings. [7d9b50f42d0b] * plugins/sudoers/defaults.c: Split binding match code out of default_type_matches() into default_binding_matches(). We can now use default_type_matches() in check_defaults(). [c158768b12c5] * plugins/sudoers/visudo.c: Pass quiet flag to init_parser() and update_defaults() when doing first parse of sudoers. [3af76c1a0d84] 2016-07-22 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Update defaults in visudo after sudoers has been edited so we pick up locale changes. The init_defaults() function will now re-init the sudoers locale. [ceb099392289] 2016-07-20 Todd C. Miller * plugins/sudoers/testsudoers.c: Set sudoers locale before calling sudoersparse(). We don't need to restore the user's locale since warnings are displayed in the user's locale anyway. [c44a38a496d1] * plugins/sudoers/visudo.c: Set the locale to the sudoers locale when parsing and restore the user's locale afterward. Also set the warn/fatal locale helper function so warning messages during a sudoers parse are displayed in the user's own locale. [a0b2cdb69d43] * plugins/sudoers/logging.h: Add forward decl of union sudo_defs_val to silence a gcc warning. [9e717510f132] * plugins/sudoers/sudoers.c: Set the warn/fatal locale helper function in sudoers_policy_init() so warning messages during sudoers loading are displayed in the user's own locale. [b6c7bab1ca80] * plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Move sudoers locale callback function to locale.c and user it in visudo and testsudoers. [7c4e9a71e252] * plugins/sudoers/sudoers.c: In cb_sudoers_locale() actually set the locale in addition to storing its name. Otherwise, it won't take effect until sudoers lookup time. [ceb446c2168b] * plugins/sudoers/defaults.c: Fix regression that would cause early defaults entries to be set multiple times. [5f5cd02d5f0f] * NEWS, configure, configure.ac: sudo 1.8.18 [7c778904c39b] 2016-07-19 Todd C. Miller * plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c: Only set early defaults once, regardless of how many times the variable is set in sudoers. This avoids running an early callback more than once. For example, we don't want to call cb_fqdn() if sudo is compiled with FQDN set but sudoers has "Defaults !fqdn". [0c5d80939ea2] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Make strings const in functions that set defaults as they are not modified. [d01f22ab1902] * plugins/sudoers/sudoers.c: In cb_fqdn() just return if the fqdn flag is set to false. [0cb3d78aa944] 2016-07-18 Todd C. Miller * plugins/sudoers/defaults.c: Implement callbacks for defaults flags (T_FLAG). [936adcc98800] * plugins/sudoers/sudoers.c: add debug_decl for cb_runas_default and cb_sudoers_locale [4667b1e14172] * plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c: Convert fqdn to a callback and add it to the list of early defaults. [df863787cf5e] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Change defaults callbacks to take a union sudo_defs_val * instead of a char *. [c7730fa19e46] * plugins/sudoers/defaults.c: When updating defaults, process certain values fist since they can influence how other defaults are parsed. Currently, runas_default and sudoers_locale are processed early. [32062737a1ae] 2016-07-16 Todd C. Miller * plugins/sudoers/toke_util.c: Fix typo introduced in last commit to fix fill_args() overflow check. [535d13b81c5d] * plugins/sudoers/toke_util.c: Fix underflow checl in fill_args(). [2c6852e65ad6] * plugins/sudoers/toke_util.c: Make sure we account for the trailing NUL when computing arg_size in fill_args(). Bug #752 [c73c1ea4b230] * plugins/sudoers/toke_util.c: Make arg_size and arg_len unsigned since we do bitwise operations on them. [0a551c7a5e67] 2016-07-08 Todd C. Miller * lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Only remove backup files as part of "make uninstall" when INSTALL_BACKUP is set. [c2541d2de89c] * configure, configure.ac, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Only keep backups of installed files on HP-UX where you cannot unlink a shared library that is in use. [8763a1d0d515] 2016-07-03 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Ignore a missing or insecure #includedir, it is not a fatal error. [8a82818c9f0d] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Make sure we always call sudoerserror() on error in read_dir_files(), otherwise sudo will not treat it as a fatal error. [1a38da425ca0] 2016-06-30 Todd C. Miller * plugins/sudoers/sudoers.c: Set the sudoers locale before opening the sudoers file. Previously the sudoers locale was used when evaluating sudoers but not during the inital parse. Bug #748 [c8deb0da75b4] * plugins/sudoers/locale.c: Add debugging [5fbe2f109b92] * plugins/sudoers/Makefile.in: Don't link test programs with the sudoers-specific locale code if we don't need to. [41224154534e] * plugins/sudoers/Makefile.in: sudoreplay does not need to link with the sudoers-specific locale code. [348638a68f69] 2016-06-27 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: new_digest was prototyped as static but not explicitly declared static. [52949a024acb] * configure, configure.ac: Some versions of HP-UX 11.11 do not expose struct sockaddr_ext if _XOPEN_SOURCE_EXTENDED is defined. Only define _XOPEN_SOURCE_EXTENDED if we can still compile net/if.h. [0189ff7daa63] * plugins/sudoers/Makefile.in: Some versions of HP-UX make will ignore suffix rules if they are empty. [cffeee232752] 2016-06-23 Todd C. Miller * src/exec_pty.c: Don't skip debug printfs in handle_sigchld() just because execve() returned an error. [0cf2a9351740] * include/compat/charclass.h, include/sudo_compat.h, lib/util/aix.c, lib/util/getaddrinfo.c, lib/util/sudo_debug.c, plugins/sudoers/insults.h, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers_debug.c: Add definition of nitems for those without it and use it throughout. [4b30c8834fdd] 2016-06-22 Todd C. Miller * sudo.pp: Update copyright year. [638c964e44fd] * NEWS, configure, configure.ac: Sudo 1.8.17p1 [bc30a172370c] * src/sudo.c, src/sudo.h: Set user groups in exec_setup() if they were not already set by policy_init_session(). Bug #749 [3bf16489800c] 2016-06-15 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Point the reader to the sudoers manual for the list of supported arguments after the plugin path. [40cbfa5deeb1] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: forgot to update date in last commit [3872a46e229b] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Fix typo; cn=default should be cn=defaults [06e097667465] 2016-06-13 Todd C. Miller * lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Fold lines at 80 characters for the clean: target [651623231cd8] * lib/util/Makefile.in: Remove mksiglist, siglist.c, mksigname, signame.c as part of "distclean" [ed7f58685633] 2016-06-12 Todd C. Miller * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po: sync with translationproject.org [a3bb8c15ef3d] * plugins/sudoers/sssd.c: LDAP sudoers doesn't support negated users, groups or netgroups. [d6585245c24d] 2016-06-09 Todd C. Miller * NEWS: Bug #746 [e0bba3ae78c2] * plugins/sudoers/match.c: When matching paths with glob(3), check returned matches against user_cmnd first if it is fully-qualified. This avoids a lot of needless stat(2) calls and avoids a mismatch between safe_cmnd and argv[0] if there are multiple matches with the same inode/dev due to links. Bug #746. [29bdba0cf2eb] * NEWS: Add execve failure in pty bug fix. [941672cc6793] * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po: sync with translationproject.org [a4f789cedecc] * src/exec_pty.c: In handle_sigchld() fix the return value when we've already received an exec error. We don't want to overwrite the error status but we do need to indicate that the command is no longer running. Fixes as hang on execve(2) error when running in a pty. [797bed2c39a7] * src/exec.c, src/exec_common.c: Move sudo_debug_execve() call into sudo_execve(). [ab2ea3459a7c] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po: sync with translationproject.org [046ba9a0fca8] 2016-06-07 Todd C. Miller * NEWS: update for 1.8.17 final [a2f02775aba5] * lib/util/aix.c: Fix setting of hard stack limit when stack_hard is not specified in /etc/security/limits. When 64-bit resource limits are supported we can use the default value of 8388608 512-byte blocks directly. We should only resort to using RLIM_SAVED_MAX for 32-bit resource limits. [cc4933fc41bd] 2016-06-06 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [4ab85a46cf63] 2016-06-05 Todd C. Miller * plugins/sudoers/sssd.c: Ignore empty ipa_hostname [9421ade7b47f] * plugins/sudoers/sssd.c: Better martching of ipa_hostname in sssd.conf [abd53491cb4b] 2016-06-04 Todd C. Miller * INSTALL, configure, configure.ac, pathnames.h.in, plugins/sudoers/sssd.c: Use the value of ipa_hostname from /etc/sssd/sssd.conf if present instead of the system hostname. [3f5cffcd8432] 2016-06-03 Todd C. Miller * plugins/sudoers/sssd.c: When matching host, short-circuit the loop when we get a match. Only check username as part of the netgroup when netgroup_tuple is enabled. [2eab4070dcf7] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Avoid using !strcmp() [f976b3d973e0] 2016-06-02 Todd C. Miller * plugins/sudoers/sssd.c: SSSD doesn't handle netgroups, we have to ensure they are correctly filtered in sudo. The rules may contain mixed sudoUser specification so we have to check not only for netgroup membership but also for user and group matches. Adapted from a patch from Daniel Kopecek. [50d8d88bcc28] 2016-06-01 Todd C. Miller * plugins/sudoers/auth/pam.c: Return PAM_CONV_ERR from the conversation function if getpass returns NULL or the user pressed ^C. [bec7e2ec26ff] * plugins/sudoers/base64.c: Make base64 decoding table-driven. [2d001c111552] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Back out cfa26b99228f, it was already fixed differently. Caught by regress checks. [0584f80e9951] 2016-05-31 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Allow double-quoted groups and netgroups to be part of a Defaults spec. From Daniel Kopecek. [cfa26b99228f] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: The sudoers.ldap manual is installed in section 4 or 5, not 1m or 8. Also fix the section for ldap.conf cross-references. [eb1c0a2b84a1] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Fix copy pasta, "sudoNotAfter" not "sudoNotBefore". Add missing word "order" in a sentence describing sudoOrder. [653cb783f89b] * plugins/sudoers/sssd.c: For sudo -ll (long list) print the SSSD role just like we do for the LDAP backend. Adapted from sudo-1.8.6p3-sssdrulenames.patch [46f962b1f3ef] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Setting timestamp_timeout less than zero only lasts until the next reboot. Adapted from a RedHat patch. [f8ce1dfebfe9] * po/it.mo, po/it.po, po/nb.mo, po/nb.po: sync with translationproject.org [31b55426358b] 2016-05-25 Todd C. Miller * src/conversation.c: fputs() is now specified as returning non-negative on success, not explicitly zero. Fixes a failure on glibc. [55f8a25d4af4] * src/conversation.c: Don't try to dereference replies[] if it is a NULL pointer. [c4fdd838f2f5] * plugins/sudoers/policy.c: sudo_version should be unsigned [7719d425c65a] * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/ca.mo, po/ca.po, po/cs.mo, po/cs.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/sk.mo, po/sk.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [e40cdc972d19] * MANIFEST, NEWS, doc/CONTRIBUTORS, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, po/ko.mo, po/ko.po: Korean translation for sudo and sudoers from translationproject.org. [188ffbed5bf2] * NEWS, plugins/sudoers/auth/pam.c: Ignore PAM_SESSION_ERR from pam_open_session() since this can apparently happen on systems using Solaris-derived PAM. Other errors from pam_open_session() are treated as fatal. This avoids the "policy plugin failed session initialization" error message seen on some systems. [0f7f3e7ead21] 2016-05-24 Todd C. Miller * NEWS, src/exec_pty.c: Don't read from stdin when flushing final buffers in blocking mode. Reading from the pipe can block too if the other end is not closed. [a651f913a1ef] 2016-05-23 Todd C. Miller * NEWS: Mention visudo -x change. [2fd35df055b2] * plugins/sudoers/regress/sudoers/test1.json.ok, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test15.json.ok, plugins/sudoers/regress/sudoers/test16.json.ok, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/visudo_json.c: There's no need to escape forward slashes in JSON output. While it is legal to escape a forward slash, it is not required. [044710f516a9] * doc/UPGRADE: Document that in 1.8.12 sudo started being able to check the NIS domain on Solaris. [bced94478c0e] 2016-05-20 Todd C. Miller * NEWS: Better description of the I/O logging pipe issue. [6eee2f8a1fae] * src/exec_pty.c: In del_io_events(), avoid reading from the pty master in blocking mode. We now do two passes, one with SUDO_EVLOOP_NONBLOCK and another that could block if stdin is a pipe. This ensures we consume the pipe until EOF. [564ae2b4c305] * lib/util/event.c: Improve debug info in sudo_ev_add() and sudo_ev_del() [ca839439ff22] * src/exec_pty.c: In pty_close(), call del_io_events with the SUDO_EVLOOP_ONCE flag so the event loop will exit after a single run through. Otherwise, we may hang at exit on non-BSD systems. [e6c38d5a341b] 2016-05-18 Todd C. Miller * po/sudo.pot: regen [18a4570be506] 2016-05-17 Todd C. Miller * src/exec_pty.c: Bump I/O buffer size to 64K. We don't use PIPE_BUF or _PC_PIPE_BUF for this because that corresponds to the value for atomic pipe writes. The actual pipe buffer is much larger on modern systems and 64K is what BSD and Linux support for large pipe buffers. [3b5d995966ef] * NEWS: I/O logging bug fix [934d755ac12c] * src/exec_pty.c: Don't use SUDO_EVLOOP_NONBLOCK when flushing buffers at pty close time, only when the user suspends sudo. Fixes a problem where all buffers might not get flushed at exit when logging I/O. Reproducible via "sudo tar cf - foo | (cd /tmp && sudo tar xf -)" on OpenBSD. [bbe0e18739ec] 2016-05-16 Todd C. Miller * plugins/sudoers/visudo_json.c: Don't try to fflush(export_fp) or ferror(export_fp) if export_fp is NULL, which can happen on the error path. [ccfb4dd260fa] * plugins/sudoers/sudoers.c, src/exec.c, src/exec_pty.c, src/sudo.c, src/tgetpass.c: O_NOCTTY has no effect when opening /dev/tty as the open can only succeed if there is already a controlling tty. [9ca106c499b2] * src/sudo.c: Do not need to open /dev/tty with O_NONBLOCK, it doesn't block on first open like a physical terminal. By definition, if you have a controlling tty, the first open (which might block) has already occurred. [15a5f006836a] * src/selinux.c: Use O_NOCTTY when opening a tty. [5f9fd6458be4] * src/Makefile.in: regen [105ef4533724] * plugins/sudoers/auth/sudo_auth.c: No need to set pass to NULL after freeing at the end of the loop it since it is already set to NULL each time through the loop. [2657b0b4260d] 2016-05-14 Todd C. Miller * NEWS: SELinux fixes in 1.8.17. [f743cf0d9c62] * plugins/sudoers/logging.h, plugins/sudoers/logwrap.c: Check fprintf() return value in writeln_wrap() and return the number of characters actually written, or -1 on error. [4739e0f58fa3] * src/conversation.c: Check fputs() return value. [e85778cbe0e3] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Do not write directly to stdout/stderr, use sudo_printf which calls the conversation function. [e86d5ed4dca7] * plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c: Do not write directly to stdout/stderr, use sudo_printf which calls the conversation function. [002a30fdb4e0] * plugins/sudoers/iolog.c, plugins/sudoers/visudo_json.c: Use ferror() after fflush() to check the error status of the stdio stream we wrote to. [fa1db13fe9ac] 2016-05-13 Todd C. Miller * plugins/sudoers/parse.c: printf() returns < 0 on error, not explicitly -1 [2a2385b941de] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: Regen for 1.8.17 [e24b0f944000] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that you need to preserve EDITOR and/or VISUAL for env_editor to be useful. [ef0ce8917307] * src/selinux.c: Fix last commit, now that argc is not reset we need to explicitly start the copy from argv[1]. From Daniel Kopecek [f52403ef587a] 2016-05-12 Todd C. Miller * src/selinux.c: cosmetic change to warning string [a2893e3f9b70] * plugins/sudoers/auth/pam.c: Avoid adding an extraneous warning string to sudoers.pot. [6b07043b48f7] * lib/util/snprintf.c: Use EOVERFLOW, not ENOMEM for overflow conditions. For snprintf() and vsnprintf(), POSIX says we should return -1 and set errno to EOVERFLOW if the size param is > INT_MAX; also zero out the string in this case (not mandated by POSIX) for safety. [294720fc981a] 2016-05-11 Todd C. Miller * plugins/sudoers/auth/pam.c: Now that pam_open_session() failure is fatal we should print and log an error from it. Bug #744 [0e98a92ef910] * src/selinux.c: Repair SELinux support, broken by 397722cdd7ec. From Daniel Kopecek. [1246583c7c1f] * plugins/sudoers/iolog.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Remove sudo_mkpwcache() and sudo_mkgrcache(). We now create the caches as needed on demand. Also remove calls to sudo_freepwcache() and sudo_freegrcache() that are immediately followed by execve(), they are not needed. [60448afe813d] * plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Eliminate use of setpwent()/endpwent() and setgrent()/endgrent(). Sudo never iterates over the passwd or group file. Rename sudo_set{pw,gr}ent() -> sudo_mk{pw,gr}cache() and use sudo_free{pw,gr}cache() instead of sudo_end{pw,gr}ent(). [66e6f5e7b51b] 2016-05-10 Todd C. Miller * plugins/sudoers/parse.h: Remove unnecessary NULL checks in the RUNAS_CHANGED macro. The only place where the pointers could be NULL is in visudo_json.c but we already check for "next" being NULL there. Quiets a cppcheck warning. [a0d84832c154] 2016-05-09 Todd C. Miller * plugins/sudoers/sudoreplay.c: In replay_session() free iov at the end of the function (if needed) instead of after processing each line from the timing file. Coverity CID 104843. [5112f514af87] * plugins/sudoers/sudoreplay.c: Add io_log_read() and io_log_gets() to hide differences between gzread/fread and gzgets/fgets. Check for premature EOF and error from io_log_read(). Also sanity check the index in the timing file. Coverity CID 104630. [6a3b9932f567] * src/exec_pty.c: Break up io_callback() into read_callback() and write_callback() to make it clear that we can't get an event with both read and write set. [cd3a1e182dd4] 2016-05-07 Todd C. Miller * src/exec_pty.c: In io_callback() make sure we clear SUDO_EV_READ if we close the fd. It should not be possible for SUDO_EV_READ to be set when revent is non-NULL but this makes static analyzers happier. Coverity CID 104124. [7acc249fa098] * plugins/sudoers/ldap.c: In sudo_krb5_copy_cc_file() move the close(ofd) to the done: label so we only have to cleanup in one place. Coverity CID 104577. [0f189e70c59d] * plugins/sudoers/ldap.c: Fix memory leak in sudo_netgroup_lookup() in the non-error case. Coverity CID 104572, 104573, 104574, 104575. [7f9fb7a360b7] * plugins/sudoers/ldap.c: Fix fd leak in sudo_krb5_copy_cc_file() if restore_perms() fails. Coverity CID 104571. [d9434cdfb73c] * plugins/sudoers/sudoreplay.c: Free the events and event base before returning from replay_session(). Coverity CID 104116, 104117. [321216089e4a] * src/sudo_edit.c: In sudo_edit_create_tfiles(), fix fd leak if sudo_edit_mktemp() fails. Coverity CID 104114. [713de09ff956] * src/sudo_edit.c: Fix fd leak in sudo_edit_open_nonwritable() if dir_is_writable() returns an error. Coverity CID 104113. [314a57004f00] * src/sudo_edit.c: Fix memory leak of sesh_args in selinux_edit_copy_tfiles(). Coverity CID 104112. [ac7f0cbd07c9] * plugins/sudoers/visudo.c: Fix memory leak in get_editor() if resolve_editor() fails with an error. Coverity CID 104107. [e355b1f45bcb] * src/sudo.c: Fix memory leak on error if sudo_new_key_val() fails. Coverity CID 104103. [c2ee1557aef2] * plugins/sudoers/visudo.c: Ignore the return value of the initial sudoersparse(), before we have actually edited any files. Coverity CID 104078. [184d9c6aec65] * src/exec.c: Ignore the result of send() on exec error, if it fails the other end of the pipe is gone and we are headed for exit. Coverity CID 104066. [cdcd7dfcbca1] * plugins/sudoers/toke_util.c: In fill_args() clean up properly if there is an internal overflow (which should not be possible). Coverity CID 104569. [0bc710e91ec4] * plugins/sudoers/gc.c: Fix logic inversion in sudoers_gc_remove(), currently unused. Coverity CID 104568 [e29df8da11ea] 2016-05-06 Todd C. Miller * plugins/sudoers/iolog.c: In io_mkdirs(), change the order from stat then mkdir, to mkdir then stat. This more closely matches what "mkdir -p" does. Coverity CID 104120. [e462528ff7ea] * plugins/sudoers/timestamp.c: In ts_mkdirs(), change the order from stat then mkdir, to mkdir then stat. This more closely matches what "mkdir -p" does. Coverity CID 104119. [c0c0e2662883] * plugins/sudoers/sudoers.c: Newer versions of Ubuntu have switched from using the "admin" group to the "sudo" group to align with Debian. create_admin_success_flag() now accepts either one. https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1387347 [17b4d725dac4] * plugins/sudoers/timestamp.c: Cast off_t printed via printf(3) instead of assuming it is long long. [b1d398f4a8dc] * plugins/sudoers/sudoers.c: Instead of using stat(2) to see if the admin flag file exists and creating it if not, just try to create the file and treat EEXIST as a non-error. Coverity CID 104121. [bd58b0a35a3c] * MANIFEST, plugins/sample/README: README file for the sample plugin that tells the user how to build, install and enable it. [8d7096ce78cc] * plugins/sample/sample_plugin.c: Fix compilation error and export sample_policy struct. From Michael Evans [5280c1576e7f] * NEWS: Update for 1.8.17 [979688a5ef13] * configure, configure.ac: Sudo 1.8.17 [09311b2e9697] * plugins/sudoers/logging.c: Check return value of restore_perms() in vlog_warning(). Coverity CID 104079. [86555dd0942d] * plugins/sudoers/editor.c: Fix memory leaks in resolve_editor() in the error path. Coverity CID 104109, 104110 [6ac3f7e3ada9] * plugins/sudoers/policy.c: Fix memory leak of gid_list in sudoers_policy_exec_setup() in the error path. Coverity CID 104111. [eac1e9489367] * plugins/sudoers/logging.c: Fix fd leak in do_logfile() if we fail to lock the log file. Coverity CID 104115. [164a693207a8] * plugins/sudoers/sssd.c: Fix memory leak of sss_result in sudo_sss_lookup() Coverity CID 104106 [7dcee1e6d76f] * plugins/sudoers/iolog.c: Fix fd leak in open_io_fd() if gzdopen/fdopen fails. Coverity CID 104105 [c4c2848c1167] * plugins/sudoers/iolog.c: Fix fd leak in io_nextid() in error path. Coverity CID 104104 [8920cdaab5bd] 2016-05-05 Todd C. Miller * plugins/sudoers/timestamp.c: Check lseek() return value. Coverity CID 104061. [bf3bb4c80cfc] * plugins/sudoers/timestamp.c: Ignore ts_write() return value when disabling an entry with a bogus timestamp. We ignore the timestamp entry even it doesn't succeed. Coverity CID 104062. [5e5925ebbc75] * plugins/sudoers/iolog.c, plugins/sudoers/match.c, plugins/sudoers/tsgetgrpw.c, src/exec.c, src/exec_pty.c, src/sudo.c: Cast the return value of fcntl() to void when setting FD_CLOEXEC. Coverity CID 104063, 104064, 104069, 104070, 104071, 104072, 104073, 104074 [48720d2f6658] * plugins/group_file/getgrent.c: Cast the return value of fcntl() to void when setting FD_CLOEXEC. Coverity CID 104075, 104076, 104077. [7fe1d9f97321] * plugins/sudoers/env.c: Avoid a false positive. Coverity CID 104056. [0256978219a6] * plugins/sudoers/visudo_json.c: Avoid calling fclose(NULL) on error in export_sudoers(). Coverity CID 104091. [2f73d86ab929] * plugins/sudoers/toke_util.c: In fill_args(), check for "arg_size == 0" instead of "sudoerslval.command.args == NULL" since the latter leads Coverity to imply that sudoerslval.command.args could be NULL later on. Coverity CID 104093. [bab505438881] * plugins/sudoers/sudoers.c: Avoid calling fclose(NULL) if the sudoers file is not secure and restore_perms() fails. Coverity CID 104090. [150db126c221] 2016-05-04 Todd C. Miller * plugins/sudoers/toke.h, plugins/sudoers/toke_util.c: In fill_args(), replace loop that increments arg_size() with a simple add and mask. Should prevent a false positive from Coverity CID 104094. [411c7e398286] * plugins/sudoers/sudoreplay.c: In parse_expr(), move the "bad" label after the "default" case in the switch(), not before it. This seemed to confuse Covertity, resulting in a false positive, CID 104095. [4371f26995fb] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: For "sudoreplay -l", not all predicates may be shortened to a single character. Both 'c' and 't' have more than one possibility. [29a5a9a313e2] * src/exec.c, src/exec_pty.c, src/sudo.c: pid_t is defined by POSIX as a signed integer type so we don't need a cast when comparing to -1. [98f0a86260a0] * src/exec.c: In dispatch_signal() for stopped processes check for tcgetpgrp() returning -1. Also change checks from "saved_pgrp != -1" to "fd != -1". Coverity CID 104098. [42ac4ad85900] * src/selinux.c: In relabel_tty() always jump to bad: on error, regardless of the value of se_state.enforcing. On error, return -1 if enforcing, else 0. Coverity CID 104099. [db1a54d718f1] * config.h.in, configure.ac: Define NO_LEAKS when sudo is built with Coverity. [f4209b9ade8c] * src/exec_pty.c: In io_callback() if we write the complete buffer and find that there is no associated reader just return as there is nothing else to be done. In practice is it not possible for SUDO_EV_READ to be set if revent is NULL but an early return is harmless and possibly easier to understand. Coverity CID 104124. [3b3eb45b701e] * src/sudo_edit.c: Handle read() returning -1 when creating temporary files. Coverity CID 104100 [e82af51e4f48] * plugins/sudoers/policy.c: Fix cut and paste error when checking cols for 0. Coverity CID 104081 [22a3b7d9bce1] * plugins/sudoers/pwutil.c: Use a single debug message for cache hit or store to avoid another situation where they get out of sync. Bug #743 [4cf484e9b016] * plugins/sudoers/pwutil.c: Sync the "cache hit" debug messages with the "cached" debug messages. This fixes a bug where we could dereference a NULL pointer when we look up a negative cached entry which is stored as a NULL passwd or group struct pointer. Bug #743. [1d13341d53ec] 2016-04-28 Todd C. Miller * configure, configure.ac: Remove the check for __sprintf_chk when checking for _FORTIFY_SOURCE, Some implementations are purely header-file based. As long as we can link a test program using sprintf() when _FORTIFY_SOURCE=2 it should be safe to use. [910af8ba4666] * config.h.in, configure, configure.ac: Remove configure checks for dev_t, id_t, ino_t, ptrdiff_t, size_t and ssize_t. These have been specified by either ANSI C or POSIX for long enough that if the system doesn't support them, it is unlikely to be able to compile sudo anyway. [c9fd433cfe27] * src/sudo.c: Do group setup in policy_init_session() before calling out to the plugin. This makes it possible for the pam_group module to change the group in pam_setcred(). It's a bit bogus since pam_setcred() is documented as not changing the group or user ID, but pam_group is shipped with stock Linux-PAM so we need to support it. [814cda602541] 2016-04-26 Todd C. Miller * plugins/sudoers/logging.c: Add missing newline when logging to a file (not syslog) and loglinelen is set to a non-positive number. Bug #742 [ef0a5428a574] 2016-04-25 Todd C. Miller * src/exec.c: style fix; fork_cmnd should start on a new line [e8211fe0f8d7] 2016-04-22 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, src/signal.c, src/sudo.c, src/tgetpass.c: Ignore SIGPIPE for the duration of sudo and not just in a few select places. We have no control over what nss, PAM modules or sudo plugins might do so ignoring SIGPIPE is safest. [7c919101b8ec] * src/selinux.c: Use string_to_security_class() instead of pulling SECCLASS_CHR_FILE from flask.h. Avoids a warning with new SELinux includes. [24f357b419c4] 2016-04-19 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: When determining whether or not "sudo -l" or "sudo -b" should prompt for a password, take all sudoers sources into account. In other words, if both file and ldap sudoers sources are in use, "sudo -v" will now require that all entries in both sources be have NOPASSWD (file) or !authenticate (ldap) in the entries. [51e2a5ecacc6] 2016-03-22 Todd C. Miller * plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.h: If the auth_type setting in /etc/security/login.cfg is set to PAM_AUTH but pam_start() fails, fall back to use AIX authentication. Skip the auth_type check if sudo is not compiled with PAM support. [cdbe432c465c] 2016-03-17 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: The header for sudo.conf(5) should be SUDO.CONF(5) not SUDO(5). [d3afd5bd550f] 2016-03-16 Todd C. Miller * plugins/sudoers/policy.c: hook_version and hook_type are unsigned so use 0, not -1 in the final (empty) entry. Quiets a warning on Solaris Studio 12.2. [4947de8e35b7] 2016-03-09 Todd C. Miller * NEWS, config.h.in, configure, configure.ac, plugins/sudoers/auth/pam.c: Work around an ambiguity in the PAM spec with respect to the conversation function. It is not clear whether the "struct pam_message **msg" is an array of pointers or a pointer to an array. Linux-PAM and OpenPAM use an array of pointers while Solaris/HP- UX/AIX uses a pointer to an array. Bug #726. [d2b926e2f7d6] 2016-03-08 Todd C. Miller * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/eo.mo, po/eo.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/ru.mo, po/ru.po, po/sr.mo, po/sr.po: sync with translationproject.org [271c6738213d] 2016-02-27 Todd C. Miller * NEWS: Bug #738 [9e7974480cdc] 2016-02-26 Todd C. Miller * plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, po/nb.mo, po/nb.po: sync with translationproject.org [6aa32f6e5240] * lib/util/regress/fnmatch/fnm_test.in: Better test for negated character classes. [635e3c17bca1] * lib/util/regress/fnmatch/fnm_test.in: Add test for negated character class [0d813e098864] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [9398ffdc7719] * NEWS: sync [a27a7d40491e] * lib/util/fnmatch.c: Fix negation of character classes. [aed07c013a41] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix the check for whether a user is allowed to lists another user's privileges. The "matched" variable is not boolean, it can also have the value UNSPEC so we need to check explicitly for true. Bug #738 [e8ed706fda03] * plugins/sudoers/auth/pam.c: Log the number of PAM messages in the conversation function at debug level. [3f16eea5875f] 2016-02-24 Todd C. Miller * configure, configure.ac: Don't check for posix_spawn() or posix_spawnp() if we were unable to find spawn.h. This should only be a problem on systems with broken headers. Bug #730 [5e5b0646dca4] 2016-02-22 Todd C. Miller * NEWS: update for 1.8.16 [bad5e6534f39] * doc/CONTRIBUTORS, plugins/sudoers/sudoers2ldif: Fix documented bug with duplicate role names and turn on perl warnings. Based on a diff from Aaron Peschel [344a1c1f5c93] 2016-02-20 Todd C. Miller * lib/util/aix.c: Add declaration of getauthdb() for AIX 5.1 [f758960bcfd6] 2016-02-19 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [e61e1241f15f] * plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po: sync with translationproject.org [2f3dea24199b] * INSTALL: Add a note that --with-solaris-audit is only for Solaris 11 and above. Bug #737 [6722331c2830] 2016-02-18 Todd C. Miller * configure, configure.ac: Remove last remnants of the deprecated --with-stow option. [8616d6de7ecd] * src/Makefile.in: src/load_plugins.c needs _PATH_SUDO_CONF so allow it to be overridden via the Makefile like other consumers of _PATH_SUDO_CONF. Bug #735 [10148ef883ec] 2016-02-01 Todd C. Miller * configure, configure.ac, include/sudo_util.h, lib/util/aix.c, lib/util/getgrouplist.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, src/sudo.c: Add an administrative domain to the passwd/group cache key for AIX which can have different name <-> ID mappings depending on whether the database is local, LDAP, etc. [5319c11aefe9] * mkpkg, sudo.pp: Fedora dropped "core" from the name some time ago so just match on f[0-9] for the rpm distro name provided by pp. Since the version numbers of Fedora and RHEL are so different switch to defining variables to indicate which features should be enabled. Works for Fedora 23. [4ec50b352293] 2016-01-31 Todd C. Miller * mkpkg, sudo.pp: Treat fedora core like centos/rhel for package building. [0dfc607d07a1] 2016-01-29 Todd C. Miller * plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/parser/check_fill.c: Plug some memory leaks in the tests. [ce76ba538867] * plugins/sudoers/toke_util.c: If realloc of sudoerslval.command.args fails, reset sudoerslval.command.args as well as arg_len and arg_size after freeing sudoerslval.command.args. [6481bad56e6a] * src/exec_pty.c: When freeing the iobs after pty tear-down, also free the associated event structures. Quiets a memory leak warnings from address sanitizer and valgrind. [f19c689a2ded] 2016-01-28 Todd C. Miller * plugins/sudoers/iolog.c: iolog_compress should be bool, not int [b437123a242b] * plugins/sudoers/visudo.c: Quiet address sanitizer leak detector. [b7ce672331f6] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/gc.c, plugins/sudoers/sudoers.h: Simple garbage collection (really a to-be-freed list) for the sudoers plugin. Almost identical to what sudo.c uses. Currenly only the environment strings are collected at exit time which is enough to quiet address sanitizer's leak detector. [47f32e047b1a] * src/sudo.c: Rename gc_cleanup to gc_run and remove I/O plugins from the plugin list when freeing them. [ea640f0b46f9] * src/sudo.c: Free up the garbage via an atexit() handler instead of requiring a call to gc_exit. [cc9c96d88595] * src/sudo_edit.c: Plug a memory leak in sudo_edit. [cab9a13a669b] 2016-01-27 Todd C. Miller * INSTALL: mention --enable-asan [ee2bc0f60c8b] * plugins/sudoers/auth/sudo_auth.c: Try to deconfuse static analyzers a bit. [7e728c76f5df] * plugins/sudoers/sssd.c: Avoid possible NULL deref found by clang analyzer. [8bb3cbfe0446] * config.h.in, configure, configure.ac: Add --enable-asan configure flag to enable address sanitizer [8aae250fb68e] * src/sudo.c, src/sudo_plugin_int.h, src/ttyname.c: Add support for garbage collecting info passed to the plugin before exit to appease address sanitizer's leak detector (and valgrind's leak checker). We can't free these sooner since the plugin may be using the memory. For plugin API 2.0 it should be make clear that the plugin must make a copy of the data in the arrays passed in to the plugin's open() function. Only enabled if NO_LEAKS is defined. [8458bcb165d8] * plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c: auth_getpass() returns a dynamically allocated copy of the plaintext password which needs to be freed after checking (and clearing) it. [28d2c83c3ac4] * src/sudo.c: Remove sudo_fatalx() calls from format_plugin_settings(). [96a18a3ccc49] * plugins/sudoers/sssd.c: fn_free_result() (aka sss_sudo_free_result() in sss_sudo.c) handles a NULL poiner so there's no need to check before calling it. Add missing initialization of sss_sudo_result to NULL in sudo_sss_setdefs(). [fa1c8eaed6ac] * plugins/sudoers/sssd.c: Add missing return when user is not found in sudo_sss_result_get(). Previously we fell through to the default case which just logged a debug message and returned so this just avoids the extra (generic) debug message. [68c2201f3a85] 2016-01-26 Todd C. Miller * lib/util/gettime.c: Fix a warning on AIX. [4ebc19a143ff] * src/sudo.c: Pass updated user_env_out, not envp, to the I/O open function. [f02e6f32f189] * src/sudo.c: Pass updated argv/envp to the I/O open function like the plugin API documents. [ff9f4fae5cf3] 2016-01-25 Todd C. Miller * plugins/sudoers/iolog.c: Add check for I/O log file handle being NULL. This could only happen if the front-end calls iolog_open with argc == 0 but actually runs a command. [5113a3c04494] 2016-01-22 Todd C. Miller * plugins/sudoers/pwutil.c: Additional debugging for pwutil functions. [908b83c3acbb] * config.h.in, configure, configure.ac, lib/util/aix.c: When calling setauthdb(), save the old registry value so we can restore it properly. Previously we were setting the registry to unrestricted instead of actually restoring it. [5a2921412663] * plugins/sudoers/sudoers.c: Use SUDOERS_DEBUG_UTIL not SUDO_DEBUG_UTIL in the plugin. [79b012777e71] 2016-01-21 Todd C. Miller * lib/util/sudo_debug.c: When parsing debug entries, don't make a lower value override a higher one. For example, for "pcomm@debug,all@warn" the "all@warn" should not set pcomm to "warn" when it is already at "debug". [031037a56e51] 2016-01-20 Todd C. Miller * plugins/sudoers/policy.c: Set sudoedit_checkdir=false in command_details when it is disabled in sudoers. [811dd43b29f5] * include/sudo_compat.h, lib/util/strtobool.c, plugins/sudoers/ldap.c, plugins/sudoers/sssd.c, src/sudo_edit.c: Update copyright year [5ec484920763] * src/sudo_edit.c: If the user runs "sudoedit /" we will receive ENOENT from openat(2) and sudoedit will try to create a file with the null string. If path is empty, open the cwd instead so sudoedit can give a sensible error message. [fc39d5804f1f] * lib/util/strtobool.c: Log an error for invalid boolean strings. [004afa5e05c5] * src/sudo.c: Fix off by one error in new SET_FLAG macro. [5bdce4edf8b9] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the race with sudoedit_checkdir in 1.8.15. [cb7aed3367e9] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document sudoedit_checkdir [89f2452272ad] 2016-01-19 Todd C. Miller * src/sudo_edit.c: There are no systems that support O_SEARCH/O_PATH that do not also support O_DIRECTORY so simplify the definition of DIR_OPEN_FLAGS a bit. [a48f11ea53b3] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [8ae4d883ac59] * NEWS, doc/UPGRADE: Add 1.8.16 changes [8d3a3f5cdf59] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/defaults.c, src/sudo.c: Make sudoedit_checkdir the default and update the documentation accordingly. [84bbc1b73411] * src/sudo.c: Add a SET_FLAG macro to simplify parsing command details boolean flags. Previously, flags were only set and never cleared even if the boolean value was false. This was not a problem as there were no default flags for the plugin to enable. That will change in the future. [75f24ca13f41] 2016-01-18 Todd C. Miller * src/sudo_edit.c: Need to be root when switching to a different user. [06d5f010b607] * src/sudo_edit.c: Use O_SEARCH on systems without O_PATH if present. It can be used for a similar purpose. [3f559a389bf9] * config.h.in, configure, configure.ac, src/sudo_edit.c: Use faccessat(2) for directory writability instead of doing the checks manually where possible. This also allows us to remove the #ifdef __linux__ bits since we no longer use fstat(2) on Linux with an O_PATH fd. [fe50d0c1f1b9] 2016-01-16 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add "I/O LOG FILES" section to the manual and move many of the details from the log_input and log_output descriptions to it. [a604903f5ae3] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use "Nm sudoers" when talking about the plugin and "Em sudoers" when talking about the sudoers file. [727a68b02de7] 2016-01-13 Todd C. Miller * lib/zlib/zlib.exp: Remove gzopen_w which is only defined on Windows. [a73236903e7b] * config.h.in, configure, configure.ac, include/sudo_compat.h: Work around the buggy pread(2) on 32-bit HP-UX 11.00 by using pread64() on that platform. [31c4be934115] 2016-01-12 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/testsudoers.c: Add support for matching the entire netgroup tuple (user, host, domain). [9f694ba7c86d] * plugins/sudoers/ldap.c: Use asprintf() to generate the netgroup filter instead of using lots of concatenation. [f8290c040aea] * lib/util/util.exp.in: Add missing sudo_debug_exit_ssize_t_v1 symbol. [9407fb25dfa4] 2016-01-11 Todd C. Miller * plugins/sudoers/match.c: Silence warning in digest_matches() on systems with no fexecve(2). [0cd3cc8fa195] * plugins/sudoers/sssd.c: Fix free() of invalid pointer introduced in the commit that stripped whitespace between a '!' and the name in a sudoOption. [4d2c1761c752] * plugins/sudoers/ldap.c: Fix free() of invalid pointer introduced in the commit that stripped whitespace between a '!' and the name in a sudoOption. [14391603a9e5] * src/sudo_edit.c: Add missing dfd argument to the version of sudo_edit_openat_nofollow() for systems without O_NOFOLLOW. [574e4a840879] * plugins/sudoers/ldap.c: In sudo_netgroup_lookup() only build up the search filter once instead of once per netgroup_base. [a03440237078] * plugins/sudoers/ldap.c: It is safe to pass ldap_msgfree() a NULL pointer. [abc2eaddbf83] * plugins/sudoers/ldap.c: On overflow, warn before freeing anything. [2e3bcfa4a8f9] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Use user_runhost and user_srunhost instead of user_host and user_shost. Fixes "sudo -l -h other_host" for LDAP and sssd. [e1abfdc82242] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Update description of sudoedit_checkdir. Reported by Sander Bos. [ee44e7255096] * src/sudo_edit.c: No need to check whether the fd we opened is really a directory in sudo_edit_open_nonwritable() since if not, the openat() will fail with ENOTDIR anyway. [b41c5b289f35] 2016-01-10 Todd C. Miller * doc/CONTRIBUTORS, doc/UPGRADE, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_compat.h, src/sudo_edit.c: Rewritten sudoedit_checkdir support that checks all the dirs in the path and refuses to follow symlinks in writable directories. This is a better fix for CVE-2015-5602. Adapted from a diff by Ben Hutchings. Bug #707 [c2e36a80a279] 2016-01-04 Todd C. Miller * MANIFEST, plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/ca.mo, po/ca.po, po/fi.mo, po/fi.po, po/hu.mo, po/hu.po, po/sr.mo, po/sr.po: sync with translationproject.org [94ffd6b18431] * configure, configure.ac, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_plugin.h, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec.c, src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Add support for using fexecve() if supported on commands that are checksummed. [397722cdd7ec] 2015-12-29 Todd C. Miller * src/sudo_edit.c: Call openat() with the basename not the full path. From Ben Hutchings. [33272418bb10] 2015-12-24 Todd C. Miller * plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c: Fix compilation with --disable-shared [84c084618676] 2015-12-20 Todd C. Miller * src/exec_common.c: Check for existing dso in LD_PRELOAD and only add it if it is not already present. [15042e8999f7] 2015-12-18 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Clarify when SIGINT and SIGQUIT are relayed by sudo to the command. [8efed5784393] * plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/load_plugins.c: Actually use the plugin_dir Path setting in sudo.conf. [bccc548127a2] * lib/util/sudo_conf.c: The Path setting for the plugin directory is "plugin_dir" not "plugin". [07c2677bbce5] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c, src/exec_common.c: Allow sudo.conf Path settings to disable path names (by setting the value of NULL). [81a44e011a40] 2015-12-16 Todd C. Miller * src/selinux.c, src/sudo.h: Change noexec flag in selinux_execve() from int to bool. [7cb872aac155] * src/exec_common.c, src/sudo_exec.h: Refactor code to set LD_PRELOAD (or the equivalent) in the environment into a preload_dso() function. Also avoid allocating a new copy of the environment array if the size of the array does not change. [72194b0b51f7] * configure, configure.ac: Add missing square brackets in configure option descriptions. [6e25685c6349] 2015-12-11 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the names of the I/O log files and mention buffering. Document that I/O logs are in gzip format by default. [474838e7b365] 2015-12-10 Todd C. Miller * plugins/sudoers/env.c: Add BASHOPTS to initial_badenv_table[]; from Stephane Chazelas [f206a9089a69] 2015-12-09 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: When parsing sudoOptions that include an operator (!, +, +=, -=) strip out any whitespace on either side of the operator. [62041b5888e5] 2015-12-08 Todd C. Miller * plugins/sudoers/sudoers2ldif: Strip whitespace around '!', '=', '+=' and '-=' in Defaults entries. [dcc9d15b0f3c] 2015-12-06 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the race condition between the digest check and command execution. [24a3d9215c64] 2015-12-02 Todd C. Miller * plugins/sudoers/ldap.c: When checking the query results, don't set user_matches in the netgroup pass unless sudo_ldap_check_non_unix_group() returns true. This was preventing the mail_no_user sudoOption from being effective. [31004144421b] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: In list mode, we always want to clear FLAG_NO_USER and FLAG_NO_HOST regardless of whether or not there was an actual match. Otherwise, warning mail may be sent which is not what we want in list mode. This is consistent with what the sudoers file backend does. [2809338a7b21] 2015-11-22 Todd C. Miller * plugins/sudoers/toke.h, plugins/sudoers/toke_util.c: Use size_t for length parameters in the fill functions used by the lexer. [0428c9067182] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Use yy_size_t for digest_len since newer flex uses yy_size_t for yyleng. Old flex uses int for yyleng so we need to use a cast to avoid a sign compare warning. [4a3dc6fb8f99] 2015-11-20 Todd C. Miller * Makefile.in, README, configure, configure.ac, plugins/sudoers/regress/sudoers/test1.in, sudo.pp: Use https in sudo.ws urls [04e5177022d3] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Use https in urls. [855b05943b2d] * configure, configure.ac: sudo 1.8.16 [b745f7031aeb] * plugins/sudoers/env.c: When preserving variables from the invoking user's environment, if there are duplicates only keep the first instance. [d4dfb05db5d7] 2015-11-01 Todd C. Miller * include/sudo_debug.h, lib/util/parseln.c, lib/util/sudo_debug.c, plugins/sudoers/timestamp.c: Add debug_return_ssize_t [d491ed281726] * plugins/sudoers/timestamp.c: Avoid compilation error on Solaris 10 with Stun Studio 12. Bug #727 [facd8ff1ee6c] 2015-10-31 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, po/da.mo, po/da.po: sync with translationproject.org [6711d740d3d0] * NEWS: Mention ssp configure fix. [92d64fd724cc] 2015-10-30 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: sync with translationproject.org [9c8eb0062d8c] * configure, configure.ac: Don't use CPPFLAGS for the -fstack-protector check. Otherwise on systems with _FORTIFY_SOURCE support we'll get an error due to the lack of optimization flags. Bug #725 [1a9f8571a82d] * configure, configure.ac: When checking for stack protector support we need to actually link the test program. [ab4f94aac7de] 2015-10-29 Todd C. Miller * configure, configure.ac: Preserve LDFLAGS when checking for stack protector as they may include rpath settings to allow the stack protector lib to be found. Avoid using existing CFLAGS since we don't want the compiler to optimize away the stack variable. [e6bc59225c06] * configure, configure.ac: Better configure test for -fstack-protector. Some gcc installations may be missing the ssp library even though the compiler supports it. [4ade5d1249f4] 2015-10-25 Todd C. Miller * src/sudo_edit.c: Set errno to EISDIR instead of ENOTDIR if directory is writable since ENOTDIR can be a legitimate errno. This avoids a bogus "directory is writable" error in that case. [97ee37d905ce] * mkpkg: Fix the check for whether to include 32-bit arch in Mac OS X packages. [a76654512f6b] 2015-10-24 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [58277a8f418b] * NEWS, src/sudo_edit.c: When creating a new file, sudoedit will now check that the file's parent directory exists before running the editor. [65bc45510fb2] * NEWS, doc/UPGRADE, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/match.c: Add always_query_group_plugin [7e9060d4c13a] 2015-10-23 Todd C. Miller * ABOUT-NLS, MANIFEST: Add ABOUT-NLS from GNU gettext. [971c168c065a] * NEWS, config.h.in, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers_version.h, src/sudo.c, src/sudo.h, src/sudo_edit.c: Add directory writability checks for sudoedit. [f5349d059a98] 2015-10-06 Todd C. Miller * NEWS: Latest. [9aae49302c60] * src/conversation.c: Ignore the SUDO_CONV_PROMPT_ECHO_OK flag when echo is enabled. This was preventing a match of SUDO_CONV_PROMPT_ECHO_ON which resulted in a masked password instead of an echoed one. [53f6a78d79e3] * plugins/sudoers/auth/bsdauth.c: Repair challenge/response prompting for BSD authentication which got broken while it was converted to use the conversation function. [2d0b0cec5e4f] * plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Use the auth_getpass (and the plugin conversation fuction) for Tru64 SIA. This prevents sudo from sleeping while holding the tty ticket lock. [9221eec812cf] * NEWS, doc/UPGRADE, plugins/sudoers/env.c: For env_reset, SHELL should be set based on the target user, not the invoking user unless preserved via env_keep. [b77adbc08c91] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po: sync with translationproject.org [adb927ad5e86] 2015-10-05 Todd C. Miller * NEWS: Hungarian and Slovak translations [d3b6acece125] * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/hu.mo, plugins/sudoers/po/hu.po, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sk.po, po/sk.mo, po/sk.po: Add new Slovak and Hungarian translations from translationproject.org [132ec9b7a927] 2015-10-02 Todd C. Miller * src/sudo_edit.c: Remove S_ISREG check from sudo_edit_open(), it is already done in the caller. [9fff8c0bb1f7] * src/sudo_edit.c: Open sudoedit files with O_NONBLOCK and fail if they are not regular files. [56b01164869c] * plugins/sudoers/logging.c, plugins/sudoers/visudo.c, src/tgetpass.c: It is possible for WIFSTOPPED to be true even if waitpid() is not given WUNTRACED if the child is ptraced. Don't exit the waitpid() loop if WIFSTOPPED is true, just in case. [a2cab04a03da] 2015-09-30 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/de.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/it.mo, plugins/sudoers/po/ja.mo, plugins/sudoers/po/nb.mo, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/vi.mo, plugins/sudoers/po/zh_CN.mo, po/cs.mo, po/de.mo, po/fi.mo, po/fr.mo, po/gl.mo, po/it.mo, po/ja.mo, po/nb.mo, po/pl.mo, po/pt_BR.mo, po/uk.mo, po/vi.mo, po/zh_CN.mo: rebuild .mo files [676362ed6061] * plugins/sudoers/po/pt_BR.po, po/pt_BR.po: sync with translationproject.org [be932694e600] 2015-09-28 Todd C. Miller * config.h.in, configure, configure.ac, src/sudo_noexec.c: There's no point in trying to interpose protected versions of the exec family of functions. Many modern C libraries use hidden symbols for the functions and syscalls defined in libc such that they cannot be overridden inside libc itself. We have to just wrap all the exec variants plus system and popen. [30aa4bd6c15b] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: List all the functions wrapped by sudo_noexec.so. [57a9db56f4e0] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: The section is now called "EXEC and NOEXEC" and it is above, not below. [9b0a2537f65d] * src/sudo_noexec.c: Also wrap popen(3). [a826cd7787e9] * src/sudo_noexec.c: Also interpose system(3). On glibc systems you cannot interpose the syscalls used internally by libc. [58a5c06b5257] * src/conversation.c: Set active debug instance to sudo_debug_instance() during the conversation function. [22fb750d92a9] 2015-09-27 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: LOGNAME and USERNAME are set the same way as USER [54f170cf2536] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Document behavior when the command dies from a signal in EXIT STATUS. [3c93d682e5e6] 2015-09-26 Todd C. Miller * NEWS: Bug #722 [5cca49bb0e02] * src/sudo.c: When the command sudo is running is killed by a signal, sudo will now send itself the same signal with the default signal handler instead of exiting. The bash shell appears to ignore some signals, e.g. SIGINT, unless the command is killed by that signal. This makes the behavior of commands run under sudo the same as without sudo when bash is the shell. Bug #722 [153f016db8f1] 2015-09-25 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Adjust set_logname description to new behavior when any of LOGNAME, USER or USERNAME are preserved. [89009c2dcf38] * NEWS, plugins/sudoers/env.c: If some, but not all, of the LOGNAME, USER or USERNAME environment variables have been preserved from the invoking user's environment, sudo will now use the preserved value to set the remaining variables instead of using the runas user. This ensures that if, for example, only LOGNAME is present in the env_keep list, that sudo will not set USER and USERNAME to the runas user. [54a60fe72b9a] 2015-09-24 Todd C. Miller * plugins/sudoers/auth/pam.c: Fix passing of the callback pointer to the conversation function. This was preventing the on_suspend and on_resume functions from being called on PAM systems. [611246ded4ff] * include/sudo_plugin.h: Explicitly mark large hex constants unsigned. [5b67b0090814] * plugins/sudoers/timestamp.c: Cast sizeof(entry) to off_t before making it a negative offset for lseek(). Fixes "sudo -k" on Solaris and probably others. [ed5d312f6baa] 2015-09-21 Todd C. Miller * doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add explicit mention of sudo's netgroup semantics since they differ from most other netgroup consumers. [0e9030f8cf56] * plugins/sudoers/po/fi.po, po/fi.po: sync with translationproject.org [f9236f25a616] * plugins/sudoers/check.c: Fix potential double free of the cookie when sudo is suspended at the password prompt. [cbecb3136155] 2015-09-16 Todd C. Miller * plugins/sudoers/po/cs.po, plugins/sudoers/po/zh_CN.po, po/cs.po, po/zh_CN.po: sync with translationproject.org [21138f16a3a6] 2015-09-15 Todd C. Miller * plugins/sudoers/po/de.po, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.po, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.po, po/de.po, po/fr.po, po/gl.po, po/it.po, po/ja.po, po/nb.po, po/pl.po, po/uk.po, po/vi.po: sync with translationproject.org [2d9f3e4c3ccf] * NEWS: Bug #719 [cfa393164a0f] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: SIGHUP is now relayed to the command. Bug #719 [8db7c492c52a] * src/exec.c: When a terminal device is closed, SIGHUP is sent to the controlling process associated with that terminal. It is not sent to the entire process group so sudo needs to relay SIGHUP to the command when it is not being run in a new pty. Bug #719 [b408a792f31a] * NEWS: Mention visudo bug in 1.8.14 [0fec829807fd] * plugins/sudoers/visudo.c: We reserved two slots at the end of the editor argv for the line number and the file name. However, resolve_editor() adds "--" before the file names so the +line_number is interpreted as a file name, not a line number so we need to overwrite the "--" as well. [ff107430ee4b] 2015-09-10 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/sig2str.c, lib/util/strsignal.c: Remove checks for __sys_siglist and __sys_signame. They are internal to libc and there are no known systems that export those symbols that do not already export the single underbar or no- underbar versions. [2b3efe0a91f2] * plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po, po/es.mo, po/es.po: Sync with translationproject.org [feb5eb934a9e] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [947e8320c557] 2015-09-09 Todd C. Miller * src/tgetpass.c: Restore old signal handlers before tty settings. That way SIGTTOU is at its original value if sudo_term_restore() should fail. [69d2cc6c0702] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document what happens when the on_suspend/on_resume callbacks return an error. [d8c9dcf7a926] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/system_group/system_group.c, src/hooks.c: No need to have version macros for hooks, callbacks and the sudoers group plugin. We can just use the main sudo API macros. The sudoers group plugin macros are preserved for source compatibility but are not documented. [8c52bb83f991] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Properly escape the backslash before a comma in an example so the example rule is parsable by visudo. [6745d38e9876] * src/tgetpass.c: Ignore callbacks if major version doesn't match. [f852e6ebff01] * MANIFEST, config.h.in, configure, configure.ac, include/compat/timespec.h, lib/util/Makefile.in, lib/util/gettime.c, lib/util/utimens.c, plugins/sudoers/Makefile.in, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/Makefile.in, src/sudo_edit.c: Remove include/compat/timespec.h. Systems old enough to lack struct timespec are too old to build a modern sudo. [37812e10a449] * NEWS: Bug #713 [8a7245d76799] * src/exec.c: Fill in cstat if exec_setup() fails. Previously it was only filled in for an execve() failure. Fixes an unkillable sudo process when exec_setup() fails and I/O logging is enabled. [ff1d39d9e505] * src/sudo.c: Fix running commands as non-root when neither setresuid() not setreuid() are available. At this point we are already root so setuid() must succeed. Bug #713 [34754ad586c7] * src/sudo.c: Cast uid_t to unsigned int when printing as %u [669e2d5244a6] * doc/UPGRADE: Mention time stamp file locking changes, fix some spelling. [c4563ea85e3a] * NEWS: Update with latest changes. [2cbd50e7c158] 2015-09-07 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_fatal.h, include/sudo_plugin.h, lib/util/fatal.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.h, src/conversation.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h, src/tgetpass.c: Add a struct sudo_conv_callback that contains on_suspend and on_resume function pointer args plus a closure pointer and at it to the conversation function. [5608cb4c18f2] * config.h.in, configure, configure.ac, include/sudo_util.h, lib/util/locking.c, lib/util/util.exp.in, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Lock individual records in the timestamp file instead of the entire file. This will make it possible for multiple sudo processes using the same tty to serialize their timestamp lookups. [f4ad82e36d90] * lib/util/term.c, plugins/sudoers/check.c, plugins/sudoers/sudoreplay.c, src/tgetpass.c: Implement suspend/resume callbacks for the conversation function. If suspended, close the timestamp file (dropping all locks). On resume, lock the record before reading the password. For this to work properly we need to be able to run th callback when tsetattr() suspends us, not just when the user does. To accomplish this the term_* functions now return EINTR if SIGTTOU would be generated. The caller now has to restart the term_* function (and send itself SIGTTOU) instead of it being done automatically. [572374035897] * plugins/sudoers/timestamp.c: Allow the time stamp lock to be interrupted by signals. [aa5017f86210] * plugins/sudoers/timestamp.c: Adjust new locking to work when tty_tickets is disabled. We need to use per-tty/ppid locking to gain exclusive access to the tty for the password prompt but use a separate (short term) lock that is shared among all sudo processes for the user. [d6d7a0bb6bd0] * lib/util/locking.c: Set errno to EINVAL if sudo_lock_* is called with a bad type. [cfba014f1c1a] * src/exec_pty.c: sudo_term_* already restart themselve for all but SIGTTOU so we don't need to use our own restart loops. [113924cd05c0] * config.h.in, configure, configure.ac, plugins/sudoers/iolog.c, plugins/sudoers/timestamp.c: Use pread(2) and pwrite(2) where possible. [86cd3f6bab9e] * plugins/sudoers/timestamp.c: Bring back the check for time stamp files that predate the boot time. Instead of truncating we now unlink the file since another process may be sleeping on the lock. [9cdf7468d0f2] * plugins/sudoers/check.c: Avoid touching the time stamp directory for "sudo -k command" [391d20c17775] 2015-09-02 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h: Make hook_version and hook_type unsigned. [77cb84793f07] 2015-09-01 Todd C. Miller * plugins/sudoers/base64.c, plugins/sudoers/match.c, plugins/sudoers/regress/parser/check_base64.c: When decoding base64, avoid using '=' in the decoded temporary array as a sentinel as it can legitimately be present. Instead, just use the count of bytes stored in the temp array to determine which bytes to fold into the destination. [6abef15d3954] 2015-08-21 Todd C. Miller * NEWS, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: When parsing def_editor, break out of the loop when we find the first valid editor. Bug #714 [c7508ed075c2] 2015-08-18 Todd C. Miller * plugins/sudoers/visudo.c: The condition for adding a missing newline at the end of sudoers was never reached. Keep track of the last character and write a newline character if when copying to the temp file. Found by Radovan Sroka. [86c20e7fc6bd] * plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c: Remove extraneous while() from botched do {} while() loop conversion to use sudo_strsplit. Noticed by Radovan Sroka. [cd2d25510129] 2015-08-10 Todd C. Miller * plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c: In sudo_pam_begin_session() and sudo_pam_end_session() return AUTH_FATAL on error, not AUTH_FAILURE. In sudo_auth_begin_session() treat anything other than AUTH_SUCCESS as a fatal error. [3ad7296390f2] * doc/CONTRIBUTORS, src/exec.c, src/exec_pty.c: Linux sets si_pid in struct siginfo to 0 when the process that sent the signal is in a different container since the PID namespaces in different conatiners are separate. Avoid looking up the process group by id when si_pid is 0 since getpgid(0) returns the process group of the current process. Since sudo ignores signals sent by processes in its own process group, this had the effect of ignoring signals sent from other containers. From Maarten de Vries [6d3f43b95a1f] * plugins/sudoers/auth/pam.c: Sprinkle some debugging. [f5a94a3a1192] 2015-08-09 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.man.in, doc/sudo.mdoc.in: Document that sudo uses the real uid to map from uid to passwd file user name. [04f6709675cc] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in: disable_coredump can be set to no on modern OSes without security consequences. [ebe6d5bb2274] 2015-08-07 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Emphasis on the never. [39ca000281c7] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Explicitly tell people not to grant sudoedit to directories the user can write to. While sudoedit will no longer open symbolic links, hard links are still an issue. [26e0afae9bae] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Add warning about writable directories and sudo/sudoedit. [701ff725af42] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Emphasize that wildcards are not regexps. Bug #692 [1e071810c4cb] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Emphasize that wildcards in command line arguments are dangerous. Document the failings of the passwd example on GNU systems. Bug #691 [54d793aea6b2] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Escape the colons in [[:alpha:]] as required by sudoers. [ad875dd5ca64] * po/sudo.pot, src/sudo_edit.c: Change warning when user tries to sudoedit a symbolic link. [b8f44e834c2f] 2015-08-06 Todd C. Miller * MANIFEST: add .json regress files to MANIFEST [03ddb3a9671b] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [5abaa0eeab86] * doc/sudo.conf.cat, doc/sudoers.ldap.cat, doc/sudoreplay.cat, doc/visudo.cat: regen [43e6b445734c] * doc/UPGRADE, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_compat.h, include/sudo_plugin.h, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/sudoers/test1.in, plugins/sudoers/regress/sudoers/test1.json.ok, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test1.toke.ok, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo_json.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: Do not follow symbolic links in sudoedit by default. This behavior can be controlled by the sudoedit_follow Defaults flag as well as the FOLLOW/NOFOLLOW tags. [9636fd256325] * NEWS, aclocal.m4, configure, configure.ac: Sudo 1.8.15 [bf18da363b06] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/sudoers/test1.json.ok, plugins/sudoers/regress/sudoers/test10.json.ok, plugins/sudoers/regress/sudoers/test11.json.ok, plugins/sudoers/regress/sudoers/test12.json.ok, plugins/sudoers/regress/sudoers/test13.json.ok, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test15.json.ok, plugins/sudoers/regress/sudoers/test16.json.ok, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test3.json.ok, plugins/sudoers/regress/sudoers/test4.json.ok, plugins/sudoers/regress/sudoers/test5.json.ok, plugins/sudoers/regress/sudoers/test6.json.ok, plugins/sudoers/regress/sudoers/test7.json.ok, plugins/sudoers/regress/sudoers/test8.json.ok, plugins/sudoers/regress/sudoers/test9.json.ok: Check JSON output of sudoers test files too. [3d8517812b80] 2015-08-04 Todd C. Miller * plugins/sudoers/sudoers.c: Move comment to match moved code. [7a30f06462a8] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: maxseq is an int not a string [bffd97d22064] 2015-08-02 Todd C. Miller * src/preserve_fds.c: Include sys/types.h for id_t. Bug #711 [fda95d9ca1e9] 2015-07-31 Todd C. Miller * lib/util/fnmatch.c: Avoid a potential out of bounds read found by enh while fuzzing with address sanitizer enabled. [52d6b9916593] 2015-07-27 Todd C. Miller * mkpkg: Set sssd lib location to /usr/lib64 on 64-bit RHEL/Centos. Bug #710 [428421925a20] 2015-07-24 Todd C. Miller * doc/CONTRIBUTORS, src/Makefile.in: The init.d files are generated from a .in file so we need to install from top_builddir not top_srcdir. From Ross Burton. Bug #708 [df1e7a0d3182] 2015-07-22 Todd C. Miller * lib/util/term.c: Replace two "return 0" with debug_return_bool(false). [49f8fb3dcd36] * src/ttyname.c: fix typo in previous commit [094488696f2c] * NEWS, configure, configure.ac: Sudo 1.8.14p3 [0079c43d8247] 2015-07-21 Todd C. Miller * src/ttyname.c: Fix errno value from get_process_ttyname() when no tty is present. [ff7b12bb0638] * src/ttyname.c: On AIX, only convert the tty device number from dev64_t to dev32_t if dev_t is 32-bits. [0e728a1eb07a] 2015-07-20 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.8.14p2 [55fe56b28c7b] * plugins/sudoers/timestamp.c: Fix creation of the timestamp file; bug #704 [1ff77fd5cc8f] 2015-07-19 Todd C. Miller * src/regress/ttyname/check_ttyname.c, src/sudo.c, src/sudo.h, src/ttyname.c: Avoid needless memory allocation when resolving the tty name. [c58cce92d5e0] 2015-07-17 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.8.14p1 [973705806759] * plugins/sudoers/sssd.c: Fix typo in sudo_sss_attrcpy() that caused a memory allocation error. [0fa324a7bb56] 2015-07-15 Todd C. Miller * plugins/sudoers/po/ja.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/vi.mo, plugins/sudoers/po/zh_CN.mo: rebuild [e4c7cda46475] 2015-07-14 Todd C. Miller * lib/util/lbuf.c, plugins/sudoers/env.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/match.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, src/hooks.c, src/net_ifs.c, src/sudo.c: Add some debugging printfs when malloc fails and we don't have an explicit call to sudo_warnx(). [07aebb5839c3] * plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Add missing warnings for memory allocation failure. Add function name to memory allocation warnings. [4f6027786a28] * lib/util/parseln.c: Return -1 if realloc() fails. [707632291eac] * lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c: Add line number to debug log for memory allocation errors. [f4f3debdfcc5] * plugins/sudoers/auth/pam.c: Add warning if calloc() fails. Add debugging for other unexpected errors. [a1e0945237d8] * plugins/sudoers/ldap.c: Add missing check for calloc(3) return value. [37fe3ca78e8e] 2015-07-13 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that the values printed by "sudo -V" are affected by Defaults settings in sudoers. [80ec2572861b] 2015-07-10 Todd C. Miller * plugins/sudoers/group_plugin.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/sssd.c, src/load_plugins.c: Avoid calling dlerror() multiple times since it clear the error status after printing the error. Problem caused by sudo_warn/sudo_fatal being macros... [c0fd3b0fb9c3] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Attempt to clarify the conditions under which MAIL and HOME are set to the target user. [ebd269bebe64] 2015-07-09 Todd C. Miller * mkpkg: Better checks for the libaudit package for Debian and error out if we can't figure it out. [225c1bfcb629] * mkpkg: Fix linux_audit setting on non-multiarch Debian. [0a38e9d158f4] * sudo.pp: Fix typo that broke the linux_audit dependency on Debian. [0917bd45acf1] * NEWS: Mention /proc/stat btime fix. [754050a340e2] * config.h.in, configure, configure.ac, lib/util/getaddrinfo.c, plugins/sudoers/interfaces.c, plugins/sudoers/match_addr.c, src/net_ifs.c: Solaris 2.6 has the prototypes for inet_pton() and inet_ntop() in resolv.h. [dc0f62743845] * plugins/sudoers/boottime.c: Sprinkle debugging for boottime. [dfb45c763179] * mkpkg: The old Solaris /bin/sh doesn't support POSIX $( .. ) syntax, use backquotes instead. [c9e33ffef2b1] 2015-07-08 Todd C. Miller * mkpkg, sudo.pp: Only use --with-sssd-lib on Debian/Ubuntu w/ multipackage. Use dpkg- query to determine the name of the audit package for proper dependencies. [e9669389aa2f] * mkpkg, plugins/sudoers/sudoers.in, sudo.pp: Update Debian/Ubuntu packages to be more like the vendor ones. One notable exception is that sudo.ws packages use /var/run, not /var/lib for timestamp files. [0f4c49a3768e] * doc/CONTRIBUTORS: Add Jakub Wilk [78bfdf2e441b] * plugins/sudoers/boottime.c: Strip newline from /proc/stat btime line to avoid a strtonum() failure. From Jakub Wilk. [8a04f85a070f] * src/exec_pty.c: In io_callback() service writes before reads. That way, if both SUDO_EV_READ and SUDO_EV_WRITE are set and read() returns 0 (EOF) we don't close the fd before the write() is performed. If the write() returns EPIPE, ENXIO, EIO or EBADF, clear SUDO_EV_READ before we close the fd to avoid calling read() on a closed fd. [167548fd8af2] 2015-07-07 Todd C. Miller * lib/util/regress/sudo_conf/conf_test.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sesh.c, src/sudo.c: Check sudo_conf_read() return value and exit on fatal error (a warning was already printed by sudo_conf_read()). [d05797f4f197] * NEWS: Mention double-quoted sudoOption value support. [55684a73f097] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Add support for parsing quoted strings in a sudoOption just like sudoers Defaults settings. [fe8291414179] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, po/da.mo, po/da.po: Sync with translationproject.org [1c15d1a3dbdd] 2015-07-06 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update year. [6ca660e4a957] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, po/de.mo, po/de.po, po/nb.mo, po/nb.po: Sync with translationproject.org [d7ede74dcb19] * src/sudo.c: Fix utmp setup broken by commit be0ca60facf8 [cd8a06f57f2b] 2015-07-03 Todd C. Miller * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/fr.mo, po/fr.po, po/it.mo, po/it.po, po/pl.mo, po/pl.po: Sync with translationproject.org [aa473519e66d] * plugins/sudoers/po/sudoers.pot: regen [8f8aa321f043] * plugins/sudoers/logging.c: Fix typo in error message. [220832711826] 2015-07-02 Todd C. Miller * NEWS: Bug #702 is the AIX timespec issue. [c597a312e816] * config.h.in, configure, configure.ac, lib/util/closefrom.c, lib/util/getcwd.c, lib/util/glob.c, plugins/sudoers/match.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, src/ttyname.c: We require POSIX so no need to conditionally include dirent.h. Add a check for d_namlen and use the result in the NAMLEN macro. [2728194cb6cf] * lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/getcwd.c, lib/util/gettime.c, lib/util/glob.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/mktemp.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/ttysize.c, plugins/group_file/group_file.c, plugins/sample/sample_plugin.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, plugins/system_group/system_group.c, src/conversation.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preserve_fds.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/sudo_noexec.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: There's no need to conditionalize the #include , we require a POSIX system. [79389c527c08] * include/sudo_compat.h: Remove some compatibilty defines that should no longer be needed. [e9136646d1c6] 2015-06-30 Todd C. Miller * NEWS: Final changes in 1.8.14 [3a5cd4f2875a] * include/sudo_compat.h: Need to include stddef.h to get rsize_t on Mac OS X for sudo_memset_s() prototype. [9615efed4a9a] * lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/strsplit/strsplit_test.c: Add missing exit value. [484202b53893] * lib/util/regress/mktemp/mktemp_test.c: Add missing fcntl.h include. [020fe6252d96] * configure, configure.ac: Do check for inet_pton before inet_ntop since we may need to record dependent libraries for inet_pton when linking our getaddrinfo replacement. [fde03eefd88d] * include/sudo_debug.h, lib/util/sudo_debug.c: Fix build on compilers w/o __func__ or __FUNCTION__ [196d75416cd5] * lib/util/util.exp.in: Remove sudo_evasprintf_v1, missed during alloc.c removal. [7d0ac7e5909d] * lib/util/snprintf.c: Add missing fcntl.h include. [23b886deb879] * config.h.in, configure, configure.ac: Add check for inline support. [061dab0e411c] 2015-06-29 Todd C. Miller * doc/LICENSE: Add reallocarray.c license. [b4b4d46309f3] 2015-06-27 Todd C. Miller * doc/CONTRIBUTORS: Fix entry for Joel Pelaez Jorge. [386434049903] 2015-06-26 Todd C. Miller * include/sudo_lbuf.h, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c: Add an error flag to the lbuf struct to simplify error checking. Callers of the lbuf functions now check the error flag to tell if a memory allocation error ocurred. [bc44b0fbc03b] * plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.h: display_privs() and display_cmnd() may need to return -1 on error. [b6d8826900bb] 2015-06-25 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Check restore_perms() return value in all cases, pushing the return value back up the call stack. [c9beeed2b614] * plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Return -1, not 0 from sudoers when there is an error (as opposed to a policy denial). [5d197fe29e0e] * doc/CONTRIBUTORS: Add Joel Pelaez Jorge [55387b44d6e9] * plugins/sudoers/auth/pam.c: When checking whether the PAM prompt matches "Password:", also check for the untranslated version. The PAM module might not be using the localized string even though it exists. From Joel Pelaez Jorge. Fixes Bug #701 [d87f6f2ccb42] 2015-06-24 Todd C. Miller * plugins/sudoers/ldap.c: Silence clang analyzer warning on glibc systems where the first argument to qsort() is marked as non-NULL. Also change some counters from into to unsigned int and two flags from int to bool. [09e400445ca2] 2015-06-23 Todd C. Miller * plugins/sudoers/sudoreplay.c: Silence clang analyzer warning on glibc systems where the first argument to qsort() is marked as non-NULL. [34fa7256f1e2] * include/sudo_compat.h, include/sudo_debug.h, include/sudo_util.h, src/preserve_fds.c: Use our own bitmap macros instead of borrowing the ones from select. [51ef403511d9] * lib/util/sudo_debug.c: Must call round_nfds() with fd+1 since it takes a count not the fd number. In other words, the lowest value is 1, not 0. [cc175cba5371] * src/ttyname.c: Quiet clang analyzer false positive. [9ebecd6b6b29] * src/sesh.c: Fix uninitialized variables warnings in error case when src file cannot be opened. At least one of these is a false positive. [98b417c1307a] 2015-06-20 Todd C. Miller * lib/util/getline.c, plugins/sudoers/toke_util.c: It's safe to rely on C89 semantics for realloc(NULL, size). [b633582413ac] * plugins/sudoers/env.c: malloc() sets errno to ENOMEM on failure so we don't need to set it explicitly. [09cb5ceaaec3] * include/sudo_compat.h: No longer need __malloc_like [a41b69f256f6] * lib/util/util.exp.in: Remove symbols from the now-removed alloc.c. [da0753d85d20] * include/sudo_compat.h, lib/util/aix.c, lib/util/closefrom.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/parseln.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strndup.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/sample/sample_plugin.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Only include stddef.h where it is needed. [ce597fb7ffb9] 2015-06-19 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [cad83b927f4e] * lib/util/sudo_conf.c, plugins/sudoers/locale.c: Better handling of setlocale() returning NULL. [7cd4fcdb528c] * lib/util/aix.c, lib/util/gidlist.c, lib/util/sudo_conf.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/load_plugins.c, src/parse_args.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo_edit.c: Add function name to "unable to allocate memory" warnings. [98c07e26a13e] * configure, configure.ac, include/sudo_compat.h, lib/util/aix.c, lib/util/closefrom.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/parseln.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strndup.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/sample/sample_plugin.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/openbsd.c, src/parse_args.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: We require ANSI C so stop using the obsolete STDC_HEADERS. [35a5a680e5fe] * lib/util/getgrouplist.c, lib/util/regress/glob/globtest.c, lib/util/sudo_debug.c, plugins/group_file/getgrent.c, plugins/group_file/plugin_test.c, plugins/sample/sample_plugin.c, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/tsgetgrpw.c: Use strtok_r() instead of strtok() [6b8e3c253dcf] * config.h.in, configure, configure.ac: Add back _REENTRANT define on HP-UX to expose strtok_r on some versions. We may need to define it on other systems too. [12c36f12eed2] * configure, configure.ac: Fix check for strnlen() when cross-compiling. [e501c508891a] * plugins/sudoers/interfaces.c: Use sudo_strsplit() in dump_interfaces. [b76ee2f47f37] 2015-06-18 Todd C. Miller * lib/util/inet_pton.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/parseln.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/sha2.c, lib/util/snprintf.c, lib/util/strtobool.c, lib/util/term.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/sample/sample_plugin.c, plugins/sudoers/boottime.c, plugins/sudoers/editor.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/interfaces.c, plugins/sudoers/iolog_path.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/tsgetgrpw.c, plugins/system_group/system_group.c, src/conversation.c, src/exec_pty.c, src/net_ifs.c, src/openbsd.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/solaris.c, src/sudo.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Remove obsolete memory.h include. [0c1351d614a9] * config.h.in, configure, configure.ac, lib/util/getcwd.c, lib/util/gethostname.c, lib/util/glob.c, lib/util/locking.c, lib/util/parseln.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/snprintf.c, lib/util/strndup.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, src/env_hooks.c: Remove support for the obsolete malloc.h header. [2a118de27d4e] * config.h.in, configure, configure.ac, plugins/sudoers/defaults.c, plugins/sudoers/logging.c: Remove BROKEN_SYSLOG define which was for obsolete versions of HP- UX. Remove last remnants of 4.2BSD syslog support. [e234515f515d] * lib/util/sudo_conf.c: Use sudo_strsplit() instead of doing the equivalent manually. [220f2e4a0e68] * lib/util/regress/strsplit/strsplit_test.c: Test strsplit behavior with an empty string. [62ae80dcee4a] * lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Allow "make LIBTOOL=/path/to/libtool" to work properly. [f9e5f7109107] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Use a common function for resolviong the user's editor in sudoedit and visudo. The find_path() function now returns a dynamically allocated path instead of using a static string. [97fe58966144] * config.h.in, configure, configure.ac, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Replace use of OSDEFS with config.h defines. Rename DEFS in Makefile.in to CPPDEFS and include in CPPFLAGS. Bring back _BSD_SOURCE as a config.h define. Remove obsolescent _REENTRANT define. [0d76a12adca8] 2015-06-17 Todd C. Miller * MANIFEST, include/sudo_alloc.h, lib/util/Makefile.in, lib/util/alloc.c: Remove now-unused sudo_alloc.h and alloc.c [0fe70085c75c] * plugins/sudoers/Makefile.in, src/Makefile.in, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/ttyname.c: Avoid using exiting allocators in the front end. [be0ca60facf8] * include/sudo_conf.h, include/sudo_lbuf.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/gidlist.c, lib/util/lbuf.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c: Use non-exiting allocators in libsudo_util. [d9b7cf17b9b4] * plugins/sudoers/ldap.c, plugins/sudoers/logging.c: Remove asprintf() return value warnings. [fe25ce11f96a] * config.h.in, configure, configure.ac: Use AC_FUNC_STRNLEN to check for broken strnlen() on AIX. This requires that we use AC_USE_SYSTEM_EXTENSIONS so remove things from OSDEFS that are enabled by AC_USE_SYSTEM_EXTENSIONS. [1f64269cab6e] * plugins/sudoers/ldap.c: Remove extraneous semicolons in CHECK_* macros. [ef99aa3c9d70] * plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Remove remaining SUDO_MAIN remnants. [1c077699f444] * plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sia.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Use non-exiting allocatings in the sudoers plugin. [a5668cb9c516] 2015-06-16 Todd C. Miller * plugins/sudoers/sssd.c: Use non-exiting allocators in the sudoers SSSD backend. [dba29b55ac0b] * plugins/sudoers/ldap.c: Use non-exiting allocators in the sudoers LDAP backend. [37bfa441345a] * lib/util/Makefile.in: regen dependencies [5be6eb005946] 2015-06-15 Todd C. Miller * configure, lib/util/Makefile.in, mkdep.pl: Add missing dependency info for reallocarray.lo in lib/util/Makefile.in and regen configure to match last configure.ac change. [da1fc49b53dc] * plugins/sudoers/ldap.c: Use \28 and \29 instead of \( and \) in the ldap query as per RFC 2254. Fixes netgroup queries on AIX. From Steven Soulen. [33267d6243aa] 2015-06-13 Todd C. Miller * lib/util/glob.c: Move pattern length check until after we have initialized the glob_t so we can call globfree() even on error. From Frank Denis. [a246f9054395] 2015-06-12 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: We need to unlimit RLIMIT_NPROC in sudoers as well as the sudo front end since set_perms() and restore_perms change the read uid and may fail with EAGAIN on Linux kernels prior to 3.1. [e6a03c31f4e5] 2015-06-08 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Fix underlining of "root" in -u option descriptions. Bug #699 [b3afe47d9798] * doc/UPGRADE, src/load_plugins.c: Remove support for converting plugin.so -> plugin.sl on HP-UX when plugin.so can not be found. This was a temporary hack for using an older (pre 1.8.7) sudoers plugin with a newer sudo front-end. [561e2ce444ed] 2015-06-05 Todd C. Miller * lib/util/event.c, lib/util/event_select.c: Add debugging output on memory alloc failure. Add missing checks in event_select.c for reallocarray() failure. [0853c7bcbeaa] * lib/util/event_poll.c: Use non-exiting allocators. [5ed0e276b551] 2015-06-04 Todd C. Miller * plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Bring back VALIDATE_ERROR which will be used in the case of memory allocation errors. [784c885db95c] 2015-06-03 Todd C. Miller * lib/util/snprintf.c: If asprintf() or vasprintf() fail, set the dest pointer to NULL like BSD and Solaris do. This appears to be the direction glibc is going as well. [92fb2283dc9a] 2015-05-28 Todd C. Miller * plugins/sudoers/env.c: Use a stack buffer for the validate_env_vars() error message. [69df3a0cbc2b] 2015-05-27 Todd C. Miller * lib/util/fatal.c: Fix typo/thinko in static buffer conversion; use vsnprintf() not snprintf() [9d42fb3a94f6] * plugins/sudoers/ldap.c: Fix old gcc2 variadic macro support. [fd951ed8865e] * plugins/sudoers/visudo.c: Restore old behavior where visudo prevents you from making the main sudoers file zero length. [b03ef908120f] * plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Non-exiting allocators for log functions. If log_allowed() fails the user may not run the command. We don't try to return early for log_failure(), log_auth_failure() or log_denial() as we would not run the command in that case. [40c3d0dd75bc] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Use non-exiting allocators in the parser (much of it already did). [f14222e5ad1b] * lib/util/aix.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c: Use non-existing allocators in the passwd/group cache functions. [86bbe840f348] * MANIFEST, configure.ac, lib/util/alloc.c, lib/util/reallocarray.c: Add standalone reallocarray.c from OpenBSD instead of rolling our own. [36ec5840729e] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Use non-exiting allocators in the redblack tree and fix the fallout. Also switch to non-exiting allocators in affected code blocks. [bca56cf769cb] * plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h: The error string returned by alias_add should be const. [b378188a0a8f] * plugins/sudoers/policy.c: Fix typo, efree vs. free. [9146ba7473ca] * plugins/sudoers/policy.c, src/exec_common.c, src/sudo.c: Add a few missing sudo_new_key_val() return value checks. Also use non-exiting allocators for consistency. [2ae76a679052] 2015-05-26 Todd C. Miller * MANIFEST, lib/util/Makefile.in, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/strsplit/strsplit_test.c: Add unit tests for strsplit and parse_gid_list. [e08c5ff7b5f0] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/strsplit.c, lib/util/util.exp.in, plugins/sudoers/sudoers.c: Add sudo_strsplit(), similar to strtok_r() but non-destructive and operates on non-C strings (requires a length parameter). [45fb50775249] * lib/util/fatal.c: Use a static buffer for sudo_warn/sudo_fatal messages where possible. [6e1d6ecc022d] * include/sudo_compat.h: Fix sudo_strnlen() prototype. [1367bd9227b3] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/strndup.c, mkdep.pl: Add strndup() for those without it. As strndup.c uses strnlen(), use our own if it is missing. [cf904a9c68f7] * lib/util/strnlen.c: Add missing sudo_ prefix and include sudo_compat.h. [d5e5dfc3fd20] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/strnlen.c: Add strnlen() replacement needed for glob.c. Only used if no glob() and no strnlen(). [bb6b7c4549b1] 2015-05-21 Todd C. Miller * plugins/sudoers/logging.h, plugins/sudoers/sudoers.h: Get rid of SUDO_MAIN. Modern compilers don't warn about mixing extern and auto declarations unless they conflict. [a273b73bca6d] * config.h.in, configure.ac, include/compat/endian.h, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/compat/nss_dbdefs.h, include/compat/sha2.h, include/compat/stdbool.h, include/compat/timespec.h, include/sudo_alloc.h, include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_gettext.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_queue.h, include/sudo_util.h, lib/util/fatal.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/check.h, plugins/sudoers/defaults.h, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/insults.h, plugins/sudoers/interfaces.h, plugins/sudoers/iolog.h, plugins/sudoers/linux_audit.h, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.h, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, src/net_ifs.c, src/sudo.h, src/sudo_exec.h, src/sudo_plugin_int.h, src/sudo_usage.h.in: Avoid using a leading underbar in defines as they are reserved in ISO C. [a442d88c6490] * Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/system_group/Makefile.in, src/Makefile.in, src/selinux.c: Add target for "make splint". A few files need extra guards to avoid errors on systems where they would not otherwise be compiled. No warnings from splint. [64fc04debc58] 2015-05-20 Todd C. Miller * plugins/sudoers/auth/sia.c: Use reallocarray() instead of sudo_emallocarray() and return an error on allocation failure. [fee12ac1e0c8] * plugins/sudoers/auth/kerb5.c: In our krb5_get_init_creds_opt_alloc() replacement use malloc() instead of sudo_emalloc() and return KRB5_CC_NOMEM on allocation failure. Only old versions of Kerberos V will need this. [95ac6c5b7b60] * lib/util/event.c, lib/util/event_select.c: Use non-exiting allocators. [91bbc657901d] 2015-05-18 Todd C. Miller * config.h.in, configure, configure.ac, src/sudo.c: There should be no need to check for tzset() as it is POSIX. [50825eb75c97] * configure, configure.ac: Add sudo_reallocarrary to util.exp.in if reallocarray is not found. [32588e00bb33] 2015-05-15 Todd C. Miller * NEWS: NLS now works on Mac OS X properly. [1485c9e51b04] * configure, configure.ac, src/Makefile.in: Force flat namespace on darwin to make the getenv() hooking work as it does on ELF. [0837cc3559ce] 2015-05-14 Todd C. Miller * lib/util/alloc.c, lib/util/snprintf.c, plugins/sample/sample_plugin.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/redblack.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke_util.c: No need to cast malloc() return value. [09c7236d3e1a] * lib/util/getcwd.c, lib/util/getline.c, lib/util/glob.c, plugins/sudoers/env.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Use reallocarray where possible. [2b5957a38baa] * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/alloc.c: Add reallocarray() for those without it. [3ac5a4abe077] 2015-05-13 Todd C. Miller * NEWS: The getenv() hook still doesn't work on Mac OS X. [d9297b9ff54c] 2015-05-12 Todd C. Miller * include/sudo_fatal.h, lib/util/fatal.c: In sudo_warn_gettext_v1() call dgettext() not gettext() to make sure the domain is set correctly. The sudoers plugin uses its own text domain. [f7ce0100ff5c] 2015-05-11 Todd C. Miller * doc/Makefile.in: man pages should explicitly depend on config.status since it is used to substitute in variables/settings. [bebe8e19d767] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.man.in, doc/sudoreplay.cat, doc/visudo.cat: regen [2e613d7bb477] * NEWS, configure, configure.ac: Sudo 1.8.14 [66e33bc0d18e] * INSTALL, MANIFEST, aclocal.m4, config.h.in, configure, configure.ac, include/sudo_fatal.h, lib/util/Makefile.in, lib/util/fatal.c, lib/util/locale_weak.c, lib/util/util.exp.in, m4/ax_sys_weak_alias.m4, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, src/Makefile.in, src/locale_stub.c: Instead of trying to make weak functions work on all platforms, just use a registration function for a plugin-specific setlocale function. The sudoers version just wraps sudoers_setlocale(). [0eef64f41cdf] * src/parse_args.c: Fix indentation of -a flag help line. [a2ed556b6454] * include/sudo_compat.h: Fix compilation when HAVE_DECL_SIG2STR_MAX is not defined. [31aa465affaa] * doc/Makefile.in: Add lint target to run "mandoc -Tlint" over the manuals. [63ed14d91adc] 2015-05-08 Todd C. Miller * include/sudo_compat.h: HAVE_DECL_SIG2STR_MAX is always defined so use a !HAVE_DECL_SIG2STR_MAX check instead of #ifndef. [65cc03302d39] 2015-05-07 Todd C. Miller * src/tgetpass.c: Sync tty_present() with sudoers version. [040c05e68627] * src/load_plugins.c: sudo_check_plugin() returns bool. [15b2851bfb90] * plugins/sudoers/match.c: In usergr_matches() matched should be bool but we have to take care to handle group_plugin_query() returning a value other than 0/1. [c120901f71c7] * plugins/sudoers/ldap.c: sudo_ldap_check_non_unix_group() returns bool, not int. [d12e9242454f] * plugins/sudoers/logging.c: Convert two debug_return_int to debug_return_bool. [594d0fc8efda] * include/sudo_debug.h, lib/util/sudo_debug.c, plugins/sudoers/auth/dce.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, src/sudo.c: Previously, debug_return_bool was the same as debug_return_int except that it logged true/false for 1/0. However, this appears to trigger a bug in some compilers. To avoid this, debug_return_bool now uses bool, not int. Callers that were passing it an int have been converted to use debug_return_int instead. [ca142b5a9433] * src/get_pty.c, src/sudo.h: get_pty() should return bool [2c72c8d3603b] * src/sudo.h, src/tgetpass.c: Make tty_present static to tgetpass.c [bb73a2cc8754] * config.h.in, configure, configure.ac, include/sudo_compat.h: Add configure check for SIG2STR_MAX, which may be missing on UnixWare. [e9dcac23c639] * m4/ax_sys_weak_alias.m4: Need to quote $GCC as it may include arguments. From Tim Rice. [9ed8a3be94bf] * MANIFEST: Add missing m4/ax_sys_weak_alias.m4 [269a8d5bfb49] 2015-04-28 Todd C. Miller * mkpkg: There's no point in building i386 binaries for Mac OS X 10.7 and higher. [e8876ea36d14] 2015-04-27 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, po/ja.mo, po/ja.po: Sync with translationproject.org [414c51286530] 2015-04-26 Todd C. Miller * plugins/sudoers/bsm_audit.c: Only fall back on AUE_DARWIN_sudo if au_preselect() fails. [aea2f3a60b46] 2015-04-25 Todd C. Miller * plugins/sudoers/bsm_audit.c: Work around a problem on Mac OS X 10.10 which defines AUE_sudo but where au_preselect() only accepts AUE_DARWIN_sudo (the old value). [b5d32d6453d1] 2015-04-22 Todd C. Miller * src/env_hooks.c: Don't use dlsym() to find the libc getenv() since this may allocate memory on some systems (glibc) which leads to a hang if malloc() calls getenv() (jemalloc). [441846664820] * include/sudo_debug.h, src/sudo.c: Split variable declaration out of debug_decl into debug_decl_vars() so we can use it in main() when we know sudo_debug_enter() cannot succeed. [6931948a57f8] * src/sudo.c: Defer conversation initialization until right before plugins are initialized. [83db53d4945c] 2015-04-16 Todd C. Miller * plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: When creating a passwd struct from a uid that is not in the passwd database, set pw_gid to the user's gid instead of whatever the user specified via the -g flag (or 0 if no -g). [4154970432df] 2015-04-14 Todd C. Miller * plugins/sudoers/ldap.c: Add some ldap_err2string() debugging when the LDAP search fails. Adapted from a diff from Steven Soulen. [e08d38481041] 2015-04-13 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/sr.mo, po/sr.po: Sync with translationproject.org [cbf24072ad07] 2015-04-10 Todd C. Miller * doc/CONTRIBUTORS: Add David Michael and Andrey Klyachkin. [e153a9b46e1f] * sudo.pp: Sync tmpfiles.d/sudo.conf with init.d/sudo.conf.in [9e3945c1fe6e] * include/sudo_util.h: Avoid struct assignment when stashing mtime since AIX at least uses a struct st_timespec that differs from struct timespec. From Andrey Klyachkin. [e267ea5b019e] 2015-04-09 Todd C. Miller * sudo.pp: Work around a bug in pp that caused a warning when exampledir is a subdir of docdir. [d81db98f215f] * plugins/sudoers/solaris_audit.c: Add sys/types.h [e0794f05e95c] * lib/util/getopt_long.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/glob/globtest.c, lib/util/sha2.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_hexchar.c: Include sys/types.h instead of unistd.h to get uid_t and gid_t. Add missing include of sys/types.h to a few places. [86eb67f3c41a] 2015-04-08 Todd C. Miller * mkpkg: Remove unintended commit [2eeeb74b9174] * init.d/sudo.conf.in: Add tmpfiles.d/sudo.conf template. [ead9bb7b5328] 2015-04-07 Todd C. Miller * .hgignore, INSTALL, MANIFEST, Makefile.in, configure, configure.ac, mkpkg, src/Makefile.in, sudo.pp: Create template tmpfiles.d/sudo.conf for installation instead of creating one via echo commands in the Makefile. Add --enable-tmpfiles.d configure option to enable/disable use of tmpfiles.d and override the default directory. Use --disable-tmpfiles.d in mkpkg so we no longer need to ignore tmpfiles.d/sudo.conf in sudo.pp. [930983f88927] * sudo.pp: Fix setting of pp_rpm_version when there is no patchlevel present. Also tighten up the regexp for pp_rpm_release. [d6a89aafd99d] 2015-04-06 Todd C. Miller * INSTALL, Makefile.in, configure, configure.ac, doc/sudoers.mdoc.in, examples/Makefile.in, mkpkg, sudo.pp: Make exampledir configurable and default to DATAROOTDIR/examples/sudo on BSD systems. [4c1271298712] * src/Makefile.in, sudo.pp: Install /usr/lib/tmpfiles.d/sudo.conf on systems with systemd but do not package it. For packages we create /usr/lib/tmpfiles.d/sudo.conf as needed in the postinstall script. [522666bc079f] 2015-03-22 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix "mandoc -Tlint" warnings. Sync AUTHORS section in man pages. Regenerate all man pages. [34e4149bb225] * lib/util/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Make libsudo_util depend on libintl instead of requiring users of libsudo_util to link with libintl directly. Bug #690 [f2508d1a21ee] 2015-03-21 Todd C. Miller * plugins/sudoers/logging.c: Use saved errno in vlog_warning() before calling sudo_vwarn_nodebug(). Fixes the error message printed if set_perms() fails. [68bd7297137e] 2015-03-18 Todd C. Miller * NEWS: Update for 1.8.13 final. [4c03db3a740f] 2015-03-16 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: For sudoedit, run the editor with the user's original environment as per the documentation (and as in sudo 1.7.x). Bug #688 [a5081c8f6950] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, po/fr.mo, po/fr.po: Sync with translationproject.org [0b820c5ecb0c] 2015-03-10 Todd C. Miller * lib/util/term.c: Update function names in debug_decl. [b83f153b2f43] * lib/util/term.c: Use TCSAFLUSH instead of TCSANOW in sudo_term_copy(). Be consistent with where we put TCSASOFT in the action flags. [6ffeec3aa184] 2015-03-09 Todd C. Miller * plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/da.mo, po/da.po, po/fi.mo, po/fi.po, po/zh_CN.mo, po/zh_CN.po: Sync with translationproject.org [0d20f88c0a83] 2015-03-08 Todd C. Miller * lib/util/sha2.c: Include unistd.h since sudo_compat.h uses gid_t. [da491d83e5dc] 2015-03-05 Todd C. Miller * INSTALL, configure, configure.ac: Add --disable-weak-symbols option to disable use of weak symbols in libsudo_util. [3edf2bccb4d8] * configure: regen [ff1abfcd2b61] * m4/ax_sys_weak_alias.m4: When checking for weak aliases, check the gcc attribute format last since some C compilers just ignore unsupported attributes. [e172cbbfa615] * sudo.pp: Update copyright year. [67bcd24c6477] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/it.mo, po/it.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po: Sync with translationproject.org [ceb62f98364c] * configure, configure.ac, include/compat/sha2.h: Fix symbol name collision with systems that have their own sha2 implementation. This can result in PAM using the wrong sha2 implementation on Solaris systems configured to use SHA512 for passwords. [3a25c4896804] * src/Makefile.in: Use SSP_LDFLAGS when linking sudo_noexec.la [6187b17fad90] 2015-03-03 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/compat/utime.h, lib/util/Makefile.in, lib/util/utimens.c: Remove compat/utime.h, it was only useful for ancient systems that are no longer capable of compiling sudo. [94e4f02868db] 2015-03-02 Todd C. Miller * configure, configure.ac, lib/util/Makefile.in: Link libsudo_util with -lrt on systems where clock_gettime is in -lrt. [44a9a0d0af69] * NEWS: Update. [811c8d7090c0] * lib/util/strlcat.c, lib/util/strlcpy.c: Update OpenBSD CVS Ids [933788497ee4] * lib/util/strlcat.c: Make comment match code. [b1b68810929d] * lib/util/utimens.c: Fix compilation error on systems without futimes(). [4d55a58ea12e] * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/gettime.c, lib/util/util.exp.in, lib/util/utimens.c, lib/util/utimes.c, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/boottime.c, plugins/sudoers/gettime.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/Makefile.in, src/sesh.c, src/sudo_edit.c: Use futimens() and utimensat() instead of futimes() and utimes(). [8400f91466d8] * plugins/sudoers/visudo.c: Fix compiler warning on systems where mode_t is not unsigned int, such as 32-bit Solaris. [1eeeea1c203d] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Fix logic for verifypw/listpw all in sudoers LDAP and sssd. [5bc60a34a477] * src/tgetpass.c: Fix cut & pasto that prevented the SIGPIPE handler from being restored before returning from tgetpass(). From mancha [230b0a86876e] 2015-02-28 Todd C. Miller * src/sesh.c, src/sudo_edit.c: Our utimes() emulation support futime() too. [439851535285] 2015-02-27 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [40aa9164563f] * plugins/sudoers/testsudoers.c: Define YYDEBUG to 0 if not already defined so we can protect use of sudoersdebug with "#if YYDEBUG" like the generated parser does. From David Michael. [394e1c237aac] 2015-02-26 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that Aliases may not be redefined and that "sudo -f /etc/sudo.d/foo" will not catch the redefinition. [3bff3b5f7eb1] * sudo.pp: Only create /usr/lib/tmpfiles.d/sudo.conf if /usr/lib/tmpfiles.d/systemd.conf also exists. Some other package may have created /usr/lib/tmpfiles.d even though it is not used. [cf013d95b7d7] * plugins/sudoers/Makefile.in: regen [4dde632c35cd] * sudo.pp: Clear the ts dir instead of just making sure it exists. [c49b6e3e2360] * configure, configure.ac: Only substiture init.d scripts that we are going to use. [301f16bd04c5] 2015-02-25 Todd C. Miller * plugins/sudoers/Makefile.in, sudo.pp: Create /usr/lib/tmpfiles.d/sudo.conf when systemd is used. [532dc61e7bb7] * plugins/sudoers/iolog.c, plugins/sudoers/visudo.c, src/sudo_edit.c, src/utmp.c: Check the return value of gettimeofday(), even though it should never fail. [747715d8a11c] 2015-02-24 Todd C. Miller * MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/clock_gettime.c, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/gettime.c, plugins/sudoers/po/sudoers.pot, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: We cannot (easily) use clock_gettime(CLOCK_MONOTONIC) directly as it may be present but not implemented. Add sudo_gettime_real() and sudo_gettime_mono() functions to get the real and monotonic times respectively. Now sudo_gettime_mono() checks the value of sysconf(_SC_MONOTONIC_CLOCK) before calling clock_gettime(CLOCK_MONOTONIC) and falls back on sudo_gettime_real() as needed. The Mach version of sudo_gettime_mono() uses mach_absolute_time(). This should fix problems with timestamp files on systems where the CLOCK_MONOTONIC is defined but not actually implemented. [cd04a21af4c5] * include/sudo_compat.h, plugins/sudoers/timestamp.c: Check clock_gettime() return value and warn if it fails. Currently, the timestamp will be ignored if clock_gettime() fails. [3658154638da] 2015-02-23 Todd C. Miller * lib/util/sudo_debug.c: Plug memory leak when debug file cannot be opened. Use %zu printf format now that our snprintf support it. [a168a002cd19] * plugins/sudoers/auth/pam.c: Pam conversation function changes: o use PAM_BUF_ERR as the return value when calloc() fails. o sanity check the value of num_msg o remove the workaround for old Apple PAM o PAM_AUTH_ERR is not a valid PAM conversation function return value If getpass_error is set after a call to pam_verify (usually because the user pressed ^C), return AUTH_INTR immediately instead of checking the pam_verify return value. [8d378f40fe1f] * INSTALL, NEWS, configure, configure.ac, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags. [cb314c1ed5f8] * lib/util/parseln.c: Fix cast. [4f56047e2bc4] 2015-02-21 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/snprintf.c: Update snprintf.c from OpenBSD. The floating point and wide character code has been retained but is not compiled by default. [6801a77398fc] 2015-02-20 Todd C. Miller * plugins/sudoers/regress/sudoers/test1.in, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test1.toke.ok: Update the regression test that check that all tags are parsed. [d0f9af2f9d45] * MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/mktemp.c, lib/util/regress/mktemp/mktemp_test.c, mkdep.pl: Add regress for mkdtemp and mkstemps from OpenBSD [18714ae9bffd] * plugins/sudoers/po/sudoers.pot: regen [b77490dd9b33] * plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, po/tr.mo, po/tr.po: Sync with translationproject.org [b2946065653d] * config.h.in, configure.ac: Correct SECURE_PATH comment. [3fd6132d5dba] * NEWS, configure, configure.ac: Sudo 1.8.13 [32c1183b0666] 2015-02-19 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/gethostname.c, lib/util/util.exp.in, plugins/sudoers/match.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sudo.c: Avoid using HOST_NAME_MAX directly and use sysconf(_SC_HOST_NAME_MAX) instead. [97036b819d58] * plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c: Historically, crypt() returned the empty string on error, which ensured that crypt("", "") would return "", which supported matcing empty encrypted passwords with no additional code. Some modern versions of crypt() (such as glibc) return NULL on error so we need an explicit test to match an empty plaintext password and an empty encrypted password. [b88eb9da5e57] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Sort tags lexically in the sudoers manual [66716c0b7a13] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/sssd.c, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo_json.c: Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis. [04f30a064c25] * config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/closefrom.c, lib/util/setgroups.c, plugins/sudoers/pwutil_impl.c, src/sudo.c: Almost no systems actually define OPEN_MAX since it is dynamic on modern OSes. If sysconf(_SC_OPEN_MAX) ever fails, fall back on _POSIX_OPEN_MAX instead. We can assume modern systems have sysconf(). Also remove checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. [c3058a6cca86] * lib/util/getline.c, plugins/group_file/getgrent.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/tsgetgrpw.c: All modern systems should have LINE_MAX. [117322b6d86c] * Makefile.in, sudo.pp: Don't need to pass exampledir to polypkg now that it is just under docdir. [9f24f0184a78] 2015-02-18 Todd C. Miller * sudo.pp: Fix packaging of the example dir. [4c7cbc3fc190] * lib/util/mktemp.c: Fix mkstemps() extension handling. Sudoedit will now preserve the extension properly when the system libc lacks mkstemps(). [b86f54331972] 2015-02-17 Todd C. Miller * MANIFEST, aclocal.m4, config.h.in, configure, configure.ac, lib/util/Makefile.in, lib/util/locale_weak.c, m4/ax_sys_weak_alias.m4, mkdep.pl, src/Makefile.in, src/locale_stub.c: Use weak symbols for sudo_warn_gettext() and sudo_warn_strerror() so distros using "-Wl,--no-undefined" in LDFLAGS don't run into problems. [708418615aae] * lib/util/mksiglist.c, lib/util/mksigname.c: Include unistd.h in siglist.c and signame.c to get gid_t which is used by sudo_compat.h. Bug #686 [0ab6450a96ec] 2015-02-15 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c: Add mail_all_cmnds to always mail when a user runs a command (or tries to) including sudoedit. The mail_always flag goes back to its old semantic of always mailing when sudo is run. [edc904502061] 2015-02-10 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Minor change in description of TZ path handling. [579b02f0dbe0] * Makefile.in, examples/Makefile.in: Move example dir under the doc dir to conform to Debian guidelines. Bug #682. [494d9a0484b6] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that a leading ':' is skipped when checking TZ for a fully- qualified path name. [91859f613b88] 2015-02-09 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Typo. [b9257ea66116] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix typos. [ac1467f71ac0] * plugins/sample/sample_plugin.c: Fix compilation on systems w/o __dso_public [b773ef9127fa] 2015-02-07 Todd C. Miller * NEWS, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po: Russian translation for sudoers from translationproject.org. [8a7fc2e00072] 2015-02-06 Todd C. Miller * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po: Russian translation for sudoers from translationproject.org. [1d5869e4d4af] * config.h.in, configure, configure.ac, include/sudo_compat.h: Add check for getresuid() declaration, which may be missing on HP- UX. When checking for getdomainname() prototype, look in netdb.h too. [0ba583590b17] * INSTALL, NEWS, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, m4/sudo.m4, pathnames.h.in, plugins/sudoers/env.c: Sanity check the TZ environment variable by special casing it in env_check. The --with-tzdir configure option can be used to specify the zoneinfo directory if configure doesn't find it. [650ac6938b59] * NEWS: Mention crash fixes. [f759c993e172] * src/parse_args.c: Bail with usage() early if argc <= 0. [aaba56c9a797] 2015-02-05 Todd C. Miller * plugins/sudoers/pwutil.c: Remove extraneous casts of node->data (which is void *). [950749570a00] * doc/CONTRIBUTORS: Add Stephane Chazelas [a6c7becabee7] * plugins/sudoers/pwutil.c: Fix a potential crash when getpwnam() of the running user fails and we don't replace the negative cached entry with a faked up one. From Stephane Chazelas [9088f041bbad] * src/parse_args.c, src/sudo.c: Don't assume argv[0] is set without first checking argc. [aabdc9d0ba26] * lib/util/progname.c: Call setprogname("sudo") if getprogname() returns NULL or the empty string. [45438f7227b1] * plugins/sudoers/set_perms.c: Handle sudo_get_grlist() returning NULL which can happen if getgrouplist() fails even after allocating the appropriate amount of memory. From Stephane Chazelas [25747a0ead7c] * config.h.in, configure, configure.ac: Remove configure checks for strrchr() and strtoll() for which the HAVE_* defines are no longer used. [f04216435aba] * config.h.in, configure, configure.ac, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: Require POSIX regular expression support for sudoreplay. [1486747cd470] * config.h.in, configure, configure.ac, include/sudo_compat.h: Check whether getdomainname(), innetgr(), setresuid() and setresgid() are declared and add prototypes in sudo_compat.h as needed. [03aa144afce4] * plugins/sudoers/policy.c: The plugin no longer needs to call initprogname() now that it links with the same libsudo_util as sudo. [78b65a352ac5] 2015-02-04 Todd C. Miller * sudo.pp: Add /usr/local/share/examples/ directory to parentdirs so it is explicitly added to the package. [ef1aa52b0aad] * plugins/sudoers/po/da.mo, po/da.mo: Sync with translationproject.org [943986acd31c] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/nl.mo, po/nl.po: Sync with translationproject.org [4977ac967bdd] 2015-02-03 Todd C. Miller * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: Regen with yacc skeleton that the clang analyzer doesn't complain about. [e15991fd4ab1] * configure, configure.ac, lib/util/alloc.c, lib/util/glob.c, plugins/sudoers/env.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y: Use stdint.h to get SIZE_MAX as inttypes.h on some pre-C99 HP-UX systems doesn't include stdint.h itself. [9fbd35811743] * configure, configure.ac: SIZE_MAX may be in limits.h on pre-C99 compilers. [d3b554f7e0e5] * config.h.in, configure, configure.ac, lib/util/aix.c: Add missing prototypes for usrinfo() and setauthdb() for AIX. [aa4b205296cf] * config.h.in, configure, configure.ac, plugins/sudoers/match.c: Solaris uses sysinfo(SI_SRPC_DOMAIN) instead of getdomainname() to get the host's NIS domain. [9234c62a1469] 2015-02-02 Todd C. Miller * configure, configure.ac: Remove AC_PROG_GCC_TRADITIONAL and add AC_PROG_CC_STDC since we need C99. [005775f5662b] * plugins/sudoers/match.c: Actually use the check for prior initialization in sudo_getdomainname(). [06368385ad0d] * configure, configure.ac: We need to add OSDEFS to CFLAGS to expose LLONG_MAX et al on glibc when not explicitly asking for c99. [ae9435631600] * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/logging.c: Don't send mail about pseudo-command failure unless it is an authentication failure. [deddcfc1f2ab] * configure, configure.ac: Fix check for SIZE_MAX, which should be in stdint.h not limits.h. [47bf0ab7dfca] * lib/util/glob.c: Need to include inttypes.h for SIZE_MAX [a11f42f40294] * plugins/sudoers/po/sudoers.pot: regen [d35b24f95ef8] 2015-02-01 Todd C. Miller * include/sudo_debug.h, lib/util/aix.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/gidlist.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Go back to a 2 args debug_decl and just use the "default" instance, now renamed "active". [7130b7478355] 2015-01-31 Todd C. Miller * doc/LICENSE: Update copyright year. [e1dad7b195e4] 2015-01-30 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h: When querying LDAP netgroups, use the NIS domain if it is sent but also match nisNetgroupTriple entries that have no domain. [5a0fa3ac26f7] * plugins/sudoers/sudoreplay.c: Avoid setting the tty to non-blocking mode so "sudoreplay | cat" (for example) works as expected. We only read a single byte from the keyboard and only when interactive anyway so this should be fine. [9615a932545b] * lib/zlib/Makefile.in, plugins/sudoers/Makefile.in: regen [f19c6e000850] * plugins/sudoers/sudoreplay.c: Avoid a cppcheck warning about undefined behavior (using the address of a stack buffer - 1) and fix a memory leak of the iov when doing nl->crnl conversion. [e26f9008c2e4] * doc/CONTRIBUTORS: Add Steven Soulen [17a47303d5fe] * plugins/sudoers/sudoreplay.c: Fix handling of partial writes from writev() which can occur with large output buffers. [1065dbeaa13d] 2015-01-29 Todd C. Miller * NEWS, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: Add support for querying netgroups directly via LDAP since there is no other way to look up all the netgroups for a user (unlike regular groups). This introduces netgroup_base and netgroup_search_filter options to ldap.conf. Based on a diff from Steven Soulen. [7e3d55983e71] 2015-01-27 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Sort ldap.conf options. [264608124698] 2015-01-22 Todd C. Miller * plugins/sudoers/ldap.c: Add macros to ease the checking of strlcpy, strlcat and sudo_ldap_value_cat return values. [e9122413d4fa] 2015-01-21 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Rename VALIDATE_OK -> VALIDATE_SUCCESS Rename VALIDATE_NOT_OK -> VALIDATE_FAILURE [4379cac9f75d] * plugins/sudoers/logging.c, plugins/sudoers/sudoers.h: Remove now-unused VALIDATE_ERROR define. [569d4936b761] * plugins/sudoers/logging.c: should_mail() now returns bool. [0316d1fb08c3] * lib/util/sudo_debug.c: If sudo_debug_register() fails return SUDO_DEBUG_INSTANCE_INITIALIZER, not -1. Otherwise we could end up setting the instance to -1 which is invalid. [032bb1db6db5] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix typo. [014be972780c] * doc/Makefile.in: Use "mandoc -Tascii" to generate .cat pages to avoid locale-specific characters. [0ec42d8924fc] 2015-01-19 Todd C. Miller * configure, m4/sudo.m4: Use AC_PATH_PROG to find programs instead of checking the path manually. [2b5d9893a7a7] 2015-01-16 Todd C. Miller * lib/util/strlcat.c, lib/util/strlcpy.c: Sync with OpenBSD version [22c073c42a9e] 2015-01-15 Todd C. Miller * configure, configure.ac: Use AC_CHECK_HEADERS_ONCE and AC_CHECK_FUNCS_ONCE where possible and quote the first args in AC_CHECK_FUNCS calls. [84aa40ab410a] * config.h.in, configure, configure.ac, include/sudo_compat.h: Avoid inadvertantly defining things like PATH_MAX simply because the source file doesn't include limits.h. [d2e7c4093f55] 2015-01-14 Todd C. Miller * configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4: Update to libtool 2.4.4 + HP-UX patches [859b7378bc37] * src/ttyname.c: Document why we need sys/param.h. [f21a4d7122f0] * configure, m4/sudo.m4: Don't need sys/param.h. [6aa24ecfc9d4] * lib/util/closefrom.c: Don't appear to need sys/param.h for pstat_getproc() on HP-UX even though the man page lists it. [47d75f3db288] * lib/util/inet_ntop.c, lib/util/inet_pton.c: Should not need sys/param.h here. [5c83cebcd75f] 2014-12-31 Todd C. Miller * plugins/sudoers/match_addr.c: Use standard CIDR -> netmask conversion and disallow 0-bit CIDRs. [d30313d726eb] 2014-12-24 Todd C. Miller * README.LDAP: Update link to gq LDAP editor, now on sourceforge. [706dadea1abb] 2014-12-16 Todd C. Miller * include/compat/glob.h, lib/util/glob.c: Add support for GLOB_LIMIT from OpenBSD (not currently used) and also a limit on the max recursion depth for glob(). [6f9e26b88612] * lib/util/glob.c: Quiet compiler sign compare warning. [c4f35c02122c] 2014-12-10 Todd C. Miller * NEWS: fnmatch fix [07542b07ac67] * lib/util/fnmatch.c: Remove artificial limit on length of pattern and string. It is possible to use fnmatch() on things other than paths (such as arguments) so a limit of PATH_MAX does not make sense. Fixes a bug where rules would fail to match if the length of the arguments were larger than PATH_MAX (usually 1024). [942770c20422] 2014-12-04 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Remove the extra /sudo in sudo.ws urls [0b804e3a1008] 2014-11-27 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Reference bugzilla.sudo.ws [7dc11bbe6f13] 2014-11-20 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: sync [da17d5a611ce] 2014-11-19 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Require that a digest be specified with a real command, not an alias or pseudo-command. Found via a crash by afl. [55f6166cab63] * NEWS: sync [4b31247735c4] * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po: French translation for sudoers from translationproject.org. [5c592350c4b0] 2014-11-18 Todd C. Miller * src/exec.c, src/exec_pty.c, src/tgetpass.c: Defer registration of the SIGCHLD handler until just before we exec the command. Fixes a problem where pam_gnome_keyring installs its own SIGCHLD handler and may not restore the original one. As a result, we now have to explicitly wait for the askpass helper to finish. Bug #657 [f499500fef71] 2014-11-17 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Mention sssd support in the sudoers.ldap manual and cross-reference sssd-sudo(5). [32f84fbf210c] 2014-11-16 Todd C. Miller * doc/CONTRIBUTORS: Reorder an entry. [5d15735294f1] 2014-11-15 Todd C. Miller * Makefile.in, lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Prevent cppcheck from getting confused by our compat definition of the va_copy macro for pre-C99. [61d94525be2e] 2014-11-14 Todd C. Miller * plugins/sudoers/iolog_path.c: Fix potential NULL pointer deref found by cppcheck. [668967e031e0] * plugins/sudoers/alias.c: Quiet a cppcheck false positive. [35a16ae4660c] * lib/util/sudo_debug.c: If there are multiple outputs, ap will be re-used so make a copy and operate on it instead. [f4f19df43c93] * src/hooks.c: Fix typo in hook return value check. [b12839dc6e78] * NEWS: Mention visudo use of sudoers plugin args to set default sudoers file name and owner/mode. [7f2733b53431] * NEWS: Mention fix for bug #678 [7f7a6d8b985b] 2014-11-12 Todd C. Miller * plugins/sudoers/sudoers.c: In set_fqdn() we neeed to set user_runhost/user_srunhost at the same time we set user_host/user_shost since that is what hostlist_matches() uses. Bug #678 [4f75b01d4884] 2014-11-11 Todd C. Miller * src/hooks.c: Do not call sudo_warnx() on invalid value from the env hook functions as the printf() family may call getenv() for locale reasons. [547fc25acb7c] * doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: No need to keep specifying ".Nm foo" since the Nm macro remembers the argument it was first called with and uses it if none is specified. Also fix a few minor formatting errors and regen bulleted lists in the .man.in files. [d2669e94add4] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Add sudo.conf to SEE ALSO and rename section on sudo.conf [d4cc8ad2c2b4] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Mention sudo.conf use for debugging [9393fb061bcd] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.man.in, doc/sudoreplay.cat: regen [1d34d21b2136] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Document sudo.conf usage now that visudo will parse the sudoers arguments. [78a413c019a9] 2014-11-10 Todd C. Miller * plugins/sudoers/visudo.c: Use sudoers.so args from sudo.conf to set sudoers_file, sudoers_uid, sudoers_gid, and sudoers_mode in visudo. [1c7408b5ff7e] * plugins/sudoers/visudo.c: Use sudoers_file, sudoers_uid, sudoers_gid, and sudoers_mode symbols from toke.l instead of the upper case defines. [21ba15518c7d] * lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: Use SSP_LDFLAGS when creating shared objects. [2428de97d2c2] * lib/util/Makefile.in: We only build .lo (not .o) files for libsudo_util [2c1e0475cddc] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/it.mo, po/it.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/ru.mo, po/ru.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: Sync with translationproject.org [e51055fdffe1] 2014-11-06 Todd C. Miller * NEWS: sync [aab14a9942e0] 2014-11-04 Todd C. Miller * src/exec.c, src/exec_pty.c: Make sure that SIGCHLD is not treated as a user-generated signal in which case it could be ignored. Bug #676 [a4caaaaa47a8] 2014-10-31 Todd C. Miller * config.h.in, configure, configure.ac, lib/util/mktemp.c: Use arc4random() for mkstemp/mkdtemp if available. If not, try to seed from /dev/urandom before falling back to the gettimeofday seed. [7a7096ab82c9] * lib/util/sudo_debug.c: Use a static buffer for sudo_debug_execve2() if possible. [abf1fd5891ab] 2014-10-30 Todd C. Miller * configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4: Update to libtool 2.4.3 + HP-UX patches [9ddfd96f3bea] 2014-10-29 Todd C. Miller * configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c: If a system lacks mkdtemp() or mkstemps(), use our own mkdtemp() and mkstemps(). Previously we only exposed the missing one but since the guts are the same we might as well use them. [12d4ac64462f] * src/env_hooks.c: Mark the putenv(), setenv() and unsetenv() symbols as global, not hidden. Fixes a mismatch where a plugin (or its loaded dso) would call setenv() to set a variables but be unable to find it later with getenv(). [96127ac4bbb3] 2014-10-28 Todd C. Miller * Makefile.in: Fix install-nls target from builddir. [da63bc37f6c5] * Makefile.in: Fix dependency on sudo.pp, it needs to relative to srcdir. [c76088da98e8] * src/sesh.c: Adapt to new debug subsystem registration. [8e13b349b44b] 2014-10-27 Todd C. Miller * lib/zlib/Makefile.in, lib/zlib/zlib.exp: Add missing zlib.exp file and common LT_LDFLAGS Makefile.in. [0bc0092d3e03] * lib/util/sudo_conf.c: Fix path settings broken in rev 9731. [2b33916eb287] * MANIFEST, lib/util/regress/sudo_conf/test4.err.ok: Adjust regress test now that boolean settings display an error for invalid input. [73a7365f492e] * plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add sudoers_debug_deregister() and use it instead of calling sudo_debug_deregister() directly. [819b0e08196e] * configure, configure.ac, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: Use AC_PROG_AWK [945cf6deb18d] * NEWS: Mention shared zlib. [094bdada1106] * MANIFEST: Add lib/zlib/zlib.exp [7b5011e3eea9] * INSTALL, configure, configure.ac, lib/zlib/Makefile.in, lib/zlib/zconf.h.in: Add support for installing a shared zlib [6875ab6ca44f] * lib/util/Makefile.in: fix comment typo [35c3dda27eec] * configure, configure.ac, lib/zlib/Makefile.in: Newer zlib uses HAVE_HIDDEN to turn on symbol hiding so we don't need to disable it with NO_VIS. [b3eee86f015f] * po/sudo.pot: regen [687bc1ea88ac] * configure.ac, include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in: Version the symbols for sudo_debug.c now that the API is stable. [873850a062a8] 2014-10-26 Todd C. Miller * lib/util/sudo_conf.c: Go back to parsing sudo.conf in place for settings and paths and improve debugging info for unsupported entries and parse errors. [264e1f7d6551] * include/sudo_conf.h, lib/util/regress/sudo_conf/conf_test.c, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Add a flag argument to sudo_conf_read() so we can decide which bits get parsed. This lets us parse Debug statements first and init the debug subsystem early. [56dbf1e671de] 2014-10-24 Todd C. Miller * lib/zlib/gzguts.h: Include stdio.h after zlib.h, not before. We need the large file defines to come first. [b42b53d10252] * doc/LICENSE, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: Update zlib to version 1.2.8 [f95280e0448d] * configure, configure.ac: Don't add -Wold-style-definition to CFLAGS as it causes problems with 3rd party libraries such as zlib. [1d7613d1c177] * src/load_plugins.c: Free up plugin info structs after converting to plugin containers. [1168e873d778] * INSTALL, MANIFEST, Makefile.in, configure, configure.ac, doc/Makefile.in, doc/TROUBLESHOOTING, doc/UPGRADE, doc/sample.pam, doc/sample.sudo.conf, doc/sample.sudoers, doc/sample.syslog.conf, examples/Makefile.in, examples/pam.conf, examples/sudo.conf, examples/sudoers, examples/syslog.conf, sudo.pp: Move sample.* files to a sudo examples dir [b53e3df56c66] * sudo.pp: Fix a packaging problem with the sudoedit man page link on Debian. [8ad77a37048e] * plugins/sudoers/iolog.c, plugins/sudoers/policy.c: Initialize the debug subsystem in sudoers early. Currently this means iterating over the settings list twice. [93b12ea08405] * lib/util/sudo_debug.c: No need to convert sudoedit -> sudo in sudo_debug_get_instance() as we store the actual program name and only do the sudoedit -> sudo conversion when reading the sudo.conf file. Fixes debugging when invoked as sudoedit. [535c01d83b14] * lib/util/sudo_conf.c, lib/util/sudo_debug.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, src/exec_pty.c, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: In the plugin registers with the debug framework at open time, the sudo front-end will now set the default debug instance appropriately before calling into the plugin. This means the plugin no longer needs to do the sudo_debug_set_default_instance() dance. [10dd45a7884f] * Makefile.in: Remove duplicate -U__NBBY in CPPCHECK_OPTS [ad518cb36279] 2014-10-23 Todd C. Miller * plugins/sudoers/Makefile.in: Older shells don't support unset. [8762e40871ab] * configure, configure.ac, include/sudo_compat.h, lib/util/inet_ntop.c, src/net_ifs.c: Fix inet_ntop() replacement on older systems without it. We only expose the prototype for net_ifs.c due to the use of socklen_t. [18b95ca378ab] * lib/util/sudo_debug.c: Dynamically allocate debug_fds bitmap and realloc as needed. [e858199414f6] * Makefile.in, include/sudo_debug.h, lib/util/Makefile.in, lib/util/sudo_debug.c, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/system_group/Makefile.in, src/Makefile.in, src/exec.c: Use generic bitmap macros instead of select-style fd_set. [c382edc413be] * lib/util/sudo_debug.c: Replace sudo_debug_num_instances with sudo_debug_max_instance [12625fd174a4] * plugins/sudoers/iolog.c, plugins/sudoers/policy.c: Don't call into the debug subsystem after we've deregistered the plugin's instance. [fca7279d2f40] * lib/util/sudo_debug.c: Only fill in subsystem_ids[] for the instance if the caller passed in an array for it. If the caller only wants the default subsystems we don't actually need ids[]. [07939da6d3a5] * lib/util/Makefile.in: Link with -ldl if needed when built with --disable-shared-libutil/ [542eeffaf57d] * src/regress/ttyname/check_ttyname.c: Fix includes order. [ddd58edba5af] * lib/util/util.exp.in: Remove extra newline mistakenly introduced in rev 9682. [36a40e308bbc] * plugins/sudoers/Makefile.in: Fix typo in unset. [2c5fbe4c9a54] * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sesh.c: Set debug instance for standalone programs. [306225438408] * plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, src/net_ifs.c: Fix compilation issues, fallout from the debug changes. [aff5bb3d0322] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: regen [bbb69f299d1f] * configure, configure.ac: Sudo 1.8.12 [8d9b15c1de44] * NEWS: Update with debug system changes and revent bug fixes. [44133de1dee2] * include/sudo_debug.h, lib/util/sudo_conf.c, lib/util/sudo_debug.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h: When registering with the debug subsystem, the caller now passes in an arrary of ints that gets filled in with the subsytem IDs to be used in debug_decl. [80e80ba194f7] * plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: sudoers_debug_instance is now included in libparsesudoers so we don't need to declare it here. [a56f79e6fcf8] 2014-10-22 Todd C. Miller * MANIFEST, include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/ttysize.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoers_debug.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: The sudoers plugin now defines its own list of debugging subsystem names and defines. [e85d0375e059] * MANIFEST, include/sudo_debug.h, lib/util/aix.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/gidlist.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/Makefile.in, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Add support for multiple Debug lines per program. Callers may register arbitrary debug facilities or use built-in defaults. We now use separate Debug statements for plugins and programs. [5e553cbbfbb1] * MANIFEST, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_conf.h, include/sudo_debug.h, lib/util/Makefile.in, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test7.in, lib/util/regress/sudo_conf/test7.out.ok, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.h, src/hooks.c, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo_plugin_int.h: Change how sudo.conf is parsed. We now do a quick parse and then set the values after the entire file has been parsed. This lets us init the debug system earlier. Plugin-specific debug flags are now stored in struct plugin_info and struct plugin_container and passed to the plugin via one or more debug_flags settings. [62fb1102e1e2] * src/parse_args.c, src/sudo.c, src/sudo.h: Return settings from parse_args as struct sudo_settings and format for the plugin at plugin open time. This will allow for additional, plugin-specific settings to be added to the array. [167929871b94] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Pass plugin path in the settings array. [45bc2d087115] * plugins/sudoers/parse.c: Remove an unneeded NULL check to quiet a cppcheck warning. [64cb92122658] 2014-10-14 Todd C. Miller * plugins/sudoers/Makefile.in: Set locale to C for visudo and testsudoers regression tests. Bug #672 [adf7997a0a65] 2014-10-13 Todd C. Miller * plugins/sudoers/linux_audit.c: Fix logic bug. We only want to return -1 from linux_audit_open() when audit_open() fails and errno is not one of EINVAL, EPROTONOSUPPORT, or EAFNOSUPPORT. For those errno values, we return AUDIT_NOT_CONFIGURED which is not a fatal error. Bug #671 [6f0d8f1c7648] 2014-10-11 Todd C. Miller * NEWS: Add back fix for Bug #663 [a3dfc76ee776] 2014-10-10 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: The older style bash function exporting is not used by post- shellshock versions of bash. [223efe328e86] * plugins/sudoers/env.c: Apple uses a different variant of the BASH_FUNC prefix for bash functions. [ea13c8c2a716] 2014-10-07 Todd C. Miller * NEWS: Remove change that is part of 1.8.12 not 1.8.11p1 [8fdad4c4f314] * NEWS, configure, configure.ac: Update for sudo 1.8.11p1 [80e9898f7c04] * src/regress/ttyname/check_ttyname.c: Only check stdin for the tty and avoid the check entirely if we don't have a way to get the tty from the kernel. Bug #643 [deb799e16416] * lib/util/sudo_debug.c: Make a copy of ap in sudo_debug_vprintf2() in case the static buffer is not big enough and we need to call vasprintf(). [a5d32b9d63be] * src/sudo.c: Avoid comparing new cwd with old one if getcwd() failed. Bug #670 [e99093578ca7] * plugins/sudoers/env.c: Fix debugging printout output for env_should_keep() [a9e7ea4b6751] 2014-10-06 Todd C. Miller * Makefile.in, include/Makefile.in: Use INSTALL_OWNER instead of -O/-G flags so we can work with the autotools install-sh too. Bug #669 [a5f87f6a52b7] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Move sudo_printf to policy.c to match sudo_conv. [f2d6065c3daf] 2014-10-05 Todd C. Miller * MANIFEST, include/sudo_fatal.h, lib/util/Makefile.in, lib/util/fatal.c, lib/util/sudo_printf.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/conversation.c, src/sudo.c, src/sudo_plugin_int.h: Add sudo_warn_set_conversation() to specify a conversation function to use for warn/fatal. If no conversation function is specified, the standard error will be used. We now only need sudo_printf() for things that use the parser. [d6049e53e3e3] 2014-10-03 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Use correct names when referring to subsections in the sudoers manual. [7a016916f0ab] 2014-10-02 Todd C. Miller * MANIFEST, config.h.in, configure, configure.ac, lib/util/inet_ntop.c, src/net_ifs.c: Use inet_ntop() instead of inet_ntoa() and include a version for systems that are missing it. [1a1a70dba9c0] 2014-10-01 Todd C. Miller * configure, configure.ac: Fix detection of functions in network libs like -lsocket, -lnsl and -linet when we have already added those libs to NET_LIBS. Fixes a problem where inet_pton() was not detected on Solaris. [27e10183649e] * NEWS: Mention --disable-shared-libutil fix. [7efe70688237] * src/Makefile.in: Always use --tag=disable-static to avoid installing a static sudo_noexec. [5d7d58879f99] * configure, configure.ac, lib/util/Makefile.in, plugins/sudoers/Makefile.in: Instead of building libutil statically for --disable-shared-libutil, just treat it as a convenience library. Do the same with sudoers for --enable-static-sudoers. Fixes link errors on Solaris among others when --disable-shared-libutil is used. [c5357fe78ab7] * configure, configure.ac, lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: Remove LT_LDMAP and LT_LDOPT and just use LT_LDEXPORTS for the compiler-specific option to restrict symbol exporting. [09e8dab6f528] * src/preload.c: Include sys/types.h to get gid_t, etc used in sudo_compat.h. Fixes a build issue on Solaris. [b8917967df41] 2014-09-29 Todd C. Miller * src/regress/ttyname/check_ttyname.c: Fix cust & pasto in error message when there is a mismatch between the sudo and libc ttys. From Diego Elio Petteno'. Bug #643 [87d5f1a49535] 2014-09-27 Todd C. Miller * plugins/sudoers/env.c: Add BASH_FUNC_* to environment blacklist for newer-style bash functions. [b6e66c4a782e] * Makefile.in: Pull additional password prompts out of mkpkg instead of hard-coding them. [d2a6da883b34] * NEWS: Add post-1.8.11 changes [11169ace8fa4] * Makefile.in, configure.ac, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/po/sudoers.pot: Add a space after "Password:" in default password prompt so it is easier to read when pwfeedback is enabled. [a7750d845b5b] * plugins/sudoers/auth/sudo_auth.c: Simplify how we count the password tries [71b9f2021561] * plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c: Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop. [1cfafd7fcb13] * configure, configure.ac: Remove Convex support; it is not modern enough to run sudo 1.8. [c3bdfbb2ee11] * configure, configure.ac: Only check for -lshadow if we haven't already found getspnam() in libc. Rather than treat this specially, just add -lshadow as another place to search in addition to -lgen. [fdf06757f25d] 2014-09-26 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c: If all authentication methods fail init/setup, fail with an error. [4cd0481bf05e] * plugins/sudoers/auth/sudo_auth.c: Move pass_warn() so that it is defined before it is called(). [6ea697e89fef] 2014-09-24 Todd C. Miller * pp: Remove duplicate Requires: line in generated rpm spec file. [335703b110c7] * pp: In pp_files_expand() set _target to be empty. Fixes a problem with Solaris sh where simply using typeset doesn't causes the variable to be treated as local so we can inadvertantly inherit a value from a previous call. [f3cecca3c7b0] 2014-09-23 Todd C. Miller * configure, configure.ac: Fix version for release. [39f6a2e9a098] 2014-09-20 Todd C. Miller * configure, configure.ac, pathnames.h.in: Only redefine _PATH_BSHELL on AIX if we included paths.h. [2dd4e808f69f] * NEWS: Bug 661 [7f2b278086b2] * pathnames.h.in, src/exec_common.c, src/sudo.c: On AIX, _PATH_BSHELL is /usr/bin/bsh but we want to use /usr/bin/sh (which is usually ksh). This makes sudo's behavior when executing a shell without the #! magic number match execvp() on AIX. [2b438ff99991] * pathnames.h.in: Whitespace changes. [107f66ecfa54] * configure, m4/sudo.m4: Prefer /usr/bin/sh to /bin/sh to match modern systems. [9e2ccb5b239f] * NEWS, lib/util/Makefile.in: Don't use SSP_CFLAGS or PIE_CFLAGS when building mksiglist/mksigname as they are built with the host compiler which may be different when cross-compiling. From Gustavo Zacarias. Bug 662. [f1a6d58c0baa] 2014-09-17 Todd C. Miller * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/ru.mo, po/ru.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: Sync with translationproject.org [588c41d2eab5] 2014-09-16 Todd C. Miller * plugins/sudoers/sudo_nss.c: Make sure we can't insert an nss entry in the list that has already been used before. [b5fab945991b] * plugins/sudoers/visudo_json.c: Use correct gettext macro with sudo_warnx() [0a532986b016] * NEWS: Make nsswitch.conf bug fix description more accurrate. It affects the "files" nsswitch source too. [a29cce3a3ee9] * NEWS: Mention nsswitch.conf duplicate entry fix. [f8a45b59a577] 2014-09-15 Todd C. Miller * plugins/sudoers/parse.c, plugins/sudoers/sudoers.h: Make sudoers file nsswitch functions static to parse.c since they are self-contained. [cf22385d0659] * plugins/sudoers/sudo_nss.c: Fix infinite loop when mulitple sudoers entries are present in nsswitch.conf. From Daniel Kopecek. [e773e0eee736] 2014-09-10 Todd C. Miller * NEWS: Fix for bug #660 [e25192ad79cc] * src/get_pty.c: Fix compilation on systems without openpty(), _getpty() or grantpt(). From Vasilyy Balyasnyy [897280412e3e] 2014-09-08 Todd C. Miller * src/conversation.c: Remove remaining use of SUDO_CONV_DEBUG_MSG. [4ee756b687ea] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h: SUDO_CONV_DEBUG_MSG is no longer supported. [7bf46cf06578] * doc/sudo.conf.cat, doc/sudoers.cat: regen [5bff0d4d3956] * include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/sudo_printf.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c: There is no longer a reason for the plugin to init the debug subsystem itself. It will always be initialized by the front-end if needed. [970dd80a9e3c] * include/sudo_alloc.h, include/sudo_compat.h, include/sudo_fatal.h: Add function arg names to prototypes where missing. [e78dc4c48521] * lib/util/alloc.c: Remove obsolete definition of SIZE_T which is now handled by sudo_compat.h and rename the format arg to fmt in sudo_evasprintf_v1() for consistency with sudo_easprintf_v1(). [72c0fc5e5114] * src/parse_args.c: If we were invoked with any name ending in "edit", treat as sudoedit. [d307572f08bc] 2014-09-04 Todd C. Miller * po/sudo.pot: regen [31c115ffbba8] * src/exec.c, src/exec_pty.c, src/signal.c: Check return value of sigaction(), even though it should never fail. [75c578e6a07c] 2014-09-03 Todd C. Miller * lib/util/Makefile.in, src/Makefile.in: regen [2fcb390e8e89] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/parser/check_hexchar.c: Add hexchar unit test [de65e0ded4a2] * plugins/sudoers/regress/parser/check_addr.c: Avoid division by zero if there was no test data. [de3324077ba0] 2014-09-02 Todd C. Miller * lib/util/event.c: Remove confusing comment. [ee1765a06b94] * lib/util/sudo_debug.c: Use a stack buffer for the debug message when possible, most are small. [945fb94a7aaf] 2014-09-01 Todd C. Miller * plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, po/ca.mo, po/ca.po: Sync with translationproject.org [661d536a7599] 2014-08-31 Todd C. Miller * src/exec.c: Convert a debug printf to a user-visible warning. [c3866eaea3ec] * include/sudo_fatal.h, include/sudo_util.h, lib/util/fatal.c: Move sudo_printf extern to sudo_util.h [50275ef999e9] * include/sudo_fatal.h, include/sudo_lbuf.h, lib/util/fatal.c, lib/util/lbuf.c: Some versions of the HP C Compiler don't export functions that take function pointers as arguments unless a typedef is used. [97cc0525dbd7] * include/sudo_lbuf.h: Work around a bug in the HP C compiler. [5c902aefeba6] * lib/util/lbuf.c: Don't need sudo_fatal.h [bccfe4df4794] 2014-08-30 Todd C. Miller * po/da.mo, po/da.po: Sync with translationproject.org [7910e3fc0f3e] * src/exec.c: Remove signal_event from evbase before calling sudo_ev_loopexit() when the command has exited or been killed. It is possible that we could receive another signal on the pipe if they are delivered out of order. [b8ed1c9482b4] 2014-08-29 Todd C. Miller * src/exec_pty.c: Treat EOF on signal pipe (which should never happen) as ECONNRESET. [eb57e9047a2c] * include/sudo_event.h, lib/util/event.c, src/exec_pty.c: Don't allow sudo_ev_loopcont() to override sudo_ev_loopexit() [b6b53eacbc61] * include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c: Add some internal convenience functions. [b01063d82347] 2014-08-26 Todd C. Miller * sudo.pp: Fix osrelease sed expression. It wasn't matching distros with a single digit version such as sles9. [44f3e9b7e6c0] * plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/it.mo, po/it.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/ru.mo, po/ru.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po: Sync with translationproject.org [5b2c6063db75] * plugins/sudoers/iolog.c: Return -1 from logging functions if we get a write error. [a3ae43d54101] * NEWS: Mention I/O plugin changes. [0bd2e99fe87a] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec_pty.c: Change behavior when plugin I/O logging function returns 0 or -1. For -1 (error) return, we now kill the command and disable the I/O logging function that returned the error. For a 0 (reject) return, we no longer display the rejected output to the user's terminal. The plugin API revision is now 1.6. [27bb504860f3] * doc/sudoers.cat: regen to fix version. [641ea29b7dd3] * plugins/sample/sample_plugin.c: Add trivial dirty word check to the sample output logging function. [a14494b87b4d] 2014-08-25 Todd C. Miller * NEWS: Update for 1.8.11b2 [72ac1f26ba78] * src/sudo_edit.c: Fix restoration of effective uid/gid in command_details. This masked the effects an unset (really zero) egid. Bug 656 [b75eed459386] * src/sudo.c: Set runas egid to the same value as runas gid if egid not specified by the plugin. Only affects new files created by sudoedit. Bug #656 [f2daabba4912] * src/sudo_edit.c: Don't leak temp fd in sudo_edit_copy_tfiles(). Fix fd leak in error path in sudo_edit_copy_tfiles(). [465d6a79b5cf] 2014-08-22 Todd C. Miller * NEWS: fix typo [a4659abcbc1d] * src/signal.c: We write an unsigned char, not an int, to the signal pipe. [fae4217be608] 2014-08-21 Todd C. Miller * src/sudo_edit.c: Sprinkle some debugging around uid/gid setting in sudoedit. [15e4a337f0b0] * src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h: Make sudoedit work with SELinux RBAC. Adapted from RedHat patches (Daniel Kopecek) but made to behave a bit more like the non-SELinux bits. [8f3f7969220f] * src/sudo_edit.c: Refactor code that copies temp files into separate functions. [b1057f4bee87] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Fix typo, .em should be .Em [ec28aa3bdd6a] 2014-08-18 Todd C. Miller * src/sesh.c: Add missing call to initprogname(). [71040679765f] * lib/util/sudo_debug.c, lib/util/sudo_printf.c: Don't recurse infinitely until we blow the stack when the debug file can't be opened in the front-end. The conversation-type debug mode will be removed in the future. [38cd1a6343c2] 2014-08-15 Todd C. Miller * sudo.pp: Only use the first two digits of the version number. Fixes a problem on RHEL 7 which has version numbers like 7.0.1406 [272727fd57fb] * plugins/sudoers/linux_audit.c: Fix return value when kernel has no audit support. [7ca1c9857058] * lib/util/progname.c: remove unused label [4179ea1ffa3a] 2014-08-14 Todd C. Miller * aclocal.m4, autogen.sh: Update to automake 1.14 (no code changes). [5e04db4f7c5d] 2014-08-11 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document the interaction between sudoers environment handling and the pam_env module. [bd56868f078c] * plugins/sudoers/env.c: Don't allow pam_env to overwrite existing variables when env_reset is disabled unless the variables match the black list and would normally be removed. It may just be better to never overwrite when env_reset is disabled. [e0ae88fce535] 2014-08-09 Todd C. Miller * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Update year range to include 2014 [6b3b5f3fa791] 2014-08-08 Todd C. Miller * lib/util/Makefile.in: Remove regress .err files in distclean target. [d66a4f1db130] * lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: Remove generated files for linker as part of distclean. [5d1bf6c32c6b] * .hgignore: Ignore .out and .err files in lib/util regress [9f4d91e77c0f] * NEWS: Add additional 1.8.11 changes and fix typos. [7980e2abb6ea] * configure, configure.ac, plugins/sudoers/Makefile.in: Avoid building/running the check_symbols test program unless we are building a shared sudoers plugin. [a6bde1a12111] * plugins/sudoers/Makefile.in, src/Makefile.in: Remove two instances of -no-fast-install that were missed before. [8a2c89cdf252] * INSTALL, NEWS, configure, configure.ac, lib/util/Makefile.in: Add --disable-shared-libutil configure option. It may only be used in conjunction with the --enable-static-sudoers option. [e19c71464399] 2014-08-07 Todd C. Miller * doc/Makefile.in: Remove noop man.sed files Use full path instead of $@.in when calling config.status with --file=- [53c69928427e] * src/preserve_fds.c: Fix "sudo -C" when we have internal fds to preserve from closefrom(). [942db66345ea] 2014-08-06 Todd C. Miller * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/env.c: Add explicit support for matching the full environment string (name=value). Bash functions may now be preserved for full matches, but not for name-only matches. [f4d816e11f66] 2014-08-05 Todd C. Miller * .hgignore: Ignore lib/util/util.exp [e08306ca6a6d] 2014-07-30 Todd C. Miller * configure, configure.ac: Fix exporting of asprintf/vasprintf symbols. [5ff59bdeb501] * configure, configure.ac: Don't export getaddrinfo symbols if we found the function in a library. [3bf4a5d3cfdb] * src/sudo_edit.c: It is now sudo_efree() not efree(). Don't try to free a pointer to garbage on error. [51a1ddaa220d] * plugins/sudoers/po/sudoers.pot, po/sudo.pot: Regen .pot files [8c46fe51d32e] 2014-07-29 Todd C. Miller * src/sudo_edit.c: Plug memory leak, even though we are headed for exit. [e2b28ddffabe] * configure, configure.ac, lib/util/Makefile.in, plugins/sudoers/Makefile.in: If getaddrinfo() is missing libsudoutil may need to pull in networking libraries. [4d6724d54927] * MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/util.exp, lib/util/util.exp.in, m4/sudo.m4: Only include functions in util.exp that are actually in the library. Fixes a problem on Solaris where undefined functions that are listed as exported in the map file result in a link error. Also make sure we use our glob.c if the system is missing glob(). [3121ad215f1e] * configure, configure.ac: Make sure shadow libs don't end up in LIBS, only SUDOERS_LIBS (and SUDO_LIBS if set_auth_parameters() or initprivs() are present. [fb084b157c76] * configure.ac: No need to AC_SUBST HAVE_BSM_AUDIT and HAVE_SOLARIS_AUDIT [5d73ccf3a7b9] 2014-07-28 Todd C. Miller * src/exec.c, src/exec_pty.c, src/sudo_exec.h: Attempt to handle systems with SA_SIGINFO but that lack SI_USER. [0c8b09861ad5] * config.h.in, configure, configure.ac, include/sudo_compat.h: Replace use of HAVE_GETCWD with PREFER_PORTABLE_GETCWD. It is safe to assume getcwd() exists, we just need to handle broken ones. [e897223a8f38] * config.h.in, configure, configure.ac, plugins/sudoers/Makefile.in: Add check for inet_ntoa() since it may live in libnsl. Make getcwd() replacement private to the SunOS 4 section. [8e2cd0fdd6cd] * plugins/sudoers/match.c: Avoid mixing declarations and code for non-C99 compilers. [1fa5cf2356fd] * include/sudo_debug.h: For C89, use "const char __func__[]" instead of "const char *__func__". [c4e9f9d6691b] * plugins/sudoers/match.c: Fix compilation on systems w/o netgroups. [57deb66ef8ff] 2014-07-26 Todd C. Miller * src/preserve_fds.c: Back out old workaround for sudoedit hang when debugging was enabled. [f547bf80c436] * src/sudo_edit.c: Don't memcpy() the preserved_fds TAILQ as the pointers into the head will be wrong. All we need to do is save the old command details and restore them after calling run_command(). Fixes a hang with sudoedit when debugging is enabled. [84ff8e1f490a] 2014-07-25 Todd C. Miller * src/sudo.c: The default policy close function should only print an error message if the error_code is non-zero. [2032c9e33e3f] * src/preserve_fds.c: If there the preserved fds list is empty, add a new element with TAILQ_INSERT_HEAD instead of TAILQ_INSERT_TAIL to avoid an infinite loop on AIX, Solaris and possibly others when debug mode is active. [63cefe22c515] * lib/util/progname.c: Remove support for getting program name via /proc as pr_fname is usually filled in after symbolic links have been processed, even on Solaris. [0460c613753c] * lib/util/Makefile.in: Use shlib_enable instead of soext when determining whether to install the library. [d46640a7733c] * lib/util/regress/atofoo/atofoo_test.c: Avoid potential division by zero [6411d276a138] * lib/util/Makefile.in: Don't link progname test with libsudo_util, just link in progname.lo directly since that is all we need. Avoid a linker issue on darwin. [ee6210ee5cc0] * lib/util/progname.c: Remove pstat_getproc() path as pst_ucomm on HP-UX will return the target of a symbolic link and not the name of the link itself. Avoid using pr_fname on AIX for the same reason. Bug 654 [36aced8e3714] * MANIFEST, lib/util/Makefile.in, lib/util/regress/progname/progname_test.c: Add test for getprogname() and symbolic links; bug 654 [fbbe9faeda46] 2014-07-24 Todd C. Miller * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Document tracing [cfd7f14d596d] 2014-07-23 Todd C. Miller * lib/util/util.exp: sudo_term_{erase,kill} are regular symbols not functions. [3454a9c1328b] 2014-07-22 Todd C. Miller * plugins/sudoers/ldap.c: Fix NULL deref if base64_decode returns -1. [d03e207b1bb8] * MANIFEST, include/missing.h, include/sudo_compat.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/alloc.c, lib/util/clock_gettime.c, lib/util/closefrom.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getgrouplist.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/inet_pton.c, lib/util/isblank.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/parseln.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strsignal.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/sudo_printf.c, lib/util/term.c, lib/util/ttysize.c, lib/util/utimes.c, plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/sample/Makefile.in, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/hexchar.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, src/Makefile.in, src/locale_stub.c, src/net_ifs.c, src/preload.c, src/regress/ttyname/check_ttyname.c, src/sesh.c, src/sudo.h, src/sudo_noexec.c: Rename missing.h -> sudo_compat.h [ddcc945a0f87] * MANIFEST, include/secure_path.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/secure_path.c, lib/util/sudo_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Merge secure_path.h -> sudo_util.h [0385dfbf2e2d] * include/secure_path.h, include/sudo_alloc.h, include/sudo_conf.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_util.h, lib/util/aix.c, lib/util/alloc.c, lib/util/event.c, lib/util/fatal.c, lib/util/gidlist.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp, plugins/sudoers/locale.c, src/locale_stub.c: Version the functions in libsudo_util [c6d6eba95bb4] 2014-07-21 Todd C. Miller * include/gettext.h, include/sudo_gettext.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/alloc.c, lib/util/fatal.c, lib/util/gidlist.c, lib/util/strsignal.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/Makefile.in, src/locale_stub.c, src/net_ifs.c, src/sesh.c, src/sudo.h: Rename gettext.h -> sudo_gettext.h [7f6b44473b8f] * include/fatal.h, include/sudo_fatal.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/alloc.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/getopt_long.c, lib/util/gidlist.c, lib/util/lbuf.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, plugins/sudoers/Makefile.in, plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/Makefile.in, src/locale_stub.c, src/net_ifs.c, src/regress/ttyname/check_ttyname.c, src/sesh.c, src/sudo.h: Rename fatal.h -> sudo_fatal.h [bef3401dbb24] * include/queue.h, include/sudo_conf.h, include/sudo_event.h, include/sudo_queue.h, lib/util/Makefile.in, lib/util/fatal.c, lib/util/regress/tailq/hltq_test.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/Makefile.in, src/hooks.c: Rename queue.h -> sudo_queue.h to avoid collisions with the system version. [473614fdde5a] * include/sudo_debug.h, lib/util/sudo_debug.c: Conver sudo_debug_write() to a macro [0f110f27a23c] 2014-07-17 Todd C. Miller * doc/fixman.sh, doc/fixmdoc.sh: Fix man page post-processing; it was deleting more than intended. [716af03dcfb7] 2014-07-16 Todd C. Miller * doc/Makefile.in: Remove double $(srcdir) when running sed scripts. [16add67ae550] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: "an EXEC tag" not "a EXEC tag" [9ac1b8e322f9] * doc/sudoers.cat: Document that I/O logging is not enabled by default. [08fca95dd5a4] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that exec_background is off by default. [87fe5defff58] 2014-07-14 Todd C. Miller * src/sesh.c: Error out if sesh is run as a login shell but the shell it needs to run has no slash. This shouldn't happen in practice. [10ff502888ee] * MANIFEST, include/compat/mksiglist.h, include/compat/mksigname.h, lib/util/Makefile.in, lib/util/mksiglist.c, lib/util/mksiglist.h, lib/util/mksigname.c, lib/util/mksigname.h: Move mksiglist.h and mksigname.h to lib/util where they belong. [d01046c69060] * config.h.in, configure, configure.ac, include/missing.h, lib/util/progname.c, lib/util/util.exp, plugins/sudoers/Makefile.in: Avoid passing -no-fast-install to libtool as this results in the build dir being left in the library path of the installed executable. Instead, we remove the "lt-" prefix from the program name in initprogname() so that the regress test output is unaffected by libtool's binary wrapper. [75d1563e95b4] * sudo.pp: Fix syntax error with some shells. [91e8da7702c5] 2014-07-13 Todd C. Miller * configure, configure.ac: Force libtool to use runtime linking on AIX so that it installs the plugins as .so files and not .a files. [ae66488bd9ca] * plugins/sudoers/ldap.c: Be sure to NUL-terminate the decoded secret when converting from base64. [b3dc463c8882] * plugins/sudoers/ldap.c: Fix a pointer signednes warning calling base64_decode(). [74f7354867a3] * lib/util/getgrouplist.c: Use sudo_strtoid() now that it is located in the same library. [4868532e2d65] * lib/util/strtoid.c: Skip leading space (ala strtol) so that we can pick up the sign even if it is not the first character of the string. [148ee633c6a4] 2014-07-12 Todd C. Miller * plugins/sudoers/sudoers.c: For sudoedit, audit the actual editor being run, not just the sudoedit command. [59a5b0ad36af] * src/selinux.c: Audit failed user role changes. RedHat bz #665131 [cf9777687124] * plugins/sudoers/Makefile.in: Avoid running check_symbols for static sudoers [71b13bada1ce] * plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/regress/visudo/test3.sh: Adapt to unused alias changes. [4b58e36c3d8f] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c: An unused alias is not really an error, even in strict mode. RedHat bz #604297 [f10b3b7ec5a6] * src/sesh.c: When running a login shell via sesh, make new argv[0] -shell, not /path/to-shell. RedHat bz #1065418 [414cb512f102] 2014-07-11 Todd C. Miller * sudo.pp: The RHEL sudo package allows users in group wheel to run sudo. [9f22020a57cf] * Makefile.in, sudo.pp: Avoid packaging parent directories when they are system directories. Currently we just skip this when prefix is /usr [93ccede545cd] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix typo: sudo.d -> sudoers.d. From RedHat bz #726634 [1c99a4fd9c7d] * mkpkg: RHEL 6 and above use /etc/sudo-ldap.conf not /etc/ldap.conf [ce3216e4390a] * pp: For rpm, do not specify a mode in %attr for symbolic links. Avoids the warning "Explicit %attr() mode not applicaple to symlink" [3f5a80ed5081] 2014-07-10 Todd C. Miller * include/sudo_alloc.h, lib/util/aix.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/lbuf.c, lib/util/sudo_conf.c, plugins/sudoers/alias.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sia.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sudo.c, src/ttyname.c: efree -> sudo_efree for consistency [7dfd16fbb6cf] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo_plugin.cat, doc/sudoers.cat, doc/sudoreplay.cat, doc/visudo.cat: regen [a1d38600d34c] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: Add support for base64 secrets in ldap.conf and ldap.secret. Based on an idea from anthony AT rlost DOT com [4999b78f8b6d] 2014-07-09 Todd C. Miller * mkpkg: Don't use the HP compiler in preference to gcc. Some versions have trouble compiling lbuf.c. [322daf03ab6f] 2014-07-08 Todd C. Miller * configure, configure.ac, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Remove @SOEXT@ and @SHLIB_EXT@ now that we use libtool to install shared objects. Instead, use the new @SHLIB_ENABLE@ that is set to the value of $enable_dlopen. For sudo_noexec.so there is nothing special to do since the install-noexec target is only called when noexec is enabled by configure. [4447190f212b] * configure, configure.ac: Make dynamic shared objects non-writable on HP-UX. Using writable DSOs can substantially increase the load time. [8715aff11063] * include/fatal.h, lib/util/fatal.c, lib/util/util.exp, plugins/sudoers/locale.c, src/locale_stub.c: Add sudo_warn_strerror() that wraps strerror() with calls to setlocale() in sudoers so we always get the error string in the user's locale. Also change _warning() to take the error number as a parameter instead of examining errno. [cc38a8389a7b] 2014-07-03 Todd C. Miller * Makefile.in, lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Avoid a cppcheck warning when NSIG is not defined. [f8e5e92bab60] * include/missing.h: Fix typos in utimes/futimes macros. [10f022d933c2] 2014-07-01 Todd C. Miller * configure: regen [e351d905c0c9] * configure.ac: Fix sudo when --disable-shared configure option was specified. [07899f6b43f0] * configure, m4/libtool.m4: Do not set an internal name for HP-UX modules, only archives. This works around a problem with some versions of HP-UX ld where setting an internal name that doesn't end in .sl causes link errors. [9a049adb22aa] * plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/system_group/Makefile.in: Never build build static versions of other plugins. [52123c4c17bc] * lib/util/Makefile.in: Don't build a static libsudo_util.a unless we are linking sudoers statically. [9c3327977dff] 2014-06-29 Todd C. Miller * configure, configure.ac, lib/util/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Use libtool to install/uninstall the plugins and sudo_noexec. [18ae09c53f2e] * configure, ltmain.sh, m4/libtool.m4: Fix my typos in the HP-UX libtool patch [6e70066d86bb] 2014-06-27 Todd C. Miller * NEWS: Mention Solaris audit. [d90efa19ca16] * INSTALL, MANIFEST, config.h.in, configure, configure.ac, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h: Add Solaris audit support; from Gary Winiger at Oracle. [6f68a27e53f5] * MANIFEST: Sync MANIFEST with file name changes. [d9958df5f9da] * plugins/sudoers/toke.c: regen [ad82b20093c3] * include/sudo_util.h, lib/util/Makefile.in, lib/util/atobool.c, lib/util/atoid.c, lib/util/atomode.c, lib/util/getgrouplist.c, lib/util/gidlist.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/util.exp, plugins/group_file/getgrent.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo_json.c, plugins/system_group/system_group.c, src/sudo.c: atobool -> sudo_strtobool atoid-> sudo_strtoid atomode -> sudo_strtomode [aefe6f09f4a4] * lib/util/alloc.c, lib/util/event_select.c: Fix regexp damage when renaming erecalloc() -> sudo_erecalloc() [d772a34032cc] * src/sudo_edit.c: Handle systems like AIX that lack a way to set the modification time on open fds. [b93c0a55c21b] * MANIFEST: update MANIFEST for alloc.h -> sudo_alloc.h change [ce240c682554] * include/alloc.h, include/sudo_alloc.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/alloc.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/gidlist.c, lib/util/lbuf.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/util.exp, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/sia.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/Makefile.in, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/hooks.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/regress/ttyname/check_ttyname.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/ttyname.c: Add sudo_ prefix to alloc.c functions and rename alloc.h -> sudo_alloc.h [3a19f5391442] * lib/util/fatal.c: Remove extra sudo_ prefix from vfatalxnodebug and vfatalx_nodebug. [819ad8075005] * MANIFEST, include/fileops.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/fileops.c, lib/util/locking.c, lib/util/parseln.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/sudo_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.h, src/Makefile.in, src/sudo.h: Split fileops.c into parseln.c and locking.c [361ea81e88d9] * include/fatal.h, include/gettext.h, lib/util/aix.c, lib/util/alloc.c, lib/util/fatal.c, lib/util/getopt_long.c, lib/util/gidlist.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/sudo_conf.c, lib/util/util.exp, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/hooks.c, src/load_plugins.c, src/locale_stub.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Rename warning/fatal -> sudo_warn/sudo_fatal to avoid namespace pollution in libsudo_util.so. [4eb69f501113] 2014-06-26 Todd C. Miller * include/sudo_util.h, lib/util/term.c, lib/util/ttysize.c, lib/util/util.exp, plugins/sudoers/sudoreplay.c, src/exec_pty.c, src/sudo.c, src/tgetpass.c: Reduce name space pollution in libsudo_util.so [215e4413529a] * src/solaris.c: Use sudo_dso_load() from libsudo_util.so instead of dlopen() since we no longer link sudo directly with libdl.so. [fe6942873c2d] * MANIFEST, Makefile.in, doc/Makefile.in, include/alloc.h, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/compat/sha2.h, include/fatal.h, include/fileops.h, include/lbuf.h, include/missing.h, include/secure_path.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_util.h, install-sh, lib/util/Makefile.in, lib/util/fatal.c, lib/util/getaddrinfo.c, lib/util/pw_dup.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/sudo_dso.c, lib/util/sudo_printf.c, lib/util/term.c, lib/util/util.exp, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/match.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, plugins/system_group/Makefile.in, src/Makefile.in, src/parse_args.c, src/preload.c: Add exported libsudo_util functions to util.exp and mark in headers using __dso_public. [18faff6ab915] * include/fatal.h, lib/util/fatal.c, lib/util/util.exp, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Remove use of setjmp/longjmp in the sudoers plugin. We no longer call fatal() except in the malloc wrappers and due to libsudo_util there is now a single copy of fatal/fatalx. [109407210f9c] * NEWS, configure, configure.ac: Sudo 1.8.11 [5fb775825aab] * include/fileops.h, lib/util/fileops.c, lib/util/util.exp, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/sudo_edit.c: Remove touch() from fileops.c and just call utimes/futimes directly. Rename lock_file -> sudo_lock_file to avoid namespace pollution [ec08128b6900] * MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/fmt_string.c, lib/util/key_val.c, lib/util/util.exp, plugins/sample/sample_plugin.c, plugins/sudoers/policy.c, src/Makefile.in, src/exec_common.c, src/parse_args.c, src/sudo.c: Rename fmt_string -> sudo_new_key_val to better describe its function. [f9061e319cc3] * include/sudo_util.h, lib/util/gidlist.c, lib/util/util.exp, plugins/sudoers/policy.c, src/sudo.c: Rename parse_gid_list -> sudo_parse_gids to avoid namespace pollution. [d88f3cab97e1] * MANIFEST, Makefile.in, include/lbuf.h, include/sudo_lbuf.h, lib/util/Makefile.in, lib/util/lbuf.c, lib/util/util.exp, plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, src/Makefile.in, src/parse_args.c: Don't pollute the namespace with lbuf struct and functions [7859e3c22fb9] * config.h.in, configure, configure.ac, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/missing.h, lib/util/clock_gettime.c, lib/util/closefrom.c, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getgrouplist.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/glob.c, lib/util/inet_pton.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mktemp.c, lib/util/pw_dup.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strsignal.c, lib/util/strtonum.c, lib/util/utimes.c: Prefix all libc replacements with sudo_ and #define the real name to the sudo_ version. That way we don't pollute the libc namespace. [5cf7101479b8] * .hgignore, MANIFEST, Makefile.in, common/Makefile.in, common/aix.c, common/alloc.c, common/atobool.c, common/atoid.c, common/atomode.c, common/event.c, common/event_poll.c, common/event_select.c, common/fatal.c, common/fileops.c, common/fmt_string.c, common/gidlist.c, common/lbuf.c, common/progname.c, common/regress/atofoo/atofoo_test.c, common/regress/sudo_conf/conf_test.c, common/regress/sudo_conf/test1.in, common/regress/sudo_conf/test1.out.ok, common/regress/sudo_conf/test2.in, common/regress/sudo_conf/test2.out.ok, common/regress/sudo_conf/test3.in, common/regress/sudo_conf/test3.out.ok, common/regress/sudo_conf/test4.in, common/regress/sudo_conf/test4.out.ok, common/regress/sudo_conf/test5.err.ok, common/regress/sudo_conf/test5.in, common/regress/sudo_conf/test5.out.ok, common/regress/sudo_conf/test6.in, common/regress/sudo_conf/test6.out.ok, common/regress/sudo_parseln/parseln_test.c, common/regress/sudo_parseln/test1.in, common/regress/sudo_parseln/test1.out.ok, common/regress/sudo_parseln/test2.in, common/regress/sudo_parseln/test2.out.ok, common/regress/sudo_parseln/test3.in, common/regress/sudo_parseln/test3.out.ok, common/regress/sudo_parseln/test4.in, common/regress/sudo_parseln/test4.out.ok, common/regress/sudo_parseln/test5.in, common/regress/sudo_parseln/test5.out.ok, common/regress/sudo_parseln/test6.in, common/regress/sudo_parseln/test6.out.ok, common/regress/tailq/hltq_test.c, common/secure_path.c, common/setgroups.c, common/sudo_conf.c, common/sudo_debug.c, common/sudo_dso.c, common/sudo_printf.c, common/term.c, common/ttysize.c, compat/Makefile.in, compat/charclass.h, compat/clock_gettime.c, compat/closefrom.c, compat/endian.h, compat/fnmatch.c, compat/fnmatch.h, compat/getaddrinfo.c, compat/getaddrinfo.h, compat/getcwd.c, compat/getgrouplist.c, compat/getline.c, compat/getopt.h, compat/getopt_long.c, compat/glob.c, compat/glob.h, compat/inet_pton.c, compat/isblank.c, compat/memrchr.c, compat/memset_s.c, compat/mksiglist.c, compat/mksiglist.h, compat/mksigname.c, compat/mksigname.h, compat/mktemp.c, compat/nss_dbdefs.h, compat/pw_dup.c, compat/regress/fnmatch/fnm_test.c, compat/regress/fnmatch/fnm_test.in, compat/regress/glob/files, compat/regress/glob/globtest.c, compat/regress/glob/globtest.in, compat/sha2.c, compat/sha2.h, compat/sig2str.c, compat/siglist.in, compat/snprintf.c, compat/stdbool.h, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/strtonum.c, compat/timespec.h, compat/utime.h, compat/utimes.c, configure, configure.ac, include/compat/charclass.h, include/compat/endian.h, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/compat/mksiglist.h, include/compat/mksigname.h, include/compat/nss_dbdefs.h, include/compat/sha2.h, include/compat/stdbool.h, include/compat/timespec.h, include/compat/utime.h, lib/util/Makefile.in, lib/util/aix.c, lib/util/alloc.c, lib/util/atobool.c, lib/util/atoid.c, lib/util/atomode.c, lib/util/clock_gettime.c, lib/util/closefrom.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fileops.c, lib/util/fmt_string.c, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getgrouplist.c, lib/util/getline.c, lib/util/getopt_long.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/inet_pton.c, lib/util/isblank.c, lib/util/lbuf.c, lib/util/memrchr.c, lib/util/memset_s.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/fnmatch/fnm_test.in, lib/util/regress/glob/files, lib/util/regress/glob/globtest.c, lib/util/regress/glob/globtest.in, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.in, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.in, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.in, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.err.ok, lib/util/regress/sudo_conf/test5.in, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.in, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/sudo_parseln/test1.in, lib/util/regress/sudo_parseln/test1.out.ok, lib/util/regress/sudo_parseln/test2.in, lib/util/regress/sudo_parseln/test2.out.ok, lib/util/regress/sudo_parseln/test3.in, lib/util/regress/sudo_parseln/test3.out.ok, lib/util/regress/sudo_parseln/test4.in, lib/util/regress/sudo_parseln/test4.out.ok, lib/util/regress/sudo_parseln/test5.in, lib/util/regress/sudo_parseln/test5.out.ok, lib/util/regress/sudo_parseln/test6.in, lib/util/regress/sudo_parseln/test6.out.ok, lib/util/regress/tailq/hltq_test.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/siglist.in, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strsignal.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/sudo_printf.c, lib/util/term.c, lib/util/ttysize.c, lib/util/utimes.c, lib/zlib/Makefile.in, lib/zlib/adler32.c, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzclose.c, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inffast.h, lib/zlib/inffixed.h, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/trees.h, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, po/README, po/ca.mo, po/ca.po, po/cs.mo, po/cs.po, po/da.mo, po/da.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/es.mo, po/es.po, po/eu.mo, po/eu.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/gl.mo, po/gl.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/nb.mo, po/nb.po, po/nl.mo, po/nl.po, po/pl.mo, po/pl.po, po/pt_BR.mo, po/pt_BR.po, po/ru.mo, po/ru.po, po/sl.mo, po/sl.po, po/sr.mo, po/sr.po, po/sudo.pot, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, src/Makefile.in, src/po/README, src/po/ca.mo, src/po/ca.po, src/po/cs.mo, src/po/cs.po, src/po/da.mo, src/po/da.po, src/po/de.mo, src/po/de.po, src/po/eo.mo, src/po/eo.po, src/po/es.mo, src/po/es.po, src/po/eu.mo, src/po/eu.po, src/po/fi.mo, src/po/fi.po, src/po/fr.mo, src/po/fr.po, src/po/gl.mo, src/po/gl.po, src/po/hr.mo, src/po/hr.po, src/po/it.mo, src/po/it.po, src/po/ja.mo, src/po/ja.po, src/po/nb.mo, src/po/nb.po, src/po/nl.mo, src/po/nl.po, src/po/pl.mo, src/po/pl.po, src/po/pt_BR.mo, src/po/pt_BR.po, src/po/ru.mo, src/po/ru.po, src/po/sl.mo, src/po/sl.po, src/po/sr.mo, src/po/sr.po, src/po/sudo.pot, src/po/sv.mo, src/po/sv.po, src/po/tr.mo, src/po/tr.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po, zlib/Makefile.in, zlib/adler32.c, zlib/compress.c, zlib/crc32.c, zlib/crc32.h, zlib/deflate.c, zlib/deflate.h, zlib/gzclose.c, zlib/gzguts.h, zlib/gzlib.c, zlib/gzread.c, zlib/gzwrite.c, zlib/infback.c, zlib/inffast.c, zlib/inffast.h, zlib/inffixed.h, zlib/inflate.c, zlib/inflate.h, zlib/inftrees.c, zlib/inftrees.h, zlib/trees.c, zlib/trees.h, zlib/uncompr.c, zlib/zconf.h.in, zlib/zlib.h, zlib/zutil.c, zlib/zutil.h: Top level directory reorg Move src/po -> po Combine common and compat -> lib/util Move zlib -> lib/zlib [d699ccb60e7e] * configure, ltmain.sh, m4/libtool.m4: libtool patches for HP-UX to support DESTDIR [9df98a9582bd] * pp: Update polypkg from trunk. [4dc362248196] * plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c: Fix sssd compiler warnings and fix the sha2 digest support. [2975b030b298] 2014-06-17 Todd C. Miller * plugins/sudoers/ldap.c: Don't call gss_krb5_ccache_name() with a NULL pointer when restoring the old credential cache file name. This can happen if there was no old name returned by gss_krb5_ccache_name(). Fixes a crash on kerberized LDAP on some platforms. [4090029e463e] 2014-06-04 Todd C. Miller * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/el.mo, plugins/sudoers/po/el.po: Add Greek PO file for sudoers from translationproject.org [6c0cc2def911] 2014-05-28 Todd C. Miller * src/exec.c, src/exec_pty.c: Ignore signals sent by the command's process group, not just the command itself. If we cannot determine the process group ID of the sender (as it may no longer exist), just check the process ID. [7ffa2eefd3c0] 2014-05-27 Todd C. Miller * src/exec.c: In handler_user_only() only forward the signal if it was not generated by the command. This should fix a problem with programs that catch SIGTSTP, perform cleanup, and then re-send the signal to their process group (of which sudo is the leader). [d590c899e194] * src/exec.c, src/exec_pty.c, src/signal.c: Handle EINTR from write(2) when writing to pipes and socket pairs. [d26a40d21d7a] 2014-05-24 Todd C. Miller * MANIFEST, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po: Norwegian Bokmaal translation for sudoers from translationproject.com [92e4aea46c1e] 2014-05-23 Todd C. Miller * MANIFEST, doc/CONTRIBUTORS, src/po/nb.mo, src/po/nb.po: Norwegian Bokmaal translation for sudo from translationproject.com [3497f74028fe] 2014-05-13 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c: Try to be clearer about which are the input and output files in export mode. [66167511a410] * plugins/sudoers/visudo_json.c: In -x mode, require that the input and output files be different. This won't currently catch collisions between the output file and an include file. [0c19b82a75e7] * plugins/sudoers/bsm_audit.h, plugins/sudoers/linux_audit.h: BSM and Linux audit do not yet use the argc function argument. [3291695d1dfb] * plugins/sudoers/audit.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/linux_audit.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Pass argc to audit functions too. Will be needed for Solaris audit support. [d2114897a44e] 2014-05-12 Todd C. Miller * common/fatal.c, include/fatal.h, plugins/sudoers/policy.c: Do not allow the same callback function to be registered more that once in fatal_callback_register(). Add fatal_callback_deregister() to deregister a callback. [eff74fb9d274] * MANIFEST, plugins/sudoers/regress/sudoers/test15.in, plugins/sudoers/regress/sudoers/test15.out.ok, plugins/sudoers/regress/sudoers/test15.toke.ok, plugins/sudoers/regress/sudoers/test16.in, plugins/sudoers/regress/sudoers/test16.out.ok, plugins/sudoers/regress/sudoers/test16.toke.ok: Add trivial sudoedit parsing tests. [291ba6f4d6fd] * MANIFEST, plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po: Catalan translation for sudoers from translationproject.org. [b102f8cfeed1] 2014-05-10 Todd C. Miller * plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/ca.mo, src/po/ca.po, src/po/gl.mo, src/po/gl.po: Sync with translationproject.org [62e5b4842834] 2014-05-09 Todd C. Miller * configure, configure.ac: lockf() is broken on the Hurd -- use flock instead Bug #647 [7b8935a0c8b9] * plugins/sudoers/visudo.c: Don't try to install the temporary sudoers file if we didn't edit it. By default, visudo does not edit files in a #includedir. Fixes a NULL pointer defef on GNU hurd; Bug #647 [3a677c4773e5] 2014-05-07 Todd C. Miller * src/regress/ttyname/check_ttyname.c: When comparing tty names, resolve the tty for fds 0-3 and compare each one instead of just using the first that resolves. [c37946b280a5] * compat/getgrouplist.c, configure, configure.ac: Solaris 8 doesn't export _nss_initf_group() so we need to provide out own for getgrouplist(). [d494b39e9376] 2014-05-06 Todd C. Miller * compat/getgrouplist.c, plugins/group_file/group_file.c, plugins/system_group/system_group.c: deal with NULL gr_mem here too [0db43ed71001] * NEWS, configure, configure.ac: Sudo 1.8.10p3 [3f415a180023] 2014-05-02 Todd C. Miller * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Rename log_warning flags and only send mail if SLOG_SEND_MAIL is set instead of mailing by default like we used to. [5b3882833aa1] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Add log_warningx [feef646cb8b1] * src/exec_pty.c: Add debugging info for when we delete I/O events that still have buffered data in them. [7f17992cdf22] * common/event.c: Fix non-blocking mode. We only want to exit the event loop when poll() or select() returns 0 and there are no active events. This fixes a problem on some systems where the last buffer was not being written when the command exited. [deb6b1a7b241] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Change return value of switch_dir() to an int so we can distinguish between an error and an empty dir in push_includedir(). [d0462b84782e] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move code to fill in the list of dirs out of switch_dir and into its own function. Quiets a false positive from cppcheck which got confused due to variable reuse. [6d6296f46255] * plugins/sudoers/audit.c: Avoid unused variable warning if auditing is not supported. [5e6fd2ffe039] 2014-05-01 Todd C. Miller * plugins/sudoers/Makefile.in: Fix library order when linking binaries. [3fec51f98ae1] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Include limits.h and inttypes.h for SIZE_MAX define. [41f8be660384] * include/missing.h, plugins/sudoers/env.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y: Move SIZE_MAX compat define into missing.h where it belongs. [1bb108cf9df3] 2014-04-30 Todd C. Miller * plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Remove now-unused log_fatal() [53478df3bb1e] * plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/env.c, plugins/sudoers/ldap.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Eliminate calls to fatal()/fatalx()/log_fatal() in env.c and just pass back a return value. [d7f2be8f2740] 2014-04-28 Todd C. Miller * plugins/sudoers/boottime.c, plugins/sudoers/sudoers.h: Make get_boottime() return bool. [9ff15a995d01] * doc/CONTRIBUTORS, plugins/sudoers/boottime.c: Fix fd leak on Linux when determing boot time. This is usually masked by the closefrom() call in sudo. From Jamie Anderson. Bug #645 [0b4c430e8b88] 2014-04-24 Todd C. Miller * plugins/sudoers/audit.c: Handle the (currently impossible) case where both BSM and Linux auditing are supported. Pacifies cppcheck. [899cd6b5e487] * plugins/sudoers/iolog.c: Don't call ferror() on a closed stream, just check the return value of fclose() instead. Found by cppcheck. [e843f3c8f5d8] 2014-04-22 Todd C. Miller * doc/CONTRIBUTORS, plugins/sudoers/auth/pam.c: Use calloc() instead of malloc(n * s) followed by memset(). From Jean-Philippe Ouellet. [f416cebd3d8e] * plugins/sudoers/sudoers.c: Format string safety in error path. [956fd6dbba80] * common/alloc.c, common/event_poll.c, common/gidlist.c, common/sudo_conf.c, include/alloc.h, plugins/sudoers/auth/sia.c, plugins/sudoers/env.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/env_hooks.c, src/exec_common.c, src/parse_args.c, src/selinux.c, src/sudo.c, src/sudo_edit.c, src/ttyname.c: Rename emalloc2() -> emallocarray() and erealloc3() -> ereallocarray(). [db3941093c68] * compat/Makefile.in, mkdep.pl, plugins/sudoers/Makefile.in: Add missing rule for building sha2.lo when not supported by libc or libmd. [70a16e10ddcd] 2014-04-15 Todd C. Miller * plugins/sudoers/sudoers.in: Disable I/O logging for halt and poweroff in addition to reboot in commented out example. [40a7f11686ce] * doc/CONTRIBUTORS, plugins/sudoers/auth/pam.c: Use PAM_REINITIALIZE_CRED instead of PAM_ESTABLISH_CRED when changing the user. This is the correct flag to use with a program that changes the uid like su or sudo and fixes a role problem on Solaris. From Gary Winiger; Bug #642 [ec23c3bf41bb] * plugins/sudoers/defaults.c: pam_setcred should default to true; from Gary Winiger Bug #642 [23e6628ec546] 2014-04-10 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c: Make set_perms() and restore_perms() return an error instead of calling exit() on failure. [b1a1a36abdb4] * plugins/sudoers/sudoers.c: Eliminate calls to fatal() in sudoers.c and just pass back a return value. [e4d87a036f6d] * plugins/sudoers/logging.c: Elimate calls to fatal() in the logging code. [9847acdf7066] 2014-04-09 Todd C. Miller * common/regress/atofoo/atofoo_test.c: Quiet a compiler warning on Solaris. [3b9827834800] * MANIFEST, common/Makefile.in, compat/Makefile.in, compat/sha2.c, compat/sha2.h, config.h.in, configure, configure.ac, m4/sudo.m4, plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/sha2.c, plugins/sudoers/sha2.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move the sha2 code into libreplace and add configure checks for SHA224Update in libc and libmd. Solaris uses "void *" where we use "unsigned char *" so we need a check for that too. Solaris sha2.h defines SHA224, SHA256, SHA384, and SHA512 so rename those tokens. Adapted from changes from Vladimir Marek in bug #641. [cd02732f0704] * MANIFEST, plugins/sudoers/match.c, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test6.sh, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test7.sh: Fix matching of uids and gids broken in sudo 1.8.9. [315eff4add59] * plugins/sudoers/testsudoers.c: Fix -P option in usage() [50753b6222b7] 2014-04-07 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/prompt.c, plugins/sudoers/set_perms.c: Remove a few more unnecessary uses of fatal(). [8cfb205831dc] * plugins/sudoers/auth/sudo_auth.c: Use log_warning() not log_fatal() for the "Invalid authentication methods compiled into sudo" message. We return -1 on error anyway. [c8da5cf74348] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Return MODE_ERROR from sudoers_policy_deserialize_info() instead of calling fatalx(). [6faefdd188f2] * common/gidlist.c, src/sudo.c: parse_gid_list() now returns -1 on error instead of calling fatalx(). [ccf19c4a0d5b] 2014-04-04 Todd C. Miller * src/exec.c: Forward SIGINFO to running command if supported. If the command is being run in the background (or exec_background is set in sudoers), it is the sudo process, not the actual command, that receives the ^T. [d2b020bdf0d5] * plugins/sudoers/defaults.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Remove calls to log_fatal() in I/O log functions and just pass an error back to the caller. [e89593d9dc35] 2014-04-01 Todd C. Miller * common/alloc.c, plugins/sudoers/env.c, plugins/sudoers/linux_audit.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Make "internal error, %s overflow" arguments consistent, using __func__ where possible (when debugging is allowed). [84e2c40d101b] 2014-03-31 Todd C. Miller * plugins/sudoers/toke_util.c, src/net_ifs.c: Use common printf format when warning of buffer overflow prevention. [8b0d732b0eae] * Makefile.in: Remove init.d/*.sh in distclean [99cd1eaf4684] * .hgignore: Correctly ignore init.d/*.sh [04aabe1893e5] * plugins/sudoers/ldap.c: Remove remaining calls to fatalx(); just pass the error to the caller. [a8bcf903d84b] 2014-03-26 Todd C. Miller * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.h: Make a password/group cache collision a warning rather than fatal. This should not be possible in practice and we can safely return the new (potentially duplicate) item as it will be freed by the caller. Make sudo_set_grlist() return an error on failure instead of calling fatalx(). [5e8d3006862d] * plugins/sudoers/timestamp.c: Use log_warning() instead of log_fatal() if the ticket or lecture path is too long and just return an error. This can only happen from a misconfiguration so just ignoring the ticket/lecture file is safe. [864c5de8345b] * plugins/sudoers/find_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: In find_path(), return NOT_FOUND_ERROR instead of calling fatal() if the path is too long. Remove an extraneous check against PATH_MAX in set_cmnd() since find_path() already contains such a check. [183106753690] * plugins/sudoers/sudoers.h: Remove unused MODE_LISTDEFS define and correct a comment. [fb47e59ce5fe] * plugins/sudoers/hexchar.c, plugins/sudoers/match.c, plugins/sudoers/toke_util.c: Make hexchar() return -1 on invalid input instead of calling fatalx(). Callers used to check that the string was hex before calling hexchar(). Now callers must check for a -1 return value instead. [1be217c71ce7] * plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Propagate errors in audit code to caller instead of using fatal(). If we fail to audit an otherwise successful command, return an error from the policy. For Linux audit, sudo may be compiled with audit support but auditing may not be setup, so we don't consider that an error. [9a5753bfcb95] * plugins/sudoers/boottime.c: Remove unused variable on Linux. [f63d7b86797d] * plugins/sudoers/timestamp.c: Fix warning on systems where mode_t is not unsigned int (Solaris). [acd1457c23ec] 2014-03-25 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/sudoers.c: Audit path too long errror. Add comments about non-audit events and placeholders for future audit hooks. [434ee47c83dc] * src/net_ifs.c: Fix aliasing warning in old-style interface probe code. [1d6ce6f46da1] * plugins/sudoers/set_perms.c: Fix some sign comparision warnings. [20c6068db104] * common/aix.c, common/gidlist.c, compat/getgrouplist.c, include/sudo_util.h, src/sudo.c: Don't call fatal/fatalx in common/*.c [ebf5e55a1ec1] 2014-03-19 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/prompt.c, plugins/sudoers/sudoers.h: Fix expansion of %p in the prompt for "sudo -l" when rootpw, runaspw or targetpw is set. Bug #639 [dff0208d1194] 2014-03-17 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.8.10p2 [774ebec63b41] * plugins/sudoers/timestamp.c: Don't write an empty timestamp record when timestamp_timeout is zero. If we find an empty record in the timestamp file, overwrite it with a good one, truncating the file as needed. [9c226d81b660] 2014-03-15 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix typos in description of the -x option. Bug #637 [6ff2bfaaf99d] 2014-03-13 Todd C. Miller * NEWS, configure, configure.ac: Sudo 1.8.10p1 [33828a3385ad] * plugins/sudoers/timestamp.c: Fix typo/thinko that prevented "Defaults !tty_tickets" from working. [f65cc29dbcc7] * plugins/sudoers/parse.c: Fix "sudo -l command" output when the matching command is negated. Bug #636 [b4a92803f733] 2014-03-11 Todd C. Miller * MANIFEST, common/Makefile.in, common/regress/atofoo/atofoo_test.c, common/regress/sudo_conf/test5.err.ok, common/regress/tailq/hltq_test.c: The atofoo_test and hltq_test tests now display their own test error rate. Display pass/fail count separately for sudo_conf and sudo_parseln tests. Check stderr output for the sudo_conf test. [5c814709ac70] * src/Makefile.in: Don't run the check_ttyname test if cross compiling. [874ecc1c3db0] * plugins/sudoers/Makefile.in: CWD no longer used. [13b2f3c4269b] * plugins/sudoers/Makefile.in: Fix diff of toke and err output files in "make check" [485cdf3c75e7] 2014-03-07 Todd C. Miller * src/po/de.mo, src/po/de.po: sync with translationproject.org [d246c72a2350] 2014-03-06 Todd C. Miller * configure, configure.ac: Check whether ber.h is needed before ldap.h even if we are not using any ber functions. Needed for older versions of nss ldap. [c2310324dc34] * plugins/sudoers/sssd.c: Fix compiler warning in debug code. [8ee4cb6cafad] * MANIFEST, NEWS, doc/CONTRIBUTORS, src/po/ca.mo, src/po/ca.po: Catalan translation for sudo from translationproject.org. [d6af7d06ee36] 2014-03-05 Todd C. Miller * NEWS: Document negation fix in JSON output. [37a85423ae49] 2014-03-04 Todd C. Miller * plugins/sudoers/visudo_json.c: Fix handling of '!' operator when converting sudoers. We now add a "negated" boolean flag to objects that have the '!' operator. [071926c10280] 2014-03-01 Todd C. Miller * MANIFEST, NEWS, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po: Czech translation for sudoers from translationproject.org [c0aae297f7c1] 2014-02-28 Todd C. Miller * configure, configure.ac: Try -libmldap before -lldap in case there is no link from libibmldap.so to libldap.so. Since IBM ldap is installed under /opt we should only be able to reach it if --with-ldap was given an explicit path. Only check for ber_set_option() if LBER_OPT_DEBUG_LEVEL is defined. [89d50c29d737] 2014-02-27 Todd C. Miller * plugins/sudoers/set_perms.c: Fix typo in setreuid() PERM_ROOT error message. [533415f53165] * plugins/sudoers/auth/API, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Remove unused FLAG_USER auth flag. We have no auth methods that require that authentication be run as the invoking user. [4a9a9f557cb1] * mkpkg: No longer need to disable setresuid() on debian. [96ba687c35f0] 2014-02-26 Todd C. Miller * plugins/sudoers/timestamp.c: Fix conversion of timestamp_timeout from double to struct timeval. Also quiet a printf format warning on 32-bit systems. [59d1f3094dda] 2014-02-25 Todd C. Miller * MANIFEST, NEWS, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po: Serbian translation for sudoers from translationproject.org. [7134b386d658] 2014-02-24 Todd C. Miller * doc/CONTRIBUTORS: Add Ingo Schwarze [114cdf286987] * NEWS, plugins/sudoers/visudo_json.c: When exporting sudoers in JSON format, use the same type of Options object for both Defaults and Cmnd_Specs. [caa57043e197] 2014-02-17 Todd C. Miller * compat/inet_pton.c: Silence cppcheck false positive. [b2781c42a80f] * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po: sync with translationproject.org [baba43a6d682] * NEWS, doc/UPGRADE: Mention init.d scripts on AIX and HP-UX Mention sudoers group mismatch fix [0259cb1f7cae] * INSTALL: Talk about clearing files at boot time, not reboot time since it happens when the system comes up, not down. [e8e480bc34fd] * plugins/sudoers/sudoers.c: We also need to open the sudoers file as root if there is a GID mismatch. [2fb2ba6fc4e6] * sudo.pp: Install /etc/rc.d/init.d/sudo and /etc/rc.d/rc2.d/S90sudo for AIX rpm packages. [4aca1d318599] 2014-02-16 Todd C. Miller * src/Makefile.in: Remove init.d file and link in uninstall target. [249a9f105cdd] * configure, configure.ac, sudo.pp: Fix INIT_DIR for real this time. [5444eb1afbc5] * configure, configure.ac, sudo.pp: Use correct init.d dir on HP-UX. Fix pp warnings from rc.d and init.d dirs. [809b54ef95f8] * .hgignore, MANIFEST, configure, configure.ac, init.d/aix.sh.in, init.d/hpux.sh.in, src/Makefile.in, sudo.pp: First cut add installing an init.d file for HP-UX and AIX to remove old sudo timestamp files at boot time. [ec6d35c62d88] 2014-02-15 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Use .Ar macro instead of "file ..." Use ".Cm -" instead of ".Li -" for the default login class. From Ingo Schwarze. [f13ea603760e] * doc/sudo.conf.mdoc.in, doc/sudo.mdoc.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in: Remove some extraneous markup; from Ingo Schwarze * No need to explicitly end a macro with No before | because | counts as middle punctuation and falls out of the macro, anyway. * No need to explicitly re-open in-line macros after | because | counts as middle punctuation and the macros resume afterwards, anyway. * Simplify the mnemonic remarks regarding the option letters, no need for manual font and spacing control with No and Ns. * Trim Ns No to just Ns, it already implies No. [cc63d66c6655] * doc/sudoers.man.in, doc/sudoers.mdoc.in: Move zerowidth space in :alpha: after the colon for consistency. [799f6656c6e8] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: regen [14d682732b6f] * doc/sudo.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in: Remove extraneous keeps in SYNOPSIS now that mandoc does implied keeps when converting from mdoc to man. [0f48fc289f29] * doc/sudoers.mdoc.in: Properly escape the : in :alpha: [e41d4533a55f] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Replace some uses of .Sy with .Ar, .Ev and .Pa as appropriate. From Jan Stary. [90ec488905de] 2014-02-12 Todd C. Miller * plugins/sudoers/visudo_json.c: Fix indentation of Defaults entries. The initial indent should be outside the loop iterating over the entries. [dc493c888fb2] 2014-02-11 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po: sync with translationproject.org [fc517bc0908e] * common/aix.c, common/alloc.c, common/atoid.c, common/atomode.c, common/fatal.c, common/gidlist.c, common/sudo_conf.c, common/sudo_debug.c, compat/strsignal.c, compat/strtonum.c, plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/locale_stub.c, src/net_ifs.c, src/sesh.c, src/sudo.h: We must include gettext.h before missing.h as it includes system headers. Also add missing DEFAULT_TEXT_DOMAIN defines in sudoers audit code that does not include sudoers.h. [3ac4aa43ce40] * common/sudo_dso.c: When emulating DSO_NEXT with shl_get() we need to skip the program's handle. This used to be documented as being index -2 but now it seems to be index 0. As this is not guaranteed we need to look up the real handle value for PROG_HANDLE and skip it when interating through all the DSOs. Fixes infinite recursion on HP-UX in the getenv() replacement. [ade1b3045232] * src/env_hooks.c: Export getenv() so it is visible to shared objects we link with. [1ac08446a3a7] 2014-02-08 Todd C. Miller * common/regress/atofoo/atofoo_test.c, common/regress/sudo_conf/conf_test.c, common/regress/sudo_parseln/parseln_test.c, common/regress/tailq/hltq_test.c, plugins/sudoers/regress/parser/check_fill.c: Add some initprogname() calls to the test programs. [e4320585a88b] 2014-02-07 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [038d066a866d] * doc/UPGRADE: Mention that there is now a default LDAP search filter. [6351da3f8377] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Minor word choice change. [7e59ab3eb453] * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c: Add use_netgroups sudoers option. For LDAP-based sudoers, netgroup support requires an expensive substring match on the server. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server. [e6bd6c103390] 2014-02-06 Todd C. Miller * plugins/sudoers/ldap.c: Update copyright year. [1299eed430a5] * NEWS: Mention LDAP changes. [512b1e363587] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: Use a default LDAP search filter of (objectClass=sudoRole). When constructing the netgroup query, add (sudoUser=*) to the query so we don't fall below the 3 character OpenLDAP substring threshold. Otherwise the index for sudoUser will never be used for that query. Pointed out by Michael Stroeder. [54856973af41] * plugins/sudoers/timestamp.c: Don't warn about an insecure lecture dir twice. Display warnings in the user's locale. [2c56b8b6d6f9] 2014-02-05 Todd C. Miller * NEWS: Mention the fix for ^Z at the password prompt when sudo was started in the background. [352d52ad1f7d] * common/term.c, src/exec_pty.c: In term_restore(), only restores the terminal if we are in the foregroup process group. Instead of calling tcgetpgrp(), which is racy, we set a temporary handler for SIGTTOU and check whether it was received after a failed call to tcsetattr(). [94979d51daa2] * MANIFEST, compat/getaddrinfo.c, compat/inet_pton.c, config.h.in, configure, configure.ac, doc/LICENSE, include/missing.h, mkdep.pl, plugins/sudoers/interfaces.c, plugins/sudoers/match_addr.c: Use inet_pton() instead of inet_aton() and include a version from BIND for those without it. [fe61a27c76d3] * common/regress/atofoo/atofoo_test.c: Quiet a gcc warning. [f197821892ea] * compat/getaddrinfo.c: Need to include limits.h for USHRT_MAX. [d1d8bd9a0e01] 2014-02-04 Todd C. Miller * common/term.c, include/sudo_util.h: Use bool for function return values instead of 1 or 0. [99e357c0800b] * configure, configure.ac: Warn the user if the rundir needs to be cleared in the rc files. Neither AIX not HP-UX clear /var/run (if it even exists). [6cdbf57a2f9e] * NEWS: Update for sudo 1.8.9p5 [efb737c32615] * src/preserve_fds.c: When the closefrom limit is greater than any of the preserved fds, the pfds list will be non-empty but lastfd will be -1 triggering an ecalloc(0) assertion. Instead, test for lastfd being -1 and make sure we always update it, even if dup() fails. Also restore initial value of lowfd after we are done relocating. Fixes bug #633 [a11206a31f28] * common/term.c: Document function return values. [267bc85f6fbb] 2014-02-03 Todd C. Miller * src/exec_pty.c: term_restore() now restarts itself so we don't need to do it ourselves. [a17e885d0b0a] * common/term.c: syscall restarting is broken on Mac OS X when interrupted by a tty signal so restart tcsetattr() by hand. For details, see. http://openradar.appspot.com/radar?id=6402578615107584 [3997b2a0577e] * MANIFEST, common/Makefile.in, common/regress/atofoo/atofoo_test.c: Add regress for atobool(), atoid() and atomode() [e1cbdf86d6e2] * plugins/sudoers/Makefile.in: Add back boottime.lo [0b7ddc31e13e] * INSTALL: Mention that rundir and vardir may be the same and what to do if they are. [301df9a31d43] * MANIFEST, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/boottime.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c: Bring back boot time checking code and zero out time stamp files that predate the boot time. This should help systems w/o /var/run where the admin has setup rc.d to clear the timestamp directory. [e09389a8b1ca] * configure, configure.ac: Check libraries for inet_pton() if not in libc. [9f9bd83895e8] 2014-02-02 Todd C. Miller * configure, configure.ac: Fix clock_gettime() detection when it lives in librt. Some systems have inet_aton() in libresolv (older Solaris). [e5f7c8bc9a81] * sudo.pp: Avoid duplicate directories if vardir and rundir are the same. [c5df5ebc191b] * plugins/sudoers/po/sudoers.pot: regen [740b2cc42fea] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Elaborate on time stamp error message causes. [2838fea2e21a] 2014-02-01 Todd C. Miller * sudo.pp: Remove the time stamp dir and its contents when uninstalling. We currently leave the lecture status files installed until there is a better way to detect upgrades. [61532b7113ff] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Update time stamp error messages and regen. [edf570c98cd5] * plugins/sudoers/timestamp.c: Restore warning when sudoers is unable to update the time stamp file. [86648a771250] * INSTALL, Makefile.in, configure, configure.ac, doc/sudoers.mdoc.in, m4/sudo.m4, plugins/sudoers/Makefile.in, sudo.pp: Replace --with-timedir and --with-lecture_dir with --with-rundir and --with-vardir which are the parent directories of the time stamp and lecture dirs. These directories need to be searchable by non-root so that the timestampowner setting can function. [5c38d77a2d0c] * plugins/sudoers/timestamp.c: Fix use of timestampowner in the new time stamp world order. Parent directories for timestampdir and lecture_dir are now created with the execute bit set so that we can traverse them as non-root. [9ff6f07c0a5d] 2014-01-31 Todd C. Miller * common/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in: Regen Makefiles. [59542bcdb222] * common/sudo_debug.c, config.h.in, include/sudo_util.h, plugins/sample/sample_plugin.c: Move ctim_get and mtim_get to sudo_util.h [d565391f5491] * plugins/sudoers/timestamp.c: sprinkle some debug printfs and add function header comments [1842d9b8170d] * plugins/sudoers/timestamp.c: Properly handle the case where /var/run/sudo/ts doesn't exist. [895f3ad6ad60] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: fix typo [50041ebb6ce6] * NEWS: Mention "sudo -K" change. [e99bd7657aae] * doc/UPGRADE: Upgrade info for 1.8.10 [0867718b9af5] 2014-01-30 Todd C. Miller * plugins/sudoers/timestamp.c: Warn on ftruncate failure(). [d2081876da25] * plugins/sudoers/timestamp.c: Fix checking of lecture status. [e12d78234d17] * mkpkg: Do not override timedir on Debian. [283fa2e69a0a] * common/event.c, common/event_select.c, include/missing.h, plugins/sudoers/iolog.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/sudo_edit.c: Use sudo_timeval macros and remove compat macros from missing.h [1de76d8b811e] * INSTALL, MANIFEST, NEWS, compat/Makefile.in, compat/clock_gettime.c, config.h.in, configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/missing.h, include/sudo_util.h, m4/sudo.m4, mkdep.pl, pathnames.h.in, plugins/sudoers/Makefile.in, plugins/sudoers/boottime.c, plugins/sudoers/check.h, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, src/Makefile.in: Switch to new time stamp file format. Each user now has a single file which may contain multiple records when per-tty time stamps are in use (the default). The time stamps use a monotonic timer where available and are once again stored in /var/run/sudo. The lecture status is now stored separately from the time stamps in a different directory. [7e16eb37bacc] * common/atomode.c: Zero out errstr when there is no error; fixes bug #632 [74950ef1a0dc] 2014-01-29 Todd C. Miller * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/check.c: When listing a user's privileges, always prompt the user for their own password, regardless of the value of target_pw, root_pw or runas_pw. [73a13ccc7933] 2014-01-26 Todd C. Miller * configure, configure.ac, plugins/sudoers/interfaces.c, plugins/sudoers/match_addr.c: Use inet_aton() instead of inet_addr() as it allows us to distinguish between the address (or mask 255.255.255.255) and an error. In the future we may consider switching to inet_pton() for IPv4 too. [b6b4e4c77e9a] 2014-01-24 Todd C. Miller * include/missing.h: Fix typo, ULONG_MAX vs. ULLONG_MAX [5d274daa9fb1] * plugins/sudoers/sudo_nss.c: Fix typo in the AIX case. [ee531c950fce] * plugins/sudoers/sudo_nss.c: Size pointer for sudo_parseln() should be size_t not ssize_t. This was already correct for the nsswitch.conf case. [cfaf895c1db4] 2014-01-23 Todd C. Miller * NEWS, common/sudo_conf.c, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, include/sudo_conf.h, src/net_ifs.c: It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting. [e9dc28c7db60] 2014-01-22 Todd C. Miller * plugins/sudoers/match_addr.c: If inet_addr() returns INADDR_NONE, return false instead of iterating through the interfaces looking for a match that will never happen. [1559c301caec] * configure, configure.ac, src/Makefile.in: Add explicit dependency on sudoers.la to sudo target when sudoers is compiled statically into the sudo binary. [d08cc66e18bd] 2014-01-21 Todd C. Miller * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c: Do not assume localtime(), gmtime() and ctime() always return non- NULL. [a1b5b67436de] 2014-01-15 Todd C. Miller * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in: Update copyright years [37d2aaa92544] * plugins/sudoers/visudo_json.c: Eliminate dead store found by clang checker. [86874d5340f1] * NEWS, configure, configure.ac: Update for sudo 1.8.9p4 [f79ab7c6c1c5] * common/sudo_debug.c, include/sudo_debug.h, src/preserve_fds.c: When relocating fds, update the debug fd if it is set so we are guaranteed to get debugging output. [b1deaa472aa6] 2014-01-14 Todd C. Miller * src/exec.c: If the event loop exits due to an error and we are not logging I/O, kill the command if still running. Fixes a bug where sudo could exit while the command was still running. [844018ff8a8c] * src/preserve_fds.c: When relocating preserved fds, start with the highest ones first to avoid moving fds around more than we have to. Now uses a bitmap to keep track of which fds are being preserved. Fixes a bug where the debugging fd could be relocated to the same fd as the error backchannel temporarily, resulting in debugging output being printed to the backchannel if util@debug was enabled. [55e006dbeaf3] * src/preserve_fds.c: When restoring fds traverse list from high -> low, not low -> high to avoid implicitly closing an fd we want to relocate. [6351225f47d7] * src/exec.c: If not logging I/O we may get EOF when the command is executed and the other end of the backchannel is closed. Just remove the backchannel event in this case or we will continue to receive the event. Bug #631 [a204b69d91f7] * src/po/sr.mo, src/po/sr.po: sync with translationproject.org [987087ce4658] 2014-01-13 Todd C. Miller * src/ttyname.c: Fix strtonum() usage when parsing /proc/self/stat on Linux. Bug #630 [3448dffe9701] * NEWS, configure, configure.ac: Update for sudo 1.8.9p3 [22e5a6f69999] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Do not leak old istack if realloc fails; found by cppcheck. Also modify yyless() to avoid a harmless cppcheck warning every time it is used. [021077017a23] * common/term.c: Add suppression line to quiet a bogus (inconclusive) cppcheck warning. [065207271e5d] * plugins/group_file/plugin_test.c: Make this compile again [f0ff8df475e8] * plugins/sudoers/logwrap.c: Remove dead store; found by cppcheck [a59833af3401] * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in: Add cppcheck target to run cppcheck on all source files. [d207c2ef49a2] 2014-01-09 Todd C. Miller * NEWS, configure, configure.ac: Update for sudo 1.8.9p2 [2e7fe6e371a4] * config.h.in, configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4: Update to libtool-2.4.2.418 [d1dbed89d733] * config.guess, config.sub: Update from http://git.savannah.gnu.org/gitweb/?p=config.git [2b5e32d23be5] 2014-01-08 Todd C. Miller * src/sesh.c: Quiet a cppcheck warning about a negative subscript. [ab98b72f5bdf] * src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo_exec.h: Make noexec parameter to sudo_execve() bool. [daa75e4c248a] * plugins/sudoers/sudoreplay.c: Quiet a few innocuous cppcheck warnings. [90ffa16d27b1] * plugins/sudoers/sssd.c: Handle in_res being NULL for sudo_debug_printf() in sudo_sss_filter_result(). [8595cc05d2a8] * plugins/sudoers/iolog.c: When writing length to timing file, use %u not %d as it is unsigned. [a7f2fcb6919e] * plugins/sudoers/visudo_json.c: Close export_fp in the error path too, but do not close stdout. [5c918718ab45] * plugins/sudoers/auth/secureware.c: Move right brace outside #ifdef HAVE_DISPCRYPT; found by cppcheck. [f2619d2eb7a8] * NEWS: Sudo 1.8.9 also fixes bug #617 [cc5c18228719] 2014-01-07 Todd C. Miller * NEWS: The fix for the hang was already in the 1.8.9 tarballs. [f038ebcc1071] * NEWS, configure, configure.ac: Update for sudo 1.8.9p1 [732fca0003cf] * common/atobool.c, common/event.c, plugins/sudoers/iolog.c, plugins/sudoers/parse.h, src/exec.c, src/preserve_fds.c: Update copyright year. [fdeb5956810e] * plugins/sudoers/parse.h: Go back to making the bit fields in struct cmndtag explicitly signed. This fixes a problem on gcc 4.8 (at least) which appears to be treating the value as unsigned by default. [46b9a7bb10ac] * common/atobool.c: Use debug_return_int() instead of bare return for debugging support. [c273f822de5f] 2014-01-06 Todd C. Miller * common/event.c: Fix infinite loop that could be triggered by sudo_ev_loopbreak() and sudo_ev_loopcontinue(). [1723561c46b0] * NEWS: Update for 1.8.9 final. [d49c14d21410] 2014-01-04 Todd C. Miller * plugins/sudoers/iolog.c: Handle a sequence file with no trailing newline. [aa29306e4f6d] 2014-01-03 Todd C. Miller * plugins/sudoers/iolog.c: Truncate io log and timing files on open when recycling them. Only an issue when the sequence number wraps around. [01b2dfe15ff0] * plugins/sudoers/iolog.c: Repair reading of the iolog sequence number that got broken when adding stricter strtoul() checks. [e0f4a11c3437] * src/exec.c: If invoked as sudoedit we can't just exec the command directly since the temporary files need to be updated before sudo exits. [508503be1c4f] * src/preserve_fds.c: Fix restoration of the close-on-exec flag when moving a relocated fd back into its original position. [5572f1f8b48a] 2014-01-02 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add "see below" to reference "Secure editing" section in "Preventing shell escapes". [b2db990a36b3] 2014-01-01 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add initial "Secure editing" section. [0d7a192e0e25] * doc/LICENSE: Update copyright year. [4a639d9207a9] 2013-12-31 Todd C. Miller * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, src/po/eo.mo, src/po/eo.po, src/po/fi.mo, src/po/fi.po: sync with translationproject.org [5c15a411b10d] * plugins/sudoers/policy.c: Make user_cwd and user_tty dynamically allocated even for the "unknown" case. [015454bf97f8] 2013-12-30 Todd C. Miller * configure, configure.ac: Use -fstack-protector-strong in preference to -fstack-protector-all or -fstack-protector. [bdd1066eefc4] * doc/HISTORY: Dell acquired Quest [3d5b7d27a313] 2013-12-29 Todd C. Miller * plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, src/po/ru.mo, src/po/ru.po, src/po/vi.mo, src/po/vi.po: sync with translationproject.org [f964671d08ce] 2013-12-28 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/cs.mo, src/po/cs.po, src/po/da.mo, src/po/da.po, src/po/it.mo, src/po/it.po, src/po/pl.mo, src/po/pl.po, src/po/pt_BR.mo, src/po/pt_BR.po, src/po/uk.mo, src/po/uk.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [5f5becf5fb7a] * doc/sudoers.ldap.cat: regen [77745e6bc0d5] * NEWS: Update for recent changes. [365b9084268a] * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Fix typo; we want setlocale(LC_ALL, "") since we are setting the locale for the first time. [e2b9660e9d48] 2013-12-27 Todd C. Miller * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Use sudoers_initlocale() in main() startup, not sudoers_setlocal() as the latter assumes we are already in the user's locale which may not be the case. For sudoreplay, we can just use setlocale() directly as there is no sudoers locale. [12235e50dea0] 2013-12-24 Todd C. Miller * src/preserve_fds.c, src/sudo.c, src/sudo.h: Redo preserve_fds support to remap high fds so we can get the most out of closefrom(). The fds are then restored after closefrom(). [7d712ec49db7] * plugins/sudoers/Makefile.in: Fix install-plugin when sudoers is compiled statically. [36a8bf3b588d] 2013-12-20 Todd C. Miller * MANIFEST, common/sudo_debug.c, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_debug.h, include/sudo_plugin.h, src/Makefile.in, src/exec.c, src/exec_pty.c, src/preserve_fds.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Add support for preventing fds from getting clobbered by closefrom(). [269f45964ff0] 2013-12-19 Todd C. Miller * plugins/sudoers/Makefile.in: regen [b8f458379b5b] 2013-12-18 Todd C. Miller * common/alloc.c: Need to include limits.h here too. [b53c6edef597] 2013-12-17 Todd C. Miller * config.h.in, configure, configure.ac, plugins/sudoers/parse.h: No need to use __signed. [05f9648d1953] * plugins/sudoers/regress/logging/check_wrap.c: Need limits.h here too. [54aac3bbf66a] * compat/closefrom.c: Still need limits.h here. [0abc6b2be208] * plugins/sudoers/po/sudoers.pot: regen [386b47ced07f] * compat/closefrom.c: Go back to using /proc/self/fd instead of /proc/$$/fd as only AIX lacks /proc/self and it has F_CLOSEM. [b5735fbcfdce] 2013-12-16 Todd C. Miller * plugins/sudoers/visudo_json.c: Use a switch to map digest type to name instead of an array of strings. [ab17ceb4dd60] * compat/closefrom.c: Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. [e70df3b3144b] * compat/snprintf.c: Remove _MAX and _MIN compat; we rely on missing.h for that. We already require the compiler handle long long so there's no need to use HAVE_LONG_LONG_INT everywhere. [2bda15071439] * common/ttysize.c, include/missing.h: Remove _MAX and _MIN defines that any system from the last 20 years should have. Add ULLONG_MAX in case it is missing. [2db0cee4aaa8] * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Change visudo -x to take a file name argument, which may be '-' to write the exported sudoers file to stdout. [84cb72c3c391] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/regress/ttyname/check_ttyname.c: Move symbol extern defs into sudoers.h [b631a0b57fae] * plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/logging/check_wrap.c: Add missing sudo_util.h [ed0edc2e2d0c] 2013-12-14 Todd C. Miller * plugins/sudoers/sudoreplay.c: Warn if the time stamp in the I/O log file does not fit in time_t. Warn if the info line is not well-formed instead of silently ignoring it. [37a050de5be5] 2013-12-13 Todd C. Miller * common/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Rename libcommon libsudo_util [df3ffd4229e5] 2013-12-12 Todd C. Miller * MANIFEST, common/Makefile.in, common/aix.c, common/atobool.c, common/atoid.c, common/atomode.c, common/fmt_string.c, common/gidlist.c, common/progname.c, common/setgroups.c, common/sudo_conf.c, common/term.c, common/ttysize.c, include/missing.h, include/sudo_util.h, plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, src/Makefile.in, src/sudo.h: Move prototypes for functions provided by libcommon that don't have their own header files into sudo_util.h. [43f423a24416] 2013-12-11 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/mkdefaults: Now that we have proper number parsing functions we should store T_UINT defaults values as unsigned int, not int. [67d8c2244f1d] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Don't use int where we really mean enum def_tuple. When this code was written it was assumed that we may have multiple tuple types. However, that hasn't happened and probably never will. [8491f970f343] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Regen after string parsing changes. [fd6bf79c3286] * common/atoid.c, common/atomode.c, compat/strtonum.c, configure, configure.ac, include/missing.h, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/sudoreplay.c, src/parse_args.c, src/ttyname.c: The OpenBSD strtonum() uses very short error strings that can't be translated usefully. Convert them to longer strings on error. Also use the longer strings for atomode() and atoid(). [dace028594da] 2013-12-10 Todd C. Miller * MANIFEST, common/Makefile.in, common/atoid.c, common/atomode.c, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h: Add atomode() function for parsing a file mode. [44e29629aa5e] * common/sudo_conf.c, common/ttysize.c, compat/Makefile.in, compat/closefrom.c, compat/getaddrinfo.c, compat/strtonum.c, configure, configure.ac, include/missing.h, plugins/sudoers/boottime.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/match_addr.c, plugins/sudoers/policy.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoreplay.c, plugins/system_group/system_group.c, src/parse_args.c, src/sudo.c, src/ttyname.c: Use strtonum() instead of atoi(), strtol() or strtoul() where possible. [e4a1fc84b893] * MANIFEST, compat/Makefile.in, compat/strtonum.c, config.h.in, configure, configure.ac, include/missing.h, mkdep.pl: Add strtonum.c to compat for simpler number parsing. [a4c69b003da0] 2013-12-09 Todd C. Miller * src/exec_common.c: Fix a warning on Solaris, we need to use debug_return_const_ptr. [932aa94c0cac] * plugins/sudoers/Makefile.in: check_symbols needs to link with SUDO_LIBS in order to get -lpthread on HP-UX for libldap (which uses threads). It would be better to have a separate variable for the pthread library but this is no worse than it used to be. [94591b765371] 2013-12-08 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: add missing comma [7dcbd1c6dd25] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Make -c option description more accurate. [3f305ae6037e] 2013-12-07 Todd C. Miller * doc/CONTRIBUTORS, plugins/sudoers/sudoers.c: When checking whether a user may change the login class, just check pw_uid of the runas user, which was passed in to set_loginclass(). [aaf736440441] 2013-12-06 Todd C. Miller * plugins/sudoers/visudo_json.c: Use atoid() when parsing user/group IDs and print them as unsigned int. [40c77459a36a] 2013-12-05 Todd C. Miller * plugins/sudoers/sudoreplay.c: Correctly parse 64-bit times in I/O log files. [d053ee75adc3] * compat/getgrouplist.c, plugins/group_file/getgrent.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Use atoid() not atoi() when parsing uids/gids. [491146596626] * plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h: Better match debugging. Sprinkle const in match functions. [4cd8d793f165] 2013-12-04 Todd C. Miller * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document that plugins can be compiled statically into the sudo binary. [434061cf909f] 2013-12-03 Todd C. Miller * plugins/sudoers/sssd.c: sudo_sss_filter_user_netgroup(): fix comment typos, break out of loop early if we match ALL or netgroup. [0691731f4b12] * plugins/sudoers/sssd.c: When filtering netgroups, use the passwd struct stashed in the handle, not user_name since we may be listing another users privileges. [f2669cf7b70c] * mkpkg: RHEL 6 and above builds sudo with SSSD support [afc3d894851e] * plugins/sudoers/sssd.c: Avoid passing NULL domainname to sudo_debug_printf(). [b08abe5e6d23] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document sssd debug subsystem. [250c3ab1bcf0] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Document "event" debug subsystem. [85d220b48edc] * plugins/sudoers/match.c: Use atoid() instead of atoi() when parsing uids/gids so we get proper range checking. [5c3e2f3f6cb9] * plugins/sudoers/sssd.c: Add user netgroup filtering for SSSD. Previously, rules for a netgroup were applied to all even when they did not belong to the specified netgroup. RedHat Bugzilla 880150. [784848b5462c] * plugins/sudoers/sssd.c: Fix several issues found by the clang static analyzer; Daniel Kopecek [520261dd7461] 2013-12-02 Todd C. Miller * README.LDAP: Mention how to dump sudoers info from LDAP. [a53c93790a30] * src/exec_common.c: On Solaris, disabling the proc_exec privilege appears to interfere with DAC file permissions. Adding DAC override permissions to the inheritable set works around this for commands run as root without giving extra permissions to other users. Bug #626 [391ad44026c3] 2013-12-01 Todd C. Miller * MANIFEST, common/Makefile.in, common/progname.c, compat/Makefile.in, compat/getprogname.c, configure, configure.ac, include/missing.h, mkdep.pl, plugins/sample/sample_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/ttyname/check_ttyname.c, src/sudo.c: Instead of setprogname(), add initprogname() which gets the program name for getprogname() using /proc or pstat() if possible. [e2d48d81456f] 2013-11-30 Todd C. Miller * src/ttyname.c: Ignore EOVERFLOW from pstat_getproc(). The HP-UX kernel appears to return this in certain situations but it appears to be harmless at least insofar as retrieving the tty goes. [105bea4e1c20] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/cs.mo, src/po/cs.po, src/po/eo.mo, src/po/eo.po, src/po/fi.mo, src/po/fi.po, src/po/it.mo, src/po/it.po, src/po/pl.mo, src/po/pl.po, src/po/pt_BR.mo, src/po/pt_BR.po, src/po/ru.mo, src/po/ru.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: Sync with translationproject.org [3694d7ad4c9d] 2013-11-28 Todd C. Miller * plugins/sudoers/visudo.c: Add missing newline in help message after export option. [1c0bff0c181e] 2013-11-26 Todd C. Miller * configure, configure.ac, plugins/sudoers/Makefile.in, src/Makefile.in: Do not add LIBDL to SUDO_LIBS or SUDOERS_LIBS in configure, do it in Makefile.in so we can make it last. Fixes a linking problem on Ubuntu precise. [f8d3bddbe742] 2013-11-25 Todd C. Miller * configure, m4/ax_func_getaddrinfo.m4: Do not rely on NULL being defined for getaddrinfo() test. Fixes the check on HP-UX 11.23. [a5dcf0283693] 2013-11-24 Todd C. Miller * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Regen for sudo 1.8.9b1 [945f27a7aa1c] * src/po/de.mo, src/po/de.po, src/po/sr.mo, src/po/sr.po: Sync with translationproject.org [52abae16ccfa] 2013-11-22 Todd C. Miller * INSTALL, MANIFEST, NEWS, common/Makefile.in, common/sudo_dso.c, compat/Makefile.in, compat/dlfcn.h, compat/dlopen.c, config.h.in, configure, configure.ac, include/sudo_dso.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/sssd.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, src/Makefile.in, src/env_hooks.c, src/load_plugins.c, src/preload.c, src/sudo.c, src/sudo.h: Add wrapper functions for dlopen() et al so that we can support statically compiling in the sudoers plugin but still allow other plugins to be loaded. The new --enable-static-sudoers configure option will cause the sudoers plugin to be compiled statically into the sudo binary. This does not prevent other plugins from being loaded as per sudo.conf. [9425770e9d2b] 2013-11-21 Todd C. Miller * plugins/sudoers/visudo_json.c: Handle non-unix groups correctly. Get rid of runasuser and runasgroup types and use username and usergroup instead. The fact that the user or group is inside a Runas_List doesn't affect its underlying type. [ea1789258c11] 2013-11-20 Todd C. Miller * plugins/sudoers/visudo_json.c: Simplify Defaults list option object. The name and value strings are superfluous. [5852b0184669] * compat/dlopen.c: Back out unintended change. [85156e49e96e] * MANIFEST, aclocal.m4, configure, configure.ac, m4/ax_func_getaddrinfo.m4: Add dedicated test for getaddrinfo(). Tru64 UNIX contains two versions of getaddrinfo and we must include netdb.h to get the proper definition. [9882e3e1e8e3] * compat/dlopen.c, plugins/sudoers/regress/check_symbols/check_symbols.c: Define RTLD_GLOBAL for older systems without it. Bug #621 [ed38ac84f1da] 2013-11-19 Todd C. Miller * compat/snprintf.c, include/missing.h: Rename snprintf replacement rpl_snprintf since we may now replace the libc version and #define rpl_snprintf snprintf in missing.h so we get our version when needed. This is consistent with how we replace glob and fnmatch. [309aa17d0dfe] * common/Makefile.in, common/regress/sudo_conf/conf_test.c, common/regress/sudo_parseln/parseln_test.c, common/regress/tailq/hltq_test.c, src/Makefile.in: libcommon tests need locale_stub.lo to link. [baae40f36de5] * MANIFEST, aclocal.m4, compat/snprintf.c, config.h.in, configure, configure.ac, m4/ax_func_snprintf.m4: Add check for C99 compliant (v)snprintf function. [79e02551543c] * compat/sig2str.c, configure, configure.ac: Include unistd.h in sig2str.c for Tru64 as it defines SIGRTMIN and SIGRTMAX in terms of sysconf(), which is prototyped in unistd.h. Bug #621; from Daniel Richard G. [2a59ccb8c966] * include/gettext.h, plugins/sudoers/locale.c, src/locale_stub.c: Add definition of U_ for --disable-nsl Don't define warning_gettext if --disable-nsl Bug #621; from Daniel Richard G. [c0054eb89c2b] 2013-11-18 Todd C. Miller * plugins/sudoers/visudo_json.c: When merging Defaults entries we need to check the type of the next entry and not just assume it is the same as the previous one. [e97d9b9cf0d5] * plugins/sudoers/visudo_json.c: runasgroups not runasgroup in the Cmnd_Spec. [92ea5dc20e4d] * plugins/sudoers/visudo_json.c: Fix some syntax errors and change how lists are handled. [027b8dea44b2] * common/sudo_debug.c, config.h.in, configure, configure.ac, include/fatal.h, include/sudo_debug.h: Allow sudo to compile without variadic macro support in cpp. Debugging support will be limited (no file info from warnings.) From Daniel Richard G.; Bug #621 [51b8b868cd4b] * Makefile.in, common/aix.c, common/fatal.c, common/gidlist.c, common/sudo_conf.c, include/fatal.h, include/gettext.h, include/missing.h, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/load_plugins.c, src/locale_stub.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/utmp.c: Add warning_gettext() wrapper function that changes to the user locale, then calls gettext(). Add U_ macro that calls warning_gettext() instead of gettext(). Rename warning2()/error2() back to warning_nodebug()/error_nodebug(). [f3bb207db201] 2013-11-17 Todd C. Miller * common/fileops.c, compat/getaddrinfo.c, compat/mktemp.c, compat/utimes.c, configure.ac, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.h, plugins/sudoers/sssd.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/preload.c, src/sudo.c, src/sudo_edit.c, src/ttyname.c, src/utmp.c: Fix some #if vs. #ifdef and remove an extraneous semicolon. Bug #624; from Daniel Richard G. [b212e4694018] * include/sudo_debug.h, plugins/sudoers/defaults.c, plugins/sudoers/ldap.c, src/exec_common.c: Add debug_return_const_str and debug_return_const_ptr for returning a const string or pointer. Using const for the normal versions produces warnings with the Tru64 compiler. [45018a149cb4] * common/event_poll.c, compat/getaddrinfo.c, config.h.in, configure, configure.ac, m4/sudo.m4: Fixes for building under Tru64; from Daniel Richard G. Bug #624 [fc4a6cbae1ba] 2013-11-16 Todd C. Miller * plugins/sudoers/logging.c: log_{fatal,warning} now logs to the debug file itself. log_{fatal,warning} now calls warningx2() after setting the locale itself instead of using the wrapper macros. This removes the only use of warningx(ngettext(...)). [930129361e0a] 2013-11-15 Todd C. Miller * configure, configure.ac: Add -Wpointer-arith to --enable-warnings [2043ae306d1b] * configure, configure.ac: Fix more instances of #include directives where the '#' was not in column 1. From Daniel Richard G. (bug #622) [75f36f39dcab] * MANIFEST, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: Add support to visudo to export sudoers in JSON format. [1697b2b4bfd2] 2013-11-13 Todd C. Miller * plugins/sudoers/parse.h: Remove unused digest field from struct cmndspec, the digest really lives in struct sudo_command. [e9a1e2e112d6] * config.h.in, configure: Regen with autoconf 2.69 [275f69f98f9e] * MANIFEST, Makefile.in, config.h.in, configure.ac, configure.in, doc/Makefile.in: Rename configure.in -> configure.ac [0aeafe425373] * MANIFEST, aclocal.m4, autogen.sh, config.h.in, configure, configure.in, ltmain.sh, m4/sudo.m4: From Daniel Richard G. (bug #622) Add an autogen.sh script that rebuilds the autoconf world. Move old aclocal.m4 contents to m4/sudo.m4. New (generayed) aclocal.m4 contains the m4_include directives. Some tests had #include directives where the '#' was not in column 1. Updated obsolete macro usage via autoupdate. [5fe8de5a56df] 2013-11-12 Todd C. Miller * src/sudo_exec.h: Very old systems (pre XPG 4.2) may not support MSG_WAITALL. The likelihood of receiving a partial message is quite low so this is not a big deal. [900a304f9548] * configure, configure.in: HP-UX may require _XOPEN_SOURCE_EXTENDED to be defined for MSG_WAITALL to be visible. [f08b1a00a30a] * MANIFEST, plugins/sudoers/regress/visudo/test5.out.ok, plugins/sudoers/regress/visudo/test5.sh: Add regress test for bug #623 [8e83cfccaf14] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Cope with a comment on the last line of the file with no newline. Bug #623 [f826243bc4e6] * compat/getaddrinfo.c: Include arpa/inet.h for HP-UX; from Daniel Richard G. [d4d7a4303bae] * doc/Makefile.in: Add missing $(mansrcdir) to visudo.mdoc and visudo.man. From Daniel Richard G. [f664c8d2f961] 2013-11-11 Todd C. Miller * include/fatal.h: In v{warning,fatal}x?() make a new copy of ap for the debug functions. It is not legal to use ap twice without reinitializing it. Noticed by Daniel Richard G. [6ca8bc48ecb3] * include/fatal.h: Remove errant warning_restore_locale() call. [4ef7aecefcbb] * include/missing.h, plugins/sudoers/logging.c: Move va_copy compat macro to missing.h [c873e4cc4c8a] * common/Makefile.in, compat/Makefile.in, mkdep.pl, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in: Uniquify header dependencies so we don't end up with duplicates when a header file includes other headers. The header dependencies are sorted so the generated order is stable. [95747db2f07a] * compat/Makefile.in, configure, configure.in, doc/CONTRIBUTORS, mkdep.pl: Add getaddrinfo.lo to LTLIBOBJS for systems that need it. From Daniel Richard G. [e94ee99a52a9] * plugins/sudoers/testsudoers.c: Fix pasto [5262735e78e0] 2013-11-07 Todd C. Miller * doc/sudoers.mdoc.in: Fix typo. [6b11a4eec6b6] 2013-11-04 Todd C. Miller * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: regen [995ca9f21862] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c: Fix warnings from -Wold-style-definition [a748c5c7b423] * configure, configure.in: Add -Wold-style-definition to --enable-warnings [0484de0deb59] * common/event_poll.c: Extra debugging for ready fds. [91fb85cdecbb] * common/event_select.c: When deleting an event, check ev->events to determine whether to remove from readfds or writefds instead of blinding removing from both. Also fix highfd adjustment. [7384db65ca9c] 2013-11-02 Todd C. Miller * common/event_select.c: Only check an fd that is >= 0. Timeout-only events may have a negative fd. [fa0e5cbc3cc2] 2013-11-01 Todd C. Miller * common/event.c: Don't call sudo_ev_{add,del}_impl() for timeout-only events. This makes it possible to pass sudo_ev_alloc() an fd of -1 for events only use SUDO_EV_TIMEOUT. [6838657a1a2f] 2013-10-31 Todd C. Miller * common/alloc.c, common/event_select.c, include/sudo_event.h: Make a copy of readfds/writefds before calling select() instead of calculating it each time. Keep track of high fd in the base. [6048b78f2e94] 2013-10-30 Todd C. Miller * doc/CONTRIBUTORS: Add Stephen Gelman [0028c7a91a4f] * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: Fix sign comparison warning. [914cb36b9ed2] * plugins/sudoers/sudoreplay.c: Fix potential NULL dereference in non-interactive mode. [9233428d3f32] 2013-10-29 Todd C. Miller * src/exec.c, src/exec_pty.c: Use MSG_WAITALL when receiving struct command_status over the Unix domain socket since we no longer use datagrams. This should avoid the need to handle incomplete reads, though in theory it is still possible. [28a92888a908] * plugins/sudoers/sudoreplay.c: SIGKILL is not catchable [79f82e4cb11d] * common/event.c, include/sudo_event.h, plugins/sudoers/sudoreplay.c: Add sudo_ev_get_timeleft() to get the amount of time left before an event times out and use it in sudoreplay. [d5b17ee30fa4] 2013-10-28 Todd C. Miller * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c: If the user presses or in sudoreplay, skip to the next event. Useful for skipping past long pauses in the data. [43343f45c94d] * common/event.c, common/event_poll.c, common/event_select.c: Fix sudo_ev_scan_impl() return value in event_poll.c. Make sure we clear active flag from unprocessed events if sudo_ev_loopbreak() or sudo_ev_loopcontinue() are used. Remove bogus optimization when the timeout is zero or negative; it could prevent an I/O event from being triggered. [a13603fb3134] * plugins/sudoers/sudoreplay.c: Move session replay into its own function. [e323f7729595] * common/event.c, common/event_poll.c, common/event_select.c, include/sudo_event.h: Get rid of cur and pending pointers in struct sudo_event_base. We now pop the first event off the active queue instead of using a foreach loop with deferred removal of the event. Add SUDO_EVQ_INSERTED and SUDO_EVQ_TIMEOUTS flags to indicate that the event on the event queue and timeouts queue respectively. No longer need to compare the timeout to {0,0} or compare the event's base pointer to NULL to determine queue membership. [f2b2251fd523] * common/event_poll.c: rename sudo_ev_loop_impl() -> sudo_ev_scan_impl() [614faaff04e3] * MANIFEST, common/event.c, common/event_poll.c, common/event_select.c, compat/Makefile.in, compat/nanosleep.c, config.h.in, configure, configure.in, include/missing.h, include/sudo_event.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/sudoreplay.c, src/exec.c, src/exec_pty.c: Add support for libevent-style timed events. Adding a timed event is currently O(n). The only consumer of timed events is sudoreplay which only used a singled one so O(n) == O(1) for now. This also allows us to remove the nanosleep compat function as we now use a timeout event instead. [db41c08e92dc] 2013-10-26 Todd C. Miller * src/exec.c, src/exec_pty.c: Now that sudo_ev_base_free() removes all events before freeing we don't need to do this by hand. [b59d43658c5f] * common/event.c, common/event_poll.c, common/event_select.c, include/sudo_event.h: Add a list of active events in the base that the back end sets when it calls poll or select. This allows the front end to iterate over the events instead of having that code in both back ends. It will also simplify support for timeout events. Also make sure we can't touch freed memory if a callback frees its own event. [933b99b3f2bc] * common/event.c: Remove any existing events before freeing the event base. [2543c6620cf1] 2013-10-25 Todd C. Miller * src/exec_pty.c: mon_handler() should be static [b1a62ef65c96] 2013-10-24 Todd C. Miller * plugins/sudoers/ldap.c: If user specified start_tls and ldaps, display a warning and ignore start_tls. There's no reason to make this a fatal error. [bf446dd1e740] * src/exec_pty.c: Add missing else when the connection from the monitor to the parent sudo process is broken (due to the parent dying). Prevents a spurious "unexpected reply type on backchannel" warning. [5c44053cef08] * src/exec_pty.c: When flushing output we don't care whether we are the foreground process or not, we still need to flush to /dev/tty. If we are in the background, it is OK to get SIGTTOU. [9716892d1fb5] * plugins/sudoers/ldap.c: Should not attempt start_tls on an ldaps connection. [9d01d461c52c] 2013-10-23 Todd C. Miller * plugins/sudoers/regress/parser/check_fill.c: Fix sign compare warning. [6130fa8df758] * doc/Makefile.in: Eliminate warning about circular dependency from GNU make. [7ed5df762089] * plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, src/ttyname.c: More sign compare fixes. On Solaris id_t is signed so use uid_t in the set_perms.c ID macro instead. [8166dcc50d0b] * common/fileops.c, common/lbuf.c, common/secure_path.c, common/sudo_debug.c, include/secure_path.h, plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, src/load_plugins.c, src/sudo.c, src/ttyname.c: Quiet sign comparision warnings. [e34f45dad10c] * configure, configure.in: Add -Wsign-compare to --enable-warnings [d560e274a6ae] * plugins/sudoers/ldap.c: Ignore SIGPIPE when connecting to the LDAP server so we can get a proper error message with the IBM LDAP libs. Also return LDAP_SUCCESS instead of 0 from most sudo_ldap_* functions that return an int. [611a4ed9b8ee] * plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c: Quiet compiler warnings. [7d82dcca7126] 2013-10-22 Todd C. Miller * plugins/sudoers/ldap.c: sudo_ldap_parse_uri() should join multiple URIs in the string list together but it was clearing the host entry each time through the loop. Fixes a bug with multiple URI entries in ldap.conf where only the last one was being honored. [83cee19b136d] * src/exec_pty.c: Avoid a double free introduced when plugging a memory leak in safe_close(). A new ev_free_by_fd() function is used to remove and free any events sharing the specified fd. This can be used after safe_close() to make sure we don't try to select() on a closed fd. [54f48a281147] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, src/exec.c: Quiet some llvm check false positives. The common idiom of using TAILQ_FIRST, TAILQ_REMOVE and free in a loop to free each entry in a TAILQ confuses llvm. Use TAILQ_FOREACH_SAFE instead (which is probably faster anyway). [bd1b8c11f416] * plugins/sudoers/auth/pam.c: If pam_open_session() fails don't call pam_getenvlist() with a NULL pam handle. [352e0329acba] * plugins/sudoers/defaults.c: Fix newly introduced use after frees found by llvm checker. [a81080230f1f] * common/event_select.c: Remove an errant list_next() call that should have been removed in the TAILQ conversion. [3bbf8d117ce4] * MANIFEST, common/Makefile.in, common/list.c, common/regress/tailq/hltq_test.c, include/list.h, include/queue.h, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add "headless" tail queues and use them in place of the semi- circular lists in sudoers. Once the headless tail queue is built up it is converted to a normal TAILQ. This removes the last consumer of list.c and list.h so those can now be removed. [5986ba762a24] * common/Makefile.in, common/fatal.c, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/ldap.c, plugins/sudoers/match_addr.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, src/Makefile.in, src/exec_pty.c, src/hooks.c: Use SLIST and STAILQ macros instead of doing headless singly linked lists manually. As a bonus we now use a tail queue for ldap.c and sudoreplay.c. [c31bc2d99082] * MANIFEST, common/Makefile.in, common/event.c, common/event_poll.c, common/event_select.c, common/list.c, common/regress/sudo_conf/conf_test.c, common/sudo_conf.c, doc/LICENSE, include/list.h, include/missing.h, include/queue.h, include/sudo_conf.h, include/sudo_event.h, plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c, src/Makefile.in, src/exec.c, src/exec_pty.c, src/load_plugins.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: Convert sudo to use BSD TAILQ macros instead of home ground tail queue functions. This includes a private queue.h header derived from FreeBSD. It is simpler to just use our own header rather than try to deal with macros that may or may not be present in various queue.h incarnations. [450bce095d7c] 2013-10-21 Todd C. Miller * plugins/sudoers/sudoreplay.c: Fix AND operator broken by changes to fix OR. [a4d3485ee943] 2013-10-19 Todd C. Miller * plugins/sudoers/sudoreplay.c: Fix OR operator. [f5c1c90ee284] 2013-10-18 Todd C. Miller * src/exec_pty.c: Fix memory leak of I/O buffer events in safe_close(). [08cd790cfbba] 2013-10-16 Todd C. Miller * common/sudo_debug.c: Don't allow the debug subsystem to be initialized twice. Otherwise we can exhuast our stack when built in static mode. [fadacb6a4617] * common/event_poll.c: Make sure we do not try to usie index -1 in base->pfds[]. [beeb922aba3f] 2013-10-14 Todd C. Miller * NEWS, configure, configure.in: Bump version to 1.8.9 [758dbb464796] 2013-10-12 Todd C. Miller * src/exec_pty.c: Convert the monitor process to the event subsystem. [c4fe8e2ba53c] * src/exec.c, src/exec_pty.c, src/sudo_exec.h: Convert the main sudo event loop to use the event subsystem. Read events for I/O buffers are added before the loop starts. Write events are added on demand as the buffers are filled. [72a603e997e0] * INSTALL, MANIFEST, common/Makefile.in, common/event.c, common/event_poll.c, common/event_select.c, common/list.c, common/sudo_debug.c, config.h.in, configure, configure.in, include/list.h, include/sudo_debug.h, include/sudo_event.h, mkdep.pl, plugins/sudoers/Makefile.in, src/Makefile.in, src/exec_pty.c: Simple event subsystem that uses poll() or select(). Basically a simplied subset of libevent2. Currently only fd events are supported (since that's all we need). The poll() backend is used by default, except on Mac OS X where poll() is broken for devices (including /dev/tty and ptys). [8773142b4117] * src/exec.c, src/exec_pty.c: Use SOCK_STREAM for socketpair, not SOCK_DGRAM so we get consistent semantics when the other end closes. This should make the conversion to poll() less problematic. [b6a321722a91] 2013-10-06 Todd C. Miller * common/sudo_debug.c: Fix removal of trailing newlines in a debug message. [6f5ce5ac64e0] 2013-10-04 Todd C. Miller * plugins/sudoers/visudo.c: When checking for unused Runas_Aliases, count those used as part of a Runas Group too. Fixes a false positive warning. [f13271a4a377] 2013-09-29 Todd C. Miller * include/missing.h: Include stddef.h for rsize_t and errno_t on systems that support it natively. [bc547d47e9c6] * MANIFEST: Fix braino. [67b79747312f] * plugins/sudoers/po/da.mo, plugins/sudoers/po/de.mo, plugins/sudoers/po/eo.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/it.mo, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/vi.mo, plugins/sudoers/po/zh_CN.mo: Rebuild message catalog files. [0a9befb0674e] * src/po/da.mo, src/po/eo.mo, src/po/fi.mo, src/po/it.mo, src/po/pl.mo, src/po/pt_BR.mo, src/po/ru.mo, src/po/uk.mo, src/po/vi.mo, src/po/zh_CN.mo: Rebuild message catalog files. [25191089ddf2] * MANIFEST, NEWS, doc/CONTRIBUTORS, src/po/cs.mo, src/po/cs.po: Czech translation for sudo from translationproject.org. [8bc0ed069ddb] 2013-09-18 Todd C. Miller * plugins/sudoers/po/da.po, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.po, src/po/da.po, src/po/eo.po, src/po/fi.po, src/po/it.po, src/po/pl.po, src/po/pt_BR.po, src/po/ru.po, src/po/uk.po, src/po/vi.po, src/po/zh_CN.po: Sync with translationproject.org [c16f9bb4579e] * NEWS, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Change "next" back to 2. In the context of "next Friday" we really do want the friday of the upcoming (not current) week. Unfortunately, this means that things like "next week" and "next year" will match one more than we really want. Fixing this will require some fairly major changes to the grammar. [7f863c930121] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Mention that relative times don't always do what you might expect. [710a9b0dd36f] 2013-09-17 Todd C. Miller * doc/CONTRIBUTORS: Add diacritical for Zdenek Behan. [78d333f88e6c] 2013-09-11 Todd C. Miller * src/regress/ttyname/check_ttyname.c: Do not fail if ttyname() cannot determine the tty but sudo can. Should fix problems with running "make check" under pbuilder. [e6fc06a6c5cf] * plugins/sudoers/Makefile.in: Remove extraneous $$CWD; from Bdale Garbee [4d040ddd7446] 2013-09-09 Todd C. Miller * NEWS, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Make "this" and "next" qualifiers work a bit better. There is still room for improvement as "this week" will use the current time instead of the beginning of the week. That's a separate issue though. [e844c02f754a] 2013-09-06 Todd C. Miller * common/regress/sudo_conf/conf_test.c, common/regress/sudo_parseln/parseln_test.c: Mark main() public to silence a warning on HP-UX. [ac0b869b9842] 2013-09-03 Todd C. Miller * plugins/sudoers/po/sudoers.pot, plugins/sudoers/timestamp.c: Be specific that we are talking about the Unix epoch; bug #615 [25887775371b] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/po/sudoers.pot, src/po/sudo.pot, src/selinux.c: Do not use "setup" as a verb; bug #614 [17c4750aac5f] * plugins/sudoers/iolog.c: Fix logic goof when checking open() status. [76ece1445d71] * plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, src/po/nl.mo, src/po/nl.po, src/po/ru.mo, src/po/ru.po: Sync with translationproject.org [21351498000f] * NEWS, plugins/sudoers/sudoreplay.c: Work around a bug in sudo 1.8.7 timing files where the indexes are off by two. [4aa0cd58af58] * MANIFEST, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/sudoreplay.c: Repair writing of the I/O log file indices broken in sudo 1.8.7. [6a5f867884f5] 2013-08-31 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Try to improve the PAGERS noexec example a bit. [226f11118daa] 2013-08-30 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Document comment character in ldap.conf Clarify what is and is not supported in TLS_KEYPW Mention that gsk8capicmd can be used to create a stash file [fb8f06ab4458] 2013-08-26 Todd C. Miller * NEWS: New bugs fixed for 1.8.8. [c158df7cd9d2] * plugins/sudoers/visudo.c: Fix setting of quiet flag when -q / --quiet is specified. Do not print "sudoers: parsed OK" in quiet mode. [df55acd57ce6] * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, src/po/fi.mo, src/po/fi.po, src/po/it.mo, src/po/it.po: Updated translations from translationproject.org [e9e8abd23a28] * plugins/sudoers/check.c: Don't allow root to change its SELinux role without a password. Bug #611 [f8b599acb29d] 2013-08-21 Todd C. Miller * NEWS: Mention new Mac OS X symbol interposition. [98293b7c4e0f] * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, src/po/eo.mo, src/po/eo.po, src/po/fr.mo, src/po/fr.po: Updated translations from translationproject.org [865be7454354] * config.h.in, configure, configure.in, src/sudo_noexec.c: Add configure checks for the exec functions we will dummy out. This is only really needed on Mac OS X when symbol interposition is being performed but won't hurt elsewhere. [49c20cf6bab0] 2013-08-20 Todd C. Miller * config.h.in, configure, configure.in, src/Makefile.in, src/sudo_noexec.c: Fix installation of sudo_noexec on Mac OS X. Use library symbol interposition on Mac OS X 10.4 and higher so we don't need to set DYLD_FORCE_FLAT_NAMESPACE=1. [a82999dff8e6] 2013-08-19 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Fix typo in tls_key example for Tivoli [36599f424ac4] * src/parse_args.c: Don't escape '$' when running "sudo -i command". Bug #564 [17542d52f714] * plugins/sudoers/iolog_path.c: Fix typo in comment. [d0510ed5eaba] * plugins/sudoers/auth/pam.c: Fix comment. [4e89e0bfd6af] * plugins/sudoers/timestr.c, plugins/sudoers/visudo.c: Quiet some gcc -Wformat=2 false positives [28a2014b9822] 2013-08-18 Todd C. Miller * plugins/sudoers/auth/pam.c: Remove now-obsolete arg to env_merge() [ba015cf5d935] * plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/pl.mo, src/po/pl.po, src/po/pt_BR.mo, src/po/pt_BR.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: Updated translations from translationproject.org [72b6aeaba505] * MANIFEST, NEWS, doc/CONTRIBUTORS, src/po/fr.mo, src/po/fr.po: French translation for sudo from translationproject.org. [a72321771860] * plugins/sudoers/logging.h: Add __printflike to audit_failure. [1686b3699d41] * include/missing.h: Use __nonnull__ attribute in __printflike. [d123613a1fb6] 2013-08-17 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/sudoers.h: When merging the PAM environment, allow environment variables set in PAM to override ones set by sudo as long as they do not match the env_keep or env_check lists. [f3c64967fed7] * plugins/sudoers/auth/pam.c: Call pam_getenvlist() after we've opened the session to get the session-specific environment variables. [b413fb9e1c77] * plugins/sudoers/ldap.c: Fix error display from ldap_ssl_client_init(). There are two error codes. The return value can be decoded via ldap_err2string() but the ssl reason code cannot (you have to look it up in a table online). [0267125ce9f0] 2013-08-16 Todd C. Miller * NEWS: option not flag [08c31af7b818] * compat/getopt_long.c, config.h.in, configure, configure.in: Don't redefine opterr, optind, optopt, optarg in getopt_long.c. Add a check for optreset which is a BSD extension and provide a definition in getopt_long.c if it is not present. [3393e8d83400] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [f38f65830118] * plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c: Use lower case for the long option arguments to match the manual. This is inconsistent with GNU but it is better to match the sudo documentation. [8fac2d64f5d2] * NEWS: Sudo 1.8.8 [105c73752474] * src/parse_args.c: Use lower card for the long option arguments to match the manual. This is inconsistent with GNU but it is better to match the sudo documentation. [af243dd39850] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Describe how remote command execution can be implemented. [3eba7f93b7f6] * doc/sudoers.ldap.cat: Bump version. [0ee7f02f3627] 2013-08-15 Todd C. Miller * src/sudo.c: Make it a fatal error if the plugin returns invalid or out of range command info. [8a7e56c7584a] * plugins/sudoers/policy.c: Use strtol() instead of atoi() and perform error checking of parameters passed from the sudo front-end. [05e05be3c6c4] * plugins/sudoers/auth/pam.c: It is not possible for auth to be NULL here. [771500e776e9] * plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Initialize user_runhost and user_srunhost to user_host and user_shost in visudo and testsudoers. [c47cca74e1fc] * MANIFEST, common/Makefile.in, common/aix.c, common/alloc.c, common/error.c, common/fatal.c, common/gidlist.c, common/lbuf.c, common/list.c, common/sudo_conf.c, common/sudo_debug.c, compat/Makefile.in, compat/getopt_long.c, include/error.h, include/fatal.h, plugins/sudoers/Makefile.in, plugins/sudoers/bsm_audit.c, plugins/sudoers/hexchar.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/Makefile.in, src/locale_stub.c, src/net_ifs.c, src/regress/ttyname/check_ttyname.c, src/sesh.c, src/sudo.h: Rename error.h -> fatal.h now that there is no error() function. [3a3827f10f04] * common/sudo_debug.c, include/sudo_debug.h: Add support to the debug subsystem for zero-length strings. This can happen for things like warning(NULL) or fatal(NULL) where we just want to log the errno string. [3ed739c5cc91] * include/error.h: Add __printflike for vfatal, vfatalx, vwarning and vwarningx. [57e65ed595d2] * plugins/sudoers/audit.c: Need to include gettext.h for BSM audit. [a87fda2d0123] * common/alloc.c, plugins/sudoers/env.c, src/exec_common.c, src/parse_args.c, src/sudo.c: Change some fatalx(NULL) that should be fatal(NULL). [8b1efda9f578] * include/error.h, include/missing.h: Use __printf0like for warning() and fatal() since the fmt string may be NULL. [858a890f00ad] * compat/pw_dup.c: Quiet a gcc "used uninitialized in this function" false positive. [98f47f89ce60] * mkpkg: Enable bsm audit on Mac OS X and Solaris >= 11. [8607488f986c] * plugins/sudoers/bsm_audit.c: Fix compilation on Solaris 11. [01aa46298ed7] * plugins/sudoers/bsm_audit.c: Add missing missing.h [080de69a55a1] * plugins/sudoers/sudoers.c: Move the -C (user_closefrom) check until after set_cmnd() so that closefrom_override can be used in a command-specific Defaults line. Fixes bug #610 from Mengtao Sun. [413565c6ff6b] 2013-08-14 Todd C. Miller * src/exec.c: If not using a pty and the child process gets SIGTTOU or SIGTTIN and sudo is the foreground process, make the child the foreground process and continue it. [5ff433443bc4] * src/sudo.c: If sudo is not setuid and was not invoked with a full path, look in the user's PATH for the sudo binary to give a better error message. [a740129a38f0] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.h: Add limited support for "sudo -l -h other_host". Since group lookups are done on the local host, rules that use group membership may be incorrect if the group database is not synchronized between hosts. [2c8b222a5f7f] * src/parse_args.c: Fix parsing of "-h host" when used in conjunction with the -l flag. [62f3d726d52b] * configure, configure.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/parse_args.c, src/sudo.c, src/sudo_usage.h.in: Simplify usage messages a bit and make --help output more closely resemble GNU usage wrt long options. Sync usage and man page SYNOPSYS sections and improve long options in the manual pages. Now that we have long options we don't need to give the mnemonic for the single-character options in the description. [17b7e386955a] 2013-08-13 Todd C. Miller * plugins/sudoers/logging.c: Fix setting of mailer argv[0] to basename of mailerpath. No need to strdup() mailerpath as it is not modified. [8843cdd958ee] * plugins/sudoers/logging.c: Make sure the mailer exists and is a regular file before trying to exec it. [b73d6214014f] * plugins/sudoers/timestamp.c: If tty_tickets are enabled but there is no tty, use a ticket file based on the parent pid. [75408bd61ced] * common/sudo_conf.c, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, include/sudo_conf.h, src/parse_args.c: Allow default plugin dir to be configured in sudo.conf. [478883594cc5] * doc/CONTRIBUTORS: UTF8 for Ruusamae, Elan; from Tae Wong [02e0c95b4fa6] 2013-08-12 Todd C. Miller * MANIFEST, common/regress/sudo_conf/test5.in, common/regress/sudo_conf/test5.out.ok, common/regress/sudo_conf/test6.in, common/regress/sudo_conf/test6.out.ok, common/sudo_conf.c, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, plugins/sudoers/policy.c, plugins/sudoers/pwutil_impl.c, src/sudo.c: Don't allow max_groups to be set to zero, it just complicates things needlessly. Fixes an assertion in visudo when there is a group- based Defaults entry. [d62a8ea32db9] 2013-08-08 Todd C. Miller * MANIFEST, common/Makefile.in, common/gidlist.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h: Refactor code to parse list of gids into its own function that is shared by the sudo front-end and the sudoers module. Make uid/gid parse error be fatal, not just a warning. [da3b2b06605c] * common/atoid.c: Add function comment block. [09a324de716f] * common/atoid.c: Default text domain is now sudo, not sudoers. [1acb1da6f304] * common/Makefile.in: Update dependency for atoid.lo [5e367cd44288] * common/atoid.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/tsgetgrpw.c, src/sudo.c, src/sudo.h: Add endpointer and separator args to atoid() [2077e4ed8578] 2013-08-07 Todd C. Miller * compat/getgrouplist.c: Use private version of atoid() to avoid a dependency on libcommon.a (since that already depends on libreplace.a). [7c12d63b0560] * doc/CONTRIBUTORS: More UTF8 in names; from Tae Wong [512b263f51c8] * compat/getgrouplist.c, plugins/sudoers/iolog.c, plugins/sudoers/tsgetgrpw.c, src/sudo.c, src/sudo.h: Use atoid() in more places. [06f4ae57c707] * MANIFEST, common/Makefile.in, common/atoid.c, plugins/sudoers/Makefile.in, plugins/sudoers/atoid.c: Move atoid() to common so it can be used in src and compat too. [095d730701e4] * compat/closefrom.c: Avoid a crash on Mac OS X 10.8 (at least) when we close libdispatch's fds out from under it before executing the command. Switch to just setting the close on exec flag instead. [349ebf4987df] * doc/CONTRIBUTORS: Convert to last, first for easier sorting and use UTF8 (including a BOM). [8c30d221bd75] * plugins/sudoers/atoid.c: Add atoid() function to convert a string to an id_t (uid, gid or pid). We have to be careful to choose() either strtol() or strtoul() depending on whether the string appears to be signed or unsigned. Always using strtoul() is unsafe on 64-bit platforms since the uid might be represented as a negative number and (unsigned long)-1 on a 64-bit system is 0xffffffffffffffff not 0xffffffff. Fixes a problem with uids larger than 0x7fffffff on 32-bit platforms. [5d818e399157] * MANIFEST, config.h.in, configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Add atoid() function to convert a string to an id_t (uid, gid or pid). We have to be careful to choose() either strtol() or strtoul() depending on whether the string appears to be signed or unsigned. Always using strtoul() is unsafe on 64-bit platforms since the uid might be represented as a negative number and (unsigned long)-1 on a 64-bit system is 0xffffffffffffffff not 0xffffffff. Fixes a problem with uids larger than 0x7fffffff on 32-bit platforms. [cd92246a710f] * plugins/sudoers/sudoers.c: Avoid "perm stack underflow" error when logging the unknown uid error. [871514c713b7] * plugins/sudoers/set_perms.c: In rewind_perms() there is nothing to do if perm_stack_depth == 0. [98de335f47f0] 2013-08-06 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in: Add pam_setcred sudoers option to allow the user to control whether pam_setcred() is called on the user's behalf. [4260a8e43073] * configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add pam_service and pam_login_service sudoers settings to control the service name passed to pam_start. [5ea0e3588f3a] * mkpkg: Newer Xcode places the SDKs under Xcode.app [4b54379d5c45] 2013-08-03 Todd C. Miller * MANIFEST, common/Makefile.in, common/zero_bytes.c, compat/Makefile.in, compat/memset_s.c, config.h.in, configure, configure.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/missing.h, include/sudo_plugin.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/sha2.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/Makefile.in, src/conversation.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c: Implement memset_s() and use it instead of zero_bytes(). A new constant, SUDO_CONV_REPL_MAX, is defined by the plugin API as the max conversation reply length. This constant can be used as a max value for memset_s() when clearing passwords filled in by the conversation function. [264ec146028e] 2013-08-01 Todd C. Miller * plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/system_group/Makefile.in: Do not try to install plugins when shared modules are disabled (sudoers already had the check). [3d582c042042] * plugins/sudoers/Makefile.in: Update dependencies to take into account compat/getopt.h and compat/dlfcn.h. [301fb31cd121] * src/Makefile.in: Update dependencies now that sudo_usage.h is always included from the build dir. [c1ff70ec9515] 2013-07-31 Todd C. Miller * plugins/sudoers/ldap.c: Add some warnings and debugging to sasl ccname handling. [467f415861f0] * plugins/sudoers/ldap.c: Fix write loop invariant in sudo_krb5_copy_cc_file() [6948cf6e9b9f] 2013-07-30 Todd C. Miller * plugins/sudoers/ldap.c: Strip off leading FILE: or WRFILE: prefix before trying to copy the user's credential cache. [56c16feab62f] 2013-07-29 Todd C. Miller * src/sudo.c: Instead of setting RLIMIT_NPROC to unlimited when sudo initializes, just save RLIMIT_NPROC in exec_setup() before the final setuid() and restore it immediately after. We don't need to modify RLIMIT_NPROC for simple euid changes, just for changing the real (and saved) uids before we exec. This also means we no longer need to worry about _SC_CHILD_MAX returning -1. Bug #565 [1372f1909039] 2013-07-28 Todd C. Miller * plugins/sudoers/ldap.c, src/preload.c: Now that the ldap code runs with the real and effective uid set to 0, it is not possible for the gssapi libs to find the user's krb5 credential cache file. To work around this, we make a temporary copy of the user's credential cache specified by KRB5CCNAME (opened with the user's effective uid) and point gssapi to it. To set the credential cache file name, we dynamically look up gss_krb5_ccache_name() and use it if available, otherwise fall back to setting KRB5CCNAME. [8b86c134541a] 2013-07-19 Todd C. Miller * doc/sudo.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c: Long option support for visudo and sudoreplay. [91427968be71] 2013-07-18 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, src/Makefile.in, src/parse_args.c, src/sudo.c, src/sudo_usage.h.in: Add support for long options and fix inclusion of sudo_usage.h with modern gcc broken in 8597:1fcb7ba13018. [d13134819944] * src/Makefile.in: Add rule to rebuild sudo_usage.h when the .in file changes. [59a32899e251] * compat/Makefile.in, mkdep.pl, src/Makefile.in: Add make rules for building getopt_long.c [5f57593b3a8b] * src/parse_args.c: Make "-h hostname" work. Optional args in GNU getopt() only work when there is no space between the option flag and the argument. [b8258659cabb] 2013-07-17 Todd C. Miller * MANIFEST, compat/getopt.h, compat/getopt_long.c, config.h.in, configure, configure.in, doc/LICENSE, src/parse_args.c: Use getopt_long() so we can make the -h flag take an optional argument. Includes a version for those without it. [d1dd66c8a86b] 2013-07-16 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Document that the -h option can be used specify a host name for future plugins. [8470c74cf326] * include/sudo_plugin.h, src/parse_args.c, src/sudo_usage.h.in: Overload -h option to specify an optional hostname for remote access. This is future-proofing; no policy plugins currently support this. [0e01d8c3c623] * configure, configure.in: Bump version to 1.8.8 [a1155bfaa28f] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document the remote_host setting (-h host) [c737db906f5d] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: fix "the the" [0025464a3942] * src/parse_args.c, src/sudo.c, src/sudo.h: Do not error out if arg to -U option cannot be resolved, that is for the plugin to decide. There is no need for runas_user and runas_group to be global, make them local to parse_args() instead. [fb02a62a72ba] * MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, src/po/es.mo, src/po/es.po, src/po/pt_BR.mo, src/po/pt_BR.po: Sync with translationproject.org [e8f4772d918a] 2013-07-11 Todd C. Miller * doc/TROUBLESHOOTING: Remove old bits about sudo setuid problems that should have been cleaned up in changeset 7917:fa4894896d8a. Also update the mode of sudo to 04755 to match current packaging. [1e3904cdc2de] * plugins/sudoers/auth/pam.c: Go back to ignoring the return value of pam_setcred() since with stacked PAM auth modules a failure from one module may override PAM_SUCCESS from another. If the first module in the stack fails, the others may be run (and succeed) but an error will be returned. This can cause a spurious warning on systems with non-local users (e.g. pam_ldap or pam_sss) where pam_unix is consulted first. [b6022e26135a] * src/net_ifs.c: Remove unused variable. [93dde7d82fde] * NEWS: Fix typo [5ef79671c2c7] 2013-07-09 Todd C. Miller * plugins/sudoers/sssd.c: Fix pasto; sudo_sss_extract_digest() not sudo_ldap_extract_digest(). From Dan Harnett. [4a0af6f12765] 2013-06-18 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Fix formatting typo; from Eric S. Raymond [058b533ba460] 2013-06-17 Todd C. Miller * mkpkg: Use -gxcoff on aix so dbx can be used to debug sudo. [4950e019ed2d] 2013-06-12 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Fix typo; bug 605 [41f7b46a6e51] 2013-06-04 Todd C. Miller * src/po/da.mo, src/po/eo.mo, src/po/es.mo, src/po/it.mo, src/po/tr.mo: Regen .mo files that were out of date. [9e25a254f9db] 2013-05-30 Todd C. Miller * NEWS, configure, configure.in: On Solaris 11 and higher, tag binaries for ASLR if supported by the linker. [a2a6cafa3e60] * mkpkg: No longer need to disable PIE on Solaris. [cf90019ae67e] 2013-05-28 Todd C. Miller * INSTALL, NEWS, configure, configure.in, doc/TROUBLESHOOTING: Restrict default creation of PIE binaries (-fPIE and -pie) to Linux. OpenBSD also supports PIE but enables it by default so we don't need to do anything. This fixes problems on systems with a version of GNU ld that accepts -pie but where the run-time linker doesn't actually support PIE. Also verify that a trivial PIE binary works unless PIE is explicitly enabled. [3c5f125efeb1] 2013-05-24 Todd C. Miller * aclocal.m4, configure, configure.in: Attempt to detect PIE failure on Solaris 10 with GNU as and GNU ld where we can end up crashing due to malloc() failures. Sems OK when Using Sun as and ld. [b8ba412102ab] * NEWS: Update with final changes. [78ff6d2ed47a] 2013-05-23 Todd C. Miller * configure, configure.in: Add -fPIE to PIE_LDFLAGS as per gcc manual. [fe900cbb0780] 2013-05-22 Todd C. Miller * common/Makefile.in, compat/Makefile.in: Add missing $(PIE_LDFLAGS) $(SSP_LDFLAGS) for test programs [f84bc7482b78] * MANIFEST, plugins/sudoers/alias.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/visudo/test4.out.ok, plugins/sudoers/regress/visudo/test4.sh, plugins/sudoers/visudo.c: Replace sequence number-based cycle detection in visudo with a "used" flag in struct alias. The caller is required to call alias_put() when it is done with the alias. Inspired by a patch from Daniel Kopecek. [0bdbac1b3b39] 2013-05-20 Todd C. Miller * plugins/sudoers/iolog.c: Eliminate a few relocations related to sudoers_io. [18e9e2cc3367] * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po: Sync with translationproject.org [f38cc128a2ad] 2013-05-18 Todd C. Miller * src/ttyname.c: Clarify a comment. [7a045ee06e95] 2013-05-16 Todd C. Miller * src/ttyname.c: Handle d_type == DT_UNKNOWN when resolving the device to a name and sprinkle some more debugging. [8774133747d9] 2013-05-03 Todd C. Miller * doc/TROUBLESHOOTING: Add message about disabling PIE if sudo gets SIGSEGV. [c786af2a6751] * plugins/sudoers/check.h, plugins/sudoers/timestamp.c: No longer store the ctime of a devpts tty. The handling of ctime on devpts in Linux has been changed to conform to POSIX. As a result we can no longer assume that the ctime will stay unchanged throughout the life of the session. We store the session ID in the time stamp file so there is a much smaller chance of the time stamp file being reused by a new login. While here, store the uid/gid in the timestamp file too for good measure. [7028b21f7a9b] * configure, configure.in: PIE is broken on FreeBSD/arm [f232c60d6229] * mkpkg: Add explicit sendmail path for Linux since we may not have sendmail installed in the build chroot. [1ba2f84f4ff0] 2013-05-01 Todd C. Miller * common/sudo_debug.c, plugins/sudoers/iolog.c, plugins/sudoers/set_perms.c, src/sudo.c, src/tgetpass.c: Quiet a few -Wunused-result compiler warnings. [ef12afb61423] 2013-04-30 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention what SHA-2 formats are supported. [bf298d0fdf8a] * doc/CONTRIBUTORS: List code and translations separately. [826547bc1295] 2013-04-29 Todd C. Miller * MANIFEST, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/tr.mo, plugins/sudoers/po/tr.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po: Sync with translationproject.org [9499a6f438b8] * plugins/sudoers/po/sudoers.pot: regen [cce449e284a6] * Makefile.in: Fix c-format for fatal/fatalx [4ad81d3faaeb] 2013-04-26 Todd C. Miller * Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/exec_pty.c, src/sudo.h: Change some error/errorx -> fatal/fatalx in comments and xgettext flags. [9d9b64fa2ec9] * NEWS: There is now a Turkish translation of sudoers. [701c5af6aa76] * MANIFEST, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/tr.mo, plugins/sudoers/po/tr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: Updated translations from translationproject.org including new Turkish translation. [9cedbb50d90f] 2013-04-25 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document that sudoers will re-use existing I/O log paths unless they are mktemp-style with trailing X's. [4f43bd13d9e7] * NEWS, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/ldap.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Allow ldap_conf and ldap_secret to be specified as plugin arguments in sudo.conf [37c6c425b565] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: sudoers_debug is now deprecated in favor of the sudo debugging framework. [1195be1ec254] * plugins/sudoers/ldap.c: Replace DPRINTF with DPRINTF1 and DPRINTF2 macros that use SUDO_DEBUG_DIAG and SUDO_DEBUG_INFO respectively for logging to the debug file with the ldap subsystem. The sudoers_debug setting in ldap.conf is still honored for now but will be removed in a future release. [cfa42b4b913e] 2013-04-24 Todd C. Miller * plugins/sudoers/sudoers2ldif: Add support for converting sudoers files with SHA-2 command digests. [dc0d03485946] * doc/fixman.sh, doc/fixmdoc.sh, mkdep.pl, mkpkg, plugins/sudoers/sudoers2ldif: Add copyright notice to scripts [5e8bd4e6083f] * MANIFEST, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok: Add regress for SHA-2 digests. [0b258c2a2a95] * compat/getgrouplist.c: Solaris maps negative gids to GID_NOBODY. [57050e5c750f] * plugins/sudoers/visudo.c: Clear up an llvm checker warning which appears to be a false positive and fix an old XXX while I'm at it. [9ee13133e596] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Correct last change date [3bc1fa5b0f76] * plugins/sudoers/po/sudoers.pot, plugins/sudoers/sudoreplay.c: No need to translate this error message. [4d9941970a26] * doc/UPGRADE: Mention .sl vs. .so extension handling on HP-UX Mention group membership changes Fix typos [40ac0efbdb2b] * aclocal.m4, common/aix.c, common/alloc.c, common/atobool.c, common/error.c, common/fmt_string.c, common/lbuf.c, common/list.c, common/setgroups.c, common/term.c, common/ttysize.c, compat/Makefile.in, compat/dlopen.c, compat/endian.h, compat/getline.c, compat/getprogname.c, compat/isblank.c, compat/memrchr.c, compat/mksiglist.c, compat/mktemp.c, compat/nanosleep.c, compat/pw_dup.c, compat/sig2str.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/utimes.c, doc/Makefile.in, include/Makefile.in, include/alloc.h, include/fileops.h, include/gettext.h, include/lbuf.h, include/missing.h, include/sudo_plugin.h, pathnames.h.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/iolog_path.c, plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.h, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, src/Makefile.in, src/conversation.c, src/exec.c, src/exec_common.c, src/get_pty.c, src/net_ifs.c, src/parse_args.c, src/preload.c, src/selinux.c, src/sesh.c, src/signal.c, src/sudo_edit.c, src/sudo_exec.h, src/sudo_noexec.c, src/sudo_plugin_int.h, src/tgetpass.c, src/utmp.c: Update copyright years. [5c6d72661bad] * plugins/sudoers/mon_systrace.h: Systrace support was removed long ago. [10a038a2da77] 2013-04-23 Todd C. Miller * MANIFEST, plugins/sudoers/regress/sudoers/test10.toke.out.ok, plugins/sudoers/regress/sudoers/test9.toke.out.ok: Remove some files that were mistakenly added. [833502da26de] * common/sudo_debug.c, config.h.in, configure, configure.in, plugins/sudoers/boottime.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c: Use time(&now) instead of now = time(NULL) when storing the current time in a time_t (better compiler error checking). Better parsing and printing of 64-bit time_t on 32-bit platforms. [c227dc72c04e] 2013-04-21 Todd C. Miller * src/ttyname.c: Don't check the tty of the parent process. Now that we get the controlling tty device number from the kernel there is no need. If the process has really disassociated from the tty then reporting "unknown" is appropriate. [62fb66e565db] 2013-04-20 Todd C. Miller * common/error.c: Use EXIT_FAILURE instead of 1 as the fatal() exit value. [ed94c2c5e88a] * src/sesh.c: Change remaining errorx -> fatalx [3f6d70e19303] 2013-04-19 Todd C. Miller * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Replace sudo_fakepwnamid() with sudo_mkpwent() and don't return an error if the entry already exists in the cache. [94d45970400a] * plugins/sudoers/bsm_audit.c, plugins/sudoers/po/sudoers.pot: Change "foo: failed" to just "foo" since we print the string form of errno. Gets rids of some useless translations. [476f37349dbc] 2013-04-18 Todd C. Miller * plugins/sudoers/match.c: Fix pasto in debug_decl [08650186a239] * plugins/sudoers/Makefile.in: regen [acf4c34fba2c] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Rename log_error() -> log_warning() for consistency with warning()/fatal() [474ed5a0e335] * plugins/sudoers/auth/API: The NO_EXIT flag was removed a while ago. [e0a4be270226] * common/aix.c, common/alloc.c, common/error.c, include/error.h, plugins/sudoers/bsm_audit.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/hexchar.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/signal.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/utmp.c: Rename error/errorx -> fatal/fatalx and remove the exit value as it was always 1. [ea66f58c4da5] * NEWS: digests are supported in sudoers ldap too [77d6c25f7653] * plugins/sudoers/regress/check_symbols/check_symbols.c: Print test failures to stdout like the final count so the outputis not displayed out of order. [f541b78ecb93] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.po, src/po/da.mo, src/po/da.po, src/po/eo.po, src/po/hr.mo, src/po/hr.po, src/po/it.po, src/po/tr.po: Sync with translationproject.org [cbd70678b99f] * Makefile.in: Check for any uncommitted changes in dist target and add force-dist target that omit check-dist. [78dc3f41e37e] 2013-04-17 Todd C. Miller * src/regress/ttyname/check_ttyname.c: Fix logic bug when checking tty via ttyname(). [279aee076194] * compat/endian.h: Fix check for _BIG_ENDIAN and _LITTLE_ENDIAN (Solaris) and __BIG_ENDIAN__ and __LITTLE_ENDIAN__ (HP-UX) [fe35e0b04502] * plugins/sudoers/po/sudoers.pot: regen [0ddebccd3045] * NEWS, doc/sample.sudoers, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document digest support. [d794c7b9a7bc] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/parser/check_base64.c: Simple bas64 decode unit test. [344b0df0fe50] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/base64.c, plugins/sudoers/match.c, plugins/sudoers/parse.h: Move base64_decode into its own source file. [30497e7f88bc] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Only check year against 2038 if time_t is 32-bit. [9c1f2e3fc3ba] 2013-04-16 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c: Add digest support for sudoers in ldap and sss. [314937b5e59e] * INSTALL, configure, configure.in: Error out in configure if the compiler doesn't support "long long". [d3645c1d50d1] * plugins/sudoers/match.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Include stdint.h or inttypes.h before sha2.h [20ad1c20313d] * common/lbuf.c: Simplify lbuf append functions by moving the realloc code into lbuf_expand(). We now expand as needed each time bytes need to be written to the lbuf. Also handle a NULL pointer being passed in for paranoia's sake. [6283ee562ef4] * plugins/sudoers/iolog.c: Zero out struct iolog_details early to avoid a potential (though unlikely) dereference of stack garbage if we hit a fatal error before iolog_deserialize_info() is called. [2eeca8be05fb] 2013-04-15 Todd C. Miller * sudo.pp: Update copyright year. [b843c6a43238] * plugins/sudoers/sudoers_version.h: Bump SUDOERS_GRAMMAR_VERSION for new digest support. [188556fb8156] * plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Sanity check digest in parser so visudo can catch errors. Add base64 support [b8586d5cc7ed] * MANIFEST, compat/endian.h, config.h.in, configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/sha2.c: For big endian architectures just use memcpy() instead of BE macros in a loop. [c71a0f4a8a8e] 2013-04-14 Todd C. Miller * MANIFEST, config.h.in, configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/hexchar.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_digest.out.ok, plugins/sudoers/sha2.h, plugins/sudoers/sssd.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Initial implementation of checksum support in sudoers. Currently supports SHA-224, SHA-256, SHA-384, SHA-512. TODO: checksum format validation in parser and base64 support. checksum support for ldap sudoers [b8f196346eca] 2013-04-13 Todd C. Miller * doc/CONTRIBUTORS, plugins/sudoers/sha2.c, plugins/sudoers/sha2.h: SHA-224, SHA-256, SHA-384 and SHA-512. Derived from the public domain SHA-1 and SHA-2 implementations by Steve Reid and Wei Dai respectively. [7511d07c0a83] 2013-04-11 Todd C. Miller * NEWS: Add sudo 1.8.6p8 [0666fd0321ae] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/po/sudoers.pot: Add missing "not" in error message when mixing standalone and non- standalone authentication methods. [7eba4439db73] * plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c: Check for crypt() returning NULL. Traditionally, crypt() never returned NULL but newer versions of eglibc have a crypt() that does. Bug #598 [887b9df243df] * plugins/sudoers/auth/pam.c: Better PAM error messages [fd7eda53cdd7] * plugins/sudoers/auth/kerb5.c: Better error messages [98142874a2f4] * plugins/sudoers/bsm_audit.c: Use same error message for getauid() failure. [07f0d88cb1df] * plugins/sudoers/sssd.c: Start warning with a lower case letter for consistency and to match existing translated strings. [b719ac52c9e3] 2013-04-10 Todd C. Miller * mkpkg: Disable PIE on Solaris where it is not really supported. [c36c84cdcc7a] * src/ttyname.c: AIX may have a 64-bit pr_ttydev that we need to convert to 32-bit before we try to match it against st_rdev. [5dab449fb962] * src/ttyname.c: Break out of the loop if sudo_ttyname_scan() returns non-NULL. Fixes a problem finding the tty name when it is not in /dev/pts. [6c205d087fa0] * compat/snprintf.c: Support %lld and %llu [feabfa06c954] * .hgignore, MANIFEST, src/Makefile.in, src/regress/ttyname/check_ttyname.c: Add ttyname test. [e987038f8c07] 2013-04-09 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/de.mo, src/po/de.po, src/po/fi.mo, src/po/fi.po, src/po/pl.mo, src/po/pl.po, src/po/ru.mo, src/po/ru.po, src/po/sl.mo, src/po/sl.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: Sync with translationproject.org [4d7b73b22079] * plugins/sudoers/timestamp.c: Log timestampfile to debug file. [e997281146c0] * plugins/sudoers/auth/pam.c, plugins/sudoers/po/sudoers.pot: Don't add the "Password: " string we look up in the PAM text domain to the sudoers.pot file. [771b52244abf] 2013-04-08 Todd C. Miller * plugins/sudoers/po/sudoers.pot: Synce with regcomp() error message change. [fc6d3dfb8eb8] * plugins/sudoers/sudoreplay.c: Be consistent with error message when regcomp() fails. [de6c69ba04e4] 2013-04-05 Todd C. Miller * plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test5.sh: Use group -1 instead of 1 as the invalid group since the running user might have group 1 as their default group. [71404a9fa75d] * plugins/sudoers/Makefile.in: PWD may be a shell builtin, use CWD instead. [c443105c5091] 2013-04-04 Todd C. Miller * plugins/sudoers/check.c: Split up check_user(). [ce7cc0767589] 2013-04-03 Todd C. Miller * config.h.in, configure.in: Cosmetic fixes in the comments. [640abee43c14] 2013-04-02 Todd C. Miller * configure, configure.in: Use AC_LINK_IFELSE instead of AC_TRY_LINK Fix printing of status message for visibility checks when the test fails. [99665477ee55] * config.h.in: regen [00c22606719a] * configure, configure.in: We no longer use mbr_check_membership() and setrlimit64() is AIX- specific. [43caf685a1f1] * Makefile.in: The first (all) target must be by itself or some makes will choose the run the entire target list. [16cf3def49f5] * configure, configure.in: Do exec_prefix expansion when enable_shared even if noexec is not enabled. [7ed28cb32d8d] * compat/getgrouplist.c: Use free() not efree() since we don't include alloc.h here [1a008737be24] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [b939f941346f] * plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test5.sh: Pass in expected gid to testsudoers in addition to the uid that matches the test sudoers files. [6a1710e8cac1] 2013-04-01 Todd C. Miller * include/missing.h: Tru64 5.x does declare innetgr() and getdomainname(). [c75598e69c7e] * plugins/sudoers/match.c: Fix compilation when getdomainame() is not present. [e831b017a962] * config.h.in, configure.in, include/missing.h: Move SET/CLR/ISSET from config.h.in to missing.h [3a3dd29fd7f0] * configure, configure.in: Fix getgrouplist() check. [12a2adf60e98] * MANIFEST: No more timestamp.h [5677e26afc0f] * plugins/sudoers/check.c: Neded sys/time.h for struct timeval in struct sudo_tty_info. [aceaadd8c400] * plugins/sudoers/Makefile.in: regen depends [21675a8b67e5] * NEWS: Mention libibmldap on HP-UX [75b4e4b22950] * NEWS, plugins/sudoers/match.c: Instead of checking the domain name explicitly for "(none)", just check for illegal characters. [ce35dda811db] * plugins/sudoers/visudo.c: Only warn once when we are unable to open the sudoers file. [9e27e3aa5b10] * plugins/sudoers/sudoers.c: Fall back to opening /dev/tty to determine whether there is a tty if the system doesn't have kernel support for determing the tty. [2775bcf9a9b5] * compat/getprogname.c: Update guard to take __progname into account [60eae3f20232] * compat/snprintf.c: Some older systems have inttypes.h but not stdint.h [ed1ef160015f] * compat/closefrom.c, compat/dlopen.c, compat/fnmatch.c, compat/getaddrinfo.c, compat/getcwd.c, compat/getgrouplist.c, compat/getline.c, compat/getprogname.c, compat/glob.c, compat/isblank.c, compat/memrchr.c, compat/mktemp.c, compat/nanosleep.c, compat/pw_dup.c, compat/sig2str.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/utimes.c: Add guards in compat source files. Not really needed since we only include them in the Makefile if they are needed but should not hurt either. [8cbd3b4595b9] 2013-03-31 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Don't include gram.h in gram.y, its contents are already included. Move sudoerserror to the end of gram.y so COMMENT is declared when we need to use it. [7d72ebdd7222] 2013-03-29 Todd C. Miller * config.h.in, configure.in: Remove some pre-ANSI cruft. [6a95704b2116] * plugins/sudoers/match.c: Rename NAME_MATCH -> SUDOERS_NAME_MATCH and avoid pulling in glob.h when it is set. [da40c550ffed] * NEWS, plugins/sudoers/iolog_path.c: We still want to recognize %{seq} for the SUDOERS_NO_SEQ case but just leave it as-is. [9a22de140d28] 2013-03-28 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Add missing semicolon in rule. [817d3f1b2a21] * plugins/sudoers/sudoers.c: Now that we can determine the terminal even when file descriptors are redirected we can check user_ttypath rather than opening /dev/tty when enforcing requiretty. [56a28bc09041] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Stash umask in struct sudo_user so we don't need to look it up later. [9f85749199dc] * plugins/sudoers/sudoers.c: Minor cosmetic change [c373e106ed49] * plugins/sudoers/regress/parser/check_addr.c: No longer need to declare interfaces [d7ff7e579557] * plugins/sudoers/logging.c: Fix compilation in SUDOERS_NO_SEQ case [9a6db9247534] * plugins/sudoers/regress/parser/check_addr.c: No longer need to define sudo_printf [578ad13c3546] * plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/timestamp.c: Pass auth_pw to the timestamp functions. [f603649177d6] * plugins/sudoers/iolog_path.c: Fix SUDOERS_NO_SEQ [17881f9bcd68] * plugins/sudoers/locale.c: Don't need all of sudoers.h in here [c518150c6483] * plugins/sudoers/sudoers.c: Don't need to include sudoers_version.h here. [8abb31102119] 2013-03-27 Todd C. Miller * plugins/sudoers/check.c: DEFAULT_LECTURE is no longer used. [f565c00a68c1] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: Move sudo_conv into policy.c [f699aee7136b] * plugins/sudoers/pwutil.c: cosmetic fixes [930e60389ca8] * plugins/sudoers/match.c: RHEL (and perhaps other Linux distros) use the string "(none)" instead of an empty string when there is no actual NIS-style domain name. Bug #596 [11aec11489ac] * plugins/sudoers/match.c: Fix return values when NAME_MATCH is defined. [ce030be9ccef] 2013-03-26 Todd C. Miller * plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h: Update copyright year. [7e4b8d49addd] * plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h: Add sudo_set_grlist(), currently unused by the back end. [b37ac1d0e8fc] * plugins/sudoers/pwutil.c: Remove unused macros, fix a debug_decl [6136fb4a0d3b] * include/missing.h: Tru64 Unix doesn't prototype innetgr() or getdomainname(). [585ac1874dfe] * include/missing.h: Whitespace fixes [0bb28cd91d97] * common/error.c: Don't need to include setjmp.h here, error.h already includes it. [fd05ab00e186] 2013-03-25 Todd C. Miller * compat/Makefile.in, plugins/sudoers/Makefile.in: regen depends [57991f5e16b4] * plugins/sudoers/check.h: Rename guard define. [ccf4dba241d6] * plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h: Move contents of timestamp.h into check.h. [c139757a9283] * plugins/sudoers/sudoers.h: expand_prompt() is now in prompt.c sudo_printf extern is now in error.h [219bd74ca62b] * plugins/sudoers/bsm_audit.h, plugins/sudoers/defaults.h, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/insults.h, plugins/sudoers/interfaces.h, plugins/sudoers/linux_audit.h, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/pwutil.h, plugins/sudoers/redblack.h, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.h, plugins/sudoers/toke.h: Change multiple inclusion guards to be _SUDOERS_FOO_H [faace6d55e78] 2013-03-23 Todd C. Miller * MANIFEST, plugins/sudoers/po/nl.mo, plugins/sudoers/po/nl.po, src/po/nl.mo, src/po/nl.po, src/po/tr.mo, src/po/tr.po: New Dutch translation for sudo and sudoers New Turkish translation for sudo From translationproject.org [bc918b7b23a4] 2013-03-21 Todd C. Miller * config.h.in, configure, configure.in: Fix a typo in a comment and make sure we don't mistakenly include _PATH_SUDO_ASKPASS and _PATH_SUDO_SESH in config.h.in [694d12ac70ec] 2013-03-19 Todd C. Miller * plugins/sudoers/Makefile.in: Don't build check_symbols if we are linking sudoers in statically. [f6602723bab7] * configure, configure.in: Use $host_os not $host when we only care about the os name and version. [05e4f4fcba06] * aclocal.m4, configure, configure.in: Suppress duplicate -L and -I flags. [228f2f581aed] * common/Makefile.in, compat/regress/fnmatch/fnm_test.c: Fix regress tests on non-OpenBSD platforms. [9d91bc859c50] * configure, configure.in: If we find sasl/sasl.h there's no need to check for sasl.h too [889efaa86012] * aclocal.m4, configure, configure.in: Add -R flags at the very end after configure link tests are done since we can only count on libtool to accept -R, the compiler front end may not. Also unify the libldap and libibmldap tests using AC_SEARCH_LIBS and check for -lCsup on HP-UX which is needed by libibmldap (but is not an explicit dependency). [ab1451894351] 2013-03-18 Todd C. Miller * configure, configure.in: Back out changes that broke detection of skey, opie and ldap libraries. [ffa82b8f8641] * plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/visudo/test1.sh, plugins/sudoers/regress/visudo/test2.sh, plugins/sudoers/regress/visudo/test3.sh: Add explicit "exit 0" to prevent the check target from ending prematurely. [cca411b492bd] * plugins/sudoers/Makefile.in: Fix exit values in check target so we don't have to ignore errors. [cbc429c409e9] * plugins/sudoers/Makefile.in: Fail a test if there is unexpected stderr output. [4fc24d536bec] * MANIFEST: Fix path to sudo.conf manuals; remove non-existant test2.err.ok [6b8bcd60dd85] * src/load_plugins.c: Fix compilation in dynamic mode. [679856fa0774] * configure, configure.in: On HP-UX, libibmldap has a hidden dependency on libCsup [22994709d77c] * compat/dlopen.c: Pass BIND_VERBOSE to shl_load() [0060b9cfa9ab] * configure, configure.in: Only create static helper libs when --disable-shared is specified. [1fcdb1a437e0] * src/load_plugins.c: Ubreak static build. [4ac9f96be285] * INSTALL, aclocal.m4, configure, configure.in: Replace --with-rpath and --with-blibpath with --disable-rpath. Now that we use libtool for linking we can just use the -R flag and have libtool translate it to the proper linker flag. [09798fad6888] 2013-03-15 Todd C. Miller * src/exec_pty.c: Bump I/O buffer size 32K [4ef793225309] 2013-03-14 Todd C. Miller * configure, configure.in, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Document sesh Path setting. [34b0b903b4f8] * src/exec.c, src/exec_common.c: Move exec_cmnd to exec.c to fix a compilation issue with sesh.c [06aa1956f38d] * common/sudo_conf.c, configure, configure.in, include/sudo_conf.h, src/selinux.c: Make sesh path configurable in sudo.conf [91d331f273b7] * configure, configure.in: Use -fno-pie and -nopie if supported when --disable-pie is specified. [777138c04dcc] 2013-03-13 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Document direct execution of the command if the policy plugin has no close function. [6a14145c6e80] 2013-03-07 Todd C. Miller * plugins/sudoers/auth/pam.c: Only delete creds if we actually established them. Print an error if pam_setcred() fails and we actually authenticated. [1e015314903b] * common/Makefile.in, plugins/group_file/Makefile.in: regen [dd8cee2a5e1b] * common/alloc.c, include/alloc.h: Convert efree() to a macro that just casts to void * and does free(). If the system free() can't handle free(NULL) this may crash but C89 was a long time ago. [efd0ff9270fb] * configure, configure.in: Define _REENTRANT for HP-UX when we add -lpthread to SUDO_LIBS. Fixes a problem with errno sometimes not being set on error on HP- UX. [54b419d58320] * common/sudo_debug.c: Fix debug logging from the plugin when there is no error number. This was broken in the big debugging reorg for 1.8.7. [2ea7e145e928] 2013-03-06 Todd C. Miller * configure, configure.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/load_plugins.c: Always install plugins with a .so extension regardless of what extension the system uses for shared libraries. That way the group_plugin sudoers setting can be shared between heterogenous systems. [a7e6ecff6fdf] * plugins/sudoers/match.c: Mac OS X has netgroup functions in netdb.h. [243881a974aa] * plugins/sudoers/parse.h: Tags in struct cmndtag can be set to IMPLIED as well. [cb6926988cc8] * plugins/sudoers/parse.c: Quiet a compiler warning. [14e608c2001d] * plugins/sudoers/testsudoers.c: Quiet an llvm checker warning. [2eeb9f3d08f3] * plugins/sudoers/parse.c: Quiet gcc -Wuninitialized false positive [643ad987503d] 2013-03-05 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document group_file and system_group plugins. [b56511e79230] * NEWS: Sudo 1.8.7 [e95183b8fa27] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Try to clarify that sudoedit in sudoers should not include a leading pathname. [7b2beac92a9c] * plugins/sudoers/pwutil_impl.c: Make sure groupname_len is at least 32 just to be on the safe side. It is better to allocate a little extra and not need it than to have to reallocate and start over. [6d3e1ba47de9] * include/alloc.h, include/missing.h: Add __malloc_like macro to apply __malloc__ attribute to emalloc, ecalloc and estrdup. It cannot be applied to realloc since that may return the same pointer. [8d70cb81d1f1] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix potential double free in an error path. [657573feb6a4] * src/exec_pty.c: When running the command in a pty, defer the call to exec_setup() until just before we exec the command. This is consistent with the non-pty path. As a side effect, the monitor process runs as root and not the runas user. [e2a7f8c7ee4c] 2013-03-02 Todd C. Miller * compat/closefrom.c: Update copyright year. [9b652af4dfc0] 2013-03-01 Todd C. Miller * compat/closefrom.c: Use pst_highestfd from pstat_getproc() on HP-UX. [09f3fea46a3d] 2013-02-28 Todd C. Miller * Makefile.in, common/Makefile.in, doc/Makefile.in, plugins/sudoers/Makefile.in: Clean up generated test files and other minor housekeeping. [f5f4fdd908e1] * plugins/sudoers/iolog.c: Add back gettimeofday() call inadvertantly removed in e1abb9810a83 [675cce8401ae] * config.h.in, configure, configure.in, src/ttyname.c: Use pstat() on HP-UX to determine the tty device. [2884af22a9df] * plugins/sudoers/auth/pam.c: Fix PAM compilation: def_pam_session, not just pam_session. [5417d7acc6ea] * doc/fixmdoc.sh: Don't remove the -S option description when trimming out selinux. Bug #592 [8a94f2cfa0a0] 2013-02-25 Todd C. Miller * NEWS: Update for Sudo 1.8.6p7 [0858a73e9c40] 2013-02-24 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Document when sudo may exec the command directly instead of forking. [da41951edc28] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document that close and version be NULL for plugin API >= 1.3 and that sudo may execute the command directly if there is no close, or pty or timeout needed. [e5f929ddeaf8] * plugins/sudoers/auth/sudo_auth.c: Fix debug_decl for sudo_auth_begin_session and sudo_auth_end_session. [58243392c0df] * configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c: Add pam_session sudoers option. [d994465db9f1] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Dummy out close function if there is no end_session for the auth method and the front-end can handle a NULL close function. Avoids the extra sudo process when we don't actually need it. [74886d5b0fb6] 2013-02-23 Todd C. Miller * Makefile.in, aclocal.m4: Add m4/ to paths m4_include parameters so we don't need to use autoconf's -I flag. [4fd86e7a84f3] * src/exec.c, src/exec_common.c, src/exec_pty.c, src/sudo_exec.h, src/sudo_plugin_int.h: If the policy plugin does not provide a close function, there is no command timeout and no pty is required, skip the event loop and just exec the command directly. [ad532f107170] * src/sudo.c: Do not crash if the plugin close and version functions are not defined. If there is no policy close function, simply print a warning that the command was not found. [c789a9dd54e8] 2013-02-21 Todd C. Miller * plugins/sudoers/parse.c: Fix typos in selinux/solaris privs specific code. [9af3999361b4] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, src/parse_args.c: Pass the default plugin directory to the plugin via the settings list. Could be used by a stacking plugin. [688e771fc145] * plugins/sudoers/timestamp.c: Completely ignore time stamp file if it is set to the epoch, regardless of what gettimeofday() returns. [df58842af660] * doc/CONTRIBUTORS: Add Nikolai Kondrashov [df59791438f9] * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c: Use userpw_matches() for username matching so #uid works for sudoRunAsUser. [a124062334df] * plugins/sudoers/sssd.c: Avoid calling realloc3() with a zero size parameter when all retrieved sssd rules fail. Otherwise we'll get a run-time error due to malloc(0) checking. [84dfcb73ebd7] * plugins/sudoers/sssd.c: Do not send error mail if a user is not found in SSSD. Local users can run sudo too. From Nikolai Kondrashov [3d2ae99ee468] 2013-02-20 Todd C. Miller * MANIFEST, common/regress/sudo_conf/test4.in, common/regress/sudo_conf/test4.out.ok: Test setting disable_coredump to illegal value. [3c71c6c49027] * common/sudo_conf.c: Fix atobool() usage. [d40c9f4d06b0] * common/regress/sudo_conf/conf_test.c: Remove unused variable. [328b524b365b] * plugins/sudoers/sudoers.c: Make "sudo -l non_existent_command" warn that non_existent_command doesn't exist, not the "list" pseudo-command. [9dc0388fc4f3] * plugins/sudoers/parse.c: Make sudoers file long list output better match the format used by ldap sudoers. Tags are now converted to options and there is a single command per line. [6e6dc3f20d84] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use the correct the sudoers policy symbol names and undo an editor goof committed when adding max_groups to sudo.conf. [2a6f7ddf5cc3] * plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c: For "sudo -l" start a new line if the runas list changes to make the output easier to read. [7dc3d724c924] 2013-02-19 Todd C. Miller * plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c: For "sudo -l" and "sudo -ll" only print the runas info for subsequent commands in a list if the runas info has changed. If we have new runas info, print out the tags again so as to be less confusing to the user. For "sudo -ll" set the line continuation indent to 8. [b5ec02fe7fc1] 2013-02-18 Todd C. Miller * MANIFEST, Makefile.in, configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/group_file.exp, plugins/group_file/plugin_test.c, plugins/sample_group/Makefile.in, plugins/sample_group/getgrent.c, plugins/sample_group/plugin_test.c, plugins/sample_group/sample_group.c, plugins/sample_group/sample_group.exp: Rename sample_group plugin to group_file. Install group_file and system_group plugins by default. [951b3e446fae] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add maxseq sudoers option to limit the max number of I/O log files. [e1abb9810a83] 2013-02-16 Todd C. Miller * plugins/sudoers/iolog.c: Log lines and columns in the iolog file. [03adb6230e05] 2013-02-15 Todd C. Miller * MANIFEST, common/Makefile.in, common/regress/sudo_conf/conf_test.c, common/regress/sudo_conf/test1.in, common/regress/sudo_conf/test1.out.ok, common/regress/sudo_conf/test2.in, common/regress/sudo_conf/test2.out.ok, common/regress/sudo_conf/test3.in, common/regress/sudo_conf/test3.out.ok, common/sudo_conf.c, include/sudo_conf.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sesh.c, src/sudo.c: Add simple regress tests for sudo.conf parsing. [3c36b61bf61c] * src/sudo.c: Always display the I/O plugin version as long as its open functions doesn't return an error. Previously it was only displayed if the plugin open returned 1. [4b0277db3f8c] * plugins/sudoers/pwutil_impl.c: Use sysconf(_SC_LOGIN_NAME_MAX) to find max username length instead of poking around in struct utmpx. [2c0cc5c42958] * plugins/sudoers/pwutil_impl.c, src/parse_args.c, src/sudo.c: #include "sudo_usage.h" not so we get the one in the build directory and not the src dir when using a separate build directory. [1fcb7ba13018] 2013-02-14 Todd C. Miller * common/fileops.c: If a line was longer that 0x80000000 the bit hack to round to the next power of two would roll over to zero. [f4f729cf6f0f] * plugins/sudoers/policy.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h, src/sudo.c: Use max_groups in front-end and plugin. [bf1e74166831] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, src/parse_args.c: Pass max_groups to plugin in settings list. [d7d76e8651f4] * common/sudo_conf.c, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, include/sudo_conf.h: Add max_groups setting to sudo.conf (currently unused) and remove unused return value from setters. [f6494f71e1f0] 2013-02-12 Todd C. Miller * INSTALL: Reorganize configure options [23475de8039f] 2013-02-11 Todd C. Miller * NEWS: Add Sudo 1.8.6p7 [5192fc511cbe] 2013-02-10 Todd C. Miller * INSTALL.configure: Sync with autoconf 2.68 [985e5c8efa4e] * INSTALL, README: Remove obsolete OS notes and move build requirements to INSTALL. [bf0dd53ca164] 2013-02-08 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Sort elements of the settings, user_info and command_info lists. [663062ada5b7] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Remove trailing white space [027916a6c8e7] * plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h: Store the session ID in the tty ticket file too. A tty may only be in one session at a time so if the session ID doesn't match we ignore the ticket. [4eb2cb8df48b] 2013-02-07 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: Move tzset() call from sudoers plugin to sudo front end. [3c058dad8772] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Mention line continuation [399873f8c805] * MANIFEST, common/Makefile.in, common/fileops.c, common/regress/sudo_parseln/parseln_test.c, common/regress/sudo_parseln/test1.in, common/regress/sudo_parseln/test1.out.ok, common/regress/sudo_parseln/test2.in, common/regress/sudo_parseln/test2.out.ok, common/regress/sudo_parseln/test3.in, common/regress/sudo_parseln/test3.out.ok, common/regress/sudo_parseln/test4.in, common/regress/sudo_parseln/test4.out.ok, common/regress/sudo_parseln/test5.in, common/regress/sudo_parseln/test5.out.ok, common/regress/sudo_parseln/test6.in, common/regress/sudo_parseln/test6.out.ok, common/sudo_conf.c, include/fileops.h, plugins/sudoers/env.c, plugins/sudoers/ldap.c, plugins/sudoers/sudo_nss.c: Add line continuation support to sudo_parseln() and make it use getline() instead of fgets() internally. [d02bf3973fc5] 2013-02-06 Todd C. Miller * plugins/sample/sample_plugin.c: Fix memory leak in error path; found by llvm checker [d090c26a5b00] * plugins/sudoers/sudoreplay.c: Remove useless store detected by llvm checker. [12a4db91651a] * configure, configure.in, doc/UPGRADE, mkpkg, src/Makefile.in, src/load_plugins.c, sudo.pp: Sudo now stores its libexec files in a "sudo" subdirectory instead of in libexec itself. For backwards compatibility, if the plugin is not found in the default plugin directory, sudo will check the parent directory default directory ends in "/sudo". [5de67de76489] * plugins/sample/sample_plugin.c, plugins/sample_group/sample_group.c, plugins/system_group/system_group.c: Add missing __dso_public to plugin structs so they are exported. [dde703577621] * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Mention that sudoers has its own plugins too. [0a6c6203b512] 2013-02-05 Todd C. Miller * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Correct last change date. [45894291d792] * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Remove duplicated sudo.conf info in the sudo, sudoers and sudo_plugin manuals and cross-reference the new sudo.conf manual. [b808ba29cf3a] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in: Fix typos [0e70964150c6] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in: Fix some typos. [94ae045cfbc6] * MANIFEST, doc/Makefile.in, doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: Add standalone sudo.conf manual page. [d64d949b700c] * doc/sample.sudo.conf: add group_source example [118c1ba1c014] * configure, configure.in, doc/sample.sudo.conf, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use PLUGINDIR in the manuals and fix a typo in the sample sudo.conf. [f5bd6006dc1c] * plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, src/po/it.mo, src/po/it.po: Sync with translationproject.org [a6f2b9aac371] 2013-02-03 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, src/po/fi.mo, src/po/fi.po, src/po/gl.mo, src/po/gl.po, src/po/vi.mo, src/po/vi.po: Sync with translationproject.org [ba546666969d] 2013-02-01 Todd C. Miller * plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, src/po/da.po, src/po/eo.mo, src/po/eo.po, src/po/es.po, src/po/gl.po: Sync with translationproject.org [cdc454e34c03] 2013-01-31 Todd C. Miller * NEWS: Clarify ttyname changes. [cbf2f80fe582] * NEWS: Add 1.8.6p6 [3aa591e98b3b] * src/ttyname.c: Remove ttyname() fall back code on systems where we can query the kernel for the tty device via /proc or sysctl(). If there is no controlling tty, it is better to just treat the tty as unknown rather than to blindly use what is hooked up to std{in,out,err}. [b2bd3005d2e4] 2013-01-27 Todd C. Miller * common/sudo_conf.c, include/sudo_conf.h, src/sudo.c: Add group_source setting in sudo.conf to allow the admin to specify how a user's groups are looked up. Legal values are static (just the kernel list from getgroups), dynamic (whatever the group database includes) and adaptive (only use group db if kernel group list is full). [87a5b02e22ad] * plugins/sudoers/policy.c: Pass back exec_background to front end if it is enabled in sudoers. [8230e1cd0bbd] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention that exec_background is for 1.8.7 and higher only. [fdf0d5a3e182] 2013-01-24 Todd C. Miller * MANIFEST: Add missing test files. [1165389aa5e6] * plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/regress/visudo/test3.out.ok, plugins/sudoers/regress/visudo/test3.sh: Add regress test for bug 361 [54c7fb61b82d] * plugins/sudoers/iolog.c: Add __dso_public to extern declaration of declaration to match actual definition. [4695ded501e6] * NEWS: Add 1.8.6p5 [b07b28c5c4d7] 2013-01-23 Todd C. Miller * MANIFEST, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test2.out.ok, plugins/sudoers/regress/visudo/test2.sh: Add test for visudo cycle check core dump; test case from Daniel Kopecek [41074541147a] * plugins/sudoers/visudo.c: Fix potential stack overflow due to infinite recursion in alias cycle detection. From Daniel Kopecek. [d7e018a87434] * common/sudo_conf.c, include/sudo_conf.h, src/load_plugins.c: Ignore duplicate entries in sudo.conf and report the line number when there is an error. Warn, don't abort if there is more than one policy plugin. [dfcb5a698f0a] * plugins/sudoers/tsgetgrpw.c: Use strtoul() not atoi(). [58a52cf9b6b8] 2013-01-22 Todd C. Miller * compat/Makefile.in: regen depends for to add compat/nss_dbdefs.h for getgrouplist.lo [9b44e9d26d16] * compat/nss_dbdefs.h: Fix typo that breaks the build on HP-UX. [b9ab6ba23485] * MANIFEST, compat/getgrouplist.c, compat/nss_dbdefs.h, config.h.in, configure, configure.in: Use nss_search() to implement getgrouplist() where available. Tested on Solaris and HP-UX. We need to include a compatibility header for HP-UX which uses the Solaris nsswitch implementation but doesn't ship nss_dbdefs.h. [d29dbc4dc06d] 2013-01-19 Todd C. Miller * src/exec.c, src/exec_pty.c, src/signal.c, src/sudo.h: Remove extra flag to sudo_sigaction(). We want to trap the signal regardless of whether or not it is ignored by the underlying command since there's no way to know what signal handlers the command will install. Now we just use sudo_sigaction() to set a flag in saved_signals[] to indicate whether a signal needs to be restored before exec. [c042d52c7192] 2013-01-18 Todd C. Miller * compat/getgrouplist.c, config.h.in, configure, configure.in: Use _getgroupsbymember() on Solaris to get the groups list. Fixes performance problems with the getgroupslist() compat on Solaris systems with network-based group databases. [287d3ae2ce8d] 2013-01-17 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Document signal handler behavior in plugin API 1.3 [20dc9d1c105f] * MANIFEST, include/sudo_plugin.h, src/Makefile.in, src/exec.c, src/exec_pty.c, src/signal.c, src/sudo.c, src/sudo.h: Move signal code into its own source file and add sudo_sigaction() wrapper that has an extra flag to check the saved_signals list to only install the handler if the signal is not already ignored. Bump plugin API version for the new front-end signal behavior. [5d2f27a1b404] * plugins/sudoers/sudoers.c, src/exec.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Catch SIGINT, SIGQUIT and SIGTSTP in the front end before we execute the command. If we get SIGINT or SIGQUIT, call the plugin close() functions as if the command was interrupted. If we get SIGTSTP, uninstall the handler and deliver SIGTSTP to ourselves. [332baf3a81b7] * src/exec.c, src/exec_pty.c: Rename handle_signals() to dispatch_signals(). Block other signals in handler() so we don't have to worry about the write() being interrupted. [666e95c9a0f1] 2013-01-16 Todd C. Miller * src/tgetpass.c: Rename signal handler to avoid name clash with one in exec.c [8913101a29b6] 2013-01-13 Todd C. Miller * src/sudo.c: Add missing call to save_signals(). [47d075d7326b] 2013-01-11 Todd C. Miller * Makefile.in, plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Fill in the comment block at the top of the .pot files and preserve it when regenerating them. [6449497b76db] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/sudoers.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Add exec_background option in plugin command info and a sudoers option to match. When set, commands are started in the background and automatically foregrounded as needed. There are issues with some ill-mannered programs (like Linux su) so this is not the default. [c0b32b0938f2] * common/Makefile.in: regen [2b2b220e7aea] * src/Makefile.in: Add SESH_OBJS variable for sesh object files. [d3e04ae8fd1f] * configure.in, doc/LICENSE, plugins/sudoers/redblack.c: Update copyright year. [61a0f0cedb13] * src/exec_pty.c: Always resume the command in the foreground if sudo itself is the foreground process. This helps work around poorly behaved programs that catch SIGTTOU/SIGTTIN but suspend themselves with SIGSTOP. At worst, sudo will go into the background but upon resume the command will be runnable. Otherwise, we can get into a situation where the command will immediately suspend itself. [c368ac3eb2e4] * configure, configure.in: Use -fstack-protector-all in preference to -fstack-protector where supported. [f930c95ceb51] 2013-01-10 Todd C. Miller * configure, configure.in: Only test for -fstack-protector and -fvisibility=hidden on GNU compatible compilers. [796f4696d863] 2013-01-03 Todd C. Miller * NEWS: Add Sudo 1.8.6p4 [8a928de8e717] * common/Makefile.in, compat/Makefile.in, configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Break out stack smashing protector options into SSP_CFLAGS and SSP_LDFLAGS so we can use it everywhere (unlike LT_LDFLAGS). [01be114fc9fb] 2013-01-01 Todd C. Miller * doc/CONTRIBUTORS, plugins/sudoers/redblack.c: In rbrepair(), make sure we never try to change the color of the sentinel node, which is the first entry, not the root. From Michael King [3fc4dc4004ec] 2012-12-28 Todd C. Miller * src/exec_pty.c: No need to restore default signal handler for SIGSTOP as it is not catchable. Attempting to do so is harmless but sigaction() will fail and set errno to EINVAL which makes it looks like there is an error. [be7c0b759e9a] * src/exec.c: Print SIGCONT_FG and SIGCONT_BG properly in debug output. [93e59e301c8f] 2012-12-27 Todd C. Miller * configure, configure.in: Disable PIE on FreeBSD/ia64, otherwise sudo will segfault. [9ed48f696595] 2012-12-20 Todd C. Miller * include/missing.h: Add howmany() macro since some systems have this in sys/param.h which we no longer include. [2c5efaa16c45] 2012-12-07 Todd C. Miller * plugins/sudoers/regress/sudoers/test11.toke.out.ok: Remove errant file. [a91699beffc6] 2012-12-04 Todd C. Miller * plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c: Remove obsolete sudoers_cleanup() stubs. [89153025a2ae] * common/alloc.c, common/atobool.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/secure_path.c, common/sudo_conf.c, common/sudo_debug.c, common/term.c, compat/closefrom.c, compat/getcwd.c, compat/glob.c, compat/snprintf.c, include/missing.h, plugins/sample/sample_plugin.c, plugins/sample_group/getgrent.c, plugins/sample_group/plugin_test.c, plugins/sample_group/sample_group.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/get_pty.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c: Don't include . We only needed it for MAXPATHLEN, MAXHOSTNAMELEN and the MIN/MAX macros. We now use PATH_MAX and HOST_NAME_MAX throughout without falling back on MAXPATHLEN or MAXHOSTNAMELEN and define our own MIN/MAX macros as needed. [f4807d46f504] * include/missing.h, plugins/sudoers/match.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sudo.c: Use MAX_HOST_NAME+1 (limits.h) instead of MAXHOSTNAMELEN (sys/param.h or netdb.h). [2544f5e306dd] 2012-11-30 Todd C. Miller * plugins/sudoers/logging.c: Move debug_decl() in log_failure() to be after the variable declarations for C89. [f48d2035ab44] 2012-11-29 Todd C. Miller * common/error.c, include/error.h, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Cannot wrap sigsetjmp() or we end up returning to the wrong place. Use a macro instead. [749ee6acdad8] 2012-11-28 Todd C. Miller * plugins/sudoers/policy.c: Fix return in sudoers_policy_open that should be debug_return. [a78b795b6846] 2012-11-27 Todd C. Miller * src/ttyname.c: Define sudo_ttyname_dev() for the HAVE_STRUCT_PSINFO_PR_TTYDEV case too. [acfa891c229e] * src/solaris.c: Quiet a gcc warning and add comment about needing to keep the handle open. [f954f228960f] 2012-11-26 Todd C. Miller * INSTALL: mention --disable-shared [6954d39e2d0f] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Add missing command_info argument in I/O plugin open() prototype. Bug #579 [72beb07aba0e] 2012-11-25 Todd C. Miller * plugins/sudoers/gram.c: Regen for proper line numbers. [6cf6e132e764] * configure, configure.in: Add locale_stub.o to SUDO_OBJS, not locale_stub.lo. [d604dc8ca38a] * common/sudo_printf.c: Include missing.h for __printflike. [a33640600faf] * plugins/sudoers/iolog.c: Saner loop invariant in io_mkdirs (cosmetic only). [dc30274afe38] * MANIFEST, common/Makefile.in, common/error.c, common/sudo_printf.c, configure, configure.in, include/error.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/Makefile.in, src/error.c, src/exec_pty.c, src/locale_stub.c, src/sesh.c: Move warn/error into common and make static builds work. [4d3f374f4e4c] * MANIFEST, common/Makefile.in, common/sudo_debug.c, common/sudo_printf.c, include/error.h, plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/Makefile.in, src/conversation.c, src/sesh.c: Move _sudo_printf from src/conversation.c to common/sudo_printf.c. Add sudo_printf function pointer that is initialized to _sudo_printf() instead of requiring a sudo_conv function pointer everywhere. The plugin will reset sudo_printf to point to the version passed in via the plugin open function. Now plugin_error.c can just call sudo_printf in all cases. The sudoers binaries no longer need their own version of sudo_printf. [9b09d3f63790] * plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add plugin_setjmp() wrapper for siglongjmp(error_jmp, 1) so we don't need error_jmp to be extern. Also add plugin_clearjmp() that clears a flag so error()/errorx() knows when to call exit() vs. longjmp(). [5a4617148e70] * plugins/sudoers/set_perms.c: Let warning() call gettext() for us. [ab8d502ba4ac] * include/error.h, plugins/sudoers/plugin_error.c, src/error.c: Do locale swapping in the warning()/error() macros themselves instead of in the underlying functions. [4cd205540e17] * common/alloc.c, common/list.c, include/error.h, plugins/sudoers/env.c, plugins/sudoers/plugin_error.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/error.c, src/hooks.c: Rename warning2()/error2() -> warning_nodebug()/error_nodebug(). [48346393634d] * common/sudo_conf.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/defaults.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/error.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c: Call gettext() on parameters for warning()/warningx() instead of having warning() do it for us. [c71088bc9d3e] * Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Call gettext() in sudoerserror() in the user's locale and pass the untranslated string to it. [cdbfc231b848] * plugins/sudoers/Makefile.in, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Allow sudoers programs (visudo, sudoreplay, visudo) to use plugin_error.c instead of the error.c from the front-end. This means sudoers_setlocale() needs to be independent of the sudo_user struct and the defaults table. The sudoers locale is now updated via a callback. [e356f5f8cd6a] * plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Include setjmp.h in sudoers.h Move error_jmp into plugin_error.c Rename sudoers_plugin_cleanup sudoers_cleanup Make sudoers warning/error functions work when sudo_conv is NULL [7365ee24a779] * src/error.c: No need to change locale in front-end warning()/error(). [23dc1df7f93b] * plugins/sudoers/tsgetgrpw.c: Ignore bad lines in passwd/group file instead if stopping processing when we hit one. [79b790559075] * plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test5.sh: Bash doesn't let you set UID to use MYUID instead. [5be56335f059] * plugins/sudoers/visudo.c: Avoid NULL deref for unknown Defaults in strict mode. [545c21c1e7d6] * common/sudo_conf.c, common/sudo_debug.c: See DEFAULT_TEXT_DOMAIN [3d723e1d27db] 2012-11-13 Todd C. Miller * .hgignore: Add signame.c and mksigname. [d59bbf423f00] * plugins/sudoers/Makefile.in: Fold preinstall into install-plugin and pass the path to the plugin binary to the preinstall command. [2c2205af8bb7] * pp: sync with upstream [a4b7336b3256] * src/sudo.h: repair spacing [f5c1255ce514] 2012-11-12 Todd C. Miller * common/sudo_debug.c: Set group on sudo_debug when creating it to gid 0 so systems without BSD group semantics don't get the invoking user's group. [7dda01196554] * plugins/sudoers/iolog.c: Rename mkdir_parents() io_mkdirs() and add a flag to specify whether path is a temporary, in which case the final component is created via mkdtemp() instead of mkdir(). [79c0c4e7ed58] * plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.h: For PERM_ROOT set egid to 0 so log files are not created with the gid of the user. [5b964ea43474] * plugins/sudoers/logging.c: Add calls to set_perms(PERM_ROOT) becore logging to a file. We should already be root but since we cache the current permission status it is basically free. That way, if more of sudoers runs as non-root in the future logging will still work correctly. [c591d4973f41] * common/sudo_conf.c, config.h.in, configure, configure.in, include/gettext.h, plugins/sudoers/locale.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/error.c, src/exec.c, src/sesh.c, src/sudo.c: #unifdef HAVE_SETLOCALE, it is C89 so no need to check for it. [41f6bb4926f4] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in: Mention that sudo.conf is parsed in the C locale. [f711c416e30c] * common/sudo_conf.c: Parse sudo.conf in the "C" locale. [776658f651ea] * plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.h: Fix compilation on systems w/o setlocale() [6940d1c1c1ce] * doc/TROUBLESHOOTING: Sudo now includes a workaround for the Solaris 11 locale issue. [ab93787a552c] 2012-11-11 Todd C. Miller * include/gettext.h, plugins/sudoers/iolog_path.c, plugins/sudoers/locale.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/error.c, src/exec.c, src/sesh.c, src/sudo.c, src/sudo.h: Always include locale.h from gettext.h so we no longer need to include locale.h from the .c files. [93d39182ccfa] * MANIFEST, config.h.in, configure, configure.in, mkdep.pl, plugins/sudoers/Makefile.in, src/Makefile.in, src/openbsd.c, src/solaris.c, src/sudo.c, src/sudo.h: Add os-specific initialization functions for solaris (workaround setuid locale problem in Solaris 11) and openbsd (set malloc_options if SUDO_DEVEL). Also move set_project() to solaris.c. [1d6581afbaf4] 2012-11-09 Todd C. Miller * plugins/sudoers/find_path.c, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Avoid strerror() when possible and just rely on warning/error to handle errno in the proper locale. [bf612caae97c] * plugins/sudoers/logging.c: Set sudoers locale in log_allowed() [2dd0ac704cae] * plugins/sudoers/check.c: Make the sudo lecture translatable. [3cdfc183d72d] * Makefile.in: Add the values of badpass_message, passprompt and mailsub to sudoers.pot so they can be translated. [51cbe8adcb94] * plugins/sudoers/logging.c: Expand the FMT_FIRST anf FMT_CONTD macros inline so they get picked up by xgettext. [c5b74115caf0] 2012-11-08 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/prompt.c, plugins/sudoers/sudoers.h: Make expand_prompt() args const and free the prompt when we are done with it. [995ef8519fe6] * plugins/sudoers/policy.c: Fix cut and pasto [e002921c1d15] * plugins/sudoers/defaults.c, plugins/sudoers/logging.c: Expand def_mailsub in the sudoers locale, not the user's. [a4775f2fb385] * common/sudo_conf.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, src/error.c, src/exec.c, src/exec_common.c, src/exec_pty.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c: Display warning/error messages in the user's locale. [00a04165c0cf] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c: Call gettext inside log_error et al instead of having the caller do it. This way we can display any messages to the user in their own locale but log in the sudoers local. [286e0444f785] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add simple locale switching to make it easy to switch from the user's locale to the sudoers locale without making excessive setlocale() calls when we don't need to. [5c61582fdeee] * plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: Convert setlocale() to sudoers_setlocale() in the sudoers module. This only converts existing uses, there are more places where we need to sprinkle sudoers_setlocale() calls. [8ee0cbf0d0a9] * plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: audit_failure() now calls gettext itself using the sudoers locale. [d77f1d78799a] * common/sudo_debug.c, include/error.h, include/sudo_debug.h, plugins/sudoers/plugin_error.c, src/error.c: Add variants of warn/error and sudo_debug_printf that take a va_list instead of a variable number of args. [00392bdc063c] * INSTALL, doc/TROUBLESHOOTING: Document Solaris 11 locale issues and workarounds. [05f7d34af3ae] * Makefile.in, configure, configure.in: Solaris gettext() looks in lang.UTF-8, not just lang for UTF-8 locales. Make links from localdir/lang -> localdir/lang.UTF-8 [5ca9326480e2] 2012-11-06 Todd C. Miller * plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: Do not inform the user that the command was not permitted by the policy if they do not successfully authenticate. This is a regression introduced in sudo 1.8.6. [c1279df08bfb] * plugins/sudoers/Makefile.in: Add preinstall target that runs SUDO_PREINSTALL_CMD. Used to fixup the rpath in HP-UX SOM shared libraries for the LDAP libs. [b07185657b42] * src/parse_args.c: The -a option should be #ifdef HAVE_BSD_AUTH_H, not -A. [22c73cbe3ff9] 2012-10-28 Todd C. Miller * INSTALL, configure, configure.in: Allow the user to specify and alternate libtool [c9d6fc9521fd] 2012-10-26 Todd C. Miller * doc/CONTRIBUTORS, plugins/sudoers/sudo_nss.c: Allow sudo to be build with sss support without also including ldap support. From Stephane Graber. [b992a80ebea1] 2012-10-25 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Refactor policy plugin interface code from sudoers.c into policy.c [393e62910b8a] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Refactor command_info setting into its own function. [a952b948324c] * plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/match_addr.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Make interfaces pointer private to interfaces.c and add get_interfaces() accessor. [b69b9334ed3c] 2012-10-24 Todd C. Miller * plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.h: Make user_cwd const since it is either a string literal or passed in from the front-end. [90751b81e8bc] * configure, configure.in: sudo 1.8.7 [bf727adb8af0] * plugins/sudoers/sudoers.c: Avoid nested strtok() calls. [9d9f22ab52a9] 2012-10-23 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/prompt.c, plugins/sudoers/sudoers.h: Move expand_prompt() into its own source file for easier unit testing. [b419b48a436f] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h: Make check.c independent of the underlying timestamp implementation. [895071bd6065] * plugins/sudoers/iolog_path.c: Add SUDOERS_NO_SEQ define to allow ${seq} to be disabled. [8ac38f02dd6d] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Use a list for the possible values of Tag_Spec with a minimal indent to improve readability. In the pod version, these were =head3. Also use .St -p1003.1 instead of just POSIX when talking about glob() and fnmatch(). [361a6f7a5c44] 2012-10-02 Todd C. Miller * src/ttyname.c: sudo_ttyname_dev() is unused if there is no /proc or sysctl(). [6598dbf81e16] * compat/mksiglist.c, compat/mksigname.c, compat/regress/fnmatch/fnm_test.c, compat/regress/glob/globtest.c, plugins/sample_group/plugin_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sesh.c, src/sudo.c: Explicitly mark main() as public in executables to avoid an HP-UX ld warning. [72a40ce218be] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Remove grep from SEE ALSO section. [c7cafee1621f] * common/alloc.c: If vasprintf() fails, just use the errno it sets instead of assuming ENOMEM. [1be5bfdc0cab] 2012-09-28 Todd C. Miller * doc/TROUBLESHOOTING: Mention HP-UX pam.conf settings. [8b8e745b49fd] 2012-09-27 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h: Split off timestamp functions into their own source file. [d5833332511d] 2012-09-26 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Mention how !foo is not the same as ALL,!foo [51f8e470757d] 2012-09-25 Todd C. Miller * src/exec_pty.c: Start commands in the background when I/O logging is enabled. We can't do this on Mac OS X due to a kernel bug in tc[gs]etattr(2) which returns EINTR on signal instead of restarting automatically. [83b1d59146f7] * src/exec_pty.c: Handle SIGCONT_FG and SIGCONT_BG when converting signal number to string in deliver_signal(). [2cefea7a976e] 2012-09-24 Todd C. Miller * src/exec_pty.c: Fix running commands that need the terminal in the background when I/O logging is enabled. E.g. "sudo vi &". When the command is foregrounded, it will now resume properly. [0bc13a253429] * plugins/sudoers/match.c: Add rudimentary support for name-based matching as a compile-time option. This unsafe when used in conjunction with the '!' operator. [f93bc8e6db15] 2012-09-21 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c: Split out implementation-specific back end code out of pwutil.c into pwutil_impl.c. This will allow the main pwutil code to be used for lookup methods other than getpw* and getgr*. [999c2dde60e4] 2012-09-18 Todd C. Miller * NEWS, configure, configure.in: sudo 1.8.6p3 [97fef3d9ed65] 2012-09-17 Todd C. Miller * doc/fixman.sh: Don't use embedded newline when matching, use \n. This got expanded at some point. Bug #573 [6652f834b8f5] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Rename yyerror() to sudoerserror() to match yacc prefix changes. Not really needed due to the #defines that yacc makes but it is less confusing this way as the lexer calls sudoerserror(). [a0577be6527d] * common/alloc.c, plugins/sample_group/plugin_test.c, plugins/sudoers/env.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, src/exec_common.c, src/parse_args.c, src/sudo.c: No need to translate "unable to allocate memory" when we can just use the system translation via strerror(). [377499e5827c] * plugins/sudoers/sudoreplay.c: Fall back on lstat(2) if d_type in struct dirent is DT_UNKNOWN. Not all file systems support d_type. Bug #572 [8b861c62945f] * plugins/sudoers/sudoreplay.c: Avoid calling fclose(NULL) in the error path when we cannot open an I/O log file. [9401d5c4bb05] 2012-09-16 Todd C. Miller * NEWS, configure, configure.in: Sudo 1.8.6p2 [6e32496280f2] * src/exec.c: When setting the signal handler for SIGTSTP to the default value in non-I/O log mode, store the old handler value for when we restore it after resume. [242628694e42] * plugins/sudoers/env.c: Replace the guts of sudo_setenv_nodebug() with our old setenv.c which supports non-standard BSD and glibc semantics. sudo_setenv() now simply calls sudo_setenv2(). [57ffb6c9efaa] 2012-09-15 Todd C. Miller * doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document non-Unix group support in LDAP sudoers. [33c89f3aeee6] * plugins/sudoers/ldap.c: Enable non-Unix group support for LDAP sudoers. We now check for non-Unix groups and netgroups with the same query in the second pass. Bug #571 [eb98fdff54d9] 2012-09-14 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/parse.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Set yacc prefix to "sudoers" to avoid conflicts other yacc parsers. [cb6c0d93215e] 2012-09-12 Todd C. Miller * NEWS: Mention support for SUCCESS=return in /etc/nsswitch.conf [ef1f35aa0863] * NEWS, configure, configure.in: sudo 1.8.6p1 [73a5e1f004b3] 2012-09-11 Todd C. Miller * plugins/sudoers/env.c: Avoid setting LOGNAME, USER and USERNAME variables twice when set_logname is enabled. [0de4f5fbd1d4] * plugins/sudoers/env.c: Fix duplicate detection in sudo_putenv(), do not prune out the variable we just set when overwriting an existing instance. Fixes bug #570 [854ee714c831] * plugins/sudoers/env.c: Add some debuggging [a25cd3305823] 2012-09-04 Todd C. Miller * plugins/sudoers/sudo_nss.c: Disable word wrap in list mode when stdout is a pipe to make "sudo -l | grep ..." more useful. Adapted from a diff by Daniel Kopecek. [65ade04511fd] * common/lbuf.c: Print a trailing newline in lbuf_print() when there is not enough space to do word wrapping and the lbuf does not end with a newline. [c0200e19cd09] * plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c: Add support for [SUCCESS=return] in nsswitch.conf; from Daniel Kopecek [5c480316e3ce] * MANIFEST: Add sssd.c [9cadd014ef97] 2012-09-01 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/hr.mo, plugins/sudoers/po/sl.mo, plugins/sudoers/po/uk.mo, src/po/fi.mo, src/po/hr.mo, src/po/it.mo, src/po/ru.mo, src/po/sl.mo, src/po/uk.mo, src/po/vi.mo: regen .po files [62423d4d143d] * MANIFEST, plugins/sudoers/po/vi.mo: Add Vietnamese sudoers translation from translationproject.org [33666a605525] * NEWS: mention PIE [05032e5304c6] * MANIFEST, plugins/sudoers/po/vi.po: Add Vietnamese sudoers translation from translationproject.org [015c2204bae2] 2012-08-29 Todd C. Miller * Makefile.in, compat/Makefile.in, mkdep.pl: Add missing signame dependency [e493bfb01929] * src/exec.c, src/ttyname.c: Silence compiler warnings. [1c5374b66d9b] * MANIFEST, compat/Makefile.in, compat/sig2str.c, compat/strsigname.c, config.h.in, configure, configure.in, include/missing.h, mkdep.pl, src/exec.c, src/exec_pty.c: Replace strsigname() with sig2str(), emulating it as needed. [1e348cca1fa6] * config.h.in, configure, configure.in, src/utmp.c: Use fseeko() for legacy utmp handling if available. [b4bbd8d2c0e9] 2012-08-28 Todd C. Miller * compat/strsigname.c, config.h.in, configure, configure.in: Detect sys_sigabbrev[] and use it in place of sys_signame[] if present. For some reason glibc does not declare sys_sigabbrev so we must add an extern definition of our own. [b38f3fbd7078] * compat/strsignal.c, compat/strsigname.c: Handle NULL entries in sys_siglist and sys_signame. [a388959d9654] * compat/mksiglist.c, compat/mksiglist.h, compat/mksigname.c, compat/mksigname.h, compat/strsignal.c, compat/strsigname.c: Convert my_sys_sig{list,name} -> sudo_sys_sig{list,name} [711e41aba59a] 2012-08-27 Todd C. Miller * NEWS: sync [5a2522488754] * src/exec.c: Pass on SIGTSTP to the command if it was sent by a user process (not the kernel or the terminal) when we are not I/O logging and set the default SIGTSTP handler when we re-send the signal to ourself, restoring our handler after we resume. [4259c47e31c0] * src/exec.c: Shells typically change their process group when they start up so that they can implement job control. Most well-behaved shells change the pgrp back to its original value before suspending so we must not try to restore in that case, lest we race with the child upon resume, potentially stopping sudo with SIGTTOU while the command continues to run. Some shells, such as pdksh, just suspend the shell by sending SIGSTOP to themselves without restoring the pgrp. In this case we need to change the pgrp back for them. Should fix bug #568 [6ac6751ffd17] 2012-08-26 Todd C. Miller * MANIFEST, compat/Makefile.in, compat/mksigname.c, compat/mksigname.h, compat/strsignal.c, compat/strsigname.c, config.h.in, configure, configure.in, include/missing.h, mkdep.pl, src/exec.c, src/exec_pty.c: Use strsigname() to print signal names in the debug output. If the system has no strsigname(), use our own. [0735f18906b9] 2012-08-23 Todd C. Miller * plugins/sudoers/regress/testsudoers/test5.inc, plugins/sudoers/regress/testsudoers/test5.sh: Remove generated file and change path for temporary include file. [4e9fa830c6b5] * plugins/sudoers/Makefile.in: When running regress tests, list pass/fail rate for each dir (testsudoers and visudo) instead of the total. Also prevent the result files from clobbering each other by keeping them in the relevant directories. [6aac53baff7d] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Don't print an error message in yyerror() if open_sudoers() fails, we've already printed an error message. Also restore the check for sudoers_warnings in yyerror(). [aa6036df5fb2] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Avoid printing the >>> parse error <<< message for testsudoers when the -t flag is specified. [76f3433c8992] 2012-08-22 Todd C. Miller * plugins/sudoers/parse.c: Fix NULL deref when an entry has no Runas_Entry [4b14983ff6e7] * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/ja.mo, src/po/ja.po, src/po/pl.mo, src/po/pl.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [440e9c9b37de] * NEWS: sync [3142ba2dce60] * plugins/sudoers/check.c: Correct the check_user() comment header. [73da30308fff] * plugins/sudoers/auth/sudo_auth.c: Change a log_fatal() into log_error() when no auth methods are configured. The caller already checks the return value. [05f5c39793a7] * plugins/sudoers/logging.c: Add missing debug_return [3a76bb7c2fe7] 2012-08-21 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in: Make the capitalization consistent for .Ss and .Sx [5c5735ee4b2f] * doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: Add COMMAND EXECUTION section that describes how sudo runs the command, the extra sudo processes and signal handling. [dff2d88e984e] 2012-08-18 Todd C. Miller * Makefile.in: Happy Easter [4b9d697c6b83] 2012-08-17 Todd C. Miller * compat/Makefile.in: Don't echo the awk command when building siglist.in [21daa72921e6] * doc/fixman.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Cosmetic changes. [19259528e9ad] * doc/Makefile.in: The HISTORY, LICENSE and CONTRIBUTORS files are not longer generated. [ea6ac9e981e6] * MANIFEST, plugins/sudoers/po/da.po, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/sl.po, plugins/sudoers/po/uk.po, src/po/de.mo, src/po/de.po, src/po/fi.po, src/po/hr.po, src/po/it.po, src/po/ru.po, src/po/sl.po, src/po/uk.po, src/po/vi.po: Sync with translationproject.org and add Italian sudoers translation. [9276740aea59] 2012-08-16 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Expand description of fqdn to talk about systems where the hosts file is searched before DNS. [4ee812ca6116] 2012-08-15 Todd C. Miller * doc/Makefile.in: For cat pages there is nothing to make unless DEVEL is set. [fab4a5b68708] * configure, configure.in, doc/Makefile.in: Always use mandoc to format cat pages and remove now-extraneous nroff configure tests. [5747f4ed5762] * pp: sync polypkg from git [89ddf6ea3e3f] * plugins/sudoers/sudoers.c: Use AI_FQDN instead of AI_CANONNAME if available since "canonical" is not always the same as "fully qualified". [7c1d9c098386] 2012-08-14 Todd C. Miller * doc/sudoers.mdoc.in: Fix some typos. Describe error messages not related to policy permissions. [f5ebf9030d85] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/visudo.c: Add new check_defaults() function to check (but not update) the Defaults entries. Visudo can now use this instead of update_defaults to check all the defaults regardless instead of just the global Defaults entries. [3fa879ce1b65] 2012-08-13 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Document sudoers log format. [08998a7061ab] * NEWS: Update for sudo 1.8.5p3 [6e102a5d4e8d] * src/load_plugins.c: Add missing check for I/O plugin API version when checking for the presence of I/O plugin hooks. [ef05c7eeaf81] * src/hooks.c: Can't call debug code in the process_hooks_xxx functions() since ctime() may look up the timezone via the TZ environment variable. [2179fb26bd8e] 2012-08-10 Todd C. Miller * src/exec_common.c, src/sesh.c, src/utmp.c: Include signal.h before sudo_exec.h since it uses sigset_t * in the fork_pty prototype. [94fc0d859600] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Remove OPTIONS section; options now go inside DESCRIPTION [a619fc58a746] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [44719d80bc06] * MANIFEST, NEWS, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/da.mo, src/po/da.po, src/po/hr.mo, src/po/hr.po, src/po/sl.mo, src/po/sl.po, src/po/vi.mo, src/po/vi.po: Sync with translationproject.org and add new Slovenian translation. [34b4b966bbac] * common/alloc.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/linux_audit.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Reduce the number of "internal error, foo overflow" messages that need to be translated. [93ffa2b3d53f] * NEWS: Mention HP-UX reboot fix. [1e39b5aa32ac] * INSTALL, NEWS, common/sudo_debug.c, configure, configure.in, doc/CONTRIBUTORS, include/sudo_debug.h, mkdep.pl, pathnames.h.in, plugins/sudoers/Makefile.in, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c: Support for using SSSD (http://fedorahosted.org/sssd/) as a sudoers data source. From Daniel Kopecek and Pavel Brezina. [3f85e95d6928] 2012-08-09 Todd C. Miller * common/sudo_conf.c, src/load_plugins.c: If sudo.conf contains an I/O plugin but no policy plugin, use sudoers for the policy plugin. If a policy plugin is specified without an I/O plugin, only the policy plugin will be loaded. [ea192df2439d] * doc/Makefile.in, doc/sudoers.man.in: Do not modify the .Os section when building the .man.in file from .mdoc.in. [a9f9628e147f] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Add a note about wildcards matching multiple words and include an example. Also mention that for sudoedit, a wildcard in command line args does not match a slash. [fcb9fbac14e0] 2012-08-07 Todd C. Miller * src/exec_pty.c, src/sudo_exec.h: Fix a comment, update a variable name in a prototype; all cosmetic. [e89f10cbd6e1] * plugins/sudoers/iolog.c: Cast 2nd argument of lseek() to off_t if it is a constant for systems with 64-bit off_t but without a proper lseek() prototype. [d8779da135d0] * compat/getline.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/visudo.c: Fix some warnings from clang checker-267 [1e44ef7860b5] * plugins/sample/sample_plugin.c: Fix memory leak found by clang checker-267 [f8a43617fdfb] 2012-08-06 Todd C. Miller * src/exec.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h: If we receive a signal from the command we executed, do not forward it back to the command. This fixes a problem with BSD-derived versions of the reboot command which send SIGTERM to all other processes, including the sudo process. Sudo would then deliver SIGTERM to reboot which would die before calling the reboot() system call, effectively leaving the system in single user mode. [4ffab9ab9e98] 2012-08-03 Todd C. Miller * doc/fixman.sh, doc/fixmdoc.sh: Remove section about Solaris 10 on other systems. Add missing sudoers.man.in bit to fixman.sh. [176559199ba7] 2012-08-02 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: Expand section on Solaris privileges. [3a1bfa2f1743] * NEWS: Expand a bit on the Solaris priv set changes. [bffb78b4a520] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: The second argument to init_parser() is now bool. [fb727a4fb651] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Fix printing of parse error message to stderr. [dea6b420b84f] * plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: If a command matches using an empty Runas_List (i.e. Runas_List is present but empty) and the -u option was not specified, set runas_pw to user_pw instead of using runas_default. This is intended to be used in conjunction with the Solaris Privilege Set support for rules that grant privileges without changing the user. [e84a081f3c11] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers_version.h: Add support for parsing an empty Runas_List, which only allows the command to be run as the invoking user. This can be used in conjunction with the Solaris Privilege Set support to grant privileges without changing the user. [dc34373792fc] 2012-08-01 Todd C. Miller * doc/fixman.sh: Fix HP-UX, just use ".TH name section" like the vendor manuals. [559738237c92] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix compilation on Solaris [2d310302207c] * .hgignore, MANIFEST, doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.man.sh, doc/sudo.mdoc.sh, doc/sudoers.man.sh, doc/sudoers.mdoc.sh: Generate a sed script file when munging *.mdoc or *.man instead of passing sed expressions on the command line. Older seds do not support \n in a replacement so generate and run a sed script instead. [0bcce3f1ca18] * doc/Makefile.in, doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.man.in, doc/visudo.man.in: Use "Sudo VERSION" as the 4th arg to .TH instead of just "VERSION" [fe0f10b63776] 2012-07-31 Todd C. Miller * src/exec.c: When checking whether a signal is user-generated, compare si_code against SI_USER instead of <= 0 since on HP-UX, terminal-related signals get a code of 0. [4e9021243343] * src/sudo.c: SuSE Enterprise Linux uses RLIMIT_NPROC and _SC_CHILD_MAX interchangably. This causes problems when setting RLIMIT_NPROC to RLIM_INFINITY due to a bug in bash where bash tries to honor the value of _SC_CHILD_MAX but treats a value of -1 as an error, and uses a default value of 32 instead. Previously, we just checked RLIMIT_NPROC and, if it was unlimited, restored the previous value of RLIMIT_NPROC. However, that makes it impossible to set nproc to unlimited. We now only restore the nproc resource limit if sysconf(_SC_CHILD_MAX) is negative. In most cases, pam_limits will set RLIMIT_NPROC for us. [cb71cc8d0b08] 2012-07-30 Todd C. Miller * plugins/sudoers/ldap.c: Active Directory apparently requires that tenths of a second be present in a date so append .0 to the "now" value in the time filter. Also remove space for the global AND from TIMEFILTER_LENGTH since it was not being used consistently. Buffers of TIMEFILTER_LENGTH now need to account for the terminating NUL byte. [d28619ff6e45] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix SELinux build [cc0d1f4e851b] 2012-07-29 Todd C. Miller * MANIFEST: Remove pod versinons of HISTORY, CONTRIBUTORS and LICENSE as they were not being kept in sync. [fc3ad1847cb1] * doc/HISTORY, doc/Makefile.in, doc/contributors.pod, doc/history.pod, doc/license.pod: Remove pod versinons of HISTORY, CONTRIBUTORS and LICENSE as they were not being kept in sync. [950363dffe3a] 2012-07-27 Todd C. Miller * plugins/sudoers/logging.c: Fix printing of the permission denied message to standard error when a user is not allowed to run a command. This got broken by the recent logging changes. [b7af63da3ca1] * plugins/sudoers/sudoers_version.h: Bump grammar version for Solaris privs. [2a2baf024477] * doc/schema.ActiveDirectory: Fix errors introduced when sudoNotBefore, sudoNotAfter and sudoOrder were added. From David Hicks. [3fc432a8edb4] 2012-07-26 Todd C. Miller * plugins/sudoers/Makefile.in: Remove lex.yy.c when building toke.c [72bb9e62b289] * doc/Makefile.in: Fix building docs in a build dir. [7a6f435af022] * doc/sudo.man.pl, doc/sudo.pod, doc/sudo_plugin.pod, doc/sudoers.ldap.pod, doc/sudoers.man.pl, doc/sudoers.pod, doc/sudoreplay.pod, doc/visudo.pod: Remove pod versions of the manual; we now use mdoc. [5c967d2dd5db] * MANIFEST, doc/Makefile.in, doc/sudo.man.sh, doc/sudo.mdoc.sh, doc/sudoers.man.sh, doc/sudoers.mdoc.sh: Add post-processing scripts to strip out login class, BSD auth, SELinux and privilege set bits when they are not supported. [d0d51f72f597] * NEWS, configure.in, doc/CONTRIBUTORS, doc/Makefile.in, doc/contributors.pod, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.man.pl, doc/sudoers.mdoc.in, doc/sudoers.pod, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, src/sudo.c, src/sudo.h: Merge in Solaris privilege support by Darren Moffat and John Zolnowsky [3aa0a64f2f5c] 2012-07-25 Todd C. Miller * doc/contributors.pod: Sync with CONTRIBUTORS file [9a0852306ad9] * doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.man.in: Regen .man.in files with my private mandoc. [dc3c9fc449eb] * doc/Makefile.in: add MANDOC variable [35527e66afc5] 2012-07-20 Todd C. Miller * doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.man.in, doc/visudo.man.in: Regen .man.in files with hacked mandoc to avoid issues with historic nroff. [d45cfa7d665f] 2012-07-19 Todd C. Miller * doc/sudo.mdoc.in, doc/sudoers.mdoc.in: Fix groff warnings. [111d522ca807] * doc/Makefile.in: Fix dependencies for .man.in files. [aefeffe1af2b] * .hgignore: Add doc/*.mdoc to ignore file [1e4de6ef2ad8] * INSTALL, MANIFEST, NEWS, configure, configure.in, doc/Makefile.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: Build .man.in and .cat files from .mdoc.in files. Add new --with-man and --with-mdoc configure options. [c963fd7e8f80] 2012-07-18 Todd C. Miller * doc/sudo.mdoc.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in: Sudo manuals formatted in mdoc, to replace the pod versions. [e6dca4030451] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, doc/sudoers.man.in, doc/sudoers.pod, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod, doc/visudo.cat, doc/visudo.man.in, doc/visudo.pod: More minor costmetic fixes. [a7287a68385a] 2012-07-12 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod: Minor cosmetic fixes. [9c48bdaf3946] 2012-07-11 Todd C. Miller * plugins/sudoers/logging.c, plugins/sudoers/po/sudoers.pot: Use "a password is required" instead of "password required" when the -n flag is used and we need to read a password. [a3c30fc41648] 2012-07-10 Todd C. Miller * NEWS: Mention logging changes. [8238fd6e02e8] * plugins/sudoers/po/sudoers.pot: regen [e2cf634ba63b] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Document that other mail_* flags have precedence over mail_badpass. [9f4cc9188f40] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563 [cad35f0b3ad7] 2012-07-06 Todd C. Miller * common/aix.c: Do not set a resource limit to zero when we are unable to fetch a value from /etc/security/limits. [62bfb0a7895e] 2012-07-05 Todd C. Miller * sudo.pp: Add "Provides: sudo" to debian sudo-ldap package [beb8afa0beb2] 2012-07-02 Todd C. Miller * configure, configure.in, zlib/Makefile.in: Define NO_VIZ for zlib when gcc doesn't support symbol visibility attributes. [9fdcbf526386] * configure, configure.in: Use the autoconf cache when checking for symbol export control support. [03c2cce8711f] * INSTALL, common/Makefile.in, compat/Makefile.in, configure, configure.in, mkpkg, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in: Add configure check for building PIE executables instead of doing it in mkpkg. [02b5b78ef258] * sudo.pp: MacOS pp backend doesn't like modes longer than 4 characters. [01b49022bf01] 2012-07-01 Todd C. Miller * configure, configure.in: Add -Wc,-fstack-protector to LT_LDFLAGS instead of adding -fstack-protector to LDFLAGS so it doesn't get stripped out. Libtool will strip -fstack-protector from the linker flags and we always link with libtool. [0a0a0250ac2b] 2012-06-29 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: Regen for sudo 1.8.6 [1657ee28b496] * NEWS, doc/sudoers.ldap.pod: Document improved Tivoli Directory Server support. [fb411edf4687] * config.h.in, configure, configure.in, plugins/sudoers/ldap.c: Add support for ldaps using Tivoli LDAP libraries. Add ldap.conf option to specify Tivoli key db password. Allow TLS ciphers to be configured for Tivoli. [737e17c91e60] 2012-06-28 Todd C. Miller * plugins/sudoers/ldap.c: Tivoli Directory Server 6.3 libs always return a (bogus) error when setting LDAP_OPT_CONNECT_TIMEOUT. [504406637c38] * NEWS: Update [687a755604e8] * plugins/sudoers/ldap.c: Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH). Don't make failure to a set an ldap option fatal. [17cf93ae3304] 2012-06-27 Todd C. Miller * plugins/sudoers/sudoers.c: Zero pointers in sudo_user struct after freeing, just in case. [8eff1f80b943] * plugins/sudoers/sudoers.c: Free user_gids in close function if it has not already been freed. [cbce28877f37] * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Defer group ID to name resolution until we actually need it. [463e75b81e89] * src/sudo.c: It is safe to read in sudo.conf before calling user_info(). [3290b6434e3c] * plugins/sudoers/env.c, plugins/sudoers/ldap.c: Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to prevent potential truncation. Bug #562. [29d9fc4e0c4e] 2012-06-25 Todd C. Miller * sudo.pp: If installing with installp, error out if there is already an instance of the rpm package installed. [ec24c6faba22] * mkpkg: Add --disable-nls for AIX [192ac2f7d65e] 2012-06-22 Todd C. Miller * sudo.pp: Debian sudo-ldap packages should now depend on libldap-2.4-2, not libldap2. [cbcec71e6b58] 2012-06-21 Todd C. Miller * sudo.pp: Add Homepage and Bugs to debian control file. [0f19d7d14e66] 2012-06-20 Todd C. Miller * mkpkg: fix typo when setting aix_freeware [2fd6feb50195] * common/Makefile.in, compat/Makefile.in, configure, configure.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in: Don't run regress tests or sudoers sanity check (using the newly- built visudo) when cross compiling. Bug #560 [0c4e3f68b2f5] * MANIFEST, configure, configure.in, plugins/sample/Makefile.in, plugins/sample/sample_plugin.exp, plugins/sample/sample_plugin.map, plugins/sample/sample_plugin.sym, plugins/sample_group/Makefile.in, plugins/sample_group/sample_group.exp, plugins/sample_group/sample_group.map, plugins/sample_group/sample_group.sym, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.exp, plugins/sudoers/sudoers.map, plugins/sudoers/sudoers.sym, plugins/system_group/Makefile.in, plugins/system_group/system_group.exp, plugins/system_group/system_group.map, plugins/system_group/system_group.sym: Rename foo.sym -> foo.exp Remove foo.map from the repo and generate it on demand Use a loader option file for HP-UX ld to explicitly export symbols [2402ff5302ab] * src/Makefile.in: Remove extraneous backslash [8ca054de138c] * plugins/sudoers/regress/check_symbols/check_symbols.c: Don't check for errorx as an exported symbols as it is now a macro. Check for user_in_group() instead. [7b02c8ecd3ea] 2012-06-19 Todd C. Miller * configure, configure.in: Adjust ld map file support to use an anonymous scope to match the updated .map files. [49be44282d9e] 2012-06-18 Todd C. Miller * config.h.in, configure, configure.in, include/gettext.h: Older versions of Solaris lack ngettext() [028af10dfa5f] * configure, configure.in: Move the check for -static-libgcc until after AC_LANG_WERROR has been called and use AX_CHECK_COMPILE_FLAG(). [a7b09120e7ff] * include/gettext.h: Sudo defines HAVE_SETLOCALE not HAVE_LOCALE_H [3aa2780d4a4e] * include/error.h, include/sudo_debug.h: Fix gcc 2.x variant macro support. [8e71c2370997] * plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c: Fix compilation on gcc 2.95 and other compilers that only allow variable declarations at the beginning of a block. [9d80c802bb46] * configure, configure.in, plugins/sudoers/Makefile.in: Link check_symbols with SUDO_LIBS to make sure we link with the requisite libraries to successfully dlopen sudoers.so. This is needed on HP-UX where a program dlopen()ing a shared object that uses pthreads must also be linked with pthreads (and HP-UX LDAP uses pthreads). [b8961cd82337] * plugins/sudoers/regress/check_symbols/check_symbols.c: Add check for exported local symbols. This will cause a "make check" failure on systems where we don't support symbol hiding. [8aa549389bb1] * configure, configure.in: Additional ${foo} -> $(foo) Makefile tweaks. [046bbde18f52] * plugins/sample/sample_plugin.map, plugins/sample_group/sample_group.map, plugins/sudoers/sudoers.map, plugins/system_group/system_group.map: No need to provide a name for the scope in the map file since we don't use the it for versioning. [5ed4b997560d] 2012-06-17 Todd C. Miller * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/check_symbols/check_symbols.c: Add regress test for symbol visibility. [9adddd4e0518] 2012-06-15 Todd C. Miller * NEWS, configure, configure.in: sudo 1.8.6 [57008a7afb77] * configure, configure.in, include/missing.h: Add support for controlling symbol visibility using the HP and Solaris C compilers. [46d5b468979e] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.h: Use the expanded io log dir when updating the sequence number. Includes a workaround for older versions of sudo where the sequence number was stored in the unexpanded io log dir. [210797dab9a8] 2012-06-14 Todd C. Miller * src/parse_args.c: Simplify "sudo -s" argv rewriting. [7be143dae7c5] * MANIFEST, configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, src/sudo_noexec.map: Don't use a map file for sudo_noexec.so since Solaris ld doesn't allow '*' in the global section. The libtool export flag is now added to LT_LDFLAGS instead of commenting/uncommenting lines. [38fc37a66b04] 2012-06-13 Todd C. Miller * config.h.in, configure, configure.in, include/missing.h: The visibility attribute was actually added in gcc 3.3.x, not 4.0. Just assume that if -fvisibility=hidden works that the attribute is usable. [d3904d6faf14] * plugins/sudoers/check.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers.map, plugins/sudoers/sudoers.sym, plugins/sudoers/testsudoers.c, plugins/system_group/system_group.c: Export group cache from sudoers.so for system_group.so to use. [16695d207fc5] * MANIFEST, configure, configure.in, include/missing.h, plugins/sample/Makefile.in, plugins/sample/sample_plugin.map, plugins/sample_group/Makefile.in, plugins/sample_group/sample_group.map, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.map, plugins/system_group/Makefile.in, plugins/system_group/system_group.map, src/sudo_noexec.c, src/sudo_noexec.map: Use gcc's visibility attribute to specify when symbols are visible or hidden, if available. If not available, use an ELF version script if it is supported. If all else fails, fall back to using libtool's -export-symbols. [64e889921727] 2012-06-12 Todd C. Miller * sudo.pp: Add mode for installed locale files but leave the directories with default mode and owner. [142237dbb31f] 2012-06-11 Todd C. Miller * mkpkg, sudo.pp: Install AIX packages under /opt/freeware with links in /usr/bin and /usr/sbin. This matches the layout of the sudo package from AIX freeware. [0b79d47bbe01] * Makefile.in, configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in, sudo.pp: Install shared objects with mode 0644 except on HP-UX which needs the executable bit set. [ae416af0ba6c] * Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Make installed file modes consistent with the file modes in the sudo package. [307386373289] 2012-06-08 Todd C. Miller * doc/sudoers.pod: Add "%:" prefix when talking about QAS non-Unix group support. [7cb25f6861f8] * pp, sudo.pp: Fix packaging of symbolic links on HP-UX when the link source already exists in the filesystem. [c9bb48031596] * mkpkg: Only specify prefix if we are overriding the default value. Fixes the man dir (/usr/local/man vs. /usr/local/share/man). [65351b6c1697] * sudo.pp: Fix setting of sudoedit_man variable. [9beed9ae5bba] * doc/Makefile.in: Echo the command when linking the sudoedit manual. [6c83b5657b55] 2012-06-07 Todd C. Miller * mkpkg, sudo.pp: Build .deb packages with selinux support. [3fd9cb1b4526] 2012-06-04 Todd C. Miller * sudo.pp: Don't list paths for unstripped binaries in the lintial overrides. [4c8e16f1773b] * pp: Add support for Installed-Size header in control file, required by newer debian versions. [e97d76234bee] * pp: Fix extended description in .deb files. [d35e27ace146] * sudo.pp: Add Depends, Replaces and Conflicts headers for .deb packages. [76eb6c4b3278] 2012-06-01 Todd C. Miller * plugins/sudoers/sudo_nss.c: If there are no privs to print, write the message to the lbuf instead of printing it directly. [ecd56226abb7] 2012-05-31 Todd C. Miller * sudo.pp: Set -e in %pos and %preun for debian to quiet a lintian warning. [8bb908514df9] * doc/Makefile.in, src/Makefile.in, sudo.pp: Install sudoedit and the sudoedit manual as symbolic links, not hard links and package them as such. [f317ff3cf3e7] * sudo.pp: Make sudo binary permissions 755 instead of 111 Add lintian overrides file for .deb files. [991cd7d7f0e1] * configure, configure.in, doc/Makefile.in, mkpkg: Replace out of date MAN_POSTINSTALL with MANCOMPRESS and MANCOMPRESSEXT which can be used to compress the installed manual pages. Compress the man pages for .deb files to appease lintian. [4e34083b41d2] * sudo.pp: Debian fixes: * fix modes to be more in line with what Debian expects * add section * install LICENSE as copyright and ChangeLog as changelog * create stub changelog.debian [7f6c5647f588] * pp: Fix find command to properly skip files in the DEBIAN dir when building md5sums. [8918bde941fa] * pp, sudo.pp: Use a debian-compliant package maintainer field. [fc51a94170eb] 2012-05-30 Todd C. Miller * plugins/sudoers/sudoreplay.c: No need to loop over atomic_writev(), it guarantees to write all data or return an error. Fix handling of stdout/stderr that contains "\r\n" and handle a "\r\n" pair that spans a buffer. [8aaf02d90c45] 2012-05-29 Todd C. Miller * NEWS: Update for sudo 1.8.5p2 [d369d4d40a19] * plugins/sudoers/sudoreplay.c: Instead of doing extra write()s when replaying stdout, build up a vector for writev() instead. This results in far fewer system calls. [303d866c025c] 2012-05-27 Todd C. Miller * src/env_hooks.c, src/sudo.h, src/tgetpass.c: Provide unhooked version of getenv() and use it when looking up DISPLAY and SUDO_ASKPASS in the environment. [04dbdccf4a14] 2012-05-25 Todd C. Miller * plugins/sudoers/sudoreplay.c: When replaying a log of stdout or stderr, do newline to carriage return + linefeed conversion. We cannot have termios do this for us since we've disabled output postprocessing (POST) when setting raw mode. [61352a7d996f] 2012-05-24 Todd C. Miller * configure, configure.in: When checking for -fstack-protector, treat warnings as fatal errors. [4124cd12d511] 2012-05-22 Todd C. Miller * configure, configure.in: Fix test for -z relro [548bdb6f5c4a] * MANIFEST: Add m4/ax_check_compile_flag.m4 and m4/ax_check_link_flag.m4 [ed063264a2a1] * INSTALL, aclocal.m4, configure, configure.in, m4/ax_check_compile_flag.m4, m4/ax_check_link_flag.m4: Build with -fstack-protector and link with -zrelo where supported. Added --disable-hardening option to disable hardening options. [0b6c1a1ceb03] 2012-05-21 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.inc, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/testsudoers.c: Add tests for sudoers mode, owner and group checks. [a7607443aba0] * plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c: If sudoers_mode is group-readable but the actual sudoers file is not, open the file as uid 0, not uid 1. This fixes a problem when sudoers has a more restrictive mode than what sudo expects to find. In older versions, sudo would silently chmod the file to add the group-readable bit. [c056b6003e6f] * INSTALL, common/secure_path.c, config.h.in, configure, configure.in: No longer throw an error if sudoers is a symbolic link. Deprecated the --with-stow option as that is now (effectively) the default. [8ce783e54886] 2012-05-18 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test2.inc, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.d/root, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test3.sh: Add basic tests for #include and #includedir [b303e4218951] * plugins/sudoers/testsudoers.c: Add -U sudoers_uid option to testsudoers. [3f8ed13501ba] 2012-05-17 Todd C. Miller * NEWS, configure, configure.in: Update for 1.8.5p1 [c33c49bf5b4b] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix #includedir; from Mike Frysinger [d4833d4e39a0] * plugins/sudoers/check.c: Don't prompt for a password if the user is in the exempt group, is root, or is running the command as themselves even if the -k option was specified. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command. [632b3961df00] 2012-05-15 Todd C. Miller * INSTALL: Fix capitalization [7258aa977caf] * mkpkg: Build PIE executable on Mac OS X 10.5 and above. [2a5c7ef92182] 2012-05-14 Todd C. Miller * NEWS: Update for sudo 1.8.4p5 [21164f508b68] * plugins/sudoers/match_addr.c: Add missing break between AF_INET and AF_INET6 in addr_matches_if_netmask() [672a4793931a] * plugins/sudoers/mon_systrace.c: Move systrace monitor code to the attic [d6faf4754e9c] 2012-05-11 Todd C. Miller * src/exec.c: The pointer to the siginfo_t struct in a signal handler may be NULL. [41a4ee934b53] 2012-05-10 Todd C. Miller * plugins/sudoers/pwutil.c: Fix an alignment problem on NetBSD systems with a 64-bit time_t and strict alignment. Based on a patch from Martin Husemann. [1e5ba3c18f17] * include/missing.h: Add offsetof macro for those without it. [e44cb51d2587] * MANIFEST: add system_group plugin [6169793b510c] 2012-05-09 Todd C. Miller * compat/dlopen.c: Implement RTLD_NEXT and fix RTLD_DEFAULT for HP-UX. [85bd03bc5d94] 2012-05-08 Todd C. Miller * NEWS: Mention system_group plugin [05393dd4bdb8] * Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: update depends [6feb0b824fc4] * plugins/system_group/system_group.c: Only call gr_delref() when use sudo's password caching functions. [1103442e21fa] * plugins/sample_group/Makefile.in, plugins/system_group/Makefile.in: Add missing dependency on libreplace.la [05bfd9d4657f] * compat/dlopen.c: Emulate RTLD_DEFAULT and RTLD_SELF w/ shl_findsym() using NULL and PROG_HANDLE. [2382d0693acc] * Makefile.in, configure, configure.in, plugins/system_group/Makefile.in, plugins/system_group/system_group.c, plugins/system_group/system_group.sym: Add group plugin that does lookups by name using the system group database. [2ddbb604112f] * plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, src/po/pl.mo, src/po/pl.po: sync with translationproject.org [4ef05df4226d] 2012-05-03 Todd C. Miller * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/de.mo, src/po/de.po, src/po/eo.mo, src/po/eo.po, src/po/fi.mo, src/po/fi.po, src/po/ja.mo, src/po/ja.po, src/po/ru.mo, src/po/ru.po, src/po/sr.mo, src/po/sr.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [115c3f828fc5] 2012-05-01 Todd C. Miller * sudo.pp: Add mode for docdir and use '-' (default) for localedir mode. Fixes a problem on Linux when building in a directory with the setgid bit set. [582279c8bcb1] 2012-04-30 Todd C. Miller * pp: Match CentOS 6.0 [1e99ef210f98] 2012-04-24 Todd C. Miller * NEWS: Update with recent changes [c5fc220ba696] * pp: Fix version check on AIX [d272e39112f4] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [72b23509465a] * plugins/sudoers/ldap.c: Need to call ldapssl_clientauth_init() for start_tls on Mozilla LDAP SDK. [87b685e70b9a] * plugins/sudoers/ldap.c: Fix printing of invalid uri [645aa53acdde] * plugins/sudoers/auth/pam.c: Pass PAM_SILENT when deleting creds to remove an annoying warning message on Solaris. [1dd0301ef293] 2012-04-23 Todd C. Miller * src/utmp.c: Fix the setutxent and endutxent compatibility defines (this time correctly) when only setutent and endutent are available. [d136d2867db9] * plugins/sudoers/ldap.c: sudo_ldap_set_options_global() should not take an LDAP handle as an argument since the options affect the global settings. [1dc39b9d20f2] * mkpkg: Debian sudo has not been built with --with-exempt=sudo since 1.6.8. [c7716291a856] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, plugins/sudoers/auth/pam.c, src/exec.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Call the policy's init_session() function before we fork the child. That way, the session is created and destroyed in the same process, which is needed by some modules, such as pam_mount. [ece552ba002e] * doc/TROUBLESHOOTING: Add entry for SSL LDAP errors on Mozilla SDKs when the cert dir is not specified. [bd293e100b28] * plugins/sudoers/auth/pam.c: Delete creds after closing the PAM session. [5158d726d6a5] * plugins/sudoers/ldap.c: Provide a more useful error message if using a Mozilla-style LDAP SDK and you forgot to specify TLS_CERT in ldap.conf. [7cb78feb899c] * src/exec_pty.c: Add missing initialization of a sigaction structure when I/O logging. Fixes a potential problem when suspending the command. [f4480f2ba816] * plugins/sudoers/ldap.c: Split global and per-connection LDAP options into separate arrays. Set global LDAP options before calling ldap_initialize() or ldap_init(). After we have an LDAP handle, set the per-connection options. Fixes a problem with OpenLDAP using the nss crypto backend; bug #342 [265c9d2dc12b] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/de.mo, src/po/de.po, src/po/hr.mo, src/po/hr.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [6d7fe44be21e] 2012-04-21 Todd C. Miller * src/sudo.c, src/sudo.h: Move struct passwd pointer into struct command details. [d6fb1eff2065] 2012-04-20 Todd C. Miller * pp: Sync with upstream for Mac OS X (and other) fixes. [c2f4998d01b0] * mkpkg: Only built Mac intel universal binary on an intel machine. [0009e0b7e5a8] * src/Makefile.in: Do not pass libtool the -static-libtool-libs option when building sudo and sesh. Otherwise, libtool may prefer a static version of an installed library over a dynamic one when linking. [6fbac9adc885] 2012-04-19 Todd C. Miller * MANIFEST, NEWS, doc/CONTRIBUTORS, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, src/po/de.mo, src/po/de.po: Add German translation for sudo Add Croatian translation for sudoers [fa4da1a6530c] * plugins/sudoers/iolog.c: typo fix in comment [abd721d1288e] 2012-04-16 Todd C. Miller * NEWS: Update with recent changes [6fa11e8448b9] * Makefile.in, plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Sort xgettext output by file name. [f650841810f0] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod: Clarify what "sudoreplay -l" displays and mention that it is sorted. [84031c117bd6] * config.h.in, configure, configure.in, src/ttyname.c: Use AC_HEADER_MAJOR to determine where major/minor are defined. [3c949650a223] * config.h.in, configure, configure.in, src/ttyname.c: Include sys/mkdev.h if present instead of sys/sysmacros.h for minor(). This is needed on Solaris (at least) where the makedev macros in sysmacros.h are obsolete and library functions should be used instead. [343928acf81e] * mkpkg: When building on Mac OS X, only set SDK_FLAGS if specified osversion doesn't match host. [d84c6efac872] 2012-04-15 Todd C. Miller * src/ttyname.c: Add back buf and tty variables for _ttyname() case that were inadvertantly removed. [a4a820b22a44] 2012-04-13 Todd C. Miller * plugins/sudoers/po/sudoers.pot: regen [5446b12c1250] * configure, configure.in: Remove b8 from version number. [5adc4dcec061] * src/ttyname.c: remove some XXX [187579a5f593] * src/ttyname.c: When looking for a device match, do a breadth-first search instead of depth-first. We already special case /dev/pts/ so chances are good that if it is not a pseudo-tty it is in the base of /dev/. Also avoid a stat(2) when possible if struct dirent has d_type. [0183f8a1b278] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, src/sudo.c, src/sudo.h: Pass pid, ppid, sid, pgid and tcpgid to plugin in user_info list. [f0574d878491] * src/po/eo.mo, src/po/es.mo, src/po/es.po, src/po/fi.mo, src/po/ja.mo, src/po/pl.mo, src/po/ru.mo, src/po/uk.mo, src/po/vi.mo: sync with translationproject.org [4527ea78fbd5] * MANIFEST, NEWS, doc/CONTRIBUTORS, src/po/gl.mo, src/po/gl.po, src/po/hr.mo, src/po/hr.po: New Croatian and Galician translations from translationproject.org [ad4bd924b4de] * src/ttyname.c: Add depth-first traversal of /dev/ for the /proc case when not /dev/pts/N [499bd3456774] * config.h.in, configure, configure.in, plugins/sudoers/sudoreplay.c: If struct dirent has d_type, use it to avoid an extra stat(). [741dabbe4bcd] * plugins/sudoers/sudoreplay.c: Sort output of "sudoreplay -l" [c0615795bd4b] 2012-04-12 Todd C. Miller * plugins/sudoers/sudoreplay.c: Fix duplicate free introduced in last rev [efdaabe69d75] 2012-04-11 Todd C. Miller * plugins/sudoers/auth/pam.c: Instead of treating ^C from tgetpass() specially, always return AUTH_INTR if tgetpass() returned NULL. Treat PAM_AUTHINFO_UNAVAIL like PAM_AUTH_ERR which Mac OS X returns this when there is no tty. [a3b17298d4d0] * config.h.in, configure, configure.in, src/ttyname.c: Rototill code to determine the tty. For Linux, we now look up the tty device in /proc/pid/stat instead of trying to open /proc/pid/fd/[0-2]. The sudo_ttyname_dev() function maps the given device number to a string. On BSD, we can use devname(). On Solaris, _ttyname_dev() does what we want. TODO: write /dev/ traversal code for the generic sudo_ttyname_dev(). [6b22be4d09f0] 2012-04-10 Todd C. Miller * src/ttyname.c: Define PRNODEV for those w/o it. [f17290e64559] * config.h.in, configure, configure.in, src/ttyname.c: Check for SVR4-style struct psinfo.pr_ttydev and use that to determine the tty if std{in,out,err} are not ttys. [76ad33a91f4b] * src/ttyname.c: Better support for SVR4-style /proc entries where we can't use ttyname() on the /proc/pid/fd/[0-2] entries. We can, however, attempt to map the device number back to the correct pseudo-tty slave device. [4f9f48cc79eb] * src/ttyname.c: When trying to determine the tty name, check parent's stderr in addition to its stdin and stdout. [604644056c7d] * src/exec_pty.c: Treat a tty read failure like EOF as it usually means the pty has gone away. Handle write() on the tty returning EIO. [16957f4a706f] * src/exec.c, src/exec_pty.c: Linux select() may return ENOMEM if there is a kernel resource shortage. Older Solaris select() may return EIO instead of EBADF when the tty goes away. If we get an unhandled select() failure, kill the child and exit cleanly. [d93940a311ab] * src/ttyname.c: Open /proc/pid/fd/[0-2] in non-blocking mode just in case we might block in open. [a9f809d09d52] 2012-04-09 Todd C. Miller * plugins/sudoers/set_perms.c: Fix restoration of AIX permissions. [30c717115988] * src/parse_args.c: Allow the -k flag to be used along with the -i and -s flags. [0653b17c97f1] * plugins/sudoers/sudoreplay.c: Plug memory leak in parse_logfile() in the error path. [9cce86fa833b] * plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/da.mo, src/po/da.po, src/po/eo.po, src/po/es.po, src/po/fi.po, src/po/it.mo, src/po/it.po, src/po/ja.po, src/po/pl.po, src/po/ru.po, src/po/uk.po, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [14af43d0b170] 2012-04-08 Todd C. Miller * compat/regress/glob/globtest.c, config.h.in, configure, configure.in, plugins/sudoers/match.c: Do not use GLOB_BRACE or GLOB_TILDE flags to glob()--we want the glob() and fnmatch() results to be consistent. [4226750d73c2] 2012-04-06 Todd C. Miller * MANIFEST, common/Makefile.in, common/ttysize.c, src/Makefile.in, src/ttysize.c: Move ttysize.c to common so sudoreplay can use it. [b4a0aa514cd4] * plugins/sudoers/sudoreplay.c: If I/O log file includes rows + cols, warn if the user's tty is not big enough. [b980ef89efff] * plugins/sudoers/sudoreplay.c: Fix printing of TSID in "sudoreplay -l" [4221e3e108b4] * common/sudo_debug.c, include/sudo_debug.h, plugins/sudoers/logging.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c: Log the process id in the debug file output. Since we don't want to keep calling getpid(), stash the value at init time and when we fork(). [2782d30c024d] * src/exec_pty.c: Ignore SIGTTIN and SIGTTOU in main sudo process when I/O logging. It is better to receive EIO from read()/write() than to be suspended when we don't expect it. Fixes a problem when our terminal is revoked which can happen when, e.g. our sshd is killed unceremoniously. Also, only change the value of "alive" from true to false, never from false to true. It is possible for us to receive notification of the child having stopped after it is already dead. This does not mean it has risen from the grave. [26c9fe8ce0f9] * src/exec_pty.c: Distinguish between signals we received from the parent vs. those delivered explicitly to the monitor process in debugging info. [40716cb180e5] 2012-04-05 Todd C. Miller * plugins/sudoers/check.c: In Solaris 11, /dev/pts under the "dev" filesystem, not "devices". Update tty_is_devpts() to match so we can determine when the tty has been reused. [2689665df027] * common/sudo_debug.c, include/error.h, include/sudo_debug.h: Always pass __func__, __FILE__ and __LINE__ in sudo_debug_printf() and use a new flag, SUDO_DEBUG_FILENO to specify when to use it. This allows consumers of sudo_debug_printf() to log that data without having to specify it manually. [7c94c4879208] * src/exec_pty.c: Make this compile after last change. [ee09034f3266] * src/exec_pty.c: Don't try to restore the terminal if we are not the foreground process. Otherwise, we may be stopped by SIGTTOU when we try to update the terminal settings when cleaning up. [c48b24335456] * src/exec.c: If select() return EBADF in the main event loop, one of the ttys must have gone away so perform any I/O we can and close the bad fds. [3bc8678c03ce] * common/sudo_debug.c, include/error.h, include/sudo_debug.h, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Log warning() at SUDO_DEBUG_WARN not SUDO_DEBUG_ERROR. Log the function, file and line number in the debug log for warning() and error(). [894cd131f11d] 2012-04-04 Todd C. Miller * common/sudo_debug.c, include/error.h, include/sudo_debug.h, src/conversation.c: Add SUDO_DEBUG_ERRNO flag to debug functions so we can log errno. Use this flag when wrapping error() and warning() so the debug output includes the error string. [1e2c67adaf1f] 2012-03-30 Todd C. Miller * NEWS: Update for sudo 1.8.5 [7d2b62b823fe] * plugins/sudoers/po/sudoers.pot: regen [718ad9de92cd] * doc/CONTRIBUTORS: sync [f48013aea641] * plugins/sudoers/pwutil.c: Use ecalloc() [fabd23c1f271] * src/exec_pty.c: Don't need zero_bytes() after ecalloc() [1a9d95cd10ef] * config.h.in, configure, configure.in, src/sudo_noexec.c: Add execvpe(), exect(), posix_spawn() and posix_spawnp() wrappers to sudo_noexec.c. [cbaa1d4b0f8a] * src/utmp.c: Fix compat setutxent and endutxent macros for systems with setutent() but not setutxent(). From Gustavo Zacarias [d7ce622fc5f2] 2012-03-29 Todd C. Miller * configure.in: Add ignore_result definition to AH_BOTTOM [8d4096838a98] * common/sudo_debug.c, config.h.in, plugins/sample/sample_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, src/env_hooks.c, src/exec.c, src/exec_pty.c, src/tgetpass.c: Fix compiler warnings on some platforms and provide a better method of defeating gcc's warn_unused_result attribute. [9a8f804fcc75] * configure, configure.in: Fix building the builtin zlib from a build dir. When a zlib dir was specified, prepend its include path instead of appending so we get the right zlib headers. [5f61d591b186] * doc/LICENSE, zlib/adler32.c, zlib/crc32.c, zlib/crc32.h, zlib/deflate.c, zlib/deflate.h, zlib/gzguts.h, zlib/gzlib.c, zlib/gzread.c, zlib/gzwrite.c, zlib/infback.c, zlib/inffixed.h, zlib/inflate.c, zlib/inftrees.c, zlib/trees.c, zlib/zconf.h.in, zlib/zlib.h, zlib/zutil.c, zlib/zutil.h: Update zlib to version 1.2.6 [173c4bc4d4fc] 2012-03-28 Todd C. Miller * include/missing.h: g/c __unused which is no longer used [7ef3f23edcd6] * src/env_hooks.c: Fix compilation if RTLD_NEXT is not defined. [d5605f468b71] * src/po/sr.mo, src/po/sr.po: sync with translationproject.org [27d559f7985d] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.man.in: regen [f9f63ce478b6] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [59035d82d15a] * Makefile.in: Ignore Project-Id-Version when comparing pot files. [22feb9ede46b] * plugins/sudoers/bsm_audit.c: Use error() instead of log_fatal() [54130bda4b50] * plugins/sudoers/env.c: Fix signedness of didvar in env_update_didvar() [77048a80b3e4] * plugins/sudoers/iolog.c: Quiet a compiler warning on some platforms. [8fdcaece0400] * compat/fnmatch.c: cast ctype(3) function/macro arguments from char to unsigned char to avoid potential negative subscripting. [bdcf7eef21ef] * common/setgroups.c: Quiet a warning on systems where the gids array in setgroups() is not prototyped as being const, even though it really is. [fdd758c6302d] * src/env_hooks.c: Quiet a compiler warning on systems where the argument to putenv(3) is const. [51bae2193b53] * plugins/sudoers/sudoreplay.c: Undo an incorrect int -> bool conversion. [b9a4ce320f14] * MANIFEST, NEWS, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, src/po/sv.mo, src/po/sv.po: Add Swedish sudo and sudoers translations from translationproject.org [f7ce1de9073f] * plugins/sudoers/env.c: No need to preserve ODMDIR on AIX now that we always read /etc/environment. [4aa04b2f0125] 2012-03-27 Todd C. Miller * doc/sudoers.pod, plugins/sudoers/env.c: When initializing the environment for env_reset, start out with the contents of /etc/environment on AIX and login.conf on BSD. [5717bdc321e2] * doc/TROUBLESHOOTING, src/sudo.c: If we are not running with an effective uid of 0, try to give the user enough information to debug the problem. [fa4894896d8a] * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: Quiet a clang-analyzer false positive. [c4c0c1b9c8b0] * src/tgetpass.c: If there is nothing to read from the askpass program, set errno to EINTR. This makes the cancel button behave like the user entered ^C at the password prompt when PAM is used. [594302cb9caf] * src/sudo.h, src/tgetpass.c: Fetch the value of "askpass" from the sudo conf struct. [4593ee8f1bd3] * common/sudo_conf.c: Fix matching of "Path askpass" and "Path noexec" [4df28d62afb9] 2012-03-26 Todd C. Miller * plugins/sudoers/visudo.c: Quiet a clang-analyzer dead store warning. [dd90bf385a3f] * plugins/sudoers/sudoers.c: If the "timestampowner" user cannot be resolved, use ROOT_UID instead of exiting with a fatal error. [8d62aae99715] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c: Remove the NO_EXIT flag to log_error() and add a log_fatal() function that exits and is marked no_return. Fixes false positives from static analyzers and is easier for humans to read too. [a0fe785c2a3d] 2012-03-24 Todd C. Miller * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, src/po/eo.mo, src/po/eo.po: sync with translationproject.org [df5e8777de13] 2012-03-20 Todd C. Miller * src/po/da.mo, src/po/da.po: sync with translationproject.org [629d99548b78] * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po: sync with translationproject.org [9d122a2860d6] 2012-03-19 Todd C. Miller * src/po/it.mo, src/po/it.po: sync with translationproject.org [6397593b15cf] * common/sudo_conf.c, plugins/sudoers/alias.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/ldap.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/hooks.c, src/load_plugins.c: Use ecalloc() when allocating structs. [8b5888868db2] * common/alloc.c, include/alloc.h: Add ecalloc() and commented out recalloc(). Use inline strnlen() instead of strlen() in estrndup(). [7fb9aa46c1e0] 2012-03-18 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/fi.mo, src/po/fi.po, src/po/ja.mo, src/po/ja.po, src/po/pl.mo, src/po/pl.po, src/po/ru.mo, src/po/ru.po, src/po/uk.mo, src/po/uk.po, src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: sync with translationproject.org [45a032c37334] 2012-03-16 Todd C. Miller * plugins/sudoers/set_perms.c: Remove unused label [2660bb0c1313] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document what changed in each plugin API revision [59b30a6fc4d1] * plugins/sudoers/set_perms.c: Remove bogus optimization that could lead to a double free of the group list. [b0bfbd2a83a8] 2012-03-15 Todd C. Miller * doc/TROUBLESHOOTING: Expand AIX /etc/security/privcmds entry. [9f3f072e034e] * NEWS: Update for sudo 1.8.5 [086049011f25] * common/sudo_conf.c, doc/sample.sudo.conf, doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, include/sudo_conf.h, include/sudo_plugin.h, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Rename plugin "args" to "options" [f25624951bd2] * doc/CONTRIBUTORS: Add Lithuanian and Vietnamese translators [2b4c075b69e3] * Makefile.in: Ignore comments when comparing new and old pot files. [f872999347b3] * src/Makefile.in: regen [c8193b1b11c7] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in: regen [15e3c17e8a3a] * doc/sudo_plugin.pod, include/sudo_plugin.h, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/hooks.c, src/sudo.c, src/sudo.h: Pass a pointer to user_env in to the init_session policy plugin function so session setup can modify the user environment as needed. For PAM authentication, merge the PAM environment with the user environment at init_session time. We no longer need to swap in the user_env for environ during session init, nor do we need to disable the env hooks at init_session time. [3f5277b359d8] * plugins/sample/sample_plugin.c: Add explicit NULL entries for init_session, register_hooks and deregister_hooks with appropriate comments. [727a57978b40] * compat/pw_dup.c: Quiet a gcc "used uninitialized in this function" false positive. [f14b68379ce9] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: We should always call warning() with a format string or a string literal. In this case, the argument (path) is not user-controlled. [e9ef51224024] 2012-03-14 Todd C. Miller * src/selinux.c: Include sudo_exec.h for the sudo_execve() prototype. [769e58065edc] * config.h.in, configure, configure.in: Add check for pam_getenvlist() [36bde3f26c60] * common/sudo_conf.c: Set args to NULL in default plugin info struct when there is no Plugin line in sudo.conf. [93ec67708f01] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [a9287677795c] * doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: regen [a242769d7962] * configure, configure.in: Bump version to 1.8.5 [e8618f0c2505] * doc/sudo_plugin.pod: Document hooks API [e6ad07d27958] 2012-03-13 Todd C. Miller * sudo.pp: Make sudoersdir relative to PKG_INSTALL_ROOT for Solaris. [fd72340042d3] * include/sudo_plugin.h: Use sudo_hook_fn_t in struct sudo_hook. [938f93112d6e] * doc/TROUBLESHOOTING: If cross compiling, --host must include the OS in the tuple. E.g. --host powerpc-unknown-linux [b8c010070c1e] 2012-03-12 Todd C. Miller * plugins/sudoers/parse.c: Fix bogus int -> bool conversion; tags can have a value of -1. [e63d6434a303] * plugins/sudoers/env.c: Add env_should_keep() and env_should_delete() wrapper functions to simplify things a bit and hide the fact that matches_env_check() is not bool. [7a03d7a12b50] * sudo.pp: Fix application of debian-specific sudoers mods when building packages as non-root. [34bf4c52c425] * plugins/sudoers/env.c: matches_env_check() returns int, not boolean [0ad915b8d5cb] * src/sudo_edit.c: Fix compilation when seteuid() is not available. [8a722f998000] * src/ttyname.c: Simply move the free of ki_proc outside the realloc() loop. [217b786da760] * src/ttyname.c: Bring back the erealloc() for the ENOMEM loop and just zero the pointer after we free it. [29a016e45127] * src/ttyname.c: Don't try to erealloc() a potentially freed pointer; Mateusz Guzik [266e08844065] 2012-03-10 Todd C. Miller * plugins/sudoers/set_perms.c: Use normal error path if unable to set sudoers gid. [01c816918c99] * plugins/sudoers/set_perms.c: Make this work again on systems w/o seteuid(). [2e67f7421e97] 2012-03-09 Todd C. Miller * plugins/sudoers/set_perms.c: Fix compilation if no seteuid/setreuid/setresuid available. [d0b3c1f88eb4] * plugins/sudoers/set_perms.c: Better error messages, and added debugging throughout. Fixed seteuid() version of set_perms()/restore_perms(). Fixed logic bug in AIX version of restore_perms(). Added checks to avoid changing uid/gid when we don't have to. Never set gid/uid state to -1, use the old value instead. [29188d469b5c] * src/exec_pty.c, src/ttyname.c: Fix format string warning on Solaris with gcc 3.4.3. [d1eeb6e1dd0f] * src/sudo.c: Always declare environ now that we swap it around unilaterally. [aaa3e92e7d0d] * src/Makefile.in: Honor LDFLAGS when linking sesh; from Vita Cizek [498b41438f6e] * src/sesh.c: Include alloc.h for estrdup() prototype; from Vita Cizek [93203655a320] 2012-03-08 Todd C. Miller * plugins/sudoers/sudoers.c: Don't read /etc/environment on Linux when using PAM, PAM should set the environment variables as needed via pam_env. [b1ef62cb2d40] * INSTALL: Fix editor goof. [0c3dd3bb8b57] * src/hooks.c, src/sudo.c, src/sudo.h: Disable environment hooks after we get user_env back to make sure a plugin can't to modify user_env after we "own" it. This is kind of a hack but we don't want the init_session plugin function to modify user_env. [8e6d119452a5] * src/hooks.c, src/sudo.c: Add support for deregistering hooks. If an I/O log plugin fails to initialize, deregister its hooks (if any). [ac00c93900c5] 2012-03-07 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: Move LOGIN_PATH and LOGIN_SETENV handling to plugin now that we hook setenv. [e75469dd9908] * MANIFEST, aclocal.m4, common/sudo_debug.c, compat/Makefile.in, compat/setenv.c, compat/unsetenv.c, config.h.in, configure, configure.in, include/sudo_debug.h, include/sudo_plugin.h, mkdep.pl, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/env.c, plugins/sudoers/ldap.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/Makefile.in, src/env_hooks.c, src/hooks.c, src/load_plugins.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: Initial cut at a hooks implementation. The plugin can register hooks for getenv, putenv, setenv and unsetenv. This makes it possible for the plugin to trap changes to the environment made by authentication methods such as PAM or BSD auth so that such changes are reflected in the environment passed back to sudo for execve(). [61cffa06f863] 2012-03-05 Todd C. Miller * MANIFEST, src/po/vi.mo, src/po/vi.po: Add Vietnamese sudo translation from translationproject.org [96df426790d5] 2012-03-02 Todd C. Miller * doc/sample.sudo.conf, doc/sudo.pod, doc/sudo_plugin.pod, doc/sudoers.pod: List sudo_noexec.so not noexec.so in the sample sudo.conf [53844e190ec5] * common/sudo_conf.c, doc/sample.sudo.conf, doc/sudo.pod, doc/sudo_plugin.pod, doc/sudoers.pod, include/sudo_conf.h, include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/toke.l, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Add support for plugin args at the end of a Plugin line in sudo.conf. Bump the minor number accordingly and update the documentation. A plugin must check the sudo front end's version before using the plugin_args parameter since it is only supported for API version 1.2 and higher. [587f1f819536] 2012-03-01 Todd C. Miller * plugins/sudoers/Makefile.in: update depends [6d2da44e11e5] * MANIFEST: secure_path.c is in common, not compat [619c4a663dde] * configure, configure.in: Add check for variadic macro support in cpp. [756854caf675] 2012-02-29 Todd C. Miller * common/secure_path.c, common/sudo_conf.c, include/secure_path.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add type param to sudo_secure_path() and add sudo_secure_file() and sudo_secure_dir() wrappers which get by #includedir in sudoers. [2ec2d3d8df04] 2012-02-28 Todd C. Miller * doc/visudo.pod, plugins/sudoers/visudo.c: Check the owner and mode in -c (check) mode unless the -f option is specified. Previously, the owner and mode were checked on the main sudoers file when the -s (strict) option was given, but this was not documented. [b2d6ee1e547a] * config.h.in, configure, configure.in, src/ttyname.c: Prefer KERN_PROC2 over KERN_PROC. Fixes compilation on some versions of OpenBSD versions that have KERN_PROC2 but not KERN_PROC. [159f6a50456a] 2012-02-27 Todd C. Miller * doc/CONTRIBUTORS: Add Eric Lakin for patch in bug #538 [490c29c234c6] * src/exec_pty.c: Fix typo in safe_close() made while converting to debug framework that prevented it from actually closing anything. [a66422a62afd] * src/exec_pty.c: Add some more debugging. [b5667947dda9] * common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in: We need sysconfdir in compat/Makfile to get the proper sudo.conf path. Add standard prefix and foodir expansion in all Makefiles to avoid this problem in the future. [62b6ce4ecae9] 2012-02-25 Todd C. Miller * MANIFEST, plugins/sudoers/po/lt.mo, plugins/sudoers/po/lt.po: New Lithuanian sudoers translation from translationproject.org [10436b649035] * plugins/sudoers/po/ja.po: Update from translationproject.org [acb8db5f8ef1] 2012-02-24 Todd C. Miller * plugins/sudoers/ldap.c: When adding gids to the LDAP filter, only add the primary gid once. This is consistent with the space computation/allocation. From Eric Lakin [35d9d99c92c6] * doc/TROUBLESHOOTING: Add entry for AIX enhanced RBAC config. [5e10b6f8def7] * mkpkg: Target Mac OS X 10.5 when building packages. [06fce9bbebee] 2012-02-22 Todd C. Miller * MANIFEST, common/Makefile.in, common/secure_path.c, common/sudo_conf.c, include/secure_path.h, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.c: Relax the user/group/mode checks on sudoers files. As long as the file is owned by the right user, not world-writable and not writable by a group other than the one specified at configure time (gid 0 by default), the file is considered OK. Note that visudo will still set the mode to the value specified at configure time. [241174babfcc] 2012-02-21 Todd C. Miller * plugins/sudoers/set_perms.c: Add AIX-specific version of permission setting code to make sure that the saved uid gets restored properly. [9a6f5d22c301] * config.h.in, configure, configure.in, src/exec_common.c: Check for LD_PRELOAD variants in configure instead of checkign cpp symbols. In disable_execute(), compute the length of the new envp and allocate it once instead of reallocating on demand. Also append old value of LD_PRELOAD (if any) to the new value. [680266346917] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Fix the description of noexec. [6a6d142f3c80] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: The "op" parameter to set_default() must be int, not bool since it is set to '+' or '-' for list add and subtract. [8da5b137bea2] * sudo.pp: Make sure sudoers is writable before calling ed script. [95352ab6336b] 2012-02-17 Todd C. Miller * doc/CONTRIBUTORS, doc/contributors.pod: Update contributors. Now includes translators and authors of compat code. [4fb5b616b50a] 2012-02-16 Todd C. Miller * src/po/sudo.pot: regen [2c86e2c328fe] * pp, sudo.pp: Build flat packages, not package bundles, on Mac OS X. [57bda3cd5520] 2012-02-10 Todd C. Miller * sudo.pp: Move macos section to be with the other OS-specific sections. [51423bb2973a] * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po: Sync with translationproject.org [8ce41cbb8da0] * configure, configure.in: Don't permanently add -D_FORTIFY_SOURCE=2 to CPPFLAGS [fa979aa6fe7d] * sudo.pp: Add Mac OS X support, printing the latest chunk of the NEWS file and the license text in the installer. [ffeab72387c0] * sudo.pp: Add explicit file modes that match those used by "make install" [7eb37242c920] * pp: Sync with upstream for Mac OS X fixes. [97cba179041e] * plugins/sudoers/Makefile.in, src/Makefile.in: Got back to using "install-sh -M" for files installed as non- readable by owner. This fixes "make install" as non-root for package building. [967804ee77d6] 2012-02-09 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po: Sync with translationproject.org [0e53db12039a] * Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Use -m not -M for install-sh for everything except setuid. Install locale .mo files mode 0444, not 0644. If timedir parent doesn't exist, use default dir mode, not 0700. [8b6f64c92090] 2012-02-07 Todd C. Miller * pp: Re-sync with upstream; no longer need a local patch. [97a2c7be5e59] * mkpkg: Add support for building Mac OS X packages. [94d49ac223a4] * pp: Sync with upstream [1c97654fc841] * src/Makefile.in: No longer need to define _PATH_SUDO_CONF here. [2560905b7482] * src/exec_common.c: Fix noexec for Mac OS X. [b7a744bca2c0] 2012-02-06 Todd C. Miller * common/Makefile.in: Move _PATH_SUDO_CONF override to common to match sudo_debug.c [f0788972a63a] * plugins/sudoers/set_perms.c: More complete fix for LDR_PRELOAD on AIX. The addition of set_perm(PERM_ROOT) before calling the nss open functions (needed to avoid a GNU TLS bug) also broke LDR_PRELOAD. Setting the effective and then real uid to 0 for PERM_ROOT works around the issue. [5888eda051af] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [997fe403e219] * src/sudo.c: Set real uid to root before calling sudo_edit() or run_command() so that the monitor process is owned by root and not by the user. Otherwise, on AIX at least, the monitor process shows up in ps as belonging to the user (and can be killed by the user). [d4772d7d2fc5] * plugins/sudoers/set_perms.c: For PERM_ROOT when using setreuid(), only set the euid to 0 prior to the call to setuid(0) if the current euid is non-zero. This effectively restores the state of things prior to rev 7bfeb629fccb. Fixes a problem on AIX where LDR_PRELOAD was not being honored for the command being executed. [b9b40325b4dc] * MANIFEST, compat/pw_dup.c, config.h.in, configure, configure.in, include/missing.h, src/sudo.c: Make a copy of the struct passwd in exec_setup() to make sure nothing in the policy init modifies it. [b721261c921f] 2012-02-05 Todd C. Miller * doc/sudoers.pod: update copyright [f9d229d1f65e] * common/sudo_debug.c, include/sudo_debug.h: g/c now-unused debug subsystems [8f21726e698f] * doc/sudo.pod, doc/sudoers.pod: Enumerate the debug subsystems used by sudo and sudoers. [ac4f84293d14] 2012-02-03 Todd C. Miller * NEWS, common/sudo_conf.c, doc/sample.sudo.conf, doc/sudo.pod, include/sudo_conf.h, src/sudo.c: Normally, sudo disables core dumps while it is running. This behavior can now be modified at run time with a line in sudo.conf like "Set disable_coredumps false" [ad14e0508b0d] * NEWS: Mention Spanish translation [600f3205bd6e] * common/sudo_debug.c: Make sure we don't try to fall back to using the conversation function for debugging in the main sudo process if we are unable to open the debug file. [ffa329aa908c] * MANIFEST, src/po/es.mo, src/po/es.po: Add sudo Spanish translation from translationproject.org [c1906654e740] 2012-02-02 Todd C. Miller * plugins/sudoers/iolog.c: Better debug subsystem usage [1a31f115743c] * src/sudo.c: Remove duplicate function prototypes [ae04b00532eb] 2012-02-01 Todd C. Miller * configure, configure.in: Error out if user specified --with-pam but we can't find the headers or library. Also throw an error if the headers are present but the library is not and vice versa. [d6bf3e3d0aae] 2012-01-31 Todd C. Miller * plugins/sudoers/sudoers.c: Fix the sudoers permission check when the expected sudoers mode is owner-writable. [8b0b7e770a22] 2012-01-30 Todd C. Miller * configure, configure.in: Verify that we can link executables built with -D_FORTIFY_SOURCE before using it. [7578215d1a95] * src/exec_common.c: Fix potential off-by-one when making a copy of the environment for LD_PRELOAD insertion. Fixes bug #534 [cc699cd551b6] * configure, configure.in: Add rudimentary check for _FORTIFY_SOURCE support by checking for __sprintf_chk, one of the functions used by gcc to support it. [a992673d2ef8] * compat/stdbool.h, config.h.in, configure, configure.in: Use AC_HEADER_STDBOOL instead of checking for stdbool.h ourselves. [8ba1370884b3] 2012-01-29 Todd C. Miller * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen [1e0b38397705] 2012-01-25 Todd C. Miller * src/exec.c, src/sudo.c: The change in 818e82ecbbfc that caused to exit when the monitor dies created a race condition between the monitor exiting and the status being read. All we really want to do is make sure that select() notifies us that there is a status change when the monitor dies unexpectedly so shutdown the socketpair connected to the monitor for writing when it dies. That way we can still read the status that is pending on the socket and select() on Linux will tell us that the fd is ready. [7fb5b30ea48d] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/exec_pty.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h: Refactor disable_execute() and my_execve() into exec_common.c for use by sesh.c. This fixes NOEXEC when SELinux is used. Instead of disabling exec in exec_setup(), disable it immediately before executing the command. Adapted from a diff by Arno Schuring. [ec4d8b53db6b] 2012-01-20 Todd C. Miller * aclocal.m4, configure, configure.in: Add custom version of AC_CHECK_LIB that uses the extra libs in the cache value name. With this we no longer need to rely on a modified version of autoconf. [1c3b1d482d6c] 2012-01-19 Todd C. Miller * configure, configure.in: Better handling of network functions that need -lsocket -lnsl [cc386342ec2b] * src/sudo.c: When setting up the execution environment, set groups before gid/egid like sudo 1.7 did. [928e1c5fa6c1] * configure, configure.in: Remove "WARNING: unable to find foo() trying -lsocket -lnsl" [84b23cdf138f] * plugins/sudoers/sudoers.c: For "sudo -g" prepend the specified group ID to the beginning of the groups list. This matches BSD convention where the effective gid is the first entry in the group list. This is required on newer FreeBSD where the effective gid is not tracked separately and thus setgroups() changes the egid if this convention is not followed. Fixes bug #532 [782d6909108b] 2012-01-17 Todd C. Miller * configure, configure.in: Fix sh warning; use "test" instead of "[" [c6ee3407f65e] * src/exec.c: When not logging I/O, use a signal handler that only forwards SIGINT, SIGQUIT and SIGHUP when they are user-generated signals. Fixes a race in the non-I/O logging path where the command may receive two keyboard-generated signals; one from the kernel and one from the sudo process. [9638684e786a] * src/exec.c: Back out change that put the command in its own pgrp when not logging I/O. It causes problems with pipelines. [4fc9c6e1e770] 2012-01-16 Todd C. Miller * compat/Makefile.in, configure, configure.in: Only run compat regress tests on compat objects we actually build. Fixes "make check" in the compat dir for systems that don't implement character classes in fnmatch() or glob(). Bug #531 [a7addc305e83] 2012-01-14 Todd C. Miller * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po: Update po files from translationproject.org [5ea066af1356] 2012-01-13 Todd C. Miller * sudo.pp: Include parent directories in case they don't already exist. This fixes a directory permissions problem with the AIX package when the /usr/local directories don't already exist. [a14f783dc827] * pp: sync with git version [2f79d0543661] * common/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: regen dependencies [24c92ca6c64d] * MANIFEST, src/Makefile.in, src/sudo.c, src/sudo.h, src/ttyname.c: Move tty name lookup code to its own file. [58faf072cbf4] 2012-01-12 Todd C. Miller * NEWS: Update with latest sudo 1.8.4 changes. [a4ffe4f42528] * config.h.in, configure, configure.in: Remove obsolete template for HAVE_TIMESPEC [75709007c906] * src/sudo.c: Add a check for devname() returning a fully-qualified pathname. None of the devname() implementations do this today but you never know when this might change. [16813ace38f9] 2012-01-11 Todd C. Miller * plugins/sudoers/visudo.c: For "visudo -c" also list include files that were checked when everything is OK. [ad6f85b35c9c] * src/sudo.c: The device name returned by devname() does not include the /dev/ prefix so we need to add it ourselves. [b55285abb7ed] * src/sudo.c: Add debug warning if KERN_PROC sysctl fails or devname() can't resolve the tty device to a name. [b5a23916ba3a] * common/sudo_debug.c: The result of writev() is never checked so just cast to NULL. [4be4e9b58d5b] * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po: Update Esperanto, Finnish, Polish and Ukrainian translations from translationproject.org. [bb91bc6ad7e9] 2012-01-10 Todd C. Miller * config.h.in, configure, configure.in, src/sudo.c: Add support for determining tty via sysctl on other BSD variants. [fd15f63f719a] * configure, configure.in: Only check for struct kinfo_proc.ki_tdev on systems that support sysctl. [109b3f07a39d] * src/sudo.c: For FreeBSD, try the KERN_PROC_PID sysctl() first, falling back on ttyname() of std{in,out,err}. [95969b70bd68] 2012-01-09 Todd C. Miller * config.h.in, configure, configure.in, src/sudo.c: On newer FreeBSD we can get the parent's tty name via sysctl(). [3207290501ee] * plugins/sudoers/testsudoers.c: Include locale.h [a602cd0b8c2d] * src/sudo.c: Silence a gcc warning. [8c6d0e3cd534] * plugins/sudoers/bsm_audit.c: Need to include gettext.h and sudo_debug.h; from John Hein [447912aa7300] * plugins/sudoers/iolog.c: Initialize the debug framework from the I/O plugin too. [ce1bf44d96d2] 2012-01-08 Todd C. Miller * plugins/sudoers/testsudoers.c: Enable debugging via sudo.conf. [d85669c749d0] 2012-01-07 Todd C. Miller * plugins/sudoers/visudo.c: Use SUDO_DEBUG_ALIAS for alias checking functions. [fb84af30dc76] * configure, configure.in: More complete test for getaddrinfo() that doesn't rely on the network libraries already being added to LIBS. [cbaf2369f4f0] 2012-01-06 Todd C. Miller * common/aix.c: Add debug support. [def1bdf24485] * configure, configure.in: Need -lsocket -lnsl for getaddrinfo(3) on Solaris at least. [a2ea1c2eac61] * compat/getaddrinfo.c: Include errno.h and missing.h [7d15e17cc2f2] * .hgignore: ignore doc/varsub [417f9fc3231b] * configure.in, doc/visudo.pod, plugins/sudoers/Makefile.in, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/testsudoers.c, src/exec.c, src/parse_args.c, src/sudo.c, src/sudo.h: Update copyright year. [5d0ffc7dd567] * NEWS: Update for sudo 1.8.4 [841e3eff9844] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen pot files [c509cb45b66a] * plugins/sudoers/sudoreplay.c: Enable debugging via sudo.conf. [5087aaee8484] * plugins/sudoers/visudo.c: Enable debugging via sudo.conf. [04b067c16ed3] * plugins/sudoers/visudo.c: Allow "visudo -c" to work when we only have read-only access to the sudoers include files. [d8c6713fe5c1] * doc/sudo.pod, doc/visudo.pod: Mention the CONTRIBUTORS file, not HISTORY in AUTHOR section. Add HISTORY section in sudo that points to HISTORY file. [d1f1bcb051c5] * doc/sudo.pod, doc/sudo_plugin.pod: Document Debug setting in sudo.conf and debug_flags in plugin. [acfc505aa4a9] 2012-01-05 Todd C. Miller * plugins/sudoers/match.c: Do not include GLOB_MARK in the flags we pass to glob(3). Fixes a bug where a pattern like "/usr/*" include /usr/bin/ in the results, which would be incorrectly be interpreted as if the sudoers file had specified a directory. From Vitezslav Cizek. [0cdb6252188c] * INSTALL, config.h.in, configure, configure.in, plugins/sudoers/auth/kerb5.c: Add --enable-kerb5-instance configure option to allow people using Kerberos V authentication to use a custom instance. Adapted from a diff by Michael E Burr. [e83af8bb7aa7] * doc/sudo.pod, src/parse_args.c, src/sudo.c, src/sudo.h: Remove -D debug_level option. [cbcd05094347] * doc/LICENSE: Update copyright year. [9f43dd7aa852] 2012-01-04 Todd C. Miller * plugins/sudoers/parse.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: parse_error is now bool, not int [5ea7fb6fda38] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c: Print a more sensible error if yyparse() returns non-zero but yyerror() was not called. [d44ec88f1183] * plugins/sudoers/Makefile.in, plugins/sudoers/getdate.c, plugins/sudoers/gram.c: Replace y.tab.c with the correct filename in #line directives. [3c84fcb7e959] 2012-01-03 Todd C. Miller * src/sudo.c: When trying to determine the tty, fall back on /proc/ppid/fd/{0,1,2} if the main process's fds 0-2 are not hooked up to a tty. Adapted from a diff by Zdenek Behan. [b9dfce12af85] * src/exec.c: When not logging I/O, put command in its own pgrp and make that the controlling pgrp if the command is in the foreground. Fixes a race in the non-I/O logging path where the command may receive two keyboard-generated signals; one from the kernel and one from the sudo process. [d0e263ce496c] 2011-12-20 Todd C. Miller * src/sudo_edit.c: Quiet a bogus gcc warning. [2009669e0608] * src/parse_args.c, src/sudo.h: Fix warnings related to sudo.conf accessors. [08ddc29ba50b] * common/sudo_conf.c, include/sudo_conf.h: Separate sudo.conf parsing from plugin loading and move the parse functions into the common lib so that visudo, etc. can use them. [f1fc659a8079] * MANIFEST, common/Makefile.in, src/Makefile.in, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo_plugin_int.h: Separate sudo.conf parsing from plugin loading and move the parse functions into the common lib so that visudo, etc. can use them. [e1f2cf6bd57a] * doc/sudoers.pod, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/sudoers.c, src/sudo.c: Remove support for noexec_file in sudoers and the plugin API [3e2fd58879b5] * plugins/sudoers/sudoers.c: Don't dump interfaces if there are none. [9081bb4d3e9e] * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in: Add missing %s printf escape to the group_plugin, iolog_dir and iolog_file descriptions. [7db03f2b737e] 2011-12-18 Todd C. Miller * plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, src/exec.c: Fix typo in visiblepw description; from Joel Pickett [2fb4b26d5c2c] 2011-12-08 Todd C. Miller * MANIFEST, configure, configure.in, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/login_class.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c: When running a login shell with a login_class specified, use LOGIN_SETENV instead of rolling our own login.conf setenv support since FreeBSD's login.conf has more than just setenv capabilities. This requires us to swap the plugin-provided envp for the global environ before calling setusercontext() and then stash the resulting environ pointer back into the command details, which is kind of a hack. [ad4f1190143b] * plugins/sudoers/Makefile.in: If srcdir is "." just use the basename of the yacc/lex file when generating the C version. This matches the generated files currently in the repo. [0b11c3df87a8] * doc/Makefile.in, plugins/sudoers/Makefile.in: Clean up the DEVEL noise [9de2afe457fd] * src/exec.c: Handle different Unix domain socket (actually socketpair) semantics in BSD vs. Linux. In BSD if one end of the socketpair goes away select() returns the fd as readable and the read will fail with ECONNRESET. This doesn't appear to happen on Linux so if we notice that the monitor process has died when I/O logging is enabled, behave like the command has exited. This means we log the wait status of the monitor, not the command, but there is nothing else we can do at that point. This should only be an issue if SIGKILL is sent to the monitor process. [818e82ecbbfc] * src/exec_pty.c: Catch common signals in the monitor process so they get passed to the command. Fixes a problem when the entire login session is killed when ssh is disconnected or the terminal window is closed. Previously, the monitor would exit and plugin's close method would not be called. [0e4658263138] * INSTALL, configure, configure.in: Mention how to configure pam_hpsec on HP-UX to play nicely with sudo. [a7294cd8ce98] 2011-12-07 Todd C. Miller * plugins/sudoers/ldap.c: Escape values in the search expression as per RFC 4515. [c2adbc5db92b] * doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: No need for install target to depend explicitly on install-dirs, the install-foo targets all depend on it. [62a36ed98279] 2011-12-05 Todd C. Miller * .hgignore: ignore src/sesh [463d492f6782] * MANIFEST, common/Makefile.in, configure, configure.in, mkdep.pl, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/login_class.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/Makefile.in: Add support for setenv entries in login.conf. We can't use LOGIN_SETENV since the plugin sets up the envp the command is executed with. Also regen the Makefile.in files while here. Fixes bug #527 [088d507926e2] 2011-12-02 Todd C. Miller * MANIFEST, aclocal.m4, compat/getaddrinfo.c, compat/getaddrinfo.h, config.h.in, configure, configure.in, plugins/sudoers/sudoers.c, src/net_ifs.c: Add getaddrinfo() for those without it, written by Russ Allbery [4cf9ac831222] * doc/Makefile.in: Restore PACKAGE_TARNAME, it is used in docdir [9d65e893edb1] * MANIFEST, compat/stdbool.h: SunPro C Compiler also has a _Bool builtin. Also add stdbool.h to the MANIFEST [e67700dc5621] * common/atobool.c, common/term.c, src/exec.c: Remove duplicate return statements. [48a20d5215fd] * plugins/sudoers/auth/bsdauth.c: Remove inaccurate comment [e7f0265cf657] * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/sudoers.c: Fetch the login class for the user we authenticate specifically when using BSD authentication. That user may have a different login class than what we will use to run the command. When setting the login class for the command, use the target user's struct passwd, not the invoking user's. Fixes bug 526 [21bf0af892f7] * compat/Makefile.in, configure, configure.in, doc/Makefile.in, plugins/sudoers/Makefile.in: Replace @DEV@ prefix with DEVEL variable so we can do "make DEVEL=1" [8ee6e0891f27] * plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c: Fix "make check" fallout from the sudo_conv changes in sudo_debug. [b0aaa63c9081] * common/fileops.c, common/sudo_debug.c, configure, configure.in, include/fileops.h, plugins/sample/Makefile.in, plugins/sample/sample_plugin.c, plugins/sample_group/Makefile.in, plugins/sample_group/sample_group.c, plugins/sudoers/alias.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/load_plugins.c, src/sudo.c, src/sudo.h, src/sudo_exec.h, src/sudo_plugin_int.h, src/utmp.c: Use stdbool.h instead of rolling our own TRUE/FALSE macros. [dcb0bbc42fc9] 2011-12-01 Todd C. Miller * compat/stdbool.h, config.h.in, configure, configure.in: Add stdbool.h for systems without it. [18bd9dda1dcd] * aclocal.m4, config.h.in, configure, configure.in: No longer need SUDO_CHECK_TYPE and SUDO_TYPE_* now that the default includes have unistd.h in them. Add check for socklen_t for upcoming getaddrinfo compat. [d705465bef69] * common/fileops.c, compat/nanosleep.c, config.h.in, configure, configure.in, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/match_addr.c, plugins/sudoers/sudoreplay.c, src/net_ifs.c: Use HAVE_STRUCT_TIMESPEC and HAVE_STRUCT_IN6_ADDR instead of HAVE_TIMESPEC and HAVE_IN6_ADDR respectively. [fa187c9bd2be] * src/sudo_noexec.c: No longer need to include time.h here as missing.h does not use time_t. [fa3a089bf5b1] 2011-11-30 Todd C. Miller * plugins/sudoers/visudo.c: Fix mode on sudoers as needed when the -f option is not specified. [7a1c40b0dc03] * MANIFEST, src/po/sr.mo, src/po/sr.po: Add Serbian translation for sudo from translationproject.org [9a0c25e25cba] * common/sudo_debug.c, plugins/sudoers/sudoers.c, src/load_plugins.c, src/parse_args.c: No longer pass debug_file to plugin, plugins must now use CONV_DEBUG_MSG [810cda1abb0b] * mkpkg: Build PIE executables for newer Debian and Ubuntu [1c5f25f8904a] * common/sudo_debug.c: Include time.h for ctime() prototype. [10090cf3bca1] 2011-11-29 Todd C. Miller * common/sudo_debug.c, include/sudo_debug.h, src/exec.c, src/exec_pty.c: Do not close error pipe or debug fd via closefrom() as we need them to report an exec error should one occur. [732f6587fafa] * doc/sudoers.ldap.pod: Document that a sudoUser may now be a group ID. [2fef46b9d3d3] * plugins/sudoers/ldap.c: Add support for permitting access by group ID in addition to group name. [b9450fdf1f69] * plugins/sudoers/ldap.c: Older Netscape LDAP SDKs don't prototype ldapssl_set_strength() [d62a1e7cff4f] * compat/fnmatch.c, compat/fnmatch.h, doc/LICENSE: Replace UCB fnmatch.c with a non-recursive version written by William A. Rowe Jr. [354d3384adb8] * plugins/sudoers/auth/pam.c: Fix typo, return_debug vs. debug_return [1b522efcbb0d] 2011-11-23 Todd C. Miller * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po: Update Japanese sudoers translation from translationproject.org [ec0f2beaad36] * doc/sudoers.pod: Make the env_reset descriptions consistent. [41c056f02688] 2011-11-22 Todd C. Miller * configure, configure.in: Do multiple expansion when expanding paths to the noexec file, sesh and the plugin directory. Adapted from a diff by Mike Frysinger [d7e16c876c66] * common/Makefile.in: regen [9d729e09c186] 2011-11-21 Todd C. Miller * .hgignore: Add ignore file; from Mike Frysinger [1fa8d52425f8] * mkdep.pl: no longer save old Makefile.in to .old [378dd2395545] * plugins/sudoers/Makefile.in, src/Makefile.in: regen [769faf517720] * config.guess, config.sub, configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4: Update to libtool 2.4.2 [9dac78d84b4f] 2011-11-18 Todd C. Miller * plugins/sudoers/sudoers_version.h: Bump grammar version for #include and #includedir relative path support. [82a4f7cd8f71] 2011-11-17 Todd C. Miller * doc/sudoers.pod, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add support for relative paths in #include and #includedir [4d6e3bd0c24f] * plugins/sudoers/Makefile.in: Fix install-plugin when shared objects are unsupported or disabled. [cbdd770a7a1b] * plugins/sudoers/goodpath.c: Don't write to sbp if it is NULL [fc438f8e8570] 2011-11-16 Todd C. Miller * Makefile.in: Remove all sudo/sudoers .mo files on uninstall If LINGUAS is set, only install matching .mo files [c1dc30ab4ebc] 2011-11-13 Todd C. Miller * plugins/sudoers/group_plugin.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, src/conversation.c: Fix non-dynamic (no dlopen) sudo build. [b0bd3fa925a3] * configure, configure.in: Don't error out if the user specified --disable-shared [cf035dd1e5cc] * common/sudo_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/conversation.c: Use SUDO_CONV_DEBUG_MSG in the plugin instead of writing directly to the debug file. [640c62f83251] * plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/sudoers.h: Make sudo_goodpath() return value bolean [fea2d59a6e55] * INSTALL, MANIFEST, configure, configure.in, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/auth/securid.c: Remove obsolete securid auth method. [4e54f860214b] * plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Prefix authentication functions with a "sudo_" prefix to avoid namespace problems. [581d74063ea1] * INSTALL, MANIFEST, config.h.in, configure, configure.in, doc/TROUBLESHOOTING, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/env.c: Remove the old Kerberos IV support [2e4b4a44209d] 2011-11-12 Todd C. Miller * plugins/sudoers/check.c: Don't print garbage at the end of the custom lecture. [44bb788fafaa] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add lexer tracing as debug@parser [d850f3f9d414] * plugins/sudoers/alias.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Revert 003bdb078a15. We need to #include not "gram.h" and and not "def_data.h" when generating the parser in a build dir. [7da701def753] 2011-11-08 Todd C. Miller * mkdep.pl, plugins/sudoers/Makefile.in: Better devdir support in mkdep.pl [7dcec57bd155] * plugins/sudoers/Makefile.in: Add devdir before srcdir in include path and fix up dependecies accordingly. [6e9958eca485] * plugins/sudoers/alias.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: #include "gram.h" not and "def_data.h" and not . [003bdb078a15] * sudo.pp: Mark libexec files as optional. If we build without shared object support, libexec is not used. [4bffcf482219] * src/load_plugins.c: Change Debug sudo.conf setting to take a program name as the first argument. In the future, this will allow visudo and sudoreplay to use their own Debug entries. [cfb8f7e4867c] * src/sudo.c: fix sudo_debug_printf priority [dcb67e965609] * plugins/sudoers/sudoers.c: add missing debug_return_int [d88ec450c592] 2011-11-07 Todd C. Miller * common/sudo_debug.c, include/error.h, include/sudo_debug.h, plugins/sudoers/logging.c, src/exec.c, src/exec_pty.c: Fold SUDO_DEBUG_PROGERR and SUDO_DEBUG_SYSERR into SUDO_DEBUG_ERROR [dcee8efc294f] * doc/UPGRADE: Add missing word in HOME security note. [fd844fdcc1ac] * plugins/sudoers/testsudoers.c: Prevent "testsudoers -d username" from trying to malloc(0). [839126e56e8c] 2011-11-06 Todd C. Miller * plugins/sudoers/regress/sudoers/test10.in, plugins/sudoers/regress/sudoers/test10.out.ok, plugins/sudoers/regress/sudoers/test10.toke.ok, plugins/sudoers/regress/sudoers/test10.toke.out.ok, plugins/sudoers/regress/sudoers/test11.in, plugins/sudoers/regress/sudoers/test11.out.ok, plugins/sudoers/regress/sudoers/test11.toke.ok, plugins/sudoers/regress/sudoers/test11.toke.out.ok, plugins/sudoers/regress/sudoers/test12.in, plugins/sudoers/regress/sudoers/test12.out.ok, plugins/sudoers/regress/sudoers/test12.toke.ok, plugins/sudoers/regress/sudoers/test13.in, plugins/sudoers/regress/sudoers/test13.out.ok, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/regress/sudoers/test9.in, plugins/sudoers/regress/sudoers/test9.out.ok, plugins/sudoers/regress/sudoers/test9.toke.ok, plugins/sudoers/regress/sudoers/test9.toke.out.ok: Tests for empty sudoers (should parse OK) and syntax errors within a line (should report correct line number) both with and without the trailing newline. [d57c879c4718] * plugins/sudoers/regress/sudoers/test4.out.ok, plugins/sudoers/regress/sudoers/test5.out.ok, plugins/sudoers/regress/sudoers/test7.out.ok, plugins/sudoers/regress/sudoers/test8.out.ok, plugins/sudoers/testsudoers.c: Print line number when there is a parser error. [5444ef6ac6dc] 2011-11-05 Todd C. Miller * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Keep track of the last token returned. On error, if the last token was COMMENT, decrement sudolineno since the error most likely occurred on the preceding line. Previously we always uses sudolineno-1 which will give the wrong line number for errors within a line. [d661a03a64da] 2011-11-03 Todd C. Miller * NEWS: update with sudo 1.8.3p1 info [0f79ff31f602] * plugins/sudoers/sudoers.c: Fix crash when "sudo -g group -i" is run. Fixes bug 521 [a3087ae337c4] 2011-10-26 Todd C. Miller * plugins/sudoers/visudo.c: Make alias_remove_recursive() return TRUE/FALSE as its callers expect and remove two unused arguments. Fixes bug 519. [2ee3b2882844] * plugins/sudoers/regress/visudo/test1.out.ok, plugins/sudoers/regress/visudo/test1.sh: Add regress test for bugzilla 519 [48000ebedf97] * plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_fill.c: Disable warning/error wrapping in regress tests. [373c589ba561] 2011-10-25 Todd C. Miller * Makefile.in: Do compile-po as part of sync-po so that the .mo files get rebuild automatically when we sync with translationproject.org [83f3cbfc2f33] * plugins/sudoers/Makefile.in: check_addr needs to link with the network libraries on Solaris [322bd70e316e] * plugins/sudoers/match.c: When matching a RunasAlias for a runas group, pass the alias in as the group_list, not the user_list. From Daniel Kopecek. [766545edf141] * plugins/sudoers/check.c, plugins/sudoers/sudoers.c: We need to init the auth system regardless of whether we need a password since we will be closing the PAM session in the monitor process. Fixes a crash in the monitor on Solaris; bugzilla #518 [e82809f86fb3] 2011-10-24 Todd C. Miller * src/exec.c: Get rid of done: label. If the child exits we still need to close the pty, update utmp and restore the SELinux tty context. [cc127bf48405] 2011-10-22 Todd C. Miller * common/Makefile.in, common/atobool.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/list.c, common/setgroups.c, common/term.c, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/parse.c, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, src/Makefile.in, src/conversation.c, src/exec.c, src/exec_pty.c, src/get_pty.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c, src/ttysize.c, src/utmp.c: Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf(). [8f3bbf907b67] * common/alloc.c, include/error.h, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/error.c: Wrap error/errorx and warning/warningx functions with debug statements. Disable wrapping for standalone sudoers programs as well as memory allocation functions (to avoid infinite recursion). [562ed7b5ae8d] * README, config.h.in, configure, configure.in: Add checks for __func__ and __FUNCTION__ and mention that we now require a cpp that supports variadic macros. [314cfe4c5d23] * MANIFEST, common/Makefile.in, common/sudo_debug.c, include/sudo_debug.h, include/sudo_plugin.h, src/conversation.c, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo_plugin_int.h: New debug framework for sudo and plugins using /etc/sudo.conf that also supports function call tracing. [cded741e9f10] 2011-10-21 Todd C. Miller * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po: Update Japanese sudoers translation from translationproject.org [c24725775e32] 2011-10-12 Todd C. Miller * configure, configure.in: Override and ignore the --disable-static option. Sudo already runs libtool with -tag=disable-static where applicable and we need non- PIC objects to build the executables. [aff1227b853a] 2011-10-10 Todd C. Miller * NEWS: Add sudoedit fix [74655c7ccad1] * plugins/sudoers/po/sudoers.pot: regen pot files [28d89a831ed3] * plugins/sudoers/env.c: Ignore set_logname (which is now the default) for sudoedit since we want the LOGNAME, USER and USERNAME environment variables to refer to the calling user since that is who the editor runs as. This allows the editor to find the user's startup files. Fixes bugzilla #515 [6c5dddf5ff05] * plugins/sudoers/pwutil.c: Instead of trying to grow the buffer in make_grlist_item(), simply increase the total length, free the old buffer and allocate a new one. This is less error prone and saves us from having to adjust all the pointers in the buffer. This code path is only taken when there are groups longer than the length of the user field in struct utmp or utmpx, which should be quite rare. [5587dc8cffaf] * src/po/it.mo: Add Italian translation for sudo from translationproject.org [1b3dd886e7e3] * MANIFEST, NEWS, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, src/po/ja.mo, src/po/ja.po: Japanese translation for sudo and sudoers from translationproject.org [c06dd866be6e] 2011-10-07 Todd C. Miller * plugins/sudoers/Makefile.in: sudoreplay depends on timestr.lo too; from Mike Frysinger [b9e73214b2f1] 2011-10-04 Todd C. Miller * plugins/sudoers/po/sudoers.pot: Regen sudoers pot file. [019588bafdb3] * NEWS: Update with latest sudo 1.8.3 news [6868042a88e9] * plugins/sudoers/sudoers.c: It appears that LDAP or NSS may modify the euid so we need to be root for the open(). We restore the old perms at the end of sudoers_policy_open(). [2da67a5497ef] * plugins/sudoers/set_perms.c: Better warning message on setuid() failure for the setreuid() version of set_perms(). [07abcfe7bd9a] 2011-09-27 Todd C. Miller * plugins/sudoers/check.c: Delref auth_pw at the end of check_user() instead of getting a ref twice. [cb665f55e6a5] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c: Make sudo_auth_{init,cleanup} return TRUE on success and check for sudo_auth_init() return value in check_user(). [92631c919356] * plugins/sudoers/auth/sudo_auth.c: Do not return without restoring permissions. [59ef40b6696a] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: regen pot files [9f320a340b7c] * plugins/sudoers/auth/API, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support. [19a53f3fb596] * compat/Makefile.in, mkdep.pl, plugins/sudoers/Makefile.in: Add missing dependency for getspwuid.lo and regen other depends. [f7f70eae819a] * plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/sudoers.c: Fix a PAM_USER mismatch in session open/close. We update PAM_USER to the target user immediately before setting resource limits, which is after the monitor process has forked (so it has the old value). Also, if the user did not authenticate, there is no pamh in the monitor so we need to init pam here too. This means we end up calling pam_start() twice, which should be fixed, but at least the session is always properly closed now. [fbc063a2a872] * src/utmp.c: Add check for old being NULL in utmp_setid(); from Steven McDonald [e87126442f2e] 2011-09-25 Todd C. Miller * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: If the invoking user cannot be resolved by uid fake the struct passwd and store it in the cache so we can delref it on exit. [a27e2f8b9f5e] 2011-09-24 Todd C. Miller * plugins/sudoers/sudoers.c: Don't error out if the group plugin cannot be loaded, just warn. [0fbfcd381e33] 2011-09-23 Todd C. Miller * plugins/sudoers/sudoers.c: Quiet a false positive found by several static analysis tools. These tools don't know that log_error() does not return (it longjmps to error_jmp which returns to the sudo front-end). [33d0469df21b] 2011-09-22 Todd C. Miller * MANIFEST, plugins/sudoers/po/da.mo, plugins/sudoers/po/eo.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/pl.mo, plugins/sudoers/po/uk.mo, plugins/sudoers/po/zh_CN.mo, src/po/it.po: Add Italian translation for sudo from translationproject.org Regen .mo files [c3c888a82be6] 2011-09-21 Todd C. Miller * doc/TROUBLESHOOTING: Update to current reality and add bit about ssh auth [184a1e7c2eeb] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Make "verbose" static; fixes a namespace clash with pam_ssh_agent_auth (and it doesn't need to be extern these days). [cc38d2eb2f4c] * config.h.in, configure, configure.in, src/get_pty.c: FreeBSD has libutil.h not util.h [dab4c94b6d4f] * configure, configure.in: Define _BSD_SOURCE on FreeBSD, OpenBSD and DragonflyBSD [41c362f0a92a] 2011-09-20 Todd C. Miller * plugins/sudoers/po/da.po, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po: Update po files from translationproject.org [1e99e147c7fa] 2011-09-16 Todd C. Miller * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add support for DEREF in ldap.conf. [3c1937a98547] * Makefile.in: install target should depend on ChangeLog too, not just install-doc [1a7c83941175] * doc/sudoers.pod: Only iolog_file (not iolog_dir) supports mktemp-style suffixes. [0eca47d60a2c] * NEWS: Sync with 1.8 branch for sudo 1.8.2 and 1.8.3 changes. [0501415cc5ff] * doc/UPGRADE: Document group lookup change and possible side effects. [585743e1ebf7] * configure, configure.in: Fix some square brackets in case statements that needed to be doubled up. While here, use $OSMAJOR when it makes sense. [8973343f4696] * plugins/sudoers/pwutil.c: Fix a crash in make_grlist_item() on 64-bit machines with strict alignment. [c89508c73c46] * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: Remove list_options() function that is no longer used now that "sudo -L" is gone. [fcc6a776c135] * configure, configure.in: Error message if user tries --with-CC [ec5b478f813a] * configure, configure.in: Check for -libmldap too when looking for ldap libs, which is the Tivoli Directory Server client library. [bb3007a97206] 2011-09-09 Todd C. Miller * plugins/sudoers/parse.c: Honor NOPASSWD tag for denied commands too. [8dd92656db92] 2011-09-08 Todd C. Miller * INSTALL, configure, configure.in: Remove --with-CC option; it doesn't work correctly now that we use libtool. Users can get the same effect by setting the CC environment variable when running configure. [ec22bd1a55e0] 2011-08-31 Todd C. Miller * config.h.in, configure, configure.in, plugins/sudoers/visudo.c, src/sudo_edit.c: Assume all modern systems support fstat(2). [6a5a8985f6a0] 2011-08-30 Todd C. Miller * compat/regress/glob/globtest.c, config.h.in, configure, configure.in, include/missing.h, plugins/sudoers/sudoers.h, src/sudo.h, src/sudo_noexec.c: Add configure test for missing errno declaration and only declare it ourselves if it is missing. [456e76c809a2] * plugins/sudoers/alias.c: Include errno.h before sudo.h to avoid conflicting with the system definition of errno. [d0b97e392512] 2011-08-29 Todd C. Miller * plugins/sudoers/regress/parser/check_addr.c: Only print individual check status when there is a failure. [2ac704c91441] * plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c: Add calls to setprogname() for test programs. [a8d9b420e826] * configure, configure.in: Add -Wall and -Werror after all tests so they don't cause failures. [2661188ff3fa] * plugins/sudoers/Makefile.in: Actually run check_addr in the check target [0b2778bc86bf] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_addr.in: Split out address matching into its own file and add regression tests for it. [12b9a2bf8dba] 2011-08-27 Todd C. Miller * plugins/sudoers/match.c: When matching an address with a netmask in sudoers, AND the mask and addr before checking against the local addresses. [9747bb6d7b1c] 2011-08-26 Todd C. Miller * plugins/sudoers/match.c: Fix netmask matching. [a3c8f8cc1464] * plugins/sudoers/visudo.c: Don't assume all editors support the +linenumber command line argument, use a whitelist of known good editors. [21d43a91fd10] 2011-08-23 Todd C. Miller * plugins/sudoers/set_perms.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/sudo.c: Silence compiler warnings on Solaris with gcc 3.4.3 [da620bae6fdb] * mkpkg: Fix building on RHEL 3 [f3227fb2a252] * INSTALL, configure, configure.in: Add --enable-werror configure option. [fec2cdb95543] * common/setgroups.c: setgroups() proto lives in grp.h on RHEL4, perhaps others. [de91c0de5a98] * configure, configure.in: Use PAM by default on AIX 6 and higher. [e16493208e5f] 2011-08-22 Todd C. Miller * MANIFEST, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, src/po/eo.mo, src/po/eo.po: Add new Esperanto translation from translationproject.org [0d9a59e04c64] 2011-08-19 Todd C. Miller * plugins/sudoers/iolog_path.c: Quiet an innocuous valgrind warning. [0582b6027161] 2011-08-18 Todd C. Miller * plugins/sudoers/iolog_path.c, plugins/sudoers/regress/iolog_path/data: Fix expansion of strftime() escapes in log_dir and add a regress test that exhibited the problem. [a5c7c1c4c589] * plugins/sudoers/Makefile.in: Fix "make check" return value. [33b58e175230] 2011-08-17 Todd C. Miller * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Regen pot files [063841aac19b] * Makefile.in: Fix logic inversion in pot file up to date check. [f6a8ca8654df] 2011-08-15 Todd C. Miller * configure, configure.in: Add caching for gettext() checks. [01b7200f6105] * configure, configure.in: Better handling of libintl header and library mismatch. [9a49b1d4db69] 2011-08-13 Todd C. Miller * plugins/sudoers/sudoers.c: Also check sudoers gid if sudoers is group writable. [23ef96ca0d33] 2011-08-12 Todd C. Miller * configure, configure.in: If dlopen is present but libtool doesn't find it, error out since it probably means that libtool doesn't support the system. [a9da0a5f7941] * mkpkg: configure args on the command line should override builtin defaults. Disable NLS for non-Linux/Solaris unless explicitly enabled. [b2fb05614504] * plugins/sudoers/auth/aix_auth.c: Fix loop that calls authenticate(). If there was an error message from authenticate(), display it. [063a0c4f0b9a] 2011-08-11 Todd C. Miller * m4/libtool.m4, m4/ltversion.m4: Update to autoconf 2.68 and libtool 2.4 [5a912a6eb67b] * config.guess, config.sub, configure, configure.in, ltmain.sh: Update to autoconf 2.68 and libtool 2.4 [931ab56aecf6] * doc/sudoers.pod: Fix typo; OPT should be OTP [e97bd2e46544] * plugins/sudoers/Makefile.in: Rename libsudoers convenience library to libparsesudoers to avoid libtool confusion. [2a89a613f537] 2011-08-10 Todd C. Miller * MANIFEST, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po: Add Danish sudoers translation from translationproject.org [27b96e85eb13] * plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Add dedicated callback function for runas_default sudoers setting that only sets runas_pw if no runas user or group was specified by the user. [b8382d8eea34] 2011-08-09 Todd C. Miller * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, src/po/ru.mo, src/po/ru.po: Update Finish, Polish, Russian and Ukrainian translations from translationproject.org. [f9339aff664e] * plugins/sudoers/defaults.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: Go back to using a callback for runas_default to keep runas_pw in sync. This is needed to make per-entry runas_default settings work with LDAP-based sudoers. Instead of declaring it a callback in def_data.in, sudo and testsudoers poke sudo_defs_table[] which is a bit naughty, but avoids requiring stub functions in visudo and the tests. [9aaefb908415] 2011-08-05 Todd C. Miller * Makefile.in: Add check for out of date message catalogs when doing "make dist". [e45a29b612f4] 2011-08-02 Todd C. Miller * configure: regen [d6f9ad26774a] * configure.in: Make sure compiler supports static-libgcc before using it. [b01bd9566e50] 2011-08-01 Todd C. Miller * src/Makefile.in: Link libsudo_noexec.la with LDLDFLAGS for -static-libgcc [c99c7ab3edef] 2011-07-30 Todd C. Miller * MANIFEST, plugins/sudoers/po/fi.mo, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/zh_CN.mo, src/po/ru.mo, src/po/ru.po, src/po/zh_CN.mo: Add new Russian sudo translation from translationproject.org and rebuild the other translation files. [e20015459056] 2011-07-29 Todd C. Miller * plugins/sudoers/po/fi.po, plugins/sudoers/po/pl.po: Update Finish and Polish translations from translationproject.org [4e3dbba4a1de] * plugins/sudoers/sudoers.c, src/parse_args.c, src/sudo.c: Go back to escaping the command args for "sudo -i" and "sudo -s" before calling the plugin. Otherwise, spaces in the command args are not treated properly. The sudoers plugin will unescape non- spaces to make matching easier. [dfa2c4636f33] 2011-07-28 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/set_perms.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix some potential problems found by the clang static analyzer, none serious. [ff64aa74aae6] * plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po, src/po/zh_CN.po: Updated Ukranian and Chinese (simplified) po files from translationproject.org [ec792becb48e] 2011-07-27 Todd C. Miller * plugins/sudoers/po/pl.po: Updated Polish translation from translationproject.org [a3af53cb649c] * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Rebuild pot files [c650524c0f0a] * plugins/sudoers/audit.c, plugins/sudoers/sudoers.c: Don't try to audit failure if the runas user does not exist. We don't have the user's command at this point so there is nothing to audit. Add a NULL check in audit_success() and audit_failure() just to be on the safe side. [2a0007c2022f] * mkpkg: Add -g to CFLAG for PIE builds. [32a0a9693c9c] 2011-07-25 Todd C. Miller * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c: Remove fallback to per-group lookup when matching groups in sudoers. The sudo front-end will now use getgrouplist() to get the user's list of groups if getgroups() fails or returns zero groups so we always have a list of the user's groups. For systems with mbr_check_membership() which support more that NGROUPS_MAX groups (Mac OS X), skip the call to getgroups() and use getgrouplist() so we get all the groups. [51b3ed8c600b] 2011-07-22 Todd C. Miller * common/setgroups.c: Fix setgroups() fallback code on EINVAL. [2b6faecd56a4] * plugins/sudoers/set_perms.c: Fix two PERM_INITIAL cases that were still using user_gids. [9680bab0acc6] * MANIFEST: Add Polish sudo message catalog [8bb40c3ba576] * plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: user_group is no longer used, remove it [9acede0fe6c5] 2011-07-20 Todd C. Miller * MANIFEST, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po: Add Polish translation from translationproject.org [afac5c638573] * MANIFEST, common/Makefile.in, common/setgroups.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h, src/sudo_edit.c: Add a wrapper for setgroups() that trims off extra groups and retries if setgroups() fails. Also add some missing addrefs for PERM_USER and PERM_FULL_USER. [224dfd8aae5c] * MANIFEST, compat/Makefile.in, compat/getgrouplist.c, config.h.in, configure, configure.in, include/missing.h, mkdep.pl, plugins/sudoers/ldap.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c: Instead of keeping separate groups and gids arrays, create struct group_info and use it to store both, along with a count for each. Cache group info on a per-user basis using getgrouplist() to get the groups. We no longer need special to special case the user or list user for user_in_group() and thus no longer need to reset the groups list when listing another user. [0ad849a8b2d5] * src/preload.c: Don't rely on NULL since we don't include a header for it. [b40937f1890c] 2011-07-19 Todd C. Miller * doc/sudoers.pod: Fix typo [c1035360e169] 2011-07-18 Todd C. Miller * plugins/sudoers/sudoers.c: Do not shadow global sudo_mode with a local variable in set_cmnd() [0c72969503ad] 2011-07-17 Todd C. Miller * plugins/sudoers/sudoers.c: bash 2.x doesd not support the -l flag and exits with an error if it is specified so use --login instead. This causes an error with bash 1.x (which uses -login instead) but this version is hopefully less used than 2.x. [5c4c296e30e6] * src/po/pl.mo, src/po/pl.po: Add Polish translation from translationproject.org [48592dd6edcf] 2011-07-13 Todd C. Miller * plugins/sudoers/set_perms.c: Make error strings translatable. [414c5c484768] * mkpkg: Only run configure with --with-pam-login for RHEL 5 and above. [6c16e4de4026] * sudo.pp: Fix typo in summary [9ac618c9a749] 2011-07-11 Todd C. Miller * plugins/sudoers/logwrap.c: Add missing logwrap.c [c12a413ecc1d] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/logging/check_wrap.in, plugins/sudoers/regress/logging/check_wrap.out.ok: Split out log file word wrap code into its own file and add unit tests. Fixes an off-by one in the word wrap when the log line length matches loglinelen. [52ed277f6690] 2011-07-05 Todd C. Miller * mkpkg: For SuSE, only use /usr/lib64 as libexec if generating 64-bit binaries. [645ab903cf77] * src/load_plugins.c, src/sudo.c: Fix build error when --without-noexec configure option is used. [b994f7b0d8b4] * configure, configure.in: Disable noexec for AIX < 5. LDR_PRELOAD is only available in AIX 5.3 and above. [c2a6f9b472f3] 2011-07-01 Todd C. Miller * plugins/sudoers/ldap.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Resolve the list of gids passed in from the sudo frontend (the result of getgroups()) to names and store both the group names and ids in the sudo_user struct. When matching groups in the sudoers file, match based on the names in the groups list first and only do a gid-based match when we absolutely have to. By matching on the group name (as it is listed in sudoers) instead of id (which we would have to resolve) we save a lot of group lookups for sudoers files with a lot of groups in them. [8dc19353f148] 2011-06-26 Todd C. Miller * plugins/sudoers/sudoers.c: Workaround for "sudo -i command" and newer versions of bash which don't go into login mode when -c is specified unless -l is too. [9393762b80f3] 2011-06-23 Todd C. Miller * plugins/sudoers/logging.c: Rewrite logfile word wrapping code to be more straight-forward and actually wrap at the correct place. [f712a0c90f55] 2011-06-22 Todd C. Miller * doc/CONTRIBUTORS, doc/contributors.pod, plugins/sudoers/sudoers.c: Set use_pty=true in command details when use_pty is set in sudoers. From Ludwig Nussel [8d95a163dfc1] 2011-06-20 Todd C. Miller * plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/zh_CN.mo, src/po/zh_CN.po: Sync Chinese (simplified) PO files from translationproject.org [acce8eb7be18] 2011-06-18 Todd C. Miller * MANIFEST, plugins/sudoers/po/eu.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/uk.mo, src/po/da.mo, src/po/da.po, src/po/eu.mo: Add Danish translation from translationproject.org and add missing Basque mo files. [0c22bb21b9c4] * Makefile.in, configure, configure.in: No longer need to specify LINGUAS in configure, "make install-nls" now just installs all the .mo files it finds. [fcd45cf04885] 2011-06-17 Todd C. Miller * MANIFEST, doc/CONTRIBUTORS, doc/Makefile.in, doc/contributors.pod: Build CONTRIBUTORS from newly-added contributors.pod [8b192f2720f4] * doc/CONTRIBUTORS: Rework the wording in the leading paragraph [312044145cdd] 2011-06-14 Todd C. Miller * MANIFEST, doc/CONTRIBUTORS: Add a CONTRIBUTORS file with the names of folks who have contributed code or patches to sudo since I started maintaining it (plus the original authors). [b8bdd8b59528] 2011-06-13 Todd C. Miller * plugins/sudoers/env.c: Preserve SHELL variable for "sudo -s". Otherwise we can end up with a situation where the SHELL variable and the actual shell being run do not match. [b8b3974aee3e] 2011-06-10 Todd C. Miller * configure, configure.in: Only enable Solaris project support when setproject() is present in libproject. [49ad7857ab89] * sudo.pp: Explicitly set mode and owner of /etc/sudoers instead of relying on "cp -p" to work in the postinstall script. On AIX 6.1 at least the postinstall script runs before the final file permissions are set. [e41ffc0212b2] 2011-06-09 Todd C. Miller * doc/sudo.pod, doc/sudoers.pod: Refer the user to the "Command Environment" section in description of sudo's -i option. [263cc3be7eef] * doc/sudo.pod: Fix typo [35dfac450f4d] 2011-06-08 Todd C. Miller * mkdep.pl: If there is no old dependency for an object file, use the MANIFEST to find its source. [d15e3b9899f9] * compat/Makefile.in: Remove dependency for getgrouplist.lo as we don't ship that source file. [312a6d5fe6b0] 2011-06-07 Todd C. Miller * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Do not declare yyparse() static as the actual function generated by yacc is extern. [9017b79dcf55] 2011-06-06 Todd C. Miller * Makefile.in: Remove locale files in "make uninstall" [201ff261ecbe] * configure.in, plugins/sudoers/po/eu.po, plugins/sudoers/po/fi.po, plugins/sudoers/po/uk.po, src/po/eu.po: Add Basque translation and sync Finish and Ukranian translations. [66d2c78c8a13] * configure, configure.in: FreeBSD no longer needs the main sudo binary to link with -lpam now that plug-ins are loaded with RTLD_GLOBAL. [96c710df2457] * plugins/sudoers/group_plugin.c, src/load_plugins.c: Load plugins with RTLD_GLOBAL instead of RTLD_LOCAL. This fixes problems with pam modules not having access to symbols provided by libpam on some platforms. Affects FreeBSD and SLES 10 at least. [0d016983ec84] * Makefile.in: Move xgettext invocation out of update-po target into update-pot [19a73c6d017c] 2011-06-04 Todd C. Miller * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: Regenerate .pot files for 1.8.2rc2 [c3037f591dd8] * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: Move nls targets to the top level Makefile so the paths in the pot file are saner [65b9285cd8d9] * src/po/fi.mo: Add compiled version of sudo Finish translation [8f2405384ea3] * MANIFEST, plugins/sudoers/po/fi.mo, plugins/sudoers/po/uk.mo: Update MANIFEST with .po and .mo files Rebuild sudoers fi and uk .mo files [a165e70fa9ec] * configure, configure.in, plugins/sudoers/po/fi.po: Add Finish translation from translationproject.org [4466f8a96ceb] 2011-06-03 Todd C. Miller * doc/sudoers.pod: The group named by exempt_group should not have a % prefix. [df084d6b32c8] 2011-06-01 Todd C. Miller * doc/sudoers.pod: Fix typo; "Defaults group_plugin" not "Defaults sudo_plugin" [5113699a3f8b] 2011-05-31 Todd C. Miller * src/exec.c, src/exec_pty.c: Fix compressed io log corruption in background mode by using _exit() instead of exit() to avoid flushing buffers twice. Improved background mode support. When not allocating a pty, the command is run in its own process group. This prevents write access to the tty. When running in a pty, stdin is not hooked up and we never read from /dev/tty, which results in similar behavior. [87c15149894c] * compat/Makefile.in, mkdep.pl, plugins/sudoers/Makefile.in: Clean up regress files Generate proper dependencies for regress objs in compat [88bfc728c1e7] * plugins/sudoers/Makefile.in: Add missing dependency for check_fill.o. [0bd6362e3e17] 2011-05-29 Todd C. Miller * INSTALL, configure, configure.in: Add support for --enable-nls[=location] [b90db44a050f] 2011-05-28 Todd C. Miller * plugins/sudoers/linux_audit.c: Include gettext.h [7f909a6e48cb] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c: Quiet gcc warnings. [b41a6cdca583] * configure, configure.in: Don't install .mo files if gettext was not found. [1397b34cc165] 2011-05-27 Todd C. Miller * src/exec.c: Always allocate a pty when running a command in the background but call setsid() after forking to make sure we don't end up with a controlling tty. [b6454ba172e8] * plugins/sudoers/iolog.c: Add missing space between command name and the first command line argument. [fe217f0a36d4] * plugins/sudoers/sudoreplay.c: Quiet a compiler warning on some platforms. [de9f2849f236] * plugins/sudoers/po/README, src/po/README: README file that directs people to translationproject.org [30c0fc323281] * plugins/sudoers/po/uk.po, src/po/fi.po: Sync translations with TP [1d7d64559cba] * Makefile.in: Add 'sync-po' target to top-level Makefile to rsync the po files from translationproject.org. [20508211aaa3] * plugins/sudoers/Makefile.in: install nls files from install target [5fc07b6cab38] * Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, sudo.pp: Include .mo files in sudo binary packags. [278d4821a916] * configure, configure.in, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, src/po/zh_CN.mo, src/po/zh_CN.po: Add simplified chinese translation [2b33ffc755b9] 2011-05-26 Todd C. Miller * configure, configure.in, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, src/po/uk.mo, src/po/uk.po: Add ukranian translation [2d8102688e93] * compat/Makefile.in: refer to siglist.c, not ./siglist.c since not all makes will treat foo and ./foo the same. [6639d293ffba] * plugins/sudoers/sudoers.c: Set def_preserve_groups before searching for the command when the -P flag is specified. [0edc7942f875] * Makefile.in, compat/Makefile.in, mkdep.pl, plugins/sudoers/Makefile.in: Add dependency for siglist.lo in compat. This is a generated file so "make depend" needs to depend on it. [28d0932f8b50] * compat/Makefile.in: More dependency fixes. [aad0d05cd020] * compat/Makefile.in: Fix a few dependencies. [eb21aa35a032] * plugins/sudoers/Makefile.in, src/Makefile.in: Place compiled mo files in the src dir, not the build dir. When installing compiled mo files, display a status message. [e15634c29cd3] 2011-05-25 Todd C. Miller * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Tivoli Directory Server requires that seconds be present in a timestamp, even though RFC 4517 states that they are optional. [55fe23dd4ef9] * plugins/sudoers/sudo_nss.h: Add missing bit of copyright [d2eba3c364ca] * doc/visudo.pod: Mention cycle detection warnings [a76bef15ab67] * plugins/sudoers/visudo.c: When checking aliases, also check the contents of the alias in case there are problems with an alias that is referenced inside another. Replace the self reference check with real alias cycle detection. [a66c904cf53b] * plugins/sudoers/alias.c: Set errno to ELOOP in alias_find() if there is a cycle. Set errno to ENOENT in alias_find() and alias_remove() if the entry could not be found. [b4f0b89e433c] * plugins/sudoers/visudo.c: Increment alias_seqno before calls to alias_remove_recursive() to avoid false positives with the alias loop detection. Fixes spurious warnings about unused aliases when they are nested. [a344483b8193] * MANIFEST: add mkdep.pl [86b7ed33eab2] * plugins/sudoers/Makefile.in: Add dependency on convenience libs to binaries [cd3078b3c997] * Makefile.in: mkdep.pl only works when run from the src dir [f35a5e47c944] * Makefile.in, common/Makefile.in, compat/Makefile.in, mkdep.pl, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: Auto-generate Makefile dependencies with a perl script. [a3e4afcd7975] 2011-05-23 Todd C. Miller * plugins/sudoers/match.c: If the user specifies a runas group via sudo's -g option that matches the runas user's group in the passwd database and that group is not denied in the Runas_Spec, allow it. Thus, if user root's gid in /etc/passwd is 0, then "sudo -u root -g root id" is allow even if no groups are present in the Runas_Spec. [e3f9732dc564] 2011-05-22 Todd C. Miller * plugins/sudoers/Makefile.in, src/Makefile.in: Add dependencies on gettext.h [a3a9dc51f78b] * plugins/sudoers/Makefile.in, src/Makefile.in: Fix install-nls target with HP-UX sh when gettext is not present. [0c6b9655cd41] 2011-05-20 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/po/sudoers.pot, src/Makefile.in, src/po/sudo.pot: regenerate .pot files for lbuf changes [918ded125a0b] * configure, configure.in: Add missing "checking" message for gettext when using the cache. [9c21187ad1d2] * common/lbuf.c, include/lbuf.h, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c, src/parse_args.c: Add primitive format string support to the lbuf code to make translations simpler. [ee71c7ef5299] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/po/sudoers.pot, src/Makefile.in, src/po/sudo.pot: Add message catalog template files for sudo and the sudoers module. [f3f8acb1f014] * MANIFEST, common/aix.c, common/alloc.c, compat/strsignal.c, config.h.in, configure.in, doc/Makefile.in, include/gettext.h, plugins/sudoers/iolog.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/error.c, src/net_ifs.c, src/sesh.c, src/sudo.c, src/sudo.h: Add gettext.h convenience header. This is similar to but distinct from the one included with the gettext package. [930a0591f73c] 2011-05-19 Todd C. Miller * configure, configure.in: Add checks for nroff -c and -Tascii flags [19ca990b3149] * configure, configure.in: Add check for HP bundled C Compiler (which cannot create shared libs) [517716a7072d] * plugins/sudoers/sudoreplay.c: Fix C format warnings. [6514326013fa] * include/error.h: Add __printflike [e1749a30a406] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/parse_args.c: Translate help / usage strings. [ee1cc9b1a8bd] * plugins/sudoers/Makefile.in, src/Makefile.in: Set --msgid-bugs-address to the bugzilla url [5a0aa250ca21] * Makefile.in, common/Makefile.in, compat/Makefile.in, configure, configure.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: Add scaffolding to update .po files and install .mo files. [f05f4eed1fe1] * doc/license.pod: update copyright year [fa0c62523875] * INSTALL, README: No need to include version number at the top of these files. [9f2981325351] 2011-05-18 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/group_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c: Minor warning/error cleanup [9236dc85aeab] * config.h.in, configure.in: Emulate ngettext for the non-nls case [13571d63fa36] * plugins/sudoers/ldap.c: Do not mark untranslatable strings for translation [735f5d4413fe] * plugins/sudoers/check.c: Use ROOT_UID not 0. [09a268db8da4] * plugins/sudoers/check.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, src/exec.c, src/exec_pty.c, src/load_plugins.c, src/sudo.c, src/sudo_edit.c: Minor warning/error message cleanup [3c7b1a7939b5] * plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/mon_systrace.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/net_ifs.c, src/selinux.c: cannot -> "unable to" in warning/error messages [31c3897649e9] * plugins/sudoers/check.c, plugins/sudoers/mon_systrace.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c, src/exec_pty.c, src/sudo.c, src/utmp.c: can't -> "unable to" in warning/error messages [127b75f15291] * configure, configure.in: FreeBSD needs the main sudo executable to link with -lpam when loading dynaic pam modules for some reason. [944522cc9bef] 2011-05-17 Todd C. Miller * plugins/sudoers/ldap.c, src/exec.c, src/exec_pty.c, src/sudo.c: We don't want to translate debugging messages. [56a1a365815a] * configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/Makefile.in, src/sesh.c, src/sudo.c: Add calls to bindtextdomain() and textdomain() Currently there are two domains, one for the sudo front-end and one for the sudoers plugin and its associated utilities. [0426138f789e] * configure, configure.in: Fix caching of libc gettext check. [942142d2c43a] * plugins/sudoers/def_data.c, plugins/sudoers/defaults.c, plugins/sudoers/mkdefaults: Mark defaults descriptions for translation [5b27f018e6cf] * NEWS: Update for sudo 1.8.1p2 [747c4dee2ca7] 2011-05-16 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Quiet compiler warning when SELinux is enabled. [1fbf77dda240] * plugins/sudoers/plugin_error.c, plugins/sudoers/sudoreplay.c, src/error.c, src/net_ifs.c, src/sesh.c: Add missing includes of libintl.h. [bc1d66316082] * plugins/sudoers/auth/pam.c: Fix gettext marker. [a5cf4ed66c66] * common/aix.c, common/alloc.c, compat/strsignal.c, plugins/sudoers/auth/pam.c, plugins/sudoers/sudoers.h, src/sudo.h: Include libint.h where needed. [2b0e5a663c7b] * plugins/sudoers/alias.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/plugin_error.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c: Prepare sudoers module messages for translation. [7212ae1909c5] * plugins/sudoers/sudoers.c: Only check gid of sudoers file if it is group-readable. [50e3bc0cb242] * plugins/sudoers/auth/aix_auth.c: For AIX, keep calling authenticate() until reenter reaches 0. [e240815b74b1] 2011-05-09 Todd C. Miller * configure, configure.in: Cache the status of the initial gettext() check. [32751ebe1704] * INSTALL, configure, configure.in: Add --disable-nls flag and improve checks for gettext. [c7e6b17052de] * configure, configure.in: When building with gcc on HP-UX, use -march=1.1 to produce portable binaries on a pa-risc2 host. Previously, the +Dportable option was used for the HP-UX C compiler but gcc always produced native binaries. [8f4c749324d7] 2011-05-06 Todd C. Miller * common/aix.c, common/alloc.c, compat/strsignal.c, src/error.c, src/exec.c, src/exec_pty.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/utmp.c: Prepare sudo front end messages for translation. [2fc2fabceccb] 2011-05-04 Todd C. Miller * config.h.in, configure, configure.in, plugins/sudoers/auth/pam.c: Add initial scaffolding to support localization via gettext() [7d47b59fcf95] * compat/fnmatch.h, compat/glob.h: Don't let the fnmatch/glob macros expand the function prototype. [a9014aa0288e] 2011-05-03 Todd C. Miller * compat/fnmatch.c, compat/fnmatch.h, compat/glob.c, compat/glob.h: Resolve namespace collisions on HP-UX ia64 and possibly others by adding a rpl_ prefix to our fnmatch and glob replacements and #defining rpl_foo to foo in the header files. [caa9b690a15d] 2011-04-29 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Split ALL, ROLE and TYPE into their own actions. Since you can only have #ifdefs inside of braces, ROLE and TYPE use a naughty goto in the non-SELinux case. This is safe because the actions are in one big switch() statement. [7473fc2cfa2c] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix regexp for matching a CIDR-style IPv4 netmask. From Marc Espie. [9be3480c2865] 2011-04-27 Todd C. Miller * doc/UPGRADE, doc/sudoers.pod: askpass moved from sudoers to sudo.conf in sudo 1.8.0 [b2c2956cec4e] * doc/sudoers.pod: Remove obsolete warning about runas_default and ordering. Move syslog facility and priority lists into the section where the relevant options are described. [e57b8dc3f779] 2011-04-26 Todd C. Miller * plugins/sudoers/auth/sia.c: Fix SIA support; we no longer have access to the real argc and argv so allocate space for a fake one and use the argv passed to the plugin with "sudo" for argv[0]. [1c0552772ad2] 2011-04-23 Todd C. Miller * src/net_ifs.c: Remove useless realloc when trying to get the buffer size right. [792225380a62] * plugins/sudoers/set_perms.c: Be explicit when setting euid to 0 before call to setreuid(0, 0) [7bfeb629fccb] 2011-04-18 Todd C. Miller * configure, configure.in: Need to do checks for krb5_verify_user, krb5_init_secure_context and krb5_get_init_creds_opt_alloc regardless of whether or not krb5-config is present. [9d1b98ece1d3] 2011-04-15 Todd C. Miller * plugins/sudoers/set_perms.c: Work around weird AIX saved uid semantics on setuid() and setreuid(). On AIX, setuid() will only set the saved uid if the euid is already 0. [069fc08150ca] 2011-04-14 Todd C. Miller * sudo.pp: update copyright year [1c42d579ba6e] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Treat a missing includedir like an empty one and do not return an error. [92f71d8cbfd4] 2011-04-12 Todd C. Miller * pp: Fix ARCH setting in cross-compile Solaris packages. [b0de281cc889] * sudo.pp: Fix aix version setting. [98437dbfb085] * plugins/sudoers/ldap.c: Remove extraneous parens in LDAP filter when sudoers_search_filter is enabled that causes a search error. From Matthew Thomas. [1d75bf1fc8d9] 2011-04-11 Todd C. Miller * plugins/sudoers/regress/iolog_path/check_iolog_path.c: Correct sizeof() to fix test failure. [fd2f7c0c0572] * plugins/sudoers/Makefile.in: "install" target should depend on "install-dirs". Fixes "make -j" problem and closes bz #487. From Chris Coleman. [083902d38edb] 2011-04-07 Todd C. Miller * config.h.in: Add HAVE_RFC1938_SKEYCHALLENGE [a94cb33758a8] 2011-04-06 Todd C. Miller * NEWS: Mention plugin loading and libgcc changes [e11b30b5026a] * src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Load plugins after parsing arguments and potentially printing the version. That way, an error loading or initializing a plugin doesn't break "sudo -h" or "sudo -V". [1b76f2b096a2] * Makefile.in: When using a sub-shell to invoke the sub-make, exec make instead of running it inside the shell to avoid an extra process. [fd2c04a71fbf] * compat/regress/fnmatch/fnm_test.in, compat/regress/glob/globtest.c: Stop testing unspecified behavior in fnmatch Make glob test more portable [229803093725] * compat/Makefile.in: No need to add current dir to include path and having it breaks the test programs that expect to get the system glob.h and fnmatch.h [68085f624be4] * INSTALL, configure, configure.in: Fix and document --with-plugindir; partially from Diego Elio Petteno [07edc52ea89e] * compat/Makefile.in, compat/regress/fnmatch/fnm_test.c, compat/regress/fnmatch/fnm_test.in, compat/regress/glob/globtest.c, compat/regress/glob/globtest.in: Fix fnmatch and glob tests to not use hard-coded flag values in the input file. Link test programs with libreplace so we get our replacement verions as needed. [c2cca448f660] * Makefile.in: If make in a subdir fails, fail the target in the upper level Makefile too. Adapted from a patch from Diego Elio Petteno [76fc9a0d96fd] * configure, configure.in, plugins/sudoers/auth/rfc1938.c: Add check for NetBSD-style 4-argument skeychallenge() as Gentoo also has this. Adapted from a patch from Diego Elio Petteno [a97279a59b93] * plugins/sudoers/Makefile.in: Make SUDOERS_LDFLAGS reference $(LDFLAGS) instead of using @LDFLAGS@ directly. [47b884029b3b] * configure, configure.in: Fix warnings when -without-skey, --without-opie, --without-kerb4, --without-kerb5 or --without-SecurID were specified. [71ad150f4d24] * MANIFEST: Add plugins/sudoers/sudoers_version.h [7423966de440] * configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in: Back out the --with-libpath addition to SUDOERS_LDFLAGS since that now include LDFLAGS in the sudoers Makefile.in. Add missing settng of @LDFLAGS@ in plugin Makefile.in files. [b835826f889c] 2011-04-05 Todd C. Miller * NEWS: Mention %#gid support in User_List and Runas_List [5a983dff017a] * plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_version.h, plugins/sudoers/visudo.c: Keep track of sudoers grammar version and report it in the -V output. [52901a3c0296] * plugins/sudoers/sudo_nss.h: Add multiple inclusion guard [50853aed046e] * configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in: The --with-libpath option now adds to SUDOERS_LDFLAGS as well as LDFLAGS. Remove old -static hack for HP-UX < 9. Add LTLDFLAGS and set it to -Wc,-static-libgcc if not using GNU ld so we don't have a dependency on the shared libgcc in sudoers.so. [66ad8bc5e32d] * doc/sudoers.pod: Fix typo; from Petr Uzel [f9a7afd80892] 2011-04-01 Todd C. Miller * plugins/sudoers/testsudoers.c: In dump-only mode, use "root" as the default username instead of "nobody" as the latter may not be available on all systems. [0c48e6414337] 2011-03-31 Todd C. Miller * plugins/sudoers/testsudoers.c: Remove NewArgv/NewArgc, they are no longer needed. [16e18f734c7e] * plugins/sudoers/testsudoers.c: Fix setting of user_args [aa29e0d0a54a] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add '!' token to lex tracing [5227ad266235] * plugins/sudoers/regress/testsudoers/test1.sh: Use group bin in test, not wheel as most systems have the bin group but the same is no longer true of wheel. [718802b3b45e] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Avoid using pre or post increment in a parameter to a ctype(3) function as it might be a macro that causes the increment to happen more than once. [78e281152c3a] 2011-03-30 Todd C. Miller * sudo.pp: Strip off the beta or release candidate version when building AIX packages. [28fe31668559] * configure, configure.in: We need to include OSDEFS in CFLAGS when doing the utmp/utmpx structure checks for glibc which only has __e_termination visible when _GNU_SOURCE is *not* defined. [59ae1698911f] * common/aix.c: getuserattr(user, ...) will fall back to the "default" entry automatically, there's no need to check "default" manually. [3c7a47a61fdb] 2011-03-29 Todd C. Miller * doc/UPGRADE: Document parser changes. [ec415503308d] * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: If there is an existing sudoers file, only install if it passes a syntax check. [37427c73e8cb] * plugins/sudoers/regress/sudoers/test6.out.ok, plugins/sudoers/testsudoers.c: Add runasgroup support to testsudoers [047ea5571f33] * plugins/sudoers/Makefile.in: For "make check", keep going even if a test fails. [ce6a0a73c372] * plugins/sudoers/testsudoers.c: More useful exit codes: * 0 - parsed OK and command matched. * 1 - parse error * 2 - command not matched * 3 - command denied [1d2ce1361903] * doc/sudoers.pod: Document %#gid, and %:#nonunix_gid syntax. [492d4f9696c4] * plugins/sudoers/pwutil.c: Add support to user_in_group() for treating group names that begin with a '#' as gids. [20240c94a134] * config.h.in, configure, configure.in, src/utmp.c: Add explicit check for struct utmpx.ut_exit.e_termination and struct utmpx.ut_exit.__e_termination. HP-UX uses the latter. Only update ut_exit if we detect one or the other. [b4e8cab777e6] 2011-03-28 Todd C. Miller * plugins/sudoers/toke.c: Add back missing #include of config.h [9ab3897a1b2e] * plugins/sudoers/iolog_path.c, plugins/sudoers/regress/iolog_path/data: Avoid a NULL deref on unrecognized escapes. Collapse %% -> % like strftime() does. [93395762cdcd] * aclocal.m4: Quote first argument to AC_DEFUN(); from Elan Ruusamae [97f53ad31d77] 2011-03-27 Todd C. Miller * MANIFEST: add new sudoers tests [476af91b3da3] * plugins/sudoers/regress/sudoers/test8.in, plugins/sudoers/regress/sudoers/test8.out.ok, plugins/sudoers/regress/sudoers/test8.toke.ok: Add test for a newline in the middle of a string when no line continuation character is used. [de2394bc86ab] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Use bitwise AND instead of modulus to check for length being odd. A newline in the middle of a string is an error unless a line continuation character is used. [bdb1d762a1d5] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Move lexer globals initialization into init_lexer. [1ce62211aadb] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix a potential crash when a non-regular file is present in an includedir. Fixes bz #452 [1586760c3525] * pp: On some Linux systems, "uname -p" contains detailed processor info so check "uname -m" first and then "uname -p" if needed. Recognize PLD Linux. [b8535cb9012e] 2011-03-25 Todd C. Miller * plugins/sudoers/redblack.c: Don't need all sudoers.h here. [8c0929f42dab] * src/sudo.c: Print sudo version early, in case policy plugin init fails. [47cddc4358bc] 2011-03-24 Todd C. Miller * plugins/sudoers/regress/sudoers/test4.toke.ok: Update to match change in input. [4a3af8e68790] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Make an empty group or netgroup a syntax error. [66f51ddc2ff6] * plugins/sudoers/regress/sudoers/test7.in, plugins/sudoers/regress/sudoers/test7.out.ok, plugins/sudoers/regress/sudoers/test7.toke.ok: An empty group or netgroup should be a syntax error. [bd5bf1e2edce] * plugins/sudoers/regress/sudoers/test6.in, plugins/sudoers/regress/sudoers/test6.out.ok, plugins/sudoers/regress/sudoers/test6.toke.ok: Check that uids work in per-user and per-runas Defaults Check that uids and gids work in a Command_Spec [c5e848e6082b] * plugins/sudoers/regress/sudoers/test5.in, plugins/sudoers/regress/sudoers/test5.out.ok, plugins/sudoers/regress/sudoers/test5.toke.ok: Test empty string in User_Alias and Command_Spec [3a084d777e03] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Allow a group ID in the User_Spec. [bc2859eb71dc] 2011-03-23 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Return an error for the empty string when a word is expected. Allow an ID for per-user or per-runas Defaults. [915c259b00ff] * plugins/sudoers/testsudoers.c: Fix printing "User_Alias FOO = ALL" [ba58c3d548b3] 2011-03-22 Todd C. Miller * src/parse_args.c: Better error message about invalid -C argument [c9a8d15bbf5d] * NEWS: fix typo [cdcfbafed013] * doc/sudoers.pod: Fix placement of equal size ('=') in user specification summary. [5ad7178b230d] 2011-03-21 Todd C. Miller * MANIFEST: update to match sudoers regress [e04db0648717] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Restore ability to define TRACELEXER and have trace output go to stderr. [d9531e4d1b20] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Restore old behavior of setting sawspace = TRUE for command line args when a line continuation character is hit to avoid causing problems for existing sudoers files. [fd930ad25550] * plugins/sudoers/regress/sudoers/test4.in, plugins/sudoers/regress/sudoers/test4.out.ok, plugins/sudoers/regress/sudoers/test4.toke.ok: Add test for line continuation and aliases [29ab538ca6bb] * plugins/sudoers/Makefile.in: Make test output line up nicely for parse vs. toke [257ef82c1434] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/sudoers/test1.in, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test1.toke.ok, plugins/sudoers/regress/sudoers/test2.in, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test2.toke.ok, plugins/sudoers/regress/sudoers/test3.in, plugins/sudoers/regress/sudoers/test3.out.ok, plugins/sudoers/regress/sudoers/test3.toke.ok, plugins/sudoers/regress/testsudoers/test1.ok, plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test2.out, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.ok, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/visudo/test1.ok, plugins/sudoers/regress/visudo/test1.sh: Move parser tests to sudoers directory and test the tokenizer output too. [44f529b3cdb6] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: If we match a rule anchored to the beginning of a line after parsing a line continuation character, return an ERROR token. It would be nicer to use REJECT instead but that substantially slows down the lexer. [355478293f8c] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Move LEXTRACE macro to toke.h so we can use it in yyerror(). [72ee7a06d3ca] 2011-03-20 Todd C. Miller * plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Make lex tracing settable at run-time in testsudoers via the -t flag. Trace output goes to stderr. Will be used by regress tests to check lexer. [93bd53c413c8] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Allow whitespace after the modifier in a Defaults entry. E.g. "Defaults: username set_home" [9dfcf8dd8a3a] 2011-03-18 Todd C. Miller * mkpkg: Don't set CC when cross-compiling. [4b95b0c04e1c] * NEWS: Credit Matthew Thomas for the sudoers_search_filter changes. [a65998ab09f7] * MANIFEST: Add the .sym files to the MANIFEST [f599225cc861] * NEWS: Update for sudo 1.8.1 beta [71021e854c49] * doc/sudo_plugin.pod, plugins/sudoers/sudoers.c, src/parse_args.c: user_shell -> run_shell to avoid confusion with the user's SHELL variable. [dc0ac6dafc21] * src/exec_pty.c: Save the controlling tty process group before suspending in pty mode. Previously, we assumed that the child pgrp == child pid (which is usually, but not always, the case). [10b2883b7875] * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add support for sudoers_search_filter setting in ldap.conf. This can be used to restrict the set of records returned by the LDAP query. [b0f1b721d102] 2011-03-17 Todd C. Miller * configure, configure.in: Remove the hack to disable -g in CFLAGS unless --with-devel [89822cf84ef4] * doc/sudoers.pod: The '@' character does not normally need to be quoted. [7823f5ed829a] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: We normaly transition from GOTDEFS to STARTDEFS on whitespace, but if that whitespace is followed by a comma, we want to treat it as part of a list and not transition. [1ca6943e1824] * plugins/sudoers/regress/testsudoers/test3.ok, plugins/sudoers/regress/testsudoers/test3.sh: Add check for whitespace when a User_List is used for a per-user Defaults entry. [91f75e6dd19a] * plugins/sudoers/regress/testsudoers/test2.out, plugins/sudoers/regress/testsudoers/test2.sh: Expand quoted name checks to cover recent fixes. [ce4f76bca146] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Fix parsing of double-quoted names in Defaultd and Aliases which was broken in 601d97ea8792. [424b0d6c1dc4] * plugins/sudoers/Makefile.in: toke_util.c lives in $(srcdir) not $(devdir) [94866bebee83] 2011-03-16 Todd C. Miller * configure, configure.in: Change trunk version to 1.8.x to distinguish from real 1.8.0. [a9781e61d064] * NEWS, doc/UPGRADE: Document major changes in 1.8.1 and add upgrade notes. [f2cf51b0d9ce] * plugins/sudoers/match.c: Be careful not to deref user_stat if it is NULL. This cannot currently happen in sudo but might in other programs using the parser. [06a2334dd674] * mkpkg: configure will not add -O2 to CFLAGS if it is already defined to add -O2 to the CFLAGS we pass in when PIE is being used. [1ce6481ece59] * doc/sudoers.pod: Warn about the dangers of log_input and mention iolog_file and iolog_dir in the log_input and log_output descriptions. [ae854ffb0768] * pp: sync with git version [a993e39ce3cb] * doc/sudoers.pod: It seems that h comes after i [0f621109220d] * doc/sudoers.pod: Move log_input and log_output to their proper, sorted, location. Document set_utmp and utmp_runas. [273b234b9c34] * src/exec.c: Save the controlling tty process group before suspending so we can restore it when we resume. Fixes job control problems on Linux caused by the previous attemp to fix resuming a shell when I/O logging not enabled. [f03a660315ee] * common/lbuf.c: Fix printing of the remainder after a newline. Fixes "sudo -l" output corruption that could occur in some cases. [25d83fb501fc] 2011-03-15 Todd C. Miller * config.h.in, configure, configure.in, src/exec_pty.c, src/sudo_exec.h, src/utmp.c: Add support for ut_exit [b574c13f1bba] * doc/sudo_plugin.pod, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c, src/exec.c, src/exec_pty.c, src/sudo.c, src/sudo.h, src/sudo_exec.h, src/utmp.c: Add support for controlling whether utmp is updated and which user is listed in the entry. [44a81632133f] * plugins/sudoers/def_data.h, plugins/sudoers/defaults.h, plugins/sudoers/ldap.c, plugins/sudoers/mkdefaults, plugins/sudoers/parse.c: Fix typo; tupple vs. tuple [697744acb710] * src/utmp.c: For legacy utmp, strip the /dev/ prefix before trying to determine slot since the ttys file does not include the /dev/ prefix. [7ad5b81ff90c] * aclocal.m4, configure, configure.in, pathnames.h.in: Add check for _PATH_UTMP [21e638029bfd] 2011-03-14 Todd C. Miller * plugins/sudoers/regress/iolog_path/check_iolog_path.c: Adapt check_iolog_path to sessid changes [728b5fe2be6f] * config.h.in, configure, configure.in, src/Makefile.in, src/exec_pty.c, src/sudo_exec.h, src/utmp.c: Redo utmp handling. If no getutent()/getutxent() is available, assume a ttyslot-based utmp. If getttyent() is available, use that directly instead of ttyslot() so we don't have to do the stdin dup2 dance. [18aa455cd140] 2011-03-11 Todd C. Miller * MANIFEST, src/Makefile.in, src/exec_pty.c, src/sudo_exec.h, src/utmp.c: Move utmp handling into utmp.c [f6eae6c8e012] * common/aix.c, common/alloc.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/list.c, compat/isblank.c, compat/memrchr.c, compat/mksiglist.c, compat/nanosleep.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/utimes.c, doc/sudo.pod, doc/visudo.pod, include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sample_group/getgrent.c, plugins/sample_group/plugin_test.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/get_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h, src/sudo_noexec.c, src/sudo_plugin_int.h, src/tgetpass.c: Update copyright years. [16aa39f9060a] * doc/sudo_plugin.pod, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c: Add "user_shell" boolean as a way to indicate to the plugin that the -s flag was given. [fb1ef0897b32] * plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.h: Move sessid out of sudo_user. [ba298ddb57f4] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Log the TSID even if it is not a simple session ID. [d7cc1b9c513c] * doc/sample.sudo.conf, doc/sudo.pod, doc/sudoers.pod: Document noexec in sample.sudo.conf and add back noexec_file section in sudoers with a note that it is deprecated. [4a6e961e494d] * plugins/sudoers/set_perms.c: Fix running commands as non-root on systems where setreuid() changes the saved uid based on the effective uid we are changing to. [df0769b71b34] 2011-03-10 Todd C. Miller * plugins/sudoers/defaults.c, src/load_plugins.c, src/sudo.c, src/sudo.h: Move noexec path into sudo.conf now that sudo itself handles noexec. Currently can be configured in sudoers too but is now undocumented and will be removed in a future release. [6fa8befdc110] * doc/sudo.pod, doc/sudoers.pod: Document "Path noexec ..." in sudo.conf. No longer document noexec_file in sudoers, it will be removed in a future release. [24eee3a0b3e5] * plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h: Move noexec handling to sudo front-end where it is documented as being. [3ed4f10d7052] * config.h.in, configure, configure.in, plugins/sudoers/sudoers.c, src/exec.c, src/exec_pty.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h: Add support for disabling exec via solaris privileges. Includes preparation for moving noexec support out of sudoers and into front end as documented. [dec843ed553e] * plugins/sample/Makefile.in, plugins/sample/sample_plugin.sym, plugins/sample_group/Makefile.in, plugins/sample_group/sample_group.sym, plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.sym: Only export the symbols corresponding to the plugin structs. [8d8d03b0ca54] * configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in: Install plugins manually instead of using libtool. This works around a problem on AIX where libtool will install a .a file containing the .so file instead of the .so file itself. [796971cfbddb] * Makefile.in: Move check into its own rule since some versions of make will run both targets as the default rule. [34d759979176] * configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4, m4/lt~obsolete.m4: Update to libtool 2.2.10 [34c130de6af7] 2011-03-09 Todd C. Miller * src/exec.c: In handle_signals(), restart the read() on EINTR to make sure we keep up with the signal pipe. Don't return -1 on EAGAIN, it just means we have emptied the pipe. [d5b9c8eb9000] * compat/mktemp.c: Reorder functions to quiet a compiler warning. [c9e9a23729f0] * mkpkg: Use the Sun Studio C compiler on Solaris if possible [11a86e27891e] 2011-03-08 Todd C. Miller * mkpkg: Fix default setting of osversion variable. [52e49ca1cedd] * doc/sudo_plugin.pod: Make two login_class entris consistent. [18ff1fa94a91] * config.h.in, configure, configure.in, src/exec.c, src/exec_pty.c, src/sudo_exec.h: Add support for adding a utmp entry when allocating a new pty. Requires the BSD login(3) or SYSV/POSIX getutent()/getutxent(). Currently only creates a new entry if the existing tty has a utmp entry. [32db72b81d80] * plugins/sudoers/boottime.c: Avoid pulling in headers we don't need on Linux For getutx?id(), call setutx?ent() first and always call endutx?ent(). [5dad21e1ee1b] * configure, configure.in: Add some more libs to SUDOERS_LIBS instead of relying on them to be pulled in by SUDO_LIBS. [18a7c21c09a7] * plugins/sudoers/sudoers.c: Fix return value of "sudo -l command" when command is not allowed, broken in [c7097ea22111]. The default return value is now TRUE and a bad: label is used when permission is denied. Also fixed missing permissions restoration on certain errors. On error()/errorx(), the password and group files are now closed before returning. [4f2d0e869ae5] 2011-03-07 Todd C. Miller * plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c: Fix passing of login class back to sudo front end. [6f70a784ce48] * mkpkg: Add --osversion flag to specify OS instead of running "pp --probeonly" [a8efdccb7bc1] * sudo.pp: Fix expr usage w/ GNU expr [48895599ee63] 2011-03-06 Todd C. Miller * plugins/sudoers/sudoers.c: Fix exit value for validate and list mode. [c7097ea22111] * plugins/sudoers/sudoers.c: Fix non-interactive mode with sudoers plugin. [172f29597bd2] 2011-03-05 Todd C. Miller * doc/sudoreplay.pod: sudoreplay can now find IDs other than %{seq} and display the session. [fc3dd3be67e9] 2011-03-04 Todd C. Miller * plugins/sudoers/sudoreplay.c: Add support for replaying sessions when iolog_file is set to something other than %{seq}. [ca3131243874] * plugins/sudoers/visudo.c: If we are killed by a signal, display the name of the signal that got us. [994bb76a990e] * configure, configure.in: Move libs used for authentication from SUDO_LIBS to SUDOERS_LIBS where they belong. [40f94b936fa4] * configure.in: Fix bug in skey/opie check that could cause a shell warning. [83c043072be5] * plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: No longer need sudo_getepw() stubs. [bbee15c36912] 2011-03-03 Todd C. Miller * plugins/sudoers/sudo_nss.c: Fix exit value of "sudo -l command" in sudoers module. [a6541867521b] 2011-03-02 Todd C. Miller * compat/regress/glob/globtest.c: Use fgets() not fgetln() for portability. [df1bb67fb168] * sudo.pp: Don't use the beta or release candidate version as the rpm release. [d661ef78021a] 2011-02-25 Todd C. Miller * configure, configure.in: version 1.8.0 [f6530d56f6ae] [SUDO_1_8_0] * NEWS: update sudo 1.8 section [f2ee2cf95d18] 2011-02-23 Todd C. Miller * plugins/sudoers/regress/testsudoers/test2.sh: fix test description [cd5730fa9f09] * plugins/sudoers/regress/testsudoers/test2.out, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/visudo/test2.out, plugins/sudoers/regress/visudo/test2.sh: convert test2 to use testsudoers [b5ec3f0b69f1] * include/sudo_plugin.h, src/sudo_plugin_int.h: Move struct generic_plugin to sudo_plugin_int.h [6f7bc629329c] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Allow sudoers file name, mode, uid and gid to be specified in the settings list. The sudo front end does not currently set these but may in the future. [22f38a0fda2a] 2011-02-21 Todd C. Miller * configure, configure.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: 1.8.0rc1 [5d4588b9c057] * doc/sudo.pod, doc/sudoreplay.pod, doc/visudo.pod, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/parse_args.c, src/sudo.h: add help text to sudo, visudo and sudoreplay for the -h option [52e7378d8476] 2011-02-19 Todd C. Miller * compat/snprintf.c: avoid using "howmany" for a parameter name since it is a select- related macro [a14d565401a1] * doc/sudoers.pod: mention group_plugin when describing nonunix_group [e0d1d0034b17] * doc/sudo_plugin.pod: Add missing period at end of sentence [6744d7e9056d] * Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: add localstatedir; closes bug 471 [7aefcab85088] * config.h.in, configure, configure.in, plugins/sudoers/sudoreplay.c, src/exec.c, src/exec_pty.c: The howmany macro lives in sys/sysmacros.h on SVR5 systems Closes Bug 470 [927ed6740f32] * configure.in: add missing AH_TEMPLATE for ENV_RESET [16300010c986] * src/exec.c: SVR5 systems return non-zero for success on socketpair(), check for -1 instead. Closes Bug 469 [4d276494bf8e] 2011-02-16 Todd C. Miller * configure, configure.in: 1.8.0b5 [d611cd5d73d3] * doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: regen [85e96eeaed82] * doc/sudo.pod: Document that a sudo.conf file with no Pligin lines uses the default sudoers plugins. [88bd52da977f] * src/load_plugins.c: If sudo.conf contains no Plugin lines, use the default sudoers policy and I/O plugins. [fd8f4cb811ab] 2011-02-14 Todd C. Miller * plugins/sudoers/sudo_nss.c: Avoid printing empty "Runas and Command-specific defaults for user" line. [2dd330fe4f8b] * common/lbuf.c: Truncate the buffer at buf.len before printing in the non-wordwrap case. [901e9833f80d] * common/lbuf.c: Remove extra newline when the tty width is very small or unavailable [245c05506c0e] 2011-02-11 Todd C. Miller * plugins/sudoers/alias.c: Remove unneeded variable. [2c086d30b796] 2011-02-09 Todd C. Miller * configure, configure.in: Prefer getutxid over getutid [3f3322e9c93e] * plugins/sudoers/boottime.c: Include utmp.h / utmpx.h before missing.h as apparently including it afterwards causes a compilation problem on GNU Hurd. [a528029ae962] 2011-02-07 Todd C. Miller * plugins/sudoers/sudoreplay.c, plugins/sudoers/toke_util.c: #include "foo.h", not for local includes. [f65ec693998e] * src/parse_args.c: remove bogus XXX [9136c17d53ce] * compat/mksiglist.c: Fix typo [1a3bb7b455c9] * compat/glob.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c: return foo not return(foo) [5c9e0647359a] 2011-02-06 Todd C. Miller * src/exec.c: Remove duplicate FD_SET of signal_pipe[0] [3096527d2215] 2011-02-05 Todd C. Miller * compat/mksiglist.c: Use "missing.h" not in generated code. [d8e09cffbe09] 2011-02-04 Todd C. Miller * aclocal.m4, configure: fix --with-iologdir=no [a89699cb5f5f] * aclocal.m4, configure: fix typo that broke --with-iologdir [91b54eb22403] 2011-02-03 Todd C. Miller * configure, configure.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: Bump version to 1.8.0b4 [e2b7f2cdc02e] * NEWS: sync [decf5a0a8a33] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Attempt to clarify how users and groups interact in Runas_Specs [e6fb3a2dbd77] * plugins/sudoers/regress/visudo/test2.out, plugins/sudoers/regress/visudo/test2.sh: Add test for quoted group that contains escaped double quotes [44596c48c629] * src/exec.c, src/exec_pty.c: Pass SIGUSR1/SIGUSR2 through to the child. [c3108a827b01] * src/exec_pty.c, src/sudo_exec.h: Use special values SIGCONT_FG and SIGCONT_BG instead of SIGUSR1 and SIGUSR2 to indicate whether the child should be continued in the foreground or background. [35ca47cc6785] * src/exec.c: Use pid_t not int and check the return value of kill() [36ae7d37d7f9] 2011-02-02 Todd C. Miller * src/exec_pty.c: Remove obsolete comment [baebef4919f6] * src/exec.c: In non-pty mode before continuing the child, make it the foreground pgrp if possible. Fixes resuming a shell. [fef5b1d02ddb] * src/exec_pty.c: If we get a signal other than SIGCHLD in the monitor, pass it directly to the child. [b3ecb28163a0] * src/exec.c, src/exec_pty.c, src/sudo.h: Save signal state before changing handlers and restore before we execute the command. [faf7475dc4bf] 2011-02-01 Todd C. Miller * plugins/sudoers/iolog.c: Use a char array to map a number to a base36 digit. [257576c51f8b] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod: Be clear about what versions of sudo support new LDAP attributes. Fix up some formatting of attribute names. Minor other tweaks. [39f65df71f65] 2011-01-31 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: match quoted strings the same way whether in a Defaults line or as a user/group/netgroup name. Fixes escaped double quotes in quoted user/group/netgroup names. [601d97ea8792] * plugins/sudoers/Makefile.in: 'make check' depends on visudo and testsudoers [127c5a24df8f] * plugins/sudoers/sudoers2ldif: Add sudoOrder attribute to each entry Parse LOG_{INPUT,OUTPUT} tags [9029163a58c3] 2011-01-30 Todd C. Miller * doc/UPGRADE: Mention LDAP attribute compatibility status. [2c3595aaec63] 2011-01-28 Todd C. Miller * README.LDAP: Mention phpQLAdmin [9304c9064fbe] * INSTALL, NEWS, config.h.in, configure, configure.in, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/defaults.c: Add --disable-env-reset configure option. [8a753aa13a46] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Document that sudoers_locale also affects logging and email. [998d6ac11277] * NEWS, config.h.in, configure, configure.in, plugins/sudoers/logging.c: Do logging and email sending in the locale specified by the "sudoers_locale" setting ("C" by default). Email send by sudo includes MIME headers when the sudoers locale is not "C". [cb7e55408400] 2011-01-27 Todd C. Miller * plugins/sudoers/check.c: Fix indentation [65ae7e92b9e4] 2011-01-25 Todd C. Miller * NEWS, src/parse_args.c, src/sudo.c: Perform command escaping for "sudo -s" and "sudo -i" after validating sudoers so the sudoers entries don't need to have all the backslashes. [4e168c103f4b] 2011-01-24 Todd C. Miller * plugins/sudoers/logging.c: Prepend "list " to the command logged when "sudo -l command" is used to make it clear that the command was listed, not run. [f392a6056cd6] * plugins/sudoers/parse.c: cosmetic change [7c0951dbc2dd] * common/aix.c, common/alloc.c, common/fileops.c, common/fmt_string.c, common/list.c, common/term.c, compat/fnmatch.c, compat/getcwd.c, compat/glob.c, compat/isblank.c, compat/memrchr.c, compat/mktemp.c, compat/nanosleep.c, compat/regress/glob/globtest.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/utimes.c, plugins/sample/sample_plugin.c, plugins/sample_group/getgrent.c, plugins/sample_group/plugin_test.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/mon_systrace.c, plugins/sudoers/parse.c, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/exec_pty.c, src/get_pty.c, src/load_plugins.c, src/parse_args.c, src/sudo_noexec.c, src/tgetpass.c: standardize on "return foo;" rather than "return(foo);" or "return (foo);" [32d76c5aaf8c] * plugins/sudoers/sudoers.c: Do not reject sudoers file just because it is root-writable. [0febc579185b] 2011-01-21 Todd C. Miller * NEWS: sync [1ab03f8278ff] * plugins/sudoers/sudo_nss.c: For "sudo -U user -l" if user is not authorized on the host, say so. [289afe6dd15c] * plugins/sudoers/ldap.c: In sudo_ldap_lookup(), always do the initial sudoers check as the invoking user. If we are listing another user's privs we will do a separate lookup using list_pw later. [e52bc15de76d] 2011-01-20 Todd C. Miller * MANIFEST: add parser fill tests [4f65140d3515] * compat/regress/glob/globtest.c, compat/regress/glob/globtest.in: Don't test features not supported by the bundled glob() [8ec7ace11949] * Makefile.in, aclocal.m4, common/Makefile.in, common/term.c, compat/Makefile.in, configure.in, doc/LICENSE, doc/Makefile.in, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, doc/sudoers.man.in, doc/sudoers.pod, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, src/Makefile.in, zlib/Makefile.in: Update copyright year to 2011 [ac1b45cb1809] * plugins/sudoers/sudo_nss.c: When listing, use separate lbufs for the defaults and the privileges and only print something if the number of privileges is non-zero. Fixes extraneous Defaults output for "sudo -U unauthorized_user -l". [d0854d39f8ef] * plugins/sudoers/ldap.c: Stash pointer to user group vector in LDAP handle and only reuse the query if it has not changed. We always allocate a new buffer when we reset the group vector so a simple pointer check is sufficient. [88861d4eba69] * plugins/sudoers/sudo_nss.c: Check initgroups() return value. [3bdaf58408a7] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/parser/check_fill.c: Add tests for the fill functions in toke_util.c [bca587ab4956] 2011-01-19 Todd C. Miller * plugins/sudoers/regress/iolog_path/check_iolog_path.c: fix copyright year [e2038cdaf055] * NEWS: sync [56ca5d5eaebe] 2011-01-18 Todd C. Miller * common/term.c: Clear, don't set, OPOST in c_oflag as was intended in 506ad5ae9b4e. [b91f266624ec] 2011-01-14 Todd C. Miller * mkpkg, sudo.pp: Add Requires line for audit-libs >= 1.4 for RHEL5+ [6c02f976171b] * pp: sync with git version [d301c32d5865] 2011-01-13 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: fix typo [39353f92976f] 2011-01-12 Todd C. Miller * NEWS: Update for sudo 1.7.4p5 [b444da76901f] * doc/schema.OpenLDAP, doc/schema.iPlanet: Add sudoNotBefore and sudoNotAfter attributes as optional attributes to the sudoRole object class. From Andreas Mueller [dacfad7e7a95] 2011-01-11 Todd C. Miller * NEWS: Mention "sudo -g group" password check fix. [1eb8fb14e53b] * plugins/sudoers/sudoers.c: Fix "sudo -g" support in the sudoers module. [07d1b0ce530e] * plugins/sudoers/check.c: If the user is running sudo as himself but as a different group we need to prompt for a password. [caf1fcc9a117] 2011-01-10 Todd C. Miller * NEWS, config.h.in, configure, configure.in, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add support for TIMEOUT in ldap.conf, mapping to the OpenLDAP LDAP_OPT_TIMEOUT. There is no corresponding option for mozilla- derived LDAP SDKs but we can pass the timeout parameter to ldap_search_ext_s() or ldap_search_st() when possible. [5537049991f7] * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in: regen [5b361c3c4324] * NEWS, doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add NETWORK_TIMEOUT as an alias for BIND_TIMELIMIT for compatibility with OpenLDAP ldap.conf files. [e97843bd16fb] * plugins/sudoers/pwutil.c: If user has no supplementary groups, fall back on checking the group file expliticly. [5223ad4eb690] 2011-01-08 Todd C. Miller * plugins/sudoers/toke.h, plugins/sudoers/toke_util.c: constify [6e132a4cca61] * plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l: Move fill macro to toke.h [623d430798cf] * MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c: Split tokenizer utility functions out into toke_util.c [89a97bd51618] * plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l: ANSIfy [ca0eba1dfaa9] 2011-01-07 Todd C. Miller * MANIFEST: sync [a43f94064bb3] * plugins/sudoers/Makefile.in: Add visudo tests to check target [8c82fb4ed40f] * compat/Makefile.in, compat/regress/fnmatch/fnm_test.c, compat/regress/fnmatch/fnm_test.in, compat/regress/glob/files, compat/regress/glob/globtest.c, compat/regress/glob/globtest.in: Add my regress tests for fnmatch() and glob() from OpenBSD. [6e8c1f211723] * plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/visudo/test1.ok, plugins/sudoers/regress/visudo/test1.sh: Add regress test for command tags using visudo -c [18b0ef207c0f] * plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test1.ok, plugins/sudoers/regress/testsudoers/test1.sh: Add support for regress tests using testsudoers [1fa94bd2671b] * plugins/sudoers/testsudoers.c: Need to set user_name explicitly due to internal changes made when converting sudoers to a plugin. [1fa54e86a364] 2011-01-06 Todd C. Miller * MANIFEST, Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_path/data, src/Makefile.in, zlib/Makefile.in: Add regression tests for iolog_path() [afa4b416e559] * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: Add support for "make Makefile" to regenerate Makefile from Makefile.in [98bd2dda3294] * plugins/sudoers/iolog_path.c: Quiest a bogus compiler warning. [5ff932a7ad67] 2011-01-05 Todd C. Miller * plugins/sudoers/iolog_path.c: Protect call to setlocale() with HAVE_SETLOCALE [2c29ee3ccc81] 2011-01-04 Todd C. Miller * MANIFEST: mkstemps.c was renamed mktemp.c [ae299c3b1827] * NEWS: Update from 1.7 branch [20817d79717b] * Makefile.in: Use "mv -f" when regenerating ChangeLog [c163635206c6] * plugins/sudoers/match.c: Fix NULL dereference with "sudo -g group" when the sudoers rule has no runas user or group listed. Fixes RedHat bug Bug 667103. [41a6a1243d9e] 2011-01-03 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Correct the default sudo.conf example [4e791698cad1] 2010-12-31 Todd C. Miller * plugins/sudoers/iolog_path.c: Reset slashp if we allocate a new buffer for strftime() [e491daa4203b] * plugins/sudoers/iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add extra out parameter to expand_iolog_path() to allow the caller to split the path into dir and file components if needed. [88346bc5ae39] 2010-12-30 Todd C. Miller * plugins/sudoers/iolog.c: mkdir_iopath() returns size_t now that it uses strlcpy() and not snprintf() [3c4c64d265eb] * plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c: Trim leading slashes from iolog_file and trailing slashes from iolog_dir [a803b51f8948] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Pass a single I/O log file name in command_details instead of separate dir + file parameters. [d672a3e46e80] * plugins/sudoers/sudoreplay.c: change an error() to errorx() [8013dcfdd69d] * plugins/sudoers/iolog.c: Add missing cwd line to I/O log info file that got dropped when iolog_deserialize_info() was added [7cf84f208423] 2010-12-29 Todd C. Miller * plugins/sudoers/iolog.c: Avoid relying on globals filled in by the sudoers policy module for the sudoers I/O log module. The I/O log open function now pulls the bits it needs out of user_info and command_info. [c02f6951b0cc] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: If no iolog file is specified by the policy plugin, use io_nextid() to determine the next file in the sequence. [faa1130b1020] 2010-12-28 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document iolog_compress in command_info [58895c7d12f5] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Add support for the iolog_compress variable in command_info. [36f13a2fd1c1] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Add sigsetjmp() calls to all plugin entry points just to be safe. [3fa482355bc4] * src/sudo.c, src/sudo.h: Don't need iolog variables in struct command_details, they are for the I/O log plugins to handle. [5111579ffd9d] 2010-12-27 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Document use of mkdtemp() for iolog path teplates [5db6101408a9] * doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: regen [1ee11fd6d4eb] * doc/sudo_plugin.pod, doc/sudoers.pod: Document iolog_file and supported escape sequences for sudoers. Clarify that iolog_file can contain directories. [da611dedcbdb] * compat/Makefile.in, configure, configure.in: Fix building of mkstemps/mkdtemp replacements. [793a5e303122] * compat/mkstemps.c, compat/mktemp.c, config.h.in, configure, configure.in, include/missing.h: Provide mkdtemp() for systems without it. [b0527dfa965c] * plugins/sudoers/iolog_path.c: Fix typo [277f6c514cba] * plugins/sudoers/iolog.c: Only use mkdtemp() if the path ends in at least 6 Xs since otherwise glibc mkdtemp() returns EINVAL. [2e7323b05579] * plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Allow sudoers to specify the iolog file in addition to the iolog dir. Add escape sequence support to iolog file and dir: sequence number, user, group, runas_user, runas_group, hostname and command in addition to any escape sequence recognized by strftime(3). [75cd32ee0435] * plugins/sudoers/iolog.c: Add missing sigsetjmp() call in I/O plugin open function. Fixes a crash when the I/O plugin calls error(), errorx() or log_error(). [1a6718bd817d] 2010-12-21 Todd C. Miller * doc/sudo_plugin.pod, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Give the policy module fine-grained control over what the I/O plugin logs. [d29784fd2a66] * common/term.c: Clear OPOST from c_oflag like we used to. Fixes screen-based editors such as vi. [506ad5ae9b4e] * doc/sudoers.pod: Clarify umask option description. From Reuben Thomas. [1294ac84222b] 2010-12-20 Todd C. Miller * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Pick last match in LDAP sudoers too [fbfd8e85703b] * doc/sudo_plugin.pod: Document iolog_file, iolog_dir and use_pty [26120a59c20e] * plugins/sample/sample_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Adapt plugins to version I/O logging ABI 1.1 [880dd64bc1e8] * src/exec.c, src/sudo.h: Add use_pty command_info flag for policies to indicate that a pty should be allocated even if no I/O logging is performed. [e7b167f8a6e5] * src/sudo.c: Add remaining plugin convenience functions [ffeaf96da031] * include/sudo_plugin.h, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: Change I/O log API to pass in command info to the I/O log open function. Add iolog_file and iolog_dir parameters to command info. This allows the policy plugin to specify the I/O log pathname. Add convenience functions for calling plugin functions that handle ABI backwards compatibility. [9b81dce76ce5] * compat/dlopen.c: Remove useless cast [7cecce969739] 2010-12-17 Todd C. Miller * configure, configure.in: Bump version to 1.8.0b3 [1dc9f040aae0] 2010-12-13 Todd C. Miller * configure.in: Remove extraneous newline [71c94551eea5] 2010-12-10 Todd C. Miller * doc/sudoers.pod, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c: Make I/O log dir configurable. [99b576667a38] * aclocal.m4, configure, configure.in, doc/sudoers.pod: Rename io_logdir to iolog_dir [0731662acc8d] 2010-12-07 Todd C. Miller * pp: Add missing '*' that prevented the generic ELF case from matching. [be77ca26bfb2] * pp: If file(1) can't identify the ELF binary type, try readelf(1). [38a18d32a9e3] 2010-11-30 Todd C. Miller * plugins/sudoers/auth/kerb4.c, plugins/sudoers/check.c, plugins/sudoers/env.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, src/sudo.c: Use %u to print uid/gid, not %lu and adjust casts to match. [03c43b8749cf] * doc/sudoers.ldap.pod: Clarify ordering of entries and attributes. [924e2a6bb603] * doc/sudoers.ldap.pod: Fix typo and editing goof. [79dc7ccd85a8] * doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/sudoers.ldap.pod: Merge in ordered LDAP entry support from Andreas Mueller. [ea5885989bad] * plugins/sudoers/ldap.c: Make sure we don't dereference a NULL handle. [1a9f9ee15371] 2010-11-24 Todd C. Miller * pp: Add support for RHEL 6 file modes that include a trailing dot on files with an SELinux security context [dc09be959547] 2010-11-23 Todd C. Miller * src/sudo.c: exec_setup() does not need to setuid(0), the Ubuntu issue was in the sudoers module. [d6dd99fc6062] * plugins/sudoers/sudoers.c: create_admin_success_flag() should use restore_perms() rather than set_perms() to restore the uid. [eba7a91c1f57] * src/sudo.c: In exec_setup() call setuid(0) to make certain the subsequent uid and gid changes will succeed. Fixes a problem on Ubuntu. [c5d32abf0645] * src/sudo_edit.c: Error out if we cannot change to root's uid so we catch the failure early. [7a2e7f8f2c80] 2010-11-22 Todd C. Miller * doc/sudoers.pod: fix typo; from Michael T Hunter [a574a9d0db5b] * plugins/sudoers/match.c: In sudoedit mode, assume command line arguments are paths and pass FNM_PATHNAME to fnmatch(). [ce0abff8ce9f] 2010-11-20 Todd C. Miller * configure, configure.in: Add workaround for an error in sys/types.h on HP-UX 11.23 when large file support is enabled. Defining _XOPEN_SOURCE_EXTENDED avoids the broken bits of the header file. [e337217f097a] * aclocal.m4: Fix SUDO_MAILDIR usage of AC_LANG_PROGRAM [fbbcee28961f] * sudo.pp: For Tru64, strip off beta version. [eeccd762df5e] * MANIFEST, plugins/sudoers/testsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h: Avoid conflicts with system definitions in grp.h and pwd.h [b219ffe1da09] * zlib/gzguts.h: Include stdio.h after zlib.h, not before. We need the large file defines to come first. [21d6df39790f] 2010-11-19 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in: regen [3ff8750d0aac] * Makefile.in: Don't clean ChangeLog [ab0d30d289d4] * plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Add prototype for cleanup() [75626fd3769a] 2010-11-18 Todd C. Miller * plugins/sudoers/group_plugin.c: Avoid deferencing group_plugin if it is NULL in group_plugin_query(). This should not happen. [4f2933c8da7e] * plugins/sudoers/group_plugin.c: group plugin init function return TRUE when successful [198024477030] 2010-11-17 Todd C. Miller * plugins/sudoers/ldap.c: Enlarge the array of entry wrappers int blocks of 100 entries to save on allocation time. From Andreas Mueller [375c916bb03b] * plugins/sudoers/ldap.c: Add back call to sudo_ldap_timefilter() in sudo_ldap_build_pass2() that was mistakenly dropped. [1555f5bc132d] 2010-11-16 Todd C. Miller * doc/TROUBLESHOOTING: Mention that sudo needs "ar" to build. [65582ace2d09] * configure, configure.in: Fail with a more useful error if "ar" is not found. [d1cb83719c17] 2010-11-14 Todd C. Miller * plugins/sudoers/ldap.c: Merge in ordered LDAP entry support from Andreas Mueller and add local changes from the 1.7 branch. [bca29e461618] 2010-11-12 Todd C. Miller * doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add timed entry support from Andreas Mueller. [e18d1df46a8d] * plugins/sudoers/group_plugin.c: Don't try to unload if group_plugin is NULL. Don't call dlclose() if group_handle is NULL [de2273da37d5] * plugins/sudoers/sudoers.h: It is now plugin_cleanup(), not cleanup() [da62a4e1a78c] * plugins/sudoers/logging.c, plugins/sudoers/sudoers.c: Call plugin_cleanup(), not cleanup() [e800ad8b33ad] 2010-11-11 Todd C. Miller * plugins/sudoers/ldap.c: Use efree() not free() and remove malloc.h include since we never directly call malloc() or free(). [107fffd134bb] 2010-11-09 Todd C. Miller * sudo.pp: set PSTAMP for Solaris and move the backend-specific bits to their own %if [xxx] %endif blocks in %set. [a94ebe8920c1] * pp: sync with git repo [75ff509696b4] * configure, configure.in: Only substitute file zlib files when using the builtin zlib [6c8145b2deb4] * common/Makefile.in, compat/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, zlib/Makefile.in: Give up on using VPATH to find sources as it is implemented inconsistenly in different versions of make. [60517c69aaee] * plugins/sudoers/Makefile.in, plugins/sudoers/getdate.c, plugins/sudoers/gram.c, plugins/sudoers/toke.c: Include config.h before any other includes to make sure we get the right value for _FILE_OFFSET_BITS. [8fb007ca832e] * MANIFEST: Add zlib [04a3e23dfaa9] * zlib/Makefile.in: Add missing targets [40e45a177168] * src/Makefile.in: g/c unused $(GENERATED) [c8758068c1bc] 2010-11-08 Todd C. Miller * plugins/sudoers/group_plugin.c: Zero out group_plugin on unload just to be safe. [0b10f4d101ca] * plugins/sudoers/group_plugin.c: Unload group plugin if its init function fails. [6552cdac4b7c] * src/sudo.c: Only chdir to cwd if it is different from the current cwd or there is a new root (chroot). [b8203e875e84] * configure, configure.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/visudo.cat, doc/visudo.man.in: Bump version to 1.8.0b2 [6dadeb75a878] 2010-10-28 Todd C. Miller * INSTALL: Better --enable-zlib description [e0da54fa59a6] * mkpkg: Use system zlib on Linux Let configure decide on Solaris For all others, use builtin zlib [3d52eddb523c] * zlib/zconf.h.in: Add large file support. [bec01215270d] * config.h.in: Add large file support. [244e95b034ec] * Makefile.in, configure, configure.in, doc/LICENSE, doc/license.pod, zlib/Makefile.in, zlib/adler32.c, zlib/compress.c, zlib/crc32.c, zlib/crc32.h, zlib/deflate.c, zlib/deflate.h, zlib/gzclose.c, zlib/gzguts.h, zlib/gzlib.c, zlib/gzread.c, zlib/gzwrite.c, zlib/infback.c, zlib/inffast.c, zlib/inffast.h, zlib/inffixed.h, zlib/inflate.c, zlib/inflate.h, zlib/inftrees.c, zlib/inftrees.h, zlib/trees.c, zlib/trees.h, zlib/uncompr.c, zlib/zconf.h.in, zlib/zlib.h, zlib/zutil.c, zlib/zutil.h: Add local copy of zlib for systems that lack it. [7542ca465c5a] 2010-10-15 Todd C. Miller * src/exec.c: If perform_io() fails, kill the child before exiting so it doesn't complain about connection reset. We can get an I/O error if, for example, and we get EIO reading from stdin. [e59a05fa729f] 2010-10-12 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: Fix complilation on systems with set_auth_parameters() Sprinkle volatile to quiet warnings from gcc 2.8.0 [a34c2b924ba7] * compat/dlfcn.h, compat/dlopen.c: Avoid potential namespace issues with dlopen() emulation. [aedfababd6ca] * MANIFEST: sync [6afb97e6d308] * plugins/sudoers/interfaces.c: Use INADDR_NONE instead of casting -1 to in_addr_t (which may not exist). [ddfca5af1a36] * Makefile.in: Mark ChangeLog as PHONY Don't overwrite ChangeLog if we can't run hg [e9d04bfa4505] * configure, configure.in: HP-UX 10.20 libc has an incompatible getline [2e7bc202e78d] * plugins/sudoers/visudo.c: Quiet an HP-UX compiler warning. [55b9d587ac8c] * configure, configure.in: Check for vi even with --with-editor specified; the sample plugin needs it. [94dfc3643f76] 2010-10-11 Todd C. Miller * compat/dlopen.c: Fix remaining syntax errors. [9d729b5b577e] * src/Makefile.in: sudo binary depends on the libtool-generated libs [9e6148406adb] * plugins/sudoers/group_plugin.c, src/load_plugins.c: Use HAVE_DLOPEN instead of HAVE_DLFCN_H when determining whether to include the local or system dlfcn.h [68cfe4c1089b] * pp: Don't use run_as_superuser=false on HP-UX [532242370b09] * src/net_ifs.c: Use memset() instead of zero_bytes() since we don't include sudoers.h [a187c18c2472] * plugins/sudoers/interfaces.c: Fix pasto; AF_INET not AF_INET6 [2d2e9d7dc6f9] * compat/dlopen.c: Actually call shl_load() [ed8153b8a3cd] * pp: Update from git repo. Debian: version numbers now compliant with policy section 5.6.12 HP-UX: minimal changes needed to work on HP-UX 10.20 [ecf2692bceeb] * configure, configure.in: Fix dlopen() detection for systems where dlopen() is in a separate library. [fa6b175582b6] * plugins/sudoers/auth/pam.c: If pam_acct_mgmt() returns PAM_AUTH_ERR print a (hopefully) more useful message and return AUTH_FATAL so sudo does not keep trying to validate the user. [1be8857e5291] * src/preload.c: sudo_preload_table is an array [b7704e72a9da] * compat/dlopen.c: Quiet a compiler warning and fix sudo_preload_table external definition. [8234987664cc] * compat/dlfcn.h: Fix multiple inclusion guard in dlfcn.h and fix dlerror() prototype. [8bab6a4053cc] * plugins/sudoers/group_plugin.c: Make this compile correctly when no dlopen is available. [57643879bd2b] 2010-10-07 Todd C. Miller * plugins/sudoers/check.c: Having a timestamp file defined is no longer indicative of tty tickets being enabled. Check def_tty_tickets directly. [efcc11ad157f] * src/exec_pty.c, src/sudo.h, src/ttysize.c: Fix TCGETWINSZ compat. [da3a8b17cf7a] 2010-10-02 Todd C. Miller * src/exec_pty.c, src/ttysize.c: Prefer newer TIOCGWINSZ ioctl to old TIOCGSIZE [926492dd10a6] 2010-10-01 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: Move set_project() from sudoers module into sudo proper. [beabafac03b4] * configure, configure.in: Fix typo and regenerate [4a3caf4234f3] * plugins/sudoers/ldap.c: When iterating over returned LDAP entries, keep looking at remaining matches even if we have a positive match. This catches negative matches that may exist in other entries and more closely match the sudoers file behavior. [f47db6e609b0] * pp: Add support for multiple package instances on Solaris. [7f2a8b942545] * src/exec.c: Add missing signal_pipe[0] to fdsr for the non-pty case. [79d01e11b19c] * mkpkg: Add --with-project for Solaris [ffa4c2bb93f7] * README: Need ar and ranlib too [5c2f679172ef] 2010-09-27 Todd C. Miller * plugins/sudoers/env.c: Preserve ODMDIR environment variable by default on AIX. [bd47cb1e804f] 2010-09-26 Todd C. Miller * Makefile.in, compat/Makefile.in, compat/dlfcn.h, compat/dlopen.c, config.h.in, configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/group_plugin.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, src/Makefile.in, src/load_plugins.c, src/preload.c: Add dlopen() emulation for systems without it. For HP-UX 10, emulate using shl_load(). For others, link sudoers plugin statically and use a lookup table to emulate dlsym(). [e92edfb3c642] 2010-09-24 Todd C. Miller * compat/fnmatch.c, compat/glob.c, compat/mksiglist.c, compat/nanosleep.c, compat/utimes.c: When including compat headers, use the compat dir as part of the path so we are sure to get the correct header. [6c2a45da6af5] 2010-09-21 Todd C. Miller * plugins/sudoers/linux_audit.c: Ignore ECONNREFUSED from audit_log_user_command() which will occur if auditd is not running. [d314fe4c8d03] 2010-09-17 Todd C. Miller * pp: Sync with git version [1c0357744222] 2010-09-16 Todd C. Miller * common/fileops.c, plugins/sudoers/defaults.c: Cast isblank argument to unsigned char. [c822dbb3ca54] 2010-09-14 Todd C. Miller * INSTALL, config.h.in, configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/defaults.c: Implement --with-umask-override configure flag. [863e3047df22] * plugins/sudoers/env.c: Take MODE_LOGIN_SHELL into account when initially setting reset_home instead of special-casing it later. [5d6b16480fd6] * plugins/sudoers/sudoers.c: In login mode, make a copy of the runas user's pw_shell for NewArgv[0] because 1) we modify it and 2) it will runas_pw gets freed before exec. [1d1ccb568dfa] * plugins/sudoers/env.c: Reset HOME for "sudo -i" even if HOME was listed in env_keep. [c1c1c65a2d63] * src/sudo.c: Use SIG_SETMASK when resetting signal mask instead of SIG_UNBLOCK. [7443454e5f88] * src/sudo.c: Reset signal mask at sudo startup time; we need to be able to rely on normal signal delivery to control the child process. [95800163ff94] 2010-09-13 Todd C. Miller * install-sh: Use sed instead of expr to split a flag from its argument. Fixes a problem with expr interpreting its arguments as a flag when they start with a dash. [736065e14301] * common/lbuf.c: Do not need sys/time.h after all [91f6f668ccda] * common/lbuf.c: Include sys/time.h for utimes() and struct timeval. No longer need ioctl.h or termios.h [2d75273d3213] * compat/snprintf.c: Quiet bogus compiler warnings. [fe252e1968f5] * include/missing.h: Declare innetgr() for HP-UX which is missing a declaration. Declare domainname() for HP-UX and Solaris which are missing a declaration. [b37c50751138] * plugins/sudoers/bsm_audit.c: Use __sun for consistency with the rest of the sources. [6b086b61ccb6] * plugins/sudoers/group_plugin.c: Quiet a bogus compiler warning. [ebc069842c4a] * plugins/sudoers/pwutil.c: Don't try to delref a NULL group. [f6ff0838be21] * common/alloc.c, common/lbuf.c: Include memory.h on systems that need it. [4e676da81c6f] 2010-09-11 Todd C. Miller * src/exec.c: Quiet gcc warnings on glibc systems that use warn_unused_result for write(2). [0532da0b7cf7] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: sudo_plugin is in section 8; from Ted Percival [b4506a0de87e] * plugins/sudoers/Makefile.in: testsudoers depends on libsudoers.la, not sudoreplay [cdb1cc3bf06a] 2010-09-10 Todd C. Miller * src/exec.c: Read as many signals on the signal pipe as we can before returning. [b181671da047] * src/exec.c, src/exec_pty.c, src/sudo_exec.h: Instead of using a array to store received signals, open a pipe and have the signal handler write the signal number to one end and select() on the other end. This makes it possible to handle signals similar to I/O without race conditions. [ee84d65c16b6] 2010-09-09 Todd C. Miller * doc/visudo.pod, plugins/sudoers/visudo.c: Make "visudo -c -f -" check the standard input. [195a3d2a9a26] * doc/sudoers.pod: set_home and always_set_home have an effect if HOME is present in the env_keep list. [159d0b9dc5c8] * plugins/sudoers/env.c: Make -H flag work when HOME is listed in env_keep. Also makes "set_home" and "always_set_home" override override HOME in env_keep. [a3e5b966193f] 2010-09-08 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/match.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/net_ifs.c: Convert sudoers plugin to use interface list passed in settings. [87d9b5f4f586] * doc/sudo_plugin.pod, src/Makefile.in, src/net_ifs.c, src/parse_args.c, src/sudo.h: Query local network interfaces in the main sudo driver and pass to the plugin as "network_addrs" in the settings list. [7f35bcfe77a7] * plugins/sudoers/bsm_audit.c: Solaris BSM audit return EINVAL when auditing is not enabled, whereas OpenBSM returns ENOSYS. [411b980ec58b] 2010-09-07 Todd C. Miller * compat/fnmatch.c: missing.h should come before most local includes [53921a7b8b5b] * plugins/sudoers/sudoreplay.c: missing.h should come before most local includes [e9abb0db1aac] * plugins/sudoers/sudoers.h: Make local includes consistent; use double quotes for local includes except for generated ones where we use angle brackets. [09de4faa9547] * plugins/sudoers/sudoers.c: Always fill in NewArgv for audit code. [7c3aca60519f] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add missing LOG_INPUT/LOG_OUTPUT support in the lexer. [007cf6560f92] * common/alloc.c, common/atobool.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/list.c, common/term.c, common/zero_bytes.c, compat/closefrom.c, compat/fnmatch.c, compat/getcwd.c, compat/getgrouplist.c, compat/getline.c, compat/getprogname.c, compat/glob.c, compat/isblank.c, compat/memrchr.c, compat/mksiglist.c, compat/mkstemps.c, compat/nanosleep.c, compat/setenv.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/unsetenv.c, compat/utimes.c, include/compat.h, plugins/sample/sample_plugin.c, plugins/sample_group/getgrent.c, plugins/sample_group/plugin_test.c, plugins/sample_group/sample_group.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/boottime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/linux_audit.c, plugins/sudoers/match.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, src/error.c, src/sesh.c, src/sudo.h, src/sudo_noexec.c, src/ttysize.c: Make local includes consistent; use double quotes for local includes except for generated ones where we use angle brackets. Also g/c unused compat.h. [e57070dc8f04] 2010-09-06 Todd C. Miller * plugins/sudoers/match.c: When matching the runas user and runas group (-u and -g command line options), keep track of runas group and runas user matches separately. Only return a positive match if we have a match for both runas user and runas group (if specified). [815219e04cc8] 2010-09-04 Todd C. Miller * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add support for multiple URI lines by joining the contents and passing the result to ldap_initialize. [a47cae3b72e8] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c: Do not return -1 on error from the display functions; the caller expects a return value >= 0. [101456a7dd00] * plugins/sudoers/sudoers.c: Do not set both MODE_EDIT and MODE_RUN [8faa36694d54] 2010-09-03 Todd C. Miller * include/missing.h: Move includes to the top of the file. [a51436798e8c] 2010-08-30 Todd C. Miller * plugins/sudoers/Makefile.in: Add missing definition of timedir [458a749c2c5e] * compat/fnmatch.c, compat/getprogname.c, compat/isblank.c, compat/mksiglist.c, compat/strsignal.c, plugins/sudoers/plugin_error.c, src/error.c, src/sudo_noexec.c: Add #include of sys/types.h for .c files that include missing.h to be sure that size_t and ssize_t are defined. [08e3132dbf4f] * plugins/sudoers/Makefile.in: Install sudoers file from the build dir not hte src dir. [ca89e962dbf4] 2010-08-26 Todd C. Miller * plugins/sudoers/set_perms.c: If runas_pw changes, reset the stashed runas aux group vector. Otherwise, if runas_default is set in a per-command Defaults statement, the command runs with root's aux group vector (i.e. the one that was used when locating the command). [24f9107cedd2] * plugins/sudoers/Makefile.in: Add target to generate sudoers file Remove generated sudoers file as part of distclean [fb7422e90f03] 2010-08-24 Todd C. Miller * src/exec.c: When not logging I/O install a handler for SIGCONT and deliver it to the command upon resume. Fixes bugzilla #431 [495dce52a5aa] 2010-08-21 Todd C. Miller * plugins/sudoers/sudoers.h: g/c unused auth_pw extern definition [40eb7477ba17] * plugins/sudoers/check.c, plugins/sudoers/sudoers.c: Move get_auth() into check.c where it is actually used. [e31db0ce3a61] 2010-08-20 Todd C. Miller * common/lbuf.c: Convert a remaining puts() and putchar() to use the output function. [d69e363a506b] * plugins/sudoers/plugin_error.c: Plug memory leak [68895469ea8d] 2010-08-18 Todd C. Miller * plugins/sudoers/env.c: Set dupcheck to TRUE when setting new HOME value if !env_reset but always_set_home is true. Prevents a duplicate HOME in the environment (old value plus the new one) introduced in f421f8827340. [9ca19183794f] * configure, configure.in, plugins/sudoers/sudoers, plugins/sudoers/sudoers.in: Substitute sysconfdir in the installed sudoers file to get the correct path for sudoers.d. [86072b6cd55d] 2010-08-17 Todd C. Miller * src/get_pty.c: Fix typo that prevented compilation on Irix; Friedrich Haubensak [b48be51b65fc] 2010-08-16 Todd C. Miller * MANIFEST, common/Makefile.in, common/aix.c, common/alloc.c, common/atobool.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/list.c, common/term.c, common/zero_bytes.c, compat/Makefile.in, compat/closefrom.c, compat/fnmatch.c, compat/getcwd.c, compat/getgrouplist.c, compat/getline.c, compat/getprogname.c, compat/glob.c, compat/isblank.c, compat/memrchr.c, compat/mksiglist.c, compat/mkstemps.c, compat/nanosleep.c, compat/setenv.c, compat/snprintf.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/unsetenv.c, compat/utimes.c, include/compat.h, include/missing.h, plugins/sample/sample_plugin.c, plugins/sample_group/getgrent.c, plugins/sample_group/sample_group.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/boottime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/linux_audit.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, src/Makefile.in, src/error.c, src/sesh.c, src/sudo.h, src/sudo_noexec.c, src/ttysize.c: Merge compat.h and missing.h into missing.h [572909ae9716] 2010-08-14 Todd C. Miller * plugins/sudoers/auth/pam.c: If the user hits ^C while a password is being read, error out before reading any further passwords in the pam conversation function. Otherwise, if multiple PAM auth methods are required, the user will have to hit ^C for each one. [23782631748c] 2010-08-12 Todd C. Miller * plugins/sudoers/check.c: Update comment [a5296cb3a20a] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document sudo_conv_t function and sudo_printf_t return values. [745c0017814c] * src/conversation.c: Make _sudo_printf return the number of characters printed on success like printf(3). [8eeefe8d7e77] 2010-08-10 Todd C. Miller * plugins/sudoers/sudoers.c: sudoers.h includes sudo_plugin.h for us [cabe68e07807] * common/Makefile.in, common/gettime.c, compat/mkstemps.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c, src/sudo.h, src/sudo_edit.c: Use gettimeofday() directly instead of via the gettime() wrapper. [7490426c99ae] * common/gettime.c, compat/snprintf.c, compat/strcasecmp.c, compat/strerror.c, config.h.in, configure, configure.in, include/compat.h, include/missing.h, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c, src/sudo.c: Remove some obsolete configure tests, ancient Unix systems are no longer supported. [2be6218c3a36] 2010-08-07 Todd C. Miller * sudo.pp: Set pp_kit_version and strip off patch level [aacfda1b676d] * sudo.pp: Better handling of versions with a patchlevel. For rpm and deb, use the patchlevel+1 as the release. For AIX, use the patchlevel as the 4th version number. For the rest, just leave the patchlevel in the version string. [638bd35f2346] 2010-08-06 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c: For non-standalone auth methods, stop reading the password if the user enters ^C at the prompt. [82c2911bb264] * configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/pwutil.c: No need to look up shadow password unless we are doing password- style authentication. This moves the shadow password lookup to the auth functions that need it. [ba9e3eba2b72] * plugins/sudoers/sudoers.c: Retain final passwd/group refs until the policy close() function. Note that this doesn't get called in all cases so putting this in a cleanup function is probably better. [bbe214cb4119] * plugins/sudoers/check.c: Fix mismerge [395115f89dd6] * plugins/sudoers/check.c: When removing/resetting the timestamp file ignore the tty ticket contents. [b709f5667a0b] * plugins/sudoers/sudoers.c: delref sudo_user.pw, runas_pw and runas_gr immediately before we return. [4d67d15dfd3b] 2010-08-04 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Reference count cached passwd and group structs. The cache holds one reference itself and another is added by sudo_getgr{gid,nam} and sudo_getpw{uid,nam}. The final ref on the runas and user passwd and group structs are persistent for now. [e544685523c3] * doc/UPGRADE: fix typo [e32f2d35e6c9] 2010-08-03 Todd C. Miller * plugins/sudoers/check.c: Do not produce a warning for "sudo -k" if the ticket file does not exist. [1598f6061b75] * plugins/sudoers/pwutil.c: Instead of caching struct passwd and struct group in the red-black tree, store a struct cache_item which includes both the key and datum. This allows us to user the actual name that was looked up as the key instead of the contents of struct passwd or struct group. This matters because the name in the database may not match what we looked up, due either to case folding or truncation (historically at 8 characters). Also mark the disabled calls to sudo_freepwcache() and sudo_freegrcache() as broken since we use cached data for things like set_perms() and the logging functions. Fixing this would require making a copy of the structs for user and runas or adding a reference count (better). [225d4a22f60e] * plugins/sudoers/Makefile.in: Fix path to mkinstalldirs [b4968379b12d] * plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/exec_pty.c, src/get_pty.c, src/tgetpass.c: Quiet gcc warnings on glibc systems that use warn_unused_result for write(2) and others. [c99f138960e0] 2010-08-02 Todd C. Miller * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add %option noinput [72b9cd49b4f1] * aclocal.m4, configure, configure.in: Add cross-compile defaults for remaining AC_TRY_RUN usage. Also add back getgroups() check since AC_FUNC_GETGROUPS defaults to "no" when cross-compiling. [e385c176d0ee] 2010-07-31 Todd C. Miller * aclocal.m4, compat/snprintf.c, config.h.in, configure, configure.in: Use AC_CHECK_MEMBER in SUDO_SOCK_SA_LEN Use AC_TYPE_LONG_LONG_INT and AC_CHECK_SIZEOF([long int]) instead of rolling our own. [cf3e60d9c440] 2010-07-29 Todd C. Miller * pp: Update to latest version [32f93be33961] 2010-07-28 Todd C. Miller * sudo.pp: Let pp determine pp_aix_version itself. [7cf0245d84ed] * INSTALL, config.h.in, configure, configure.in, mkpkg, plugins/sudoers/sudoers.c: Add support for Ubuntu admin flag file and enable it when building Ubuntu packages. [00e27cff2dfb] * plugins/sudoers/sudoers, sudo.pp: Add commented out SuSE-like targetpw settings [4605d47b7413] * configure, configure.in: Only try to use +DAportable for non-GCC on hppa [75d0f284ccf7] * configure, configure.in: Prevent configure from adding the -g flag unless in devel mode [b1fd3f8d45c0] 2010-07-27 Todd C. Miller * sudo.pp: Go back to sudo-flavor to match existing packages and only use an underscore for those that need it. [d737069d1e1c] * sudo.pp: Use sudo_$flavor instead of sudo-$flavor since that causes the least amount of trouble for the various package managers. [71f547af35fc] * mkpkg: Fix handling of the ldap flavor Remove destdir unless --debug was specified Make distclean before running configure if there is a Makefile present [6316f08de7d3] * sudo.pp: Add back include file. [195627bf68b8] * mkpkg: Pass extra args on to configure on HP-UX, if we don't have the HP C compiler, disable zlib to prevent gcc from finding it in /usr/local/lib. [473efa0e2bac] * mkpkg: Use the HP ANSI C compiler on HP-UX if possible [fb249b6b175d] * plugins/sudoers/sudoreplay.c: Some getline() implementations (FreeBSD 8.0) do not ignore the length pointer when the line pointer is NULL as they should. [2410a1a3543c] * plugins/sudoers/sudoreplay.c: Don't need to check for *cp being non-zero, isdigit() will do that. [7df11ea8a487] * plugins/sudoers/sudoreplay.c: Add setlocale() so the command line arguments that use floating point work in different locales. Since sudo now logs the timing data in the C locale we must Parse the seconds in the timing file manually instead of using strtod(). Furthermore, sudo 1.7.3 logged the number of seconds with the user's locale so if the decimal point is not '.' try using the locale-specific version. [4d385765f23b] * src/exec.c: Do I/O logging in the C locale so the floating point numbers in the timing file are not locale-dependent. [5961cec044ec] * plugins/sudoers/sudoreplay.c: Use errorx() not error() for thingsthat don't set errno. [0fe5e692af84] 2010-07-26 Todd C. Miller * pp: Better support for 1.2.3 style versions in Tru64 kits [997c549bb777] * sudo.pp: Add Tru64 kit support [e273a954f981] * pp: Remove apparently unnecessary use of sudo [be8840d85125] * Makefile.in, plugins/sudoers/Makefile.in: Create timedir as part of install-dirs target. [c736bc2fb14f] * src/exec_pty.c: Handle ENXIO from read/write which can occur when reading/writing a pty that has gone away. [fa2e8059879f] * plugins/sudoers/pwutil.c: sudo_pwdup() was not expanding an empty pw_shell to _PATH_BSHELL [3a045475d5ee] * mkpkg: platform is a pp flag not a variable [12eba39a47c1] * Makefile.in, mkpkg, sudo.pp: Add simple arg parsing for mkpkg so we can set debug, flavor or platform. [ada839fe252d] * pp: Make rpm backend work on AIX 5.x [549a76d11393] 2010-07-25 Todd C. Miller * plugins/sudoers/sudoers: Add commented out Defaults entry for log_output [7e67d7588900] 2010-07-23 Todd C. Miller * doc/Makefile.in: Remove sudo docdir completely [dce8e82878ef] * doc/sample.sudo.conf: Add sample sudo.conf [aafdba3fc411] * src/Makefile.in: Pass install-sh -b~ here too. [c3f5eb446c38] * plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Install binary files with -b~ to make a backup. Fixes "text file busy" error on HP-UX during install. [81f306f54f8c] * install-sh: "mv -f" on HP-UX doesn't unlink the destination first so add an explicit rm before moving the temporary into place. [fb719a79582d] * configure, configure.in: Some more ${foo} -> $(foo) conversion for consistent Makefiles. [0aa098770074] * doc/Makefile.in, plugins/sudoers/Makefile.in: Install sudoers2ldif in the doc dir [33ac3b53d7f5] 2010-07-22 Todd C. Miller * pathnames.h.in: Add missing include of maillock.h for Solaris [5a58883be23a] * NEWS, configure, configure.in, doc/TROUBLESHOOTING, doc/UPGRADE, doc/sample.syslog.conf, doc/sudoers.cat: Change the default syslog facility from local2 to authpriv (or auth if the operating system doesn't support authpriv). [3b70ba514f49] * Makefile.in, sudo.pp: Install sudoers as /etc/sudoers on RPM and debian systems where the package manager will not replace a user-modified configuration file. This fixes upgrades from the vendor sudo packages. [d886b6d60b5b] * pp: RPM: use %config(noreplace) instead of %config for volatile This results in the new file being installed with a .rpmnew suffix instead of the file being replaced and the old one renamed with a .rpmsave suffix. [58be2119f8e8] * plugins/sudoers/Makefile.in: Add PACKAGE_TARNAME for docdir [930c92b8f8f0] 2010-07-21 Todd C. Miller * compat/mkstemps.c, plugins/sudoers/boottime.c: Include time.h for struct timeval [ddf8b04f0276] * src/exec_pty.c: The return value of strsignal() may be const and should be treated as const regardless. [620074ae1e77] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Mention that 127.0.0.1 will not match, nor will localhost unless that is the actual host name. [8b574122eb8f] * MANIFEST, NEWS, README, WHATSNEW, doc/Makefile.in, doc/UPGRADE: Rename WHATSNEW -> NEWS [d1a2c8c47d89] * pp: Updated pp with latest patches [98e16b9b8f62] * WHATSNEW: Sync with 1.7.4 [65ac4dafeef7] * doc/UPGRADE, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/sudoers: Add commented out line to add HOME to env_keep and add a warning to the note about the HOME change in UPGRADE. [0d6a775bb6c8] 2010-07-20 Todd C. Miller * plugins/sudoers/sudoreplay.c: Add LINE_MAX define for those without it. [446d9dbe7859] * INSTALL, WHATSNEW, config.h.in, configure, configure.in, doc/UPGRADE, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/defaults.c: The tty_tickets option is now on by default. [a01c48206d80] * WHATSNEW: Mention that AIX authdb support has been fixed. [87bd7f4eba6a] * common/aix.c: setauthdb() only sets the "old" registry if it was set by a previous call to setauthdb(). To restore the original value, passing NULL (or an empty string) to setauthdb() is sufficient. [470da190a254] 2010-07-19 Todd C. Miller * WHATSNEW, doc/UPGRADE, doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/env.c: Reset HOME when env_reset is enabled unless it is in env_keep [f421f8827340] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: The default for set_logname has been "true" for some time now. [f489da5674c3] * plugins/sudoers/boottime.c: Add missing include of time.h [624d7014932f] * plugins/sudoers/logging.c: Fix check for dup2() return value. [140ea2d50d20] * plugins/sudoers/env.c: Add PYTHONUSERBASE to initial_badenv_table [3149aae5b12c] * plugins/sudoers/visudo.c: Treat an unknown defaults entry as a parse error. [b3ebad73efb2] * plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c: Check return value of setdefs() but don't stop setting defaults if we hit an unknown one. [945e752239ab] * WHATSNEW, aclocal.m4, config.h.in, configure, configure.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, pathnames.h.in, plugins/sudoers/env.c: If env_reset is enabled, set the MAIL environment variable based on the target user unless MAIL is explicitly preserved in sudoers. [a1b03e2e0e96] 2010-07-17 Todd C. Miller * pp: decode debian code names [8741280d9960] * WHATSNEW: fix typo [a8a19451110b] 2010-07-16 Todd C. Miller * WHATSNEW: Merge with 1.7.4 [9348fa7e15b8] * src/sudo.c: Restore RLIMIT_NPROC after the uid switch if it appears that runas_setup() did not do it for us. Fixes a bash script problem on SuSE with RLIMIT_NPROC set to RLIM_INFINITY. [786fb272e5fd] * INSTALL: document --with-pam-login [ea93e4c6873c] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: The tag is NOSETENV, not UNSETENV. From Petr Uzel. [2ac90d8de36e] 2010-07-15 Todd C. Miller * mkpkg, pp, sudo.pp: Restore the dot removal in the os version reported by polypkg. Adapt mkpkg and sudo.pp to the change. [dcafdd53b88f] * sudo.pp: Include flavor in solaris package name [e605f6364c9f] * mkpkg: Older shells don't support IFS= so set explictly to space, tab, newline. [7773960bc8a0] * mkpkg: Use '=' not '==' in test [c99d42bc48e6] * mkpkg: Fix typo that prevented debian from matching [84421078fcb7] * mkpkg: Add missing prefix setting for debian [6466f23de4aa] * sudo.pp: Use tab indents to reduce the chance of problem with <<- Fix the debian %set section, pp does not set pp_deb_distro Uncomment %sudo line in sudoers for debian Uncomment some env_keep lines for RHEL, SLES and debian to more closely match the vendor sudoers files. Add /etc/pam.d to %files Remove the /etc/sudo-ldap.conf symlink on debian for ldap flavor [c5b49feb1a0c] * plugins/sudoers/sudoers: Add commented out env_keep entries, sample Aliases and a %sudo line for debian. [387719e52d0f] * configure, configure.in: Move zlib check later on in the script to avoid a strange shell problem on SLES11. [1a3153bb1291] * configure.in: Remove check for egrep; configure has its own [a3b9d98cb5d2] 2010-07-14 Todd C. Miller * mkpkg: Enable zlib for linux distros [8fa51a1405a4] * mkpkg: Add ldap flavor to default build [97644f5a555f] * mkpkg, sudo.pp: Simplify rpm linux distro settings [b9dcf10cdf20] * aclocal.m4, configure, configure.in, doc/UPGRADE, doc/sudoers.cat: Move time stamp files from /var/run/sudo to /var/{db,lib,adm}/sudo. [2c549c1acde9] * Makefile.in: Fix ChangeLog creation from build dir [3d0c7904f173] * plugins/sudoers/sudoers.c: Handle getcwd() failure. [aef7bef87394] * doc/Makefile.in, mkpkg, sudo.pp: Add ldap "flavor" for debian, controlled by the SUDO_FLAVOR environment variable. [be6ed611b7a8] * sudo.pp: Create sudo group on debian [6ed6c032042e] * mkpkg, sudo.pp: Add debian 4/5/6 and use the dot when doing version matches [6bcb664d1f4f] * aclocal.m4, configure: Use a loop when searching for mv, sendmail and sh [d5e9369f8d13] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Remove spurious "and"; from debian [a21e6f7c5b99] * aclocal.m4, configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, doc/visudo.cat, doc/visudo.man.in, doc/visudo.pod: Substitute the value of EDITOR into the sudoers and visudo manuals. [cd79e587dd7f] 2010-07-13 Todd C. Miller * mkpkg, pp, sudo.pp: Initial support for debian 4.0 [ac6707915fa8] * mkpkg: Some platforms need -fPIE instead of -fpie [fd6be19e5bc2] * plugins/sudoers/auth/pam.c: Only set PAM_RHOST for Solaris, where it is needed to avoid a bug. On Linux it causes a DNS lookup via libaudit. [1e10105ade5b] * MANIFEST: Update MANIFEST to match packaging changes [ef86ee557b5b] * sudo.psf: We now use pp to generate HP-UX packages [f7aa8da7844e] * INSTALL.binary, plugins/sudoers/Makefile.binary.in: Remove vestiges of old binary package bits. [afffd005452f] * INSTALL, Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: install-man -> install-doc [99b5fa05567c] * Makefile.in, doc/Makefile.in, include/Makefile.in, mkpkg, plugins/sudoers/Makefile.in, pp, src/Makefile.in, sudo.pp: Use http://rc.quest.com/topics/polypkg/ for packaging [5ca8eb75b223] * install-sh: Just ignore the -c option, it is the default Add support for -d option [a8b6b0a131e8] 2010-07-12 Todd C. Miller * pathnames.h.in, plugins/sudoers/env.c, plugins/sudoers/logging.c: Use _PATH_STDPATH instead of _PATH_DEFPATH [137fa911908e] * plugins/sudoers/Makefile.in, src/Makefile.in: Do not strip binaries. [20166e287176] * INSTALL, configure, configure.in: Add --insults=disabled configure option to allow people to build in insult support but have the insults disabled unless explicitly enabled in sudoers. [523b8c552e90] * compat/mkstemps.c: Add prototype for gettime() [275eee40473b] * config.h.in, configure, configure.in, plugins/sudoers/auth/pam.c, plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add support for a sudo-i pam.d file to be used for "sudo -i". Adapted from a RedHat patch. [06d34f16520b] 2010-07-09 Todd C. Miller * include/missing.h: Fix mkstemps() prototype [2421841e815b] * MANIFEST, compat/Makefile.in, compat/mkstemp.c, compat/mkstemps.c, config.h.in, configure, configure.in, include/missing.h, src/sudo_edit.c: Use mkstemps() instead of mkstemp() in sudoedit. This allows sudoedit to preserve the file extension (if any) which may be used by the editor (like emacs) to choose the editing mode. [d33172d2c086] 2010-07-08 Todd C. Miller * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses TLS_CACERT, not TLS_CACERTFILE in its ldap.conf. Other LDAP client code, such as nss_ldap, uses TLS_CACERTFILE. Also document why you should avoid disabling TLS_CHECKPEER is possible. [196622436212] 2010-07-07 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Make sudo_plugin format a bit more like a man page [048d596e32da] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Add suport for negated user/host/command lists in a Defaults entry. E.g. Defaults:!baduser noexec [d41112cf0342] * Makefile.in, common/Makefile.in, compat/Makefile.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Add uninstall target [fea66ebf136a] * common/Makefile.in, compat/Makefile.in: Remove unused AR, SED and RANLIB variables [2ff9928bfdb3] * Makefile.in: Do not install sample plugins [5443b87bd1c3] 2010-07-06 Todd C. Miller * MANIFEST, aclocal.m4, compat/setenv.c, compat/unsetenv.c, configure, configure.in, plugins/sudoers/env.c: Now that sudoers is a dynamically loaded module we cannot override the libc environment functions because the symbols may already have been resolved via libc. Remove getenv/putenv/setenv/unsetenv replacements from sudoers and add replacements for setenv/unsetenv for systems that lack them. [3f2b43cb8851] * configure, configure.in, plugins/sudoers/Makefile.in: Link testsudoers with -ldl when needed [f79606f9fcd7] * plugins/sample_group/plugin_test.c: Remove unused time.h and add limits.h for PATH_MAX [3f5d0074d621] * doc/sudoers.ldap.pod: Fix typo. [bc855fd57397] 2010-07-05 Todd C. Miller * plugins/sample_group/plugin_test.c: Do not depend on strlcpy/strlcat [6e7e2b5af051] * plugins/sample_group/plugin_test.c: Standalone test driver for sudoers group plugin. [eb1235fc3b8e] 2010-07-02 Todd C. Miller * plugins/sudoers/group_plugin.c, src/load_plugins.c: Use RTLD_LAZY instead of RTLD_NOW; was using RTLD_NOW as a debugging aid. [2a34e616229b] * plugins/sample_group/sample_group.c: Fix style nit in function declarations [ab87c7c76bf9] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Document group_plugin syntax. [ed1faf72ddcb] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document the sudoers group plugin. [f19a62dc8cfc] * INSTALL, MANIFEST, Makefile.in, config.h.in, configure, configure.in, doc/LICENSE, doc/license.pod, include/sudo_plugin.h, plugins/sample_group/Makefile.in, plugins/sample_group/getgrent.c, plugins/sample_group/sample_group.c, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/group_plugin.c, plugins/sudoers/match.c, plugins/sudoers/nonunix.h, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/vasgroups.c, plugins/sudoers/visudo.c, src/sudo.c: Replace built-in non-unix group support with a sudoers group plugin. Include a sample plugin that can read Unix-format group files. [8fc58ce0b1a8] * configure, configure.in, src/load_plugins.c: Add a trailing slash to _PATH_SUDO_PLUGIN_DIR to simplify usage. [5c491dddb8ef] 2010-07-01 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Move sudoers-specific bits out of sudo(8) and into sudoers(5) [e8a5a5830cfe] * aclocal.m4, configure, configure.in: Substitute @io_logdir@ for the sudoers I/O log directory. [21a75ca7b0ab] 2010-06-29 Todd C. Miller * MANIFEST, common/Makefile.in, common/aix.c, common/alloc.c, common/atobool.c, common/fileops.c, common/fmt_string.c, common/lbuf.c, common/term.c, compat/fnmatch.c, compat/getcwd.c, compat/getgrouplist.c, compat/getline.c, compat/glob.c, compat/snprintf.c, config.h.in, configure, configure.in, include/fileops.h, plugins/sample/sample_plugin.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/parse.c, plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/Makefile.in, src/aix.c, src/conversation.c, src/exec.c, src/exec_pty.c, src/get_pty.c, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c: Set usrinfo for AIX Set adminstrative domain for the process when looking up user's password or group info and when preparing for execve(). Include strings.h even if string.h exists since they may define different things. Fixes warnings on AIX and others. [cf8b93e872c9] * Makefile.in: Add a separate all target for AIX make which was using the entire LHS (not just the first entry) of the first target as the implicit target. [a45b980a01ef] * plugins/sudoers/env.c: Do not rely on env.env_len when unsetting a variable, just use the NULL terminator. [ca6eb239c829] * plugins/sudoers/env.c: In unsetenv() check for NULL or empty name as per POSIX 1003.1-2008 [7046ba7caa4e] 2010-06-25 Todd C. Miller * plugins/sudoers/vasgroups.c: Use warningx() instead of log_error() since the latter is not available to visudo or testsudoers. This does mean that they don't end up in syslog. [152b7c50f426] * plugins/sudoers/sudoers.c: Defer call to sudo_nonunix_groupcheck_cleanup() until after we have closed the sudoers sources. From Quest sudo. [c1cd573bab94] * plugins/sudoers/pwutil.c: Ignore case when matching user/group names in the cache. From Quest sudo. [2aa4ecc7d7f5] 2010-06-24 Todd C. Miller * config.h.in, configure, configure.in, src/selinux.c: Add check for setkeycreatecon() when --with-selinux is specified. [affae247b4e0] * configure, configure.in: Error out if libaudit.h is missing or ununable when --with-linux- audit was specified [d82e743fac04] * doc/HISTORY, doc/history.pod: Add =head3 entries, mostly for the html version [ee93112d0308] 2010-06-22 Todd C. Miller * doc/HISTORY, doc/history.pod: Mention when LDAP was incorporate. [2923dc17f79c] 2010-06-21 Todd C. Miller * configure, configure.in: Define _LINUX_SOURCE_COMPAT on AIX for strsignal() prototype, it is not covered by _ALL_SOURCE. [c92fd69809d0] 2010-06-18 Todd C. Miller * plugins/sudoers/iolog.c: Add a cast to quiet a compiler warning. [a200e07ee1bc] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Quiet a compiler warning. [c9acfc927cea] * plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c: Call set_fqdn() after sudoers has parsed instead of inline as a callback. [5f4e5d075f2d] * WHATSNEW, plugins/sudoers/sudoers.c: Do not call set_fqdn() until sudoers parses (where is gets run as a callback). [09040fca6d40] * WHATSNEW: mention the change in tty ticket behavior when there is no tty [575a1fd98f05] * plugins/sudoers/check.c: Do not update tty ticket if there is no tty. [63f9c33ce6a7] * doc/LICENSE, doc/license.pod: Update copyright year [0722ab5d404b] * doc/Makefile.in: Do not rely on BSD make's $> [936a86398bd9] * configure, configure.in: Set timedir to /var/db/sudo for darwin to match Apple sudo's location [d5b9b03096f1] 2010-06-16 Todd C. Miller * plugins/sudoers/sudoers.h: Add stub declarations for struct stat and struct timeval [f6d90551a4fd] * MANIFEST: Remove compat/sigaction.c [d0ed6d9a770e] * config.h.in, configure, configure.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/sudoreplay.c: Check for zlib.h in addition to libz. [6e191b4a6065] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h: Move functions and symbols shared between exec.c and exec_pty.c into sudo_exec.h. [14ae63403544] * doc/Makefile.in: Comment out rules to build .man.in and .cat files unless --with- devel [3cf7e5606a85] * doc/Makefile.in: Comment out rules to build .man.in and .cat files unless --with- devel [d30495b0e29e] * src/parse_args.c: Quote any non-alphanumeric characters other than '_' or '-' when passing a command to be run via the shell for the -s and -i options. [d633f74fe2d9] * doc/Makefile.in: Add back .man suffix [6e63b60a2739] * INSTALL, MANIFEST, WHATSNEW, config.h.in, configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h, plugins/sudoers/logging.h, src/selinux.c: Add Linux audit support. [5a2f445e0bd4] 2010-06-15 Todd C. Miller * plugins/sudoers/iolog.c: Remove an XXX [a170cbe651d1] * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod, plugins/sudoers/sudoreplay.c: Add -f (filter) option to sudoreplay to allow certain streams to be replayed and others ignored. [62e51b432ea1] * src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/tgetpass.c: Fix -A flag when askpass is specified in sudo.conf or if sudo doesn't need to read a password. [2e401e4a00e3] * src/exec.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c: Clean up some XXXs [689f0b002d3d] * WHATSNEW, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: Add support for multiple sudoers_base entries in ldap.conf. From Joachim Henke [e3e4a3c2bd5b] * config.h.in, configure, configure.in, plugins/sudoers/logging.c, src/exec_pty.c: remove setsid check, we require a POSIX system [cc73cb9e22c0] * plugins/sudoers/logging.c, src/exec_pty.c, src/selinux.c, src/sudo.c, src/tgetpass.c: Check for dup2() failure. [5d46d66794f5] * config.h.in, configure, configure.in: Remove dup2() check, it is not optional. [5f1d56de4384] 2010-06-14 Todd C. Miller * WHATSNEW: sync with sudo 1.7.3 [88e5c0bd6d59] * INSTALL: SunOS does not ship with an ANSI compiler [f13c85c67069] * INSTALL: Update OS specific notes. Delete some really ancient ones and move older ones to the end of the list. [59ce592c4c52] * README: Sudo can be downloaded from the web site too Mention "OS dependent notes" section in INSTALL [191871538984] * src/exec_pty.c, src/selinux.c: Call selinux_restore_tty() as part of cleanup() so it gets called from error()/errorx() [bb017da6b6da] * MANIFEST, doc/PORTING: Remove obsolete porting guide [321e35591344] * plugins/sudoers/interfaces.h, plugins/sudoers/match.c: Move union sudo_in_addr_un into interfaces.h [b2c8b19ee094] * doc/Makefile.in: Remove useless circular dependencies [5682181b59cf] * plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c: Convert to ANSI C function declarations [a4f76927d034] * common/alloc.c, common/fileops.c, common/gettime.c, common/list.c, common/zero_bytes.c, compat/charclass.h, compat/closefrom.c, compat/fnmatch.c, compat/glob.c, compat/isblank.c, compat/memrchr.c, compat/mkstemp.c, compat/nanosleep.c, compat/snprintf.c, compat/strcasecmp.c, compat/strerror.c, compat/strlcat.c, compat/strlcpy.c, compat/timespec.h, compat/utime.h, compat/utimes.c, doc/HISTORY, doc/history.pod, doc/license.pod, include/alloc.h, include/error.h, include/lbuf.h, include/list.h, include/missing.h, pathnames.h.in, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/match.c, plugins/sudoers/parse.h, plugins/sudoers/plugin_error.c, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c, src/aix.c, src/conversation.c, src/error.c, src/load_plugins.c, src/parse_args.c, src/sesh.c, src/sudo.h, src/sudo_noexec.c, src/sudo_plugin_int.h, src/sudo_usage.h.in, src/tgetpass.c: Update copyright year [26ac7991f7d8] * doc/Makefile.in: Fix commented DEVDOCS when not in devel mode. [e0a97eaf3793] * plugins/sudoers/match.c: Quiet a compiler warning. [b2a17ebd5d38] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y: Quiet a compiler warning. [687843bc593d] * plugins/sudoers/ldap.c, plugins/sudoers/sudoers.h: Make all functions in ldap.c static [b2111e89eeba] * doc/schema.ActiveDirectory: Updates from Alain Roy to provide better examples for importing the schema and to fix problems caused by Windows validating attributes which have not yet been added before committing the changes. [69f4c5ccaf89] 2010-06-11 Todd C. Miller * configure, configure.in, doc/Makefile.in, doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: Leave rules to build .man.in and .cat files uncommented but only make them part of the "all" rule in devel mode. Generate .cat files directly from .man.in instead of .man using default values in configure.in [c3054a44f6a5] * configure, configure.in: Bump sudo version to 1.8.0b1 [8f79c85135e1] * configure, configure.in, src/sudo.c, src/sudo_usage.h.in: Print configure args with verbose version information. [1ce690660ed2] * TODO, plugins/sudoers/visudo.c: Remove tfd from struct sudoersfile; it is not used. Add prev pointer to struct sudoersfile. Declare list of sudoersfile using TQ_DECLARE. Use tq_append to append sudoers entries to the tail queue. [1743f9a286e4] 2010-06-10 Todd C. Miller * WHATSNEW: Describe tty timestamp improvements [e214e863a313] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: A comment character may not be part of a command line argument unless it is quoted with a backslash. Fixes parsing of: testuser ALL=NOPASSWD: /usr/bin/wl #comment foo bar closes bz #441 [ea2e990f85ed] * doc/sudoers.pod: Make this read a little bit better when passwd_timeout is 0. [39d362757f31] * doc/sudo.man.in, doc/sudo.man.pl, doc/sudo.pod: Attempt to handle a default password prompt timeout of zero more gracefully. [ea47d43acf5b] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: Do not override value of keepopen global, instead restore it to the value we pushed onto the stack when popping. [fe282e5a3402] * plugins/sudoers/Makefile.in: Add dependency for utility programs on libreplace and libcommon [2339aba64928] * compat/sigaction.c, config.h.in, configure.in, include/compat.h, plugins/sudoers/logging.c, plugins/sudoers/mon_systrace.c, src/exec.c, src/exec_pty.c, src/tgetpass.c: Remove sigaction emulation Use SA_INTERRUPT in sa_flags [7dd61f1bd8d2] * MANIFEST, config.h.in, configure, configure.in, include/missing.h: We don't use getgrouplist() at the moment so there's no need to provide a compat version. [1597536fbada] * TODO: sync with reality [9e1a874e7885] * include/sudo_plugin.h, plugins/sudoers/auth/sudo_auth.c, src/conversation.c, src/sudo.h, src/tgetpass.c: Fix visiblepw sudoers option; the plugin API portion still needs documenting [60b6933ef5e0] * src/sudo.c: Print sudo version as well. [987ed459b459] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Use sudo_printf for I/O log version Clarify policy plugin version string [5a58b7e8c80b] * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/ldap.c, plugins/sudoers/sudoreplay.c: Silence some compiler warnings [afb1eba90915] * src/load_plugins.c, src/tgetpass.c: Store askpass path in a global instead of uses setenv() which many systems lack. [b440bcc0e660] 2010-06-09 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/load_plugins.c, src/parse_args.c, src/tgetpass.c: Move askpass path specification from sudoers to sudo.conf. [5507ab867c26] * src/exec.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Use a flag bit in struct command_details for selinux instead of a separate field. [c59ca4acded9] * src/exec.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Implement background mode. If I/O logging we use pipes instead of a pty. [c07a4b356cbd] * compat/mksiglist.c, compat/strsignal.c, include/compat.h, src/exec.c, src/exec_pty.c, src/tgetpass.c: Move compat definition of NSIG to compat.h [ab0385467f25] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Mention plugins in the sudo manual and add some missing path substitution in the sudo_plugin manual. [570f831f47a3] * src/Makefile.in: Set _PATH_SUDO_CONF based on $(sysconfdir) [fde51869cf07] * common/lbuf.c, common/term.c, config.h.in, configure, configure.in, src/exec.c, src/exec_pty.c, src/ttysize.c: Require POSIX termios to build sudo [9ec6b41f3f95] * src/tgetpass.c: Ignore SIGPIPE for "sudo -S" [7ad27fde0c06] * src/tgetpass.c: Fix uninitialized variable in TGP_ECHO case and print a newline if the user interrupted password input. [ce19204d8dd4] * src/tgetpass.c: Make TGP_ECHO override TGP_MASK and don't try to restore the terminal if we didn't modify it. [a7e11abfe7e4] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, include/sudo_plugin.h, plugins/sudoers/auth/sudo_auth.c, src/conversation.c, src/sudo.h, src/tgetpass.c: Add SUDO_CONV_PROMPT_MASK define which corresponds to the "pwfeedback" sudoers option. Do not disable echo if TGP_ECHO is set. [e0550590cabe] * src/exec_pty.c: Use POSIX tcgetpgrp() instead of BSD TIOCGPGRP ioctl [762448182fe3] * src/exec_pty.c: Remove commented out copy of old sudo_execve() function. [9c5e21380472] 2010-06-08 Todd C. Miller * include/compat.h: No longer need NGROUPS_MAX define [cae4c49d7077] * compat/nanosleep.c, config.h.in, configure, configure.in, include/compat.h, plugins/sudoers/check.c, plugins/sudoers/iolog.c, plugins/sudoers/visudo.c, src/sudo_edit.c: Replace timerfoo macros with timevalfoo since the timer macros are known to be busted on some systems. [4f97d79f2d41] * src/exec.c, src/exec_pty.c, src/selinux.c, src/sudo.c, src/sudo.h: Add selinux_enabled flag into struct command_details and set it in command_info_to_details(). Return an error from selinux_setup() instead of exiting. Call selinux_setup() from exec_setup(). [011bea23a5a0] * plugins/sudoers/sudoers.c: Fix setting selinux type on command line. [814b20a0b3be] * plugins/sudoers/iolog.c: In sudoers_io_close(), skip NULL io_fds[] elements. [4011ff7d4daf] * plugins/sudoers/auth/pam.c: If pam_open_session() fails, pass its status to pam_end. [1d8de4cf8ff3] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: If a file in a #includedir has improper permissions or owner just skip it. This prevents packages that incorrectly install a file into /etc/sudoers.d from breaking sudo so easily. Syntax errors in #includedir files still result in a parse error (for now). [ade99a4549a4] * src/exec_pty.c: Remove duplicate call to selinux_setup(). [82bd52764e21] * WHATSNEW, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/iolog.c: Add use_pty sudoers option to force use of a pty even when not logging I/O. [b280a8972a79] * plugins/sudoers/env.c, plugins/sudoers/sudoers.h: Make env_init() void as it never fails. [d3890e55daa7] * plugins/sudoers/env.c: No longer use _NSGetEnviron so don't need crt_externs.h [9b4e0e139881] * plugins/sudoers/env.c: Remove unused VNULL define [a42cacb263e3] 2010-06-07 Todd C. Miller * plugins/sudoers/iolog.c: Add #define for maximum session id [9e18c17a28c2] * MANIFEST, src/Makefile.in, src/exec.c, src/exec_pty.c, src/sudo.h: Split exec.c into exec.c and exec_pty.c [d52376327332] * MANIFEST: Sync with source file moves. [4a62c6c9e846] * src/Makefile.in, src/get_pty.c, src/pty.c: Rename pty.c -> get_pty.c [5696a12bd29b] 2010-06-06 Todd C. Miller * plugins/sudoers/iolog.c: Only use I/O input log file if def_log_input is set and output file if def_log_output is set. [d866992f1681] 2010-06-04 Todd C. Miller * compat/strsignal.c: Update copyright year [a96f2593fd4e] * src/pty.c: uid -> ttyuid [c3454d74ebcb] * plugins/sudoers/sudoers.c: For sudoedit, make a local copy of editor string si become part of argv. If no editor environment variable, split def_editor on ':' since it may be a colon-delimited path. [2ee298506a6e] * src/sudo_edit.c: Remove unneeded endpwent()/endgrent() [623f6743d101] * doc/Makefile.in: Use value of nroff from configure [b2ce649125ab] * src/exec.c: Add missing const to I/O log action function [d764a3955e04] * plugins/sudoers/check.c: Update copyright year and fix whitespace [e648c35b16be] * configure, configure.in: Fix typo [8e0bdfc47da4] * plugins/sudoers/iolog.c: Remove redundant tty signal blocking in log function. [f17f575dabd4] 2010-06-03 Todd C. Miller * plugins/sudoers/iolog.c: Place static keyword where it belongs [b01aec7c86b4] * plugins/sudoers/logging.c: Always use a printf format string for send_mail() [13b1ada644c9] * common/atobool.c, plugins/sudoers/ldap.c: Extend atobool() so we can use it in the LDAP code. [73f8e6807044] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod: Sudo now stashes tty ctime for tty_tickets on Solaris too. [e82df13ad3fd] * plugins/sudoers/boottime.c: Fix dummy version of get_boottime() [01d69c06013b] 2010-06-02 Todd C. Miller * plugins/sudoers/check.c: Enable tty_is_devpts() support for Solaris with the "devices" filesystem. [237c6b25fa84] * src/exec.c: Unbreak the non-io logging case. [4822b9f709fb] * src/conversation.c, src/sudo.c, src/sudo_plugin_int.h: Fix symbol name conflict with sudo_printf. [0d44eab0a8f6] * plugins/sudoers/auth/pam.c: Fix OpenPAM detection for newer versions. [1b2abed232d8] * plugins/sudoers/vasgroups.c: Sync with Quest sudo git repo [f1d98b3cba02] * aclocal.m4, configure, configure.in: HP-UX ld uses +b instead or -R or -rpath Fix typo in libvas check Add missing template for ENV_DEBUG Adapted from Quest sudo [695dbd7b28f4] * README.LDAP: Fix typos; from Quest Sudo [4eba9da33b8e] 2010-06-01 Todd C. Miller * plugins/sudoers/Makefile.in: Add back -I$(top_srcdir); we need it for including compat/foo.h since we cannot rely on "foo.h" being found relative to the source file when the cwd is different. [bbf24695f325] * src/exec.c: Fix a bug where we could treat EAGAIN as a permanent error. Also set cstat if perform_io() returns an error. [200475c4326f] * common/alloc.c, plugins/sudoers/boottime.c, plugins/sudoers/sudoers.c: Add casts to quiet compiler warnings. [85eb1c336697] * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Fix typo in ternary operator usage. [6492ac1450e2] 2010-05-30 Todd C. Miller * INSTALL, configure, configure.in: Add --enable-warnings and fix typo in SUDO_IO_LOGDIR [92121d693b30] * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod: Update docs to match sudoers I/O logging changes [18d651989e49] * INSTALL, WHATSNEW, aclocal.m4, configure, configure.in, pathnames.h.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c: Break sudoers transcript feature up into log_input and log_output. [db3c1248d2ad] * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Use setprogname() as needed. [6beee63a4553] * plugins/sudoers/iolog.c, plugins/sudoers/sudoreplay.c: Adapt sudoreplay to iolog changes. [581f52c05f0f] 2010-05-29 Todd C. Miller * plugins/sudoers/iolog.c: Log all input and output into separate files and store a number on each timing file line to indicate which file the data is in. [fb460c5273dd] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Make sudoers_io functions static to iolog.c [b2df3cc3eecb] 2010-05-28 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, src/parse_args.c, src/sudo_usage.h.in: Completely remove the -L flag from the sudo front end. [3d220030b720] * plugins/sudoers/sudoreplay.c: Fix EAGAIN handling when writing to stdout. [4766d77cea49] * plugins/sudoers/sudoers.c: Eliminate unused variables [83bd711e79c4] * plugins/sudoers/sudoers.c, src/exec.c, src/sudo.c: Re-enable cleanup functions in sudoers plugin and sudo driver for error()/errorx(). [43093f937dd8] * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/defaults.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Use sudo_printf to display verbose version information. [435cc9f8d4a2] * common/Makefile.in, compat/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Minor Makefile cleanup: fix a typo, change the removal order in the clean targets, and remove a superfluous include path for the sudoers plugin. [6e3b2d6b4437] * plugins/sudoers/env.c: Handle duplicate variables in the environment. For unsetenv(), keep looking even after remove the first instance. For sudo_putenv(), check for and remove dupes after we replace an existing value. [c1bbb88d0435] 2010-05-27 Todd C. Miller * plugins/sudoers/Makefile.in: Use explicit path to source file instead of $< for files that live in devdir and top_srcdir. [358ab7f6cc64] * plugins/sudoers/Makefile.in: Add explicit rules to compile gram.c and toke.c for HP-UX Pevent ending LIBSUDOERS_OBJS with a backslash [481a5c96d47e] * plugins/sudoers/Makefile.in, src/Makefile.in: Link libcommon before libreplace since libcommon may use functions only present in libreplace. [1847c496ff5b] * common/Makefile.in: Move code common to sudo and the sudoers plugin to a convenience library, libcommon. Removes the need to make links in the sudoers plugin dir and reduces re-compilation of duplicate object files. [4c8986352937] * Makefile.in, common/alloc.c, common/atobool.c, common/fileops.c, common/fmt_string.c, common/gettime.c, common/lbuf.c, common/list.c, common/term.c, common/zero_bytes.c, configure, configure.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in, src/alloc.c, src/atobool.c, src/fileops.c, src/fmt_string.c, src/gettime.c, src/lbuf.c, src/list.c, src/term.c, src/zero_bytes.c: Move code common to sudo and the sudoers plugin to a convenience library, libcommon. Removes the need to make links in the sudoers plugin dir and reduces re-compilation of duplicate object files. [1d1d98bd55b9] * src/exec.c, src/sudo.c, src/sudo.h: Rename script_execve to sudo_execve and rename script_foo in exec.c [a35ec80de96a] * MANIFEST, src/Makefile.in, src/exec.c, src/script.c: rename script.c exec.c and fix up the MANIFEST file [36bc3bff9578] * src/script.c, src/sudo.c, src/sudo.h: Rename script_setup() to pty_setup() and call from script_execve() directly. [899b0fb2a14d] * configure, configure.in: bump version to 1.8.0a2 [0b1c1ca9d4e5] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document init_session [b5324785a406] * plugins/sudoers/auth/API, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h: Clean up the sudoers auth API a bit and update the docs. [c40fd4cb6e68] * include/sudo_plugin.h, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/script.c, src/sudo.c: Add init_session function to struct policy_plugin that gets called before the uid/gid/etc changes. A struct passwd pointer is passed in,which may be NULL if the user does not exist in the passwd database.The sudoers module uses init_session to open the pam session as needed. [d71723320ee8] 2010-05-26 Todd C. Miller * plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers. [2665e2920d0d] * plugins/sudoers/Makefile.in: Add explicit rule to build getdate.o for HP-UX make. [7f049e989956] * plugins/sudoers/Makefile.in: Back out most of change 45e406ebdea2. Create dummy .l.c and .y.c rules as an alternate way to prevent HP-UX make (and others) from trying to rebuild the parser in non-dev mode. [f84badad98c5] * plugins/sudoers/sudoers.c: Re-enable PATH_MAX check for command [40d8a50da136] * Makefile.in: For distclean, clean the main directory last since the subdirs need to be able to run libtool to clean things. [8949a9861634] * compat/Makefile.in: Fix generation of mksiglist.h [b7cdc9b36650] * src/script.c: Now that we defer sending cstat until the end of script_child() we cannot reuse cstat when reading command status from parent. [25c882643466] 2010-05-25 Todd C. Miller * configure, configure.in, doc/sudo.man.in, doc/sudo.man.pl, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoers.man.pl, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in: Use numeric registers to handle conditionals instead of trying to do it all with text processing. [478079c3fd4b] * doc/sudoers.pod: Document per-command SELinux settings [13840d566805] * plugins/sudoers/sudoers.c: Repair "sudo -l -U username" [10a0dcdf2ddf] * plugins/sudoers/sudoers.c: Set selinux role and type in command details. [8ae6d35a126d] * src/script.c, src/selinux.c, src/sudo.h: Rework SELinux support. [83279cc94bf2] 2010-05-24 Todd C. Miller * src/script.c, src/selinux.c, src/sudo.h: Make SELinux support compile again. Needs more work to be complete. [3d3addebcf82] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/script.c, src/selinux.c, src/sudo.c, src/sudo.h: Bring back closefrom settings. [b1c6257d4bbb] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: If running a command or sudoedit in transcript mode, call io_nextid() before log_allowed() so the session id is logged. [c42f3ae40150] * configure, configure.in: Use mandoc(1) if nroff(1) is not present. [daad4bbd04af] * doc/Makefile.in: Use the --file argument to config.status instead of setting CONFIG_FILES in the environment. [c89411a8bf70] * plugins/sudoers/Makefile.in: We cannot conditionally update gram.h or the dependency ordering gets messed up in devel mode. [c938953231d9] 2010-05-21 Todd C. Miller * Makefile.in, compat/Makefile.in, configure, configure.in, doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Substitute @SHELL@ into Makefiles [36aa6a095335] * config.sub: Fix typo [16d294d26b58] * config.guess, config.sub, configure, configure.in: Update to autoconf 2.65 [4fa6ea8caea3] * Makefile.in: Fix libtool target (space vs. tabs) [755cf3892618] * config.h.in, plugins/sudoers/logging.h, plugins/sudoers/visudo.c: Remove use of RETSIGTYPE; all modern systems have signal handlers that return void. [42b4e3aee668] * Makefile.in, aclocal.m4, acsite.m4, configure, configure.in, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Update to libtool-2.2.6b. I haven't made any local modifications this time, which should be OK since we install sudo_noexec.so by hand now. [6f79ced593bb] * compat/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Use libtool to clean objects [1581057d6472] * include/Makefile.in: Install sudo_plugin.h as part of "make install" and make other install targets callable from the top-level Makefile [aaaeb027d774] * configure, configure.in: regen with autoupdate to eliminate AC_TRY_LINK [5d5541c230f5] * Makefile.in, compat/Makefile.in, configure, configure.in, doc/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Install sudo_plugin.h as part of "make install" and make other install targets callable from the top-level Makefile [b258b8401b1c] * plugins/sample/sample_plugin.c: The sample plugin doesn't support being run with no args so return a usage error in this case. [473b3cf965be] * plugins/sudoers/iolog.c: Set close on exec flag for descriptors used for I/O logging so they are not present in the command being run. [2c7e8708df76] * plugins/sudoers/tsgetgrpw.c: Set close on exec flag in private versions of setpwent() and setgrent(). [64fef78cb833] * src/script.c: Close the I/O pipes aftering dup2()ing them to std{in,out,err}. Fixes extra fds being present in the command when it is part of a pipeline. [060451617713] * plugins/sudoers/sudoers.c: Set user_tty to "unknown" if there is no tty, like sudo 1.7 does (it is used when logging). Note that user_ttypath will still be NULL if there is no tty. [31b69a6ecda7] * src/script.c, src/sudo.h: Cosmetic changes: add comments, remove orphaned prototype and make a global static. [f7851af0143e] 2010-05-20 Todd C. Miller * src/script.c: Move check for maxfd == -1 to flush_output where it belongs. [b826a95b4491] * src/script.c: Break out of select loop if all the fds we want to select on are -1. [f5b387024238] * src/sudo.c: Avoid possible malloc(0) if plugin returns an empty groups list. [9765a8fe5ce7] * src/sudo.c: Add debugging info when calling plugin close function [95a273c7ff66] * src/script.c: Avoid closing stdin/stdout/stderr when we are piping output. [330e76423caf] * src/script.c: When execve() of the command fails, it is possible to receive SIGCHLD before we've read the error status from the pipe. Re-order things such that we send the final status at the very end and prefer error status over wait status. [b0dcf825244f] 2010-05-19 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c: Fix compilation for non PAM/BSD auth/AIX auth [e382b39d2e4f] 2010-05-18 Todd C. Miller * src/script.c: Additional checks to make sure we don't close /dev/tty by mistake. When flushing, sleep in select as long as we have buffers that need to be written out. [8139cbd3dd54] * src/script.c: Now that we can use pipes for stdin/stdout/stderr there is no longer a need to error out when there is no tty. We just need to make sure we don't try to use the tty fd if it is -1. [666621635d26] 2010-05-17 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/sudoers.h, src/sudo.c: Add argc and argv to I/O logger open function. [0d7faa007d27] * doc/sudo_plugin.man.in, doc/sudo_plugin.pod, include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/sudoers.c, src/parse_args.c, src/sudo.c, src/sudo_edit.c: Remove check_sudoedit function pointer in struct sudo_policy. Instead, sudo will set sudoedit=true in the settings array. The plugin should check for this and modify argv_out as appropriate in check_policy. [c0328e3276b8] 2010-05-16 Todd C. Miller * plugins/sample/sample_plugin.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: If plugin sets "sudoedit=true" in the command info, enable sudoedit mode even if not invoked as sudoedit. This allows a plugin to enable sudoedit when the user runs an editor. [96d67b99e42e] 2010-05-15 Todd C. Miller * plugins/sudoers/Makefile.in: gram.h must not depend on gram.y if we want to avoid unnecessary rebuilding of targets dependent on gram.h when gram.y changes. [9db4b767fdca] * plugins/sample/sample_plugin.c: Refactor common bits of check_policy and check_edit [ac4d366a04cf] * plugins/sample/sample_plugin.c: Add sudoedit support [a1a6cc4c0cef] 2010-05-14 Todd C. Miller * plugins/sudoers/Makefile.in: Rely more on VPATH; fixes a dependency issue with the parser. [45e406ebdea2] * include/compat.h: Fix typo introduced in last commit [3ccb0f853d11] * include/compat.h: Emulate seteuid using setreuid() or setresuid() as needed. There are still a few places that call seteuid() directly. [36e8efa3a99d] * src/parse_args.c, src/sudo_edit.c: Attempt to fix building on systems that only have setuid. [8e9ba4083318] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Clarify sudoedit a tad. [d39dfaa14ade] 2010-05-13 Todd C. Miller * src/sudo_edit.c: Fix compilation on HP-UX [f6e47843d139] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document sudoedit [4cbf5196d993] * plugins/sudoers/sudoers.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: Change how we handle the sudoedit argv. We now require that there be a "--" in argv to separate the editor and any command line arguments from the files to be edited. [20623d549a3c] * include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/gettime.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, src/Makefile.in, src/gettime.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: Work in progress support for sudoedit. The actual interface used by the plugin for sudoedit is likely to change. [c31262a31997] * plugins/sudoers/find_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c: Make find_path() a little more generic by not checking def_foo variables inside it. Instead, pass in ignore_dot as a function argument. [9c23101a094d] * plugins/sudoers/env.c: Add version of getenv(3) that uses our own environ pointer. [0e3783e63534] 2010-05-12 Todd C. Miller * src/script.c: Avoid a potential race condition if SIGCHLD is received immediately before we call select(). [99adc5ea7f0a] * plugins/sudoers/sudoers.c: Call env_init() before we open the sudoers sources as those may call our setenv() replacement. [5f82601f5ab0] * plugins/sudoers/env.c: Initialize env_len in env_init() [7ae02b3029b5] 2010-05-11 Todd C. Miller * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod: Document time stamp shortcomings under SECURITY NOTES Use "time stamp" instead of timestamp. [2b86120815b2] * doc/Makefile.in: Make sed substitution of mansectsu and mansectform global. [94588632dba0] * plugins/sudoers/check.c: If the tty lives on a devpts filesystem, stash the ctime in the tty ticket file, as it is not updated when the tty is written to. This helps us determine when a tty has been reused without the user authenticating again with sudo. [0e62a31bceb0] * src/tgetpass.c: Fix pasto in mulitple signal fix and use _NSIG not NSIG since that is what our compat checks set. [df50f0a040c9] * configure, configure.in: Add check for whether sudo need to link with -ldl to get dlopen(). This is a bit of a hack that will get reworked when libtool is updated. [63bdcf579533] * plugins/sudoers/check.c: Fix timestamp removal with -k/-K [6b4639fef973] * plugins/sudoers/Makefile.in: audit.c is now private to the sudoers plugin [1974f342ae0b] * configure, configure.in: Link with -lpthread on HP-UX since a plugin may be linked with -lpthread and dlopen() will fail if the shared object has a dependency on -lpthread but the main program is not linked with it. [d42139391263] * config.h.in, configure, configure.in, plugins/sudoers/set_perms.c: Add separate test for getresuid() since HP-UX has setresuid() but no getresuid(). [910fe727a374] * doc/Makefile.in: Remove errant backslash [dd5464257c69] * src/script.c: Fix SIGPIPE handling. Now that we use may use pipes for stdin/stdout we need to pass any SIGPIPE we receive to the running command. [3f6b1991f4fd] * src/script.c: Also start the command in the background if stdin is not a tty. [d93bc33a3740] 2010-05-10 Todd C. Miller * plugins/sudoers/sudoreplay.c, src/script.c, src/sudo.h, src/term.c: No need to use pseudo-cbreak mode now that we use pipes when stdout is not a tty. Instead, check whether stdin is a tty and if not, delay setting the tty to raw mode until the command tries to access it itself (and receives SIGTTIN or SIGTTOU). [e68315cf8c6b] * src/tgetpass.c: Use an array for signals received instead of a single variable so we don't lose any when there are multiple different signals. [2ac726dac864] * src/tgetpass.c: Do signal setup after turning off echo, not before. If we are using a tty but are not the foreground pgrp this will generate SIGTTOU so we want the default action to be taken (suspend process). [bebb6209c795] 2010-05-07 Todd C. Miller * src/script.c: Flush the iobufs on suspend or child exit using the same logic as the main event loop. [c627feee1035] * src/script.c: Free memory after we are done with it. [8db9b611b45a] 2010-05-06 Todd C. Miller * doc/HISTORY: Quest now sponsors Sudo development [6cc490083bc7] 2010-05-05 Todd C. Miller * doc/Makefile.in: Install sudo_plugin man page. [c253729790b2] * src/script.c: Go back to reseting io_buffer offset and length (and now also the EOF handling) in the loop we do the FD_SET, not after we drain the buffer after write() since we don't know what order reads and writes will occur in. [5f38bfa8497f] * MANIFEST: audit files moved to sudoers plugin directory [b1ead182428e] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document plugin_printf and new logging functions. [fe9430b60ab5] * src/script.c: Add support for logging stdin when it is not a tty. There is still a bug where "cat | sudo cat" has problems because both cat and sudo are trying to read from the tty. [04c9c59fcfba] * include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/sudoers.c, src/script.c: Add separate I/O logging functions for tty in/out and stdin/stdout/stderr. NOTE: stdin logging does not currently work and is disabled for now. [a36dfd4ca935] 2010-05-04 Todd C. Miller * include/sudo_plugin.h, plugins/sample/sample_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/conversation.c, src/sudo.c, src/sudo_plugin_int.h: Add pointer to a printf like function to plugin open functon. This can be used instead of the conversation function to display info and error messages. [98734eea8ef1] * Makefile.in: Stop if make in a subdir fails [228bb3ad2dbc] * src/script.c: Only set user's tty to blocking mode when doing the final flush. Flush pipes as well as pty master when the process is done. [20ff67218666] 2010-05-03 Todd C. Miller * plugins/sudoers/ldap.c: Use print_error() when displaying ldap config info in debugging mode. [d142e0cacb22] * compat/Makefile.in, compat/strdup.c, compat/strndup.c: No longer need strdup() or strndup() replacements. [df53697174ec] * plugins/sudoers/logging.c, plugins/sudoers/plugin_error.c, plugins/sudoers/sudoers.h: Add print_error() function that uses the conversation function to print a variable number of error strings and use it in log_error(). [b1fa2861b575] * src/script.c, src/sudo.h, src/term.c: Do not need the opost flag to term_copy() now that we use pipes for stdout/stderr when they are not a tty. [f42811f70a19] * src/script.c: Use pipes to the sudo process if stdout or stderr is not a tty. Still needs some polishing and a decision as to whether it is desirable to add additonal entry points for logging stdout/stderr/stdin when they are not ttys. That would allow a replay program to keep things separate and to know whether the terminal needs to be in raw mode at replay time. [1a945e0ab2da] 2010-04-30 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, src/audit.c, src/bsm_audit.c, src/bsm_audit.h: Move audit sources into the sudoers plugin dir; the driver does not use them. [50ec36422cd0] * compat/getline.c, compat/mksiglist.c, compat/nanosleep.c, compat/strdup.c, compat/strndup.c, plugins/sample/sample_plugin.c, plugins/sudoers/boottime.c, plugins/sudoers/getdate.c, plugins/sudoers/match.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, plugins/sudoers/vasgroups.c, src/alloc.c, src/atobool.c, src/audit.c, src/lbuf.c, src/list.c, src/sesh.c, src/term.c, src/ttysize.c: Use angle brackets when including headers that can only be found when an -I flag is specified. The files in the compat dir could get away with double quotes here but I've converted all the source files to use angle brackets for consistency. [9e30a8fc6d4b] * plugins/sudoers/Makefile.in: Add missing -I$(top_srcdir) to CPPFLAGS so includes in the compat dir can be found when building outside the source tree. [1150934b79dd] * plugins/sudoers/Makefile.in: Clean up links in distclean [78595028be8b] * plugins/sudoers/Makefile.in: Hack around VPATH semantic differences by symlinking files we need from ../../src into the current directory and build those. A better fix would be to either make a .a or .la file with those files in it or simply use a single, flat, Makefile instead of per-subdirs Makefiles. [892c332d3f05] * plugins/sudoers/Makefile.in, src/Makefile.in, src/fmt_string.c: fmt_string is used by the sudoers plugin too so do not include sudo.h (which is not really needed here anyway) [231c35e3941f] * compat/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Fix building with non-BSD versions of make such as GNU make. Requires VPATH support, which should be in any non-neolithic make. [dc174f135919] * configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/sudoers.c, src/Makefile.in: Re-enable bsm audit. Currently auditing is done within the sudoers plugin itself. If possible, this should really be done in the main driver but we don't presently have the needed data to do that. This will be re-evaluated when Linux audit support is added. [1d05a3236bfe] * compat/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Remove extraneous $srcdir and use more .c.lo and .c.o rules instead of explicit rules in the dependency. [88f80efd25f0] * plugins/sudoers/visudo.c: Fix mismerge; alias_remove_recursive() now returns int [6257a4849641] 2010-04-29 Todd C. Miller * plugins/sudoers/visudo.c: Fix a crash when checking a sudoers file that has aliases that reference themselves. Based on a diff from David Wood. [545d194484a7] * src/script.c: Print signal info after restoring the tty mode, not before. [a68618e67435] * src/script.c: Defer call to alarm() until after we fork the child. Pass correct pid to terminate_child() If the command exits due to signal, set alive to false like we do when it exits normally. Add missing check for errpipe[0] != -1 before using it in FD_ISSET [22f0a1549391] 2010-04-28 Todd C. Miller * plugins/sudoers/boottime.c: Use 1/0 instead of TRUE/FALSE so we don't need sudoers.h [0e627170c6e8] 2010-04-27 Todd C. Miller * src/Makefile.in: Simplify dependencies by using .c.o and .c.lo rules. [6abcaef5d1ac] * configure, configure.in, plugins/sudoers/Makefile.in, src/Makefile.in: Substitute in @PROGS@ into src/Makefile to add sesh [cc46d3b6208f] 2010-04-26 Todd C. Miller * plugins/sudoers/sudoers.c: Add back calls to log_denial() if sudoers does not allow the command. [9783316207f0] * plugins/sudoers/sudoers.c: Pass in correct pwflag for list and validate. [973dd56d4b81] * plugins/sudoers/env.c: Add missing check for NULL in validate_env_vars [1d6eb6957824] * src/Makefile.in: Add sudo_noexec.la to "all" target, otherwise it only gets built at install time. [644a9694d2ef] * plugins/sudoers/sudoers.c: Only set sudo_user.env_vars if the env_add list is empty. [fccdf6f0e0e2] * plugins/sudoers/sudoers.c: Set sudo_user.env_vars so that environment variables specified on the command line get logged correctly. [9b51012c491e] * plugins/sudoers/env.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Re-enable environment files and setting environment variables on the command line. [5662d5645dbd] 2010-04-24 Todd C. Miller * plugins/sudoers/check.c: Fix typo in last commit (ifndef vs ifdef) Make sure we pass ctime() a pointer to time_t as tv_sec in struct timeval may be long. [4de0c46e788e] * plugins/sudoers/check.c: Don't stash ctime in on-disk tty ticket info for now; on many (most?) systems the ctime is updated when the tty is written to. Once I have a better idea of what systems do not update ctime on ttys (and have a way to test for this) the ctime stash will be conditionally re-enabled. [a90eeec0f648] 2010-04-23 Todd C. Miller * MANIFEST, Makefile.in: Add back "dist" target, this time using a MANIFEST file [29277c05499f] * Makefile.in: Remove Makefile in distclean target [83d695f4f450] * Makefile.in, src/Makefile.in: Update clean and cleandir targets [ad7b2afeb9c1] * include/fileops.h, plugins/sudoers/sudoers.h, src/fileops.c, src/sudo.h: Move fileops.c defines and prototypes to filesops.h [4545e9b6892d] * plugins/sudoers/check.c: Lock the tty timestamp when writing. We shouldn't have to lock when reading since the file is updated via a single write system call. [0c7276f02696] 2010-04-22 Todd C. Miller * plugins/sudoers/alias.c, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/gettime.c, plugins/sudoers/goodpath.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/nonunix.h, plugins/sudoers/parse.c, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/vasgroups.c, plugins/sudoers/visudo.c: Convert to ANSI C function declarations [9c45def57cf7] * plugins/sudoers/sudoers.h: Remove extraneous bits and classify by source file. [e8ea9f109ebb] * include/compat.h: Add timercmp macro for systems without it [d3bf87b1d08e] * plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/sudoers.h: get_boottime() now fills in a timeval struct [3573c3f44e11] * plugins/sudoers/check.c: Store info from stat(2)ing the tty in the tty ticket when tty tickets are in use. On most systems, this closes the loophole whereby a user can log out of a tty, log back in and still have the timestamp be valid. [53380f9f5242] * config.h.in, configure.in: Add timespec2timeval and use it when getting ctime/mtime [4cb7f7caec2c] 2010-04-20 Todd C. Miller * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c: Convert perm setting to push/pop model; still needs some work Use the stashed runas groups instead of using getgrouplist() Reset perms to the initial value on error [09c072ebde8b] * config.h.in, configure.in: fix ctim_get and mtim_get macros [58773dc1e360] * config.h.in, configure, configure.in, include/compat.h, plugins/sudoers/check.c, plugins/sudoers/gettime.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c, src/fileops.c: Use timeval directly instead of converting to timespec when dealing with file times and time of day. [a0ce1ae00a67] * plugins/sudoers/Makefile.in: Don't like sudoreplay with libsudoers.la due to a yacc symbol conflict. [f1a59cc63a15] 2010-04-18 Todd C. Miller * configure, configure.in: Darwin >= 9.x has real setreuid(2) [7ec942a64275] 2010-04-17 Todd C. Miller * plugins/sudoers/env.c, plugins/sudoers/sudoers.h: Ansify env.c [f58551bad10a] * plugins/sudoers/env.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Remove remaining references to the environ pointer. [96faa530816a] 2010-04-16 Todd C. Miller * config.h.in, configure, configure.in, plugins/sudoers/env.c: Don't change the environ directly in the sudoers plugin [6db48ed3f7e0] 2010-04-15 Todd C. Miller * plugins/sudoers/sudoers.c: Fix typo [4aa452b07f8f] * plugins/sudoers/alias.c: Fix use after free in error message when a duplicate alias exists. [ce1d2812ee34] 2010-04-14 Todd C. Miller * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, src/parse_args.c: Add a "noninteractive" boolean to the settings passed in to the plugin's open function that is set when the user specifies the -n flag. [68f8d9d6d4d0] * config.h.in, configure, configure.in, plugins/sudoers/env.c: Add workaround for the lack of the environ pointer on Mac OS X in dlopen()ed modules. Use of environ in the sudoers plugin should ultimately be removed but this will do for the moment. [80c61647434f] * plugins/sudoers/visudo.c: Set errorfile to the sudoers path if we set parse_error manually. This prevents a NULL dereference in printf() when checking a sudoers file in strict mode when alias errors are present. [45e249ca99f7] * plugins/sudoers/sudoers.c: Main sudo no longer print "unable to execute" on exec failure so do it here. [50aaf62b43b5] 2010-04-13 Todd C. Miller * src/script.c: Use a pipe to pass back errno to the parent if execve() fails. If we get an error in script_child(), kill the command and exit. [dc3bf870f91b] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, src/parse_args.c, src/sudo.c: Handle plugin's open function returning -2 (usage error). [aadf900c1de8] * src/script.c: If execve() fails, leave it to the plugin to print an error string. [e25748f2d5b9] * src/script.c: If execve fails in logging mode, pass the errno directly to the grandparent on the backchannel and exit. The immediate parent will get SIGCHLD and try to report that status but its parent will no longer be listening. It would probably be cleaner to pass this over a pipe in script_child(). [cb122acc81a8] * plugins/sudoers/sudoers.c: Don't override rval with results of check_user() unless it failed. [46fb7e87ac7d] 2010-04-12 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Fix typo [ccd0b693f3da] * src/parse_args.c: NULL-terminate env_add [2c534368a0c3] 2010-04-11 Todd C. Miller * src/sudo.c: Call the I/O log open function before the I/O version function. [e88bf898990b] * plugins/sudoers/iolog.c: Remove io_conv and just use sudo_conv [a280052468eb] * plugins/sudoers/set_perms.c: Fix set/restore perms for systems w/o setresuid [4160517f6666] 2010-04-10 Todd C. Miller * plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Primitive set/restore permissions. Will be replaced by a push/pop model. [aae102290866] * src/script.c: Only need to take action on SIGCHLD in parent if no I/O logger. If there is an I/O logger we will receive ECONNRESET or EPIPE when we try to read from the socketpair. [e1e4560401f6] 2010-04-09 Todd C. Miller * compat/memrchr.c, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod, plugins/sudoers/find_path.c: Merge fb4d571495fa from the 1.7 branch to trunk. [c8fb424ad4d2] * find_path.c: Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching. [fb4d571495fa] <1.7> 2010-04-08 Todd C. Miller * src/script.c: Don't set SA_RESTART when registering SIGALRM handler. Do set SA_RESTART when registering SIGWINCH handler. [173472b76525] * doc/Makefile.in: Add dev targets for *.man.in and *.cat that don't specfify the $(srcdir) prefix. [b62f425da2e4] * src/script.c: If log_input or log_output returns false, terminate the command. [074f4c0c34a0] * src/script.c: Better signal handling. Instead of using a single variable to store the received signal, use an array so we can't lose a signal when multiple are sent. Fix process termination by SIGALRM in non-I/O logger mode. Fix relaying terminal signals to the child in non-I/O logger mode. [7a4723aca99d] * src/script.c: Fix a race between when we get the child pid in the parent and when the child process exits. The problem exhibited as a hang after a short-lived process, e.g. "sudo id" when no IO logger was enabled. [80bcc0aca70b] 2010-04-07 Todd C. Miller * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod: Add a note about the security implications of the fast_glob option. [c37a92ab7c93] * sudoers.cat, sudoers.man.in, sudoers.pod: Add a note about the security implications of the fast_glob option. [84f8097553d9] <1.7> * memrchr.c: Remove duplicate includes [3e8d90f4c30f] <1.7> 2010-04-06 Todd C. Miller * config.h.in, configure, configure.in: Fix up some AC_DEFINE descriptions and regen config.h.in [f4655adc0db3] 2010-04-05 Todd C. Miller * include/missing.h: No longer check for strdup or strndup for LIBOBJ replacement. [fdc764ee8109] * src/script.c: Avoid installing signal handlers that are io-logger specific. Fixes job control when no io logger is enabled. [0853dd0906d4] * doc/Makefile.in: Only regen man pages from pod when configured with --with-devel [ab1995f8103d] 2010-04-04 Todd C. Miller * Makefile, Makefile.in, configure, configure.in: Top-level Makefile.in. Nothing is currently substituted but this is needed for separate build dirs. [e80873cbd201] * compat/Makefile.in, doc/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Fix out-of-tree builds [59a35bef07b8] * Merge [386b848047e9] * doc/Makefile.in: We always install sudoreplay in 1.8 [ce52ba6617c9] * plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c: Free str after using it in the version method. Use sudo_conv, not io_conv since we don't have the IO conversation function pointer in the I/O version method anymore now that io_open is delayed. [f2ed132adeb0] 2010-04-03 Todd C. Miller * compat/siglist.in: SIGPOLL is sometimes the same as SIGIO (like on HP-UX) [6d69e1b05faf] 2010-04-02 Todd C. Miller * configure, configure.in: No need to provide strdup() or strndup(), sudo uses estrdup() and estrndup() [57ec23b72958] * compat/Makefile.in, compat/mksiglist.c, compat/mksiglist.h, compat/siglist.in: Add license to mksiglist.c and note that the bits from pdksh are public domain [d8121a2467e8] * compat/Makefile.in: Fix LIBOBJDIR vs. srcdir wrt the siglist bits [164160148421] * plugins/sudoers/Makefile.in: Add sudoreplay testsudoers and visudo to clean target [138a17e51c0c] * compat/Makefile.in, compat/mksiglist.c, compat/mksiglist.h, compat/siglist.in, compat/strsignal.c, configure, configure.in, include/missing.h, src/script.c: Create our own sys_siglist for systems without it for use by strsignal() [2e5da011ebc3] * compat/Makefile.in: Remove duplicate $(LIBOBJDIR) [adf9abc9432f] 2010-04-01 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c, src/sudo_edit.c: Main sudo should not block signals; the plugin should do this in check_policy. [3f3736a7c5ed] 2010-03-31 Todd C. Miller * src/script.c: Fix a sizeof(ptr) vs. sizeof(*ptr) [aa1bcf5afcce] * src/script.c: Unlike most operating systems, HP-UX select() is not interrupted by SIGCHLD when the signal is registered with SA_RESTART. If we clear SA_RESTART when calling sigaction() for SIGCHLD we get the expected behavior and the code in the select() loops already handles EINTR correctly. [9eba0115e35a] * compat/getprogname.c: progname should be const [130228f062b7] * plugins/sudoers/Makefile.in: Move --tag=disable-static to when we link sudoers.la, not when we install. [ceb5e6c3b78b] * src/load_plugins.c: Load the sudoers I/O plugin by default too now that it is hooked up. [ea38befd0742] 2010-03-30 Todd C. Miller * src/pty.c: It looks like AIX doesn't need to push STREAMS modules for ptys. [22da618ba0a1] 2010-03-28 Todd C. Miller * src/parse_args.c, src/sudo.c: Delay calling the I/O plugin open function until the policy plugin returns success. [f3297c325b48] 2010-03-27 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add back io logging (transcript) support. Currently, the open function runs too early and it is not possible to use the io module independently of the policy module. [9bd932f66226] * plugins/sudoers/set_perms.c: Comment out dead code; will be removed when set_perms is rewritten. [af7a995284f8] 2010-03-23 Todd C. Miller * plugins/sudoers/sudoers.c: Fix off by one error when allocating user_groups. [6281fcf9c3bb] 2010-03-22 Todd C. Miller * configure, configure.in, plugins/sudoers/Makefile.in: Add REPLAY_LIBS for sudoreplay and add -lrt to it on Solaris. [fbce3e9eda3a] * plugins/sudoers/sudoers.c: Fix typo in preserve groups case [1fd72024fb5a] * plugins/sudoers/sudoers.c: In command_info it is "runas_groups" not "groups". [5c64dce4f285] * src/sudo.c: Fix iteration over runas_groups list. [b3c45a0cd643] * configure, configure.in, plugins/sudoers/env.c, plugins/sudoers/match.c, src/script.c: Merge 5177a284b9ff 549f8f7c2463 88f3181692fe from 1.7 branch. [a8108a0776c2] * compat/getgrouplist.c: getgrouplist(3) for those without it [4ab4d21e3b16] * configure, configure.in: Fix installation of sudoers.ldap in "make install" when --with-ldap was specified without a directory. From Prof. Dr. Andreas Mueller [5177a284b9ff] <1.7> * plugins/sudoers/sudoers.c: Set preserve_groups or groups list in command_info [1266119ad654] * src/sudo.c: Fix setting of groups list [e75315e40bd4] * config.h.in, configure, configure.in, include/compat.h, include/missing.h: Add checks for getgrset and getgrouplist and use replacement getgrouplist if the system doesn't support it. [a62b8ba50863] * src/parse_args.c: Pass in preserve_groups when the -P flag is specified as per the design [7420c5d15474] * plugins/sudoers/sudoers.c: Check preserve_groups and ignore_ticket args with atobool instead of assuming they are true if present. [71c905702697] 2010-03-21 Todd C. Miller * plugins/sudoers/Makefile.in, plugins/sudoers/error.c, plugins/sudoers/plugin_error.c: Rename plugin-specific error.c to plugin_error.c Wire up visudo, sudoreplay and testsudoers in the build [9d581d5fa4d4] * src/Makefile.in, src/term.c: term.c does not needto include sudo.h [f6683cdcd2dd] * TODO, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document the -2 return in the check_policy section too [e9cb4c34bbcf] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h: Fix the -s and -i flags and add support for the "implied_shell" option. If the user does not specify a command, sudo will now pass in the path to the user's shell and set impied_shell=true. The plugin can them either check the command normally or return -2 to cause sudo to print a usage message and exit. [bf889c38f229] 2010-03-19 Todd C. Miller * config.h.in, configure, configure.in, src/load_plugins.c: Bring back SUDOERS_PLUGIN but add .dylib -> .so conversion for Darwin where libraries end in .dylib but modules end in .so [2c56aaa38e21] * plugins/sudoers/parse.c: Better prefix determination now that we can't rely on len==0 to tell the beginning on an entry. [622bf18179e9] * plugins/sudoers/ldap.c: display_bound_defaults() stub should return 0, not 1 since it is a count, not a boolean. [0327a6c3d55d] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document progname in settings [42031d56a2e3] * compat/getprogname.c, include/compat.h, plugins/sample/sample_plugin.c, plugins/sudoers/sudoers.c, src/parse_args.c, src/sudo.c: Rewrite compat/getprogname.c and add setprogname(). The progname is now passed to the plugin via the settings array. [25d8663e6006] * configure, configure.in, plugins/sudoers/Makefile.in: Fix --with-ldap [b64b633f426d] * plugins/sudoers/sudo_nss.c: Add missing whitespace for Runas and Command-specific defaults [65f4ddf5545e] * plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sudo_nss.c: Use embedded newlines in lbuf instead of multiple calls to lbuf_print. [eed3af9cc3e1] * src/lbuf.c: Add support for embedded newlines. [e11f79b18deb] 2010-03-18 Todd C. Miller * compat/getprogname.c: If system doesn't support getprogname or __programe and we are building a shared object don't bother with Argc/Argv, just return "sudo" [aebde9062be7] * config.h.in, configure, configure.in, src/load_plugins.c: Hard-code sudoers.so instead of using SUDOERS_PLUGIN since libtool appears to always install a shared object with the .so suffix. [f9bbd0c0e9d3] * compat/Makefile.in, configure, configure.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: Play more nicely with libtool and let it build libreplace (was libmissing) for us. [a4c6ebb2495c] * include/missing.h: Include stdarg.h for va_list rather than requiring all consumers of missing.h to include stdarg.h themselves. [37382df948de] * include/lbuf.h, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/lbuf.c, src/parse_args.c: Pass in output function to lbuf_init() instead of writing to stdout. A side effect is that the usage info can now go to stderr as it should. [6d261261a072] 2010-03-17 Todd C. Miller * include/lbuf.h, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/lbuf.c, src/parse_args.c, src/sudo.c: Use number of tty columns that is passed in user_info instead of getting it directly in the lbuf code. [8a16635c2638] * plugins/sudoers/alias.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/match.c, plugins/sudoers/mon_systrace.h, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c: Kill __P in sudoers [63601e6cb171] * config.h.in, configure, configure.in, src/load_plugins.c: Set the sudoers plugin name in configure so we get the extension right. [edad89924cd1] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document lines/cols in user_info [a808872394f3] * src/Makefile.in, src/sudo.c, src/sudo.h, src/ttysize.c: Add tty size to user info [23f3d27e77a7] * src/script.c: Use TIOCGSIZE/TIOCSSIZE instead of TIOCGWINSZ/TIOCSWINSZ [a2208dd09051] 2010-03-16 Todd C. Miller * plugins/sudoers/sudoers.c: Kill dead code Add missing sigsetjmp in sudo_policy_invalidate Error out if we fail to lookup the user's name that is passed in [e4e3728ed482] * plugins/sudoers/error.c: Pass the error value back via siglongjmp. [667b8ad575ce] * plugins/sudoers/check.c: Use conversation function for lecture. [1ab4719f509b] * plugins/sudoers/check.c: Don't update ticket file if verify_user returns FALSE. [2bbc46a39a2b] 2010-03-15 Todd C. Miller * plugins/sudoers/sudoers.c, src/sudo.c: Wire up invalidate and validate methods for sudoers [c0630c7bca47] * plugins/sudoers/check.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Add support for -k flag with a command. [edad239b098b] * src/parse_args.c: Allow -k to be specified with a command. [43a45add9974] * plugins/sudoers/sudoers.c: Wire up policy_list [27cc35699eca] * plugins/sudoers/error.c: Add newline at the end of message and space after the colon in warning message [5a591aa8e744] * plugins/sudoers/auth/sudo_auth.c: Add missing newline after pass password warning [337dba3870a7] * plugins/sudoers/sudoers.c: Set user_groups and user_ngroups based on user_info [61bee85128c8] * plugins/sudoers/error.c: Make this compile [7041c441e1c8] * Makefile: Build sudoers plugin [5cdf06e66978] * plugins/sudoers/gram.c, plugins/sudoers/gram.y: Use warningx in yyerror() so the conversation function gets used when built as part of sudoers. [85f964215eef] * plugins/sudoers/error.c, plugins/sudoers/sudoers.c: Make _warning in error.c use the conversation function and remove commented out warning/warningx in sudoers.c. [7c9b09024b63] * plugins/sudoers/logging.c: Use siglongjmp() in log_error for fatal errors [b50e26f1c73f] * plugins/sample/Makefile.in, plugins/sudoers/Makefile.in: Quiet a libtool warning [b2331fb006bc] 2010-03-14 Todd C. Miller * plugins/sudoers/auth/pam.c: Rename sudo_conv to conversation to avoid a namespace conflict. [1ad359d36be9] * plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/defaults.c, plugins/sudoers/env.c, plugins/sudoers/error.c, plugins/sudoers/find_path.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/interfaces.c, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/mon_systrace.c, plugins/sudoers/parse.c, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/vasgroups.c, plugins/sudoers/visudo.c: Initial bits of sudoers plugin; still needs work. [af2a2c59a952] * config.h.in: Add HAVE_STRDUP and HAVE_STRNDUP [50a3c0dd510f] * compat/Makefile.in, configure, configure.in: Build libmissing in two flavors (one PIC one non-PIC) and link with the appropriate one. [b62f411a4c18] * Makefile, compat/fnmatch.c, compat/glob.c, compat/nanosleep.c, compat/utimes.c, plugins/sample/Makefile.in, src/Makefile.in: Build libmissing in two flavors (one PIC one non-PIC) and link with the appropriate one. [e1e04972b5fe] 2010-03-13 Todd C. Miller * include/missing.h: Add strdup and strndup and fix strsignal [c159babe2896] 2010-03-12 Todd C. Miller * compat/strdup.c, compat/strndup.c, configure, configure.in, plugins/sample/Makefile.in, src/Makefile.in: Add strdup and strndup to compat [25c9fd399a4d] * plugins/sample/sample_plugin.c: Need to include compat.h before missing.h [c94f7aad380f] * compat/strsignal.c: Must check HAVE_DECL_SYS_SIGLIST == 1 (not just if defined) since if it doesn't exist configure will set it to 0. [384580566389] * compat/glob.c: Fix botched ANSI C coversion of globexp2() [4a344b8cbe49] * configure, configure.in: Remove redundant getgroups check [0b16ec210c81] * configure, configure.in, src/lbuf.c, src/script.c, src/term.c: Require either termios or termio, no more sgtty. [9b2fa2f17a1c] * compat/strsignal.c, config.h.in, configure, configure.in: Change the sys_siglist check to use AC_CHECK_DECLS and also check for _sys_siglist and__sys_siglist [2e078fed2408] 2010-03-11 Todd C. Miller * configure, configure.in, src/Makefile.in: Change SUDO_LDFLAGS to SUDOERS_LDFLAGS and add SUDOERS_OBJS. We now use SUDO_OBJS for the main driver as part of OBJS. [9ae4a80a5ade] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Mention in the conversation function section that a newline is not implicit. [04a233b6c491] * include/compat.h: Add definition of WCOREDUMP for systems without it. This is known to work on AIX and SunOS 4, but may be incorrect on other systems that lack WCOREDUMP. [c85b3ce6b77d] 2010-03-09 Todd C. Miller * plugins/sample/sample_plugin.c, src/conversation.c: conversation function no longer puts a newline at the end of info or error messages. [c534cae1ac4a] * match.c: When doing a glob match, short circuit if gl.gl_pathc is 0. From Mark Kettenis. [549f8f7c2463] <1.7> 2010-03-08 Todd C. Miller * script.c: Use parent process group id instead of parent process id when checking foreground status and suspending parent. Fixes an issue when running commands under /usr/bin/time and others. [eac86126e335] <1.7> * env.c: In setenv(), if the var is empty, return 1 and set errno to EINVAL instead of returning EINVAL directly. [d202091ec15e] <1.7> 2010-03-07 Todd C. Miller * src/script.c: Use parent process group id instead of parent process id when checking foreground status and suspending parent. Fixes an issue when running commands under /usr/bin/time and others. [564f528c3bb7] 2010-03-06 Todd C. Miller * aclocal.m4: transcript option is now --with not --enable [0646fac4cf93] * plugins/sample/sample_plugin.c: Add support to -u and -g flags Check fmt_string retval Add timeout for debugging purposes [cfefa4fa60b5] * src/script.c, src/sudo.c: Wire up SIGALRM handler Set close on exec flag for child side of the socketpair Fix signal handling when not doing I/O logging [379581ec7272] * src/sudo.c: g/c unused SIGCHLD handler [0afa03912dce] * src/fmt_string.c, src/parse_args.c, src/sudo.c: Don't use emalloc() in fmt_string(); we want to be able to use it from a plugin. [ade64d368147] * include/list.h: tq_remove not list_remove [0e0e1fd5c31c] * configure, configure.in: AUTH_OBJS should contain .lo files not .o files. [c64c82c9d5a2] 2010-03-05 Todd C. Miller * src/parse_args.c: Simplify conversion of command line args to name=value pairs. [75ab127c6a94] * plugins/sample/sample_plugin.c: Handle NULL reply from conversation function [6ce09b6cb204] * compat/getline.c: Don't depend on emalloc/erealloc [73df09e2109f] * plugins/sample/Makefile.in: Use $(OBJS) instead of sample_plugin.lo [2d995db9aa99] * plugins/sample/sample_plugin.c: runas_user is in settings not user_info [7ee12068bc57] * src/parse_args.c: Fix a mismatch between sudo_settings and settings_pairs that causes some settings to get the wrong values. [b1bc6d81a65f] 2010-03-04 Todd C. Miller * src/Makefile.in, src/aix.c, src/alloc.c, src/atobool.c, src/error.c, src/fileops.c, src/lbuf.c, src/list.c, src/pty.c, src/sesh.c, src/sudo.c, src/sudo_edit.c, src/term.c, src/zero_bytes.c: Convert to ANSI C [d03b6e4a3b75] * src/load_plugins.c: Fix strlcpy() return value check. [7cd66999a374] * INSTALL, configure, configure.in: No longer need to substitute in script.o and pty.o; I/O logging support is always built. [45250024c5dc] 2010-02-28 Todd C. Miller * src/script.c: Add fallback to /bin/sh when execve() fails with ENOEXEC. [7684a15a1352] * include/alloc.h, src/alloc.c: Add estrndup() [47621c83bed9] 2010-02-27 Todd C. Miller * src/script.c, src/sudo.c: Refactor script_execve() a bit so that it can be used in non-script mode. Needs more cleanup. [f09e022d547c] * src/sudo.c: Ignore empty entries in command_info list [1eea9a8de21c] * include/list.h, src/list.c: Add tq_remove [40908a617cb2] * src/conversation.c: Pass timeout to tgetpass() [9e66c918b771] * Makefile: Add ChangeLog target [da4a39150838] * README, WHATSNEW: Bump version and update things slightly for sudo 1.8.0 [4b73cc45e2d4] * configure, configure.in: Sudo now requires an ANSI/ISO C compiler [1e51f72e6964] * src/alloc.c, src/audit.c, src/error.c, src/lbuf.c, src/sudo_noexec.c: Convert to ANSI C [5cbd315dbde8] * include/alloc.h, include/compat.h, include/error.h, include/lbuf.h, include/list.h, include/missing.h: Convert to ANSI C [3f5016ff64f4] * compat/charclass.h, compat/closefrom.c, compat/fnmatch.c, compat/fnmatch.h, compat/getcwd.c, compat/getline.c, compat/getprogname.c, compat/glob.c, compat/glob.h, compat/isblank.c, compat/memrchr.c, compat/mkstemp.c, compat/nanosleep.c, compat/sigaction.c, compat/snprintf.c, compat/strcasecmp.c, compat/strerror.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/utime.h, compat/utimes.c: Convert to ANSI C [0d635c85461c] 2010-02-24 Todd C. Miller * src/sudo.c, src/tgetpass.c: Make user_details extern so tgetpass can get at the uid and gid. Set uid/gid to user before executing askpass program. Check environment for SUDO_ASKPASS and use that if set. TODO: a way for the policy to set the askpass program itself [d33606396176] * src/sudo.c: No longer need sudo_usage.h in sudo.c [063e2946c382] * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod, doc/sudo_plugin.man.in, doc/sudo_plugin.pod, src/Makefile.in, src/parse_args.c, src/sudo_usage.h.in: Document -D level command line flag which maps to the debug_level setting. [61f1e2ab3ac1] * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Document debug_level in plugin doc. Still need to document the -D flag in sudo itself. [8c62daea3e9b] 2010-02-22 Todd C. Miller * match.c: Check for pseudo-command by looking at the first character of the command in sudoers instead of checking the user-supplied command for a slash. [88f3181692fe] <1.7> 2010-02-21 Todd C. Miller * plugins/sample/sample_plugin.c: include missing,h for vasprintf [92503de49b39] * doc/Makefile.in, doc/plugin.pod, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod: Rename plugin.pod -> sudo_plugin.pod and wire into Makefile [14cfb4775238] * plugins/sample/sample_plugin.c: Need to include limits.h [bda7f74343d2] * compat/glob.c: No more sudo_getpw* [232e52907634] * plugins/sample/Makefile.in, src/Makefile.in: Add missing compat bits [4843dd000e08] * compat/closefrom.c, compat/mkstemp.c, plugins/sample/Makefile.in: compat files should not include sudo.h wire up compat in sample plugin [a175b8185e0f] * Makefile, configure, configure.in, doc/Makefile.in, src/Makefile.in: Fix up compat dependencies. Fix distclean target in doc/Makefile.in [57e49bc20857] * configure, configure.in: Fix typo [333655e3d5fe] * plugins/sample/sample_plugin.c: Log input and output to temp files for proof of concept. [ae1dfc34f7d6] * Makefile, configure, configure.in, doc/Makefile.in: Add doc Makefile.in and wire it up [6a310443c87d] * src/script.c: Handle SIGSTOP in addition to SIGTSTP. Fixes a problem with suspending a shell with the "suspend" builtint. [3d65f182819a] * src/script.c: In child, handle parent side of the pipe going away. [a29c14d78cd9] * src/script.c: No longer need to check for explicit death of the child (process #2) since if it dies we will get EPIPE from the socketpair. Fix a sizeof() that was causing a spurious error. Convert SCRIPT_DEBUG to sudo_debug. [24c55dd4ff60] * src/sudo.c: Make sudo_debug do a single vfprintf() which will result in a single write call on most systems. Avoids problems with interleaved debug printf from different processes. Also remove an extraneous error case since recv() can't return a short read and add some more XXX. [b37a8533ef1e] 2010-02-20 Todd C. Miller * src/script.c: Fix uninitialized variable. [e012a0a30890] * src/Makefile.in: Fix sudo install target [1417fa4b4ab9] * src/parse_args.c, src/sudo.c, src/sudo.h: Wire up debug_level [144fab289c73] * src/Makefile.in: Fix dependencies [5170940af2ce] * configure, configure.in: Fix setting of plugin dir [144eda170a72] * Makefile: add clean targets [d53f6f6f5c3a] * src/atobool.c: Add missing source for sudo front end [42487de9c489] * plugins/sample/Makefile.in, plugins/sample/sample_plugin.c: Sample plugin demonstrating the sudo plugin API [f1fd62d7644f] * Makefile, configure, configure.in, install-sh, pathnames.h.in, plugins/sudoers/install-sh, src/Makefile.in, src/conversation.c, src/fileops.c, src/fmt_string.c, src/load_plugins.c, src/parse_args.c, src/pty.c, src/script.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h, src/sudo_usage.h.in, src/tgetpass.c, sudo_usage.h.in: Modular sudo front-end which loads policy and I/O plugins that do most the actual work. Currently relies on dynamic loading using dlopen(). See doc/plugin.pod for the plugin API. [924f6eb2fbba] * doc/plugin.pod, include/sudo_plugin.h: Sudo plugin API [374ccbbd24ae] * compat/fnmatch.c, compat/glob.c, compat/nanosleep.c, compat/utimes.c, plugins/sudoers/check.c, plugins/sudoers/gettime.c, plugins/sudoers/match.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/fileops.c, src/sudo_edit.c: Replace emul/include.h with compat/include.h to match new source tree layout. [7eccd10449a1] * src/lbuf.c: Include missing.h for memrchr() proto [03abd63a8a33] * HISTORY, LICENSE, Makefile.binary.in, Makefile.in, PORTING, TROUBLESHOOTING, UPGRADE, aix.c, aixcrypt.exp, alias.c, alloc.c, alloc.h, audit.c, auth/API, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, boottime.c, bsm_audit.c, bsm_audit.h, check.c, closefrom.c, compat.h, compat/charclass.h, compat/closefrom.c, compat/fnmatch.c, compat/fnmatch.h, compat/getcwd.c, compat/getline.c, compat/getprogname.c, compat/glob.c, compat/glob.h, compat/isblank.c, compat/memrchr.c, compat/mkstemp.c, compat/nanosleep.c, compat/sigaction.c, compat/snprintf.c, compat/strcasecmp.c, compat/strerror.c, compat/strlcat.c, compat/strlcpy.c, compat/strsignal.c, compat/timespec.h, compat/utime.h, compat/utimes.c, def_data.c, def_data.h, def_data.in, defaults.c, defaults.h, doc/HISTORY, doc/LICENSE, doc/PORTING, doc/TROUBLESHOOTING, doc/UPGRADE, doc/history.pod, doc/license.pod, doc/sample.pam, doc/sample.sudoers, doc/sample.syslog.conf, doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/sudo.cat, doc/sudo.man.in, doc/sudo.man.pl, doc/sudo.pod, doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, doc/sudoers.ldap.pod, doc/sudoers.man.in, doc/sudoers.man.pl, doc/sudoers.pod, doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod, doc/visudo.cat, doc/visudo.man.in, doc/visudo.pod, emul/charclass.h, emul/fnmatch.h, emul/glob.h, emul/timespec.h, emul/utime.h, env.c, error.c, error.h, fileops.c, find_path.c, fnmatch.c, getcwd.c, getdate.c, getdate.y, getline.c, getprogname.c, getspwuid.c, gettime.c, glob.c, goodpath.c, gram.c, gram.h, gram.y, history.pod, include/alloc.h, include/compat.h, include/error.h, include/lbuf.h, include/list.h, include/missing.h, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, install-sh, insults.h, interfaces.c, interfaces.h, isblank.c, lbuf.c, lbuf.h, ldap.c, license.pod, list.c, list.h, logging.c, logging.h, match.c, memrchr.c, missing.h, mkdefaults, mkstemp.c, mon_systrace.c, mon_systrace.h, nanosleep.c, nonunix.h, parse.c, parse.h, plugins/sudoers/Makefile.binary.in, plugins/sudoers/Makefile.in, plugins/sudoers/aixcrypt.exp, plugins/sudoers/alias.c, plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb4.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/gettime.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/ins_2001.h, plugins/sudoers/ins_classic.h, plugins/sudoers/ins_csops.h, plugins/sudoers/ins_goons.h, plugins/sudoers/install-sh, plugins/sudoers/insults.h, plugins/sudoers/interfaces.c, plugins/sudoers/interfaces.h, plugins/sudoers/ldap.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/match.c, plugins/sudoers/mkdefaults, plugins/sudoers/mon_systrace.c, plugins/sudoers/mon_systrace.h, plugins/sudoers/nonunix.h, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, plugins/sudoers/redblack.c, plugins/sudoers/redblack.h, plugins/sudoers/set_perms.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers2ldif, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestr.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/vasgroups.c, plugins/sudoers/visudo.c, pty.c, pwutil.c, redblack.c, redblack.h, sample.pam, sample.sudoers, sample.syslog.conf, schema.ActiveDirectory, schema.OpenLDAP, schema.iPlanet, script.c, selinux.c, sesh.c, set_perms.c, sigaction.c, snprintf.c, src/aix.c, src/alloc.c, src/audit.c, src/bsm_audit.c, src/bsm_audit.h, src/error.c, src/fileops.c, src/lbuf.c, src/list.c, src/pty.c, src/script.c, src/selinux.c, src/sesh.c, src/sudo_edit.c, src/sudo_noexec.c, src/term.c, src/tgetpass.c, src/zero_bytes.c, strcasecmp.c, strerror.c, strlcat.c, strlcpy.c, strsignal.c, sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.man.pl, sudo.pod, sudo_edit.c, sudo_noexec.c, sudo_nss.c, sudo_nss.h, sudoers, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod, sudoers.man.in, sudoers.man.pl, sudoers.pod, sudoers2ldif, sudoreplay.c, sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod, term.c, testsudoers.c, tgetpass.c, timestr.c, toke.c, toke.l, tsgetgrpw.c, utimes.c, vasgroups.c, visudo.c, visudo.cat, visudo.man.in, visudo.pod, zero_bytes.c: Rework source layout in preparation for modular sudo. [7fc1978c6ad5] 2010-02-13 Todd C. Miller * Avoid a duplicate fclose() of the sudoers file. [5dba851088c1] * Fix size arg when realloc()ing include stack. From Daniel Kopecek [0a2935061e33] * Use setrlimit64(), if available, instead of setrlimit() when setting AIX resource limits since rlim_t is 32bits. [353db89bac61] * Fix use after free when sending error messages. From Timo Juhani Lindfors [e50dbd902382] * ChangeLog, Makefile.in: Generate the ChangeLog as part of "make dist" instead of having it in the repo. [251b70964673] 2010-02-09 Todd C. Miller * toke.l: Avoid a duplicate fclose() of the sudoers file. [164d39108dde] <1.7> * toke.l: Fix size arg when realloc()ing include stack. From Daniel Kopecek [8900bccef219] <1.7> 2010-02-06 Todd C. Miller * aix.c, config.h.in, configure, configure.in: Use setrlimit64(), if available, instead of setrlimit() when setting AIX resource limits since rlim_t is 32bits. [2cbb14d98fc1] <1.7> * logging.c: Fix use after free when sending error messages. From Timo Juhani Lindfors [caf183fd9d94] <1.7> 2010-01-18 Todd C. Miller * ChangeLog, Makefile.in: Generate the ChangeLog as part of "make dist" instead of having it in the repo. [836c31615859] <1.7> 2010-01-18 convert-repo * .hgtags: update tags [9b7aa44ae436] 2010-01-17 Todd C. Miller * Makefile.in: Generate correct ChangeLog for 1.7 branch. [586dd90b8878] <1.7> * Makefile.binary.in, Makefile.in, aix.c, alias.c, alloc.c, alloc.h, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, check.c, closefrom.c, compat.h, configure.in, defaults.c, defaults.h, emul/charclass.h, emul/timespec.h, env.c, error.c, error.h, fileops.c, find_path.c, getcwd.c, getprogname.c, getspwuid.c, gettime.c, goodpath.c, gram.c, gram.y, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, interfaces.h, isblank.c, lbuf.c, lbuf.h, ldap.c, list.c, list.h, logging.c, logging.h, match.c, memrchr.c, missing.h, mkinstalldirs, mkstemp.c, mon_systrace.c, nanosleep.c, parse.c, parse.h, pathnames.h.in, pty.c, pwutil.c, redblack.c, redblack.h, sample.pam, sample.sudoers, sample.syslog.conf, script.c, selinux.c, sesh.c, set_perms.c, sigaction.c, snprintf.c, strcasecmp.c, strerror.c, strlcat.c, strlcpy.c, strsignal.c, sudo.c, sudo.h, sudo.man.in, sudo.pod, sudo_edit.c, sudo_noexec.c, sudo_nss.c, sudo_nss.h, sudo_usage.h.in, sudoers.ldap.man.in, sudoers.ldap.pod, sudoers.man.in, sudoers.pod, sudoers2ldif, sudoreplay.c, sudoreplay.man.in, sudoreplay.pod, term.c, testsudoers.c, tgetpass.c, timestr.c, toke.c, toke.l, utimes.c, visudo.c, visudo.man.in, visudo.pod, zero_bytes.c: Remove CVS $Sudo$ tags. [de683a8b31f5] 2009-12-26 Todd C. Miller * sudo_usage.h.in: make this match sudoers SYNOPSIS [c74ba66944c2] * lbuf.c, parse.c: Print a newline between Runas and Command-specific defaults in sudo -l. [b5bdfcc9ce4b] * term.c: Use SET and CLR macros in term_raw [50ca42609d6c] * sudoreplay.c: Set stdin to non-blocking mode early instead of in check_input. Use term_raw instead of term_cbreak since the data we get has already been expanded via OPOST. [51c47e803d62] 2009-12-23 Todd C. Miller * script.c, term.c: Enable/disable all postprocessing instead of just nl->crnl processing since things like tab expansion matter too. However, if stdout is a tty leave postprocessing on in the pty since we run into problems doing it only on the real stdout with .e.g nvi. [62666e309673] 2009-12-19 Todd C. Miller * check.c: If tty_tickets is enabled and there is no tty, prompt for a password. Do not lecture user for "sudo -k command" if user has a timestamp. [5880200c5f6b] * INSTALL: Document missing options: --with-efence and --with-bsm-audit [d83afcdf9ff3] * sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod, sudoers.man.in, sudoers.pod, sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod, visudo.cat, visudo.man.in, visudo.pod: username -> user name groupname -> group name hostname -> host name [10c85646f45d] * INSTALL, README.LDAP, sudoers.pod: filename -> file name like the rest of the docs [1ef8ab5a9018] 2009-12-17 Todd C. Miller * parse.c: Fix printing of entries with multiple host entries on a single line. [226ceaf91d8d] 2009-12-14 Todd C. Miller * sudoers.pod: Mention that targetpw affects the timestamp file name. [a26e22e4f72e] * def_data.c, def_data.h, def_data.in, defaults.c, script.c, sudoers.pod: Add compress_transcript option. [6e94f8cb9dfb] 2009-12-13 Todd C. Miller * configure, configure.in: bump to 1.7.3b2 [906d7e347d15] * pwutil.c, set_perms.c, sudo.c, sudo_nss.c: Better split of membership vs. traditional group check in user_in_group(). Allow user_ngroups to be < 0 if getgroups() fails. [6ebc55d4716b] 2009-12-12 Todd C. Miller * pwutil.c: Fix pasto and add default return value. [7973b5e4599c] * check.c, match.c, pwutil.c, sudo.h: refactor group member checking into user_in_group() [48ca8c2eddf8] * check.c, config.h.in, configure, configure.in, match.c, sudo.c, sudo.h: Add support for mbr_check_membership() as present in darwin. [5501aed02b9f] 2009-12-10 Todd C. Miller * match.c: Rename label to be accurate [3af17dd960f7] * Makefile.in, boottime.c, check.c, config.h.in, configure, configure.in, sudo.h: Treat timestamp files from before we booted as old. Idea from and Apple patch. [5c96e484c05a] 2009-12-09 Todd C. Miller * sudo.c, sudo.pod, sudo_usage.h.in: Allow the -u flag to be used in conjunction with the -v flag as per older versions of sudo. [591e9fc13c1a] * logging.c: fix typo in last commit [4fd0c692dcf0] 2009-12-08 Todd C. Miller * logging.c: Convert fmt_first and fmt_confd into macros. [32e870158b29] * sudoers.pod: timeouts can be floats now [89de639a9679] * WHATSNEW, def_data.c, def_data.h, def_data.in, defaults.c, defaults.h, mkdefaults: Add support for floating point timeout values (e.g. 2.5 minutes). [210ffa291733] 2009-12-07 Todd C. Miller * sudo.pod: The -L flag will be removed in sudo 1.7.4 [ffd026084333] 2009-12-06 Todd C. Miller * sudoreplay.c: Fix a bug due to order of operators. [938d34464283] 2009-11-23 Todd C. Miller * match.c: cmnd_matches() already deals with negation so _cmndlist_matches() does not need to do so itself. Fixes a bug with negated entries in a Cmnd_List. [71c845f6ce73] 2009-11-22 Todd C. Miller * sudo.c: Don't exit() from open_sudoers, just return NULL for all errors. [8cfa832f972a] * script.c: Can't rely on the shell sending us SIGCONT when transitioning from backgroup to foreground process. [3c6c5b6cb4b3] * toke.c, toke.l: Add missing extern def for parse_error [45b7b59d03b7] 2009-11-21 Todd C. Miller * toke.c, toke.l: Avoid a parse error when #includedir doesn't find any files. Closes bug #375 [1ce1b850e9e6] * Makefile.in: Include sudo.man.pl and sudoers.man.pl in the distribution tarball. [6a22e32da108] 2009-11-15 Todd C. Miller * script.c: Start command out in foreground mode if stdout is a tty. Works around issues with some curses-based programs that don't handle tcsetattr getting interrupted by a signal. Still allows us to avoid hogging the tty if the command is part of a pipeline. [1c32f2b94769] * script.c, sudo.c, sudo.h, sudoreplay.c, term.c, tgetpass.c: Use a socketpair to pass signals from parent to child. Child will now pass command status change info back via the socketpair. This allows the parent to distinguish between signals it has been sent directly and signals the command has received. It also means the parent can once again print the signal notifications to the tty so all writes to the pty master occur in the parent. The command is now always started in background mode with tty signals handled by the parent. [c6790b82986d] 2009-11-04 Todd C. Miller * configure, configure.in: Fix a few typos in the descriptions; from Jeff Makey Only do the check for krb5_get_init_creds_opt_free() taking two arguments if we find krb5_get_init_creds_opt_alloc(). Otherwise we will get a false positive when using our own krb5_get_init_creds_opt_free which takes only a single argument. [845a9ff6f93d] 2009-11-03 Todd C. Miller * configure, configure.in: Remove a spurious comma in the kerb5 bits. [3433eab083db] * auth/kerb5.c: Call krb5_get_init_creds_opt_init() in our emulated krb5_get_init_creds_opt_alloc() for MIT kerberos. [7ffb40bf43e9] 2009-11-01 Todd C. Miller * config.h.in: Add HAVE_ZLIB [9297bde61ecc] * script.c: Need to ignore SIGTT{IN,OU} in child when running the command in the background. Also some minor cleanup. [dc208d982319] 2009-10-31 Todd C. Miller * script.c: Instead of calling sigsuspend when waiting for SIGUSR[12] from parent, install the signal handlers w/o SA_RESTART and let them interrupt waitpid(). [759c7d18203b] * script.c: Pass along SIGHUP and SIGTERM from parent to child. [035b0e254568] * script.c: Close unused bits of script_fds in processes that don't need them. Restore default SIGCONT handler in child. [e037378ab0c1] * script.c: Update foreground/background status in SIGCONT handler in parent process. [3f7f91333264] 2009-10-25 Todd C. Miller * script.c: Defer setting terminal into raw mode until just before we fork() and only do it if sudo is the foreground process. If we get SIGTT{IN,OU} and sudo is already in the foreground be sure to set raw mode before continuing the child. [1102ef40832c] 2009-10-24 Todd C. Miller * script.c: Fix handling of SIGTTOU/SIGTTIN in program being run. We now only give the command the controlling tty if the main sudo process is the foreground process. [cf3a91cb5682] * script.c: Don't bother with sudo_waitpid() here for now. [9086de480c2d] * script.c: fix non-zlib case [a258bff0f9a6] 2009-10-23 Todd C. Miller * script.c: Remove non-wroking code that crept into rev 1.55 [2802dd55cff5] 2009-10-22 Todd C. Miller * INSTALL, configure, configure.in, script.c, sudoreplay.c: First pass at zlib support for transcript data files [5d10260807da] * Makefile.in: remove vestiges of ZLDFLAGS [1fa0caf1c0fb] * script.c: Add missing variable declaration for when TIOCSCTTY is not defined. Need to include sys/termio.h for TIOCSCTTY on some systems. [ee7f41ac2709] * script.c: when resuming command, send SIGCONT to its pgrp not just pid [5cd63c1d565b] * selinux.c: remove unused variable [df67df4be228] * script.c: include selinux.h for is_selinux_enabled() proto [85ebaa880cc1] * script.c: Don't use log_error() in the child process. [def65fe2a433] * script.c: Do I/O in parent instead of child since the parent can have both /dev/tty as well as the pty fds open. The child just sets things up and waits for its grandchild and writes the signal description to the pty master if the command was killed by a signal. [95e473208982] 2009-10-18 Todd C. Miller * missing.h, sudo.h: Move two struct forward declarations from sudo.h to missing.h [90ad28294a8c] * script.c: Make comment at the top of script_exec() match reality. [c5042d27dbe0] * sudo.c: if neither stdin nor stdout is a tty, check stderr [c532ff20c8d8] * Makefile.in: Add back dependecy of gram.h on gram.y [c58382b7fcca] * script.c: Make transcript mode work as long as we can figure out our tty, even if it is not stdin. We'd like to use /dev/tty but that won't be valid after the setsid(). [7b8bba8d99e7] 2009-10-17 Todd C. Miller * config.h.in, configure, configure.in, pty.c: Add support for IRIX-style dynamic ptys [bedc9bac44c1] * Makefile.in, alloc.h, getline.c, sudo.h, sudoreplay.c: Move alloc.c protos into alloc.h [b6a90649617d] * missing.h: Move prototypes for missing libc functions to missing.h [dda9ae1ccaf8] * Makefile.in, sudo.h, sudoreplay.c: Move prototypes for missing libc functions to missing.h [7483166b577b] 2009-10-16 Todd C. Miller * config.h.in, configure, configure.in: Disable transcript support if no tcsetpgrp until we support older BSD-style job control. [27ac1d8163df] * configure, configure.in, pty.c, script.c: Break out pty code into pty.c [e85509b25d41] * compat.h, config.h.in, configure, configure.in: add killpg macro if no killpg function [3a125f4a51f0] * config.h.in, configure, configure.in, script.c: Push ptem and ldterm for STERAMS-based systems when allocating a pty. [36bb39b30ff2] 2009-10-15 Todd C. Miller * script.c: Sprinkle some more O_NOCTTY and call grantpt() before unlockpt() [d94bd5c9bf4e] * script.c: Call tcgetpgrp() in the parent, not the child and have the child spin until it is granted. Fixes a race on darwin. [6e8d435339ce] * script.c: Only use TIOCNOTTY in the non-setsid case. If no TIOCSCTTY, just reopen slave. [0bdc63c019ca] 2009-10-14 Todd C. Miller * script.c: In script mode, if the command is killed by a signal, print the signal description as well as a core dump notification like the shell does. [9df61738df07] * Makefile.in, config.h.in, configure, configure.in, strsignal.c, sudo.h: Add check for strsignal() and a simple implementation if it is not there but sys_siglist is [61421a188ef4] * script.c: Add missing WUNTRACED and store the signal that stopped the grandchild in suspended, not signo. [df65042b200e] * script.c: g/c unused code [40d8cb5c9203] * script.c: Associate the grandchild's pgrp with the tty instead of the child's and just get suspend notifications via SIGCHLD instead of directly. This fixes a hang with programs that try to set terminal attributes and is more consistent with how the shell handles things. [6865abff7e94] 2009-10-12 Todd C. Miller * script.c: Move setpgid() of child into the parent side of the fork() where it belongs. [3defa782777c] 2009-10-11 Todd C. Miller * script.c: fix typo [b6a612b3622c] * script.c: Run command in its own pgrp (like the shell does) for easier signalling. No need to relay SIGINT or SIGQUIT to parent, just send to grandchild. Don't want grandchild stopped events in the child (only termination). Flush output after suspending grandchild before signalling parent. [db556bf2176f] * script.c: Back out revision 1.34; the problem lies elsewhere. [85f590a03275] * script.c: Don't set stdout to blocking mode when flushing remaining output. It can cause us to hang when trying to exit. Need to investigate why. [6f803a3e33ca] * script.c: Handle SIGTTOU and remove some debugging. [52d17279053e] * term.c: Back out revision 1.10 as the signal that interrupts us may be SIGTTOU or SIGTTIN which the caller must handle. [7e2fa9107975] * script.c: Apparently we need to send SIGSTOP to the command as well as ourself when we get SIGTSTP, the kernel doesn't automatically stop the process for us. [1a936e9309c4] * script.c: Use an extra process to act as the glue bewteen the sessions associated with the user's controlling tty (what the shell uses) and the tty that sudo is using to do its logging. Basically, this means that if we get, e.g. SIGTSTP from the process sudo is running, we relay the signal to the parent so it's shell can do the job control. [6dd296988060] * term.c: Handle getting/setting terminal attributes when the fd is in non- blocking mode. [ae5ae535ea7b] 2009-10-07 Todd C. Miller * sudoreplay.c, sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod: Add support for pausing and changing the speed in interactive mode. [72a2063780a7] * script.c: Already define O_NOCTTY in compat.h, don't need it here [b5d80ed3e5ce] 2009-10-06 Todd C. Miller * sudoreplay.c: Add missing protos [c4cb4e7f4d8a] 2009-09-30 Todd C. Miller * sudo_edit.c: Always update the stashed mtime of the temp file instead of using what we have for the original because the time resolution of the filesystem the temporary is on may not match that of the filesystem that holds the original. Should fix bz #371 found by Philippe Levan. [c86ca4bec60c] * sudoreplay.c: Use cbreak mode instead of raw mode and add signal handlers to restore the tty on interrupt. [84dd283da41c] * script.c, sudo.h, term.c: Retain NL to NLCR conversion on the real tty and skip it on the pty we allocate. That way, if stdout is not a pty there are no extra carriage returns. [32e4f570414e] * script.c: Fix log_output(); just pass in a string and a length. [ca980cc0a3fb] 2009-09-28 Todd C. Miller * script.c: do not use errno when complaining out lack of a tty [8f9b8c55ab8e] 2009-09-27 Todd C. Miller * Makefile.in, sudoreplay.c, term.c: Instead of messing with line endings, just set terminal to raw mode in sudoreplay. [90943fa87acb] * term.c: When copying the terminal attributes to the pty, be sure not to set ONLCR. This prevents extra carriage returns from ending up in the script output file. [e6b5475ac2aa] * script.c: Convert a do {} while into a while [e461310d2c77] * Makefile.in: Use if then instead of test && when installing binaries that may not exist. [ad4f9490d971] * script.c: Add O_NOCTTY when opening a tty device. Explicitly disconnect from old tty before associatng with new one. [0e0ca634b80c] * script.c, selinux.c, sudo.c, sudo.h: First cut at refactoring some of the selinux code so it can be used in conjunction with sudo's transcript support. [779b0d8f9d29] 2009-09-26 Todd C. Miller * aclocal.m4, configure, configure.in: Fix default case of transcript_enabled being unset. [f8aa96186e6b] * script.c, sudoreplay.c: Use _PATH_SUDO_TRANSCRIPT instead of _PATH_SUDO_SESSDIR [2844a7a851fa] * INSTALL, Makefile.in, aclocal.m4, configure, configure.in, sudo.c: Hook up --disable-transcript and --enable-transcript=DIR [b3fa7e6b2480] 2009-09-25 Todd C. Miller * aclocal.m4, configure, configure.in, pathnames.h.in: _PATH_SUDO_SESSDIR -> _PATH_SUDO_TRANSCRIPT Add --enable- transcript=DIR option to specify the directory [b0bb76d43cda] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in: regen [c7a8a0a9027c] * configure, configure.in, sudoers.man.pl, sudoers.pod: Substitute in default value for secure_path [c8f9ac6dbf93] * sudo.pod: Mention that the password must be followed by a newline with the -S option. [2fc589a3ee7e] 2009-09-20 Todd C. Miller * script.c: Go back to dropping out of the select() loop when the process dies; Linux ptys apparently don't behave the same as BSD in regards to select(). No need to flush remaining output to the transcript, only to stdout. Add back code to check the master pty for additional data when we exit the main select loop. [abed9a9cbc6b] 2009-09-19 Todd C. Miller * Makefile.in: Add getline.o to COMMON_OBJS [04ef7643cbc2] * Makefile.in: sudoreplay depends on libsudo.a [142bd0472631] * Makefile.in: More pwutil.o into COMMON_OBJS [4a016b933629] * pwutil.c, testsudoers.c, tsgetgrpw.c: Remove my_* redirection in pwutil.c for testsudoers and just use the normal libc get{pw,gr}* names. [9b76d637d86b] * sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod: More time and date examples [c6ee0175ec56] * Makefile.in, configure, configure.in, nanosleep.c, sudoreplay.c: Move nanosleep() emulation into its own file Check librt.a for nanosleep if we don't find it in libc [4da0cc26aad7] * Makefile.in, configure, configure.in: Build libsudo with the common bits and link things against that. [2b53bc0b081a] * script.c: Fix final flush. [6da287d833da] * script.c: Keep reading from the pty master -> log file until read returns <= 0. Do our best to write everything to stdout when flushing any remaining bits. [2a45d4ae280c] * sudoreplay.c: Use unbuffered I/O when writing to stdout and make sure we write the entire buffer. [f39ef9844a47] 2009-09-18 Todd C. Miller * sudoreplay.c: Only use max_wait if it is non-zero [f6c10604d2e8] * getdate.c, getdate.y, getline.c: Need compat.h here [5d6722e225a0] * sudoreplay.c: Fix nanosleep emulation [34e5e5d72a76] * script.c: Fix comment after #endif [bd1347718b25] * sudoreplay.c: Add protos for missing libc bits [644f496427a2] * configure, configure.in: add missing line continuation char [db13c0d402cd] * config.h.in, configure, configure.in, getline.c: Implement getline() in terms of fgetln() if we have it. [3ab786eaadc5] * sudoreplay.c: Print year when formatting log line [90be669e3443] * sudoreplay.pod: Document cwd, attempt to document time/date formats. [6290fb9b65c6] * sudoreplay.c: Fix getline return value check. [d696d6657261] * Makefile.in, config.h.in, configure, configure.in, getline.c, sudoreplay.c: Use getline() if the system has it, else use provide our own for sudoreplay. [afca1d6fbe5e] * script.c: Refactor code to update output and timing files. [361491332b1a] 2009-09-17 Todd C. Miller * sudoreplay.c: Make sudo_getln() behave more like glibc getline. [40c9f2ea29e6] * script.c: When flushing remaining output, also update timing file. [5a9a5a627549] * sudoreplay.c: Use get_timestr() and make the -l output look like the regular sudo log. [452ba9d436c9] * logging.c, sudo.h, timestr.c: Make get_timestr() take a time_t so we can use it properly in sudoreplay. [82e67cc53c9c] * script.c: Create session dir earlier now that we update the seq number early. [797fe8d6dc61] 2009-09-16 Todd C. Miller * sudoreplay.c: Use fromdate and todate as the keywords instead of from and to; the short forms will still be accepted. [d14d9b116df4] * sudoreplay.c: Fix reading long liensin sudo_getln() [58dadd74118c] * script.c, sudoreplay.c: Log the cwd in the script log file. Add sudo_getln() to read arbitrarily long lines. [faceb802ab8f] * Makefile.in, logging.c, sudo.h, timestr.c: Move get_timestr() into its own source file so sudoreplay can use it. [99b054bfa20a] 2009-09-15 Todd C. Miller * sudoreplay.c: Add to and from perdicates (date ranges); needs documentation [1d629174dcf4] 2009-09-14 Todd C. Miller * Makefile.in, getdate.c, getdate.y: Fix warning and add generated getdate.c [b877a86b5a03] * Makefile.in, getdate.y: Add getdate.y to be used for sudoreplay date parsing. [b8e26fbb7a40] 2009-09-13 Todd C. Miller * sudoreplay.c: Check more than just the first character of a predicate [4fe53728adb1] * sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod: Add examples, sort predicates [70f8075cbccc] * Makefile.in, sudoreplay.c, sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod: Implement search expressions in sudoreplay similar in concept to what find or tcpdump uses. TODO: date ranges [f7ce4fb4cf3a] 2009-09-07 Todd C. Miller * script.c: Remove vhangup as it was hanging up the wrong tty. Should really vhangup in the child after it as set its tty. [2eed9df73010] * sudoers.pod: Fix cut at documenting transcript support. [e6c533a5568a] * logging.c: ID= -> TSID= for transcript ID [1bf755a35333] 2009-09-06 Todd C. Miller * sudoers.pod: Move fast_glob description to where it belongs in sorted order [5901cfb0d25f] * def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, parse.c, parse.h, sudo.c: Rename script -> transcript [e06cf823122c] 2009-09-03 Todd C. Miller * compat.h: Add timeradd and timersub for those without them [929f8aa06c2b] * script.c: Sanity check sessid before using it. [aa8ca5211d43] * sudo.c: Only set the session id if we are running a command or editing a file. [7205d717c098] * script.c: Actually. qsort is fine since most versions fal back to a cheaper sort when the number of elements to sort is small (like in our case). [d11c7cd352fe] * config.h.in, configure, configure.in, script.c: Check for dup2 and use dup instead if we don't have it. [98bd89830f8a] * script.c, sudo.c, sudo.h: Move the code to dup2 the script fds to low numbered descriptors into script_duplow() and fix the fd sorting. [9453fdc5fba6] * script.c, sudo.c, sudo.h: Move script_setup() back to immediately before we drop privs and call the new script_nextid() in its place, which will set sudo_user.sessid for the logging functions. [8434d0c8ff08] 2009-09-01 Todd C. Miller * Makefile.in: Install sudoreplay [6acf2cdb4d3f] * sudoreplay.c: remove unused variable [2316360bb992] 2009-08-30 Todd C. Miller * logging.c, script.c, sudo.c, sudo.h: Log the session ID, if there is one. Currently logs ID=XXXXXX, perhaps should be SESSIONID or SESSID. [53976905b0a6] * Makefile.in, configure, configure.in, sudoreplay.cat, sudoreplay.man.in, sudoreplay.pod: Add sudoreplay docs [da4f14f0e64c] * sudoreplay.c: add -V (version) flag [b5e743639ee3] * sudoreplay.c: Hook up max_wait. [2ec5697a92ba] * script.c, sudoreplay.c: Use base36 number for the ID and store script files with paths like /var/log/sudo-session/00/00/00{,.tim,.scr}. This gives us 36^6 (2,176,782,336) unique IDs. [6aab019d07aa] 2009-08-23 Todd C. Miller * config.h.in, configure.in: Add check for regcomp [44c3ebd7ff34] * sudoreplay.c: Add support for selecting by pattern and tty when listing. [66189f840c52] 2009-08-17 Todd C. Miller * sudoreplay.c: The beginnings of a list mode. [8d0150b4a52c] 2009-08-16 Todd C. Miller * Makefile.in: fix pasto [616b4640b8a8] * Makefile.in, config.h.in, configure.in: Add scaffolding for building sudoreplay [a32958505dbe] * sudoreplay.c: include error.h first arg to nanotime is const [fe5a7bb31bc5] * sudoreplay.c: Initial cut at sudoreplay; replay a sudo session. [f149fba372bd] 2009-08-08 Todd C. Miller * script.c: Fix wait() usage and use correct wait status. [f4745ed7ad05] * sudo.c, sudo.h, tgetpass.c: Add protos for term_* to sudo.h [14fe1abd7e7b] * script.c: Fix detection of the child process exiting. Since the child is in its own session we should only ever get SIGCHLD for that process but better safe than sorry. [7edfdadd8505] * config.h.in: Add UNIX98 pty support. [82f4b53a0e8f] * configure, configure.in, script.c: Add UNIX98 pty support. [795b8bb0a3a1] 2009-08-07 Todd C. Miller * term.c: For raw mode, don't bother clearing BRKINT or PARMRK and clear IUCLC if it is defined. [40f8b83baf69] * auth/pam.c: Set PAM_RUSER and PAM_RHOST early so they can be used during authentication. Based on a patch from Jamie Beverly. [3d567b453a6a] * match.c: Close dir before returning if strlcpy() reports overflow. From Martynas Venckus. [6a82f96473e5] * config.h.in, configure, configure.in, script.c: On Linux, the openpty proto libes in pty.h [98643a018d1c] * script.c: Call vhangup on exit if the system has it Use setpgrp() if no setsid() [3a9e13149829] 2009-08-06 Todd C. Miller * config.h.in, configure, configure.in: Add checks for revoke and vhangup if we don't have openpty [fcb04572e994] * script.c: Session logging guts that got forgotten in the previous commit. [c2af08a63ea9] * Makefile.in, aclocal.m4, compat.h, config.h.in, configure, configure.in, def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, parse.c, parse.h, pathnames.h.in, sudo.c, sudo.h, term.c, tgetpass.c: First cut at session logging for sudo. Still need to write get_pty() for Unix 98 and old-style BSD ptys. Also needs documentation and general cleanup. [77e3f5e25738] 2009-08-05 Todd C. Miller * sudo.c, sudo_edit.c: Fix a bug introduced with def_closefrom. The value of def_closefrom already includes the +1. [7291c136300d] 2009-07-29 Todd C. Miller * Makefile.in: Generate sudo distributions with pax in ustar mode. No longer need to use a temp file or have the source dir name match the version. [9778177a8272] 2009-07-18 Todd C. Miller * toke.c, toke.l: Fix expansion of %h in #include names. Fixes bugzilla 363 [6e346879ba24] 2009-07-12 Todd C. Miller * mkdefaults: If no arg assume def_data.in [c1dd28c0e675] * README, WHATSNEW: Update for 1.7.2 [f5ad45f69f05] [SUDO_1_7_2] * ChangeLog: sync [6283549396ff] 2009-06-30 Todd C. Miller * sudoers.cat, sudoers.man.in, sudoers.pod: Add missing single quotes around a colon in Runas_Spec definition. From Elias Benali. [ccc6ee4fca83] 2009-06-29 Todd C. Miller * sudo.man.in, sudoers.man.in: regen [546e75304ebf] * redblack.c: In rbrepair, re-color the root or the first non-block node we find to be black. Re-coloring the root is probably not needed but won't hurt. [34d01ebe241b] * sudo.cat, sudoers.cat: regen [bebf5a39f54f] 2009-06-26 Todd C. Miller * redblack.c: When repairing the tree, don't touch the root node. [9841f0d5d789] 2009-06-25 Todd C. Miller * set_perms.c: Protect call to setegid in runas_setup with #ifdef HAVE_SETEUID. Reported by Josef Schmid. [ed044b1eb879] 2009-06-23 Todd C. Miller * sudoers.pod: Document that we accept env_pam-style environment files [e3b545456352] * env.c: Adapt to accept pam_env-style /etc/environment which allows shell- style lines such as: export EDITOR="/usr/bin/vi" [752eb75bf007] * sudoers.pod: Make it clear that env_delete only works when !env_reset. From Loïc Minier [3bd3f8e351ba] 2009-06-15 Todd C. Miller * sudo.pod, sudoers.pod: Add non-unix group bits, adapted from Quest [8ce427de8dea] * Makefile.in: build the .cat page in the current working dir, not the src dir [00e87a307674] * env.c: Return EINVAL in setenv() if var is NULL or the empty string to match glibc behavior. [23fd7c247142] 2009-06-13 Todd C. Miller * configure, configure.in: Use AS_HELP_STRING for AC_ARG_WITH and AC_ARG_ENABLE [fedd4a3e2a85] 2009-06-11 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: regen [7b9f461a40b3] 2009-06-09 Todd C. Miller * INSTALL: Document --with-libvas and --with-libvas-rpath [a071e6d96c89] 2009-05-29 Todd C. Miller * ldap.c, sudoers.ldap.pod: For netscape-derived LDAP SDKs the cert and key paths may be a directory or a file. However, version 5.0 of the SDK only seems to support using a directory. If ldapssl_clientauth_init fails and the cert or key paths look like they could be files, strip off the last path element and try again. [ac4e49d83043] * Makefile.in: Add non-Unix group .o to COMMON_OBJS and substitute in path to flex. [4547cc1a335f] 2009-05-27 Todd C. Miller * configure, configure.in, match.c, sudo.c, vasgroups.c: Update non-Unix group support from Quest, as reworked by me. [1abafce29dc6] * toke.c: regen [01bfca9148b7] * toke.l: Add support for escaped hex chars in names, e.g. \x20 for space. [3c7be8e58a39] 2009-05-25 Todd C. Miller * LICENSE, Makefile.in, aclocal.m4, alias.c, auth/aix_auth.c, auth/pam.c, auth/sudo_auth.c, auth/sudo_auth.h, check.c, env.c, fileops.c, glob.c, gram.y, interfaces.c, lbuf.c, ldap.c, logging.c, logging.h, match.c, parse.c, parse.h, pathnames.h.in, pwutil.c, set_perms.c, sudo.c, sudo.h, sudo.pod, sudo_nss.c, sudo_nss.h, sudo_usage.h.in, sudoers.ldap.pod, sudoers.pod, testsudoers.c, tgetpass.c, toke.l, visudo.c: Update copyright years. [e615f676c764] 2009-05-24 Todd C. Miller * interfaces.c, lbuf.c: Minor fixes for Minix-3 [898c510d23f9] 2009-05-22 Todd C. Miller * set_perms.c: Handle getgroups() returning 0. Also add missing check for HAVE_GETGROUPS. [d73b958f9ffd] 2009-05-19 Todd C. Miller * Makefile.in, config.h.in, configure, configure.in, sudo.c, version.h, visudo.c: Replace version.h with PACKAGE_VERSION set via AC_INIT in configure. [5050579a264d] 2009-05-18 Todd C. Miller * set_perms.c: Remove group setting code in setusercontext case, we will do it ourselves later on in runas_setup. Set the gid after initgroups/setgroups is called, since on Mac OS X it seems to change the egid. [09dc21d8b42d] 2009-05-17 Todd C. Miller * LICENSE, Makefile.in, config.h.in, match.c, nonunix.h, sudo.c, vasgroups.c: Initial bits of non-unix group support using Quest Authentication Services [1eecab0ff27e] * toke.c, toke.l: Accept %:foo as a non-Unix group [4c4b5dd899a6] * toke.c, toke.l: Allow user/group to be double quoted in the case of non-Unix groups which contain spaces. [47a3d568b7e8] 2009-05-11 Todd C. Miller * match.c: Don't allow the user to specify the default runas user if their sudoers entry only allows them to run as a group. [4d726177227c] 2009-05-10 Todd C. Miller * sudo.c: Must call audit_success before we change uids. [04a9e6ce6e55] * logging.c, set_perms.c, sudo.h, testsudoers.c: Add option for set_perm to not exit on failure and use this in the logging routines. [833dce7b7f42] * parse.c: In -l mode, if the user is only allowed to run as a group, display the user's name, not root's before the allowed group. [ef92ff99d265] * sudo.c: Fix -g mode, broken by rev 1.503 which had the side effect of setting the runas user to root unilaterally. [50a2f7df4385] 2009-05-08 Todd C. Miller * fileops.c: When unlocking a file with fcntl, use F_SETLK, not F_SETLKW. [30fbe832dcf3] * pwutil.c: Only cache by the method we fetched for pwd and grp lookups. Previously we cached both by namd and id but this can cause problems for entries that share the same id. Also add more info in the error message in case the insert fails (which should now be impossible). [ef95a4f0bab5] 2009-04-30 Todd C. Miller * sudoers.pod: Add a clarification from Nick Sieger [1eadad329561] 2009-04-25 Todd C. Miller * env.c: Inline the setting of the environment string. [9515d11c6295] 2009-04-24 Todd C. Miller * env.c: setenv(3) in Linux treats a NUL value as the empty string setenv(3) in BSD doesn't return an error if the name has '=' in it, it just treats the '=' as end of string. [941260bf94d2] 2009-04-22 Todd C. Miller * toke.c, toke.l: Not all systems have d_namlen [e377b18d8e2d] 2009-04-20 Todd C. Miller * sudoers.pod: Fix up some pod2html issues. [823a1f10ab60] 2009-04-19 Todd C. Miller * interfaces.c: Check for NULL ifa_addr and ifa_netmask. Adapted from a diff from Quest Software. [73de36653131] * sudoers.pod: Ignore files ending in '~' in sudo.d (emacs backup files) [7871fad702db] * toke.c, toke.l: Ignore files ending in '~' in sudo.d (emacs backup files) [53fded2a469f] 2009-04-18 Todd C. Miller * sudoers.cat, sudoers.man.in, sudoers.pod, toke.c, toke.l: For #includedir, ignore any file containing a dot [a7daa1bce6c2] * Makefile.in, version.h: Bump version [ef60f14ffc44] * gram.c, gram.y, parse.c, parse.h, sudo.c, sudo.h, sudoers.cat, sudoers.man.in, sudoers.pod, testsudoers.c, toke.c, toke.l, visudo.c: Implement #includedir directive. Files in an includedir are not edited by visudo unless they contain a syntax error. [3923d85a6c79] * ChangeLog: sync [8741ed61a78b] [SUDO_1_7_1] * WHATSNEW: Forgot umask_override [7c86a21a5504] * ChangeLog, TODO: sync [57339ca6bccf] 2009-04-16 Todd C. Miller * visudo.c: Rewind stream if we fdopen sudoers since it may not be at the beginning. Set the keepopen flag on already-open files too so the lexer doesn't close them out from under us. [61292d819aff] * visudo.c: Print the proper file name when there is a parse error in an include file. [b0e85d4aedde] 2009-04-11 Todd C. Miller * WHATSNEW: Sync [997e5d485ea3] 2009-04-10 Todd C. Miller * configure, configure.in: Fix a warning when --without-ldap is specified. [d91fd9481b30] 2009-04-05 Todd C. Miller * alias.c, parse.h, visudo.c: Store aliases that we remove during check_aliases in a freelist and free them at the end so we don't leak memory. [805e2272f6a3] 2009-03-28 Todd C. Miller * visudo.c: Check aliases in -c mode too. [9199e188d9f2] * alias.c, parse.h, visudo.c: Make alias_remove return the alias struct instead of freeing it directly. Fixes a use after free in alias_remove_recursive, the only consumer. [a04b61804800] * alias.c, match.c, parse.c, parse.h, visudo.c: Rename find_alias -> alias_find for consistency. [48b0a82924f3] 2009-03-27 Todd C. Miller * visudo.c: When checking for unused aliases, recurse if the alias points to another alias. [2d4d1a7f3a41] 2009-03-16 Todd C. Miller * ldap.c: Back out rev 1.105 for now. Real ldapux_client.conf support will be done later after some refactoring. [8ad72e69b277] 2009-03-14 Todd C. Miller * ldap.c: Treat ldap_hostport the same as "host" for ldapux. [3281dcc66da8] * configure, configure.in: Only check for ldap_sasl_interactive_bind_s if we can find sasl.h. Fixes compilation with ldapux. [ca1ed585ef0e] 2009-03-12 Todd C. Miller * fileops.c: fix char subscript [41e51f080d00] 2009-03-11 Todd C. Miller * Makefile.in: remove errant carriage returns [e9e258a31c7b] * audit.c, env.c: fix K&R compilation [d182e8920f13] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: regen [791a5cbf04e5] 2009-03-10 Todd C. Miller * config.h.in: Add missing HAVE_BSM_AUDIT [49ad1bb96f04] * WHATSNEW: Add 1.7.1 features [f107f1604c61] * INSTALL: Mention --with-netsvc [d1e90d147795] * sudoers.ldap.pod: Document netsvc.conf support [e78f8abce6af] * configure, configure.in, pathnames.h.in, sudo.c, sudo_nss.c, sudo_nss.h: Add support for AIX netsvc.conf (like nsswitch.conf). [1df56a84dee5] 2009-03-08 Todd C. Miller * config.h.in, configure, configure.in, env.c: Add --enable-env-debug flag to enable environment sanity checks. [128cdd8832e7] * sudoers.ldap.pod, sudoers.pod: Work around some pod2html issue. [e733b9609bd2] 2009-03-07 Todd C. Miller * env.c: Only sync environ for putenv, setenv, and unsetenv. We need to make sure that sudo_putenv and sudo_setenv only modify env.envp, not environ. [be3ac732243c] 2009-03-02 Todd C. Miller * env.c: Really fix UNSETENV_VOID [08ab7e882507] * env.c: Fix unsetenv when UNSETENV_VOID [d3038b3f2f15] * aclocal.m4, configure: Fix SUDO_FUNC_PUTENV_CONST [de35569c572b] * ldap.c: tivoli-based ldap does not have ldapssl_err2string [c63fd90d5e99] * configure: regen [f38f1ee828ad] 2009-03-01 Todd C. Miller * config.h.in, configure, configure.in, ldap.c: Add support for Tivoli-based LDAP start TLS as seen in AIX. Untested. [8f8771829f85] * env.c: Add sanity checks for setenv/unsetenv [adbd1d95856b] * Makefile.in: Include bsm_audit.h in the tarball [4a4aa02b2c32] * Makefile.in, version.h: bump version for sudo 1.7.1 [362c71d21595] * aclocal.m4, auth/aix_auth.c, config.h.in, configure, configure.in, env.c, ldap.c, sudo.h: Replace sudo_setenv/sudo_unsetenv with calls to setenv/unsetenv and provide our own setenv/unsetenv/putenv that operates on own env pointer. Make sync_env() inline in setenv/unsetenv/putenv functions. [276edcd23032] 2009-02-25 Todd C. Miller * sudo.c: Make "sudoedit -h" work as expected [2bcbbb45d389] * auth/pam.c: Make sure def_prompt is always defined. This is a workaround for pam configs that prompt for a password in the session but don't have an auth line. A better fix is to expand the sudo prompt earlier and set def_prompt to that when initializing. [ee073c04aec3] * sudo.pod: Mention that the helper for -A may be graphical. [b64a940c4082] * TROUBLESHOOTING: Document what happens if there is no tty. [313d58a856a5] * sudo.c: cosmetic changes [894f5e3b0c3e] * term.c: Fix term_restore [6c6315ff14bc] * sudo.c: Fix "sudo -k" with no other args [59e94dc419c6] 2009-02-24 Todd C. Miller * check.c, sudo.c, sudo.pod, sudo_usage.h.in: Allow the -k flag to be specified in conjunction with a command or another option that may require authentication. [5960ff20355d] 2009-02-23 Todd C. Miller * configure, configure.in: Remove unneeded AC_CANONICAL_TARGET; from Diego E. 'Flameeyes' [e86ab69c4a57] * Makefile.in: Parallel make fix. From Diego E. 'Flameeyes' [1289d7ee27db] 2009-02-21 Todd C. Miller * def_data.c, def_data.h, def_data.in, sudo.c, sudoers.pod: Implement umask_override [8b87a3f7c5aa] * toke.c: regen [79d7ca9ac873] * sudoers.pod, toke.l, visudo.c: Implement %h escape in sudoers include filenames. [a7f288dd64f0] * audit.c: Need to include compat.h [c0dc07ce2f70] * Makefile.in, audit.c, bsm_audit.c, bsm_audit.h, logging.h, sudo.c: Make audit_success and audit_failure generic functions in preparation for integrating linux audit support. [7df020a8fd6f] * term.c: remove duplicate include [1dfcd01a7e46] 2009-02-20 Todd C. Miller * bsm_audit.c: Add missing include [fb56e08c37ee] * sudo.c: May need to update the runas user after parsing command-based defaults. [246f130d7802] 2009-02-18 Todd C. Miller * glob.c: Add missing pair of braces introduced with character class support. [0e2afa2e03e9] 2009-02-15 Todd C. Miller * def_data.c, def_data.h, def_data.in, sudoers.pod, tgetpass.c: Rename pwstars to pwfeedback [a9f85a57ebac] 2009-02-11 Todd C. Miller * bsm_audit.c, bsm_audit.h: Add const to make MacOS happy. [4274432d6627] * Makefile.in, auth/sudo_auth.c, bsm_audit.c, bsm_audit.h, configure, configure.in, sudo.c: Add bsm audit support from Christian S.J. Peron [bef61cd8693d] * term.c: This is new code, no DARPA notice. [ec6ad09b9c23] 2009-02-10 Todd C. Miller * def_data.c, def_data.h, def_data.in, match.c, sudoers.pod: Rename simple_glob -> fast_glob [68d9ed803cc1] * match.c: g/c unused var [693fa0464eb6] * def_data.c, def_data.h, def_data.in, match.c, sudoers.pod: Add simple_glob option to use fnmatch() instead of glob(). This is useful when you need to specify patterns that reference network file systems. [77ba634f6949] * tgetpass.c: add term_* proto [520f5149d073] * sudoers.pod: mention glob() [ddaab8e03c52] 2009-02-09 Todd C. Miller * tgetpass.c: Delete any pwstars we wrote after the user hits return. That way there is no record on screen as to the user's password length. [fae25cda762b] 2009-02-08 Todd C. Miller * term.c: Move terminal setting bits from tgetpass.c to term.c [03d43325ee99] * Makefile.in, def_data.c, def_data.h, def_data.in, sudoers.pod, tgetpass.c: Add pwstars sudoers option that causes sudo to print a star every time the user presses a key. [7aab417e184d] 2009-02-03 Todd C. Miller * Makefile.in: Fix up F<> brokenness for visudo.man.in and sudoers.ldap.man.in. [64f70e879816] 2009-01-27 Todd C. Miller * ldap.c: For ldap_search_ext_s() the sizelimit param should be 0, not -1, to indicate no limit. From Mark Janssen. [e2c5732d54f5] 2009-01-17 Todd C. Miller * toke.c, toke.l: Comments that begin with #- should not be parsed as uids. [a72a50f12f41] 2009-01-09 Todd C. Miller * sudo.c: Do not try to set the close on exec flag if we didn't actually open sudoers. [ece3ca256904] 2008-12-19 Todd C. Miller * ChangeLog: regen [e11f0e4c1bdd] [SUDO_1_7_0] 2008-12-14 Todd C. Miller * TODO: sync [5b8954462bb3] 2008-12-09 Todd C. Miller * auth/pam.c: Return PAM_AUTH_ERR instead of PAM_CONV_ERR if user enters ^C at the password prompt. [8563601cb3de] * configure, configure.in: Don't try to build sudo_noexec.so on HP-UX with the bundled compiler as it cannot generate shared objects. [6d4262ef9669] * emul/charclass.h, glob.c, lbuf.c, tgetpass.c: K&R compilation fixes [77921678d17c] * parse.c: Use tq_foreach_fwd when checking pseudo-commands to make it clear that we are not short-circuiting on last match. When pwcheck is 'all', initialize nopass to TRUE and override it with the first non- TRUE entry. [96b209f4778f] 2008-12-08 Todd C. Miller * parse.c: Do not short circuit pseudo commands when we get a match since, depending on the settings, we may need to examine all commands for tags. [fdbaf89d6f35] 2008-12-03 Todd C. Miller * sudoers.cat, sudoers.man.in: regen [1ecce7c1b841] * sudoers.pod: hostnames may also contain wildcards [82b76695601c] * Makefile.in: remove stamp-* files and linux core files in clean target [22003f091467] 2008-12-02 Todd C. Miller * auth/sudo_auth.h, config.h.in, configure, configure.in: Use HAVE_SIA_SES_INIT instead of HAVE_SIA for Digital UNIX [6905bede8410] 2008-11-26 Todd C. Miller * configure, configure.in: correctly enable SIA on Digital UNIX [a51881d13995] * TODO: checkpoint [af0fe8d94d42] * ChangeLog: sync [831f623cf99c] 2008-11-25 Todd C. Miller * check.c, sudo.h, tgetpass.c: Even if neither stdin nor stdout are ttys we may still have /dev/tty available to us. [20f306ba883b] 2008-11-24 Todd C. Miller * sudoers.cat, sudoers.man.in: regen [76d97c4c318f] * sudoers.pod: fix typos; Markus Lude [bff8bc1e2066] * ChangeLog: sync [f108552531cd] * toke.c: regen [de828413c67e] * toke.l: Fix matching of a line that only consists of a comment char [09c953d8d5ca] 2008-11-22 Todd C. Miller * auth/pam.c: MacOS pam will retry conversation function if it fails so just treat ^C as an empty password. [d056058930bc] * visudo.c: When checking for alias use, also check defaults bindings. [2647f82c7dbd] * redblack.c: unused var [b7ff71c17c18] * redblack.c: Replace my rbdelete with Emin's version (which actually works ;-) [21b133dd0c72] 2008-11-19 Todd C. Miller * testsudoers.c: malloc debugging [0fb446fa3279] * visudo.c: malloc options in devel mode for visudo too [98d06c6afeef] 2008-11-18 Todd C. Miller * sudo.c: fix compilation on non-C99; from Theo [7c304e16c536] * visudo.c: fix check_aliases [83f30a3b1765] * alias.c: when destroying an alias, free the correct data pointer [6e1a8bd86c01] * auth/sudo_auth.h: add proto for aixauth_cleanup; from Dale King [eba94ffc8f63] 2008-11-15 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [409fa57fff83] * sudo.pod, sudoers.pod, visudo.pod: standardize on the term 'option' for command line options (not flag) [228caefc2e36] 2008-11-14 Todd C. Miller * INSTALL: Add note on configuring HP-UX pam [f7674a581baf] 2008-11-11 Todd C. Miller * check.c, sudo.c: Move tty checks into check_user() so we only do them if we actually need a password. [7d997d7106d6] * sudo.c: Don't error out if no tty or askpass unless we actually need to authenticate. [9f23b83ed66c] 2008-11-10 Todd C. Miller * ChangeLog: regen [23f9aef32da6] * pathnames.h.in, sudo.c: s/overriden/overridden/; from Tobias Stoeckmann [9f7459a8fac5] 2008-11-09 Todd C. Miller * WHATSNEW, visudo.c: check sudoers owner and mode in strict mode [a3468c5ac1c4] * gram.c, toke.c: regen [7d6b515a5443] * sudo.man.in, sudoers.man.in, visudo.man.in: Update copyright years. [52d340cb8cba] * LICENSE, alias.c, alloc.c, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.h, closefrom.c, compat.h, defaults.c, defaults.h, env.c, fileops.c, gettime.c, gram.y, ins_csops.h, insults.h, interfaces.c, interfaces.h, lbuf.c, license.pod, list.c, logging.c, logging.h, parse.c, parse.h, pwutil.c, redblack.c, redblack.h, snprintf.c, sudo.c, sudo.pod, sudo_edit.c, sudo_nss.h, sudoers.pod, testsudoers.c, toke.l, tsgetgrpw.c, utimes.c, version.h, visudo.c, visudo.pod, zero_bytes.c: Update copyright years. [b4e6bf2beafa] * emul/charclass.h, fnmatch.c, glob.c: add my copyright [28681385014a] 2008-11-08 Todd C. Miller * toke.c, toke.l: The loop in fill_cmnd() was going one byte too far past the end, resulting in a NUL being written immediately after the buffer end. [a5a49d603cd7] * UPGRADE, WHATSNEW: add sections on tgetpass changes [2e6929b6a102] * tgetpass.c: Treat EOF w/o newline as an error. [aa02b1db9240] 2008-11-07 Todd C. Miller * parse.c: Fix "sudo -v" when NOPASSWD is set. [f4914711ea80] * auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c, auth/sudo_auth.h: No longer treat an empty password at the prompt as special. To quit out of sudo you now need to hit ^C at the password prompt. [980f760ad419] * sudoers.cat, sudoers.man.in: regen [6ca21a2cd869] * def_data.c, def_data.h, def_data.in, sudo.c, sudoers.pod: Sudo will now refuse to run if no tty is present unless the new visiblepw sudoers flag is set. [0cc56943252e] 2008-11-06 Todd C. Miller * aix.c: just use RLIM_INFINITY for RLIM_SAVED_MAX if RLIM_SAVED_MAX not defined [24fc6f712d5c] * aix.c: fix fallback value for RLIM_SAVED_MAX [e09e04e1af89] * auth/aix_auth.c, auth/sudo_auth.h: Move clearing of AUTHSTATE into aixauth_cleanup. [e14ae7bd259c] * auth/aix_auth.c, env.c: Unset AUTHSTATE after calling authenticate() as it may not be correct for the user we are running the command as. [d14f68f1b0ab] * isblank.c: Add isblank() function for systems without it. Needed for POSIX character class matching in fnmatch.c and glob.c. [16cba30b283f] 2008-11-05 Todd C. Miller * TROUBLESHOOTING: expound on sudo and cd [8e0fa9033637] 2008-11-04 Todd C. Miller * ChangeLog: regen [40cf320a10fc] * sudoers.cat, sudoers.man.in: regen [7cac761ae2c6] * sudoers.pod: mention defauts parse order [4e2ce86d1394] 2008-11-03 Todd C. Miller * Makefile.in, aclocal.m4, compat.h, configure: Add isblank() function for systems without it. Needed for POSIX character class matching in fnmatch.c and glob.c. [a1ab55da8424] * Makefile.in: add emul/charclass.h to HDRS [7e8a019dcaa4] 2008-11-02 Todd C. Miller * TODO: checkpoint [afeb9bc1baed] * defaults.c, parse.c, testsudoers.c, visudo.c: Move update_defaults into defaults.c and call it properly from visudo and testsudoers. [f4dbb369461f] * defaults.c, interfaces.c, pwutil.c, sudo.c, sudo_edit.c, tgetpass.c, tsgetgrpw.c: use zero_bytes() instead of memset() for consistency [4cee0465f4a8] * logging.c, mon_systrace.c, parse.c, sudo.c, sudo_edit.c, tgetpass.c, visudo.c: Zero out sigaction_t before use in case it has non-standard entries. [120092225459] * match.c: quiet gcc [098a1df49b23] * match.c: Short circuit glob() checks if basename(pattern) != basename(command). Refactor code that checks for a command in a directory and use it in the glob case if the resolved pattern ends in a '/'. [3c46fd317acb] 2008-11-01 Todd C. Miller * defaults.h, parse.c, sudo.c, testsudoers.c, visudo.c: Defer setting runas defaults until after runaspw/gr is setup. [12e75ee49c0c] 2008-10-29 Todd C. Miller * match.c, sudo.c, testsudoers.c: Use MAXHOSTNAMELEN+1 when allocating host/domain name since some systems do not include space for the NUL in the size. Also manually NUL-terminate buffer from gethostname() since POSIX is wishy-washy on this. [7266ab3296a3] 2008-10-26 Todd C. Miller * sudo.c, sudoers.pod: When setting the umask, use the union of the user's umask and the default value set in sudoers so that we never lower the user's umask when running a command. [4e804b004e38] * sudo.c: Don't try to read from a zero-length sudoers file. Remove the bogus Solaris work-around for EAGAIN. Since we now use fgetc() it should not be a problem. [bb8e5f68d944] 2008-10-25 Todd C. Miller * parse.c: In update_defaults() check the return value of user*_matches against ALLOW so we don't inadvertantly match on UNSPEC. [4e422fa1527e] 2008-10-24 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: regen man pages; no more hyphenation [15de4fe2fe01] * sudo.c: Don't error out on a zero-length sudoers file. With the advent of #include the user could create a situation where sudo is unusable. [6eb461319fa5] 2008-10-23 Todd C. Miller * auth/kerb5.c, config.h.in, configure, configure.in: Newer heimdal has 2-argument krb5_get_init_creds_opt_free() like MIT krb5. Really old heimdal has no krb5_get_init_creds_opt_alloc() at all. Add configure tests to handle all the cases. [4b554a98470d] 2008-10-08 Todd C. Miller * sudo.pod: resort ENVIRONMENT [f4f20f40653e] * sudoers.pod: document sudoers_locale [0bffd2dbe806] * sudo.pod, sudo_edit.c: add SUDO_EDITOR variable that sudoedit uses in preference to VISUAL or EDITOR [0ef8cb248cee] * toke.c, toke.l: In fill_cmnd(), collapse any escaped sudo-specific characters. Allows character classes to be used in pathnames. [5685244c8e44] 2008-10-03 Todd C. Miller * lbuf.c: fix typo in non-C89 function declaration [99a7113b3a05] * sudoers.pod: Mention POSIX characters classes now that out fnmatch() and glob() support them. [9c916f1230c3] * sample.sudoers, sudoers.pod: Replace [A-z] (which won't match in UTF8) with [A-Za-z] which is locale agnostic. [a60a62bec244] * parse.h: use __signed char if we are going to assign a negative value since on Power, char is unsigned by default [2877b319df17] * config.h.in, configure, configure.in: Add tests for __signed char and signed char. [5eb874fdf1d4] * aix.c: Fix AIX limit setting. getuserattr() returns values in disk blocks rather than bytes. The default hard stack size in newer AIX is RLIM_SAVED_MAX. From Dale King. [3db67415ecc3] 2008-09-26 Todd C. Miller * emul/charclass.h, fnmatch.c, glob.c: Add character class support to included glob(3) and fnmatch(3). [6b5b4ad77899] 2008-09-16 Todd C. Miller * emul/fnmatch.h: Remove UCB advertising clause and some compatibility defines. [2ade7bee74e1] 2008-09-14 Todd C. Miller * sudo_edit.c: Check EDITOR/VISUAL to make sure sudoedit is not re-invoking itself or sudo. This allows one to set EDITOR to sudoedit without getting into an infinite loop of sudoedit running itself until the path gets too big. [aa49ab68f82d] * def_data.c, def_data.h, def_data.in, defaults.c, sudo.c: Add sudoers_locale Defaults option to override the default sudoers locale of "C". [0639886a35bf] 2008-09-13 Todd C. Miller * sudo.c: Set locale to system default except for during sudoers parse. [016dd2736728] 2008-09-12 Todd C. Miller * match.c: Redo change in 1.34 to use pointer arithmetic. [f9e7b63bb450] 2008-09-11 Todd C. Miller * match.c: Fix a dereference (read) of a freed pointer. Reported by Patrick Williams. [69877b633753] 2008-08-23 Todd C. Miller * sudo.c: Set locale to "C" to avoid interpretation issues with character ranges in sudoers. May want to make the locale a sudoers option in the future. [098a95de1746] 2008-08-20 Todd C. Miller * config.h.in: we no longer use setproctitle [c7f20fb747ea] * sudo.h: remove #if 1 [a368ee6816c6] * LICENSE, mkstemp.c: Use my replacement mkstemp() from the mktemp package. [d07c2beb0f9e] 2008-07-12 Todd C. Miller * gram.c: regen with yacc skeleton bug fixed [24784571cbb8] * sudoers.pod: Remove duplicate "as root". From Martin Toft. [97241acfee5e] 2008-07-02 Todd C. Miller * pwutil.c, sudo.c, sudo.h, testsudoers.c: Flesh out the fake passwd entry used for running commands as a uid not listed in the passwd database. Fixes an issue with some PAM modules. [a6648227f3f2] 2008-07-01 Todd C. Miller * sudo.c: Error out in -i mode if the user has no shell. This can happen when running commands as a uid with no password entry. [0c174bef36ff] 2008-06-26 Todd C. Miller * toke.c, toke.l: Better fix for line continuation inside double quotes. Now accepts whitespace between the backslash and the newline like the main lexer. [64efcdf86d31] 2008-06-25 Todd C. Miller * toke.c, toke.l: Fix line continuation in strings. It was only being honored if preceded by whitespace. [96c21271a3e4] 2008-06-22 Todd C. Miller * config.h.in, configure, configure.in, logging.c: Replace the double fork with a fork + daemonize. [328505441e67] 2008-06-21 Todd C. Miller * env.c, sudo.c: The -i flag should imply env_reset. This got broken in sudo 1.6.9. [3caedfeaec87] * logging.c, sudo.c, sudo_edit.c, visudo.c: Change how the mailer is waited for. Instead of having a SIGCHLD handler, use the double fork trick to orphan the child that opens the pipe to sendmail. Fixes a problem running su on some Linux distros. [b59ce60a393d] 2008-06-20 Todd C. Miller * configure, configure.in: Fix configure test for dirfd() on Linux where DIR is opaque. [b8f729cdfecc] 2008-06-17 Todd C. Miller * tgetpass.c: Get rid of the QNX TCSAFLUSH -> TCSADRAIN hack. If QNX still has this problem we'll need to revisit this again. [c17fee8ad530] 2008-06-11 Todd C. Miller * logging.c: Ignore SIGPIPE instead of blocking it when piping to the mailer. If we only block the signal it may be delivered later when we unblock. Also, there is no need to block SIGCHLD since we no longer do the double fork. The normal SIGCHLD handler is sufficient. [e94a49e992e5] 2008-06-08 Todd C. Miller * configure, configure.in: Add description for NO_PAM_SESSION, from a redhat patch. [b9e4c939ec09] 2008-06-06 Todd C. Miller * sudo.cat, sudo.man.in, sudo.pod: Fix typos in -i usage [2d7ce5de0235] 2008-05-18 Todd C. Miller * configure, configure.in: Redo the test for dgettext() in a way that hopefully will work around the libintl_dgettext() undefined problem. [d27beb0cf85e] 2008-05-11 Todd C. Miller * schema.ActiveDirectory: change filename in comment [733da4ee9ac5] 2008-05-10 Todd C. Miller * Makefile.in, README.LDAP, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: Reference schema.ActiveDirectory [d6aec537800e] 2008-05-09 Todd C. Miller * schema.OpenLDAP, schema.iPlanet: Mark sudoRunAs as deprecated. [00c50df807af] * schema.ActiveDirectory: add sudoRunAsUser and sudoRunAsGroup [19bcce6f72fb] * schema.ActiveDirectory: Active Directory schema by Chantal Paradis and Eric Paquet [06a09c92c6a5] 2008-05-08 Todd C. Miller * parse.c: remove an XXX that was fixed [b88038062fa2] * ChangeLog: sync [8fc27c17270e] * parse.c: Initialize tags to UNSPEC instead of def_* in "sudo -l" mode. This fixes a problem where the tag value printed was influenced by defaults set in the first pass through the parser. [588ccd630367] 2008-05-04 Todd C. Miller * Makefile.in, sudo.psf: No point in packaging the TODO file [9590248fffe1] * ChangeLog: sync [152acf4c6813] 2008-05-03 Todd C. Miller * WHATSNEW, def_data.c, def_data.h, def_data.in, env.c, sudo.c, sudo.h, sudoers.cat, sudoers.man.in, sudoers.pod: Add env_file Defaults option that is similar to /etc/environment on some systems. [1daf53d51e18] 2008-05-02 Todd C. Miller * Makefile.in, README, TODO, WHATSNEW, sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, version.h, visudo.cat, visudo.man.in: change version to 1.7.0 [d41d126b9bd8] * UPGRADE: initial valgrind pass done [c59c3876d8ca] 2008-04-23 Todd C. Miller * ldap.c: Fix typo/think in sudo_ldap_read_secret() when storing the secret. [830d246c09b0] 2008-04-11 Todd C. Miller * ldap.c: define LDAPS_PORT if the system headers do not [247b12325701] 2008-04-10 Todd C. Miller * gram.c, gram.y: Fix another memory leak in init_parser(). [7bba47deba11] * configure, configure.in: There was a missing space before the ldap libs in SUDO_LIBS for some configurations. [7524cfc93759] * alias.c, gram.c, gram.y, toke.c, toke.l: Clean up some memory leaks pointed out by valgrind. [a965866ece1a] 2008-04-07 Todd C. Miller * sudo.c: fix "sudo -s" broken by mode/flags breakout [acffe984d408] * configure, configure.in: remove duplicate check for dgettext [58145529133c] 2008-04-05 Todd C. Miller * aix.c: Fall back to default stanza if no user-specific limit is found. [7b8cb29123ee] 2008-04-02 Todd C. Miller * snprintf.c: include stdint.h if present [f0ec38529306] * snprintf.c: Use LLONG_MAX, not the old QUAD_MAX [01041ce508fb] 2008-04-01 Todd C. Miller * sudoers.ldap.pod: fix cut and pasto [34240fdef5ab] 2008-03-31 Todd C. Miller * pwutil.c: Add #ifdef PURITY [ce1b571ad526] 2008-03-30 Todd C. Miller * auth/bsdauth.c: remove useless cast [494f8a862e1d] 2008-03-27 Todd C. Miller * ChangeLog: sync [f5c97ffaabcc] * TODO: sync [96ff1c44c182] * sudo.h: Split MODE_* defines into primary and flags. [c02ee3027cb9] 2008-03-26 Todd C. Miller * aix.c: It turns out the logic for getting AIX limits is more convoluted than I realized and differs depending on whether the soft and/or hard limits are defined. [cf8d3f85d395] 2008-03-23 Todd C. Miller * Makefile.in, configure, configure.in: Back out AIX-specific change to set the sudo_noexec path to the .a file, we do really want to use the .so file. Since libtool doesn't do that correctly, just install the .so file ourselves in the Makefile. [05c6f33177d9] * install-sh: If the file given to install is a path, only use the basename of the file when building the destination path. [695ba4e429ce] 2008-03-18 Todd C. Miller * sudo.c: parse_args() cleanup: Sort command line options in the getopt() switch The -U option requires a parameter Normalize a few ISSET calls Split mode into mode and flags and retire the now-obsolete excl variable [0d156835f861] * WHATSNEW, check.c, sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod, sudo_usage.h.in: Add -n (non-interactive) flag. [e3e50400d32d] * sudo.c: Move version printing, etc. into a separate function. [18c91b476e2c] * sudo.c: Don't try to cleanup nsswitch if it has not been initialized. [aeb1ca1b399d] 2008-03-17 Todd C. Miller * logging.c: Block SIGPIPE in send_mail() so sudo is not killed by a problem executing the mailer. [f130e7924cca] 2008-03-14 Todd C. Miller * configure, configure.in: AIX shared libs end in .a, not .so. [a5deb07020d8] 2008-03-13 Todd C. Miller * env.c: Preserve HOME by default too. Matches documentation and previous behavior. [c16f17f1047c] 2008-03-12 Todd C. Miller * sudo.c: Use getopt() to parse the command line. We need to be able to intersperse env variables and options yet still honor "--"" which complicates things slightly. [60f271ce5c16] 2008-03-06 Todd C. Miller * ChangeLog: sync [685e67964eda] * acsite.m4, configure, ltmain.sh: update to libtool-1.5.26 [4c9a8c3d3b40] * config.guess, config.sub: update from libtool-1.5.26 distribution [c6641aef2527] * aix.c, sudo.h: attempt to fix compilation errors on AIX [edb13e5b2184] * Makefile.in: fix typo in last commit [25ba7f7ceae4] * Makefile.in: Add WHATSNEW file to the distribution [213f4115de8f] * visudo.c: use warningx instead of fprintf(stderr, ...) [a3494b8ccb19] * list.c: add DEBUG to list2tq [115d24a3000c] * ChangeLog, TODO: sync [60e6f4d1fac0] * WHATSNEW: mention mailfrom [e2498f9e18d6] * Makefile.in, aix.c, config.h.in, configure, configure.in, set_perms.c, sudo.h: Add aix_setlimits() to set resource limits on AIX using a combination of getuserattr() and setrlimit(). Currently untested. [9b1441fd89ca] 2008-03-05 Todd C. Miller * def_data.c, def_data.h, def_data.in, logging.c, sudoers.cat, sudoers.man.in, sudoers.pod: Add mailfrom Defaults option that sets the value of the From: field in the warning/error mail. If unset the login name of the invoking user is used. [029b9f05d3d9] * defaults.c: store a copy of _PATH_SUDO_ASKPASS in def_askpass that is freeable [a90e407d5e00] * gram.c, gram.y: When adding a default, only call list2tq() once to do the list to tq conversion. It is not legal to call list2tq multiple times on the same list since list2tq consumes and modifies the list argument. [fbc25d245c4a] * sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: comment out XXXs for now [595a1d43309d] * WHATSNEW: mention askpass [b993e0837c22] 2008-03-04 Todd C. Miller * sudo.c: Error out if both -A and -S are specified Error out if -A is specified but no askpass is configured [24f1df2638f6] * configure, configure.in: we are not going to ship a sudo-specific askpass [61949e7a3943] 2008-03-03 Todd C. Miller * sudo.h: fix definition of TGP_ASKPASS [0447c57ba4c3] * def_data.c, def_data.in: make askpass boolean-capable [e0885893a325] * INSTALL: document --with-askpass [c76e15ba97cf] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.man.in, visudo.cat: regen [8d16242980b7] 2008-03-02 Todd C. Miller * sudo.pod, sudo_usage.h.in, sudoers.pod: document -A and askpass [02c07505a78c] * auth/sudo_auth.c, check.c, configure, configure.in, def_data.c, def_data.h, def_data.in, defaults.c, pathnames.h.in, sudo.c, sudo.h, sudo_usage.h.in, tgetpass.c: Add support for running a helper program to read the password when no tty is present (or when specified with the -A flag). TODO: docs. [05780f5f71fd] * def_data.c, def_data.in: add missing printf format to SELinux role and type strings [2b32774715e7] 2008-02-27 Todd C. Miller * INSTALL, configure, configure.in: Disable use of gss_krb5_ccache_name() by default and add --enable-gss-krb5-ccache-name configure option to enable it. It seems that gss_krb5_ccache_name() doesn't work properly with some combinations of Heimdal and OpenLDAP. [f61ebd3b19bd] 2008-02-22 Todd C. Miller * selinux.c: Ignore setexeccon() failing in permissive mode. Also add a call to setkeycreatecon() (though this is probably insufficient). From Dan Walsh. [52564fc1c069] * auth/pam.c: Only set std_prompt for the PAM_PROMPT_* cases. The conversation function may be called for non-password reading purposes so we must be careful not to use def_prompt in cases where it may not be set. [29d88ca575ba] 2008-02-20 Todd C. Miller * selinux.c: Don't free the new tty context, we need to keep it around when we restore the tty context after the command completes [5b4bd39b6ea8] 2008-02-19 Todd C. Miller * selinux.c: s/newrole/sudo/ [21b8a96ff8df] * sudo.man.pl, sudo.pod: Only put login_cap(3) in SEE ALSO section if we have login.conf support [05250ddff2c0] 2008-02-18 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: regen [301e5c5ccdbe] * Makefile.in, configure, configure.in: Substitute in comment characters for lines partaining to login.conf, BSD auth and SELinux and only enable them if pertinent. [9a02bd6a6658] * sudo.man.pl: Substitute in comment characters for lines partaining to login.conf, BSD auth and SELinux and only enable them if pertinent. [0c56d4750ac3] * sudo.pod: Substitute in comment characters for lines partaining to login.conf, BSD auth and SELinux and only enable them if pertinent. [acdbdfd24e1d] * sudoers.man.pl: Substitute in comment characters for lines partaining to login.conf, BSD auth and SELinux and only enable them if pertinent. [6c88f30b878a] * sudoers.pod: Substitute in comment characters for lines partaining to login.conf, BSD auth and SELinux and only enable them if pertinent. [c1c98fa163ce] * Makefile.in, sudo.pod, sudoers.ldap.pod, sudoers.pod, visudo.pod: Remove the =cut on the first line (above the copyright notice) to quiet pod2man. Also remove the hackery in the FILES section and just deal with the fact that there will a newline between each pathname. [2ac1ab191835] 2008-02-17 Todd C. Miller * Makefile.in: run sudo.man.pl when generating sudo.man.in [859727369168] * configure, configure.in, sudo.man.pl: comment out SELinux manual bits unless --with-selinux was specified [97ff4212b649] * sudoers.pod: document role and type defaults for SELinux [870f303366b3] * sudo.c, sudo.cat, sudo.man.in, sudo.pod, sudo_usage.h.in: Document "sudo -ll" and make "sudo -l -l" be equivalent. [3ce6dc429ea3] 2008-02-15 Todd C. Miller * configure, configure.in: Treat k*bsd*-gnu like Linux, not BSD. Fixes compilation problems on Debian GNU/kFreeBSD. [c4efa567a328] 2008-02-13 Todd C. Miller * auth/kerb5.c: Avoid Heimdal'isms introduced in the rev 1.32 rewrite of verify_krb_v5_tgt() [f80538e5a6fa] * logging.c, logging.h, sudo.c: Remove dependence on VALIDATE_NOT_OK in logging functions. Split log_auth() into log_allowed() and log_denial() Replace mail_auth() with should_mail() and a call to send_mail() [58aac9997557] 2008-02-10 Todd C. Miller * ldap.c: Add debugging so we can tell if the krb5 ccache is accessible [c679322527bb] * INSTALL: mention --with-selinux [9efbe0b52194] 2008-02-09 Todd C. Miller * configure: regen [467a834f867c] * selinux.c: add Sudo tag [d004ee669bed] * sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod, sudo_usage.h.in, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod, testsudoers.c, toke.c, toke.l: Add support for SELinux RBAC. Sudoers entries may specify a role and type. There are also role and type defaults that may be used. To make sure a transition occurs, when using RBAC commands are executed via the new sesh binary. Based on initial changes from Dan Walsh. [1d4abfe2c004] * Makefile.in, config.h.in, configure.in, def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, ldap.c, parse.c, parse.h, pathnames.h.in, selinux.c: Add support for SELinux RBAC. Sudoers entries may specify a role and type. There are also role and type defaults that may be used. To make sure a transition occurs, when using RBAC commands are executed via the new sesh binary. Based on initial changes from Dan Walsh. [6b421948286e] * sesh.c: Add support for SELinux RBAC. Sudoers entries may specify a role and type. There are also role and type defaults that may be used. To make sure a transition occurs, when using RBAC commands are executed via the new sesh binary. Based on initial changes from Dan Walsh. [1e3b395ce049] 2008-02-08 Todd C. Miller * lbuf.c, ldap.c, parse.c, sudo.c, sudo.h, sudo_nss.c: Add long list (sudo -ll) support for printing verbose LDAP and sudoers file entries. Still need to update manual. [2875be37935c] 2008-02-03 Todd C. Miller * ldap.c, parse.c, sudo.h, sudo_nss.c, sudo_nss.h: Unify the -l output for file and ldap based sudoers and use lbufs for both. The ldap output does not currently include options that cannot be represented as tags. This will be remedied in a long list output mode to come. [b2e429456596] 2008-01-27 Todd C. Miller * set_perms.c: Use a specific error message for errno == EAGAIN when setuid() et al fails. On Linux systems setuid() will fail with errno set to EAGAIN if changing to the new uid would result in a resource limit violation. [08d0aecd9f03] * sudo.c: Unlimit nproc on Linux systems where calling the setuid() family of syscalls causes the nroc resource limit to be checked. The limits will be reset by pam_limits.so when PAM is used. In the non-PAM case the nproc limit will remain unlimited but there doesn't seem to be a way around that other than having sudo parse /etc/security/limits.conf directly. [df024b415a8d] * env.c, sudo.c, sudo.pod: Only read /etc/environment on Linux and AIX [90669e2aefdb] 2008-01-23 Todd C. Miller * configure, configure.in: Use SUDO_DEFINE_UNQUOTED instead of AC_DEFINE_UNQUOTED to prevent ldap.conf and ldap.secret paths from going into config.h. Avoid single quotes in variable expansion when using SUDO_DEFINE_UNQUOTED since in some versions of bash they will end up literally in the resulting define. [25390f3ef10a] 2008-01-21 Todd C. Miller * README.LDAP: mention --with-nsswitch=no [c509df927263] * configure, configure.in: ldap_ssl.h depends on ldap.h being included first [d96d90e9b21f] * config.h.in, configure, configure.in, ldap.c: Include ldap_ssl.h if we can find it. Needed for the ldapssl_set_strength defines on HP-UX at least. [9e530470948a] * sudoers.ldap.pod: sync [b9d101f4673a] * TODO: sync [2ce951b2ecd0] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: regen [b61d793987e0] * Makefile.in: Use 78n line length when formatting cat pages. [761bee9d5759] * README.LDAP: Remove redundant info that is now in sudoers.ldap.pod [01828dcce59e] 2008-01-20 Todd C. Miller * sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: Reorganize the first section a bit. Substitute the proper path for /etc/sudoers. [11ae165e065d] * sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: Substitute values for ldap.conf, ldap.secret and nsswitch.conf Move schema into EXAMPLES [ab6509d1dde7] * configure, configure.in: Substitute values for ldap.conf, ldap.secret and nsswitch.conf into sudoers.ldap.man. [6e689972f465] * configure, configure.in: substitute for sudoers.ldap.man [5a4a25766dee] * Makefile.in: Fix cut & pasto introduced when adding sudoers.ldap man page. [a7b069af8894] * sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: Fill in some of the missing pieces. Still needs some reorganization and editing. [5e7331722166] 2008-01-19 Todd C. Miller * Makefile.in, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod: Beginnings of a sudoers.ldap man page. Currently, much of the information is adapted from README.LDAP. [aad28c8a922d] 2008-01-18 Todd C. Miller * pwutil.c: When copying gr_mem we must guarantee that the storage space for gr_mem is properly aligned. The simplest way to do this is to simply store gr_mem directly after struct group. This is not a problem for gr_passwd or gr_name as they are simple strings. [af58fc76f1ed] * ldap.c: Fix a typo/thinko in one of the calls to sudo_ldap_check_user_netgroup(). From Marco van Wieringen. [70b2eb8097f5] 2008-01-17 Todd C. Miller * config.h.in, configure, configure.in, ldap.c: include in ldap.c if available [34346206ef16] 2008-01-16 Todd C. Miller * gram.c, gram.y: Make sure we define SIZE_MAX for yacc's skeleton.c [d8a45c7a3c42] * tgetpass.c: Use TCSAFLUSH when restoring terminal settings (and echo) to guarantee that any pending output is discarded [549a184479e5] 2008-01-15 Todd C. Miller * sudoers: no longer need to specify SETENV when user has sudo ALL [3051b41f8032] * testsudoers.c: sync user_args size calculation with sudo.c Add -g group option, renaming old -g to -G Add set_runasgr() and set_runaspw() and use them [0850325180f0] * sudo.c, sudo.h: Make set_runaspw static void [5d44d7a340ce] * testsudoers.c, visudo.c: g/c set_runaspw stub [79ebb5e2cc38] * configure, configure.in: Don't add -llber twice. [4356d302eef4] 2008-01-14 Todd C. Miller * ldap.c: fix typo [249cecc557e9] 2008-01-13 Todd C. Miller * gram.c: regen [2f94ea375b67] * configure, configure.in: Fix check that determines whether -llber is required. [6afa99523379] * README.LDAP, config.h.in, configure, configure.in, ldap.c: For netscape-based LDAP, use ldapssl_set_strength() to implement the checkpeer ldap.conf option. [16ae24d73795] * auth/kerb5.c: Delay krb5_cc_initialize() until we actually need to use the cred cache, which is what krb5_verify_user() does. Better cleanup on failure. [d12e5f1695b8] 2008-01-12 Todd C. Miller * auth/kerb5.c: Rewrite verify_krb_v5_tgt() based on what heimdal's krb5_verify_user() does. [05b5815f86c9] 2008-01-09 Todd C. Miller * gram.c: The U suffix on constants is an ANSI feature [c6dfce3167f1] * configure, configure.in: Add check for ber_set_option() in -llber [43d0c0566074] 2008-01-07 Todd C. Miller * README.LDAP: default if no nsswitch.conf is files only [c13001d9c998] 2008-01-06 Todd C. Miller * README.LDAP: don't tell people to mail aaron about LDAP stuff [8165ec1ef0c6] * README.LDAP: timelimit and bind_timelimit [44f74cbed167] * ChangeLog: sync [aba1a0ab02bd] * ldap.c: Move ldap.secret reading into a separate function. [1948acc9f7a4] * check.c: user_runas -> runas_pw [334490fc2bae] 2008-01-05 Todd C. Miller * TODO: sync [c7b165cc47c6] * check.c, sudo.pod, sudoers.pod: Add and document the %p escape in the password prompt. Based on a patch from Patrick Schoenfeld. [3972d4f31ffa] * ldap.c: Check strlcpy() return values. [9b42f3ae8ff1] * ldap.c: refactor ldap binding code into sudo_ldap_bind_s() [cb0c66a4d955] * README.LDAP: Make it clear that host and uri can take multiple parameters. URI is now supported for more than just openldap nsswitch.conf does't accept "compat" [f610dea656d6] * sudo.c: comment cleanup and update (c) year [6cd69c810ca5] * parse.c, sudo_nss.c: Move display_privs() and display_cmnd() from parse.c to sudo_nss.c. This should make it possible to build an LDAP-only sudo binary. [61c3f27066a0] * ldap.c, parse.c, sudo.c, sudo.h, sudo_nss.h: Improve chaining of multiple sudoers sources by passing in the previous return value to the next in the chain [2c0b722b1b2d] * gram.y: Free up parser data structures in sudo_file_close(). [2251531d4519] * gram.c, parse.c: Free up parser data structures in sudo_file_close(). [8371f130f401] * ldap.c: Parse uri ourself if no ldap_initialize() is present Use ldap_create() instead of deprecated ldap_init() Use ldap_sasl_bind_s() instead of deprecated ldap_simple_bind_s() [85d3825b1953] * config.h.in, configure, configure.in: Add check for ldap_sasl_bind_s() Remove -DLDAP_DEPRECATED from CFLAGS [240524512bc5] 2008-01-04 Todd C. Miller * config.h.in, configure, configure.in: add check for ldap_create [3089badd73b8] 2008-01-03 Todd C. Miller * config.h.in, configure, configure.in, ldap.c: Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn using the mechanism appropriate for the LDAP SDK in use. Use ldap_unbind_ext_s() instead of deprecated ldap_unbind_s(). Emulate ldap_unbind_ext_s() and ldap_search_ext_s() for SDK's without them. [6deeca3d00cc] * lbuf.c: include unistd.h [8419ed0bae7f] * config.h.in, configure.in: fix typo in mtim_getnsec [2d5f21230a60] 2008-01-02 Todd C. Miller * config.h.in, configure, configure.in: add check for st__tim in struct stat as used by SCO [587060ea2a89] * ldap.c: use ldap_search_ext_s instead of deprecated ldap_search_s [5fc44fe3b44c] * Makefile.in, TODO, sudo.cat, sudo.man.in: add sudo_nss.h to HDRS [86f01a70ff29] * ldap.c: Replace deprecated ldap_explode_dn() with calls to ldap_str2dn() and ldap_rdn2str(). [aa217002cfae] 2008-01-01 Todd C. Miller * ldap.c: Use ldap_get_values_len()/ldap_value_free_len() instead of the deprecated ldap_get_values()/ldap_value_free(). [e22dceb85e57] * ChangeLog: sync [adad27b36107] * TODO: sync [c449eb47e0ef] * gettime.c, sudo.c: Remove some already fixed XXXs [532788d0e6da] * ldap.c: Same return value as non-existent sudoers if LDAP was unable to connect. [5819810e8e4e] * sudo.pod: mention /etc/environment [ea8e6102f853] * README.LDAP, UPGRADE, WHATSNEW: Update to reflect recent developments. [ed1fb026fe77] * sudo.c: Print nsswitch.conf, ldap.conf and ldap.secret paths in -V output. [55b68a58260d] * ldap.c: When building up a query don't list groups in the aux group vector that are the same as the passwd file group. On most systems the first gid in the group vector is the same as the passwd entry gid. [4bb51e297e0d] * env.c, ldap.c: Define LDAPNOINIT before calling ldap_init(), etc. to disable user ldaprc and system defaults that could affect how LDAP works. [ce5036440db2] * INSTALL, configure, configure.in, pathnames.h.in, sudo.c, sudo_nss.c, sudo_nss.h: Rename read_nss -> sudo_read_nss Add --with-nsswitch to allow users to specify nsswitch.conf path or disable it. If --with-nsswitch=no but --with-ldap, order is LDAP, then sudoers. Fix --with-ldap-conf- file and --with-ldap-secret-file [ea5d7704381f] * parse.c: Honor def_ignore_local_sudoers [f38e1121fae1] 2007-12-31 Todd C. Miller * ldap.c: no longer need to check def_ignore_local_sudoers here [fce2a72f96fb] * parse.c: Refactor group vector resetting into a function and also call it from display_cmnd. Stop after the first sucessful match in display_cmnd. Print a newline between each display_privs method. [981b37b5adff] * parse.c: fix double free introduced in rev 1.218 [c574b02d8747] * ldap.c: belt and suspenders; zero out result after freeing it [7732988d4620] * env.c, fileops.c, ldap.c, sudo.h, sudo_nss.c: Refactor line reading into a separate function, sudo_parseln(), which removes comments, leading/trailing whitespace and newlines. May want to rethink the use of sudo_parseln() for /etc/ldap.secret [61d9068f0645] * parse.c, sudo.c: Make the inability to read the sudoers file a non-fatal error if there are other sudoers sources available. sudoers_file_lookup now returns "not OK" if sudoers was not present [643babf597a8] * ldap.c: make it clear that the global options are from LDAP [9ff950349463] * logging.c: allocate proper amount of space for error string [8bebb7d46d19] * sudo_nss.c, sudo_nss.h: actual sudo nss code [5bd7d52d7738] * ldap.c, parse.c, sudo.c, sudo.h: nss-ify display_privs and display_cmnd. [cccfdd3253f2] * defaults.c, parse.c, testsudoers.c, visudo.c: move update_defaults() to parse.c [ace144b958a9] * Makefile.in, ldap.c, list.c, parse.c, parse.h, sudo.c, sudo.h: Use nsswitch to hide some sudoers vs. ldap implementation details and reduce the number of #ifdef LDAP TODO: fix display routines and error handling [6225edde89a6] 2007-12-28 Todd C. Miller * Makefile.in, README.LDAP, ldap.c, pathnames.h.in, sudo.c, sudo.h: First cut at nsswitch.conf support. Further reorganizaton and related changes are forthcoming. [717f59d0790b] 2007-12-21 Todd C. Miller * env.c, pathnames.h.in, sudo.c, sudo.h: Add support for reading and /etc/environment file. Still needs to be documented and should probably only applies to OSes that have it (AIX and Linux, maybe others). [15d3edae27e4] * ldap.c: include limits.h [e19875ef0f82] 2007-12-20 Todd C. Miller * WHATSNEW: reword LDAP SASL [7ec3c4ec31b5] 2007-12-19 Todd C. Miller * TODO: sync [87c5a7aea7bf] * README.LDAP: Add an example sudoRole, clarify netscape vs. openldap a bit more [6f96c0ca8107] * README.LDAP: Be clear on what is OpenLDAP vs. Netscape-derived [a33c8314dec5] * config.h.in, configure, configure.in, ldap.c: Use ldapssl_init() for ldaps support instead of trying to do it manually with ldap_init() + ldapssl_install_routines(). Use tls_cert and tls_key for cert7.db and key3.db respectively. Don't print debugging info for options that are not set. Add warning if start_tls specified when not supported. [abb62dc7e4a3] * ldap.c: fix compilation on solaris [03d449684e80] * Makefile.in: add missing .h and .c files for missing lib objs [8b37825bdfc7] 2007-12-18 Todd C. Miller * ldap.c: fix LDAP_OPT_NETWORK_TIMEOUT setting [226eba89c0ad] * ldap.c: fix compilation on Solaris [917d47639eb6] 2007-12-17 Todd C. Miller * configure, configure.in: fix typo [009d5c81b225] * README.LDAP: try to clear up which variables are for OpenLDAP and which are for netscape-derived SDKs [f8d9823ee73c] * config.h.in, configure, configure.in, ldap.c: Add support for "ssl on" in both netscape and openldap flavors. Only the OpenLDAP flavor has been tested. [952745829ec5] * logging.c, sudo.c, sudo.h: Call cleanup() before exit in log_error() instead of calling sudo_ldap_close() directly. ldap_conn can now be static to sudo.c [da02d1b67a2c] * sudo.c: ld -> ldap_conn [01afa6d927cc] 2007-12-16 Todd C. Miller * logging.c, sudo.c, sudo.h: Better ldap cleanup. [25b9abe2d617] * ldap.c: Distinguish between LDAP conf settings that are connection-specific (which take an ld pointer) and those that are default settings (which do not). [d48dc6c9c3b4] 2007-12-14 Todd C. Miller * ldap.c: Improved warnings on error. [c8dce7b4feb4] * ldap.c: Make ldap config table driven and set the config *after* we open the connection. [d9698b5a2681] 2007-12-13 Todd C. Miller * ldap.c: fix LDAP_OPT_X_CONNECT_TIMEOUT compat define [598c6df06660] * configure, configure.in: some operating systems need to link with -lkrb5support when using krb5 [8896365dde9e] 2007-12-10 Todd C. Miller * WHATSNEW: minor update [acfeeb7f4886] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in: regen [a3c6699674f9] 2007-12-08 Todd C. Miller * ChangeLog, TODO: sync [138e99b925ee] * ldap.c, schema.OpenLDAP, schema.iPlanet, sudoers2ldif: add -g support for LDAP [8fc27dbe9287] 2007-12-03 Todd C. Miller * WHATSNEW, sudo.c, sudo.pod, sudo_usage.h.in: The -i and -s flags can now take an optional command. [6afec104ee77] 2007-12-02 Todd C. Miller * auth/pam.c, def_data.c, def_data.h, def_data.in, sudo.c, sudo.pod, sudoers.pod: Add passprompt_override flag to sudoers that will cause the prompt to be overridden in all cases. This flag is also set when the user specifies the -p flag. [e4c5402131a6] * sudo.c: Move setting of login class until after sudoers has been parsed. Set NewArgv[0] for -i after runas_pw has been set. [62a48c8c56fa] * configure, configure.in: Move the dgettext check. [5fd8a4712d1c] 2007-12-01 Todd C. Miller * auth/pam.c, config.h.in, configure, configure.in: Add basic support for looking up the string "Password: " in the PAM localized text db. This allows us to determine whether the PAM prompt is the default "Password: " one even if it has been localized. TODO: concatenate non-std PAM prompts and user-specified sudo prompts. [81c25a415d41] 2007-11-27 Todd C. Miller * Makefile.in, config.h.in, configure, configure.in, parse.c, set_perms.c, sudo.c, sudo.h: Use AC_FUNC_GETGROUPS instead of a home-grown attempt that was insufficient. [1cce6ec1a91e] * acsite.m4, configure, interfaces.c, memrchr.c: Fix typos; Martynas Venckus [be1233cca11a] 2007-11-26 Todd C. Miller * set_perms.c: Don't assume runas_pw is set; it may not be in the -g case. [aa11bd2193ac] 2007-11-25 Todd C. Miller * logging.c, set_perms.c: Set aux group vector for PERM_RUNAS and restore group vector for PERM_ROOT if we previously changed it. Stash the runas group vector so we don't have to call initgroups more than once. Also add no-op check to check_perms. [53837fc755f7] 2007-11-21 Todd C. Miller * WHATSNEW, check.c, def_data.in, defaults.c, gram.c, gram.h, gram.y, ldap.c, logging.c, match.c, mon_systrace.c, parse.c, parse.h, pwutil.c, set_perms.c, sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod, sudo_usage.h.in, sudoers.cat, sudoers.man.in, sudoers.pod, testsudoers.c, visudo.c, visudo.cat, visudo.man.in: Add support for runas groups. This allows the user to run a command with a different effective group. If the -g option is specified without -u the command will be run as the current user (only the group will change). the -g and -u options may be used together. TODO: implement runas group for ldap improve runas group documentation add testsudoers support [9019309df6d0] * configure, configure.in: fix setting of mandir [2c60f269399f] * sudo.pod, sudoers.pod: document that ALL implies SETENV [bcc8e5b703b9] * ldap.c: s/setenv_ok/setenv_implied/g [f005df2c2eea] * ldap.c: hostname_matches() returns TRUE on match in sudo 1.7. [c3d4377b6e8b] * ldap.c: use strcmp, not strcasecmp when comparing ALL [e486024574a1] * ldap.c: Make sudo ALL imply setenv. Note that unlike with file-based sudoers this does affect all the commands in the sudoRole. [bc12f54321d1] * gram.c, gram.y, parse.c, parse.h: sudo "ALL" now implies the SETENV tag but, unlike an explicit tag, it is not passed on to other commands in the list. [026e2cb40680] * visudo.c: Add missing sudo_setpwent() and sudo_setgrent() calls. Also use sudo_getpwuid() instead of getpwuid(). [86f30a8fbd49] 2007-11-15 Todd C. Miller * sudoers: Expand on the dangers of not using visudo to edit sudoers. [e434e8057d02] 2007-11-08 Todd C. Miller * parse.c: Don't quote *?[]! on output since the lexer does not strip off the backslash when reading those in. [561da4a13afa] 2007-11-07 Todd C. Miller * glob.c: expand "u_foo" types to "unsigned foo" to avoid compatibility issues. [b0d7c64d78c3] 2007-11-04 Todd C. Miller * logging.c: Refactor log line generation in to new_logline(). [6a9b9730615d] 2007-10-25 Todd C. Miller * TROUBLESHOOTING: fix typo [9e19d4f86e47] 2007-10-24 Todd C. Miller * config.h.in, configure, configure.in, interfaces.c, interfaces.h, match.c: Add configure check for struct in6_addr instead of relying on AF_INET6 since some systems define AF_INET6 but do not include IPv6 support. [e24082c416bd] 2007-10-21 Todd C. Miller * configure, configure.in: Fix block to add -lutil for FreeBSD and NetBSD when logincap is in use. [76a9df4a63be] 2007-10-20 Todd C. Miller * configure, configure.in: POSIX states that struct timespec be declared in time.h so check there regardless of the value of TIME_WITH_SYS_TIME. [e42c55ec9daf] 2007-10-17 Todd C. Miller * tgetpass.c: Instead of defining a macro to call the appropriate method for turning on/off echo, just define tc[gs]etattr() and the related defines that use the correct terminal ioctls if needed. Also go back to using TCSAFLUSH instead of TCSADRAIN on all but QNX. [5dfb2379d995] 2007-10-09 Todd C. Miller * Makefile.in: g/c @ALLOCA@ [e6946c2e3820] * configure: regen [9bac7159a138] * INSTALL, auth/pam.c, config.h.in, configure.in: Add --disable-pam-session configure option to disable calling pam_{open,close}_session. May work around bugs in some PAM implementations. [273d0fdb4a9d] 2007-10-08 Todd C. Miller * tgetpass.c: quiet gcc warnings [325565c5a579] * tgetpass.c: Avoid printing the prompt if we are already backgrounded. E.g. if the user runs "sudo foo &" from the shell. In this case, the call to tcsetattr() will cause SIGTTOU to be delivered. [db2139a8d8b8] 2007-09-15 Todd C. Miller * def_data.c, def_data.h, def_data.in: Reorder things such that the definition of env_reset come right before the env variable lists. [e0d8e22a581a] * parse.h: Shrink type and seqno in struct alias from int to u_short [9425263dd565] * alias.c, match.c, parse.c, parse.h: Add a sequence number in the aliases for loop detection. If we find an alias with the seqno already set to the current (global) value we know we've visited it before so ignore it. [301a0548ffff] 2007-09-13 Todd C. Miller * TODO, auth/pam.c, sudo.c, sudo.h: PAM wants the full tty path so add user_ttypath which holds the full path to the tty or is NULL if no tty was present. [c7c1dd4b36c8] * auth/pam.c: Set PAM_RHOST to work around a bug in Solaris 7 and lower that results in a segv. [3a8865b3a357] 2007-09-11 Todd C. Miller * gram.c: regen [5647be127950] * alias.c, defaults.c, gram.y, list.c, list.h, match.c, parse.c, parse.h, testsudoers.c, visudo.c: rename lh_ -> tq_ [8f500c542c4a] 2007-09-10 Todd C. Miller * alloc.c: remove some useless casts [409a448b23f5] * alloc.c: pull in inttypes.h for SIZE_MAX; we avoid stdint.h since inttypes.h predates the final C99 spec and the standard specifies that it shall include stdint.h anyway [ae478fdef61a] 2007-09-06 Todd C. Miller * Makefile.in, alloca.c, configure.in: Since we ship with a pre-generated parser there is no need to ship a bogus alloca implementation. [3f611a7cc0e5] * configure: regen [771eccf5269c] * configure.in: remove initial setting of CHECKSIA, we require that it be unset if not used [a2e91adc5aa2] * Makefile.in: add list.c to SRCS [7db0e56cf5b9] * configure: regen [3716ec30172e] * configure.in: only do SIA checks on Digital Unix [6a96e1af2597] 2007-09-05 Todd C. Miller * sudoers.cat, sudoers.man.in: regen [ac1dc29de72b] * ChangeLog, TODO: sync [781effce0a2d] * auth/kerb5.c: Remove call to krb5_cc_register() as it is not needed for modern kerb5. [351b8b764f16] * configure: regen [ac21dbcc9c2c] * aclocal.m4, configure.in: New method for setting the default authentication type and avoiding conflicts in auth types. [5fb15be11f78] * match.c, parse.c, testsudoers.c: Each entry in a cmndlist now has an associated runaslist so no need to keep track of the most recent non-NULL one. [582e015786b0] 2007-09-04 Todd C. Miller * ldap.c: back out partial ldaps support mistakenly committed [357703e94b2d] * ldap.c: Add support for unix groups and netgroups in sudoRunas [2f04eb91c6d0] 2007-09-03 Todd C. Miller * sudo_edit.c: Fix sudoedit of a non-existent file. From Tilo Stritzky. [a5488a03bddd] 2007-09-02 Todd C. Miller * configure: regen [541177376ee1] * INSTALL: update --passprompt escape info [6d57db4cd538] * configure.in: remove now-bogus comment and update copyright date [6a4af45fa331] * configure.in: Fix up use of with_passwd [7c79d8640f77] * acsite.m4, config.guess, config.sub, configure.in, ltmain.sh: Update to autoconf-2.61 andf libtool-1.5.24 [045259b0b439] * Makefile.in: "cmp -s" not just cmp Add @datarootdir@ to quiet autoconf-2.61 [f5b6a7afb817] 2007-09-01 Todd C. Miller * gram.c: regen [b5b78e71d2cb] * gram.y: move tags and runaslist propagation to be earlier [94f7805f4489] * visudo.c: If -f flag given use the permissions of the original file as a template [9303d22bddb0] * gram.y: prevent a double free() when re-initing the parser [5b3907c4de5a] 2007-08-31 Todd C. Miller * configure: regen [49a90b19a17d] * aclocal.m4, alias.c, alloc.c, auth/API, auth/afs.c, auth/bsdauth.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.h, config.h.in, configure.in, env.c, ldap.c, list.c, list.h, memrchr.c, parse.c, parse.h, pwutil.c, redblack.c, redblack.h, snprintf.c, sudo.c, sudo.h, testsudoers.c, visudo.c, zero_bytes.c: Remove support for compilers that don't support void * [35e1d01ae197] * gram.c: regen [70ce412a458a] * Makefile.in, alias.c, defaults.c, gram.y, list.c, list.h, match.c, parse.c, parse.h, testsudoers.c, visudo.c: Move list manipulation macros to list.h and create C versions of the more complex ones in list.c. The names have been down-cased so they appear more like normal functions. [9cea0e281148] * Makefile.in: Fix cmp command when regenerating parser. Make gram.o the first dependency for all programs so gram.h will be generated before anything that needs it. [429ea065abf1] * gram.y, parse.h: Convert NEW_DEFAULT anf NEW_MEMBER into static functions. [2f3433833589] * match.c, parse.c, testsudoers.c: Use LH_FOREACH_REV when checking permission and short-circuit on the first non-UNSPEC hit we get for the command. This means that instead of cycling through the all the parsed sudoers entries we start at the end and work backwards and quit after the first positive or negative match. [881474532f3e] * gram.c: regen [9152a19d4188] * defaults.c, gram.y, parse.c, parse.h, testsudoers.c, visudo.c: Change list head macros to take a pointer, not a struct. [054f1dcce4cc] * gram.c: regen [be154aae6235] * gram.y: Propagate the runasspec from one command to the next in a cmndspec. [4957b1cb03a3] 2007-08-30 Todd C. Miller * match.c: Replace has_meta() with a macro that calls strpbrk(). [a2e58846a542] * regen [5a932a5c9451] * alias.c, defaults.c, gram.y, match.c, parse.c, parse.h, testsudoers.c, visudo.c: Use a list head struct when storing the semi-circular lists and convert to tail queues in the process. This will allow us to reverse foreach loops more easily and it makes it clearer which functions expect a list as opposed to a single member. Add macros for manipulating lists. Some of these should become functions. When freeing up a list, just pop off the last item in the queue instead of going from head to tail. This is simpler since we don't have to stash a pointer to the next member, we always just use the last one in the queue until the queue is empty. Rename match functions that take a list to have list in the name. Break cmnd_matches() into cmnd_matches() and cmndlist_matches. [7c37b271607a] * parse.c: Fix pasto, append "!" not negated (which is an int) for sudo -l output. [93a444c3997f] * Makefile.in: Remove the dependency of gram .h on gram.y, the .c dependency is enough. Only move y.tab.h to gram.h if it is different; avoids needless rebuilding. [67bf4ea2a2e5] 2007-08-27 Todd C. Miller * sudoers.pod: Defaults lines may be associated with lists of users, hosts, commands and runas users, not just single entries. [795effacb6be] 2007-08-26 Todd C. Miller * Makefile.in: Revert the "cmp" portion of the last diff, it doesn't make sense. [26f34bf4e2e3] * Makefile.in: Remove *.lo for clean: When generating the parser, only move the generated files into place if they differ from the existing ones. [84673fea371b] 2007-08-25 Todd C. Miller * toke.c, toke.l: Replace IPV6 regexp with a much simpler (readable) one and add an extra check when it matches to make sure we have a valid address. [592e9f690556] * match.c: Fix thinko introduced when merging IPV6 support. [da38cd5eb8c7] 2007-08-24 Todd C. Miller * HISTORY, LICENSE: regen [0d7b27b90634] * license.pod: add 2007 [510e5048ae1a] * UPGRADE: mention #uid vs. comment pitfall [4d2861898bcc] * acsite.m4: Merge in a patch from the libtool cvs that fixes a problem with the latest autoconf. From Stepan Kasal. [0c279ae7df3e] * parse.h: Back out he XOR swap trick, it is slower than a temp variable on modern CPUs. [91c4b024e317] * gram.c: regen [cb6d4106fb74] * gram.y, parse.h: Convert the tail queue to a semi-circle queue and use the XOR swap trick to swap the prev pointers during append. [8bf4d9fbee58] 2007-08-23 Todd C. Miller * parse.h: remove useless statement [421ec1dd73e6] * toke.c, toke.l: Refactor #include parsing into a separate function and return unparsed chars (such as newline or comment) back to the lexer. [64166917aa3d] 2007-08-22 Todd C. Miller * WHATSNEW: mention better uid support [56f510e7f2ec] * sudoers.pod: Users may now consist of a uid. [5fd31b2c55ed] * gram.c, gram.h, toke.c: regen [599e58af6dc1] * parse.c: Use lbuf_append_quoted() for sudo -l output to quote characters that would require quoting in sudoers. [3132d05c990a] * lbuf.c, lbuf.h: Add lbuf_append_quoted() which takes a set of characters which should be quoted with a backslash when displayed. [ab09bebb1d65] * toke.l: Require that the first character after a comment not be a digit or a dash. This allows us to remove the GOTRUNAS state and treat uid/gids similar to other words. It also means that we can now specify uids in User_Lists and a User_Spec may now contain a uid. [461fe01f8392] * gram.y, toke.l: Replace RUNAS token with '(' and ')' tokens to make the runas portion of the grammar more natural. [e0c383b4684d] * BUGS: The BUGS file is history [4d9a809585c7] * Makefile.in, README: The BUGS file is history [d9500e261172] 2007-08-21 Todd C. Miller * toke.c, toke.l: Allow comments after a RunasAlias as long as the character after the pound sign isn't a digit or a dash. [d7f3bd94eeda] * WHATSNEW: Glob support was back-ported to 1.6.9 [d1d5cfd46228] 2007-08-20 Todd C. Miller * Makefile.in: remove sudo_usage.h in distclean [df05ce9c4127] * parse.c: If a Defaults value contains a blank, double-quote the string. [9057a910daad] * toke.c, toke.l: Properly deal with Defaults double-quoted strings that span multiple lines using the line continuation char. Previously, the entire thing, including the continuation char, newline, and spaces was stored as-is. [4a4e8eacefe6] * sudo.c: Be consistent when using single quotes and backticks. [d010b83a0fa1] 2007-08-19 Todd C. Miller * Makefile.in, configure, configure.in, lbuf.c, lbuf.h, parse.c, sudo.c, sudo_usage.h.in: Add new linebuf code to do appends of dynamically allocated strings and word-wrapped output. Currently used for sudo's usage() and sudo -l output. Sudo usage strings are now in sudo_usage.h which is generated at configure time. [4dfd0ee8d961] 2007-08-18 Todd C. Miller * parse.c, sudo.c, sudo.h: Fix line wrapping in usage() and use the actual tty width instead of assuming 80. [700eab37c5a6] 2007-08-17 Todd C. Miller * history.pod: some more info [8140112a8ae1] * history.pod: Mentioned Chris Jepeway's parser and also the new one that is in sudo 1.7. [2132d00f0597] 2007-08-16 Todd C. Miller * sudo.pod, visudo.pod: For the options list, add flag args where appropriate and increase the indent level so there is room for them. [2b60fb572e12] 2007-08-15 Todd C. Miller * parse.c: Fix some spacing in "sudo -l" and add a comment about some bogosity in the line wrapping. [b59b056f5ee2] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [5fb719f18ebc] * INSTALL, Makefile.in, WHATSNEW, config.h.in, configure.in, def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, parse.c, parse.h, pathnames.h.in, sudo.c, sudo.h, sudoers.pod, testsudoers.c, toke.c, toke.l: Remove monitor support until there is a versino of systrace that uses a lookaside buffer (or we have a better mechanism to use). [61ff76878e4a] * config.h.in, configure, configure.in, sudo.c: use getaddrinfo() instead of gethostbyname() if it is available [cc33c136aa6a] 2007-08-14 Todd C. Miller * parse.c, sudo.c: Deal with OSes where sizeof(gid_t) < sizeof(int). [130a89cbdfba] * interfaces.c: repair non-getifaddrs() code after ipv6 integration [7ae7a89e2236] * sudo.c: If we can open sudoers but fail to read the first byte, close the file stream before trying again. [6f31272fae7b] 2007-08-13 Todd C. Miller * toke.c: regen [4d7afe0aa6fa] * gram.y, interfaces.c, interfaces.h, match.c, sudoers.pod, toke.l: Add IPv6 support; adapted from patches by YOSHIFUJI Hideaki [4e6ff2965a42] * sudo.pod, sudoers.pod, visudo.pod: Add some missing markup Update copyright [7e6d3c686b5e] 2007-08-12 Todd C. Miller * configure, configure.in: fix sudo_noexec extension which got broken in the libtool update [3a5b447df861] 2007-08-10 Todd C. Miller * Makefile.in: explicitly specify -Tascii to nroff [45c8da4cbefe] 2007-08-08 Todd C. Miller * logging.c: remove an ANSI-ism that crept in [29086f87b2ca] 2007-08-07 Todd C. Miller * sudo.pod: Adjust list indents Prevent -- from being turned into an em dash Use a list for the environment instead of a literal paragraph [c3abcd8f76f4] * visudo.pod: Use a list for the environment instead of an indented literal paragraph. [0ffcfcb7349f] * sudoers.pod: Adjust list indentation [615c89e3123a] * license.pod: add =head3 [8b2e0d38c0bd] 2007-08-06 Todd C. Miller * sudo.pod: mention that when specifying a uid for the -u option the shell may require that the # be escaped [3e3a17bff150] 2007-08-02 Todd C. Miller * match.c: Fix off by one in group matching. [b529602b7fba] 2007-07-31 Todd C. Miller * env.c: Fix typo: PYTHONINSPEC should be PYTHONINSPECT. From David Krause. [ffbf8907c6e7] 2007-07-30 Todd C. Miller * configure, configure.in: Add missing define of HAVE_GSS_KRB5_CCACHE_NAME for the -lgssapi_krb5 case. [2b85a89c2252] * aclocal.m4, configure, configure.in: Fix link tests such that new gcc doesn't optimize away the test. [83484ec95cba] 2007-07-29 Todd C. Miller * sudo.pod, sudoers.pod, visudo.pod: add missing over/back [251a12c89b91] * sudo.pod, sudoers.pod, visudo.pod: Change FILES section to use =item [60b9efc3a0b2] * env.c: Add back allocation of the env struct in rebuild_env but save a copy of the old pointer and free it before returning. [1100cd4fa997] * env.c: Don't init the private environment in rebuild_env() since it may have already been done implicitly sudo_setenv/sudo_unsetenv. Multiply length by sizeof(char *) in memcpy/memmove when copying the environment so we copy the full thing. Add missing set of parens so we deref the right pointer in sudo_unsetenv when searching for a matching variable. [9086a8f756b1] 2007-07-26 Todd C. Miller * sudo.pod, sudoers.pod, visudo.pod: Use file markup for paths in the FILES section [940d99f731f2] * sudo.pod, sudoers.pod, visudo.pod: Don't capitalize sudo/visudo [f067a455d44b] * sudoers.pod: Sort sudoers options; based on a diff from Igor Sobrado. [a9b9befe85ac] 2007-07-25 Todd C. Miller * sudo.pod, sudoers.pod, visudo.pod: Use 8 and 5 instead of @mansectsu@ and @mansectform@ since the latter confuses pod2man. The Makefile rules for the .man.in file will add @mansectsu@ and @mansectform@ back in after pod2man is done anyway. [b50ea0db727c] 2007-07-22 Todd C. Miller * LICENSE, Makefile.in, license.pod: Move license info to pod format [25bdd82e592b] * configure, configure.in, sudoers.pod: Substitute value of path_info into sudoers man page. [9ba661a82798] * WHATSNEW: remove features that were back-ported to 1.6.9 [e76d756cbe65] * sudo.c, sudo.pod, visudo.c, visudo.pod: Sort SYNOPSIS and sync usage. From Igor Sobrado. [4970386c9e54] * env.c: Only need sudo_setenv/sudo_unsetenv if we are going to use ldap_sasl_interactive_bind_s() but don't have gss_krb5_ccache_name(). [f1a73d8b35c5] * ChangeLog: rebuild without branch info [5d5a33494677] * Makefile.in: Add ChangeLog target [a702034fdd89] * auth/pam.c: Run cleanup code if the user hits ^C at the password prompt. [9cf87768e921] * auth/pam.c: Some versions of pam_lastlog have a bug that will cause a crash if PAM_TTY is not set so if there is no tty, set PAM_TTY to the empty string. [5b63f6c88866] 2007-07-20 Todd C. Miller * Makefile.in: ChageLog not Changelog [1243d8473ceb] * ChangeLog: sync [d887df98c6b0] * Makefile.in: CHANGE -> Changelog [917738df30dd] * TODO: sync [cd382f7d1948] 2007-07-19 Todd C. Miller * config.h.in, configure, configure.in, ldap.c: Add configure hooks for gss_krb5_ccache_name() and the gssapi headers. [139606209991] 2007-07-18 Todd C. Miller * env.c, sudo.c: rebuild_env() and insert_env_vars() no longer return environment pointer, they set environ directly. No longer need to pass around an envp pointer since we just operate on environ now. Add dosync argument to insert_env() that indicates whether it should reset environ when realloc()ing env.envp. Use an initial size of 128 for the environment. [4735fd5fddb8] * env.c: Split sudo_setenv() into an external version and a version only for use by rebuild_env(). [fda7d655adb1] 2007-07-16 Todd C. Miller * ldap.c: Add support for using gss_krb5_ccache_name() instead of setting KRB5CCNAME. Also use sudo_unsetenv() in the non- gss_krb5_ccache_name() case if there was no KRB5CCNAME in the original environment. TODO: configure setup for gss_krb5_ccache_name() [fcafa5a49caf] * README.LDAP: add krb5_ccname [fceb8f883886] * README.LDAP, ldap.c: Add support for sasl_secprops in ldap.conf [1f06f4bf7347] * env.c, sudo.h: Add sudo_unsetenv() and refactor private env syncing code into sync_env(). [045ecb3fd22b] * README.LDAP, ldap.c: The ldap.conf variable is sasl_auth_id not sasl_authid. [a5f98491311b] 2007-07-15 Todd C. Miller * ldap.c, sudo.c, sudo.h: Add support for krb5_ccname in ldap.conf. If specified, it will override the default value of KRB5CCNAME in the environment for the duration of the call to ldap_sasl_interactive_bind_s(). [b08a10c3045b] * env.c, sudo.h: Remove format_env() Add sudo_setenv() to replace most format_env() + insert_env() combinations. insert_env() no longer takes a struct environment * [131da52f43f3] * ldap.c: Fix use_sasl vs. rootuse_sasl logic. [0c0417b6918c] * README.LDAP, config.h.in, configure, configure.in, ldap.c: Add support for SASL auth when connecting to an LDAP server. Adapted from a diff by Tom McLaughlin. [a6285f1356ea] 2007-07-14 Todd C. Miller * configure, configure.in: Only enable AIX or BSD auth if no other exclusive auth method has been chosen. Allows people to e.g., use PAM on AIX without adding --without-aixauth. A better solution is needed to deal with default authentication since if a non-exclusive method is chosen we will still get an error. [83f7afdc0ec3] 2007-07-11 Todd C. Miller * HISTORY, Makefile.in, history.pod: Generate HISTORY from history.pod (which is also used for web pages) [60bcd5164931] 2007-07-09 Todd C. Miller * sudo.man.in, sudoers.man.in: regen [63956a366191] * sudo.pod: Better explanation of environment handling in the sudo man page. [6c247742f7ee] * env.c, sudo.c: Defer setting user-specified env vars until after authentication. [4750b79323ee] * env.c: honor def_default_path for PATH set on the command line [6db31d9b6d65] * env.c, sudo.c, sudo.pod, sudoers.pod: Allow user to set environment variables on the command line as long as they are allowed by env_keep and env_check. Ie: apply the same restrictions as normal environment variables. TODO: deal with secure_path [26c0da3840cf] 2007-07-08 Todd C. Miller * sudo.c, sudo_edit.c: Call rebuild_env() in call cases. Pass original envp to sudo_edit(). Don't allow -E or env var setting in sudoedit mode. More accurate usage() when called as sudoedit. [a4af20658361] * ldap.c: warn -> warning [d87d1192b048] * sudo.pod: add -c option to sudoedit synopsis [15b596a7e2db] * TODO: udpate to reality [e2f8fde89db1] * parse.c: Use ALLOW/DENY instead of TRUE/FALSE when dealing with the return value from {user,host,runas,cmnd}_matches(). Rename *matches variables -> *match. Purely cosmetic. [e54a44c00a88] * parse.c: Move setting of FLAG_NO_CHECK into the if(pwflag) block. No change in behavior. [c6272b4f2127] * sudoers: add SETENV tag [3a3066bb6788] 2007-07-06 Todd C. Miller * parse.c: Make pwcheck local to the pwflag block. Use pwcheck even if user didn't match since Defaults options may still apply. [45da9efbbafd] * check.c, sudo.c: Do not update timestamp if user not validated by sudoers. [a4a9d4364827] * set_perms.c: for PERM_RUNAS, set the egid to the runas user's gid and restore to the user's original in PERM_ROOT [1514bfb32847] * logging.c, mon_systrace.c, set_perms.c, sudo.h: PERM_FULL_ROOT is now no different than PERM_ROOT so remove PERM_FULL_ROOT [b9d047a3178c] * check.c: don't check timestamp mtime if we are just going to remove it [5d2470bc6cbd] * sudoers.pod: Move sudoers defaults parameters into their own section. [54701fbc0ff3] * testsudoers.c: Reduce a level of indent by a few placed continue statements. [5d5a9838c8ef] * parse.c: Make matching but negated commands/hosts/runas entries override a previous match as expected. Also reduce some levels of indent by a few placed continue statements. [dd59fa4b91a1] 2007-07-05 Todd C. Miller * parse.c: Print default runas in "sudo -l" if sudoers don't specify one. [07d408c400bd] * match.c: Less hacky way of testing whether the domain was set. [a537059776e5] 2007-07-04 Todd C. Miller * INSTALL: Mention pam-devel and openldap-devel for Linux [9e708c54ecc3] 2007-07-03 Todd C. Miller * README.LDAP: or vs. are [abe8c0f3a410] 2007-07-01 Todd C. Miller * sudo.c: fix typo in Solaris project support [2ffeb2d80959] * HISTORY: update [df162b36f120] * sudo.c: Make -- on the command line match the manual page. The implied shell case has been simplified as a result. [cd217a1f6694] 2007-06-28 Todd C. Miller * sudoers2ldif: add simplistic support for sudoRunas; note that if a sudoers entry contains multiple Runas users, all will apply to the sudoRole [65b11421f5c8] * sudoers2ldif: honor SETENV and NOSETENV tags [2c0d5ba7a09b] 2007-06-24 Todd C. Miller * mon_systrace.c: Redo setting of user_args. We now build up a private copy of argv first and then replace the NULs with spaces. [ccbba72ea112] * mon_systrace.c: getcwd() returns NULL on failure, not 0 on success [88cd9e66e530] * mon_systrace.c: allow chunksiz to reach 1 before erroring out [619d68f14964] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [8db512d3caf0] 2007-06-23 Todd C. Miller * def_data.c, def_data.h, def_data.in, env.c, gram.c, gram.h, gram.y, logging.c, parse.c, parse.h, sudo.c, sudo.h, sudo.pod, sudoers.pod, toke.c, toke.l: Add support for setting environment variables on the command line. This is only allowed if the setenv sudoers options is enabled or if the command is prefixed with the SETENV tag. [5744caebd969] * README.LDAP: replace Aaron's email address with the sudo-workers list [2ffce5f9afc0] * configure: regen [8013dff82c0c] 2007-06-22 Todd C. Miller * Makefile.in, README.LDAP: Break schema out into separate files. [1a53966ca1fa] * schema.OpenLDAP, schema.iPlanet: Break schema out into separate files. [15e598e4c60b] 2007-06-21 Todd C. Miller * auth/aix_auth.c: free message if set by authenticate() [849c220c1236] * match.c: deal with NULL gr_mem [49e4d74f0bbe] 2007-06-20 Todd C. Miller * config.h.in: regen [fead999ad3e9] * configure.in: add template for HAVE_PROJECT_H [e6c42c2eaad1] * closefrom.c: include fcntl.h [54d98b382f03] 2007-06-19 Todd C. Miller * INSTALL: mention --with-project [d3ea3baad7c5] * config.h.in, configure.in, sudo.c: Add Solaris 10 "project" support. From Michael Brantley. [f14f3c8c6554] * sudoers.pod: fix typo [50db81a19787] * configure: regen [ea71afd3e564] * configure.in: Fix preservation of LDFLAGS in the LDAP case. [40a3a47e8059] * memrchr.c: Remove dependecy on NULL [c957ae5e1733] * configure: regen [4955ce0c6912] * aclocal.m4, configure.in: Can't use the regular autoconf fnmatch() check since we need FNM_CASEFOLD so go back to our custom one. [f10d76237486] * env.c: Fix preserving of variables in env_keep. [d040049d6b84] * env.c: add XAUTHORIZATION [0d589a5fe015] * UPGRADE: expand upon env resetting and mention that it began in 1.6.9 not 1.7. [dba251655c76] * sudoers.pod: Update descriptions of env_keep and env_check to match current reality. [dba77357954b] 2007-06-18 Todd C. Miller * env.c: Add LINGUAS to initial_checkenv_table. Add COLORS, HOSTNAME, LS_COLORS, MAIL, PS1, PS2, XAUTHORITY to intial_keepenv_table. [eec4632bd190] * env.c, logging.c: Treat USERNAME environemnt variable like LOGNAME/USER [09f52dcfd70c] * env.c: Don't need to populate keepenv table with the contents of the checkenv table. [527a14afd973] * sudo.c: Don't force sudo into the C locale. [8a5bd301ef96] * env.c: Make env_check apply when env_reset it true. Environment variables are passed through unless they contain '/' or '%'. There is no need to have a variable in both env_check and env_keep. [840c802721e4] 2007-06-16 Todd C. Miller * visudo.c: Remove an duplicate lock_file() call and add a comment. [5af9dcdf0eb6] * UPGRADE: Add sudo 1.6.9 upgrade note. [1585149f2914] 2007-06-14 Todd C. Miller * interfaces.c: Solaris will return EINVAL if the buffer used in SIOCGIFCONF is too small. From Klaus Wagner. [d6899fc44f77] * logging.c, sudo.h: Redo the long syslog line splitting based on a patch from Eygene Ryabinkin. Include memrchr() for systems without it. [66a50e8d553a] * Makefile.in, config.h.in, configure, configure.in: Redo the long syslog line splitting based on a patch from Eygene Ryabinkin. Include memrchr() for systems without it. [407a46190921] * memrchr.c: Redo the long syslog line splitting based on a patch from Eygene Ryabinkin. Include memrchr() for systems without it. [2f6702b7d41b] * configure.in: Since we need to be able to convert timespec to timeval for utimes() the last 3 digits in the tv_nsec are not significant. This makes the sudoedit file date comparison work again. [9d0258849fa9] 2007-06-13 Todd C. Miller * aclocal.m4, configure, configure.in: Add SUDO_ADD_AUTH macro to deal with adding things to AUTH_OBJS. This deals with exclusive authentication methods in a simple way. [7d70072c0f35] 2007-06-12 Todd C. Miller * LICENSE: mkstemp.c is BSD code too. [29e236d98162] * sudo.pod, sudoers.pod, visudo.pod: No commercial support for now. [7c76b3e192dd] 2007-06-11 Todd C. Miller * sudo.c: cleanenv() is no more. [518080514408] 2007-06-10 Todd C. Miller * ChangeLog: Display branch info in Changelog [44e3b27427c7] * utimes.c: Include config.h early so we have it for TIME_WITH_SYS_TIME [4bf1a00d0703] * ChangeLog: Fix Changelog generation and update. [6e960dbcbece] 2007-06-09 Todd C. Miller * closefrom.c: Use /proc/self/fd instead of /proc/$$/fd Move old-style fd closing into closefrom_fallback() and call that if /proc/self/fd doesn't exist or the F_CLOSEM fcntl() fails [faa7e4810758] * auth/kerb5.c, config.h.in, configure.in: o use krb5_verify_user() if available instead of doing it by hand o use krb5_init_secure_context() if we have it o pass an encryption type of 0 to krb5_kt_read_service_key() instead of ENCTYPE_DES_CBC_MD5 to let kerberos choose. [df7acf72bd7c] * env.c: Check TERM and COLORTERM for '%' and '/' characters. From Debian. [f92d05197e40] * configure.in: Fix closefrom() substitution in the Makefile [b642b13fcc5c] * TROUBLESHOOTING: Mention alternate sudo pronunciation. [7c71dc73409f] 2007-06-07 Todd C. Miller * env.c: Remove KRB5_KTNAME from environment. Allow COLORTERM. [70f35a79f780] * auth/kerb5.c: If we cannot get a valid service key using the default keytab it is a fatal error. Fixes a bug where sudo could be tricked into allowing access when it should not by a fake KDC. From Thor Lancelot Simon. [a3ae6a47cb23] 2007-05-12 Todd C. Miller * aclocal.m4, configure, configure.in: Update long long checks to use AC_CHECK_TYPES and to cache values. [047318eaaeb2] * aclocal.m4, configure.in: Use AC_FUNC_FNMATCH instead of a homebrew fnmatch checker. We can't use AC_REPLACE_FNMATCH since that assumes replacing with GNU fnmatch. [80513a1003ea] 2007-05-11 Todd C. Miller * configure, configure.in: Add closefrom() to LIB_OBJS not SUDO_OBJS if it is missing since we need it for visudo now too. [50837c7c2b5e] 2007-04-24 Todd C. Miller * sudoers.pod: Attempt to clarify the bit talking about network numbers w/o netmasks. [211e68c1d034] * sudo.pod: Clarify timestamp dir ownership sentence. [9178f132c7f7] 2007-04-20 Todd C. Miller * auth/pam.c: Linux PAM now defines __LINUX_PAM__, not __LIBPAM_VERSION. From Dmitry V. Levin. [81fce91667bc] 2007-04-16 Todd C. Miller * sudo.c: -i is also one of the mutually exclusive options to list it in the warning message. Noted by Chris Pepper. [7da73fb248e9] 2007-04-12 Todd C. Miller * visudo.pod: The sudoers variable is env_editor, not enveditor. From Jean- Francois Saucier. [2a86ec09a6db] 2007-03-29 Todd C. Miller * redblack.c: I tracked down the original author so credit him and include his license info. [3733553a1bba] 2007-02-06 Todd C. Miller * sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod: Fix typos; from Jason McIntyre. [1ee4ce2512f2] * logging.c: Restore signal mask before calling reapchild(). Fixes a possible race condition that could prevent sudo from properly waiting for the child. [9ee4192385dc] 2007-01-31 Todd C. Miller * pwutil.c: Don't declare pw_free() if we are not going to use it. [adb79a4289ca] * env.c: Add NOEXEC support for AIX 5.3 which supports LDR_PRELOAD and LDR_PRELOAD64. The 64-bit version is not currently supported. Remove zero_env() prototype as it no longer exists. [b4fe65027fb6] 2006-12-11 Todd C. Miller * logging.c: Add "Auto-Submitted: auto-generated" line to sudo mail for rfc 3834. [78002ad90f7b] 2006-09-29 Todd C. Miller * auth/pam.c: If the user enters ^C at the password prompt, abort instead of trying to authenticate with an empty password (which causes an annoying delay). [da3f27b747c7] 2006-08-17 Todd C. Miller * closefrom.c, config.h.in, configure, configure.in: Add fcntl F_CLOSEM support to closefrom(); adapted from a diff by Darren Tucker. [0331b7780759] * pwutil.c: pw_free() is only used by sudo_freepwcache() so ifdef it out too. [0014c0d9eeba] 2006-08-04 Todd C. Miller * config.guess, config.sub: Update to latest versions from cvs.savannah.gnu.org [aa0143101c20] 2006-07-31 Todd C. Miller * pwutil.c, sudo_edit.c: Move password/group cache cleaning out of sudo_end{pw,grp}ent() so we can close the passwd/group files early. [559074bd7eb7] * config.h.in, configure, configure.in, set_perms.c: Add seteuid() flavor of set_perms() for systems without setreuid() or setresuid() that have a working seteuid(). Tested on Darwin. [508d8da99189] 2006-07-30 Todd C. Miller * mon_systrace.c: systrace_read() returns ssize_t [9f97d1d1a59d] * configure, configure.in: Fix typo, -lldap vs. -ldap; from Tim Knox. [a8cc43c3bb2a] 2006-07-28 Todd C. Miller * HISTORY: Fix typo; Matt Ackeret [86964ee3dfbd] 2006-07-17 Todd C. Miller * sudo.c: Print sudoers path in -V mode for root. [dc43f2d75bd9] 2006-06-15 Todd C. Miller * ldap.c: Do a sub tree search instead of a base search (one level in the tree only) for sudo right objects. This allows system administrators to categorize the rights in a tree to make them easier to manage. [6d2d9abf996e] 2005-12-28 Todd C. Miller * sudo.pod: fix typo [1473413bcbda] 2005-12-04 Todd C. Miller * ldap.c: Convert GET_OPT and GET_OPTI to use just 2 args. Add timelimit and bind_timelimit support; adapted from gentoo. [afc816093026] 2005-11-23 Todd C. Miller * ldap.c: Support comments that start in the middle of a line [c25df6ee3db8] * configure, configure.in: Define LDAP_DEPRECATED until we start using ldap_get_values_len() [ee249bfe230a] 2005-11-18 Todd C. Miller * closefrom.c: Silence gcc -Wsign-compare; djm@openbsd.org [28769ce6418d] * error.c, sudo.c, sudo.h, testsudoers.c, visudo.c: cleanup() now takes an int as an arg so it can be used as a signal handler too. [2bb0df34d09c] * sudo.c: Make a copy of the shell field in the passwd struct for NewArgv to avoid a use after free situation after sudo_endpwent() is called. [5dcc9ffd362e] 2005-11-17 Todd C. Miller * config.h.in, configure, configure.in: Add mkstemp() for those poor souls without it. [5fdd02e863e0] * Makefile.in: Add mkstemp() for those poor souls without it. [9c1cf2678f24] * mkstemp.c: Add mkstemp() for those poor souls without it. [c99401207860] 2005-11-15 Todd C. Miller * env.c: Add PERL5DB to list of environment variables to remove. [7375c27ecf75] 2005-11-13 Todd C. Miller * mon_systrace.c, mon_systrace.h: Instead of calling the check function twice with a state cookie use separate check/log functions. Check more ioctl() calls for failure. systrace_{read,write} now return the number of bytes read/written or -1 on error. [3dc8946d90e9] * env.c: Add more environment variables to remove; from gentoo linux Add some comments about what bad env variables go to what (more to do) [6918110a6b82] 2005-11-11 Todd C. Miller * sudo.c, sudo_edit.c: Move sudo_end{gr,pw}ent() until just before the exec since they free up our cached copy of the passwd structs, including sudo_user and sudo_runas. Fixes a use-after-free bug. [54de3778bad0] * visudo.c: Close all fd's before executing editor. [4fcc05e1bec8] * sudo.c: Enable malloc debugging on OpenBSD when SUDO_DEVEL is set. [ef0e8ffa5c9f] * check.c: Fix fd leak when lecture file option is enabled. From Jerry Brown [ce97f9207cd8] 2005-11-07 Todd C. Miller * env.c: Add PERLLIB, PERL5LIB and PERL5OPT to the default list of environment variables to remove. From Charles Morris [c96e1367d1c1] 2005-11-01 Todd C. Miller * env.c: add JAVA_TOOL_OPTIONS to initial_badenv_table for java 5 [72a6a1571226] 2005-10-28 Todd C. Miller * env.c: add PS4 and SHELLOPTS to initial_badenv_table for bash [89dfb3f318f3] 2005-08-15 Todd C. Miller * sudoers.pod: Fix typo; Toby Peterson [b7a3222b23f4] 2005-08-02 Todd C. Miller * tsgetgrpw.c: Make return buffers static so they don't get clobbered [13323a39b9f5] 2005-07-28 Todd C. Miller * auth/securid5.c: Fix securid5 authentication, was not checking for ACM_OK. Also add default cases for the two switch()es. Problem noted by ccon at worldbank [14091e418333] 2005-06-27 Todd C. Miller * ldap.c: Remove ncat() in favor of just counting bytes and pre-allocating what is needed. [25b8712adb61] 2005-06-26 Todd C. Miller * ldap.c: Fix up some comments Add missing fclose() for the rootbinddn case [ae95c8a89711] * ldap.c: align struct ldap_config [35d0d64c76f8] * ldap.c: use LINE_MAX for max conf file line size [da116cb8853d] * pathnames.h.in: add _PATH_LDAP_SECRET [128b04ecfab7] * README.LDAP: Mention rootbinddn Give example ou=SUDOers container [852edc69bd1c] 2005-06-25 Todd C. Miller * INSTALL, configure, configure.in, ldap.c: Support rootbinddn in ldap.conf [1615c91522a1] * env.c, sudo.pod, sudoers.pod: Preserve DISPLAY environment variable by default. [05f503d5f438] * acsite.m4, configure: set need_lib_prefix=no for all cases; this is safe for LD_PRELOAD [18a04dea8d05] * acsite.m4, configure: set need_version=no for all cases; this is safe for LD_PRELOAD [b542560e1a73] * aclocal.m4: typo [c040df0fcd5a] * configure, configure.in: Add dragonfly [f13794618636] * auth/pam.c: Fix call to pam_end() when pam_open_session() fails. [0be47cdfdef1] * configure: regen [7f5c13b4b800] * acsite.m4: rebuild acsite.m4 from libtool 1.9f libtool.m4 ltoptions.m4 ltsugar.m4 ltversion.m4 [a7ba9fd1a2ab] * config.guess, config.sub, ltmain.sh: merge in local changes: config.guess: o better openbsd support config.sub: o hiuxmpp support ltmain.sh o remove requirement that libs must begin with "lib" o don't print a bunch of crap about library installs o don't run ldconfig [f4149f2c720f] * config.guess, config.sub, ltmain.sh: libtool 1.9f [82a534e7121f] * configure.in: Update with autoupdate and make minor changes for libtool 1.9f [11b5ae5c1428] 2005-06-23 Todd C. Miller * parse.c: don't call sudo_ldap_display_cmnd if ldap not setup [8bcf6c094ffe] * check.c, compat.h: Move declatation of struct timespec to its own include files for systems without it since it needs time_t defined. [2ef2ace8fe85] * emul/timespec.h: Move declatation of struct timespec to its own include files for systems without it since it needs time_t defined. [f95137771564] * fileops.c: Move declatation of struct timespec to its own include files for systems without it since it needs time_t defined. [dd8573b2ee7d] * gettime.c: Move declatation of struct timespec to its own include files for systems without it since it needs time_t defined. [021b4569cc0c] * sudo_edit.c, visudo.c: Move declatation of struct timespec to its own include files for systems without it since it needs time_t defined. [b95c333299a0] * ldap.c: Don't set safe_cmnd for the "sudo ALL" case. [ad7fa9e07da0] 2005-05-27 Todd C. Miller * auth/pam.c: Call pam_open_session() and pam_close_session() to give pam_limits a chance to run. Idea from Karel Zak. [fed46d471350] 2005-04-24 Todd C. Miller * check.c, sudo.c: Add explicit cast from mode_t -> u_int in printf to silence warnings on Solaris [17bb961fe22d] * parse.c: include grp.h to silence a warning on Solaris [14386fbab640] 2005-04-23 Todd C. Miller * parse.c: Fix printing of += and -= defaults. [a667604c56cd] 2005-04-17 Todd C. Miller * mon_systrace.c: Sanity check number of syscall args with argsize. Not really needed but a little paranoia never hurts. [6bb455a2c2d6] * mon_systrace.c, mon_systrace.h: Don't do pointer arithmetic on void * Use int, not size_t/ssize_t for systrace lengths (since it uses int) [3cafccffcffd] 2005-04-16 Todd C. Miller * mon_systrace.c: Add some memsets for paranoia Fix namespace collsion w/ error Check rval of decode_args() and update_env() Remove improper setting of validated variable [3d385158354d] 2005-04-12 Todd C. Miller * parse.c, sudo.c, sudo.h: In -l mode, only check local sudoers file if def_ignore_sudoers is not set and call LDAP versions from display_privs() and display_cmnd() instead of directly from main(). Because of this we need to defer closing the ldap connection until after -l processing has ocurred and we must pass in the ldap pointer to display_privs() and display_cmnd(). [1dfc2e8c9f2b] * ldap.c: Reorganize LDAP code to better match normal sudoers parsing. Instead of storing strings for later printing in -l mode we do another query since the authenticating user and the user being listed may not be the same (the new -U flag). Also add support for "sudo -l command". There is still a fair bit if duplicated code that can probably be refactored. [e9568f19bde5] 2005-04-11 Todd C. Miller * ldap.c: Replace pass variable with do_netgr for better readability. [1bba841b6e79] * ldap.c: use DPRINTF macro [02b159b66bb5] * ldap.c: estrdup, not strdup [22cdee7973c1] 2005-04-10 Todd C. Miller * parse.c: Add macro to test if the tag changed to improve readability. [4e11b4819556] * parse.c: Avoid printing defaults header if there are no defaults to print... [41a28627df03] * glob.c: Fix a warning on systems without strlcpy(). [6814e0f0e4f4] * pwutil.c: Use macros where possible for sudo_grdup() like sudo_pwdup(). [30f201ff35cd] 2005-04-08 Todd C. Miller * utimes.c: It is possible for tv_usec to hold >= 1000000 usecs so add in tv_usec / 1000000. [794ac4d53a65] 2005-03-30 Todd C. Miller * auth/kerb5.c: The component in krb5_principal_get_comp_string() should be 1, not 0 for Heimdal. From Alex Plotnick. [fefa351c5044] 2005-03-29 Todd C. Miller * alias.c, alloc.c, check.c, defaults.c, find_path.c, gram.c, gram.y, interfaces.c, ldap.c, logging.c, match.c, mon_systrace.c, pwutil.c, redblack.c, sudo.c, sudo.h, toke.c, toke.l, visudo.c: Add efree() for consistency with emalloc() et al. Allows us to rely on C89 behavior (free(NULL) is valid) even on K&R. [7876bb80d87c] * parse.c, sudo.c: Move initgroups() for -U option into display_privs() so group matching in sudoers works correctly. [b074428ad2ca] 2005-03-27 Todd C. Miller * ldap.c: Removed duplicate call to ldap_unbind_s introduced along with sudo_ldap_close. [19acc1c20f7c] * parse.c: Add missing space in Defaults printing [95d2935bf6d4] 2005-03-25 Todd C. Miller * pwutil.c: Sync sudo_pwdup with OpenBSD changes: use macros for size computaton and string copies. [6b6b241495e5] 2005-03-19 Todd C. Miller * pwutil.c: Zero old pw_passwd before replacing with version from shadow file. [3251b349dfe1] * configure, configure.in: Only attempt shadow password detection if PAM is not being used Add shadow_* variables to make shadow password detection more generic. [d498a3423ac9] * configure.in: Use OSDEFS for os-specific -D_FOO_BAR stuff rather than CPPFLAGS [04d55bbd5e35] 2005-03-13 Todd C. Miller * sudoers.pod: use a non-breaking space to avoid a double space after e.g. [11cdb54bdf7b] * sudo.pod: commna, not colon after e.g. [8d5875ff72e0] 2005-03-12 Todd C. Miller * sudo_noexec.c: Add __ variants of the exec functions. GNU libc at least uses __execve() internally. [d1880473d790] * indent.pro: Match reality a bit more. [633e3fa875a7] * pwutil.c: Missed piece from rev. 1.6, fix sudo_getpwnam() too. [128f7b21c2ee] * pwutil.c: Store shadow password after making a local copy of struct passwd in case normal and shadow routines use the same internal buffer in libc. [f806052a6ffc] 2005-03-11 Todd C. Miller * alloc.c, logging.c: Make varargs usage consistent with the rest of the code. [3d45affc9851] 2005-03-10 Todd C. Miller * sudo_noexec.c: Wrap more of the exec family since on Linux the others do not appear to go through the normal execve() path. [8167769b4e19] * visudo.c: make print_unused static like proto says [ecf10e1bae55] * glob.c: silence a warning on K&R systems [2e00425f1a5c] * alias.c, error.c: make this build in K&R land [156f65f8525a] * parse.c: make this build in K&R land [6fc9276889cb] 2005-03-08 Todd C. Miller * toke.c: regen [3b349748cd21] 2005-03-06 Todd C. Miller * ldap.c: return(foo) not return foo optimize _atobool() slightly [11d09d154ed5] * ldap.c: Use TRUE/FALSE [53999320d98f] * ldap.c: Reformat to match the rest of sudo's code. [1bd0f2afa0e7] * sudo.pod: I am the primary author [5d311ecd85c6] 2005-02-23 Todd C. Miller * Makefile.in, README, RUNSON: The RUNSON file is toast--it confused too many people and really isn't needed in a configure-oriented world. [96a6ef7bbc08] * INSTALL: alternate -> alternative [b65015c5d0a2] * tgetpass.c: Use TCSADRAIN instead of TCSAFLUSH since some OSes have issues with TCSAFLUSH. [c66b4763ffdc] * toke.l: Allow leading blanks before Defaults and Foo_Alias definitions [2add513d9277] * Makefile.in: fix rules to build toke.o and gram.o in devel mode [96cbb414ebd3] 2005-02-20 Todd C. Miller * sudoers.pod: env_keep overrides set_logname [401877193a15] * env.c: Fix disabling set_logname and make env_keep override set_logname. [0906e7a5ed93] * compat.h, config.h.in, configure, configure.in: No longer need memmove() [43bdb6efe3f2] * env.c, sudo.c: Just clean the environment once. This assumes that any further setenv/putenv will be able to handle the fact that we replaced environ with our own malloc'd copy but all the implementations I've checked do. [11658fe92ba2] 2005-02-16 Todd C. Miller * env.c, sudo.c: In -i mode, base the value of insert_env()'s dupcheck flag on DID_FOO flags. Move checks for $HOME resetting into rebuild_env() [8365b0bd0c71] 2005-02-13 Todd C. Miller * env.c, sudo.c: Move setting of user_path, user_shell, user_prompt and prev_user into init_vars() since user_shell at least is needed there. [37e22dce66e9] 2005-02-12 Todd C. Miller * Makefile.in: fix devel builds [9fbb15ef164c] * sudo.c: Fix some printf format mismatches on error. [ffc1c3f11740] * check.c: Fix some printf format mismatches on error. [7b3b508adf50] * configure, gram.c, toke.c: regen [aa76f9d8b02a] * Makefile.in, aclocal.m4, alias.c, alloc.c, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, check.c, closefrom.c, compat.h, configure.in, defaults.c, defaults.h, emul/utime.h, env.c, error.c, fileops.c, find_path.c, getprogname.c, getspwuid.c, gettime.c, goodpath.c, gram.y, interfaces.c, interfaces.h, ldap.c, logging.c, logging.h, match.c, mon_systrace.c, parse.c, redblack.c, redblack.h, set_perms.c, sigaction.c, snprintf.c, strcasecmp.c, strerror.c, strlcat.c, strlcpy.c, sudo.c, sudo.h, sudo.pod, sudo_edit.c, sudo_noexec.c, sudoers.pod, testsudoers.c, tgetpass.c, toke.l, utimes.c, version.h, visudo.c, visudo.pod, zero_bytes.c: Update copyright years. [0610c3654739] * LICENSE: Update copyright years. [f60473bca4b1] * Makefile.binary.in: Update copyright years. [d78ffc9f2e2b] * BUGS, INSTALL, INSTALL.binary, Makefile.in, README, configure.in: version 1.7 [aa977a544ca1] * WHATSNEW: What's new in sudo 1.7, based on the 1.7 CHANGES entries. [ecfcf7269c14] 2005-02-11 Todd C. Miller * compat.h, logging.h, sudo.h: Add __printflike and use it with gcc to warn about printf-like format mismatches [b192ad4a0548] 2005-02-10 Todd C. Miller * CHANGES, ChangeLog: Replaced CHANGES file with ChangeLog generated from cvs logs [d9ace9dab98f] * set_perms.c: Use warning/error instead of perror/fatal. [e33259df7738] * config.guess: Update OpenBSD section [9d2c23de6801] * UPGRADE: Add upgrading noted for 1.7 [1fb6b6d6df07] * env.c, sudo.c, sudoers.pod: Instead of zeroing out the environment, just prune out entries based on the env_delete and env_check lists. Base building up the new environment on the current environment and the variables we removed initially. [fc192df8fd15] * config.h.in, configure, configure.in, sudo.c: Set locale to "C" if locales are supported, just to be safe. [91fbaa98f02e] * toke.c, toke.l: Cast argument to ctype functions to unsigned char. [e096b4d65796] 2005-02-08 Todd C. Miller * env.c: correct value for DID_USER [b5b05d36ec15] * error.c, fnmatch.c, getcwd.c, glob.c, snprintf.c: #include not "compat.h" [7a0ad9a0ccd7] * defaults.c: Reset the environment by default. [4ecc6423e0f0] * sudo.c: Alloc an extra slot in NewArgv. Removes the need to malloc an new vector if execve() fails. [83dfb6f584a7] 2005-02-07 Todd C. Miller * INSTALL, config.h.in, configure, configure.in, sudo.c: Use execve(2) and wrap the command in sh if we get ENOEXEC. [c0c6af4e2a21] 2005-02-06 Todd C. Miller * sudo_noexec.c: Only include time.h on systems that lack struct timespec which gets defind in compat.h (using time_t). [e373e518b4cb] * sudo_noexec.c: Include time.h for time_t in compat.h for systems w/o struct timespec. [a34b5637e458] * compat.h, config.h.in, configure, configure.in: use bcopy on systems w/o memmove [f835eafd78c6] * compat.h: __attribute__((__unused__)) doesn't work in gcc 2.7.2.1 so limit its use to gcc >= 2.8. [1cb9a4e58566] * Makefile.in: Add explicit rule to build sudo_noexec.lo [df1dfcf8dd77] 2005-02-05 Todd C. Miller * INSTALL.configure, Makefile.in: No longer depend on VPATH; pointed out a bunch of missed dependencies. [601a45d4af6b] * TROUBLESHOOTING: Help for PAM when account section is missing [9b8221256756] * auth/pam.c: Give user a clue when there is a missing "account" section in the PAM config. [2529625c0495] * auth/pam.c: Better error handling. [518c9bda23d8] * config.h.in, configure, configure.in: Move _FOO_SOURCE to CPPFLAGS so it takes effect as early as possible. Silences a warning about isblank() on linux. [19c94d7ecdc8] * auth/pam.c: Fix typo (missing comma) that caused an incorrect number of args to be passed to log_error(). [0099dfec560f] 2005-02-01 Todd C. Miller * pwutil.c: Don't try to destroy a tree we didn't create. [d43c4fe03aa4] 2005-01-27 Todd C. Miller * alias.c, alloc.c, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, check.c, closefrom.c, compat.h, defaults.c, env.c, error.c, fileops.c, find_path.c, fnmatch.c, getcwd.c, getprogname.c, getspwuid.c, gettime.c, goodpath.c, gram.c, gram.y, interfaces.c, ldap.c, logging.c, match.c, mon_systrace.c, parse.c, pwutil.c, set_perms.c, sigaction.c, snprintf.c, strcasecmp.c, strerror.c, strlcat.c, strlcpy.c, sudo.c, sudo_edit.c, sudo_noexec.c, testsudoers.c, tgetpass.c, toke.c, toke.l, utimes.c, visudo.c, zero_bytes.c: Add __unused to rcsids [ad6b4ac45705] 2005-01-21 Todd C. Miller * configure, configure.in: Fix error message when mixing invalid auth types [68069b3ff5bc] * INSTALL: PAM, AIX auth, BSD auth and login_cap are now on by default if the OS supports them. [4e44e9098cf0] * auth/sudo_auth.h, config.h.in: s/HAVE_AUTHENTICATE/HAVE_AIXAUTH/g [2d569b43b23e] * configure.in: Better checking for conflicting authentication methods Display the authentication methods used at the end of configure Rename --with- authenticate -> --with-aixauth Use --with-aixauth, --with-bsdauth, --with-pam, --with-logincap by default on systems that support them unless disabled. Add OSMAJOR variable that replaces old OSREV; now OSREV has full version number [a21115b6fe9f] 2005-01-18 Todd C. Miller * def_data.c, def_data.in, sudo.c, sudoers.pod: s/-O/-C/ [ee73f1b81923] 2005-01-14 Todd C. Miller * configure.in: Replace: test -n "$FOO" || FOO="bar" With: : ${FOO='bar'} [37552d9054fc] 2005-01-09 Todd C. Miller * pwutil.c, testsudoers.c, tsgetgrpw.c: Use function pointers to only call private passwd/group routines when using a nonstandard passwd/group file. [215908681dfb] 2005-01-06 Todd C. Miller * CHANGES: sync [2e55c03f5790] * tsgetgrpw.c: Can't use strtok() since it doesn't handle empty fields so add getpwent()/getgrent() functions and call those. [bdaa5b0db70e] 2005-01-05 Todd C. Miller * Makefile.in: Fix dummied out toke.c and gram.c dependencies. [4b909c8b2ebe] * Makefile.in: Rename PARSESRCS -> GENERATED since it is only used in the clean target Add devdir variable and use it to specify the path to parser sources [f27b3f41ca23] * configure: regen [22c6435dbd46] * configure.in: Add a devdir variables that defaults to $(srcdir) and is set to . if --devel was specified. Allows for proper dependecies building the parser. [a36d694c6d21] * testsudoers.c: Add support for custom passwd/group files. [296549ff4b87] * Makefile.in: Build private copy of pwutil.o for testsudoers with MYPW defined so it uses our own passwd/group routines. [bafa54ec78ca] * visudo.c: Remove sudo_*{pw,gr}* stubs and add sudo_setspent/sudo_endspent stubs instead. We can now just use the caching sudo_*{pw,gr}* functions in pwutil.c Add comment about wanting to call sudo_endpwent/sudo_endgrent in cleanup() [7e59d6b5510d] * tsgetgrpw.c: Remove caching; we will just use what is in pwutil.c Use global buffers for passwd/group structs Rename functions from sudo_* to my_* [8c1e068f574c] * logging.c, sudo.c: g/c pwcache_init/pwcache_destroy [60a24909b947] * sudo.h: Undo last commit and add sudo_setspent and sudo_endspent instead. [bac80db08296] * getspwuid.c, pwutil.c: Move all but the shadow stuff from getspwuid.c to pwutil.c and pwcache_get and pwcache_put as they are no longer needed. Also add preprocessor magic to use private versions of the passwd and group routines if MYPW is defined (for use by testsudoers). [a16b8678a426] * tsgetgrpw.c: zero out struct passwd/group before filling it in so if there are fields we don't handle they end up as 0. [274cb6a93301] * logging.c, sudo.c, sudo.h, testsudoers.c, visudo.c: Adapt to pwutil.c [43ebd04c8b82] * Makefile.in: Add tsgetgrpw.c and pwutil.c Rename the *OBJ variables for better readability. [7f88c6061e2d] * tsgetgrpw.c: Passwd and group lookup routines for testsudoers that support alternate passwd and group files. [d7803101d34e] * getspwuid.c, pwutil.c: Split off pw/gr cache and dup code into its own file. This allows visudo and testsudoers to use the pw/gr cache too. [ef333d3ffedf] 2005-01-02 Todd C. Miller * parse.c: Print Defaults info in "sudo -l" output and wrap lines based on the terminal width. [e559eae4250e] 2005-01-01 Todd C. Miller * match.c, testsudoers.c, visudo.c: Only check group vector in usergr_matches() if we are matching the invoking or list user. Always check the group members, even if there was a group vector. [d0c7ceb2a041] 2004-12-17 Todd C. Miller * LICENSE, Makefile.in, fnmatch.3: No longer bundle fnmatch.3 [72db4a4ff4e1] * CHANGES, TODO: checkpoint [e92781bfd99c] 2004-12-16 Todd C. Miller * sudo.c: sort usage [15e3b876ec2c] * sudo.pod: Sort command line options [c1fa56584bc4] * def_data.c, def_data.h, def_data.in, defaults.c, logging.c, sudo.c, sudo.pod, sudoers.pod: Add closefrom sudoers option to start closing at a point other than 3. Add closefrom_override sudoers option and -C sudo flag to allow the user to specify a different closefrom starting point. [370652b099d1] * pathnames.h.in: Add _PATH_DEVNULL for those without it. [0c4c3e0ceb8b] * LICENSE: no more UCB strcasecmp [397a6298e07f] * strcasecmp.c: replace BSD licensed one with version derived from pdksh [d7cfda8c57a2] 2004-12-10 Todd C. Miller * sudo.c: Fix last commit. [7afb9a180532] * sudo.c: Make sure stdin, stdout and stderr are open and dup them to /dev/null if not. [590f387068bd] 2004-12-03 Todd C. Miller * ldap.c, mon_systrace.c, sudo.c, sudo.h: add sudo_ldap_close [4273a36765a7] * fileops.c, gettime.c, sudo.c, sudo_edit.c, utimes.c, visudo.c: Use TIME_WITH_SYS_TIME [c32b59bf15fb] * config.h.in, configure, configure.in: Add TIME_WITH_SYS_TIME_H [57cb146f451d] 2004-12-02 Todd C. Miller * env.c: Add missing braces to avoid DYLD_FORCE_FLAT_NAMESPACE being set unconditionally on darwin. From Toby Peterson. [d69959681c87] * getspwuid.c: Check rbinsert() return value. In the case of faked up entries there is usually a negative response cached that we need to overwrite. In pwfree() don't try to zero out a NULL pw_passwd pointer. [00b32d1a48c1] * mon_systrace.c: Use the double fork trick to avoid the monitor process being waited for by the main program run through sudo. [e0ce556712ff] 2004-11-29 Todd C. Miller * sudo.c: Call initgroups() in -U mode so group matches work normally. [2235bea15283] * def_data.h, mkdefaults: Don't print a trailing comma for the last entry in enum def_tupple [c43a96bb31df] 2004-11-28 Todd C. Miller * sudoers.cat, sudoers.man.in, sudoers.pod: Mention values when lecture, listpw and verifypw are used in boolean context. [a0b5c0abaccf] * def_data.c, def_data.in: verifypw when used in a boolean TRUE context should be "all", not "any". [2eb076ddd5e2] 2004-11-26 Todd C. Miller * def_data.in, defaults.c: Allow tuples that can be used as booleans to be used as boolean TRUE. In this case the 2nd possible value of the tuple is used for TRUE. [bd99aa77e88b] 2004-11-25 Todd C. Miller * configure, configure.in: Correct the test for 2-parameter timespecsub [d41c9cb26b97] * sudo.h: Add strub struct definitions for passwd, timeval and timespec [c4ce5c43d8c5] * config.h.in, configure, configure.in, sudo_edit.c, visudo.c: Add check for 2-argument form of timespecsub (FreeBSD and BSD/OS) and fix a typo in the gettimeofday check. [8ac9893057ce] 2004-11-24 Todd C. Miller * match.c, testsudoers.c: Deal with user_stat being NULL as it is for visudo and testsudoers. [3605a6ff64d0] * parse.c, sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod: Add -U option to use in conjunction with -l instead of -u. Add support for "sudo -l command" to test a specific command. [99638789d415] * gram.c, gram.y, sudo.c: Set safe_cmnd after sudoers_lookup() if it has not been set. Previously it was set by sudo "ALL" in the parser but at that point the fully-qualified pathname has not yet been found. [ac30d98f8225] 2004-11-23 Todd C. Miller * parse.c, testsudoers.c: Correctly handle multiple privileges per userspec and runas inheritence. [a98a965181af] 2004-11-21 Todd C. Miller * defaults.c: Zero out sd_un for each entry in sudo_defs_table in init_defaults. [031d3cd4a848] 2004-11-19 Todd C. Miller * toke.c, toke.l: make per-command defaults work with sudoedit [e56fe33db916] * ldap.c, parse.c, sudo.c, sudo.h: Remove the FLAG_NOPASS, FLAG_NOEXEC and FLAG_MONITOR flags. Instead, we just set the approriate defaults variable. [756eeecc1d86] * sample.sudoers, sudoers.cat, sudoers.man.in, sudoers.pod: Document per-command Defaults. [92a0f84b91c1] * defaults.c, defaults.h, gram.c, gram.h, gram.y, mon_systrace.c, sudo.c, testsudoers.c, toke.c, toke.l, visudo.c: Add support for command-specific Defaults entries. E.g. Defaults!/usr/bin/vi noexec [be3d52bf01cf] * defaults.c, match.c, parse.c, parse.h, testsudoers.c: Change an occurence of user_matches() -> runas_matches() missed previously runas_matches(), host_matches() and cmnd_matches() only really need to pass in a list of members. user_matches() still needs to pass in a passwd struct because of "sudo -l" [833b22fc6fa0] * parse.c: Check def_authenticate, def_noexec and def_monitor when setting return flags. XXX May be better to just set the defaults directly and get rid of those flags. [b6db22b59d69] * alias.c, alloc.c, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, check.c, closefrom.c, defaults.c, env.c, error.c, fileops.c, find_path.c, fnmatch.c, getcwd.c, getprogname.c, getspwuid.c, gettime.c, glob.c, goodpath.c, gram.c, gram.y, interfaces.c, ldap.c, logging.c, match.c, mon_systrace.c, parse.c, redblack.c, set_perms.c, snprintf.c, strcasecmp.c, strerror.c, strlcat.c, strlcpy.c, sudo.c, sudo_edit.c, sudo_noexec.c, testsudoers.c, tgetpass.c, toke.c, toke.l, utimes.c, visudo.c, zero_bytes.c: Use: #include Not: #include "config.h" That way we get the correct config.h when build dir != src dir [97e5670a442b] * Makefile.in: Back out part of rev 1.263; fix -I order [197ea01cad5d] * toke.c, toke.l: More robust parsing if #include; could be much better still. [31bc3cd8f045] * sudo_edit.c, visudo.c: Make arg splitting in visudo and sudoedit consistent. [7bc74485f246] * Makefile.in, alias.c, gram.c, gram.y, parse.h: Split alias routines out into their own file. [d90f633cf9ae] * error.h: __attribute__ is already defined in compat.h [676ed3fe9203] * visudo.c: quit() should not be __noreturn__ as it is non-void on some platforms. [e528c2b6ba10] * auth/fwtk.c, auth/rfc1938.c, auth/securid.c, auth/securid5.c: Add local error/warning functions like err/warn but that call an additional cleanup routine in the error case. This means we no longer need to compile a special version of alloc.o for visudo. [e78e8aae882e] * parse.h: Clarify comments about the data structures [ae894e266701] 2004-11-18 Todd C. Miller * visudo.c: Add support for VISUAL and EDITOR containing command line args. If env_editor is not set any args in VISUAL and EDITOR are ignored. Arguments are also now supported in def_editor. [ff7303b8e298] 2004-11-17 Todd C. Miller * parse.h: alias_matches() is no more [b59825e28084] * CHANGES, TODO: sync [2b8f5f63c1de] * Makefile.in: When regenerating the parser, don't replace gram.h unless it has changed. [819949668018] * Makefile.in: remove Makefile.binary for distclean [351eec8d00b2] * env.c: Preserve KRB5CCNAME in zero_env() and add a paranoia check to make sure we can't overflow new_env. [3284d17b9c6d] * sudo_edit.c: paranoia when stripping trailing slashes from tempdir. [012f1aa2b81f] * sudo.c: Set user_ngroups to 0 if getgroups() returns an error. [c46d43e9449a] 2004-11-16 Todd C. Miller * config.h.in, configure, configure.in, sudo.c: Add configure check for getgroups() [5d8a214e2cef] * ldap.c: Use supplementary group vector in struct sudo_user. [3d0c463c034d] * match.c: Only do string comparisons on the group members if there is no supplemental group list. [be1c8362f7ef] * CHANGES, TODO: sync [db188bc5b975] * sudo_edit.c: On Digital UNIX _PATH_VAR_TMP doesn't end with a trailing slash so chop off any trailing slashes we see and add an explicit one. [e1b477dafee1] * match.c: remove bogus XXX comment [8aecb8a28d40] * match.c: Get rid of alias_matches and correctly fall through to the non-alias cases when there is no alias with the specified name. [2cd555246f09] * getspwuid.c: Cache non-existent passwd/group entries too. [8de9a467d271] * gram.c: regen [9ece18c58f36] * getspwuid.c: fix typo [9a7ae371eac1] * check.c, getspwuid.c, glob.c, ldap.c, logging.c, match.c, mon_systrace.h, sudo.c, sudo.h, testsudoers.c, visudo.c: Implement group caching and use the passwd and group caches throughout. [f1d8c5015169] 2004-11-15 Todd C. Miller * match.c: Properly negate the return value of alias_matches() when appropriate. [ce59c4ce77ad] * match.c: Make hostname_matches() return TRUE for a match, else FALSE like the caller expects. [1dc03902d3a2] * Makefile.in: Add missing dependencies on gram.h [4f94bbb1d50c] * match.c: Use runas_matches in alias_matches() now that we have it. [284d22e91178] * parse.c, parse.h: Expand aliases in "sudo -l" mode [f67a38b79c44] * gram.y, match.c: Use ALIAS for the member type when storing an alias instead of HOSTALIAS/RUNASALIAS/CMNDALIAS/USERALIAS since match.c relies on the more generic type. Expand runas_matches instead of calling user_matches() inside of it since user_matches() looks up USERALIASes, not RUNASALIASes. [52004d75232b] * CHANGES, getspwuid.c: Paranoia; zero out pw_passwd before freeing passwd entry. [bd1b22638f00] * LICENSE, Makefile.in, alloc.c, check.c, config.h.in, configure, configure.in, defaults.c, emul/err.h, env.c, err.c, error.c, error.h, find_path.c, interfaces.c, logging.c, mon_systrace.c, sudo.c, sudo.h, sudo_edit.c, testsudoers.c, visudo.c: Add local error/warning functions like err/warn but that call an additional cleanup routine in the error case. This means we no longer need to compile a special version of alloc.o for visudo. [25000b676cfe] * match.c: Use userpw_matches() to compare usernames, not strcmp(), since the latter checks for "#uid". [fcbe4b859f66] * getspwuid.c, mon_systrace.c, mon_systrace.h, sudo.c: Cache passwd db entries in 2 reb-black trees; one indexed by uid, the other by user name. The data returned from the cache should be considered read-only and is destroyed by sudo_endpwent(). [ee2418ff3f86] * match.c: add cast to uid_t [eb6415302d84] * gram.y: missing free in alias_destroy [572ecb680ad8] * redblack.c: Can't use rbapply() for rbdestroy since the destructor is passed a data pointer, not a node pointer. [11ce713830c0] * getspwuid.c, logging.c, sudo.c, sudo.h: Create and use private versions of setpwent() and endpwent() that set/end the shadow password file too. [616bc76d23bf] * gram.c, gram.h, gram.y, match.c, parse.h, testsudoers.c, visudo.c: Store aliases in a red-black tree. [ce017d540416] * Makefile.in, redblack.c, redblack.h: red-black tree implementation [cd5586e8f48b] * visudo.c: Edit all sudoers file if there were unused or undefined aliases and we are in strict mode. [b6d5f5bb7262] 2004-11-12 Todd C. Miller * CHANGES, def_data.c, def_data.h, def_data.in, defaults.c, env.c, find_path.c, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.c: Bring back the "secure_path" Defaults option now that Defaults take effect before the path is searched. [2e52c0e27606] 2004-11-11 Todd C. Miller * logging.c, parse.c: A user can always list their own entries, even with -u. Better error message when failing to list another user's entries. [e2e24deb0071] * parse.c, sudo.c, sudo.h: The syntax to list another user's entries is now "-u otheruser -l". Only root or users with sudo "ALL" may list other user's entries. [3c0657e8f5fe] * sudo.cat, sudo.man.in, sudo.pod: Update env variable info in SECURITY NOTES [299716071024] * env.c: strip CDPATH too [9b97643b26f9] * env.c: strip exported bash functions from the environment. [9e5090c8284f] 2004-10-27 Todd C. Miller * sudo.c: Only reset sudo_user.pw based on SUDO_USER environment variables for real commands and sudoedit. This avoids a confusing message when a user tries "sudo -l" or "sudo -v" and is denied. [3ea6d0053274] * gram.c, gram.y, parse.h: Extend LIST_APPEND to deal with appending lists too [d963e42f622f] 2004-10-26 Todd C. Miller * logging.c: Convert some bitwise AND to ISSET [130dc40d268e] * lex.yy.c, toke.c: toke.c replaces lex.yy.c [048858df79e7] * CHANGES, TODO: sync [d19e7abf251c] * BUGS: new parser fixes most of the outstanding bugs [0891f66e3758] * configure: regen [1a3358cc7283] * visudo.c: Rework for the new parser. Now checks for unused aliases in sudoers. [ad462ede3094] * testsudoers.c: Rewrite for the new parser. Now supports a -d flag (dump) and adds a -h flag (host). It now defaults to the local hostname unless otherwise specified. [1b69685cc601] * sudo.h: Add new prototypes. Remove NOMATCH/UNSPEC (now in parse.h) [2e4fb3abfef0] * sudo.c: Update for new parse. We now call find_path() *after* we have updated the global defaults based on sudoers. Also adds support for listing other user's privs if you are root. [cf3db9fc3024] * mon_systrace.c: Working LDAP support; also remove a now-unneeded rewind(). [649ecf1baf6b] * logging.c, logging.h: Add NO_STDERR flag. [6cb935af94e0] * ldap.c: Split sudo_ldap_check() into three pieces: sudo_ldap_open(), udo_ldap_update_defaults() and sudo_ldap_check(). This allows us to connecto to LDAP, apply the default options, find the command in the user's path, and then check whether the user is allowed to run it. The important thing here is that the default runas user may be specified as a default option and that needs to be set before we search for the command. [fc0426abc6f1] * ldap.c: Add casts to unsigned char for isspace() to quiet a gcc warning. [e5358e3df439] * defaults.h: Add prototype for update_defaults() [564dac3db74e] * defaults.c: Don't warn about line numbers now that we operate on a set of data structures (or LDAP) and not a file. [bcd9ffb9b67c] * config.h.in: No long use lsearch() [9d048c587319] * Makefile.in: Update for new and changed file names. [6f424a7c4515] * LICENSE: no more BSD lsearch.c [463a96d89026] * match.c: foo_matches() routines now live in match.c Added user_matches(), runas_matches(), host_matches(), cmnd_matches() and alias_matches() that operate on the parsed sudoers file. [b14da8a0567e] * parse.lex, toke.l: Move parse.lex -> toke.l Rename buffer_frob() -> switch_buffer() WORD no longer needs to exclude '@' kill yywrap() [a922294eb7b7] * gram.c, gram.h, gram.y, parse.c, parse.h, parse.yacc, sudo.tab.c, sudo.tab.h: Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. [30d2ec4d203c] * configure.in, emul/search.h, lsearch.c: We won't be using lsearch() any longer. [29c4d54bfac0] * ldap.c: sudo should not send mail if someone who runs 'sudo -l' has no entry. [6fc27a69fd9c] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [8166347917f3] * visudo.pod: Update warnings to match new visudo [004c0766798f] * sudoers.pod: The new parser doesn't have the old ordering constraints. [ffd43bd08661] * sudo.pod: Document that -l now takes an optional username argument [278f9557de8b] 2004-10-25 Todd C. Miller * RUNSON: AIX 5.2.0.0 works [523acd29d858] * ldap.c: If LDAP_OPT_SUCCESS is not defined, use LDAP_SUCCESS instead. Fixes a compilation problem with Solaris 9's native LDAP. Set FLAG_MONITOR when needed. [35824ade672d] 2004-10-23 Todd C. Miller * mon_systrace.c: Call sudo_goodpath() *after* changing the cwd to match the traced process. Fixes relative paths. [12ee111d0ad7] 2004-10-21 Todd C. Miller * testsudoers.c: Kill set_perms() stub--it is no longer needed. [116ed702935d] 2004-10-13 Todd C. Miller * sudoers.cat, sudoers.man.in, sudoers.pod: stay_setuid now requires set_reuid() or setresuid() [8511f67e25d5] * INSTALL, PORTING, TROUBLESHOOTING, config.h.in, configure, configure.in, set_perms.c, sudo.c, sudo.h: Kill use of POSIX saved uids; they aren't worth bothering with. [b3b1f19f18c1] 2004-10-07 Todd C. Miller * glob.c: remove call to issetugid() [63f2e492c08f] * sudoers.cat, sudoers.man.in, sudoers.pod: Remove warning about wildcards. Now that we use glob() the bug is fixed. [b15729d32266] * parse.c: Use glob(3) instead of fnmatch(3) for matching pathnames and stat each result that matches the basename of the user's command. This makes "cd /usr/bin ; sudo ./blah" work when sudoers allows /usr/bin/blah. Fixes bug #143. [e31eb6310340] * config.h.in, configure, configure.in: Define HAVE_EXTENDED_GLOB for extended glob (GLOB_TILDE and GLOB_BRACE) [677ed6661e17] * config.h.in, configure, configure.in: Check for a glob() that supports GLOB_BRACE and GLOB_TILDE [aaa2329dd266] * LICENSE: reference glob [bedc9a923423] * emul/glob.h: 4.4BSD glob(3) with fixes from OpenBSD and some unneeded extensions removed. [0335cf31fb1e] * glob.c: 4.4BSD glob(3) with fixes from OpenBSD and some unneeded extensions removed. [81799451473c] 2004-10-05 Todd C. Miller * mon_systrace.c: Just return if STRIOCINJECT or STRIOCREPLACE fail. It probably means we are out of space in the stack gap... [5b02b702021e] * CHANGES: sync [be3826273e56] * mon_systrace.c: Take a stab at ldap sudoers support here. [9d023695b0de] * mon_systrace.c, mon_systrace.h: Detach from tracee on SIGHUP, SIGINT and SIGTERM. Now "sudo reboot" doesn't cause reboot to inadvertanly kill itself. [d4aab2365610] * mon_systrace.c: put "monitor" in the proctitle, not "systrace" [9a9025767d86] * mon_systrace.c: When modifying the environment, don't replace envp when we can get away with just rewriting pointers in the traced process. [c03622f7a2e2] * mon_systrace.c, mon_systrace.h: Add environment updating via STRIOCINJECT (if available). [037291016870] * sudoers.cat, sudoers.man.in: regen [869acc511046] 2004-10-04 Todd C. Miller * lex.yy.c: regen [4e61a9bd3c97] * parse.lex: Fix bug introduced in unput() removal; want yyless(0) not yyless(1) [b70d7bd6e147] * mon_systrace.c: Include file is now mon_systrace.h [ead4e36d92ae] * Makefile.in, configure, configure.in, def_data.c, def_data.h, def_data.in, lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc, sudo.c, sudo.h, sudo.tab.c, sudo.tab.h, sudoers.pod: No longer call it tracing, it is now "monitoring" which should be more a obvious name to non-hackers. [aa811ded0789] 2004-10-01 Todd C. Miller * mon_systrace.c, mon_systrace.h: Fix some XXX [a271072dacc6] * mon_systrace.c, mon_systrace.h: No need to include syscall.h, use 1024 as the max # of entries (the max that systrace(4) allows). Only need to use SYSTR_POLICY_ASSIGN once Change check_syscall() -> find_handler() and have it return the handler instead of just running it. We need this since handler now have two parts: one part that generates and answer and another that gets called after the answer is accepted (to do logging). Add some missing check_exec for emul execv [a89d243f0525] * sample.pam, sample.sudoers, sample.syslog.conf, sudoers: Add $Sudo$ tags. [6f3fedb0daba] * config.h.in: Add missing HAVE_LINUX_SYSTRACE_H [ff75ab7bfc53] * Makefile.in: add trace_systrace.o dependency [88a408668ab2] 2004-09-30 Todd C. Miller * configure, configure.in: Also look for systrace.h in /usr/include/linux [98b98b436cf3] * mon_systrace.c, mon_systrace.h: Move all struct defs and prototypes into trace_systrace.h and mark all but systace_attach() static. [85511253b570] * mon_systrace.c, mon_systrace.h: Add support for tracing emulations. At the moment, all emulations are compiled in. It might make sense to #ifdef them in the future, though this impeeds readability. [87bb50abf277] * Makefile.in, configure, configure.in: rename systrace.c -> trace_systrace.c [31cfa4407d93] * parse.yacc, sudo.tab.c: Allow this to build with a K&R compiler again [32876af5bb98] * TODO: sync [46865bd70f7c] * compat.h, sudo.c, visudo.c: Use __attribute__((__noreturn__)) [65bbad71fe89] * visudo.c: Exit() takes a negative value to indicate it was not called via signal. [b93032ed7b60] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [45bcf4661558] * Makefile.in, visudo.c: Define Err() and Errx() that are like err() and errx() but call Exit() instead of exit(). Build private copy of alloc.o for visudo that calls Err() and Errx(). [c6d02bf42edd] 2004-09-29 Todd C. Miller * lex.yy.c, sudo.tab.c: regen [39de7e7c59da] * CHANGES: sync [ba481d9ed1aa] * visudo.c: Overhaul visudo for editing multiple files: o visudo has been broken out into functions (more work needed here) o each file is now edited before sudoers is re-parsed o if a #include line is added that file will be edited too TODO: o cleanup temp files when exiting via err() or errx() o continue breaking things out into separate functions [80c35cf534eb] * parse.lex, sudo.c, sudo.h, testsudoers.c, visudo.c: Add keepopen arg to open_sudoers that open_sudoers can use to indicate to the caller that the fd should not be closed when it is done with it. To be used by visudo to keep locked fds from being closed prematurely (and thus losing the lock). [f330fe632470] * parse.yacc, sudo.c: Add errorfile global that contains the name of the file that caused the error. [98079c7a37ed] * parse.lex: return COMMENT to yacc grammar for a #include line [2024a8de4fa8] * parse.lex: Remove us of unput() in favor of yyless() which is cheaper. [c61291902beb] * parse.yacc: Allow an empty sudoers file. [62fb111db2e7] 2004-09-28 Todd C. Miller * mon_systrace.c: Rewind sudoers_fp now that sudoers_lookup() doesn't do it for us. [9e15869ef597] * lex.yy.c, sudo.tab.c: regen [c29bdd43bfad] * visudo.c: Do signal setup before calling edit_sudoers(). Don't shadow the "quiet" global. [74252efd09ff] * visudo.c: If a sudoers file includes other files, edit those too. Does not yes deal with creating the new includes files itself. [06af7b9c173f] * testsudoers.c: init_parser now takes a path [b5ee186eb192] * parse.c, parse.h, parse.lex, parse.yacc: More scaffolding for dealing with multiple sudoers files: o init_parser() now takes a path used to populate the sudoers global o the sudoers global is used to print the correct file in yyerror() o when switching to a new sudoers file, perserve old file name and line number [d9be4970b8bd] * Makefile.in, pathnames.h.in: Kill _PATH_SUDOERS_TMP; it is not meaningful now that we can have multiple sudoers files. [6ccc4e921c43] * parse.c, sudo.c: Rewind sudoers_fp in open_sudoers() instead of sudoers_lookup() so we start at the right file position when reading include files. [91fcb961e7a4] * sudoers.pod: document #include [fbb92a25a726] * lex.yy.c: regen [50cd7a4c9dff] * parse.lex: Add max depth of 128 for the include stack to avoid loops. Since yyerror() doesn't stop parsing, pass return values back to yylex and call yyterminate() on error. [e79dbffb729d] 2004-09-27 Todd C. Miller * sudoers.pod: document tracing [165a467eadd8] * sudo.pod: Mention PREVENTING SHELL ESCAPES section of sudoers man page [3217ccecd834] * lex.yy.c, sudo.tab.c: regen [fbd58d1d3a76] * parse.lex: Add support for #include in sudoers (visudo support TBD) [a78015ca81af] * parse.yacc: make yyerror()'s argument const [7d8e168c019a] * testsudoers.c, visudo.c: Add open_sudoers() stubs. [087466787198] * sudo.c, sudo.h: Rename check_sudoers() open_sudoers() and make it return a FILE * [142fc511fc65] 2004-09-26 Todd C. Miller * BUGS, INSTALL, INSTALL.binary, Makefile.in, README, configure.in, version.h: Crank version [1adc3f839480] * Makefile.in, sudo.psf: Better HP-UX depot construction [2d952b000e63] 2004-09-25 Todd C. Miller * mon_systrace.c: o Made children global so check_exec() can lookup a child. o Replaced uid in struct childinfo with struct passwd * (for runas) o new_child() now takes a parent pid so the runas info can be inherited o Added find_child() to lookup a child by its pid o update_child() now fills in a struct passwd o Converted the big if/else mess in set_policy to a switch o Syscalls that change uid are now "ask" so we get SYSTR_MSG_UGID events [29b9ea3f09a3] * getspwuid.c: Add flag to sudo_pwdup that indicates whether or not to lookup the shadow password. Will be used to a struct passwd that has the shadow password already filled in. [e19d43dd7238] * mon_systrace.c: add missing increment of addr in read_string() [f9eb0f060cb6] * mon_systrace.c: Remove bogus call to update_child() and some cosmetic fixes [701ab0b97fef] * mon_systrace.c: Don't leak /dev/systrace fd to tracee Make initialized global for simplicity If STRIOCATTACH returns EBUSY we are already being traced Check for user_args == NULL in setproctitle() call Add missing calls to STRIOCANSWER [1956edf9bc3a] * sudo.c: g/c sudo_pwdup proto [b7c4d6249ecb] * Makefile.in, sudo.psf: Add target for building a depot file [357019efd99b] * mon_systrace.c: trim includes [501534428471] 2004-09-24 Todd C. Miller * lex.yy.c, sudo.tab.c, sudo.tab.h: regen [52fd250c6986] * INSTALL: document --with-systrace [79623927c94e] * config.h.in, configure, configure.in: Add check for setproctitle [1730cf1c26ed] * mon_systrace.c: pass struct str_msg_ask in to syscall checker so it can set the error code [1703fd2fdef6] * mon_systrace.c: systrace(4) support for sudo. On systems with the systrace(4) kernel facility (OpenBSD, NetBSD, Linux w/ patches) sudo can intercept exec calls and check the exec args against the sudoers file. In other words, sudo can now control subcommands and shell escapes. [928c9217c386] * sudo.c, sudo.h: Call systrace_attach() if FLAG_TRACE is set. [014ba9402fa5] * parse.c, parse.h, parse.lex, parse.yacc, sudo.h: Add trace Defaults option and TRACE/NOTRACE tags and set FLAG_TRACE [a99904db5e56] * parse.c, sudo.c: Don't close sudoers_fp, keep it open and set close on exec flag instead. [43a9fec60bee] * def_data.c, def_data.h, def_data.in: Add trace option [5b643b86730a] * Makefile.in: Add systrace [47a0519c427c] * INSTALL: SunOS /bin/sh blows up with configure [005a23cc5615] * configure, configure.in: Include sys/param.h before systrace.h [9345bc8efecf] * configure: regen [a8f53fcbb254] * pathnames.h.in: _PATH_DEV_SYSTRACE [d2ad1e492a00] * configure.in: line up options in --help [fa51f2821d09] * config.h.in, configure.in: Add --with-systrace [a264d54bc413] 2004-09-23 Todd C. Miller * configure: regen [a4dad0bcc523] * aclocal.m4, configure.in: make this work with autoconf-2.59 [c4a92b6a684a] 2004-09-16 Todd C. Miller * sudo_edit.c: Simplify logic around open & stat of files and do sanity on edited file even if we lack fstat (still racable but worth doing). [adda65ade70c] 2004-09-15 Todd C. Miller * HISTORY: Add support url [bf6590fbde9f] * Makefile.in: versino 1.6.8p1 [b84ebfaf1552] [SUDO_1_6_8p1] * CHANGES: more changes for 1.6.8p1 [e23a9c0393b6] * version.h: 1.6.8p1 [872f14504b5f] * CHANGES, sudo_edit.c: Add sanity check so we don't try to edit something other than a regular file. [350134ec6d4e] 2004-09-15 Aaron Spangler * CHANGES: sync [3091ca9eae00] * INSTALL: document --with-ldap-conf-file [0e2cd6b896f1] 2004-09-14 Todd C. Miller * CHANGES, ins_csops.h: political correctness strikes again [428e8bc77f55] * RUNSON: sync [27f44bd423dc] 2004-09-12 Todd C. Miller * Makefile.binary.in, Makefile.in: Install sudoedit man link [19a55234fc1f] * INSTALL: Update PAM note and mention where HP-UX users can download gcc binaries. [d37cdbbabfd4] * Makefile.in: libtool wants to install stuff from .libs so fake one up for binary installations. [a681bc6fcfba] * Makefile.binary.in: rm -f old sudoedit link instead of using ln -f set LIBTOOL correctly [3e0c4b3372cc] * Makefile.in: Deal with "uname -m" having slashes in it rm -f old sudoedit link instead of using ln -f [cff33fb97e5b] * Makefile.binary, Makefile.binary.in: Makefile.binary -> Makefile.binary.in for config.status substitution Add support for installing noexec bits [37d8bb3483c6] * Makefile.in: Copy noexec bits into binary dists too No longer use my old arch script for making binary dists [e7058bab9e33] * Makefile.binary: Install sudoedit link. [417d1e101711] 2004-09-11 Todd C. Miller * emul/utime.h: avoid __P so there is no need for compat.h to be included [6d8d1f1abf7d] * utimes.c: Don't use HAVE_UTIME_H before including config.h. [013b7bb61181] 2004-09-10 Todd C. Miller * compat.h: Fix Solatis futimes macro [d4eda2ca0d29] 2004-09-09 Todd C. Miller * sudo_edit.c: Rename ots -> omtim for improved readability. [127ca5bb297c] 2004-09-08 Todd C. Miller * sudo_edit.c: Redo changes in revision 1.7. Don't really need to keep the temp file open; re-opening it with the invoking user's euid is sufficient. [55a883165a95] * CHANGES: sync [9015b291170d] * sudo.cat, sudo.man.in: regen [c0313f6ed783] * sudo.pod: back out revision 1.70; it is no long applicable [b641d503aff6] * env.c: Let the loader initialize nep [bec192139b02] * config.h.in, configure, configure.in: Removed unneed check for fchown Add check for gettimeofday Move autoheader template stuff into separate AH_TEMPLATE lines [bfc0edbd43f2] * check.c, compat.h, fileops.c, sudo.h, sudo_edit.c, visudo.c: Use timespec throughout. [1a178a23b69b] * Makefile.in: gettime.[co] [6aeb48a7ab7f] * gettime.c: function to return the current time in a struct timespec [bf8eb12cb63f] * utimes.c: Not a darpa-sponsored file. [121ce5e2036c] 2004-09-07 Todd C. Miller * compat.h, config.h.in, configure, configure.in: Add a check for struct timespec and provide it for those without. [42124055030d] * config.h.in, configure, configure.in, sudo_edit.c: Add checks for st_mtim and st_mtimespec and add macros for pulling the mtime sec and nsec out of struct stat. These are used in sudo_edit() to better tell whether or not the file has changed. [23debfbb3fab] * check.c, fileops.c, sudo.h, sudo_edit.c, visudo.c: Add an extra param to touch() for nsec [56f7a4ba8ddb] * sudo_edit.c: Call mkstemp() as the in invoking user so we don't have to chown the file later. Only touch() the temp file if we can do it via the file descriptor. Don't check for modification of the temp file if we lack fstat(). Catch errors read()ing the temp file. [665f52c70836] * fileops.c: If path is NULL and fd == -1 return -1. [757a518a824c] * sudo_edit.c: closefrom() is overkill, the only extra fds are the ones we opened so just close those in the child. [f361c9d2a1f4] * Makefile.in, aclocal.m4, check.c, compat.h, config.h.in, configure, configure.in, fileops.c, sudo.h, sudo_edit.c, utime.c, utimes.c, visudo.c: Use utimes() and futimes() instead of utime() in touch(), emulating as needed. Not all systems are able to support setting the times of an fd so touch() takes both an fd and a file name as arguments. [3d9276f29717] 2004-09-07 Aaron Spangler * env.c: Rare SEGV [8995f828782d] 2004-09-06 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [b8e9406711c5] * sudo.pod, sudoers.pod, visudo.pod: Add SUPPORT section and re-order some of the sections to match the order we use in OpenBSD. [fa37bd917e2c] 2004-09-06 Aaron Spangler * env.c: Openldap ~/.ldaprc fix [1a37afe6850f] 2004-09-06 Todd C. Miller * sudo.pod: Talk about how the editor must write its changes to the original file and not just use rename(2). [c55ed91c5ee9] * CHANGES: sync [62af26bd37a2] * sudo_edit.c: Keep the temp file open instead of re-opening after the editor has exited. [de41eeb6dcf2] * sample.pam: Update for current redhat/fedora core. [8cf083077333] 2004-09-03 Aaron Spangler * README.LDAP: tls_ examples [ba783d88a034] 2004-09-02 Aaron Spangler * ldap.c: config tls_* options [0b0e0797b3b9] 2004-08-29 Todd C. Miller * configure, configure.in: No need for -lcrypt when using pam. [41fff3a53e68] 2004-08-27 Todd C. Miller * configure: regen [75820aecce2c] 2004-08-27 Aaron Spangler * configure.in, ldap.c, pathnames.h.in: Allow --with-ldap-conf-file option to override LDAP_CONF [c9909bc484a5] * ldap.c: cleanup debug message [1f6ca4824d8d] 2004-08-26 Aaron Spangler * README.LDAP: more config info [f2e7147fd507] 2004-08-24 Todd C. Miller * TODO, find_path.c, goodpath.c, parse.c, sudo.c, sudo.h, visudo.c: Add cmnd_base to struct sudo_user and set it in init_vars(). Add cmnd_stat to struct sudo_user and set it in sudo_goodpath(). No longer use gross statics in command_matches(). Also rename some variables for improved clarity. [7169a6c7bea4] 2004-08-21 Todd C. Miller * INSTALL: document HP's crippled compiler deficiency. [c405ea5a8d4c] * INSTALL: Fix some thinkos in --with-editor and --with-env-editor descriptions. Noticed by Norihiko Murase. [dd781de1c985] * configure, configure.in: --with-noexec takes an optional PATH argument. [8f6ab77f22cc] * INSTALL: document --with-noexec [50cb1fc627ce] 2004-08-17 Todd C. Miller * RUNSON, TODO: sync [f2503bd13373] [SUDO_1_6_8] * sudo_edit.c: Better warning message when sudoedit is unable to write to the destination file. [f78c18f2ffa8] * sudo.cat, sudo.man.in: regen [7e2bf63d6d9a] * sudo.pod: Don't italicize the string "sudoedit" [c691643bd269] 2004-08-16 Todd C. Miller * HISTORY: Mention GratiSoft. [dc53de581b2d] 2004-08-11 Todd C. Miller * sudo.tab.c: regen [8ae0484dfc38] * parse.yacc: Reset used_runas to FALSE when re-intializing the parser. [b7403f353a02] 2004-08-09 Todd C. Miller * config.guess: Correct OpenBSD mips support [314fc7afc165] * config.guess: Add OpenBSD/mips [ac87d0a773ef] 2004-08-07 Aaron Spangler * README.LDAP: More behavior notes [13be1d212b47] * README.LDAP: Updates on current behavior [d498a8866d6f] 2004-08-06 Todd C. Miller * sudo.pod: =back does not take an indentlevel (makes no difference to formatted files). [e5f479e24fa8] * sudoers.pod: =back does not take an indentlevel (makes no difference to formatted files). [9c8523bb382a] * CHANGES: new [2dbd9aba8b33] * sudo.c: Consistency. Use same error for bad -u #uid when targetpw is set as we do when a bad -u username is specified. [922961c4a9d6] * TODO: Add checksum idea from Steve Mancini [e6ece1b766ba] * sudo.cat, sudo.man.in: regen [f93d41fc38b1] * sudoers.cat, sudoers.man.in: regen [370d2317829f] * sudo.pod, sudoers.pod: Document the restriction on uids specified via -u when targetpw is set. [878fedb455db] * sudo.c: Error out when targetpw is enabled and sudo is run with -u #uid but #uid does not exist in the passwd database. We can't do target authentication when the target is not in passwd! [27c5888c86eb] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in: regen [ceb65711050c] * TODO: Some more todo for the next release. [7b7417be7601] * INSTALL: Make it clear that PAM should be used for DCE support when possible. [7502029fd385] * sudoers.pod: o Document problems with wildcards and relative paths. o Make the order requirements more prominent. o Change a "set" to "reset" for clarity. [bacdd181b33f] 2004-08-05 Todd C. Miller * sudo.pod: Mention --with-secure-path, not SECURE_PATH. [41283ddde5e1] 2004-08-03 Aaron Spangler * ldap.c: reflect changes to parse.c [8880fe9b724d] 2004-08-02 Todd C. Miller * sudo.tab.c: regen [a57658ca9177] * parse.yacc: Don't pass user_cmnd and user_args to command_matches(), just use the globals there. Since we keep state with statics anyway it is misleading to pretend that passing in different cmnd and cmnd_args will work. [a4910bf6032b] * parse.c, parse.h, testsudoers.c, visudo.c: Don't pass user_cmnd and user_args to command_matches(), just use the globals there. Since we keep state with statics anyway it is misleading to pretend that passing in different cmnd and cmnd_args will work. [0a2544991fd6] * parse.c: Fix a bug introduced in rev. 1.149. When checking for pseudo- commands check for a '/' anywhere in cmnd, not just the first character. [ce98142f03ca] 2004-07-31 Aaron Spangler * sudo.man.in, sudo.pod: Clarification thanks to Olivier Blin [a91800e094b1] * sudoers.man.in, sudoers.pod: Add ignore_local_sudoers [741ddcbf7083] * README.LDAP: Sun One schema definition by Andreas.Bussjaeger@t-systems.com and janth@moldung.no [742c02e07cd9] 2004-07-29 Todd C. Miller * CHANGES: typo [e7cdefbd7a9a] 2004-07-23 Todd C. Miller * CHANGES: sync [734dafc4a85e] * parse.c: Parse sudoers file as PERM_RUNAS not PERM_ROOT and remove a useless PERM_SUDOERS. Restore to PERM_ROOT upon exit of the parse. [151b7f593568] 2004-07-08 Todd C. Miller * CHANGES: PAM change [d8fb6d6a22d0] 2004-07-08 Aaron Spangler * ldap.c: Better debugging of ALL command [9db3e84029dc] 2004-07-08 Todd C. Miller * parse.c: When matching for "sudoedit" in sudoers check both the command the user typed *and* the command that is listed in the sudoers entry. [f36ca1f94095] 2004-07-04 Aaron Spangler * ldap.c: Added !command feature [ed539574611b] 2004-06-28 Todd C. Miller * auth/pam.c: Use pam_acct_mgmt() to check for disabled accounts; Brian Farrell [2be8e0e8813a] 2004-06-11 Todd C. Miller * LICENSE: License is ISC-style, not BSD-style [ac0589e1dd5d] * CHANGES: sync [16058a30f404] 2004-06-10 Todd C. Miller * sudo.cat, sudo.man.in: regen [8820eb9c809b] * sudo.pod: o Update some out of date bits to reality o Change the shell promt in examples to bourne-shell style o Clarify some details o Add a CAVEAT about "sudo cd /foo" [b0af373214b6] * check.c: Don't ask for a password if invoking user == target user. [dd5c96141132] * sudo.c: typo in comment [278d20f9b249] 2004-06-08 Todd C. Miller * sudoers.cat, sudoers.man.in: regen [9036c6f39eff] * sudoers.pod: Expand on NOEXEC a little. [9a13756aebe4] * TODO: sync [8d2c1af48de8] * visudo.cat, visudo.man.in: regen [3921f01607c8] * sudo.tab.c: regen [9338c3d68250] * CHANGES, parse.yacc, visudo.c: Add a check in visudo for runas_default being set after it has already been used. [803560986a8a] * visudo.pod: Add a check in visudo for runas_default being set after it has already been used. [6700358d7ad8] * sudo.tab.c: regen [b60636e2cf63] * parse.yacc: Add a MATCHED macro for testing whether foo_matches has been set to TRUE or FALSE. This is more readable than checking for >=0 or < 0. Doesn't change the actual code generated. [f376da8ccdc8] 2004-06-07 Todd C. Miller * sudoers.cat: regen [6cceb6d6c9bd] * sudoers.man.in: regen [5acd12b730b3] * sudoers: Correct description of where Defaults specs should go. [868db857630d] * sudoers.pod: Correct description of where Defaults specs should go. [6b11ff53d7ad] * auth/bsdauth.c, auth/kerb5.c: update (c) year [d72eb434c068] * auth/pam.c: update (c) year [87149e0eed50] * find_path.c: update (c) year [40c227af9227] * ldap.c: update (c) year [f264632488a0] * logging.h: update (c) year [3cec76d400ce] * testsudoers.c, visudo.c: update (c) year [272c8a53604c] 2004-06-06 Todd C. Miller * sudo.tab.c: regen [83408d9e9d2e] * auth/bsdauth.c, auth/kerb5.c, auth/pam.c, visudo.c: Remove trailing spaces, no actual code changes. [4c3bf2819293] * ldap.c, logging.h, parse.c, parse.yacc, sudo.c, testsudoers.c: Remove trailing spaces, no actual code changes. [c7075d1cbed5] * tgetpass.c: Remove trailing spaces, no actual code changes. [96f6e0a24c26] * compat.h, defaults.c, env.c: Remove trailing spaces, no actual code changes. [893e83c33795] * find_path.c: Remove trailing spaces, no actual code changes. [7ed7099f3c71] * getcwd.c: Remove trailing spaces, no actual code changes. [776cc0374547] * check.c: Remove trailing spaces, no actual code changes. [f77750f8803b] * sudo.tab.c: regen [62e0ed883b31] * parse.yacc: Fix a >=0 that should be <0 that was improperly converted when UNSPEC was added. [ad1531a55a49] * parse.yacc: Add do {} while(0) around pop macro Set cmnd_matches to UNSPEC, not NOMATCH when resetting it. [ae017a12870a] * parse.yacc: Fix pastos introduced in SETNMATCH addition. [6ea1c9d80681] 2004-06-05 Todd C. Miller * README.LDAP: Update for configure changes [637a635da287] * sudo.tab.c: regen [4753c2788713] * parse.yacc: Add NOMATCH and UNSPEC defines (-1 and -2 respectively) and use these in parse.yacc. Also in parse.yacc initialize the *_matches vars to UNSPEC and add two macros, SETMATCH and SETNMATCH for use when setting *_matches to a value that may be NOMATCH/UNSPEC/TRUE/FALSE. [746b519e41a6] * sudo.h: Add NOMATCH and UNSPEC defines (-1 and -2 respectively) and use these in parse.yacc. Also in parse.yacc initialize the *_matches vars to UNSPEC and add two macros, SETMATCH and SETNMATCH for use when setting *_matches to a value that may be NOMATCH/UNSPEC/TRUE/FALSE. [2ba622e15a4d] * parse.yacc: Initialize runas to -2, not -1 since we need to be able to distinguish between the initialized value and the value of a non- match when passing along the runas value to multiple commands. The result of this is that an unmatched runas is now set to -1, not 0. This is required now that parse.c treats a FALSE value for runas as being explicitly denied. [7791ed3621f6] 2004-06-03 Todd C. Miller * getprogname.c: Error out if argc < 1. [c566cce8dc78] * sudo.c, visudo.c: Error out if argc < 1. [ce6b2a9eda3c] * configure, configure.in: Add tests for what libs we need to link with for ldap and for whether or not lber.h needs to be explicitly included. [b2e9729cc4e7] 2004-06-03 Aaron Spangler * ldap.c: Solaris native LDAP build fix [39929e40eb11] 2004-06-01 Todd C. Miller * ldap.c: Set edn to NULL is ldap_get_dn() fails to avoid potential use of an unset variable. [6a4c20a66f98] * sudo.h: Add prototype for sudo_ldap_list_matches [443b007a8dab] * compat.h: Better check for dirfd macro--we now set HAVE_DIRFD for the macro version too. Added check for dd_fd in `DIR' if no dirfd is found; this is now used to confitionally define the dirfd macro in compat.h. [8d50ff1bbf2a] * config.h.in: Better check for dirfd macro--we now set HAVE_DIRFD for the macro version too. Added check for dd_fd in `DIR' if no dirfd is found; this is now used to confitionally define the dirfd macro in compat.h. [34eace4faec8] * configure, configure.in: Better check for dirfd macro--we now set HAVE_DIRFD for the macro version too. Added check for dd_fd in `DIR' if no dirfd is found; this is now used to confitionally define the dirfd macro in compat.h. [567656978f7e] * closefrom.c: Only check /proc/$$/fd if we have the dirfd function/macro. [15e3ccce7553] * compat.h, config.h.in, configure, configure.in: Add a check for a dirfd() function (like Linux) and add a dirfd macro in compat.h if there is no dirfd() function or macro. [1e95756edb50] * closefrom.c, getcwd.c: dirfd() is now defined in compat.h as needed. [bb1d79271188] * CHANGES: Clarify closefrom() note. [f4e4a5508dda] * parse.c: When checking for a command in the directory, only copy the base dir once. [7a3276808b87] * closefrom.c: If there is a /proc/$$/fd directory, behave like the Solaris closefrom() and only close the descriptors listed therein. [19de23779e84] * alloc.c: compat.h guarantees INT_MAX is defined. [1bf0c79d4606] * compat.h: Add definitions of OPEN_MAX and INT_MAX for those without it and remove definition of RLIM_INFINITY (now unused). [f827d1ebf96e] * CHANGES, alloc.c, check.c, compat.h, find_path.c, getcwd.c, parse.c, sudo.c, sudo.h, visudo.c: Use PATH_MAX, not MAXPATHLEN since the former is standardized. [59788f211c24] 2004-05-31 Todd C. Miller * CHANGES: sync [d32fa124f1ad] * RUNSON: Add some entries that were mailed in a while ago [ff8d5bfec54e] * closefrom.c: o sysconf returns a long, not an int. o check for negative return value from sysconf/getdtablesize and use OPEN_MAX in this case. o define OPEN_MAX to 256 for those without it (a fair guess...) [ccf81ae6deb2] 2004-05-30 Todd C. Miller * UPGRADE: Mention change in parse order for RunAs entries. [dc73b0bca617] * configure: regen [07cce8e0534e] 2004-05-29 Todd C. Miller * INSTALL, README.LDAP, config.h.in, configure.in: o --with-ldap now takes an optional dir as a parameter o added check for ldap_initialize() and start_tls_s() [2b846c7974c6] * README.LDAP: Fix some typos, word choice and formatting issues. [00dc8ca84b10] 2004-05-28 Todd C. Miller * tgetpass.c: Use SA_INTERRUPT so SunOS works correctly, avoid stdio and just use read/write as it is simpler. [30f5446ee8b0] * configure, configure.in: Remove hack overriding cross-compiler check. It should no longer be needed. [22a6cbd88608] * compat.h: Remove select() compat bits since we no longer use select(). [d7bbf7cd36f5] * CHANGES, tgetpass.c: Use alarm() instead of select() for the timeout for systems that don't fully/properly implement select(). [d7cc60f15800] 2004-05-27 Todd C. Miller * CHANGES: synbc [132a39788e07] * RUNSON: update [61ef508380c6] * set_perms.c: Deal with systems that have no way of setting the effective uid such as nsr-tandem-nsk. [306e00e9b5a4] * configure, configure.in: Define NO_SAVED_IDS if we don't find seteuid() [8588f18345cf] * config.h.in, configure, configure.in: Add back check for setreuid() since NSK doesn't have it. [43127bd703d1] * sudoers.cat, sudoers.man.in: regen [af4f4b20e422] * BUGS: sync [3593f17f72ed] * CHANGES: sync [29ca3b699c24] * parse.c: In sudoers_lookup() return VALIDATE_NOT_OK if the runas user was explicitly denied and the command matched. This fixes a long- standing bug and makes: foo machine = (ALL) /usr/bin/blah foo machine = (!bar) /usr/bin/blah equivalent to: foo machine = (ALL, !bar) /usr/bin/blah [2f5ee244985a] * sudoers.pod: Clarify mail_noperm [3238b2d41989] 2004-05-20 Aaron Spangler * Makefile.in: Missing DESTDIR in make install for sudo_noexec.la [91431e821525] 2004-05-17 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [cdfde0dcb556] * TODO: sync [4799b7d8b62c] * sample.sudoers: Remove fastboot/fasthalt (who still remembers these?) and add a minimal sudoedit example. [b1bca73d6250] * sudoers.pod: Remove fastboot/fasthalt (who still remembers these?) and add a minimal sudoedit example. [19d299f233cd] * CHANGES, INSTALL: filesystem -> file system [85948b608ffe] * TROUBLESHOOTING: filesystem -> file system [39fb594e9338] * UPGRADE, sudo.c, visudo.c: filesystem -> file system [1e1afaf30469] * sudo.pod, sudoers.pod: Fix some minor typos and formatting goofs [e94d243a0b90] * lex.yy.c: regen [2eed0ab1f4c4] * visudo.pod: remove my email addr [b63262c0389b] * sudo.pod, sudoers.pod, visudo.pod: Use @mansectform@ and @mansectsu@ everywhere Make man page references links with L<> [f459f4b9ddb9] * parse.lex: Accept quoted globbing characters and pass them verbatim for fnmatch() [8248b86e9380] * UPGRADE: Document that /tmp/.odus is gone. [3667b66af5bb] * pathnames.h.in: No longer use /tmp/.odus as a possible timestamp dir unless specifically configured to do so. Instead, if no /var/run exists, use /var/adm/sudo or /usr/adm/sudo. [48d94c9f9ad4] * CHANGES: No longer use /tmp/.odus as a possible timestamp dir unless specifically configured to do so. Instead, if no /var/run exists, use /var/adm/sudo or /usr/adm/sudo. [6058c4cefcec] * aclocal.m4: No longer use /tmp/.odus as a possible timestamp dir unless specifically configured to do so. Instead, if no /var/run exists, use /var/adm/sudo or /usr/adm/sudo. [cf52c4c2803f] * configure: No longer use /tmp/.odus as a possible timestamp dir unless specifically configured to do so. Instead, if no /var/run exists, use /var/adm/sudo or /usr/adm/sudo. [058d7b8cf07b] * check.c, compat.h: Preliminary changes to support nsr-tandem-nsk. Based on patches from Tom Bates. [390b698b5924] * logging.c: Preliminary changes to support nsr-tandem-nsk. Based on patches from Tom Bates. [934bbe6872b6] * set_perms.c, sudo.c, tgetpass.c, visudo.c: Preliminary changes to support nsr-tandem-nsk. Based on patches from Tom Bates. [2e5f81834383] 2004-05-16 Todd C. Miller * CHANGES: There was no 1.6.7p6. [8013d2e6b062] * BUGS, CHANGES: sync [c38b41f32857] * Makefile.in: add missing files to DISTFILES [e6a80ad03039] * sudo.cat, sudoers.cat, visudo.cat: regen [027bc9746dd5] * sudoers.man.in: regen [f5e85ef686cf] * Makefile.in: Fix some line wrap and update (c) year [bad1f46aa1ca] 2004-04-28 Aaron Spangler * README.LDAP: Build Note [7a061248249b] 2004-04-07 Aaron Spangler * Makefile.in: Fix install-dirs [be0726dd92e7] 2004-04-05 Todd C. Miller * sudo.tab.c: regen [3f4f0d1ab8b9] * visudo.c: In Exit() when used as a signal handler, emsg is a pointer so sizeof() is wrong so make it a #define instead. Also avoid using a negative exit value. Found by Aaron Campbell [78716a3a3fdc] 2004-03-24 Todd C. Miller * sudoers.pod: Remove bogus sentence about uids in a User_List. Document usernames vs. uid parsing in a Runas_List. [7ca510b5031c] * parse.c, parse.h, parse.yacc, sudo.c, testsudoers.c, visudo.c: If the user specified a uid with the -u flag and the uid exists in the passwd file, set runas_user to the name, not the uid. When comparing usernames in sudoers, if a name is really a uid (starts with '#') compare it numerically to pw_uid. [8d6935d04673] 2004-03-22 Todd C. Miller * auth/kerb5.c: krb5_mcc_ops should be const; Johnny C. Lam [aa8c753e426e] 2004-02-28 Aaron Spangler * CHANGES, config.h.in, ldap.c: Added start_tls support [7ef864c15b69] 2004-02-14 Todd C. Miller * Makefile.in: Clean up libtool stuff for 'make distclean' and add def_data.c, def_data.h to PARSESRCS. [bf9bb6bb06ab] 2004-02-14 Aaron Spangler * strlcat.c, strlcpy.c: Un-Fix last license munge [42654b77ac71] 2004-02-13 Todd C. Miller * configure: regen [e4de6b23a4dc] * CHANGES, RUNSON, TODO: checkpoint [94e1ace84d5c] * lex.yy.c, sudo.tab.c: regen [8ce784505643] * auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, emul/search.h, emul/utime.h: More to a less restrictive, ISC-style license. [a31b20e48003] * auth/afs.c, auth/aix_auth.c, zero_bytes.c: More to a less restrictive, ISC-style license. [6d234be91c5e] * auth/bsdauth.c: More to a less restrictive, ISC-style license. [e21be6594b58] * auth/dce.c, auth/fwtk.c, auth/kerb4.c: More to a less restrictive, ISC-style license. [87534c164a52] * auth/kerb5.c, auth/pam.c: More to a less restrictive, ISC-style license. [e41f92b41216] * sudoers.man.in, sudoers.pod, testsudoers.c, tgetpass.c, visudo.c, visudo.man.in, visudo.pod: More to a less restrictive, ISC-style license. [b02aea324fd6] * Makefile.binary: More to a less restrictive, ISC-style license. [1ed561734535] * parse.lex, parse.yacc: More to a less restrictive, ISC-style license. [2f5942e847a1] * utime.c, version.h: More to a less restrictive, ISC-style license. [e2e038ad8209] * LICENSE, Makefile.in, alloc.c, check.c, closefrom.c, compat.h, defaults.c: More to a less restrictive, ISC-style license. [d8d7bfc8a18b] * defaults.h: More to a less restrictive, ISC-style license. [008f5d5743f5] * env.c: More to a less restrictive, ISC-style license. [d5bd859757de] * fileops.c: More to a less restrictive, ISC-style license. [4129a8b38a67] * find_path.c, getprogname.c: More to a less restrictive, ISC-style license. [f605d5eab6f1] * getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, interfaces.h: More to a less restrictive, ISC-style license. [520381c60a54] * ldap.c, logging.c, logging.h, parse.c, parse.h, pathnames.h.in, set_perms.c: More to a less restrictive, ISC-style license. [64d772d70ab3] * sigaction.c, strerror.c: More to a less restrictive, ISC-style license. [4bccdedca58a] * strlcat.c, strlcpy.c, sudo.c, sudo.h, sudo.man.in, sudo.pod, sudo_edit.c: More to a less restrictive, ISC-style license. [71cdcc241e94] * sudo_noexec.c: More to a less restrictive, ISC-style license. [a6da7631e0b2] 2004-02-13 Aaron Spangler * CHANGES, Makefile.in, README.LDAP, config.h.in, configure.in: Merged in LDAP Support [1038092a161e] * def_data.c, def_data.h, def_data.in: Merged in LDAP Support [8fb255280e42] * ldap.c, sudo.c, sudo.h: Merged in LDAP Support [547eaa346fcc] * sudoers2ldif: Merged in LDAP Support [3994c4d05947] 2004-02-08 Todd C. Miller * sudo.h, sudo_noexec.c: Only do "extern int errno" if errno is not a macro. [b2e02a08be8b] 2004-02-06 Todd C. Miller * set_perms.c: setreuid(0, 0) fails on QNX if the euid is not already 0 so set the euid first, then just call setuid(0) to set the real uid too. [f08546e2e0ee] * set_perms.c: Use setresuid() and setreuid() for PERM_RUNAS when appropriate instead of seteuid() which may not exist. [ba508581befb] 2004-02-04 Todd C. Miller * LICENSE: 2004 [37425513a342] * INSTALL, config.h.in, configure, configure.in, ins_classic.h: Add --with-pc-insults configure option [7daa5294c17b] * visudo.man.in: Prefer VISUAL over EDITOR like old vipw did. [996252a4ab65] 2004-02-01 Todd C. Miller * sudo.man.in, sudoers.man.in: regen [a247f1c52eb9] * sudoers.pod: Add a note that noexec is not a cure-all. [9e7fc535367d] * sudoers.pod: Mention that disabling "root_sudo" is pretty pointless. [f38a415afba0] * configure, configure.in: Substitute for root_sudo in sudoers.pod [ce483cfc86be] * sudo.pod: Add sudoedit to the NAME section [51bc453ec2f6] * sudoers.pod: Document that fact that setting ignore_dot in sudoers has no effect due to the fact that find_path() is called *before* sudoers is read. [6808df7e417c] 2004-01-30 Todd C. Miller * sudo_edit.c: Do not require _PATH_USRTMP to be set. [546f3270dd10] * BUGS, CHANGES, TODO: sync [4205ddeab781] * sudo.man.in: regen [e2143690a88a] * sudo.pod: Clarify that when sudo is run by root with the SUDO_USER variable set, the sudoers lookup happens for root and not the SUDO_USER user. [47207bec1bdf] 2004-01-29 Todd C. Miller * auth/pam.c, auth/sudo_auth.c, interfaces.c, logging.c, parse.c, set_perms.c, sigaction.c, sudo.c, tgetpass.c: Use the SET, CLR and ISSET macros. [a8b0d7f1e8fd] * defaults.c, env.c: Use the SET, CLR and ISSET macros. [2f39431e0a49] * fnmatch.c: Use the SET, CLR and ISSET macros. [1afbcba22ba6] * interfaces.h: MAIN was replaced with _SUDO_MAIN some time ago. [ea1b38f2ac9d] * sudo.c: Don't look at prev_user until after we've parsed sudoers and done the password check. That way, if sudo/sudoedit is run from a root process that was invoked by sudo, we check sudoers for root, not the previous user. This makes sudoedit much more useful and means that for the sudo case, we get correct logging on who actually ran the command. [431dfbf20552] 2004-01-23 Todd C. Miller * sudo_edit.c: Add a comment describing why we need to be notified about our child stopping. [0bec3ce4b49d] 2004-01-22 Todd C. Miller * def_data.c, def_data.in: Update the noexec variable descriptions [9cb7f1aa0e57] * sudoers.man.in, sudoers.pod: noexec now replaces more than just execve() [23cbdc0ee95c] * sudo_noexec.c: Alas, all the world does not go through execve(2). Many systems still have an execv(2) system call, Linux 2.6 provides fexecve(2) and it is not uncommon for libc to have underscore ('_') versions of the functions to be used internally by the library. Instead of stubbing all these out by hand, define a macro and let it do the work. Extra exec functions pointed out by Reznic Valery. [9fa0cd871b0c] * sudo.c, sudo_edit.c: Fix suspending the editor in -e mode. Because we do a fork() first we need to be notified when the child has been stopped and then send that same signal to ourself so the shell can do its job control thing. [773165eb6057] * visudo.c: Use WIFEXITED and WEXITSTATUS macros. If there are systems out there that want to run sudo that still don't support these we can try to deal with that later. [6af68e4aff60] * lex.yy.c: regen [403435317d5d] * sudo.man.in, sudo.pod, sudoers.man.in, sudoers.pod: Document sudo -e / sudoedit [a80f6ea910af] * configure, configure.in: fix typo [5020fcdc27f4] * config.h.in, configure.in: Add SET/CLR/ISSET [03ff57286e7e] 2004-01-21 Todd C. Miller * sudo.c: Allow non-exclusive flags when invoked as sudoedit. Pretty print the long usage() line to not wrap (assumes 80 char display) [3941fa4004bb] * Makefile.in, sudo.c: If sudo is invoked as "sudoedit" the -e flag is implied and no other flags are permitted. [929670b01293] * sudo.h: Add a new flag, -e, that makes it possible to give users the ability to edit files with the editor of their choice as the invoking user, not the runas user. Temporary files are used for the actual edit and the temp file is copied over the original after the editor is done. [c4051414c1f4] * Makefile.in, parse.c, parse.lex, sudo.c, sudo_edit.c: Add a new flag, -e, that makes it possible to give users the ability to edit files with the editor of their choice as the invoking user, not the runas user. Temporary files are used for the actual edit and the temp file is copied over the original after the editor is done. [37ac05c8ac3c] * env.c, sudo.c: If real uid == 0 and the SUDO_USER environment variables is set, use that to determine the invoking user's true identity. That way the proper info gets logged by someone who has done "sudo su" but still uses sudo to as root. We can't do this for non-root users since that would open up a security hole, though perhaps it would be acceptable to use getlogin(2) on OSes where this a system call (and doesn't just look in the utmp file). [c2f9198708a1] * pathnames.h.in: Add _PATH_TMP, _PATH_VARTMP and _PATH_USRTMP [7d9e5768df93] * config.h.in, configure, configure.in: Add check for fchown(2) [a85df18798ed] 2004-01-20 Todd C. Miller * sudo.c: Back out portions of the -i commit that set NewArgv[0] in set_runaspw. It is far to late to set NewArgv[0] there and will have no effect anyway as cmnd and safe_cmnd have already been set. [c2d343430c1c] * visudo.c, visudo.pod: Prefer VISUAL over EDITOR like old vipw did. [ae32f477cea3] 2004-01-19 Todd C. Miller * env.c, sudo.c: In -i mode always set new environment based on the runas user's passwd entry. [fa653b7887a8] 2004-01-18 Todd C. Miller * sudo.man.in, sudo.pod: Document the new -i flag and sync SYNOPSIS section with usage() in sudo.c. Also sort the flags in the OPTIONS section. [6aabc0ffc47e] * sudo.c, sudo.h: o Add -i that acts similar to "su -", based on patches from David J. MacKenzie o Sort the flags in the usage message [c0fe7d6beffd] * sudoers.man.in, sudoers.pod: Add a missing @runas_default@ substitution. [60516fe2d090] 2004-01-17 Todd C. Miller * sudo.c: Change euid to runas user before calling find_path(). Unfortunately, though runas_user can be modified in sudoers we haven't parsed sudoers yet. [f469fdf2e313] * sudoers.man.in, sudoers.pod: Add missing defintion of Parameter_List and use single pipes in the Defaults EBNF definition. [f7bed6e909bf] * sudo.c: Fix a bug when set_runaspw() is used as a callback. We don't want to reset the contents of runas_pw if the user specified a user via the -u flag. Avoid unnecessary passwd lookups in set_authpw(). In most cases we already have the info in runas_pw. [efc35623ba09] 2004-01-16 Todd C. Miller * check.c: Add Stan Lee / Uncle Ben quote to the lecture from RedHat [ebd5a76ccd7e] * sudo.h: Update sudo_getepw() proto and add one for set_runaspw() [6ed65795c17f] * parse.c: If we can't stat the command as root, try as the runas user instead. [ae713fca0e15] * testsudoers.c, visudo.c: Add stub set_runaspw() function [42aa37050053] * sudo.c: Add set_runaspw() function to fill in runas_pw. This will be used as a callback to update runas_pw when the runas user changes. [e570aa0088d0] * env.c, sudo.c: PERM_RUNAS -> PERM_FULL_RUNAS [51eec6f9e89a] * set_perms.c, sudo.h: Rename PERM_RUNAS -> PERM_FULL_RUNAS and add a PERM_RUNAS that just changes the euid. [877c6fe4d12c] * getspwuid.c: Make sudo_pwdup() act like OpenBSD pw_dup() and allocate memory in one chunk for easy free()ing. Also change it from static to extern. [ab503260a7ec] * defaults.c, defaults.h: Add callback support [a61c4ca983fb] * def_data.c, def_data.in: Add a callback field and use it for runas_default [d3e9f06872b8] * mkdefaults: Add a callback field and use it for runas_default [96b69c27df5e] 2004-01-15 Todd C. Miller * auth/fwtk.c: Add support for chalnecho and display server responses used by fwtk >= 2.0 [b1870f7aaf0d] 2004-01-12 Todd C. Miller * sudoers.man.in, sudoers.pod: ld.so is ld.so.1 on solaris [2bf9a123fa4c] * Makefile.in, config.h.in, configure, configure.in, sudo.c, sudo.h: Use closefrom() instead of doing the equivalent inline. [7e3ef6072884] * closefrom.c: closefrom(3) for systems w/o it [35caf58bb636] 2004-01-09 Todd C. Miller * sudoers.man.in: Update from .pod file. [d4c94fc0e0c9] * configure, configure.in: Substitute noexec_file for the sudoers man page [203d3376a551] * sudo.man.in, sudo.pod: Mention noexec [014375ddbb06] * sudoers.man.in, sudoers.pod: Document noexec [49a65d06201f] * auth/pam.c, config.h.in, configure.in: Move PAM_CONST macro definition from config.h to pam.c where it belongs. We can't have this in config.h since that gets included too early. [e64748071637] * auth/pam.c, config.h.in, configure, configure.in: Some PAM implementations put their headers in /usr/include/pam instead of /usr/include/security. [8cc749e9575c] * configure.in: I missed changing the EXEC macro -> EXECV here when I changed this in config.h.in and sudo.c a while ago. [6f5afac7789f] * acsite.m4: OpenBSD vax/m88k/hppa don't do shared libs [e4901d958bb7] * configure, configure.in: o merge the hpux case entries into a single entry w/ its own sub- case statement. o HP-UX >= 11 support getspnam(), use it in preference to getprpwuid() [0caad428894e] * configure, configure.in: eval $shrext so that it expands nicely on MacOS X [40419343eef8] * Makefile.in: Don't lie about making a module, it does the wrong thing on mach [7629b28f5688] * ltmain.sh: Remove requirement that libs must begin with "lib". They don't when we point directly at the lib using LD_PRELOAD or its equivalent. [d66f3de6ec85] * acsite.m4: Disable support for c++, f77 and java. We don't need it, it takes a lot of time, and it hosed our check for shared lib support. [4f5749c52ce4] * configure: regen [160865e9d15f] * configure.in: Call AC_ENABLE_SHARED and check the status of enable_shared to know when shared libs are available. [42504c1668fc] * acsite.m4: Duh, OpenBSD suports shared libs too [8e3cd9417475] * config.h.in, configure.in: Only OpenPAM and Linux PAM use const qualifiers. [b2f76476e866] * configure, configure.in: o No need to check for sed, libtool config does that for us o move check for --with-noexec until after libtool magic is run so we can use $can_build_shared and $shrext [668c656e89cc] * ltmain.sh: Don't print a bunch of crap about library installs since we are not really installing a library. [83fbcad29fe4] * env.c: Make format_env() varargs Add noexec support for Darwin, MacOS X, Irix, and Tru64 [468885d75d10] * acsite.m4, ltconfig, ltmain.sh: Update to libtool 1.5 with local changes: o no ldconfig in the finish step o assume no libprefix or version is needed [4961cffc3797] * sudo_noexec.c: Fix compilation under K&R [8b309bf0b1b2] 2004-01-06 Todd C. Miller * CHANGES: checkpoint [3c368badab32] * sudo_noexec.c: stub execve() that just returns EACCES; used for noexec functionality [1297acae283a] * sudo.tab.c: Regen w/ updated byacc from OpenBSD; fixes a gcc 3.2 issue with generated code. [0a61c735eabe] * sudo.tab.h: Regen w/ updated byacc from OpenBSD; fixes a gcc 3.2 issue with generated code. [dcab78c49273] 2004-01-05 Todd C. Miller * def_data.c, def_data.h, def_data.in: Move the environment defaults to the end and shorten a few of the descriptions. [66787b9c612c] * configure, configure.in: no shared libs on ultris or convexos [2c5f3c456e32] * Makefile.in, configure, configure.in: Build sudo_noexec shared object using libtool; could use some cleanup. [373f483555dd] * acsite.m4, ltconfig, ltmain.sh: libtool scaffolding [c903a42e3d90] * parse.yacc, sudo.tab.c: Merge the NOPASSWD/PASSWD and NOEXEC/EXEC rules so that order is not important. [c6e8a34639a4] * defaults.c, env.c, lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc, pathnames.h.in, sudo.c, sudo.h, sudo.tab.c: update copyright year [a16372ae1711] * configure, configure.in, defaults.c, env.c, pathnames.h.in: Add _PATH_SUDO_NOEXEC and corresponding --with-noexec configure option. The default value of noexec_file is set to this. [7d88e1d3c494] * def_data.c, def_data.h, def_data.in, env.c, lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc, sudo.c, sudo.h, sudo.tab.c, sudo.tab.h: Add support for preloading a shared object containing a dummy execve() function that just sets error and returns -1. This adds a "noexec_file" option to load the filename as well as a "noexec" flag to enable it unconditionally. There is also a NOEXEC tag that can be attached to specific commands and an EXEC tag to disable it. [c8b6712feb91] * mkdefaults: add missing newline to usage statement [e84746618362] * config.h.in, sudo.c: Rename EXEC macro -> EXECV [ddaa0c027299] * logging.c: Don't truncate usernames to 8 characters in the log message. [f62a20f27075] * check.c, sudoers.man.in, sudoers.pod: Update copyright year [ca9964054085] * check.c, def_data.c, def_data.h, def_data.in, sudoers.man.in, sudoers.pod: Add a new option, lecture_file, that can be used to point to a custom sudo lecture. [940133231216] 2003-12-31 Todd C. Miller * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c: Add a zero_bytes() function to do the equivalent of bzero in such a way that will heopfully not be optimized away by sneaky compilers. [161b6d74bfb4] * Makefile.in, sudo.h: Add a zero_bytes() function to do the equivalent of bzero in such a way that will heopfully not be optimized away by sneaky compilers. [ff136de3e255] * zero_bytes.c: Add a zero_bytes() function to do the equivalent of bzero in such a way that will heopfully not be optimized away by sneaky compilers. [d035abf0af94] * err.c: Use #ifdef __STDC__, not #if __STDC__. [6889dd6bc51a] 2003-12-30 Todd C. Miller * mkdefaults: Always put at least one space between the def_* macro name and its definition. [6b3ad0e6619a] * configure, configure.in: Adjust code for --without-lecture to match new values. [062aa788a6b9] * visudo.man.in: regen after pasto fix [3deec16906c0] * sudoers.man.in, sudoers.pod: Document that "lecture" has changed from a flag to a tuple. [e2c03062b533] * check.c, def_data.c, def_data.h, def_data.in, defaults.c, defaults.h, logging.c, mkdefaults, parse.c, sudo.c, sudo.h: Add support for tuples in def_data.in; these are implemented as an enum type. Currently there is only a single tuple enum but in the future we may have one tuple enum per T_TUPLE entry in def_data.in. Currently listpw, verifypw and lecture are tuples. This avoids the need to have two entries (one ival, one str) for pwflags and syslog values. lecture is now a tuple with the following values: never, once, always We no longer use both an int and string entry for syslog facilities and priorities. Instead, there are logfac2str() and logpri2str() functions that get used when we need to print the string values. [5293f946c836] * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/rfc1938.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, check.c, def_data.h, defaults.c, defaults.h, env.c, find_path.c, logging.c, mkdefaults, parse.c, parse.yacc, set_perms.c, sudo.c, sudo.tab.c, visudo.c: Create def_* macros for each defaults value so we no longer need the def_{flag,ival,str,list,mode} macros (which have been removed). This is a step toward more flexible data types in def_data.in. [009c02934106] * TODO: checkpoint [0a99a4bb5d15] 2003-12-23 Todd C. Miller * sudo.c: If we are in -k/-K mode, just spew to stderr. It is not unusual for users to place "sudo -k" in a .logout file which can cause sudo to be run during reboot after the YP/NIS/NIS+/LDAP/etc daemon has died. Previously, this would result in useless mail and logging. [d282e7ed63af] 2003-12-16 Todd C. Miller * visudo.pod: fix pasto in VISUAL description [1c6a6148b5f9] 2003-12-10 Todd C. Miller * configure: regen [f44312c63799] * CHANGES: checkpoint [0c42e38f78d5] * TROUBLESHOOTING: Some OSes (like Solaris) allow export w/ nosuid too [973ce85ffa12] 2003-08-12 Todd C. Miller * compat.h: We don't use FD_ZERO anymore so just define FD_SET (if not already there). [d1c8c11905cd] 2003-06-29 Todd C. Miller * auth/pam.c: Fix a core dump on Solaris by preserving the pam_handle_t we used during authentication for pam_prep_user(). If we didn't authenticate (ie: ticket still valid), we call pam_init() from pam_prep_user(). This is something of a hack; it may be better to change the auth API and add an auth_final() function that acts like pam_prep_user(). [f787de49b175] 2003-06-21 Todd C. Miller * set_perms.c: Add explicit declaration of printerr variable in function header (was defaulting to int which is OK but oh so K&R :-). From Theo. [492c2358783f] 2003-06-09 Todd C. Miller * config.h.in, configure.in: s/HAVE_STOW/USE_STOW/ [4b99e1824ece] * logging.c: Also exit waitpid() loop when pid == 0. Fixes a problem where the sudo process would spin eating up CPU until sendmail finished when it has to send mail. [ec3d5792b9b4] 2003-05-30 Todd C. Miller * fnmatch.3: Remove advertising clause, UCB has disavowed it [3ff24291bcfa] * fnmatch.c: Remove advertising clause, UCB has disavowed it [43a26bbd6628] 2003-05-22 Todd C. Miller * parse.c: Don't assume that getgrnam() calls don't modify contents of struct passwd returned by getpwnam(). On FreeBSD w/ NIS this can happen. Based on a patch from Kirk Webb. [5574c68f60f3] 2003-05-06 Todd C. Miller * configure.in: missing ;; [22378f2a9d31] * configure.in: darwin has a broken setreuid() in at least some versions [d572aed930d2] * env.c: Fix an off by one error when reallocating the environment; Kevin Pye [3d98e7cf097a] 2003-04-30 Todd C. Miller * sudoers.pod: Fix User_Spec definition; SEKINE Tatsuo [49b0da65e090] 2003-04-28 Todd C. Miller * HISTORY: More info on the early days from Coggs. [9381ca10b06b] 2003-04-21 Todd C. Miller * auth/kerb5.c: remove errant semicolon that prevented compilation under heimdal [d2f2bb73a598] 2003-04-16 Todd C. Miller * auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, parse.lex, parse.yacc, utime.c, version.h: add DARPA credit on affected files [868d54cbddea] * auth/kerb5.c, auth/pam.c: add DARPA credit on affected files [15da3021b49c] * auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.c, fileops.c, find_path.c, getprogname.c, getspwuid.c, goodpath.c, interfaces.c, interfaces.h: add DARPA credit on affected files [da66e28fb3f5] * logging.c, parse.c: add DARPA credit on affected files [8f75f822755b] * pathnames.h.in: add DARPA credit on affected files [e334cdda422f] * set_perms.c: add DARPA credit on affected files [3d79fdabb582] * sigaction.c, strerror.c, sudo.c, sudo.h, sudo.man.in, sudo.pod, sudoers.man.in: add DARPA credit on affected files [d8adf1c2ba22] * sudoers.pod: add DARPA credit on affected files [83b46318750b] * testsudoers.c, tgetpass.c, visudo.c, visudo.man.in, visudo.pod: add DARPA credit on affected files [7020785ee50d] * Makefile.in, alloc.c, check.c: add DARPA credit on affected files [cd939e05c810] * compat.h: add DARPA credit on affected files [316a735783c4] * defaults.c, defaults.h: add DARPA credit on affected files [6a64205fd1eb] * env.c: add DARPA credit on affected files [90239f51ef0a] * LICENSE: slightly different wording for the darpa credit [e468909c4a21] 2003-04-15 Todd C. Miller * LICENSE: Add DARPA credit [8eb20e2cd63e] 2003-04-14 Todd C. Miller * auth/kerb5.c: Use krb5_princ_component() instead of krb5_princ_realm() for MIT Kerberos like we did before I messed things up ;-) Use krb5_principal_get_comp_string() to do the same thing w/ Heimdal. I'm not sure if the component should be 0 or 1 in this case. #define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 for Heimdal since older versions lack ENCTYPE_DES_CBC_MD5. This is gross and there should be a configure check for this I guess. [74919a3933fe] 2003-04-13 Todd C. Miller * TROUBLESHOOTING, config.h.in, configure, configure.in: builtin -> built-in; Jason McIntyre [70b81ac48943] * sample.sudoers: builtin -> built-in; Jason McIntyre [027f2187923e] * sudoers.pod: built in -> built-in; Jason McIntyre [da658ef5138d] 2003-04-09 Todd C. Miller * CHANGES: checkpoint for 1.6.7p3 [da85f989fadf] * HISTORY: Update info on the early years @ SUNY-Buffalo from Cliff Spencer. Amazingly, sudo source from 1985 is available via groups.google.com [39e0fc85b89f] * sudo.c: Don't change rl.rlim_max for RLIMIT_CORE. We need only set rl.rlim_cur to 0 to turn off core dumps. This may be needed for the RLIMIT_CORE restoration on some OSes. [7e2c1a7adfd8] 2003-04-04 Todd C. Miller * auth/kerb5.c: Make this compile on Heimdal and MIT Kerberos 5 [44c07d615868] * config.h.in, configure, configure.in: Check for heimdal even if we found krb5-config and define HAVE_HEIMDAL. [aba0126f0059] * auth/kerb5.c: Replace ETYPE_DES_CBC_MD5 with ENCTYPE_DES_CBC_MD5. The former is no longer defined by MIT kerb5 (though it used to be and indeed remains so in Heimdal). [e5a6c64d7cd5] 2003-04-03 Todd C. Miller * mkinstalldirs: Remove newer stuff that passes multiple (possibly duplicate) directories to "mkdir -p" since that seems to break on Tru64 Unix at least. This basically brings back what shipped with sudo 1.6.6. [f2a1abd872b3] 2003-04-02 Todd C. Miller * auth/kerb5.c: Correct number of args to krb5_principal_get_realm() and fix an unclosed comment that hid the bug. [0b37f8ce7824] * configure: regen [1876cb840fe0] * BUGS: ++version [ea3573432412] * CHANGES, version.h: ++version [f66985a64063] * INSTALL: ++version [555aeba5c2bf] * INSTALL.binary: ++version [a506204e77d0] * Makefile.in: ++version [97ef63cedc38] * README: ++version [488e0bbff613] * configure.in: ++version [480aff7c048e] * configure.in: use krb5-config to determine Kerberos V details if it exists [7b46bbdaf774] * alloc.c, auth/fwtk.c, auth/rfc1938.c, auth/securid.c, auth/securid5.c, auth/sia.c, check.c, compat.h, defaults.c, env.c, find_path.c, interfaces.c, logging.c, parse.c, sudo.c, sudo.h, testsudoers.c, visudo.c: Use warn/err and getprogname() throughout. The main exception is openlog(). Since the admin may be filtering logs based on the program name in the log files, hard code this to "sudo". [9f180d015cfa] * Makefile.in: Add getprogname.c and err.c [d411c54a07dc] * configure: regen [6d585d391acc] * config.h.in, configure.in: Add checks for getprognam(), __progname and err.h [bcbccf61d34a] * emul/err.h: For systems withour err/warn functions. [1b33118884d9] * err.c: For systems withour err/warn functions. [26721f6b041f] * getprogname.c: For systems neither getprogname() nor __progname; uses Argv[0]. [841cf42af1eb] 2003-04-01 Todd C. Miller * CHANGES: checkpoint for 1.6.7p1 [5bfdaf441dce] * sudo.c, testsudoers.c: fix strlcpy() rval check (innocuous) [e05ac7e0d1f3] * check.c: oflow detection in expand_prompt() was faulty (false positives). The count was based on strlcat() return value which includes the length of the entire string. [086c5a0acb25] 2003-03-31 Todd C. Miller * CHANGES: checkpoint for the sudo 1.6.7 release [87322187ed78] * RUNSON, TODO: checkpoint for the sudo 1.6.7 release [096bab4da29a] [SUDO_1_6_7] 2003-03-24 Todd C. Miller * logging.c: g/c unused variable [c57cd4a17765] * configure: regen [e7c1f581dfac] * configure.in: use man sections 8 and 5 for csops [87de581bda88] 2003-03-21 Todd C. Miller * configure: regen [cb1433a9c7a1] * configure.in: Add -lskey or -lopie directly to SUDO_LIBS instead of having AC_CHECK_LIB() add them to LIBS. Fixes visudo linkage. [ac5667978939] * configure: regen [638459118a2a] * INSTALL: Add --with-blibpath for AIX. An alternate libpath may be specified or -blibpath support can be disabled. Also change conifgure such that -blibpath is not specified if no -L libpaths were added to SUDO_LDFLAGS. [4b4bbe5bbe1b] * aclocal.m4: Add --with-blibpath for AIX. An alternate libpath may be specified or -blibpath support can be disabled. Also change conifgure such that -blibpath is not specified if no -L libpaths were added to SUDO_LDFLAGS. [37022e991575] * configure.in: Add --with-blibpath for AIX. An alternate libpath may be specified or -blibpath support can be disabled. Also change conifgure such that -blibpath is not specified if no -L libpaths were added to SUDO_LDFLAGS. [c7d17b480cad] * configure.in: add AIX blibpath support [16ba788bf086] * INSTALL, configure.in: --with-skey and --with-opie now take an option directory argument This obsoletes a --with-csops hack (/tools/cs/skey) Also remove the remaining direct uses of "echo" [5b4986a90c03] 2003-03-20 Todd C. Miller * configure.in: Detect KTH Kerberos IV and deal with it. Also make -lroken optional for KTH Kerberos IV and V. [119f97b48e18] * aclocal.m4: Add SUDO_APPEND_LIBPATH function that add -L/path/to/dir (and -R/path/to/dir if $with_rpath) to the specified variable. [e55e49d076ce] * INSTALL, configure.in: Add -R/path/to/libs for Solaris and SVR4. There is a new configure option, --with-rpath to control this behavior. [d4730c5399ab] * configure.in: for kerb4 put libdes after libkrb on the link line [5c566100eab6] * auth/kerb4.c: typo [6541b72b64a3] * configure.in: fix kerberos lib check when a path is specified [ae833a914c6f] * logging.c: Fix boolean thinko in SIGCHLD reaper and call reapchild after sending mail instead of doing a conditional sudo_waitpid. [86fa9a35df5a] 2003-03-19 Todd C. Miller * configure: regen [e6275cf528ba] * configure.in: replace =DIR with [=DIR] where sensible [c39a59173b38] * configure.in: o Use AC_MSG_* instead of "echo" o New Kerberos include/lib detection based on openssh's configure.in [5b7a340912df] * INSTALL: --with-kerb4 and --with-kerb5 now take an optional argument. [71ed87fc9c64] 2003-03-16 Todd C. Miller * auth/securid.c: Kill remaining strcpy(), the programmer's guide says username is 32 bytes. [bdba70fcd08d] * auth/kerb4.c: trat uid_t as unsigned long for printf and use snprintf, not sprintf [8072f5f8966d] * auth/rfc1938.c: use snprintf [fc0c70c665fe] 2003-03-15 Todd C. Miller * auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/sudo_auth.c: update copyright year [b0a10ccb1d0e] * sudo.man.in, sudoers.man.in, visudo.man.in: update copyright year [8fce0034eb51] * LICENSE, Makefile.in, aclocal.m4, alloc.c, check.c, compat.h, configure.in, env.c, find_path.c, interfaces.c, logging.c, parse.c, parse.lex, parse.yacc, set_perms.c, sudo.c, sudo.h, sudo.pod, sudoers.pod, testsudoers.c, version.h, visudo.c, visudo.pod: update copyright year [d541e75fe520] * check.c, env.c, sudo.c: Cast [ug]ids to unsigned long and printf with %lu [2ede64d3592b] * configure: regen [c7c3245bdf3e] * configure.in: correct error messages for --with-sudoers-{mode,uid,gid} [77fc15b1c9db] * alloc.c: make the malloc(0) error specific to each function to aid tracking down bugs. [a58c34374b4b] * alloc.c: deal with platforms where size_t is signed and there is no SIZE_MAX or SIZE_T_MAX [7192abb4ab4e] * auth/kerb5.c: Make this compile w/ Heimdal and fix some gcc warnings. [f52f026f31c2] * sudo.c: Use stat_sudoers macro so --with-stow can work [c3674735c139] * INSTALL, config.h.in, configure, configure.in: Add support for --with-stow based on patches from Robert Uhl [b274cc1dd52c] * env.c: fix indentation [110d9f1721b1] * configure.in: back out rev 1.352 [1eee91c83f11] * lex.yy.c: regen [72fba1c9590b] * parse.lex: use strlcpy, not strncpy [4faccbaeccef] * set_perms.c: Fix typo; check pw_uid, not pw_gid after setusercontext() failure. [33bf0d18fdc1] * logging.c: use pid_t [3e0536993d2c] 2003-03-14 Todd C. Miller * strlcat.c, strlcpy.c: Make gcc shutup about unused rcsid [1669a0c74e9e] * interfaces.c: Move the n == 0 check for the non-getifaddrs cas [2460be061b2a] * auth/rfc1938.c: skeychallenge() on NetBSD take a size parameter [05acc2012801] * configure: regen [24bccf4749e8] * configure.in: put -ldl after -lpam, not before; fixes static linking on Linux [7f06b7b2b4d8] * interfaces.c: Avoid malloc(0) and fix the loop invariant for the getifaddrs() case. [239a55068646] * sudo.cat, sudoers.cat, visudo.cat: regen [4a2eed3981ca] * sudo.man.in, sudoers.man.in, visudo.man.in: regen [2c96ea2cf930] * Makefile.in: Preserve copyright notice from .pod file in .man.in file [519fbd09aebc] * visudo.pod: Add sudoers(5) to SEE ALSO [77ecfe3aedf1] 2003-03-13 Todd C. Miller * lex.yy.c: regen [6f5751ce0b74] * parse.lex: Don't assume libc can realloc() a NULL string. If malloc/realloc fails, make sure we just return; yyerror() is not terminal. [1b8618623708] * lex.yy.c: regen [5d31b46191c6] * parse.lex: simplify fill_args a little and use strlcpy for paranoia [0ea35a55542b] * sudo.tab.c: regen [5a8d508d708b] * check.c, env.c, find_path.c, parse.c, parse.yacc, sudo.c, testsudoers.c: Use strlc{at,py} for paranoia's sake and exit on overflow. In all cases the strings were either pre-allocated to the correct size of length checks were done before the copy but a little paranoia can go a long way. [e73d28f1d14e] * sudo.h: Add strlc{at,py} protos [748ffc7fc7f4] * env.c, interfaces.c: Use erealloc3() [47f2cb46aba8] * configure: regen [e7e2fb79f935] * alloc.c: Oflow test of nmemb > SIZE_MAX / size is fine (don't need >=). Use memcpy() instead of strcpy() in estrdup() so this is strcpy()-free. [7e0fa4d6fc1d] * sudo.c: snprintf() a uid as %lu, not %ld to match the MAX_UID_T_LEN test in configure. [09ea4d3959e9] * aclocal.m4: In MAX_UID_T_LEN test cast uid_t to unsigned long, just unsigned. [31b4fdfdb8bf] 2003-03-12 Todd C. Miller * sudo.c: Use snprintf() for paranoia [a2659ceb46de] * parse.yacc: Use emalloc2 and erealloc3 [90a069842401] * Makefile.in: strlc{at,py} for those w/o it [bac82dc916ee] * strlcat.c, strlcpy.c: stlc{at,py} for those w/o it. [ce7254f5db09] * config.h.in, configure, configure.in: Add stlc{at,py} for those w/o it. [00f08219657a] * alloc.c, sudo.h: Add erealloc3(), a realloc() version of emalloc2(). [c96eaf08bbed] * interfaces.c, sudo.c: Use emalloc2() to allocate N things of a certain size. [1e0aba365555] * alloc.c, sudo.h: Add emalloc2() -- like calloc() but w/o the bzero and with error/oflow checking. [292150bc4153] * alloc.c: Error out on malloc(0); suggested by theo [995279e81326] 2003-03-10 Todd C. Miller * configure, configure.in: fix a typo; David Krause [f161213a17ab] 2003-03-07 Todd C. Miller * sudo.pod: fix typo [3ae5ad9a351a] 2003-03-04 Todd C. Miller * env.c: Remove DYLD_ from the environment for MacOS X; from bbraun [38caad5a3935] 2003-03-01 Todd C. Miller * config.h.in, configure.in: not not; Anil Madhavapeddy [d4f4f0bfc66b] 2003-01-23 Todd C. Miller * sudo.pod, sudoers.pod, visudo.pod: typos; jmc@openbsd.org [868c0f09bf9e] 2003-01-20 Todd C. Miller * parse.yacc: Add some missing ';' rule terminators that bison warns about. [535b0b8dcce5] * config.sub: fix typo I introduced in last merge [81db4e4f43fe] * configure: regenerate with autoconf 2.57 [ca0c1e9564f8] * config.h.in: Add missing "$HOME" [209186197ad1] * configure.in: Add some more square backets to make autoconf 2.57 happy [b5639c14faf7] * config.guess: Updates from autoconf-2.57 [ea0f8ca622af] * config.sub, mkinstalldirs: Updates from autoconf-2.57 [36be35eb331b] 2003-01-17 Todd C. Miller * lex.yy.c, sudo.tab.c: regen [0b529db7cb6d] * sudo.tab.h: regen [13a65a421567] * parse.lex, parse.yacc, sudoers.pod: Add support for Defaults>RunasUser [20d726373175] 2003-01-07 Todd C. Miller * visudo.c: fclose() yyin after each yyparse() is done and use fopen() instead of using freopen(). [587f8a2df857] * parse.lex: Better fix for sudoers files w/o a newline before EOF. It looks like the issue is that yyrestart() does not reset the start condition to INITIAL which is an issue since we parse sudoers multiple times. [920f8326968a] 2003-01-06 Todd C. Miller * parse.lex: Work around what appears to be a flex bug when dealing with files that lack a final newline before EOF. This adds a rule to match EOF in the non-initial states which resets the state to INITIAL and throws an error. [b94943bb1f81] * visudo.c: o The parser needs sudoers to end with a newline but some editors (emacs) may not add one. Check for a missing newline at EOF and add one if needed. o Set quiet flag during initial sudoers parse (to get options) o Move yyrestart() call and always use freopen() to open yyin after initial sudoers parse. [12d12f9b07aa] 2002-12-15 Todd C. Miller * set_perms.c: Fix pasto/thinko in setresgid()/setregid() usage. Want to set effective gid, not real gid, when reading sudoers. [c7d18b810fcd] * set_perms.c: don't compile set_perms_posix if we have setreuid or setresuid [b9cea7a81a29] 2002-12-14 Todd C. Miller * sudo.pod, sudoers.pod: document new prompt escapes [2f088076b640] * check.c: Add %U and %H escapes and redo prompt rewriting. "%%" now gets collapsed to "%" as was originally intended. This also gets rid of lastchar (does lookahead instead of lookback) which should simplify the logic slightly. [4b707b77b3c7] 2002-12-13 Todd C. Miller * tgetpass.c: Write the prompt *after* turning off echo to avoid some password characters being echoed on heavily-loaded machines with fast typists. [d38c57775915] * config.sub: Add support for mipseb; wiz@danbala.tuwien.ac.at [cfdac87ed5c8] * configure.in: Fix IRIX fallout from name changes in man dir/sect Makefile variables. Patch from erici AT motown DOT cc DOT utexas DOT edu [9a7618755c23] * auth/pam.c: Keep a local copy of tgetpass_flags so we don't add in TGP_ECHO to the global copy. Problem noted by Peter Pentchev. [d0a3e189cb06] 2002-11-28 Todd C. Miller * sudo.tab.c: regen [23b931359087] * parse.yacc: Add missing yyerror() calls; YYERROR does not seem to call this for us. [0be7aeb3ac57] 2002-11-26 Todd C. Miller * sudo.c: fix typo in comment; Pedro Bastos [d7406c460e99] 2002-11-22 Todd C. Miller * INSTALL: document --disable-setresuid [fbd03d03a027] * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c: Sprinkle some volatile qualifiers to prevent over-enthusiastic optimizers from removing memset() calls. [5370ac0e6129] * logging.c, parse.yacc: minor sign fixes pointed out by gcc -Wsign-compare [db872438337f] * set_perms.c, sudo.c, sudo.h: Revamp set_perms. We now use a version based on setresuid() or setreuid() when possible since that allows us to support the stay_setuid option and we always know exactly what the semantics will be (various Linux kernels have broken POSIX saved uid support). [523bc212396c] * config.h.in, configure: regen from configure.in [351877ea2624] * configure.in: Add checks for setresuid() and a way to disable using it [a5b21653d169] * compat.h: No long need to emulate set*[ug]id() via setres[ug]id() or setre[ug]id(). The new set_perms stuff only uses things it knows are there. [47884bd5d1d9] * sudo.c: Before exec, restore state of signal handlers to be the same as when we were initialy invoked instead of just reseting to SIG_DFL. Fixes a problem when using sudo with nohup. Based on a patch from Paul Markham. [f8f5a1484faa] * sudo.c: o timestamp_uid should be uid_t, not int o clarify error message when sudo is run by root and no_root_sudo is set [19dda0734264] 2002-09-19 Todd C. Miller * README: update ftp link for bison [98bc191016e3] 2002-07-20 Todd C. Miller * set_perms.c: Error out if setusercontext() fails and the runas user is not root. [089f9ade4686] 2002-05-20 Todd C. Miller * auth/securid5.c: Fix rcsid [07e9e85dcc2f] * configure.in: Fix SecurID API test [5ec201f454a5] 2002-05-17 Todd C. Miller * env.c: typo in comment [9d385c9ac533] * configure.in: securid5 stuff needs pthreads. Just adding -lpthread is suboptimal but I don't see a better way at the moment. [f89e55cbb313] * Makefile.in, auth/securid5.c: SecurID API version 5 support from Michael Stroucken [68500ac7e531] * configure.in: Add check for SecurID 5.0 API [1ee242e6de6b] 2002-05-08 Todd C. Miller * strerror.c: We actually do still need config.h to get the 'const' definition for K&R C. [d9c982032d85] 2002-05-05 Todd C. Miller * configure: regen with autoconf 2.5.3 [c71fc086eef5] * configure.in: Don't set sysconfdir to '/etc' if the user has specified a --prefix. [d90da1efafd9] * configure.in: Some fixes for autoconf 2.53 from Robert Uhl o don't AC_SUBST LIBOBJS o force a 4th arg for AC_CHECK_HEADER() to workaround a bug [dd67afefa90d] * env.c, sudo.c, sudo.h: No need for dump_badenv() now that dump_defaults() knows how to dump lists. [6bcda468501d] * BUGS, INSTALL, INSTALL.binary, Makefile.in, README, configure.in, version.h: ++version [44e3b8f95f0b] * sudoers.pod: document timestampowner [37ebd69e9dd1] * check.c: Don't call set_perms() when doing timestamp stuff unless timestamp_uid != 0. [63a63d41d18c] * auth/sudo_auth.c, check.c, logging.c, parse.c, set_perms.c, sudo.c, sudo.h, testsudoers.c: g/c second arg to set_perms--it is no longer used [7ac4ce50c612] 2002-05-03 Todd C. Miller * check.c, set_perms.c, sudo.c, sudo.h: Add support for non-root timestamp dirs. This allows the timestamp dir to be shared via NFS (though this is not recommended). [faa83dd2b7fb] * def_data.c, def_data.h, def_data.in: Add timestampowner, "Owner of the authentication timestamp dir" [d47640d4c86a] 2002-05-02 Todd C. Miller * env.c: Don't try to pre-compute the size of the new envp, just allocate space up front and realloc as needed. Changes to the new env pointer must all be made through insert_env() which now keeps track of spaced used and allocates as needed. [39bc934a9f2c] 2002-04-26 Todd C. Miller * configure: regen [0e12c09bb790] * configure.in: Fix two typo/pastos; from jrj@purdue.edu [b718a4bf1181] 2002-04-25 Todd C. Miller * INSTALL.binary, README: ++version [a1e33027278c] [SUDO_1_6_6] * configure, sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: regen [19eb2be283ef] * CHANGES, RUNSON, TODO: Sync with 1.6.6 [2ff9a9087f63] * check.c: The the loop used to expand %h and %u, the lastchar variable was not being initialized. This means that if the last char in the prompt is '%' and the first char is 'h' or 'u' a extra copy of the host or user name would be copied, for which space had not been allocated. [b2e27197857d] 2002-04-18 Todd C. Miller * BUGS, INSTALL, Makefile.in, configure.in, version.h: crank version to 1.6.6 [cfd08689e597] * auth/afs.c: #undef VOID to get rid of an AFS warning [b40760564dc1] * env.c: Use easprintf instead of emalloc + sprintf for some things. [e7bfe2e69a03] 2002-03-16 Todd C. Miller * lex.yy.c, sudo.tab.c: regen [35327104383d] * parse.c, parse.lex, parse.yacc, testsudoers.c: Remove Chris Jepeway's email address so people don't bug him ;-) [c03410747a69] 2002-03-12 Todd C. Miller * sudo.c: Move endpwent() to be after set_perms(PERM_RUNAS, ...) and also call endgrent() at the same time. [28b6097d5d1a] 2002-02-22 Todd C. Miller * INSTALL: Make it clear which configure options take arguments. [38529e7efad0] 2002-01-25 Todd C. Miller * compat.h: HP-UX 9.x has RLIMIT_* but no RLIM_INFINITY. If there is no RLIM_INFINITY, just pretend it is -1. This works because we only check for RLIM_INFINITY and do not set anything to that value. [53173d34e6eb] 2002-01-22 Todd C. Miller * auth/pam.c: Zero and free allocated memory when there is a conversation error. [e342133db579] * auth/bsdauth.c: Use sigaction() not signal() [126c2790561f] * INSTALL: Mention that some linux kernels have broken POSIX saved ID support [571ef1a893d3] * CHANGES: checkpoint for 1.6.5p2 [9e9e456f7f43] * configure: regen [d53703a46708] * configure.in: Add --disable-setreuid flag [3b9f2679cb55] * INSTALL: Document new --disable-setreuid option and change description for --disable-saved-ids to match new error message. [14fd3e5f60a5] * set_perms.c: fatal() now takes an argument that determines whether or not to call perror(). [d826b25e62ff] * PORTING: Update for new error messages from set_perms() [60c545a6bcff] * TROUBLESHOOTING: Update for new error messages from set_perms() [78007c3f76a9] 2002-01-21 Todd C. Miller * auth/pam.c: Make this compile w/o warnings [b90843a29af5] * auth/pam.c: Mention that we can't use pam_acct_mgmt() [1dfc5a6e0479] * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c: The user's password was not zeroed after use when AIX authentication, BSD authentication, FWTK or PAM was in use. [b18fff30b1e7] 2002-01-20 Todd C. Miller * auth/pam.c: Avoid giving PAM a NULL password response, use the empty string instead. This avoids a log warning when the user hits ^C at the password prompt when PAM is in use. [c3315805e4e4] * auth/pam.c: Don't check the return value of pam_setcred(). In Linux-PAM 0.75 pam_setcred() returns the last saved return code, not the return code for the setcred module. Because we haven't called pam_authenticate(), this is not set and so pam_setcred() returns PAM_PERM_DENIED. [73db145fa179] * Makefile.binary: Don't need a '/' between $(DESTDIR) and a directory. [cd7eb6098b87] * Makefile.in: Don't need a '/' between $(DESTDIR) and a directory. [0901ca618176] 2002-01-18 Todd C. Miller * configure: regen [41b12c039282] * configure.in: o BSDi also has a bogus setreuid() o Old FreeBSD has a bogus setreuid() o new NetBSD has a real setreuid() o add check for freeifaddrs() if getifaddrs() exists. [a82ee3b01733] * config.h.in, interfaces.c: Older BSDi releases lack freeifaddrs() so add a test for that and if it is not present just use free(). [6270671ea9d5] 2002-01-17 Todd C. Miller * CHANGES, RUNSON: Checkpoint for 1.6.5p1 [26134ecf9b36] * auth/passwd.c: Return AUTH_FAILURE in passwd_init() if skeyaccess() denies access to normal passwords, not AUTH_FATAL (which just causes an exit). [785e0f4bc0e2] * visudo.c: Don't use memory after it has been freed. [c60492739fdb] * auth/passwd.c: skeyaccess() wants a struct passwd * not a char *; Patch from Phillip E. Lobbes [65a1d3806fcd] [SUDO_1_6_5] * BUGS: ++version [b2e1825e692e] * CHANGES, RUNSON, TODO: checkpoint for sudo 1.6.5 [d730945622e7] 2002-01-16 Todd C. Miller * configure: regen [49744c403ac9] * INSTALL, INSTALL.binary, Makefile.in, README, configure.in: version 1.6.5 [ec30a5f7fc45] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: sudo version 1.6.5 [458a3bed535d] * logging.c: o when invoking the mailer as root use a hard-coded environment that doesn't include any info from the user's environment. Basically paranoia. o Add support for the NO_ROOT_MAILER compile-time option and run the mailer as the user and not root if NO_ROOT_MAILER is defined. [4df351ec92ce] * set_perms.c, sudo.h: Bring back PERM_FULL_USER [edb6039bb284] * configure: regen [3eb2943afa03] * version.h: version 1.6.5 [044fc9a0c72b] * INSTALL, config.h.in, configure.in: Add --disable-root-mailer option to run the mailer as the user and not root. [e9f805397963] * CHANGES: checkpoint for 1.6.4p2 [b58aae5aa98a] * PORTING: Mention the "seteuid(0): Operation not permitted" problem here too just for good measure. [90135b37a691] 2002-01-15 Todd C. Miller * env.c, getspwuid.c, sudo.c: The SHELL environment variable was preserved from the user's environment instead of being reset based on the passwd database when the "env_reset" option was used. Now it is reset as it should be. [300066ef3c71] * configure: regen [a47d779e6552] * INSTALL, TROUBLESHOOTING, config.h.in, configure.in, set_perms.c, sudo.c: Add a configure option to turn off use of POSIX saved IDs [fb18cc8e94d0] * configure: regen [d4f2f20025b6] * configure.in: add --with-efence option [45c4f33a8e88] * sudo.c: Only OR in MODE_RESET_HOME if MODE_RUN is set. Fixes a problem where "sudo -l" would not work if always_set_home was set. [c3a6de6c4800] * lex.yy.c: regen [417424452998] * parse.lex: Quoted commas were not being treated correctly in command line arguments. [753415541b37] * sudo.c: o Move the call to rebuild_env() until after MODE_RESET_HOME is set. Otherwise, the set_home option has no effect. o Fix use of freed memory when the "fqdn" flag is set. This was introduced by the fix for the "segv when gethostbynam() fails" bug. Also, we no longer call set_fqdn() if the "fqdn" flag is not set so there is no need to check the "fqdn" flag in set_fqdn() itself. [4b6a4245c04e] * env.c: Add 'continue' statements to optimize the switch statement. From Solar. [a82c76975ae5] 2002-01-13 Todd C. Miller * sudoers.cat, sudoers.man.in: Regen from new sudoers.pod [6ecc07b3d0e1] [SUDO_1_6_4] * sudoers.pod: Add caveat about stay_setuid flag [9d228a7bea1b] * sudo.c: If set_perms == set_perms_posix and the stay_setuid flag is not set, set all uids to 0 and use set_perms_fallback(). [c4e54d1ec86f] * set_perms.c, sudo.h: Remove PERM_FULL_USER (which is no longer used) and add PERM_FULL_ROOT (used when exec'ing the mailer). [15406c522ea2] * logging.c: Use set_perms(PERM_FULL_ROOT, 0) before exec'ing the mailer since we never want to run the mailer setuid. [2294853e0666] 2002-01-12 Todd C. Miller * sudo.cat, sudo.man.in, sudo.pod, visudo.cat, visudo.man.in, visudo.pod: Use sudo.ws instead of courtesan.com in URLs [55204002a308] * Makefile.binary, Makefile.in: Fix mansect substitution [b7b5cbc3aa91] * Makefile.in: Substitute man sections in Makefile.binary [040deb785e56] * Makefile.binary: Sync install targets with Makefile.in and substitute in man sections. [77882a275281] * INSTALL, INSTALL.binary: version is 1.6.4 [0f87aabbcb70] * Makefile.in: Repair bindist target [8d43bfe7e2d1] * CHANGES: sync for 1.6.4 [13ca3d4a0a72] 2002-01-10 Todd C. Miller * install-sh: Fix case where neither whoami nor id are found [424dd270bc47] 2002-01-09 Todd C. Miller * install-sh: If neither whoami nor id exists, just assume we are root. [2d2644e42c53] * alloc.c: Add explicit cast to (VOID *) on malloc/realloc. Seems to be needed on AIX which for some reason isn't pulling in the malloc prototype. [231440d2ee3b] 2002-01-08 Todd C. Miller * Makefile.in, aclocal.m4, compat.h, parse.c, sudo.c: (c) 2002 [700e3b41a68e] * CHANGES: checkpoint [33e604bd8d5b] * sudo.c: Defer assigning new environment until right before the exec. [f13c49e75c1c] * parse.c: kill extra blank line [12ef22e9dae3] 2002-01-07 Todd C. Miller * configure: regen [a6cd2d788f74] * configure.in: Use -O not -O2 for m88k-motorola-sysv* since motorola gcc-derived compiler doesn't recognise -O2. [5234aa543692] * HISTORY: Clarify origins of Root Group sudo a bit based on info from billp@rootgroup.com [4deef01c4208] 2002-01-03 Todd C. Miller * LICENSE: 2002 [6c8e089dbd1a] * CHANGES: checkpoint for 1.6.4rc1 [3349eb87a49f] 2002-01-02 Todd C. Miller * config.h.in: now generated via autoheader [84657d303cb9] * configure: regen [207bfa6a13f6] * compat.h: Move in some stuff that was previously in config.h. [e576d8b6480f] * aclocal.m4, configure.in: Add info for autoheader. [0549cd5da27c] 2002-01-01 Todd C. Miller * Makefile.in: o Add DESTDIR support o Use -M, -O, and -G instead of -m, -o, and -g to facilitate non-root installs [619216038f56] * install-sh: Add -M option (like -m but only for root) If we can't find "whoami", use "id" w/ some sed. [b39121c8b792] * configure: regen [b39b93ff9804] * configure.in: allow user to always override mansectsu and mansectform [0fca5e63bd90] 2001-12-31 Todd C. Miller * mkinstalldirs: update from autoconf 2.52 [07bd75a508c3] * config.guess, config.sub: Update from autoconf 2.52 [857b90fe31b7] * configure: regen with autoconf 2.52 [08e7d1ea2aeb] * configure.in: o Call AC_PROG_CC_STDC to find out how to run the compiler in ANSI mode o Remove compiler-specific checks for HP-UX now that we use AC_PROG_CC_STDC [d433a70b6208] * RUNSON: Checkpoint [babf6d2235d1] * auth/pam.c: o Add pam_prep_user function to call pam_setcred() for the target user; on Linux this often sets resource limits. o When calling pam_end(), try to convert the auth->result to a PAM_FOO value. This is a hack--we really need to stash the last PAM_FOO value received and use that instead. [6ad6f340dd2a] * set_perms.c, sudo.h: o Add pam_prep_user function to call pam_setcred() for the target user; on Linux this often sets resource limits. [67795421ac82] * env.c: Fix off by one error in number of bytes allocated via malloc (does not affected any released version of sudo). [5f5915360111] 2001-12-30 Todd C. Miller * lex.yy.c: regen [8208c0277775] * parse.lex: Allow '@', '(', ')', ':' in arguments to a defaults variable w/o requiring that they be quoted. [ae59bc8f68dd] * sudoers.cat, sudoers.man.in, sudoers.pod: Mention that no double quotes are needed when adding/deleting/assigning a single value to a list. [25efc940a1f0] * Makefile.in: Don't rely on mkdefaults being executable, call perl explicitly. [6edc97ba5f1d] * sudo.tab.c: regen [49130b2e7e4d] * parse.yacc: Remove some XXX that are no longer relevant. [d460ac0d3767] * defaults.c: o Roll our own loop instead of using strpbrk() for better grokability o When adding to a list we must malloc() and use memcpy(), not strdup() since we must only copy len bytes from str. [649bef08e1f0] 2001-12-21 Todd C. Miller * sudo.tab.c: regen [f0bbf2c38c0e] * parse.yacc: typo in comment [2563711ff593] 2001-12-19 Todd C. Miller * CHANGES: checkpoint [a6d8a29fb30e] * configure: regen [bdfcaaf3bd13] * configure.in: avoid the -g flag unless --with-devel was specified [a976707bef30] * Makefile.in: mkdefaults, def_data.in and sigaction.c were missing from the tarball [6917ffbaa412] * Makefile.in: def_data.c was missing [87c78b11453d] 2001-12-18 Todd C. Miller * env.c: Fix setting of $USER and $LOGNAME in the non-reset_env case. Also allow HOME, SHELL, LOGNAME, and USER to be specified in keep_env [fc8698e6a45e] * TODO: Another TODO item [6f251d6cd466] * sudoers: Add comment for Default section so folks know where it should go. [7edba626f392] 2001-12-17 Todd C. Miller * tgetpass.c: Use TCSETAF, not TCSETA to set terminal in termio case [fbd172f6c5d3] * sudoers.cat, sudoers.man.in: regen from sudoers.pod [64edd2de816e] * sudoers.pod: o Typo, Runas_User_List should be Runas_List o a User_List can not contain a uid o mention that the Defaults section should come after Alias definitions but before the user specifications [54070ba2092b] 2001-12-15 Todd C. Miller * sudoers.cat, sudoers.man.in: regen [e62d1d97693c] * sudoers.pod: Fix listpw and verifypw sections, they were not being formatted properly. [123868c2f3e9] * sudoers.cat, sudoers.man.in: regen [f94841f8b374] * sudoers.pod: fix typos [f278f1c1184e] * configure: regen [d2270049ba9f] * config.h.in, configure.in: use AC_SYS_POSIX_TERMIOS instead of rolling our own [c1a13f1354b9] * README: Reference sudo.ws not courtesan.com [ca13be67ebd7] * PORTING: Add notes on shadow passwords [aa13863f2314] * BUGS: In list mode (sudo -l), characters escaped with a backslash are shown verbatim with the backslash. [1a75a2858be2] * sudoers: Add simple examples from OpenBSD (Marc Espie) [3ae9a9ae4125] * tgetpass.c: Catch SIGTTIN and SIGTTOU too and treat them like SIGTSTP. [f8817699ee10] * CHANGES: minor prettyification [f523587929b9] * CHANGES: Updated change log [39d9010ee7a8] * testsudoers.c: Fix CIDR handling here too. [c91db8344c32] * auth/pam.c: Apparently a NULL response is OK [83bae61078d9] * TODO: Checkpoint for upcoming beta release [efb95c09df2a] * TROUBLESHOOTING: Many people believe that adding a runas spec should obviate the need for the -u flag. It does not. [c698bad85b0e] * RUNSON: checkpoint update for upcoming 1.6.4 beta [009e465a0a45] * config.h.in: o Add HAVE_STDLIB_H and HAVE_MEMORY_H o Define HAVE_STRINGS_H even if HAVE_STRING_H is defined -- this is safe now [d27c035f4e14] * PORTING: Add signals section [2d24c13cb3c8] * configure: regen [2b80a939e2ed] * configure.in: Fix check for sigaction_t [6fa41c89ab20] * sudo.c: XXX - should call find_path() as runas user, not root. Can't do that until the parser changes though. [f0b4f85651bd] * sudo.c: If find_path() fails as root, try again as the invoking user (useful for NFS). Idea from Chip Capelik. [e03fa7872692] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in: Regenerate after pod file changes [48e4bd75ec21] * def_data.c, def_data.h, def_data.in, set_perms.c, sudo.c, sudo.h, sudo.pod, sudoers.pod: Add new sudoers option "preserve_groups". Previously sudo would not call initgroups() if the target user was root. Now it always calls initgroups() unless the -P command line option or the "preserve_groups" sudoers option is set. Idea from TJ Saunders. [4f730359f101] 2001-12-14 Todd C. Miller * compat.h, config.h.in: Use new HAVE_SIGACTION_T define [dfb25f3cae5b] * logging.c: Fix compilation on K&C [7355e3275e34] * configure: regen [a710584f92f0] * configure.in: Add check for sigaction_t -- IRIX already defines this so don't redefine it. [df9c5737f6da] * snprintf.c: fix typo [3d782b8134c8] * interfaces.c: need stdlib.h here too [c789d8973ab2] * configure: regen [44822856bf46] * configure.in: Remove redundant checks for string.h, strings.h and unistd.h [933c94f8bbf4] * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: Regen from pod files [ad18c590f638] * BUGS: Update for 1.6.4 [26bc88b69d22] * configure, lex.yy.c, sudo.tab.c: regen [bef89fd6fa2d] * strerror.c: Return EINVAL if errnum > sys_nerr [0512374e6661] * auth/sudo_auth.h: o Update copyright year [a877016db6e2] * LICENSE, Makefile.binary, Makefile.in, aclocal.m4, compat.h, config.h.in, defaults.h, interfaces.h, pathnames.h.in, sudo.h, sudo.pod: o Update copyright year [e15a1b39039f] * configure.in: o Don't define STDC_HEADERS unconditionally for IRIX o Update copyright year [82a8cb819e07] * README: update version [d82e523a16b4] * auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/sia.c, auth/sudo_auth.c, logging.c, parse.c, parse.lex, parse.yacc, set_perms.c, snprintf.c, sudo.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: o Reorder some headers and use STDC_HEADERS define properly o Update copyright year [fe39f76b3795] * lsearch.c: o Reorder some headers and use STDC_HEADERS define properly o Update copyright year [764ba3d4fa13] * alloc.c, check.c, defaults.c, env.c, fileops.c, find_path.c, fnmatch.c: o Reorder some headers and use STDC_HEADERS define properly o Update copyright year [dab8f192a3ed] * getcwd.c: o Reorder some headers and use STDC_HEADERS define properly o Update copyright year [b199d70ac7ab] * getspwuid.c, goodpath.c, interfaces.c: o Reorder some headers and use STDC_HEADERS define properly o Update copyright year [fb46d46140d4] * configure: regen [156658f25cea] * tgetpass.c: flags set in signal handlers should be volatile sig_atomic_t [c22931a5535e] * config.h.in, configure.in: Add checks for volatile and sig_atomic_t [b03b3341381d] * configure, lex.yy.c: regen [ed9daba88217] * def_data.c, def_data.h, def_data.in, defaults.c, env.c, find_path.c, sudo.c, sudoers.pod: Remove "secure_path" Defaults option since it cannot work with the existing parser. [c9e54a0f5971] * find_path.c, sudo.c: Unset "secure_path" if user_is_exempt() [fb7544565ae8] * env.c, pathnames.h.in: o Remove assumption that PATH and TERM are not listed in env_keep o If no PATH is in the environment use a default value o If TERM is not set in the non-reset case also give it a default value. [c987eb7df268] * aclocal.m4, configure.in, defaults.c, pathnames.h.in: _PATH_SENDMAIL -> _PATH_SUDO_SENDMAIL so --without-sendmail works on systems that define in paths.h [51865b0cdebf] * auth/passwd.c, auth/sudo_auth.c, auth/sudo_auth.h: Add support for skeyaccess(3) if it is present in libskey. [8add77c7d3e7] 2001-12-13 Todd C. Miller * sudo.c: Only need to do 'lc = login_getclass(NULL)' if lc == NULL [5a3d3cbf2c6d] * parse.lex: '\\' is a perfectly legal character to have in a command line argument. [c15a466ef00e] * sudo.c: o Defer call to set_fqdn() until it is safe to use log_error() o Don't print errno string value if gethostbyname fails, it is not relevant [c0c6bcf08bcb] * parse.c: Fix CIDR -> in_addr_t conversion. [2f307ebeb63f] 2001-12-12 Todd C. Miller * sudoers.pod: Remove an extra "User_List" in the User_Spec definition From ybertrand AT snoopymail.com [97bde59ea280] * parse.c: Make 'listpw=never' work for users who are not explicitly mentioned in sudoers. [258f0f30a428] * sudoers.pod: Remove gratuitous '=' in EBNF grammar; era AT iki.fi [4b0f03872ee1] * sudoers.pod: Document new list Defaults type and convert env_keep and env_delete to lists. Document new env_check option. [a07f1f079fe3] * lex.yy.c, sudo.tab.c, sudo.tab.h: regen parser [e39ac6c6581b] * parse.lex: Don't let '#' appear in a {WORD} and restrict #foo in a Runas spec to #[0-9-]+. [69c5388908f3] * configure: regen [0f1877b88cb3] * aclocal.m4: Simpler SUDO_FUNC_ISBLANK that uses AC_TRY_LINK [6545503ae361] * config.h.in, configure.in: Add check for skeyaccess(3) [6caf69fe6359] * visudo.pod: Document new -c, -f, and -q options [13d0203c21d3] * visudo.c: o Add -f option (alternate sudoers file) o Convert to use getopt(3) [4c2b664d617d] * configure: regen [6d5bd932e7b5] * aclocal.m4, config.h.in, configure.in: Add check for isblank and a replacement macro if it doesn't exist. [b524f5e4f953] 2001-12-11 Todd C. Miller * visudo.c: In check-only mode, don't create sudoers if it does not already exist. [c748a2d5acad] * parse.yacc: o Add a new token, DEFVAR, to indicate a Defaults variable name o Add support for "+=" and "-=" list operators o replace some 1 and 0 with TRUE and FALSE for greater legibility. [554cb174b37e] * parse.lex: o Use exclusive start conditions to remove some ambiguity in the lexer. Also reorder some things for clarity. o Add support for "+=" and "-=" list operators. o Use the new DEFVAR token to denote a Defaults variable name. [3a2cf8323e26] * sudo.h: Prototype init_envtables() [b74916469dab] * env.c: o Convert environment handling to use lists instead of strings. This greatly simplifies routines that need to do "foreach" type operations. o Add new init_envtables() function to set env_check and env_delete defaults based on initial_badenv_table and initial_checkenv_table (formerly sudo_badenv_table). [0a8b404658b6] * defaults.c, defaults.h: o Add a new LIST type and functions to manipulate it. o This is for use with environment handling variables. o Call new init_envtables() routine inside init_defaults() to initialize the environment lists. [ae73e64f0902] * def_data.c, def_data.h, def_data.in: Convert environment options to use the new LIST type and add a new one, env_check that only deletes if the sanity check fails. [3019503936de] * testsudoers.c: Add dummy version of init_envtables() [9d9e3ee609d9] * parse.yacc: honor quiet mode [8330fba6167c] * visudo.c: Add check-only mode [dab411bc8c35] * mkdefaults: Fix generation of entries with NULL descriptions. [ea75b9fed02e] 2001-12-09 Todd C. Miller * tgetpass.c: Use sigaction_t and quiet a gcc warning. [6f67d719c452] * sudo.c: Must reset signal handlers before we exec [300418120e1a] * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c: Be carefule now that tgetpass() can return NULL (user hit ^C). PAM version needs testing. Set SIGTSTP to SIG_DFL during password entry so user can suspend us. [00304aa58747] * tgetpass.c: Add support for interrupting/suspending tgetpass via keyboard input. If you suspend sudo from the password prompt and resume it will re- prompt you. [4af2b5101d32] * sudo.c: Don't block keyboard interrupt signals, just set them to SIG_IGN. [d46d7f67ef6b] 2001-12-08 Todd C. Miller * config.h.in: add back HAVE_SIGACTION [c9c7702c603e] * configure: regen [09fe669d337f] * config.h.in, configure.in, logging.c, sudo.c, visudo.c: Kill POSIX_SIGNALS define and old signal support now that we emulate POSIX ones Also be sure to correctly initialize struct sigaction. [4bc2a6dbb2be] * strerror.c: Don't need config.h or "#ifndef HAVE_STRERROR" wrapper. [1ad64a19f328] * compat.h: Add scaffolding for POSIX signal emulation [945861d4c93b] * sigaction.c: o Add missing ';' so this compiles o Can't use NULL since we don't include stdio.h [04d0cac7438f] * sigaction.c: Emulate sigaction() using sigvec() [d0b54a989875] 2001-11-13 Todd C. Miller * sudoers.pod: Document new behavior of negative values of timestamp_timeout Fix a typo [4c0716570d01] * sudo.pod: Add security note about command not being logged after 'sudo su' and friends. [43294851a33c] * sudo.pod: Mention that -V prints default values when run as root, including the list of environment variables to clear. [d9e5e550a8c3] * Makefile.in: Run pod2man with --quotes=none to avoid stupid quoting of C<> entries. [997b23c35dbe] 2001-11-12 Todd C. Miller * auth/sudo_auth.c, def_data.c, def_data.h, def_data.in, sudoers.pod: Add mail_badpass option Also modify mail_always behavior to also send mail when the password is wrong [838d40ccafce] * env.c, sudo.c, sudo.h: Dump default bad env table when 'sudo -V' is run by root. [f67f1b8048b0] * sudoers.pod: document env_delete [d74f893663a2] * env.c: Add support for '*' in env_keep when not resetting the environment (ie: the normal case). [fd4fb62ea8fd] * env.c: Add env_delete variable that lets the user replace/add to the bad_env_table. Allow '*' wildcard in env_keep entries. [aa728bc35e29] 2001-11-06 Todd C. Miller * mkinstalldirs: Force umask to 022 to guarantee sane directory permissions. [9ab3cfe70569] 2001-11-02 Todd C. Miller * Makefile.in: add sudo.tab.h and sudo.tab.c to sudo.tab.o dependency [671010465e6f] * mkdefaults: fix breakage in last commit [8318f8851e56] * Makefile.in: acsite.m4 -> aclocal.m4 [30c146873a01] * check.c: fix I_TS_TIMEOUT vs. I_TIMESTAMP_TIMEOUT pasto in previous commit [4dc8b39954da] * def_data.c: regenerated from def_data.in [915ea16ce1eb] * check.c, defaults.c, defaults.h: Add new T_UINT type that most things use instead of T_INT If timestamp_timeout is < 0 then treat the ticket as never expiring (to be expired manually by the user). [3a3a636a2a5d] * def_data.in: change most T_INT -> T_UINT [a2228d2457af] * mkdefaults: fix warning when no args [ca70a5394af5] * visudo.c: Change 2 Exit() -> exit() Avoid stdio in Exit() and call _exit() if we are a signal handler. We no longer print the signal number but the user can just check the exit value for that. [dc424f631fef] 2001-10-16 Todd C. Miller * logging.c: when setting up pipes in child process check for case where stdin == pipe fd 0 [518112d76184] 2001-10-11 Todd C. Miller * visudo.c: Ignore editor exit value since XPG4 says vi's exit value is the count of editing errors made (failed searches, etc). [b9d952284865] 2001-10-05 Todd C. Miller * configure: regen [cb3aa586f03b] * configure.in: sco now is identified by config.guess as *-sco-* [46664bbdea61] * configure.in: Check for getspnam() in -lgen if not in -lc for UnixWare. [0f152ad1ba93] 2001-09-18 Todd C. Miller * sudoers.pod, visudo.pod: "upper case" -> "uppercase" [f9151f232326] * sudoers.pod: fix typos and grammar; pjanzen@foatdi.harvard.edu [2855d73d0237] 2001-08-28 Todd C. Miller * sudoers.pod: Missing word (specify); krapht@secureops.com [65523eb37a2c] 2001-08-23 Todd C. Miller * sudo.c: If we fail to lookup a login class, apply the default one. [d4869faa6816] * logging.c: In log_error() free message, not logline unconditionally, then free logline if it is not the same as message. No function change but this mirrors how they are allocated. [565e5f6cc643] 2001-07-17 Todd C. Miller * configure: regenerate [834a48f548a2] * configure.in: remove some backslash quotes that are unneeded [50d401d6e2ca] * configure.in: o Tweaks to make this work with autoconf-2.50 o Use AC_LIBOBJ instead of changing LIBOBJS directly o Use AC_REPLACE_FUNCS where we can o Use AC_CHECK_FUNCS instead of AC_CHECK_FUNC so we don't have to AC_DEFINE things manually. [f502c5f15f92] * config.guess, config.sub: Updated from autoconf-2.50 [6140205915ef] 2001-05-22 Todd C. Miller * README: Update mailing list section. We use mailman now, not majordomo. [b9a8ca45e6dc] 2001-05-10 Todd C. Miller * getspwuid.c, logging.c, sudo.c: Use setpwent()/endpwent() + all the shadow variants to make sure we don't inadvertantly leak an fd to the child. Apparently Linux's shadow routines leave the fd open even if you don't call setspent(). Reported by mike@gistnet.com; different patch used. [d33792ef6c01] 2001-04-13 Todd C. Miller * sudoers.pod: s/eg./e.g./ [bd32a0acaf93] * tgetpass.c: select() may return EAGAIN. If so, continue like we do for EINTR. [5f202c943818] * logging.c: Fix a non-exploitable buffer overflow in the word splitting code. This should really be rewritten. [4c724363863a] * Makefile.in: FAQ link goes away [1d26dd6c8972] * INSTALL: Tell people to look in sample.syslog.conf for examples, not FAQ [affcae3f43ca] * TROUBLESHOOTING: Update list of env vars that are cleared [234e56f1435a] * sudo.c: remove struct env_table decl since that stuff has all moved to env.c [5dd923148777] 2001-04-04 Todd C. Miller * fileops.c: Fix a pasto in flock-style unlocking and include for flock on older systems; twetzel@gwdg.de [d5420d9d2861] * configure: regen to get NeXT lockf/flock fix [d3ba6ed70e15] * configure.in: force NeXT to use flock since lockf is broken [bd5391dca1bb] 2001-03-30 Todd C. Miller * check.c: Use stashed user_gid when checking against exempt gid since sudo sets its gid to a a value that makes sudoers readable. Previously if you used gid 0 as the exempt group everyone would be exempt. From Paul Kranenburg [0b140cc3a817] 2001-03-29 Todd C. Miller * configure: regen [cc455408f32b] * aclocal.m4: #include stdio.h in SUDO_CHECK_TYPE since IRIX 6 aparently defines some types (such as ssize_t) therein. [b6aee85ca331] 2001-03-02 Todd C. Miller * defaults.c: Fix negation of paths in a boolean context. Problem found by apt@UH.EDU [8aee217a7cdf] 2001-02-23 Todd C. Miller * visudo.c: pasto [ad32b277bf68] 2001-02-17 Todd C. Miller * visudo.c: SA_RESETHAND means the opposite of what I was thinking--oops To block all signals in old-style signals use ~0, not 0xffffffff [6ecdd793590a] 2001-02-04 Todd C. Miller * defaults.c: coerce difference of pointers to int when used in a string length printf format; deraadt@openbsd.org [a9d10f07180d] 2001-01-17 Todd C. Miller * visudo.c: Block all signals in Exit() to avoid a signal race. There is still a tiny window but I'm not going to worry about it. [6661805c0458] 2001-01-07 Todd C. Miller * env.c: glibc uses the LANGUAGE env var so clear that too; Solar Designer [d4ba95628afb] * lex.yy.c: Regenerate with a fix to flex.skl that preserves errno from clobbering by isatty(). [607eec736e19] 2000-12-31 Todd C. Miller * auth/aix_auth.c, auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sia.c, auth/sudo_auth.c: Some defaults I_ defines got renamed. [ec19b23caaf3] * Makefile.in, check.c, def_data.c, def_data.h, def_data.in, defaults.c, defaults.h, env.c, logging.c, mkdefaults, parse.yacc, set_perms.c, sudo.c, sudo.tab.c: Move defaults info into its own files from which we generate .h and .c files. This makes adding or rearranging variables much simpler. [e91b880b5043] 2000-12-30 Todd C. Miller * configure, configure.in: fix typo in last commit [10a6ee2bae71] * compat.h, config.h.in, configure, configure.in: Add check + emulation for setegid (like seteuid). [29492092bd2f] * env.c: Make env_keep override badenv_table as documented Fix traversal of badenv_table (broken in last commit) [37c9f0d22673] * set_perms.c, sudo.c, sudo.h: Don't try and build saved uid version of set_perms on systems w/o them. Rename set_perms_saved_uid() -> set_perms_posix() Make set_perms_setreuid simply be set_perms_fallback() and simply include the appropriate function at compile time (setreuid() vs. setuid()). [3107333c062c] * sudoers.cat, sudoers.man.in, sudoers.pod: PATH is also preserved when env_reset is in effect [90e45c5711ff] * CHANGES, Makefile.in, check.c, compat.h, config.h.in, configure, configure.in, defaults.c, defaults.h, env.c, find_path.c, getspwuid.c, set_perms.c, sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod, testsudoers.c, visudo.c, visudo.cat, visudo.man.in: New Defaults options: o stay_setuid - sudo will remain setuid if system has saved uids or setreuid(2) o env_reset - reset the environment to a sane default o env_keep - preserve environment variables that would otherwise be cleared No longer use getenv/putenv/setenv functions--do environment munging by hand. Potentially dangerous environment variables can be cleared only if they contain '/' pr '%' characters to protect buggy programs. Moved environment routines into env.c (new file) [c2f97651db4c] * INSTALL: Clear up --without-passwd description [2f336dab6733] * putenv.c, sudo_setenv.c: We now build up a new environment from scratch and assign it to "environ". [6ae6152f2238] 2000-12-19 Todd C. Miller * sudo.pod, visudo.pod: Grammatical fixes from Paul Janzen [e03ead2e56f8] 2000-12-15 Todd C. Miller * visudo.c: If there was a syntax error and the user just wants to quit, unlink sudoers if it is zero length. [74ba7921f520] * visudo.c: 'Q' means ignore parse error, not 'q' [e8d0e4491fe6] * visudo.c: Open sudoers for writing with mode SUDOERS_MODE From Dimitry Andric [b24990a72491] 2000-12-13 Todd C. Miller * set_perms.c: Add missing #ifdef HAVE_LOGIN_CAP_H; ayamura@ayamura.org [41a8db10e076] 2000-12-09 Todd C. Miller * config.guess, config.sub: Darwin / Mac OS X support from Wilfredo Sanchez [6052da895d2e] 2000-11-03 Todd C. Miller * sudo.c, visudo.c: Use exit(127), not exit(-1) [9ff0c3eada34] * Makefile.in, defaults.c, defaults.h, set_perms.c, sudo.c: Move set_perms() to its own file and use POSIX saved uid or setreuid() if available. Added stay_setuid option for systems that have libraries that perform extra paranoia checks in system libraries for setuid programs (ie: anything with issetugid(2)). [28960f842698] * sudo.c: strip more bits from the environment and add a facility for stripping things only if they contain '/' or '%' to address printf format string vulnerabilities in other programs. [b98d6375f299] 2000-11-02 Todd C. Miller * configure: regen [7e74e5c91049] * configure.in: For NCR, add -lc89 to LIBS, not SUDO_LIBS and cache the existence of strcasecmp(). [a418e9e70442] * configure: regen [bbff244a52bc] * configure.in: Check for strcasecmp(3) in -lc89 for NCR Unix [361c99576681] 2000-11-01 Todd C. Miller * config.h.in: Define HAVE_INNETGR #ifdef HAVE__INNETGR [473cdb92b6db] * configure: regen [4e6364a195e0] * compat.h, config.h.in, configure.in: Add check for _innetgr(3) since NCR systems have that instead of innetgr(3). [25e6852e7494] 2000-10-31 Todd C. Miller * auth/securid.c: check return value of creadcfg() call sd_close() after sd_auth() store username in sd->username so we don't rely on the USER env variable [d106b4f42722] 2000-10-30 Todd C. Miller * INSTALL: document --with-bsdauth [f1518ecc2ee9] * configure: regen [dceb35071ea8] * configure.in: --with-bsdauth assumes --with-logincap [4200778083fd] * auth/bsdauth.c, auth/fwtk.c: When prompting for a response to a challenge, if the user just hits return then reprompt with echo turned on. [a539b6474a97] 2000-10-29 Todd C. Miller * sudo.c: Remove debugging code that should not have been committed, oops. [9862607b77a7] * auth/bsdauth.c: Use lower-level routines and get the password ourselves. Checks for a challenge and if there is one echo is not turned off. [2d8fcd166baa] * auth/pam.c, auth/sudo_auth.h: minor housekeeping, no real code changes [d0074a277fb4] 2000-10-27 Todd C. Miller * sudo.c: Fix a coredump in the logging functions if gethostname(2) fails by deferring the call to log_error() until things are better setup. Fix return value of set_loginclass() in non-BSD-auth case. Hard-code 'sudo' in the usage message so we can fit more options on a line [d9d1b7579818] * logging.c: Fix errant ';' (typo) that broken MSG_ONLY [849b2276a470] 2000-10-26 Todd C. Miller * sudo.cat, sudo.man.in: regen [bb3c8c6704d1] * sudo.pod: Document -a flag [e18316cebaac] * Makefile.in, auth/bsdauth.c, auth/sudo_auth.h, config.h.in, configure, configure.in, getspwuid.c, sudo.c: Add support for BSD authentication. [f374cfd9ca0d] 2000-10-19 Todd C. Miller * sudoers.pod: Fix typo; from sato@complex.eng.hokudai.ac.jp [3085fee9766e] 2000-10-12 Todd C. Miller * sudoers.pod: Mention negating umask [c9e410294dae] * defaults.c: Allow user to specify umask of 0777 (same as !umask) [bb771daa96fe] 2000-10-09 Todd C. Miller * sudo.pod, visudo.pod: Fix a typo and give a URL for the sudo history. [77f73199aedb] 2000-10-08 Todd C. Miller * defaults.c, sudo.pod: fix typos; pepper@reppep.com [5532c7421340] 2000-09-14 Todd C. Miller * sudo.c, sudo.h, sudo_setenv.c: sudo_setenv() now exits on memory alloc failure instead of returning -1. [71f1cf18f47b] 2000-09-07 Todd C. Miller * sudo.c: Strip out NLSPATH and PATH_LOCALE from the environment for FreeBSD and possibly others. [b69d985b0d22] * logging.c: Don't use vsyslog(3) since HP-UX (and others?) lack it. This means that "%m" won't be expanded but we don't use that anyway since the logging routines may splat to stderr as well. [8d37a544d0c0] * defaults.c, defaults.h, sudo.c, sudoers.cat, sudoers.man.in, sudoers.pod: Add always_set_home variable [dbcaff646e07] * configure, configure.in: Have to hard code default values in help since the defaults are set _after_ the help stuff. [7b5d6d72f55c] 2000-08-31 Todd C. Miller * lex.yy.c, parse.lex: Allow special characters (including '#') to be embedded in pathnames if quoted by a '\\'. The quoted chars will be dealt with by fnmatch(). Unfortunately, 'sudo -l' still prints the '\\'. [3ed33cf09977] 2000-08-13 Todd C. Miller * install-sh: Better path searching for programs we need. [60517cb1f0d6] * TROUBLESHOOTING: Add section on "C compiler cannot create executables" errors. [e4ada6eaee59] * Makefile.binary, Makefile.in, version.h: Crank version [93d1bd5b7f5e] * aclocal.m4, configure, configure.in, sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.cat, visudo.man.in, visudo.pod: Substitute values from configure into man pages. [619854c356c1] 2000-08-12 Todd C. Miller * parse.c, sudo.c: The listpw and verifypw sudoers options would not take effect because the value of the default was checked *before* sudoers was parsed. Instead of passing in the value of PWCHECK_* to sudoers_lookup(), pass in the arg for def_ival() so the check can be deferred until after sudoers is parsed. [4f596e358f72] 2000-08-11 Todd C. Miller * tgetpass.c: When writing prompt, no need to write the NUL as well; hag@linnaean.org [fbcdd7b431ee] 2000-06-09 Todd C. Miller * install-sh: When looking for chown, check in /sbin too [657ba6653f8c] 2000-06-05 Todd C. Miller * visudo.c: Remove extraneous call to init_defaults() and set runas_user to NULL betweem parses so init_defaults will reset it each time, thus avoiding a reference to free()d data. [7421fcd692af] 2000-06-04 Todd C. Miller * config.h.in, interfaces.c, interfaces.h, sudo.c: Add support for using getifaddrs() to get the list of ip addr / netmask pairs. Currently IPv4-only. [a35bc4f7306d] * visudo.c: Add a missing check for UserEditor == NULL Add missing '+' before line number when invoking editor to fix a syntax error [f0d4635f6082] 2000-05-12 Todd C. Miller * sudo.c: Call clean_env very early in main() for paranoia's sake. Idea from Marc Esipovich. [f8d72ebd0115] 2000-05-10 Todd C. Miller * sudo.h: Update proto for evasprintf and easprintf [d147d6e58419] * alloc.c: Make easprintf() and evasprintf() return an int. [b2ca5d089667] * check.c: If the targetpw flag is set, use target username as part of the timestamp path. If tty tickets are in effect cat the tty and the target username with a ':' as the separator. [de11abc693c2] 2000-05-09 Todd C. Miller * auth/pam.c: Backout part of last change; setting PAM_USER to the invoking user breaks things like targetpw. [427218a7387f] * auth/pam.c: set tty and username via pam_set_item [85d1922dbcc9] * auth/sudo_auth.c, check.c, getspwuid.c, sudo.c, sudo.h: Fix root, runas, and target authentication for non-passwd file auth methods. [a14535e7b30c] 2000-04-22 Todd C. Miller * sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.cat, visudo.man.in, visudo.pod: Use B<-Z> not C<-Z> for command line flags in all places. This is more consistent and works around a bug in Pod::Man. [64b5a05f30c5] * sudoers.cat, sudoers.man.in, sudoers.pod: Fix an occurence of 'semicolon' that should be 'colon' [4ea5aacae3fb] 2000-04-19 Todd C. Miller * configure, configure.in: Fix --with-badpri help line [3cc40977c043] 2000-04-17 Todd C. Miller * defaults.c, logging.c, sudo.c: Bracket calls to syslog with an openlog() and closelog() since some authentication methods (like PAM) may do their own logging via syslog. Since we don't use syslog much (usually just once per session) this doesn't really incur a performance penalty. It also Fixes a SEGV with pam_kafs. [fe1cc28529f6] 2000-04-15 Todd C. Miller * sudo.c: Fix -H flag. runas_homedir is only valid after set_perms(PERM_RUNAS, mode) [ce9b1c6f68a6] 2000-04-12 Todd C. Miller * INSTALL: Clarify the fact that insults are not enabled just by including them in the binary. [d5a31d48320c] 2000-04-07 Todd C. Miller * sudo.cat, sudo.man.in, sudoers.cat, sudoers.man.in, visudo.cat, visudo.man.in: Regenerated with perl 5.6.0 pod2man [21751433768b] * Makefile.in: Give date string to pod2man since its default is ugly and it ain't got no alibi. [0080b2f6298f] * Makefile.in: Do section substitution on the output of pod2man and remove hack needed for old pod2man. [1ef843d5c78b] * sudo.pod, sudoers.pod, visudo.pod: Put back real man sections, we will do the substitution later. [f728c1abad7e] 2000-04-02 Todd C. Miller * configure, configure.in: Don't bother checking for the path to vi if user specified --with- editor [bf698487e0d5] 2000-04-01 Todd C. Miller * CHANGES, visudo.c: Visudo now does its own fork/exec instead of calling system(3). [99bbcd88863b] * CHANGES, INSTALL, Makefile.in, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.c: Visudo now checks for the existence of an editor and gives a sensible error if it does not exist. The path to the editor for visudo is now a colon-separated list of allowable editors. If the user has $EDITOR set and it matches one of the allowed editors that editor will be used. If not, the first editor in the list that actually exists is used. [cc86eb9f5440] * sudo.cat, sudo.man.in, sudo.pod: Clear up confusion wrt sudo's return value. [9385b12d8e79] 2000-03-27 Todd C. Miller * Makefile.in: Strip sudo and visudo for bindist target [a995ddd79177] * sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.cat, visudo.man.in, visudo.pod: Use @mansectsu@ and @mansectform@ in the man page bodies as well. [5eb9e60a726f] [SUDO_1_6_3] * visudo.cat, visudo.man.in, visudo.pod: Typo: @sysconf@ -> @sysconfdir@ [f07f52fcd099] * Makefile.in: 'make dist' should not cause any files to be modified so remove its dependencies. [7f44a2666a9c] * CHANGES: Whoops, forgot to add release marker [16c0f16b35b8] 2000-03-26 Todd C. Miller * CHANGES: Final change for 1.6.3 (or so I hope) [473c89da6123] * sudo.cat, sudoers.cat, visudo.cat: Use SYSV man sections since BSD systems will have nroff... [0a6bd154324e] 2000-03-24 Todd C. Miller * parse.yacc, sudo.tab.c: When checking to see if the host/user matches in a defaults spec, check against TRUE, not just non-zero since it might be -1. [41f2b7ad3fdd] * configure, configure.in: OSF/1 puts file formats in section 4, not 5. [d77c1301afa9] * CHANGES, INSTALL, sudo.c: Make login class support work on BSD/OS [e9bbe3c08ade] * RUNSON: Update for 1.6.3 [c40ce1d76c4d] * configure, configure.in: If there is no inet_addr but there *is* an __inet_addr that's ok since inet_addr is probably just a macro then. The better thing to do would be to look for the macro, but this is fine for now. [1b8865ae4d68] * configure, configure.in: Don't use shlicc for BSD/OS 4.x [83fbf6dedd2c] * Makefile.in, configure, configure.in: *.man lives in cwd, *.cat lives in $(srcdir), add a @mansrcdir@ configure variable so we can deal with this. Also, only remove *.man for 'distclean' not 'clean'. [30d56e6de214] * sudo.c: set_loginclass() should be static like the proto says [d570a2d55fb8] 2000-03-23 Todd C. Miller * fnmatch.c: Add #ifdef __STDC__ around the rangematch function header to avoid promotion of test to int, thus violating the prototype. Gcc handles this gracefully but more std ANSI compilers will complain. [7d98c3e332b2] * emul/fnmatch.h: Pull in newer fnmatch(3) that supports FNM_CASEFOLD [4e1320852f8b] * aclocal.m4, configure, fnmatch.3, fnmatch.c: Pull in newer fnmatch(3) that supports FNM_CASEFOLD Check for FNM_CASEFOLD in configure [9ef952bf1896] * CHANGES, TODO: update for 1.6.3 [e4ba6368a0c5] * sudo.tab.c, sudo.tab.h, testsudoers.c, visudo.c: Fully qualified hosts w/ wildcards were not matching the FQHOST token type. There's really no need for a separate token for fully- qualified vs. unqualified anymore so FQHOST is now history and hostname_matches now decides which hostname (short or long) to check based on whether or not the pattern contains a '.'. [fbd2887d9811] * lex.yy.c, parse.c, parse.lex, parse.yacc: Fully qualified hosts w/ wildcards were not matching the FQHOST token type. There's really no need for a separate token for fully- qualified vs. unqualified anymore so FQHOST is now history and hostname_matches now decides which hostname (short or long) to check based on whether or not the pattern contains a '.'. [630d9d205397] * parse.h: Fully qualified hosts w/ wildcards were not matching the FQHOST token type. There's really no need for a separate token for fully- qualified vs. unqualified anymore so FQHOST is now history and hostname_matches now decides which hostname (short or long) to check based on whether or not the pattern contains a '.'. [dd7bbe223461] * parse.c, parse.h, parse.yacc, sudo.tab.c, sudoers.cat, sudoers.man.in, sudoers.pod, testsudoers.c, visudo.c: Add support for wildcards in the hostname. [d8d821ed4238] * Makefile.in: Add targets for *.man.in, using config.status to generate *.man from *.man.in [640e50ede485] * sudoers.cat, sudoers.man.in, sudoers.pod: Document set_logname option and enbolden refs to sudo and visudo. [9622b3a48707] * INSTALL, Makefile.in, aclocal.m4, configure, configure.in, sudo.cat, sudo.man.in, sudo.pod, sudoers.cat, sudoers.man.in, sudoers.pod, visudo.cat, visudo.man.in, visudo.pod: Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from Michael D. Marchionna. configure now does substitution on the man pages, allowing us to fix up the paths and set the section correctly. Based on an idea from Michael D. Marchionna. [463e928a0a2f] * auth/passwd.c: Better fix for handling HP-UX aging info. [3950f42d8549] * sudo.c: Add support for set_logname run-time default [c6a7cc76b8b4] * sudo.man.in, sudoers.man.in, visudo.man.in: configure does substitution on these to produce *.man [b83fc3c1bfc9] * sudo.man, sudoers.man, visudo.man: These files now get generated from *.man.in at configure time. [c499061f79e0] 2000-03-22 Todd C. Miller * defaults.c, defaults.h: Add set_logname option so users can turn off setting of LOGNAME/USER environment variables. [6316869180b8] * lsearch.c, parse.c, testsudoers.c: kill register [6e104e653748] 2000-03-13 Todd C. Miller * auth/passwd.c: HP-UX adds extra info at the end for password aging so when comparing the result of crypt to pw_passwd we only compare the first len(epass) bytes *unless* the user entered an empty string for a password. [3d24d4e4e889] * logging.c: Get rid of grandchild hack, it was causing problems and there is really no need for it. This fixes a bug where we spin eating up CPU when the user runs a long-running process like a shell. [5743b10b1e81] 2000-03-07 Todd C. Miller * sudo.c: User can always specify a login class if he/she is already root. [710d160cef9f] * config.h.in, configure, configure.in, defaults.c, defaults.h, sudo.c, sudo.h: FreeBSD login class (login.conf) support. [026b981d6328] 2000-03-06 Todd C. Miller * auth/sudo_auth.c: HAVE_SECUREWARE -> HAVE_GETPRPWNAM; fixes secureware support [9cd4929f1a78] 2000-03-03 Todd C. Miller * auth/passwd.c: Truncate unencrypted password to 8 chars if encrypted password is exactly 13 characters (indicateing standard a DES password). Many versions of crypt() do this for you, but not all (like HP-UX's). [a9d0259cb193] 2000-03-02 Todd C. Miller * INSTALL, RUNSON: Mention that gcc on dynix may have problems [77b97fa5bf1b] 2000-02-29 Todd C. Miller * Makefile.in: Link visudo with NET_LIBS since we now call syslog via defaults.c [9e3830b277cc] * defaults.c: Use Argv[0] as the first arg to openlog() since visudo uses this too. [e61078f328ec] 2000-02-28 Todd C. Miller * sudo.c: Stash coredumpsize resource limit and retsore it before the exec() Otherwise the child ends up with a coredumpsize of 0. [f6a4783835a3] 2000-02-27 Todd C. Miller * sudo.cat, sudo.man, sudo.pod: document -S flag [3ebd805b7142] * sudo.c: fix usage string [66b2dfa47fe8] * CHANGES, RUNSON, TODO, auth/aix_auth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c, sudo.c, sudo.h, tgetpass.c: Added -S flag (read passwd from stdin) and tgetpass_flags global that holds flags to be passed in to tgetpass(). Change echo_off param to tgetpass() into a flags field. There are currently 2 possible flags for tgetpass(): TGP_ECHO and TGP_STDIN. In tgetpass(), abstract the echo set/clear via macros and if (flags & TGP_ECHO) but echo is not set on the terminal, but sure to set it. [a4fcbb712cd0] * tgetpass.c: Fixed a bug that caused an infinite loop when the password timeout was disabled. [2be1ffc5a39f] 2000-02-18 Todd C. Miller * CHANGES, defaults.c, defaults.h, getspwuid.c, sudo.c, sudo.h, sudoers.cat, sudoers.man, sudoers.pod, visudo.c: Add rootpw, runaspw, and targetpw options. [2d4563e46df7] * CHANGES, defaults.c, sudoers.cat, sudoers.man, sudoers.pod, visudo.c: enveditor -> env_editor [ddc5f856e583] 2000-02-16 Todd C. Miller * BUGS, INSTALL, Makefile.in, README, configure, configure.in, sudo.cat, sudo.man, sudoers.cat, sudoers.man, version.h, visudo.cat, visudo.man: crank versino to 1.6.3 [a5f7d3e74360] * INSTALL, TODO, defaults.c, defaults.h, sudoers.cat, sudoers.man, sudoers.pod, visudo.c: Add 'editor' and 'enveditor' sudoers defaults and make visudo honor them. This means that visudo will now parse the sudoers file *before* it is edited so a bogus sudoers file will cause a warning to go to stderr. Also, visudo checks the variables once--it does not check them after each editor run since that could be confusing. [9f5af18e9212] 2000-02-15 Todd C. Miller * RUNSON: 1.6.2 -> 1.6.2p1 [e25b74f1d1af] * check.c, sudo.c, sudo.h: Move user_is_exempt prototype into sudo.h [daf26a6ded8a] 2000-02-13 Todd C. Miller * configure, configure.in: Fix thinko, some && should have been || in the last commit [4b9b2d487ded] * configure, configure.in: Don't initialized Makefile variables to be NULL since the user may want to import variables from their environment. [7be019f4422c] 2000-02-04 Todd C. Miller * configure, configure.in: typo [38f4d8971f0a] 2000-01-28 Todd C. Miller * sudo.tab.c: fix a yacc (skeleton.c) warning [a2da228a937b] 2000-01-27 Todd C. Miller * INSTALL, RUNSON, configure, configure.in: Make pam work on HP-UX 11.0;jaearick@colby.edu [b94de0ff6f42] * CHANGES: recent changes; prepare for 1.6.2p1 [b291635ea141] * find_path.c: Don't apply SECURE_PATH if user is example; jmknoble@pobox.com [4306285c4f6e] 2000-01-26 Todd C. Miller * sudo.tab.c: Regen with yacc that has a memory leak plugged. [e26383a04eb7] * sudoers.cat, sudoers.man, sudoers.pod: Expanded docs on sudoers 'defaults' options based on INSTALL file info. [54c3d62d6c74] * INSTALL: Fix some while lies [d15311782150] 2000-01-24 Todd C. Miller * Makefile.in: When making a bindist, link FAQ to TROUBLESHOOTING instead of copying. [2d88a6ac88cf] * sudoers.cat, sudoers.man, sudoers.pod: Add netgroup caveat [28d119f466e3] [SUDO_1_6_2] * RUNSON: Last minute updates [89fb4ed22d52] * TROUBLESHOOTING: PAM entry [a9fd59f39457] * auth/pam.c: correct a comment [a29627225ba9] * CHANGES, RUNSON: update for 1.6.2 [b7f1c40ea732] * auth/pam.c: Better detection of PAM errors and fix custom prompts with PAM. Based on patches from "Cloyce D. Spradling" [ff69234b94a5] 2000-01-20 Todd C. Miller * snprintf.c: Cast ULONG_MAX to unsigned long long when comparing to an unsigned long long value. [9d918c3a2ecd] 2000-01-19 Todd C. Miller * CHANGES, config.h.in, configure, configure.in, visudo.c: Fix sudoers locking in visudo. We now lock the sudoers file itself, not the temp file (since locking the temp file can foul up editors). The previous locking scheme didn't work because the fd was closed too early. [de2011bb11ed] * config.h.in, configure, configure.in: Don't need test for ftruncate() any more. [e5f71c848104] * configure, configure.in: Add a test for the -Aa flag w/ HP-UX's cc. Fixes compilation with the unbundled HP-UX cc. [2c373612c644] 2000-01-18 Todd C. Miller * sudoers.cat, sudoers.man, sudoers.pod: "a a" -> "a"; Aaron Campbell [05360d2c314e] 2000-01-17 Todd C. Miller * LICENSE, Makefile.in, defaults.c, defaults.h, parse.c, parse.h, parse.yacc, sudo.c, sudo.h, sudoers.pod, testsudoers.c, tgetpass.c, version.h, visudo.c: update copyright year on changed files [5792a2a28a4c] * RUNSON: updates [edf8f19aa403] * CHANGES: aix fix [4d4a243b31e2] * INSTALL: Crank version to 1.6.2 [bcb5cb411624] * configure: Crank version to 1.6.2 [32a19f33427f] * sudo.c: When using rlimit check for RLIM_INFINITY When computing the value of maxfd, use min(getdtablesize(), RLIMIT_NOFILE) [8c16166802e5] * CHANGES: recent changes [09fc7112e44d] * BUGS, Makefile.in, README, configure.in, sudo.cat, sudo.man, sudoers.cat, sudoers.man, version.h, visudo.cat, visudo.man: Crank version to 1.6.2 [055fa61a7c61] * INSTALL, defaults.c, defaults.h, sudo.c, sudo.h, sudoers.pod: Add 'shell_noargs' runtime option back in. We have to defer checking until after the sudoers file has been parsed but since there are now other options that operate that way this one can too. Based on a patch from bguillory@email.com. [231db7a007a6] * defaults.c, defaults.h, parse.c, sudo.c, sudo.h: Add "listpw" and "verifypw" options. [190683bac878] * sudoers.cat, sudoers.man, sudoers.pod: o Fix some typos/omissions o Add section on verifypw and listpw o Define how NOPASSWD interacts with the -v and -l flags [6feb7350eb79] 2000-01-14 Todd C. Miller * configure, configure.in: For HP-UX cc, add -Aa to CPPFLAGS. For HP-UX always add -D_HPUX_SOURCE to CPPFLAGS. [06cc35d89dc8] * defaults.c, defaults.h: In struct sudo_defs_types, move the union to the end and don't initialize the union member since that only works with an ANSI compiler. We set the value of the union by hand in init_defaults() anyway. This allows sudo to compile on a K&R compiler again. [623487e1fcfa] 2000-01-11 Todd C. Miller * parse.c, parse.h, parse.yacc, sudo.tab.c, testsudoers.c, visudo.c: netgr_matches needs to check shost as well as host since they may be different. [3f43ace23d3e] * tgetpass.c: End on \r as well as \n [cb7c6e6f4202] 2000-01-03 Todd C. Miller * sudo.c: Update statbuf.st_mode based on SUDOERS_MODE when we are chaning from 0400 to whatever SUDOERS_MODE is (converting from the old sudoers mode). Assumes that SUDOERS_MODE is less restrictive than 0400 which should always be the case. [34cd83d49d20] * parse.c, parse.yacc, sudo.c, sudo.h, sudo.tab.c: Make treatment of -l and -v sane wrt NOPASSWD flags. Now allow -l w/o a passwd if there is *any* entry for the user on the host with a NOPASSWD flag. For -v, only allow w/o a passwd if *all* entries for the user on the host w/ the specified runas user have the NOPASSWD flag set. [4b3b85697653] * Makefile.in: add check target [3d24d34a76fd] 1999-12-16 Todd C. Miller * visudo.c: Treat EOF at whatnow prompt like 'x' instead of looping. [5deffc27114c] 1999-12-10 Todd C. Miller * CHANGES: recent changes [5836a9452568] [SUDO_1_6_1] 1999-12-09 Todd C. Miller * config.h.in, configure, configure.in, sudo.c: Add check for initgroups() since old SYSV lacks this. [657a6005a569] * CHANGES, RUNSON, aclocal.m4, config.h.in, configure, configure.in, parse.c, testsudoers.c: o Kill HAVE_FNMATCH_H o Only define HAVE_FNMATCH if exists. [17d081e917d6] 1999-12-06 Todd C. Miller * auth/sudo_auth.c: Don't allow insults to be enabled if the insults[] array is empty. Otherwise there would be division by zero. [b20c14db6029] * CHANGES, RUNSON: Don't allow insults to be enabled if the insults[] array is empty. Otherwise there would be division by zero. [974f4780254b] * insults.h: Don't allow insults to be enabled if the insults[] array is empty. Otherwise there would be division by zero. [028f130204b0] * insults.h: Don't care about USE_INSULTS #define since the insult stuff may be overridden at runtime. [b873df8b299c] * auth/sudo_auth.c: Honor insults flag. [756111640fdc] * CHANGES, parse.c: Don't ask the user for a password if the user is not allowed to run the command and the authenticate flag (in sudoers) is false. [cea9fdc09c76] * CHANGES, RUNSON, lex.yy.c, parse.lex: o Whenever we get a bare newline we change to the INITIAL state. o Enter GOTRUNAS when we see Runas_Alias This allows #uid to work in a RunasAlias. [a475513e7c7a] 1999-12-05 Todd C. Miller * CHANGES, parse.yacc, sudo.tab.c: fix parsing of runas lists: o oprunasuser and runaslist now return a value o in a runasspec, if a runaslist does not return TRUE, set runas_matches to FALSE. Normally, a runaslist only returns FALSE for explicitly denied users. o since runaslist does not modify the stack there is no need for a push/pop in runasalias. [82b305b34a8c] * check.c, sudo.c: Don't kill the user's tickets until after sudoers has been parsed since tty_tickets and ticket_dir could be set in sudoers. [f43e25367f3a] * BUGS, CHANGES, Makefile.binary, Makefile.in, README, RUNSON, configure, configure.in, sudo.cat, sudo.man, sudoers.cat, sudoers.man, tgetpass.c, version.h, visudo.cat, visudo.man: crank version to 1.6 [95f8bdcf9bb2] * testsudoers.c: add set_fqdn() stub [bbc81af5b41a] 1999-12-02 Todd C. Miller * INSTALL, defaults.c, defaults.h, sudo.c, sudo.h, sudoers.cat, sudoers.man, sudoers.pod, visudo.c: o Kill shell_noargs option, it cannot work since the command needs to be set before sudoers is parsed. o Fix the "set_home" sudoers option (only worked at compile time). o Fix "fqdn" sudoers option. We now set host/shost via set_fqdn which gets called when the "fqdn" option is set in sudoers. o Move the openlog() to store_syslogfac() so this gets overridden correctly from the sudoers file. [3dca861f0f5d] * auth/securid.c: SecurID support should compile now. [a544e5c6ea34] 1999-11-29 Todd C. Miller * sudo.cat, sudo.man, sudo.pod, sudoers.cat, sudoers.man, visudo.cat, visudo.man, visudo.pod: fix some syntactic goofs [b3451f0d5239] 1999-11-28 Todd C. Miller * Makefile.in, sudo.html, sudoers.html, visudo.html: No longer need the .html files as they are generated automatically on the web site. [1b4aa4204584] * CHANGES, LICENSE: kill characters that made wml unhappy [b988fbc6da56] * HISTORY: typo [a418963f7fce] 1999-11-25 Todd C. Miller * README: majordomo@cs.colorado.edu -> majordomo@courtesan.com [5d151e8ffd3b] * Makefile.in, configure: Wrap script execution w/ /bin/sh for the benefit of ctm [3a9c4766b2c3] 1999-11-24 Todd C. Miller * sudo.c: Make the -s flag be exclusive too. Also reorder the flags in the exclusive usage message so they are alphabetical. [4c7af200db34] 1999-11-23 Todd C. Miller * auth/pam.c: make pam errors other than PAM_PERM_DENIED fatal [64bcb3fd2baf] * auth/API: fix typo [f3134c88b12e] * INSTALL: make it clear that /etc/pam.d/sudo is required on linux [213cc3eaad82] * auth/pam.c: fix a warning on redhat and spew an error if pam_authenticate() returns an error other than AUTH_SUCCESS or PAM_PERM_DENIED [7e46dd19da89] * sudo.cat, sudo.html, sudo.man, sudo.pod: Be very clear that the password required is the user's not root's [a6da127347e5] 1999-11-20 Todd C. Miller * Makefile.in: add sample.syslog.conf to DISTFILES and BINFILES [8661c27c007e] 1999-11-19 Todd C. Miller * RUNSON: updates from Brian Jackson + some formatting [6d31c6fa63f8] 1999-11-18 Todd C. Miller * INSTALL.binary, Makefile.binary, README, RUNSON: o One RUNSon update o Changes for automating real binary releases [dd9585f4406c] * Makefile.in: Add bindist target [546ed3fa94bb] 1999-11-16 Todd C. Miller * TROUBLESHOOTING: talk about run-time options in addition to compile-time options [1eb813ff0a9a] [SUDO_1_6_0] * CHANGES: fix typos [65e92bb70a7b] * sudo.c: need sys/time.h if HAVE_SETRLIMIT [ce31655a8a60] * PORTING, README, RUNSON, sudo.c, sudo.cat, sudo.html, sudo.man, sudo.pod, visudo.cat, visudo.html, visudo.man, visudo.pod: get rid of references to sudo-bugs. Now mention the web site or the sudo@ alias [a9db861fd8c6] * sudoers.html: repair pod2html damage [62ece4277f1f] * RUNSON, TODO: Update for 1.6 release [98569c57ba2a] * sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: Add warning about using ALL in a command context. [6c77685ab280] 1999-11-09 Todd C. Miller * visudo.c: Call yyrestart() on a parse error to reset the lexer state. [1370a27acdb2] * lex.yy.c, parse.lex: Don't need YY_FLUSH_BUFFER after all Move yyrestart() into visudo.c since it might not get called in yywrap if we get a parse error (and we only reread the file on error anyway). [37f4b449e28e] * lex.yy.c, parse.lex: Call YY_FLUSH_BUFFER macro in yywrap() to clean up any buffers that might still exist. Call yyrestart() instead of using the deprecated YY_NEW_FILE macro. [7d0d873046c6] * lex.yy.c, parse.lex: flex doesn't need %N table size declarations [268b020fd60a] * sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: Mention what characters need to be escaped in names. [72ccbb6b0f31] 1999-11-08 Todd C. Miller * configure: regen [65827abb5c7b] * INSTALL: clarify Mac OS X entry [8da1549a71f5] * RUNSON: update [0cff8df7459f] * configure.in: o Use AC_MSG_ERROR throughout o Check syslog configure options for danity [4cb81e642e5c] 1999-11-05 Todd C. Miller * defaults.c: Fix printing of type T_MODE in dump_defaults() [a868bb6f5515] * strcasecmp.c: missing sys/types.h [ca694ca325b6] * INSTALL: Break out options that may be overridden at run time into their own section. Add a not about Max OS X and correct some lies. [d8bcfd120593] 1999-11-04 Todd C. Miller * CHANGES, config.h.in, configure, configure.in, sudo.c: o Now use getrlimit to find the highest fd when closing all non-std fd's o Turn off core dumps via setrlimit for the sake of paranoia [dd9f651b6def] * RUNSON: updates [f581841fe615] 1999-11-01 Todd C. Miller * CHANGES: updates [553baa1d44c7] * tgetpass.c: When read()'ing, do a single character at a time to be sure we don't go oast the newline. [907d33f55bb4] * sudo.c: For the sudo_root option, check against user_uid, not getuid() since at this point, ruid == euid == 0. [92d5c51939b4] * RUNSON: some updates [e3ed0c1f312b] * logging.h: Fix compilation problem when --with-logging=file was specified. This means that syslog is now required to build sudo but that should not be a problem. If it is it can be fixed trivially with a configure check for syslog() or syslog.h. [839a4b069190] * tgetpass.c: Make this work again for things like "sudo echo hi | more" where the tty gets put into character at a time mode. We read until we read end of line or we run out of space (similar to fgets(3)). [c8f746df2e63] 1999-10-20 Todd C. Miller * sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: change ital to bold [f860978e530a] * RUNSON: update [9bcfbb405568] 1999-10-16 Todd C. Miller * defaults.c: Error out if syslog parameters are given without a value. For Ultrix or 4.2BSD "syslog" is allowed without a value since there are no facilities in the 4.2BSD syslog. [69e7a686f5f0] 1999-10-15 Todd C. Miller * defaults.c: Ignore the syslog facility for systems w/ old syslog like Ultrix. [5c250adbbb84] * TROUBLESHOOTING: people with "." early in their path can have problems running sudo from the build dir ;-) [20a1744a24a4] 1999-10-13 Todd C. Miller * sudo.cat, sudo.html, sudo.man, sudo.pod: Remove -r realm option [127caa537f95] * auth/kerb5.c, auth/sudo_auth.c, auth/sudo_auth.h, configure, configure.in, sudo.c: New krb5 code from Frank Cusack . [7177a3893a62] * CHANGES: update to reality [766cfbb512d6] 1999-10-12 Todd C. Miller * auth/fwtk.c: include to get function prototypes. [d6c7c12d09fe] * sudo.cat, sudo.html, sudo.man, sudo.pod: document -L flag [dc803e1ce0d7] 1999-10-11 Todd C. Miller * sudo.c: in set_perms(), always call setuid(0) before changing the ruid/euid so we always know it will succeed. [8cced1b862bf] * defaults.h: #undef T_FOO to avoid conflicts with system defines (like on ULTRIX). [d9f0aac092b0] * TODO, sample.sudoers, sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: Docuement "Defaults" lines in /etc/sudoers. Still needs some fleshing out but this is a start. [521a1e629bbc] 1999-10-10 Todd C. Miller * use strtol, not strtoul since not everyone has not strtoul [988462f093cc] * defaults.c: use strtol, not strtoul since not everyone has not strtoul [fce835ce62e3] * lex.yy.c, parse.lex: last {WORD} rule should only apply in the INITIAL state [9b57570bfa83] * lex.yy.c, parse.lex: o Add support for escaped characters in the WORD macro o Modify fill() to squash escape chars [87572d59e4e0] * defaults.c, defaults.h: o Add T_PATH flag to allow simple sanity checks for default values that are supposed to be pathnames. o Fix a duplicate free when visudo finds an error. [bdc6855a6c6d] 1999-10-09 Todd C. Miller * defaults.c, defaults.h, logging.c: mail_if_foo -> mail_foo [cbee9415875d] 1999-10-08 Todd C. Miller * compat.h, defaults.c, defaults.h, sudo.c, tgetpass.c: o Add requiretty option o Move O_NOCTTY to compat.h [65b8bf0e1795] * logging.c: The exit() in log_error() was mistakenly removed in a previous version. Put it back... [9473449130a4] 1999-10-07 Todd C. Miller * INSTALL, TODO, auth/aix_auth.c, auth/fwtk.c, auth/pam.c, auth/rfc1938.c, auth/sia.c, auth/sudo_auth.c, check.c, config.h.in, configure, configure.in, defaults.c, defaults.h, find_path.c, getspwuid.c, logging.c, parse.yacc, sudo.c, sudo.tab.c: o Change defaults stuff to put the value right in the struct. o Implement mailer_flags o Store syslog stuff both in int and string form. Setting the string form magically updates the int version. o Add boolean attribute to strings where it makes sense to say !foo [4698953f9a36] * tgetpass.c: add O_NOCTTY when opening /dev/tty just in case [4c6d1d1bb300] 1999-10-06 Todd C. Miller * auth/API: cleanup function no longer takes a status arg [0819edbfe7f8] * INSTALL: the the [19aadb65ea28] 1999-09-15 Todd C. Miller * TODO, config.h.in, configure, configure.in, logging.c: Use strftime() instead of ctime() if it is available. [fb60ea63b514] 1999-09-14 Todd C. Miller * defaults.c: fix copyright date [4a53b54aa72f] * RUNSON: update ReliantUNIX entry [de618a4f67d9] * defaults.c, defaults.h, logging.c: add log_year option [251a9e20568a] * configure, configure.in: add --without-sendmail to help output [93162f199902] * configure, configure.in: enforce an otctal arg for --with-suoders-mode [45e1b04ccad3] 1999-09-08 Todd C. Miller * BUGS, INSTALL, Makefile.in, TODO, aclocal.m4, auth/aix_auth.c, auth/fwtk.c, auth/kerb5.c, auth/pam.c, auth/rfc1938.c, auth/sia.c, auth/sudo_auth.c, check.c, config.h.in, configure, configure.in, defaults.c, defaults.h, find_path.c, lex.yy.c, logging.c, parse.h, parse.lex, parse.yacc, sudo.c, sudo.h, sudo.tab.c, sudo.tab.h, testsudoers.c, version.c, visudo.c: Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per- user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username. [f71abf7ba80c] * sample.syslog.conf: Add more info [e952e6f42d4d] 1999-09-04 Todd C. Miller * LICENSE, fnmatch.3, fnmatch.c, getcwd.c, lsearch.c, snprintf.c, strcasecmp.c: UCB has dropped the advertising clause from their license. [a5602b36a341] 1999-08-31 Todd C. Miller * auth/sudo_auth.h: move dce_verofy proto to correct section [972c815af558] * auth/dce.c: remove XXX [820631855be0] 1999-08-28 Todd C. Miller * emul/fnmatch.h: Add fnmatch() prototype [79e84576d92a] * fnmatch.c, parse.c, testsudoers.c: Move inclusion of emul/fnmatch.h to be after sudo.h for __P [1182c89fa811] * sudo.h: add strcasecmp proto [512d1d8a6a0c] * auth/sudo_auth.c: add check for case where there are no auth methods [e4af2b91b43e] * configure, configure.in: Define _XOPEN_EXTENDED_SOURCE on AIX and __USE_FIXED_PROTOTYPES__ on SunOS4 w/ gcc [746ce8bcec23] * getspwuid.c, lex.yy.c, parse.lex, parse.yacc, sudo.tab.c: include strings.h everywhere we include string.h [6f7d5d437e7b] * version.c: nicer output when showing auth methods [0eac4b977f9d] * version.c: Add support for SEND_MAIL_WHEN_NO_HOST [9f20a3a3fae6] * config.h.in, configure, configure.in: Add _GNU_SOURCE for Linux [c7bd8c511847] * lex.yy.c, parse.lex: fix definition of OCTECT [4af30e63244d] * configure, configure.in: aix_auth.o not authenticate.o [fe95dfb08df4] 1999-08-27 Todd C. Miller * sudo.c: Only block SIGINT, SIGQUIT, SIGTSTP (which can be generated from the keyboard). Since we run with ruid/euid == 0 the user can't really signal us in nasty ways. [a7f6487c0f48] * visudo.c: Don't need to worry about catching too many signals since we do locking on the tmp file. If a lockfile is really stale, it will be detected and overwritten. [28983db3e749] * INSTALL, Makefile.in: include auth/API in tarball [014991600252] * auth/sudo_auth.c: move memset() of plaintext pw outside of verify loop and only do the memset if we are *not* in standalone mode. [66f8e87567e2] * auth/sudo_auth.c, auth/sudo_auth.h: DCE is not a standalone method [34963e2d8a1b] * sudo.c: fix --enable-noargs-shell [4234062abbb0] * snprintf.c: "#ifdef __STDC__" not "#if __STDC__" (I missed one) [c430b80454c6] * auth/fwtk.c, auth/sia.c: _cleanup() function returns an int. [d1a1cc071ec1] * auth/dce.c: there were still some return(0)'s hanging around, make them AUTH_FAILURE [1002aa1962c3] * parse.c: typo in comment [5abc410dbfd2] * version.c: add missing semicolon [a262283b52a5] * auth/sudo_auth.h: missing backslash [bf89f6bd2900] 1999-08-26 Todd C. Miller * CHANGES, config.h.in, configure, configure.in: Kill _XOPEN_EXTENDED_SOURCE -- causes problems on some OSes [f1a9bca0cf67] * Makefile.in: add parse.h to HDRS [a3d054987766] * Makefile.in, configure, configure.in: Kill VISUDO_LIBS and VISUDO_LDFLAGS. Add LIBS, NET_LIBS, and LDFLAGS. Common libs go in LIBS, commong ld flags go in LDFLAGS and network libs like -lsocket, -lnsl go in NET_LIBS. This allows testsudoers to build on Solaris and is a bit cleaner in general. [4e6239e97002] * UPGRADE: mention ptmp -> sudoers.tmp [ec3baa0fe8a1] * config.h.in, configure, configure.in: Define _XOPEN_SOURCE_EXTENDED not _XOPEN_SOURCE [6f93dc7f39f5] * RUNSON: add 2 reports [ce0fcc00ee4e] * auth/kerb5.c: Minor changes, mostly cosmetic. verify_krb_v5_tgt() changed to return a value more like a system function [0dd56aa21424] * auth/dce.c: Add an XXX [58fc8562c212] * TODO: more things todo! [5a459d0cf339] * sample.sudoers: update based on what is in the man page [1a0477db96fa] * parse.yacc, sudo.tab.c: minor change to first line printed in -l mode [69eb57d96952] * sudo.cat, sudo.html, sudo.man, sudo.pod: rename "ENVIRONMENT VARIABLES" section to "ENVIRONMENT" to be more standard and add "EXAMPLES" section [7e543335ebe1] * visudo.cat, visudo.html, visudo.man, visudo.pod: rename "ENVIRONMENT VARIABLES" section to "ENVIRONMENT" to be more standard [f82d87ed65c2] * logging.c, parse.c, sudo.h: add FLAG_NO_CHECK [c7d69176a2d7] * lex.yy.c, parse.lex: make an OCTET really be limited to 0-255 [6ee568dd6a02] * UPGRADE: mention timestamp changes [e44d5302bf60] * PORTING: cosmetic cleanup [36fa3a2664dd] * sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: new sudoers(8) man page [e674d06283d0] 1999-08-24 Todd C. Miller * version.c: Update comments about syslog name tables [63830a782dcb] * CHANGES, LICENSE, Makefile.in, configure, configure.in, parse.yacc, strcasecmp.c, sudo.tab.c: include strcasecmp() for those without it [a0d8e2488bbc] * sample.sudoers: Use the : operator some more and fix a typo [18804c70da86] * HISTORY: update the history of sudo [9d9b3d5279b3] * parse.c, parse.lex, testsudoers.c: CIDR-style netmask support [768644467353] * CHANGES: recent changes [a4319e9d07cb] * sudo.tab.c, sudo.tab.h: these should be generated with byacc, not bison [f57b9489b752] * lex.yy.c: regen [522461f95dfa] * parse.h, parse.yacc, sudo.tab.c, sudo.tab.h: In "sudo -l" mode, the type of the stored (expanded) alias was not stored with the contents. This could lead to incorrect output if the sudoers file had different alias types with the same name. Normal parsing (ie: not in '-l' mode) is unaffected. [823fe2bc4b79] 1999-08-23 Todd C. Miller * configure, configure.in: define _XOPEN_SOURCE to get at crypt() proto on some systems [1b3769b86fb9] 1999-08-22 Todd C. Miller * snprintf.c: fix comment [fc1264df00f7] * tgetpass.c: don't need limits.h [f1631829af45] * snprintf.c: kill bogus reference to vfprintf [a0b99b25d389] * sample.sudoers, sudoers: better examples [b4d87ea64cc8] * snprintf.c: Add some const in the K&R defs. This is safe since we define const away if the compiler doesn't grok it. [614d6e83d45e] * aclocal.m4, configure: Better test for working long long support. Ultrix compiler supports basic long long but not all operations on them. [5da1508710ed] * aclocal.m4, auth/secureware.c, config.h.in, configure, getspwuid.c, snprintf.c, sudo.c: Add check for LONG_IS_QUAD #undef MAXINT before including hpsecurity.h to silence an HP-UX warning Check for U?LONG_LONG_MAX in snprintf.c and use LONG_IS_QUAD [a1f7993367fc] 1999-08-21 Todd C. Miller * LICENSE, aclocal.m4, config.h.in, configure, configure.in, snprintf.c: UCB-derived snprintf + asprintf support. Supports quads if the compiler does. No floating point yet, perhaps later... [0caf05aba945] 1999-08-20 Todd C. Miller * auth/API, auth/sudo_auth.c, auth/sudo_auth.h, check.c, find_path.c, goodpath.c, logging.c, parse.c, sudo.c: Run most of the code as root, not the invoking user. It doesn't really gain us anything to run as the user since an attacker can just have an setuid(0) in their egg. Running as root solves potential problems wrt signalling. [408e530dda01] * sudo.tab.c: regen [f8cfb37e37de] 1999-08-19 Todd C. Miller * logging.c, sudo.c: Don't wait for child to finish in log_error(), let the signal handler get it if we are still running, else let init reap it for us. The extra time it takes to wait lets the user know that mail is being sent. Install SIGCHLD handler in main() and for POSIX signals, block everything *except* SIGCHLD. [d2b6ab0ef3be] * INSTALL, config.h.in, configure, configure.in, logging.c, parse.c, parse.yacc, sudo.c, sudo.h: sudoers_lookup() now returns a bitmap instead of an int. This makes it possible to express things like "failed to validate because user not listed for this host". Some thigns that were previously VALIDATE_FOO are now FLAG_FOO. This may change later on. Reorganized code in log_auth() and sudo.c to deal with above changes. Safer versions of push/pushcp with in the do { ... } while (0) style parse.yacc now saves info on the stack to allow parse.c to determine if a user was listed, but not for the host he/she tried to run on. Added --with-mail-if-no-host option [63326cb01efc] 1999-08-17 Todd C. Miller * parse.yacc, sudo.h, sudo.tab.c, visudo.c, visudo.cat, visudo.html, visudo.man, visudo.pod: o NewArgv and NewArgc don't need to be externally visible. o If pedantic > 1, it is a parse error. o Add -s (strict) option to visudo which sets pedantic to 2. [5d7d81b55cd5] * HISTORY, INSTALL: Just have sudo-bugs contact info in one place [e7f6588ea683] * sudo.cat, sudo.html, sudo.man, sudo.pod: Add BUGS section [6607d96ea510] * Makefile.in, configure, configure.in: Add testsudoers to default build target if --with-devel Don't clean generated parser files unless "distclean". [5827b769dc57] * parse.yacc, sudo.tab.c: In pedantic mode we need to save *all* the aliases, not just those that match, or we get spurious warnings. [24f5b1f0e1de] * TROUBLESHOOTING: reference samples.sylog.conf [11841668380a] 1999-08-14 Todd C. Miller * sample.syslog.conf: Sample entries for syslog.conf [0f7697d878a1] * CHANGES: recent changes [8bca8810c6bd] * auth/API, auth/afs.c, auth/aix_auth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h: In struct sudo_auth, turn need_root and configured into flags and add a flag to specify an auth method is running alone (the only one). Pass auth methods their sudo_auth pointer, not the data pointer. This allows us to get at the flags and tell if we are the only auth method. That, in turn, allows the method to be able to decide what should/should not be a fatal error. Currently only rfc1938 uses it this way, which allows us to kill the OTP_ONLY define and te hackery that went with it. With access to the sudo_auth struct, methods can also get at a string holding their cannonical name (useful in error messages). [b7e320fc6511] * INSTALL, Makefile.in, README, config.h.in, configure, configure.in, getspwuid.c, lex.yy.c, parse.lex, parse.yacc, sudo.tab.c, sudo.tab.h: o --with-otp deprecated, use --without-passwd instead o real dependencies in the Makefile o --with-devel option to enable yacc, lex, and -Wall o style -- "foo -> bar" becomes "foo->bar" o ALL goes back to being a token, not a string but don't leak memory o rename hsotspec -> host in parse.yacc [912c45226cb2] 1999-08-12 Todd C. Miller * BUGS, CHANGES: recent changes [801fa6e55687] * auth/sudo_auth.c, configure, configure.in, interfaces.c, snprintf.c, sudo.c, sudo.h: o Digital UNIX needs to check for *snprintf() before -ldb is added to LIBS since -ldb includes a bogus snprintf(). o Add forward refs for struct mbuf and struct rtentry for Digital UNIX. o Reorder some functions in snprintf.c to fix -Wall o Add missing includes to fix more -Wall [8d207203e126] * INSTALL, auth/sudo_auth.c, check.c, config.h.in, configure, configure.in, parse.yacc, sudo.tab.c, testsudoers.c, version.c, visudo.c: o Add a "pedentic" flag to the parser. This makes sudo warn in cases where an alias may be used before it is defined. Only turned on for visudo and testsudoers. o Add --disable-authentication option that makes sudo not require authentication by default. The PASSWD tag can be used to require authentication for an entry. We no longer overload --without-passwd. [f307e09adf98] * lex.yy.c, parse.lex: Break 'WORD' regexp def into HOSTNAME and USERNAME. These days a username can contain just about anything so be very permissive. Also drop the unused \. punctuation. [06a50614ff89] 1999-08-09 Todd C. Miller * parse.yacc, sudo.tab.c: o add a 'val' element to aliasinfo struct and move -> parse.h o find_alias() now returns an aliasinfo * instead of boolean o add_alias() now takes a value parameter to store in the aliasinfo.val o The cmnd, hostspec, runasuser, and user rules now return: 1) positive match 0) negative match (due to '!') -1) no match This means setting $$ explicitly in all cases, which I should have done in the first place. It also means that we always store a value that is != -1 and when we see a '!' we can set *_matches to !rv if rv != -1. The upshot of all of this is that '!' now works the way it should in lists and some of the rules are more uniform and sensible. [ad8e73b5d581] * Makefile.in: add parse.h dependency [4ccccd464d30] * parse.h: kill unused *_matched macros [02cba6dcb732] * parse.yacc: Allow a list of users as the first thing in a user spec, not just a single entry. This makes things more uniform, though it does allow you to write user specs that are hard to read. [3c4c91c508ca] * sudo.tab.c: parse.yacc [feca81881bb6] * configure: regen [6f247010bb3b] * configure.in: fix check for crypt() in libufc [82770736f4b0] 1999-08-07 Todd C. Miller * README: sudo-users list now exists [4716d2bb0bbf] * INSTALL, PORTING, README, TODO, TROUBLESHOOTING: Update to reality. [1eda2d57e42a] * CHANGES, Makefile.in, TODO, TROUBLESHOOTING, check.c, compat.h, config.h.in, configure, configure.in, fileops.c, logging.c, sudo.h, version.c, visudo.c: o Move lock_file() and touch() into fileops.c so visudo can use them o Visudo now locks the sudoers temp file instead of bailing when the temp file already exists. This fixes the problem of stale temp files but it does *require* that you not try to put the temp file in a world-writable directory. This shoud not be an issue as the temp file should live in the same dir as sudoers. o Visudo now only installs the temp file as sudoers if it changed. [2517cd06c070] 1999-08-06 Todd C. Miller * logging.c: add fcntl locking [c304adeaf515] * config.h.in, configure, configure.in, logging.c: Lock the log file. [d8652704fbdf] * Makefile.in, TROUBLESHOOTING, parse.c, pathnames.h.in, sudo.c, visudo.c, visudo.cat, visudo.html, visudo.man, visudo.pod: o /etc/stmp -> /etc/sudoers.tmp since solaris uses stmp as shadow temp file o _PATH_SUDO_SUDOERS -> _PATH_SUDOERS and _PATH_SUDO_STMP -> _PATH_SUDOERS_TMP [68cad8975807] 1999-08-05 Todd C. Miller * INSTALL, check.c, config.h.in, configure, configure.in, version.c: o Kill *_MESSAGE and replace with NO_LECTURE o Add more things to root sudo -V config reporting [cdd2613a9dcf] * configure, configure.in: aix_auth.o not authenticate.o [d972e35f6730] * config.h.in: Add --with-goodpri and --with-badpri configure options to specify the syslog priority to use. [2595ae50ab86] * INSTALL, configure, configure.in, logging.h: Add --with-goodpri and --with-badpri configure options to specify the syslog priority to use. [8276ee9b2b49] * compat.h: kill crufty AIX stuff [a4f35ef9854e] * Makefile.in: Sigh, some versions of make (like Solaris's) don't deal with $< like I would expect. Both GNU and BSD makes get this right but... So, we just expand $< inline at the cost of some ugliness. [b1b456f8801f] * version.c: If the invoking user is root, sudo will now print configure info in -V mode. Currently just prints logging info, to be expanded later. [392f7ed99267] * logging.c, logging.h, sudo.c, sudo.h: o new defines for syslog facility and priority o use new print_version() functino for -V mode [78abc5142985] * check.c: Don't need version.c [db9a830ad893] * aclocal.m4, config.h.in, configure, configure.in: Add check for syslog facilities and priorities tables in syslog.h [b86213e5fc5c] * Makefile.in: o authenticate -> aix_auth o add version.c [44b6b9a8d0f5] * auth/sudo_auth.c: Missed a prompt -> user_prompt conversion [e4c60b1f210c] 1999-08-04 Todd C. Miller * TODO: sudo should lock its logfile [6d2830b28b07] * parse.yacc, sudo.tab.c: o Add '!' correctly when expanding Aliases. o Add shortcut macros for append() to make things more readable. o The separator in append() is now a string instead of a char. o In append(), only prepend the separator if the last char is not a '!'. This is a hack but it greatly simplifies '!' handling. o In -l mode, Runas lists and NOPASSWD/PASSWD tags are now inherited across entries in a list (matches current behavior). o Fix formatting in -l mode such that items in a list are separated by a space. Greatlt improves readability. o Space for name field in struct aliasinfo is now allocated dyanically instead of using a (big) buffer. o In add_alias(), only search the list once (lsearch instead of lfind + lsearch) [51f7e07addb9] * lex.yy.c, sudo.tab.c, sudo.tab.h: regen [5c19bb05dc21] * configure, configure.in: Solais pam doesn't require anye xtra setup [a25ba03d91d1] * parse.yacc: o Simpler '!' support now that the lexer deals with multiple !'s for us. o In the case of opFOO, have FOO give a boolean return value and set foo_matches in opFOO, not FOO. o Treat 'ALL' as a string since it gets fill()'d in parse.lex--fixes a small memory leak. In the long run it may be better to just fix parse.lex and make ALL back into a token. However, having it be a string is useful since it can be easily passed back to the parent rule if we so desire. [b3c64b443018] * parse.lex: o Remove some unnecessary backslashes o collapse multiple !'s by using !+ and checking if yyleng is even or odd. this allows us to simplify ! handling in parse.yacc [76330e8da8e3] * sudo.c: -u flag was being ignored [e30283207585] 1999-08-01 Todd C. Miller * Makefile.in: correct fix [a0e2377dec8f] * Makefile.in: work around pod2man stupididy [7c755640b67f] * Makefile.in: correct dependencies for .cat [5ed7b0653b68] * sudo.cat, sudo.man, visudo.cat, visudo.man: regen [b74510dd6a0a] * sudo.pod, visudo.pod: Add copyright Update to reality [188e9b046c15] * parse.c, sudo.c, sudo.h: rename validate() to the more descriptive sudoers_lookup() [7a1cb652f379] * auth/aix_auth.c: use tgetpass [b8ba5daec40a] 1999-07-31 Todd C. Miller * CHANGES: updates [e61460cdf4a0] * HISTORY, INSTALL, Makefile.in, README, RUNSON, TROUBLESHOOTING, configure, configure.in, sudo.c: Sudo, not CU Sudo [9061b3573c0c] * LICENSE: add 4th term to license similar to term 5 in the apache license [92712e895afb] * emul/search.h, emul/utime.h: add 4th term to license similar to term 5 in the apache license [4f93a8b9396e] * auth/afs.c, auth/aix_auth.c, auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, insults.h, interfaces.c, interfaces.h, lex.yy.c, logging.c, logging.h, parse.c, parse.h, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strerror.c, sudo.c, sudo.h, sudo.tab.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: add 4th term to license similar to term 5 in the apache license [afae9f2bf9ec] * Makefile.in, alloc.c, check.c, compat.h, config.h.in, find_path.c, getspwuid.c, goodpath.c: add 4th term to license similar to term 5 in the apache license [969e63dbd38e] * ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h: add 4th term to license similar to term 5 in the apache license [c389d3fdafac] * LICENSE, aclocal.m4, auth/rfc1938.c, check.c, configure.in, insults.h, logging.c, sudo.c, sudo.h: there was a 1995 release too [5963fd89457a] 1999-07-28 Todd C. Miller * CHANGES: updates [254b794f16ab] * check.c: Use dirs instead of files for timestamp. This allows tty and non- tty schemes to coexist reasonably. Note, however, that when you update a tty ticket, the mtime on the user dir gets updated as well. [44bfac32f799] * configure, configure.in: Fix getprpwnam() checking on SCO. Need to link with "-lprot -lx" when linking test program, not just -lprot. Also add check for getspnam(). The SCO docs indicate that /etc/shadow can be used but this may be a lie. [2ba21d36cc1e] 1999-07-24 Todd C. Miller * auth/API: first cut at auth API description [3d10df021eb8] 1999-07-22 Todd C. Miller * auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/sudo_auth.c, auth/sudo_auth.h: auth API change. There is now an init method that gets run before the main loop. This allows auth routines to differentiate between initialization that happens once vs. setup that needs to run each time through the loop. [76df1c0d3478] * auth/kerb5.c, logging.c: use easprintf() and evasprintf() [fd97d96dc12f] * alloc.c, sudo.h: add easprintf() and evasprintf(), error checking versions of asprintf() and vasprintf() [f54385de20b7] * TODO: remove 2 items. One done, one won't do. [64513b47bc7a] * lex.yy.c, sudo.tab.c: regen [4aa299de2752] * configure, sudo.cat, sudo.html, sudo.man, sudoers.html, visudo.cat, visudo.html, visudo.man: regen [553c0d1209be] * CHANGES: new changes [d7be00b7e36b] * sudo.pod: o Document -K flag and update meaning of -k flag. o BSD-style copyright o Document clearing of BIND resolver environment variables o Clarify bit about shared libs o suggest rc files create /tmp/.odus if your OS gives away files [4a4092be1455] * visudo.pod: BSD license [ad0bfd0a4630] * version.h: BSD-style copyright [ecc6479325be] * tgetpass.c: o BSD copyright o no need to block signals, we now do that in main() o cosmetic changes [61958beda7ab] * testsudoers.c, visudo.c: o BSD-style copyright o Use "struct sudo_user" instead of old globals. o some cometic cleanup [88c0c6924082] * sudo_setenv.c: BSD-style copyright [df20290129a0] * sudo.h: o BSD copyright o logging and parser bits moved to their own .h files o new "struct sudo_user" to encapsulate many of the old globals. [50fc86bf25cb] * sudo.c: o no longer contains sudo 1.1/1.2 code o BSD copyright o use new logging routines o simplified flow of control o BIND resolver additions to badenv_table [8c53f15bfcb0] * strerror.c: BSD-style copyright [7c906c3a82ac] * snprintf.c: Now compiles on more K&R compilers [07ab1d3231c7] * putenv.c: BSD-style copyright, cosmetic changes [c42371295881] * pathnames.h.in: BSD-style copyright [e5c34ebd4cf1] * parse.c, parse.h, parse.lex, parse.yacc: BSD-style copyright. Move parser-specific defines and structs into parse.h + other cosmetic changes [d3088efb6228] * logging.h: defines for logging routines [13147941c02d] * find_path.c, getspwuid.c, goodpath.c, interfaces.c: BSD-style copyright, cosmetic changes [e8205e91a4fa] * ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.h: BSD-style copyright [b9499da7cdce] * configure.in: o tgetpass.c is no longer optional o kill DCE_OBJS, add AUTH_OBJS o kill --disable-tgetpass o add --without-passwd o changes to fill in AUTH_OBJS for new auth api o check for strerror(), v?snprintf() and v?asprintf() o replace --with-AuthSRV with --with-fwtk [9a3f39b9c128] * config.h.in: BSD-style copyright. Remove USE_GETPASS and HAVE_UTIME_NULL. Add HAVE_FWTK, HAVE_STRERROR, HAVE_SNPRINTF, HAVE_VSNPRINTF, HAVE_ASPRINTF, HAVE_VASPRINTF, WITHOUT_PASSWD and NO_PASSWD [9a09054db53a] * compat.h: BSD-style copyright; Add S_IFLNK and MIN/MAX id they are missing. [25509c566975] * alloc.c: BSD-style copyright [4967be892363] * TROUBLESHOOTING: no more --with-getpass [afd5b670c196] * TODO: Take out things I've done... [375420c8270e] * README: Refer to LICENSE [c486c8db30f6] * PORTING: --with-getpass no longer exists [db48202df1bb] * Makefile.in: BSD-style copyright. Update to reflect reality wrt new files and new auth modules. [61a2ca7940fb] * INSTALL: Remove --with-AuthSRV and --disable-tgetpass. Add --with-fwtk and --without-passwd. [64e8f9e1c05e] * HISTORY: Update history a bit [df60c0a871b8] * COPYING, LICENSE: Now distributed under a BSD-style license [d1a184ccabe1] * auth/sudo_auth.c: o BSD-style copyright o Add support for NO_PASSWD/WITHOUT_PASSWD options. o skey/opie replaced by rfc1938 code o new struct sudo_user global [891b57060868] * auth/pam.c, auth/sia.c: BSD-style copyright and use new log functions [65c44445ea84] * auth/kerb5.c: o BSD-style copyright o Use new log functiongs o Use asprintf() and snprintf() where sensible. [1ff0feaacf95] * check.c: Rewrote all the old sudo 1.1/1.2 code. Timestamp handling is now done more reasonably--better sanity checks and tty-based stamps are now done as files in a directory with the same name as the invoking user, eg. /var/run/sudo/millert/ttyp1. It is not currently possible to mix tty and non-tty based ticket schemes but this may change in the future (it requires sudo to use a directory instead of a file in the non-tty case). Also, ``sudo -k'' now sets the ticket back to the epoch and ``sudo -K'' really deletes the file. That way you don't get the lecture again just because you killed your ticket in .logout. BSD-style copyright now. [ec3460f85be8] * logging.c: o rewritten logging routines. log_error() now takes printf-style varargs and log_auth() for the return value of validate(). o BSD- style copyright [438292025c4e] * auth.c, check_sia.c, dce_pwent.c, secureware.c: superceded by new auth API [412060590da7] * auth/kerb4.c: BSD-style copyright [cc4e800833c7] * auth/fwtk.c: Use snprintf() where it makes sense and add a BSD-style copyright [1b7502388a74] * auth/afs.c, auth/aix_auth.c, auth/dce.c, auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/sudo_auth.h: BSD-style copyright [42583bedae5c] * emul/utime.h, utime.c: BSD-style copyright [3985c90aba47] * emul/search.h: this has been rewritten so use my BSD-style copyright [176df1b0de6f] 1999-07-15 Todd C. Miller * snprintf.c: include malloc.h if no stdlib.h [7b123f1d1d03] * snprintf.c: KTH snprintf()/asprintf() for systems w/o them [3ca9aefb9d01] * strerror.c: strerror() for systems w/o it [7f0bd8a1c1b4] 1999-07-12 Todd C. Miller * visudo.c: stylistic changes [6f99aceb7170] * parse.c, parse.lex, parse.yacc: Add contribution info in the main comment [e50cec10acd6] 1999-07-11 Todd C. Miller * auth/pam.c: remove missed ref to PAM_nullpw [a43e59692cdb] * auth/sudo_auth.h: pasto [891ff138ab89] * auth/kerb5.c: more or less complete now--still untested [21036732faa0] * auth/afs.c, auth/pam.c: don't use user_name macro, it will go away [def7cf727349] * auth/opie.c, auth/rfc1938.c, auth/skey.c, auth/sudo_auth.h: combine skey/opie code into rfc1938.c [44d88ca93d3e] * auth/dce.c, auth/sudo_auth.h: DCE authentication method; basically unchanged from dce_pwent.c [4d468473dd6f] * auth/aix_auth.c, auth/sudo_auth.h: AIX authenticate() support. Could probably be much better [000013321a33] * auth/sia.c: Fix an uninitialized variable and some cleanup. Now works (tested) [fd6ad88ff055] * auth/sia.c, auth/sudo_auth.h: SIA support for digital unix [5335f3e70eab] * auth/pam.c: don't use prompt global, it will go away [fadd22dd6ce4] * auth/secureware.c: correct copyright years [6aa07c49f51b] * auth/afs.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/opie.c, auth/pam.c, auth/passwd.c, auth/secureware.c, auth/securid.c, auth/skey.c, auth/sudo_auth.c, auth/sudo_auth.h: New authentication API and methods [9debe9b59c79] 1999-07-08 Todd C. Miller * sudo.tab.c: regen [84578e82c1a6] * parse.yacc: only save an entry if user_matches && host_matches, even if the stack is empty (fix for previous commit) [00984b078d8a] * sudo.tab.c: regen [66acf160b4b7] * parse.yacc: 1) Always save an entry on the stack if it is empty. This fixes the -l and -v flags that were broken by earlier parser changes. 2) In a Runas list, don't negate FALSE -> TRUE since that would make !foo match any time the user specified a runas user (via -u) other than foo. [f322eb54b015] * testsudoers.c: interfaces and num_interfaces are now auto, not extern [113add5c6518] 1999-07-07 Todd C. Miller * auth.c: use a static global to keep stae about empty passwords [bc02e30807d8] * check_sia.c: make PASSWORD_NOT_CORRECT logging consistent with other modules [21962549d5fd] 1999-07-05 Todd C. Miller * auth.c: PAM prompt code was wrong, looks like we have to kludge it after all. [91f246155ead] * auth.c: In the PAM code, when a user hits return at the first password prompt, exit without a warning just like the normal auth code [918f59bacdb7] * configure, configure.in: kludge around cross-compiler false positives [5e5fc8356400] * auth.c, check.c, check_sia.c, logging.c, sudo.h, tgetpass.c: New (correct) PAM code Tgetpass now takes an echo flag for use with PAM_PROMPT_ECHO_ON Block SIGINT and SIGTSTP during auth remove a useless umask setting Change error from BAD_ALLOCATION -> BAD_AUTH_INIT (for use with sia/PAM) Some cosmetic changes to auth.c for consistency [e71397f09dd8] * sudo.c: Some -Wall and kill some trailing spaces [8229b43d5c4e] * configure.in: define -D__EXTENSIONS__ for solaris so we get crypt() proto [7533e4436cab] 1999-06-22 Todd C. Miller * RUNSON: add Dynix 4.4.4 [b69f773efbce] * INSTALL, config.h.in, configure, configure.in: for kerberos V < version, fall back on old kerb4 auth code [d685ed3a1d8e] * INSTALL: clarify some things [2f5ba2e8e53a] * UPGRADE, sudoers.cat, sudoers.man, sudoers.pod: typos [8925a109c093] 1999-06-14 Todd C. Miller * sudo.c: mention why DONT_LEAK_PATH_INFO is not the default [0346260cb4ec] 1999-06-03 Todd C. Miller * tgetpass.c: Fix open(2) return value checking, was NULL for fopen, should be -1 for open [355878bf6d8a] * configure: regen [68bf82871862] * configure.in: better wording for solaris pam notice [04e88c7a6c42] * CHANGES: document recent changes [7c922c5622ef] * TROUBLESHOOTING: Update shadow password section [e8448bae7d66] * auth.c: move authentication code from check.c to auth.c [e9f6ecae2399] * Makefile.in, check.c, sudo.h: move authentication code to auth.c [124cded85f46] 1999-05-17 Todd C. Miller * Makefile.in, check.c, check_sia.c, compat.h, find_path.c, getspwuid.c, goodpath.c, interfaces.c, interfaces.h, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, secureware.c, sudo.c, sudo.h, sudo.tab.c, sudo_setenv.c, testsudoers.c, tgetpass.c, visudo.c: Move interface-related defines to interfaces.h so we don't have to include everywhere. [e7599d8ea0bf] 1999-05-14 Todd C. Miller * CHANGES, INSTALL, TODO, check.c, compat.h, getspwuid.c, logging.c, parse.yacc, sudo.c, sudo.tab.c, tgetpass.c: o Replace _PASSWD_LEN braindeath with our own SUDO_MAX_PASS. It turns out the old DES crypt does the right thing with passwords longert than 8 characters. o Fix common typo (necesary -> necessary) o Update TODO list [ad75007a6f13] 1999-05-03 Todd C. Miller * sudo.c: set $LOGNAME when we set $USER [391596210fd7] 1999-04-27 Todd C. Miller * INSTALL: add comment about digital unix and interfaces.c warning with gcc [e20f815901cc] 1999-04-15 Todd C. Miller * sample.sudoers: use modern paths and give examples for some of the new parser features [e7b2e507c695] 1999-04-10 Todd C. Miller * parse.c: fix comment [5eb0d005a65f] * alloc.c, check.c, check_sia.c, dce_pwent.c, find_path.c, getspwuid.c, goodpath.c, interfaces.c, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, putenv.c, secureware.c, sudo.c, sudo.tab.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: Function names should be flush with the start of the line so they can be found trivially in an editor and with grep [3c400abde574] * find_path.c, interfaces.c, lex.yy.c, parse.c, parse.lex, parse.yacc, sudo.c, sudo.tab.c, testsudoers.c, tgetpass.c, visudo.c: free(3) is already void, no need to cast it [6981e1ebda0f] * logging.c, sudo.c, sudo.h: catch case where cmnd_safe is not set (this should not be possible) [3e1e3038546c] * CHANGES, logging.c, parse.c, parse.yacc, sudo.c, sudo.h, sudo.tab.c, testsudoers.c, visudo.c: Stash the "safe" path (ie: the one listed in sudoers) to the command instead of stashing the struct stat. Should be safer. [aa2883fcf57e] 1999-04-08 Todd C. Miller * INSTALL, Makefile.in, UPGRADE: notes on updating from an earlier release [df9fffa4ab2c] * CHANGES: updated [574f5065d15a] 1999-04-07 Todd C. Miller * parse.yacc, sudo.tab.c, sudo.tab.h, sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: You can now specifiy a host list instead of just a host or alias. Ie: user = host1,host2,ALIAS,!host3 my_command now works. [e3942bb78021] * testsudoers.c: Quiet -Wall [a3edc8b08c3a] * parse.yacc, sudo.tab.c: Move the push from the beginning of cmndspec to the end. This means we no longer have to do a push at the end of privilege, just reset some values. [8ea66e5860c6] * sudoers.cat, sudoers.html, sudoers.man, sudoers.pod: runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere [aadae4d1c9d5] 1999-04-06 Todd C. Miller * sudoers.pod: modernize paths and update su example based on sample.sudoers one [3f6a37e16c83] * sample.sudoers: New runas semantics [756ee92865b7] * CHANGES, Makefile.in, alloc.c, config.h.in, configure, configure.in, strdup.c, sudo.h: In estrdup(), do the malloc ourselves so we don't need to rely on the system strdup(3) which may or may not exist. There is now no need to provide strdup() for those w/o it. Also, the prototype for estrdup() was wrong, it returns char * and its param is const. [5f1f984da8e3] * getcwd.c: $Sudo tag [e4188a35e68c] * check.c: buf should be prompt; Michael Robokoff [2aec87c86cde] * CHANGES, TODO, parse.yacc, sudo.tab.c: It is now possible to use the '!' operator in a runas list as well as in a Cmnd_Alias, Host_Alias and User_Alias. [a4fdaabda990] * logging.c, sudo.h: Kill GLOBAL_NO_SPW_ENT (not used) and crank GLOBAL_PROBLEM [73d0376785ae] * sudo.h: Definitions of *_matched were wrong--user top, not top-2 as subscript. [5f8350a57362] * logging.c, parse.c, parse.yacc, sudo.c, sudo.h, sudo.tab.c: Add VALIDATE_NOT_OK_NOPASS for when user is not allowed to run a command but the NOPASSWD flag was set. Make runasspec, runaslist, runasuser, and nopasswd typeless in parse.yacc Add support for '!' in the runas list Fix double printing of '%' and '+' for groups and netgroups respectively Add *_matched macros (no need for local stack variable). Should only be used directly after a pop (since top must be >= 2). [392b1400c4e6] * aclocal.m4, configure.in: Add copyright, somewhat silly [55c2cdd82dca] 1999-04-05 Todd C. Miller * BUGS, INSTALL, Makefile.in, README, alloc.c, check.c, check_sia.c, compat.h, config.h.in, configure, configure.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, secureware.c, strdup.c, sudo.c, sudo.cat, sudo.h, sudo.man, sudo.tab.c, sudo_setenv.c, sudoers.cat, sudoers.man, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c, visudo.cat, visudo.man: Crank version to 1.6 and combine copyright statements [0e1c791658ae] * sample.sudoers: Use ! not ^ to do negation [1480a0761730] * lex.yy.c, sudo.tab.c: regen [89ca5a46684b] * parse.lex, parse.yacc: Make runas and NOPASSWD tags persistent across entris in a command list. Add a PASSWD tag to reverse NOPASSWD. When you override a runas or *PASSWD tag the value given becomes the new default for the rest of the command list. [f1bbb4066542] 1999-04-02 Todd C. Miller * CHANGES, RUNSON: update for 1.5.9 [a1ae9d4a7d54] [SUDO_1_5_9] * visudo.c: Shift return value of system(3) by 8 to get real exit value and if it is not 1 or 0 print the retval along with the error message. [c1ff50d743fb] 1999-03-30 Todd C. Miller * Makefile.in: testsudoers needs LIBOBJS too [972571b4e4bf] * parse.c, parse.yacc, sudo.tab.c: Fix another parser bug. For a sudoers entry like this: millert ALL=/bin/ls,(daemon) !/bin/ls sudo would not allow millert to run ls as root. [51968e1eb33d] * CHANGES: new change [271c6110bb62] * parse.yacc, sudo.tab.c: Save entries that match a ! command on the matching stack too [5afb5107116c] * sudo.c: Make sudo's usage info better when mutually exclusive args are given and don't rely on argument order to detect this; nick@zeta.org.au [2422753c88fd] 1999-03-29 Todd C. Miller * CHANGES, Makefile.in, RUNSON: updates from CU [b37381e3dafb] * Makefile.in: use gzip [94a64e52a166] * parse.yacc, sudo.tab.c: Fix off by one error introduced in *alloc changes [95ede581153a] * BUGS, CHANGES, INSTALL, Makefile.in, README, alloc.c, check.c, check_sia.c, compat.h, config.h.in, configure, configure.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, secureware.c, strdup.c, sudo.c, sudo.cat, sudo.h, sudo.man, sudo.tab.c, sudo_setenv.c, sudoers.cat, sudoers.man, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c, visudo.cat, visudo.html, visudo.man, visudo.pod: ++version [c6d88f024e37] * Makefile.in, check.c, find_path.c, getspwuid.c, goodpath.c, interfaces.c, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, putenv.c, secureware.c, strdup.c, sudo.c, sudo.h, sudo.tab.c, sudo_setenv.c, testsudoers.c, utime.c, visudo.c: Use emalloc/erealloc/estrdup [44221d97361a] * alloc.c: error checking memory allocation routines [5f8c1e7bbc71] * parse.yacc, sudo.tab.c: Still not right, this fixes it for real [ad553b6f5339] * parse.yacc, sudo.tab.c: Fix for previous commit [4d6f989f9bf2] * CHANGES, INSTALL, parse.yacc: Fix a parser bug that was exposed when mixing different runas specs and ! commands. For example: millert ALL=(daemon) /usr/bin/whoami,!/bin/ls would allow millert to run whoami as root as well as daemon when it should just allow daemon. The problem was that comma-separated commands in a list shared the same entry on the matching stack. Now they get their own entry iff there is a full match. It may be better to just make the runas spec persistent across all commands in a list like the user and host entries of the matching stack. However, since that is a fairly major change it should gets its own minor rev increase. [c4b939cdcc8e] 1999-03-28 Todd C. Miller * check.c, config.h.in: Simplify PAM code and fix a PAM-related warning on Linux [2468399523b6] 1999-03-26 Todd C. Miller * CHANGES: updates [29d4a997769c] * sample.sudoers: better su entry [76d8285a72ba] * configure: regen [b7450cc6975d] * check.c, configure.in: new pam code that works on solaris, should work on linux too; aelberg@home.com [84c16c0ff259] 1999-03-19 Todd C. Miller * RUNSON: more entries [b6bef8660759] * config.h.in: only include strings.h if there is no string.h [b66054a32b00] 1999-03-17 Todd C. Miller * config.guess: Sinix is now being called ReliantUNIX; bjjackso@us.oracle.com [c086d2fe63af] 1999-03-13 Todd C. Miller * sudo.c: shost must be set before log functions are called #ifdef HOST_IN_LOG [d49a7944358f] 1999-03-07 Todd C. Miller * CHANGES, lex.yy.c, parse.lex: Fix a bug wrt quoting characters in command args. Stop processing an arg when you hit a backslash so the quoted-character detection can catch it. [2281438d7f41] 1999-02-26 Todd C. Miller * interfaces.c: include sys/time.h; aparently AIX needs it. ppz@cdu.elektra.ru [31118a9e9916] 1999-02-24 Todd C. Miller * configure, configure.in: add missing case statement so --without-sendmail works [ca25614f7dd9] 1999-02-23 Todd C. Miller * CHANGES: more [4d70e44f7f93] 1999-02-22 Todd C. Miller * configure, configure.in: only search for -lsun in irix <= 4.x [e604238317b1] * configure, configure.in: back out last configure.in change now that I've hacked autoconf to fix the real problem and add a missing newline [2dabf59a79b5] * CHANGES: updated [bb35d526552f] * getcwd.c: add def of dirfd() for those without it [95f0173d8441] * configure, configure.in: When falling back to checking for socket() when linking with "-lsocket -lnsl" check for main() instead since autoconf has already cached the results of checking for socket() in -lsocket. This is really an autoconf bug as it should use the extra libs as part of the cache variable name. [a845f8b710ad] * configure.in: typo [a7d62f62a478] 1999-02-21 Todd C. Miller * configure.in: fix occurrence of $with_timeout that should be $with_password_timeout; Michael.Neef@neuroinformatik.ruhr-uni- bochum.de [8c4da2cf73d1] 1999-02-17 Todd C. Miller * sudo.cat, sudo.html, sudo.man, sudo.pod: fix grammar; espie@openbsd.org [7031d9dfbc3e] [SUDO_1_5_8] 1999-02-11 Todd C. Miller * parse.yacc, sudo.c, testsudoers.c: add cast for strdup in places it does not have it [7ce4478d3b0f] 1999-02-09 Todd C. Miller * configure, configure.in: define for_BSD_TYPES irix [858337ff4af8] 1999-02-07 Todd C. Miller * Makefile.in, sudo.cat, sudo.html, sudo.man, sudo.pod: Make it clear that it is the user's password, not root's, that we want. [ae0f51b35ee4] * check.c, sudo.h: If the user enters an empty password and really has no password, accept the empty password they entered. Perviously, they could enter anything *but* an empty password. Also, add GETPASS macro that calls either tgetpass() or getpass() depending on how sudo was configured. Problem noted by jdg@maths.qmw.ac.uk [2fde21ce94c1] 1999-02-03 Todd C. Miller * Makefile.in, check.c, check_sia.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, secureware.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: add explicate copyright [d3b4449834a5] * CHANGES: mention -lsocket, -lnsl configure changes [9140af4ad8ae] 1999-02-02 Todd C. Miller * sudo.c: Don't clobber errno after calling check_sudoers(). [59bd581b2654] 1999-02-01 Todd C. Miller * configure, configure.in: When linking with both -lsocket and -lnsl be sure to do so in that order. Also, when we can't find socket() or inet_addr() and have to try linking with both libs, issue a warning. [0ee547163067] * sudo.cat, sudo.man, sudo.pod: clarify bad timestamp and fmt [70e42cf56c75] 1999-01-23 Todd C. Miller * INSTALL, RUNSON: be clear that pam is linux-only and add a RUNSON entry [7fdeab875e0d] 1999-01-22 Todd C. Miller * CHANGES, INSTALL, configure, configure.in: fix and correctly document --with-umask; problem noted by adap@adap.org [11cd0481d63a] 1999-01-20 Todd C. Miller * configure, configure.in: only use /usr/{man,catman}/local to store man pages if suer didn't override prefix or mandir [781ad2cbe9be] * INSTALL, configure, configure.in: fix typo, make --with-SecurID take an arg [026a9b4014fc] 1999-01-19 Todd C. Miller * RUNSON: updates from users [2286982b31e6] * CHANGES, INSTALL, check.c, configure, configure.in: FWTK 'authsrv' support from Kevin Kadow [23aa4e5c6b02] * configure, configure.in: better fix for the problem of unresolved symbols in -lnsl or -lsocket [82fe70fc287f] * configure, configure.in: when checking for functions in -lnsl and -lsocket link with both of them to avoid unresolved symbols on some weirdo systems [1734a591808e] 1999-01-18 Todd C. Miller * BUGS, CHANGES, RUNSON, TODO: old changes that didn't make it into RCS before the RCS->CVS switch [846eb2b8f9aa] 1999-01-17 Todd C. Miller * Makefile.in, check.c, check_sia.c, compat.h, config.h.in, configure.in, dce_pwent.c, emul/search.h, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, lex.yy.c, logging.c, lsearch.c, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, secureware.c, strdup.c, sudo.c, sudo.pod, sudo_setenv.c, sudoers.pod, testsudoers.c, tgetpass.c, utime.c, visudo.c, visudo.pod: add sudo tags [962f81eaa5ab] * sudo.h: testing Sudo tag [e84cbc521129] * version.h: testing Sudo tag [a8c3a3998b88] * BUGS, INSTALL, Makefile.in, README, check.c, check_sia.c, compat.h, config.h.in, configure, configure.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, lex.yy.c, logging.c, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, secureware.c, strdup.c, sudo.c, sudo.cat, sudo.h, sudo.man, sudo_setenv.c, sudoers.cat, sudoers.man, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c, visudo.cat, visudo.man: crank version and regen files [23eacf00a1a4] * Makefile.in: kill rcs goop in update_version and fix now that version is a const [e6e50bd8d1e1] * INSTALL, check.c, config.h.in, configure, configure.in, logging.c, sudo.c, sudo.h, sudo.pod: kerb5 support from fcusack@iconnet.net [8134027986e2] * realpath.c, sudo_realpath.c: we no longer use realpath [0f5f64abc646] * qualify.c: replaced by find_path.c [9e32a87e09c4] * options.h: all options are now configure flags [ee6bd9610102] * lex.yy.c: regen [bdbf8a18161f] * getwd.c: superceded by getcwd.c [1e54ee0990b4] * getpass.c: superceded by tgetpass.c [4e0d1edc30e3] * SUPPORTED: superceded by RUNSON [854c5a21cb53] * OPTIONS: No longer used now that we have configure options for everything. [9b1ae1c89259] * configure: regen based on configure.in [3a4d73936973] * sudo.cat, sudo.html, sudo.man, sudoers.cat, sudoers.html, sudoers.man, visudo.cat, visudo.html, visudo.man: regen based on sudo.pod, sudoers.pod, and visudo.pod [c267beb90778] 1998-12-11 Todd C. Miller * check.c: fix tty tickets in remove_timestamp (didn't use ':') [fd964a74a32b] 1998-12-07 Todd C. Miller * interfaces.c: close sock when we are done with it [95de0380f8a4] 1998-11-28 Todd C. Miller * parse.yacc: never say "error on line -1" [361db1491121] 1998-11-24 Todd C. Miller * configure.in: check for -lnsl before -lsocket [8e966d6bbcb5] * configure.in: quote '[', ']' used in ranges correctly [fa4f9c6ff651] 1998-11-21 Todd C. Miller * config.h.in: add missing NO_ROOT_SUDO noted by drno@tsd.edu [c969f25d1667] 1998-11-20 Todd C. Miller * version.h: 1.5.7 [7a22de0bc148] * INSTALL: more info for 1.5.7 [30ad9e784799] * README: update for 1.5.7 [cd03a0a27cd2] * parse.yacc: make increases of cm_list_size and ga_list_size be similar to increases of stacksize (ie: >= not > in initial compare). [6bd450a896c7] * parse.yacc: when we get a syntax error, report it for the previous line since that's generally where the error occurred. [c4ac84058f0b] 1998-11-18 Todd C. Miller * config.h.in, configure.in, interfaces.c: add back check for sys/sockio.h but only use it if SIOCGIFCONF is not defined [d197f31fd1e4] [SUDO_1_5_7] * config.h.in: define BSD_COMP for svr4 [87ac1147ff79] * check.c, check_sia.c, find_path.c, getcwd.c, getspwuid.c, goodpath.c, interfaces.c, logging.c, lsearch.c, parse.c, parse.lex, parse.yacc, putenv.c, secureware.c, strdup.c, sudo.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: more -Wall [d98e2d32db2a] * configure.in: kill check for sockio,h [4399779014c1] * config.h.in: no more HAVE_SYS_SOCKIO_H [67484528e347] * check.c, check_sia.c, find_path.c, getcwd.c, getspwuid.c, goodpath.c, interfaces.c, logging.c, lsearch.c, parse.c, parse.lex, parse.yacc, putenv.c, secureware.c, strdup.c, sudo.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: -Wall [2b7e83976788] 1998-11-16 Todd C. Miller * sudo.c: add missing inform_user() [8689528c6d55] 1998-11-14 Todd C. Miller * find_path.c: return NOT_FOUND if given fully qualified path and it does not exist previously it would perror(ENOENT) which bypasses the option to not leak path info [ccbc3d0130ae] * configure.in: for kerb5, check for -lkerb4, fall back on -lkrb for kerb, check for -ldes [c77d3b484ece] 1998-11-13 Todd C. Miller * INSTALL: tty tickets are user:tty now [a53a303a614d] * check.c: when using tty tickets make it user:tty not user.tty as a username could have a '.' in it [3160b3f5c890] 1998-11-10 Todd C. Miller * sudo.c: add "ignoring foo found in ." for auth successful case [24257169e0bd] 1998-11-09 Todd C. Miller * sudo.c: add missing printf param [8c905124f777] 1998-11-08 Todd C. Miller * INSTALL, config.h.in, configure.in, find_path.c, sudo.c, sudo.h: go back to printing "command not found" unless --disable-path-info specified. Also, tell user when we ignore '.' in their path and it would have been used but for --with-ignore-dot. [066e118c11e4] * check.c, sudo.c: Only one space after a colon, not two, in printf's [38452f4c8007] 1998-11-05 Todd C. Miller * sudo.pod: document setting $USER [80557fe6aede] * check.c: fix bugs with prompt expansion [44c4fca5f009] * sudo.c: set $USER for root too [4b525e1c6269] 1998-11-04 Todd C. Miller * getspwuid.c: typo [5107446f43e0] * configure.in: HP-UX's iscomsec is in -lsec, not libc [03c9f700b795] * configure.in: remove some entries in the OS case statement that did nothing [ea96e7e0f624] * TROUBLESHOOTING: add "cd" section and flush out syslog section [5107f7363b78] * Makefile.in: no more sudo-lex.yy.c [ed50826efbbc] * check_sia.c: add custom prompt support [6a285cea10b7] * testsudoers.c: kill perror("malloc") since we already have a good error messages pw_ent -> pw for brevity [eee31052921e] * sudo.c: kill perror("malloc") since we already have a good error messages pw_ent -> pw for brevity set $USER if -u specified [9f3753461f8a] * parse.yacc: kill perror("malloc") since we already have a good error messages [849459088ac3] * parse.c: kill perror("malloc") since we already have a good error messages pw_ent -> pw for brevity when checking if %group matches, look up user in password file so that %groups works in a RunAs spec. [0489b4ecc59a] * logging.c: kill perror("malloc") since we already have a good error messages [3191a18b3526] * check.c, getspwuid.c, interfaces.c: kill perror("malloc") since we already have a good error messages pw_ent -> pw for brevity [7193fdb38cf9] 1998-11-03 Todd C. Miller * tgetpass.c: the prompt is expanded before tgetpass is called [0f408f508041] * sudo.h: tgetpass now has the same args as getpass again [b6778cd9d79f] * getspwuid.c: add iscomsec, issecure support [007be7ec7ae7] * check.c: we now expand any %h or %u in the prompt before passing to tgetpass [f3db8c9ee387] * configure.in: add check for syslog(3) in -lsocket, -lnsl, -linet [5a96f902ce00] * config.h.in: add HAVE_ISCOMSEC and HAVE_ISSECURE [f640b0d4cf05] * configure.in: add check for iscomsec in HP-UX [b28b249040f0] * configure.in: check for issecure if we have getpwanam on SunOS some options are incompatible with DUNIX SIA check for dispcrypt on DUNIX [a49d05d9c913] 1998-10-25 Todd C. Miller * config.h.in: add HAVE_DISPCRYPT [7376d543d8d6] * secureware.c: add back support for non-dispcrypt based checking for older DUNIX [977b98e936be] * INSTALL: sia changes [c5387c06e30f] * configure.in: SIA becomes the default on Digital UNIX now havbe --disable-sia to turn it off... [3b647558ea13] * check.c: move local includes after system ones [b2abad4c4aef] 1998-10-24 Todd C. Miller * check.c, check_sia.c, sudo.h: add pass_warn() which prints out INCORRECT_PASSWORD or an insult to stderr [547cbf299661] * check_sia.c: fix while loop in sia_attempt_auth() that checks the password. Only the first iteration was working. [1886fd1ac831] 1998-10-22 Todd C. Miller * aclocal.m4: don't trust UID_MAX or MAXUID [2aeddb1654d8] * configure.in: fix two pastos [c18f0a10b75d] * configure.in: fix typo [1eb3190ef12d] * getspwuid.c, secureware.c: init crypt_type to INT_MAX since it is legal to be negative in DUNX 5.0 [cefbde04822d] * configure.in: for secureware on dunix, use -lsecurity -ldb -laud -lm but check for -ldb since DUNX < 4.0 lacks it [e6b11d971068] 1998-10-21 Todd C. Miller * check.c, compat.h, config.h.in, configure.in, getspwuid.c, secureware.c, sudo.c, tgetpass.c: getprpwuid is broken in HP-UX 10.20 at least (it sleeps for 2 minutes if the shadow files don't exist). [2f297d095004] 1998-10-20 Todd C. Miller * INSTALL: updated --with-editor blurb [77d8a3ea7328] * TROUBLESHOOTING: tell how to put sudoers in a different dir [456cd20eb1d0] * configure.in: add missing quotes around $with_editor [22881748ab1b] * configure.in: typo in --with-editor bits [ab6964580681] * INSTALL: I don't expect it to work on Solaris [1c2fceaaf56e] * check.c: add back security/pam_misc.h [6ffd30033c1e] 1998-10-19 Todd C. Miller * INSTALL: remove dunix note since configure checks for this now [e9904512b8e8] * configure.in: add check for broken dunix prot.h (4.0 < 4.0D is bad) [8a4c1e6aef3b] * getspwuid.c, secureware.c, tgetpass.c: new dunix shadow code, use dispcrypt(3) [1b936bc7268c] * config.h.in: add HAVE_INITPRIVS [4369f4c4f914] * sudo.c: call initprivs() if we have it for getprpwuid later on [11cf5915d826] * Makefile.in: clean pathnames.h too [5f1df3262613] * configure.in: quote "Sorry, try again." with [] since it has a comma in it set LIBS when we add stuff to SUDO_LIBS set SECUREWARE when we find getprpwuid() so we can check for bigcrypt, set_auth_parameters, and initprivs later. [e226b0a3f250] * INSTALL: update Digital UNIX note about acl.h [80132b71d73a] * INSTALL: add --with-sia --without-root-sudo -> --disable-root-sudo some reordering [198386358818] * secureware.c: add whitespace [4aadaf1a54b0] * Makefile.in, check.c, config.h.in, configure.in, logging.c, sudo.h: add SIA support [fa3ddbb9cc51] * check_sia.c: Initial revision [2968551d40e4] 1998-10-18 Todd C. Miller * configure.in: when checking for -lsocket, -lnsl, and -linet, check for the specific functions we need from them. [8d33e64362a3] * config.h.in, sudo.h: move Syslog_* defs into sudo.h [03d1774f25c7] * Makefile.in, sudo.h: added check_secureware [e46e3cbb9a97] * configure.in: finished adding AC_MSG_CHECKING and AC_MSG_RESULT bits [dbefe1856503] * insults.h: don't define CLASSIC_INSULTS and CSOPS_INSULTS if no other sets defined. configure now does that for us [e4520ea0581f] * configure.in: move some --with options around change a bunch of echo's to AC_MSG_CHECKING, AC_MSG_RESULT pairs [ffdf6869fdd7] * configure.in: change $with_foo-bar -> $with_foo_bar kill extra " that caused a syntax error add some echo verbage [3278c49bf74b] 1998-10-17 Todd C. Miller * check.c: moved SecureWare stuff into secureware.c [42d3d3ac35dc] * secureware.c: Initial revision [aa7f72a249cf] * INSTALL: update url to solaris gcc bins [36a3eb668777] * INSTALL: change option formatter and flesh out someentries [6fbd1db4a8ad] * TROUBLESHOOTING, sudo.pod, visudo.pod: environmental variable -> environment variable [6f14d708e32d] * BUGS: everything is now done via configure [c217858f58ab] * README: prev rev was 1.5.6 [7b4177103c35] * Makefile.in: passing SUDOERS_MODE, SUDOERS_UID, SUDOERS_GID correctly [31c6b0a5e0e2] * config.h.in: SUDOERS_MODE, SUDOERS_UID, SUDOERS_GID now come from the Makefile [d406a1ef6d25] * Makefile.in: merge OSDEFS and OPTIONS into DEFS get sudoers_uid, sudoers_gid, sudoers_mode from configure [1c509500655a] * configure.in: SUDOERS_MODE, SUDOERS_UID, and SUDOERS_GID now get substituted into the Makefile, not config.h [d4482f1492fe] * INSTALL: document all --with/--enable options [22d81b312d7f] 1998-10-15 Todd C. Miller * insults.h: options.h is no more [560946a33f7f] * config.h.in: assimilated options.h [dd8ce74613c1] * configure.in: moved options from options.h to configure [d39662f71b4e] * check.c, find_path.c, getspwuid.c, goodpath.c, interfaces.c, logging.c, parse.c, parse.lex, parse.yacc, sudo.c, sudo.pod, sudo_setenv.c, visudo.c: no more options.h [43924bf0858d] * INSTALL, Makefile.in, PORTING, TROUBLESHOOTING: remove references to options.h [ef3474295395] * dce_pwent.c, interfaces.c, sudo.c: kill sys/time.h [4d833f0034e4] * tgetpass.c: if select return < -1 still prompt for pw [e0009e5c93a2] * options.h: convert LOGGING, LOGFAC, MAXLOGFILELEN, IGNORE_DOT_PATH into configure options [e60a1e546516] * parse.c: FAST_MATCH is no longer an optino [c448dbb3464b] * check.c: remove_timestamp() if timestamp is preposterous [70d9a86c6ecd] * options.h: convert more options to --with/--enable [34646d9b09dc] * INSTALL, aclocal.m4: logfile -> logpath [42de502bc637] * configure.in: convert more options into --with and --enable [92d0898c9844] * tgetpass.c: catch EINTR in select and restart [f045d2f234d7] * logging.c: sys/errno -> errno [7f0c5beab6f2] 1998-09-24 Todd C. Miller * sudo.c: UMASK -> SUDO_UMASK. [48f308661514] * check.c, logging.c: time.h, not sys/time.h [91de049c79e4] 1998-09-21 Todd C. Miller * logging.c: MAILER -> _PATH_SENDMAIL [df65d6896639] * INSTALL, configure.in: no more --with-C2, now it is --disable-shadow [18bfcab3b9ab] * aclocal.m4, check.c, compat.h, config.h.in, configure.in, getspwuid.c, sudo.c, tgetpass.c: new shadow password scheme. Always include shadow support if the platform supports it and the user did not disable it via configure [2135d93bb4a9] 1998-09-20 Todd C. Miller * configure.in: --with-getpass -> --{enable,disable}-tgetpass [451b33fdd4c7] * Makefile.in: pathnames.h -> pathnames.h.in [b109022eca69] * check.c: fix version string [761b25c314ea] * check.c: move pam_conv to be static to auth function remove pam_misc.h (solaris doesn't have one) [a682e4da987a] * aclocal.m4: _CONFIG_PATH_* -> _PATH_* or _PATH_SUDO_* kill SUDO_PROG_PWD [e6005d0599b5] * configure.in: munge pathnames.h.in -> pathnames.h kill SUDO_PROG_PWD [24c0ac2155ef] * pathnames.h.in: convert to pathnames.h.in [013bddf7f684] 1998-09-19 Todd C. Miller * configure.in: fix typo in sysv4 matching case /. [2994c4f88cf5] 1998-09-18 Todd C. Miller * check.c: pam stuff needs to run as root, not user, for shadow passwords [d94ff75de503] 1998-09-17 Todd C. Miller * BUGS, INSTALL, README, configure.in: updated version [775adc7de7ac] * Makefile.in, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [5ca599fb6b93] * check.c: user version.h for long message [47a52ac7e542] * check.c: this is version 1.5.6 [8451ac79eee2] 1998-09-16 Todd C. Miller * Makefile.in: remove errant backslash [0222a8a650ff] 1998-09-15 Todd C. Miller * options.h, parse.yacc, pathnames.h.in: fix version string [fdee73255d64] [SUDO_1_5_6] * BUGS, CHANGES, TODO: updtaed for 1.5.6 [752443bf7f26] * RUNSON: updated for 1.5.6 [0f878123fe6a] 1998-09-14 Todd C. Miller * interfaces.c: kill unused localhost_mask var copy if name to ifr_tmp after we zero it [8e89c364cef2] 1998-09-13 Todd C. Miller * INSTALL: Better description of new vs. old sudoers modes fix some typos better description of /usr/ucb/cc gotchas on slowaris [c00b2a6fc1e8] * Makefile.in: add sample.pam [ec7f6cc19b00] * sudo.c: set NewArgv[0] to user_shell, not basename(user_shell) [1e907cbc9f7b] 1998-09-12 Todd C. Miller * README: mention TROUBLESHOOTING more fix some typos [2c2e6907d4a4] * configure.in: move --enable/--disable to be after --with [9b30097f76c1] * INSTALL: document --enable/--disable [c522362e38a8] * INSTALL: document --with-pam [7e38932c78ac] 1998-09-11 Todd C. Miller * configure.in: Add message for pam users [d224f277e3cd] * sample.pam: Initial revision [3a84d7045f54] * config.h.in: fix HAVE_PAM [2f0f303ebd88] * check.c, config.h.in, configure.in: pam support, from Gary Calvin [ea3e0a72d707] 1998-09-10 Todd C. Miller * config.h.in: add HOST_IN_LOG and WRAP_LOG [822c36eeb6a8] * logging.c: add WRAP_LOG and HOST_IN_LOG [3cf6052bd27e] * configure.in: add --enable-log-host and --enable-log-wrap [c968cc12b353] * aclocal.m4: use AC_DEFINE_UNQUOTED for --with-logfile and --with-timedir [915fef7e11a1] 1998-09-09 Todd C. Miller * compat.h: add howmany macro [9107a057a7c8] * tgetpass.c: include sys/param.h to get howmany macro [7e908b5e1f32] 1998-09-08 Todd C. Miller * OPTIONS, options.h, parse.yacc, sudo.c, testsudoers.c, visudo.c: add RUNAS_DEFAULT [1e76398ea3fd] 1998-09-07 Todd C. Miller * fnmatch.c: bring in stdio.h for NULL [69c016610cbb] * aclocal.m4: allow /bin/{ksh,bach} and /usr/bin/{ksh,bash} as sh [15ab2972f8d0] * sudo.c: use HAVE_SET_AUTH_PARAMETERS [8abfdc8c80f7] * config.h.in: add HAVE_SET_AUTH_PARAMETERS [673a5ebd5539] * configure.in: add *-*-hiuxmpp* add test for set_auth_parameters() if secureware [a401f5a7469a] * config.sub: add support for HI-UX/MPP SR220001 02-03 0 SR2201 [cb657b7acaae] * interfaces.c: initialize previfname [26a1902f56dc] * interfaces.c: Don't use SIOCGIFADDR, we don't need it Use SIOCGIFFLAGS if we have it check ifr_flags against IFF_UP and IFF_LOOPBACK instead of kludging it [fa5c890c313b] * configure.in: typo [bff579fbe95c] * Makefile.in: don't need special build line for sudo.tab.o [10c0a0a912e4] * Makefile.in: don't clean sudo.tab.[ch] [c40d5968efbb] * sudo.c: Sudo should prompt for a password before telling the user that a command could not be found. [d718c85a0047] * BUGS: for 1.5.6 [0cc1fe5b9129] * INSTALL, README: no longer require yacc [d9096fc5b8b6] * Makefile.in: typo [70feb1aefbd5] * Makefile.in: y.tab -> sudo.tab include pre-yacc'd parse.yacc [cc802025fd44] * parse.lex: include sudo.tab.h, not y.tab.h don't break out of command args if you get a '=' [728ad26dbda5] * insults.h: fix version , [242bbce1b2d4] * ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h: fix version [2bb9086fea1e] * compat.h: fix version [7e634d498ce6] * getcwd.c: getcwd(3) from OpenBSD for those without it. [6c68d0df8f6c] * sudo.h: HAVE_GETWD -> HAVE_GETCWD [2ad1e64d60c0] * configure.in: pretend sunos doesn't have getcwd(3) since it opens a pipe to getpwd! [677992ba5a6a] * parse.c: use NAMLEN() macro [8f5685aa3165] * fnmatch.c: remove duplicate include of string.h [6024f3051ac3] * configure.in: call SUDO_TYPE_DEV_T and SUDO_TYPE_INO_T [3d82a9c22cc2] * aclocal.m4: add SUDO_TYPE_DEV_T and SUDO_TYPE_INO_T [53fbc47282f9] * config.h.in: add dev_t and ino_t [5929bb0c7e1a] 1998-07-28 Todd C. Miller * check.c: fix OTP_ONLY for opie [7edcfa78f2ec] 1998-06-24 Todd C. Miller * testsudoers.c, tgetpass.c: include stdlib.h for malloc proto [c9f4b99a2fe9] 1998-05-19 Todd C. Miller * Makefile.in: make update_version saner [d522f93ee04a] * config.h.in: add HAVE_WAITPID, HAVE_WAIT3, and sudo_waitpid() [c9a2d21dc608] * configure.in: check for waitpid and wait3 or no waitpid [1f18c3224184] * logging.c: used waitpid or wait3 if we have 'em [391c3279ee65] 1998-05-02 Todd C. Miller * visudo.c: fix some fprintf args, ariel@oz.engr.sgi.com (Ariel Faigon) [fbf53b18178f] 1998-04-28 Todd C. Miller * configure.in: don't need to explicately mention -lsocket -lnsl for sequent [1898dc055352] 1998-04-25 Todd C. Miller * configure.in: dynix should not link with -linet [278a4b9cfe2a] 1998-04-10 Todd C. Miller * INSTALL: mention that HP-UX doesn't ship with yacc [bde5147198c0] 1998-04-07 Todd C. Miller * check.c: ignore kerberos if we can't get the local realm [1e311a091a27] 1998-04-06 Todd C. Miller * BUGS, INSTALL, README, configure.in: ++version [499ffc746018] * version.h: ++ [35ba1ee01bd3] * Makefile.in, check.c, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getcwd.c, getspwuid.c, goodpath.c, interfaces.c, logging.c, parse.c, parse.lex, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [b4990a513f31] * check.c, sudo.h: fix version [5710795834e8] * getcwd.c: don't use popen/pclose. Do it inline. [29e57b0646a4] * lsearch.c: add rcsid [b2b55c39858d] * sudo.c: typo [d381ac39ed0f] * check.c, compat.h, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, options.h, parse.yacc, pathnames.h.in, sudo.h: updated version [462d6e1a2d75] * check.c, find_path.c, parse.c, sudo.c, testsudoers.c: MAX* + 1 -> MAX* [2c2eeb78d34f] * Makefile.in: getwd.c -> getcwd.c [7d718c32fc02] * config.h.in: kill HAVE_GETWD [6ad3d702343f] * configure.in: getcwd, not getwd [33e5b9841f58] * getcwd.c: use MAX* not MAX* + 1 always run pwd as using getwd() defeats the purpose [24e58d340161] 1998-03-31 Todd C. Miller * OPTIONS, options.h: add STUB_LOAD_INTERFACES [d747cb23ca83] * Makefile.in, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [0798229312cc] * configure.in: support *-ccur-sysv4 and fix two typos [24a823ad7cc9] 1998-03-28 Todd C. Miller * configure.in: don't echo about with_logfile and with_timedir [31e4a1e2d9ad] * INSTALL: document --with-logfile and --with-timedir [674f811a40e0] * aclocal.m4: support --with-logfile and --with-timedir [2fc36b35db12] * configure.in: Add --with-logfile and --with-timedir [09045bf07e29] * sudo.c: change size computation of NewArgv for UNICOS [b50df07da3a1] 1998-02-19 Todd C. Miller * configure.in: treate -*-sysv4* like *-*-svr4 [471b7ef4dbf2] 1998-02-18 Todd C. Miller * configure.in: fix spacing for --with-authenticate help [8321cb37c410] * Makefile.in, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [dc1ab97312eb] * parse.yacc: fix off by one error in push macro [bece59c8c3a9] 1998-02-17 Todd C. Miller * configure.in: removed bogus alloca hack [a68dd720462d] * check.c: added AIX 4.x authenticate() support [12985eb448a0] * parse.yacc: include alloca.h if using bison and not gcc and it exists. fixes an alloca problem on hpux 10.x [e3b5c4f26072] * INSTALL: mention --with-authenticate [78a1c96820e7] * configure.in: added AIX authenticate() support [c983193ec252] * config.h.in: add HAVE_AUTHENTICATE [7b0e5f5db5d9] * interfaces.c: dynamically size ifconf buffer [10afb0e9b2f9] * configure.in: quote '[' and ']' [8fc38a4defad] * Makefile.in, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [5f66de71ec61] * visudo.pod: add ERRORS section [3df3edb73cf6] 1998-02-16 Todd C. Miller * TROUBLESHOOTING: add busy stmp file explanation [6c555d469b6f] 1998-02-15 Todd C. Miller * configure.in: the name of the cached var that signals whether or not you are cross compiling changed. It is now ac_cv_prog_cc_cross [123911c0658c] 1998-02-11 Todd C. Miller * INSTALL: mention glibc 2.07 is fixed wrt lsearch()\. [ded758524582] 1998-02-07 Todd C. Miller * sample.sudoers, sudoers.pod: better example of su but not root su [b3199610be21] 1998-02-06 Todd C. Miller * Makefile.in, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: updated version [46922b84e86b] * Makefile.in: correct regexp for updating version [8032728b2a8a] * tgetpass.c: remove bogus flush of stderr spew prompt before turning off echo. Seems to fix a weird problem where if sudo complained about a bogus stamp file the user would sometimes not have a chance to enter a password [7aa1493cc141] * check.c: fix bogus flush of stderr [6d047871c5e8] * sudo.c: close fd's <=2 not <=3 and move that chunk of code up [553e4faac195] * configure.in: support hpux1[0-9] not just hpux10 [5a34a000ff8a] 1998-01-30 Todd C. Miller * parse.c: set sudoers_fp to nil after closing [221a8b4bbf34] 1998-01-24 Todd C. Miller * config.guess, config.sub: updated from autoconf 2.12 [6fc86a0fc61b] * configure.in: add *-*-svr4 rule [38f0427f7c9d] 1998-01-23 Todd C. Miller * tgetpass.c: fix select usage for high fd's (dynamically allocate readfds) [c2d1f76e0321] * check.c: kill extra whitespace [d784b6c9c514] * sudo.c: do an initgroups() before running a command, unless the target user is root. [4ca561287480] 1998-01-22 Todd C. Miller * TROUBLESHOOTING: tell people to use tabs, not spaces, in syslog.conf [8ae90a205134] 1998-01-21 Todd C. Miller * Makefile.in, config.h.in, dce_pwent.c, emul/utime.h, getwd.c, parse.lex, putenv.c, strdup.c, testsudoers.c, utime.c: updated version [4d855ff5de26] * check.c, find_path.c, getspwuid.c, goodpath.c, interfaces.c, logging.c, parse.c, sudo.c, sudo_setenv.c, tgetpass.c, visudo.c: updated version [8e007e178b33] * compat.h, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, options.h, parse.yacc, pathnames.h.in, sudo.h: updated version [9ddea5c8814d] * Makefile.in: more tweaks to update_version [047698752855] * Makefile.in: fixed up update_version rule [47b6fa34b77f] * configure.in: ++version [c1ca664e30b7] * Makefile.in: removed supe of check.c [8f340a05296a] * INSTALL: ++version I missed [a298e6c17491] * RUNSON: updated [a14f6057bc15] * BUGS, INSTALL, Makefile.in, README, check.c, compat.h, config.h.in, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: updated version [02231b1a3ab3] * CHANGES: updated for 1.5.5 [634e5fcaf40b] * Makefile.in: add rules to update version stuff in files so I don't need to do it by hand [3620ad60485a] * sudo.h: sudoers_fp is now extern [88c6e9b9ea84] * sudo.c: in check_sudoers, cache the sudoers file handle in sudoers_fp so we don't have to open it again in the parse. This may help with weird solaris problems where EAGAIN sometime occurrs. [d3c26451ed1d] * parse.c: sudoers file open is now done only in check_sudoers() so we just do a rewind() instead of an open. May help people on solaris who were getting EAGAIN. [c8b8c7722fa5] 1998-01-16 Todd C. Miller * INSTALL: mention that newer glibc is fixed [20f06f5d3ef3] 1998-01-13 Todd C. Miller * sudo.c: newer irix uses _RLDN32_* envariables for 32-bit binaries so ignore _RLD* instead of _RLD_* [1e22c588d602] * parse.c: typo [d0b7cb85f08a] * parse.c: fix that bug for real [5a6eeca6d04b] * INSTALL: document Linux's libc6 brokenness. [0246c1aa64ee] * parse.yacc: -Wall [d0e452fb1e2d] * RUNSON: updated [4949a1bbd0a9] [SUDO_1_5_4] * TROUBLESHOOTING: remind people to HUP syslogd [590962faa4f0] * Makefile.in: add -O flag to tar [622d02de339d] * RUNSON: updated [a72930d6e615] * TODO: updated [4a51bd458390] * sudo.pod: remove author's email addr. people should mail sudo-bugs [9b6bbdb3a6d9] * INSTALL: fix version [246274c6c8af] * README, check.c, compat.h, config.h.in, configure.in, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: ++version [f532ff4ee766] * RUNSON: updated [62d5c71358b5] * INSTALL, Makefile.in: ++version [1a7c7628edfc] * CHANGES: updated fort 1.5.4 [7e4873508c99] * check.c: exit(1) if user enters no passwd [f382c0e35e4e] * BUGS: ++version [fab6a867ab67] * parse.c: commands can start with ./* not just /* -- fixes a serious security hole. [244d2fe35ee3] 1997-12-21 Todd C. Miller * sudo.c: Don't set the tty variable to NULL when we lack a tty, leave it as "unknown". [193b26daba03] 1997-11-23 Todd C. Miller * sample.sudoers: fix usage of (username) in conjunction with , and ! [7ae68607f68f] * visudo.c: catch the case where the user is not in the passwd file [31650258deb0] * tgetpass.c: use fileno(input) + 1 instead of getdtablesize() as the nfds arg to select(2) [60ab2d9a9ee8] * sudo.c: define tty global to an initial value to avoid dumping core in logging functions when passwd file is unavailable. [77056c7bc908] * sudo.c: do the set_perms(PERM_USER, sudo_mode) after we have gotten the passwd entry [1fdb8e579a5a] * sudo.pod: talk about problem of ALL [1cd1905c9f6f] 1997-10-10 Todd C. Miller * README: new web location [d24dc26f6da5] * INSTALL: fdesc bug is fixed in Open/Net BSD [7d4d81b08ac3] * HISTORY: updates from Nieusma [3a43769a1b78] 1997-10-09 Todd C. Miller * dce_pwent.c: move compat.h after the system includes [5ea43a5968ac] 1997-08-06 Todd C. Miller * logging.c: save errno from being clobbered by wait(). From Theo [f2d1c48cd592] 1997-05-21 Todd C. Miller * compat.h: fix an occurence of setresuid -> setreuid (typo) [394de35c9b1c] 1997-03-19 Todd C. Miller * install-sh: check for path to strip [2b7ef824bd55] 1997-01-16 Todd C. Miller * logging.c: deal with maxfilelen < 0 case [f0af095178d7] * OPTIONS: fixed descriptin [629f60bd4b5f] 1996-12-12 Todd C. Miller * sudo.c: correct error message if mode/owner wrong and not statable by owner but is statable by root. [cb631ce2e85e] 1996-11-23 Todd C. Miller * config.guess, config.sub: autoconf 2.11 [f3cbe59e0756] 1996-11-16 Todd C. Miller * CHANGES, RUNSON, TODO: sudo 1.5.3. [2be3229b8626] 1996-11-14 Todd C. Miller * parse.yacc, sudo.h: command_alias -> generic_alias [c404ca8c510d] [SUDO_1_5_3] * sample.sudoers: added Runas_Alias example and fixed syntax errors [c304053f4a8a] * OPTIONS, options.h: updated MAILSUBJECT [18d1573fcd2a] * logging.c: added %h expansion [a4bff9b284fd] * INSTALL, Makefile.in, README, check.c, compat.h, config.h.in, configure.in, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: ++version [211ff20f956f] * BUGS, emul/utime.h: ++version [cde5376579e3] * sudoers.pod: document Runas_Alias [b1a58f28fb2c] * visudo.pod: q (uid) -> Q [d256649a0e6b] * visudo.c: buffer oflow checking q (uit) -> Q if yyparse() fails drop into whatnow [1cb183d15626] * parse.yacc: add size params to sprintf [9228f698921f] * parse.lex: allow trailing space after '\\' but before '\n' [f51dbbf69fdf] * find_path.c: off by one error in path size check [a6d75ccd7632] * check.c: sprintf paranoia [3ffb12d198dd] 1996-11-12 Todd C. Miller * parse.yacc: fixed more_aliases [aab12f2a50af] * visudo.c: now warns if killed by signal ./ [310c186a0fd7] 1996-11-11 Todd C. Miller * parse.yacc: fix Runas_Alias stuff Alias's in runas list now get expanded (but it is gross) [45590b83120f] * sudo.c: Can now deal with SUDOERS_UID == 0 and SUDOERS_MODE == 0400 [d53e01c14c58] * parse.yacc: add Runas_Alias support change FOO to FOO_ALIAS (ie: USER_ALIAS) [7a4a040aae2d] * parse.lex: Add Runas_Alias and simplify a rule. [6f794a769a37] * parse.yacc: always store User_Alias's since they can be used inside of a runas list. Sigh. Really need a Runas_Alias instead. [3bab058a873e] 1996-10-30 Todd C. Miller * visudo.c: deal with case where there is no sudoers file [fa38b3bb244d] 1996-10-12 Todd C. Miller * TROUBLESHOOTING: added one [e61346d06725] 1996-10-11 Todd C. Miller * HISTORY, testsudoers.c: developement -> development [4df55e293941] * INSTALL: added a note [3845fb83dbc0] * RUNSON: for 1.5.2 [5489b7298942] * CHANGES: updated [0741834929e6] 1996-10-10 Todd C. Miller * PORTING: removed seteuid() notes [1010a60f281d] [SUDO_1_5_2] 1996-10-09 Todd C. Miller * compat.h: better seteuid() emulatino [e807623b662c] * configure.in: added check for seteuid [8cf9fabc6f4f] * config.h.in: added HAVE_SETEUID [596db46aa828] 1996-10-08 Todd C. Miller * configure.in: first stab at sequent support [b85a7bfcac76] * config.h.in: added HAVE_SYS_SELECT_H [93ecdd042463] * compat.h: sequent -> _SEQUENT_ [63a38b6da98c] * compat.h: added seteuid() macro for DYNIX [695bd63c5ea6] * tgetpass.c: _AIX -> HAVE_SYS_SELECT_H [b31221211bc2] 1996-10-07 Todd C. Miller * BUGS, INSTALL, Makefile.in, OPTIONS, README, config.h.in, logging.c, parse.c, parse.lex, parse.yacc, putenv.c, strdup.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: ++version [8052992fd453] * check.c, compat.h, dce_pwent.c, emul/utime.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, options.h, pathnames.h.in, version.h: ++version [f7ad15e1598a] * sudo.pod: added -H and SUDO_PS1 [bb965241e30c] * configure.in: use SUDO_FUNC_FNMATCH [6a8350d85fb2] * aclocal.m4: added SUDO_FUNC_FNMATCH [45b32c91c4ba] * sudo.c: added -H flag [11ebc6872fd6] * sudo.h: added MODE_RESET_HOME / [67a7f8bcbbd6] 1996-10-05 Todd C. Miller * INSTALL: mention OPIE [5723515d5bbd] * options.h: SKEY -> OTP [c1d268130bc4] * configure.in: added opie support [123872b41b20] * compat.h, config.h.in: added HAVE_OPIE [528c71afc1e5] * check.c: added HAVE_OPIE and changed to *_OTP_* [4c62f5db872a] * OPTIONS: SKEY -> OTP [bd858e5e9652] 1996-10-04 Todd C. Miller * check.c: moved fclose() in skey stuff. [11f7dc8431a6] 1996-10-03 Todd C. Miller * putenv.c: index -> strchr remove unnecesary stuff [af2d05238062] * check.c: now call skeychallenge() to get challenge instead of making one up ourselves. this way, we get extra goodies in the prompt. [49b770d98d3a] 1996-09-10 Todd C. Miller * CHANGES: added one [3f5149357e2a] [SUDO_1_5_1] * parse.lex: allow logins to start with a number (YUCK!) [7ed7ef324741] 1996-09-08 Todd C. Miller * TROUBLESHOOTING: added soalris 2.5 vs 2.4 note [16160a251aae] * configure.in: DUNIX doesn't need -lnsl [be924cc322c3] * CHANGES: *** empty log message *** [1b2937521981] * check.c, compat.h, config.h.in, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: courtesan [5f203589bbfe] * PORTING, README, RUNSON: courtesan [d72517f4937e] * INSTALL, Makefile.in, TROUBLESHOOTING: courtesan [5c007e3c7a71] * visudo.pod: *** empty log message *** [37ebe85bd4e1] * sudo.pod, visudo.pod: courtesan [37f02e2130ea] 1996-09-07 Todd C. Miller * HISTORY: added courtesan ./ [b01435226276] 1996-09-06 Todd C. Miller * sudo.c: added $SUDO_PROMPT support [cb1fa72c093d] 1996-09-04 Todd C. Miller * check.c: print long skey challemged to stderr, not stdout [750fc775b3b2] 1996-09-01 Todd C. Miller * CHANGES: updated for 1.5.1 [9b615f393057] * emul/utime.h: ++version [a94de18deafb] 1996-08-31 Todd C. Miller * RUNSON: updated for 1.5.1 [4092f20ab634] 1996-08-30 Todd C. Miller * check.c: use shost, not host for tgetpass [6061c49ff9be] * sudo.pod: documented %u and %h [6d2922d29897] * OPTIONS: documented %u and %h [1a71da13a864] * configure.in: fixed typo [1230dec2b062] * INSTALL, Makefile.in, README, check.c, compat.h, config.h.in, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: ++version [65ce8eabf77a] * BUGS: ++version [afecab53aab7] 1996-08-29 Todd C. Miller * Makefile.in, configure.in, version.h: ++version [fb3ff940d672] * sudo.h: new tgetpass() params [9eccc5b0f8ae] * check.c: pass use and host to tgetpass [c56d9d13c401] * tgetpass.c: added %u and %h escapes [04ae775d3e5d] * OPTIONS, check.c, options.h: added NO_MESSAGE [3927dad19057] * configure.in: added cray (unicos) support [1122210c5fb1] 1996-08-27 Todd C. Miller * OPTIONS, options.h, sudo.c: added SHELL_SETS_HOME [0b26909b0929] 1996-08-25 Todd C. Miller * INSTALL: added note about "make install" [7e56ea76d4b4] * parse.yacc: changed length/size params from int to size_t [5654e5ceb1b3] * OPTIONS: now get CSOPS insults as well by default [297323d0179a] * insults.h: use csops insults too by default [07fafc136169] * INSTALL, Makefile.in, README, config.h.in, configure.in, version.h: version = 1.5 [4b8772b11e3b] * sudo.c: added runas_homedir [b0e0d4417a15] * TODO: updated for 1.5 [66259df825d5] * RUNSON: updated for 1.5 [e08bc9ebfe95] * CHANGES: 1.5 release [8c16942fea41] * INSTALL: added "upgrading" notes [210d968964ff] 1996-08-22 Todd C. Miller * visudo.c: now do chmod and chown after edit of temp file and before rename [de174e34faa7] [SUDO_1_5_0] 1996-08-18 Todd C. Miller * Makefile.in: ++version added INSTALL.configure [c9e9214f52ae] * configure.in, version.h: ++version [5985abed3eb2] * TROUBLESHOOTING: *** empty log message *** [d65c540ec52e] * parse.yacc: added missing cast [e7247319a7d5] * sudo.c: sets $HOME to pw_dir of runas user [d3f7f4d05752] * sudo.pod: document $HOME change [854454d458c4] 1996-08-17 Todd C. Miller * sudo.pod: fixed up some wording [b0c8582f2c97] * check.c, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, interfaces.c, logging.c, parse.c, parse.lex, parse.yacc, putenv.c, strdup.c, sudo.c, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: ++version [748be723fd8b] * compat.h, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, options.h, pathnames.h.in, sudo.h: ++version [acdf8b1b2a1b] * emul/utime.h: ++version [b3f35298ab8d] * sudo.h: name nad type changes [db24ab3da141] * testsudoers.c: now works with new sudo [379346c42cc2] * parse.yacc: fixed some XXX [f5fe4c990052] * parse.yacc: some variable name changes + comment headers for functions. [3dc3bd9aa73d] * tgetpass.c: added extra paren's to make compilers happy [9e4968a34d56] * sudo.c: *** empty log message *** [70c924c1ed69] * parse.c: now uses init_parser() if not in sudoers and tries "list" or "validate" scold but don't be nasty. [c0d8fb3f8c9e] * TROUBLESHOOTING: now can use upper case login names [c772fffcefe5] * visudo.c: now uses init_parser() [b9efae7243fd] * INSTALL, README: updated [27dc8283fdc8] * PORTING: added info about PASSWORD_TIMEOUT [980e15d892f8] * INSTALL.configure: Initial revision [8292e89a08d3] * BUGS: fixed a bug , [c6e46f5624f9] * parse.yacc: now dynamically allocates memory for the stacks -- no more overflows! [8615c35b6ad3] * sudo.pod: -l now explands command aliases [39f45605935d] * parse.yacc: hacks to expand command aliases for `sudo -l' [e4eb752608f9] * sudo.c: remove $ENV and $BASH_ENV (dangerous in ksh, posix sh, and bash) [01327ca5084b] * sudo.h: added struct command_alias [dd2f32764082] * sudo.pod: fixed a bug [e708ff08d2eb] * lsearch.c: in compar() key should be first arg [fc14c3fa62ee] 1996-08-15 Todd C. Miller * BUGS: fixed some bugs [639dfe425bd5] * parse.yacc: can now deal with upcase HOST and USER names [c6aa7bcfb00d] * sudo.c: don't yell too loudly at non-sudoers if they do "sudo -l" [4ef146128d89] * sudo.pod: fixed thinko [830f2f0f22e7] * parse.c: fix comment [d20ce9e17ddc] 1996-08-09 Todd C. Miller * parse.c, parse.yacc: added support for new `sudo -l' stuff [7dceaef3c733] * sudo.c: now uses list_matches() [293364821b61] * sudo.h: added struct sudo_match [b2684179d179] * configure.in: now more -lgnumalloc [4f8ae42617d8] 1996-08-01 Todd C. Miller * install-sh: added more paths for chown and whoami [6e685a19426c] 1996-07-31 Todd C. Miller * check.c: typo [3adfa01c04bc] 1996-07-30 Todd C. Miller * aclocal.m4: fixed DUNIX check for shadow pw [c25324bcd27b] * tgetpass.c: now only turn off echo if it is already on. this fixes a race when you use sudo in a pipelin [28388c2de21c] * INSTALL: updated [b45ac9366b7e] * configure.in: changed "test -z $foo && do_this" to if; then construct [2183c4426bca] 1996-07-29 Todd C. Miller * configure.in: added missing defines of SHADOW_TYPE [be89ea68a7f3] 1996-07-26 Todd C. Miller * check.c: protect AUTH_CRYPT_OLDCRYPT and AUTH_CRYPT_C1CRYPT since they are only in dunix 4.x [1e7c1c677263] * getspwuid.c: added AUTH_CRYPT_C1CRYPT support [88d6b0058b20] * parse.c: no longer return VALIDATE_NOT_OK if there was a runas that didn't match. Now we can have runas stuff on more than one line. [52b68920d7b7] * getspwuid.c, sudo.c, tgetpass.c: use SHADOW_TYPE instead of HAVE_C2_SECURITY [cf401dfcbc06] * configure.in: got rid of HAVE_C2_SECURITY SHADOW_TYPE is always defined to something [c7a233c4dd93] * config.h.in: removed HAVE_C2_SECURITY added SPW_BSD [8314405e9754] * compat.h: use SHADOW_TYPE instead of HAVE_C2_SECURITY [6f94870df17f] * check.c: SHADOW_TYPE is always defined so just against its value [72c69a55d02f] * aclocal.m4: added SUDO_CHECK_SHADOW_DUNIX [ef025ae9d496] 1996-07-25 Todd C. Miller * sudoers.pod: * -> ?* in one example added another instance of (runas) and one of NOPASSWD: [d74fe1dcbe7d] 1996-07-24 Todd C. Miller * configure.in: added back check for config.cache from other host type [0ba87871f585] * parse.lex: removed an instance of \" [1e008d3709f6] * sample.sudoers: added an example [dbfcf68ee330] * sudoers.pod: updated wrt new wildcard matching [193fa44a475b] * configure.in: new check for shadow passwords if we don't know anything [67465df7dc9a] * aclocal.m4: new SUDO_CHECK_SHADOW_GENERIC [3563b16a41b8] * configure.in: added back check for -lsocket (oops) [a80882ee1cb6] * configure.in: better (working) check for shadow passwd type if we know to use C2. [3cdd2a59a641] * configure.in: now uses AC_CANONICAL_HOST to figure out os type [80db7fe6e704] * Makefile.in: added config.{guess,sub} [c6be7e3ca384] * aclocal.m4: removed unused stuff to figure out os type [c9a0f3b57123] * config.sub: added openbsd [bfc6bfec3668] * config.sub: Initial revision [e6e06ce0d17d] * config.guess: Initial revision [99dd06f79199] * testsudoers.c: don't call fnmatch() with FNM_PATHNAME flag unless it can only be a pathname. need to check against sudoers_args even if user_args is nil [66e6cf77f5d6] * parse.c: don't call fnmatch() with FNM_PATHNAME flag unless it can only be a pathname need to check against sudoers_args even if user_args is nil [74374df17311] 1996-07-23 Todd C. Miller * check.c: added support for AUTH_CRYPT_OLDCRYPT w/ DUNIX C2 [cbb00261c415] * testsudoers.c: now takes command line args and uses cmnd_args [f0c2fd35a527] * parse.lex: fill_args was adding an extra leading space [692fc999b2e8] 1996-07-22 Todd C. Miller * visudo.c: fixed dummy command_matches() [93d9543db6e2] * parse.yacc: fixed prototype [7b0addfbd429] * sudo.h: added cmnd_args [8f47c4ae65ef] * parse.yacc: now uses flat args string [016e65877da3] * parse.c, parse.lex: now uses flat arg string [5b5f2e3f4c09] * visudo.c: added cmnd_args def [876867134775] * sudo.c: now sets cmnd_args global [e6fee70cb59b] * logging.c: cmnd_args is now exported from sudo.[ch] [7a9cd36e356f] 1996-07-21 Todd C. Miller * parse.yacc: can't rely on cmnd_matches as much as I thought -- added some $$ stuff back in to prevent namespace pollution problems. [3c45fedb5af3] * parse.yacc: Simplified parse rules wrt runas and NOPASSWD (more consistent). [e6d838c8a4c7] 1996-07-20 Todd C. Miller * parse.lex: NOPASSWD may now have blanks before the ':' '(' only starts a 'runas' if in the initial state to avoid collision with command args [c5c01172f499] * configure.in: added checks for specific shadow passwd schemes [b7e3d1f7b84f] * aclocal.m4: added routines to check for specific shadow passwd types [e5e1d19960a6] 1996-07-18 Todd C. Miller * configure.in: added support for ncr boxen [bea9dc5aae7f] * aclocal.m4: added support for detecting ncr boxen [8653a158a924] 1996-07-16 Todd C. Miller * configure.in: added sinix support [5de2b2173ee1] 1996-07-14 Todd C. Miller * TROUBLESHOOTING: added info about "config.cache from other other" error. [845b10198e0b] * aclocal.m4: now makes sure you don't have a config.cache file from another OS [4fe32571c021] * configure.in: now sets $LIBS when needed to configure links with libs when doing tests hpux10 now uses SPW_SECUREWARE for C2 added check for bigcrypt(3) if SPW_SECUREWARE [2df6b8ca538f] * getspwuid.c: fixed typo [fe1cb1d792d6] * tgetpass.c: now include stuff for SPW_SECUREWARE to get AUTH_MAX_PASSWD_LENGTH [f71138372c07] * getspwuid.c: no more SPW_HPUX10 [cfdeb18bc16b] * config.h.in: no more SPW_HPUX10 added HAVE_BIGCRYPT [00d296479a61] * compat.h: now uses AUTH_MAX_PASSWD_LENGTH if SPW_SECUREWARE [6c6d9e680417] * check.c: SPW_SECUREWARE now uses bigcrypt [be71fc66690f] 1996-07-13 Todd C. Miller * sample.sudoers: fixed 2 syntax errors [45eee19ef4ac] * sudoers: root may now run ALL as ALL [1b54c6b9b212] 1996-07-12 Todd C. Miller * interfaces.c: fixed a typo/thinko that broke BSD's with sa_len [603438360126] 1996-07-08 Todd C. Miller * check.c, configure.in: updated AFS support [e572eb8d177a] * TROUBLESHOOTING: added entry about /usr/ucb/cc [025b353aa9d3] * INSTALL: prep no longer holds gcc binaries [8b0942958049] * INSTALL: updated AFS note [7af6efd5abe4] * Makefile.in: added @AFS_LIBS@ [97b6fe6ad7d6] * compat.h: AFS allows long passwords [5fb17122c302] * testsudoers.c: fixed -u user support [b1a0c1648639] * parse.c: sudo -v now groks VALIDATE_OK_NOPASS [74fc03fffe7e] * parse.yacc: fixed no_passwd vs. runas_matched [549a9b791a6a] * TROUBLESHOOTING: took out stuff about NFS-mounting since it is no longer an issue [d95ab7fbbc61] * INSTALL: added --with-libraries > --with-libpath --with-incpath [d5d15a7a0f4c] * parse.yacc: was setting runas_matches to -1 in wrong place [db2b1deb8d33] * check.c: removed usersec.h which is not present in new AFS versions [618b016dd17f] * tgetpass.c: now deals with timeout <= 0 [ba53a1257255] * OPTIONS: updated [75093bd8fdca] * configure.in: BSD/OS >= 2.0 now uses shlicc instead of just gcc [ff6dbf7825c2] * sudo.c: fixed backwards compatibility with sudo 1.4 sudoers mode for root readable/writable filesystems [2694ed627221] * Makefile.in: now gives INSTALL -c flag [63db055a2fd1] * parse.yacc: slightly simpler initialization of no_passwd and runas_matches [463a1b5fa323] * testsudoers.c: added -u username support [38b072fcd6b3] * configure.in: improved --with-libraries support [047dbc5f0af2] 1996-07-07 Todd C. Miller * configure.in: added --with-incpath, --with-libpath, --with-libraries [20f20d6c718c] * parse.yacc: now initializes some fields that weren't getting set to -1 pretty gross -- need a rewrite. [021c160390c6] 1996-06-26 Todd C. Miller * alloca.c: removed emacs'isms [9d4ec2efe057] * configure.in: no longer add -lPW to *_LIBS since we include alloca.c [a626d1bbea80] * config.h.in: added HAVE_ALLOCA_H [15491e2a6cff] * Makefile.in: added alloca.c [0400f25e1fe4] * alloca.c: Initial revision [06d033aa4882] * configure.in: ++version [f52c0fb98f90] 1996-06-25 Todd C. Miller * sudo.c: now set uid to 1 instead of nobody for PERM_SUDOERS since nobody is not always set to a valid uid. [c2669f77704d] * OPTIONS: fixed entry for SUDO_MODE [d7272f6035b8] * sudo.c: Fixed NFS-mounted sudoers file under solaris both uid *and* gid were being set to -2. Now beat NFS to the punch and set uid to "nobody" ourselves, preserving group 0 to read sudoers. [b1fbc5dd1e34] * parse.c: moved set_perms(PERM_ROOT) to be before yyparse() [7619d8080735] * logging.c: fixed a typo [318acc48cde0] * configure.in: no longer need AC_PROG_INSTALL [de01b1336dc8] * Makefile.in: always use install-sh to avoid install(1)'s that use get{pw,gr}nam [ea2351986406] * INSTALL: make clean -> make distclean [704a98e8ba10] 1996-06-20 Todd C. Miller * parse.yacc: removed some unnecsary if's [f00db6508132] * Makefile.in, version.h: ++version [bdb6740b24c8] * parse.c, testsudoers.c: now includes netgroup.h [93f5a06352bc] * interfaces.c: removed cats of ioctl to int since they didn't shut up -Wall [83e9f912cd7a] * interfaces.c: explicately cast ioctl() to int since it it not always declared [2ff9294e469e] * sudo.h: added declarations for yyparse() and yylex() [6071321ab771] * parse.yacc: fixed an occurence of '==' -> '=' [2c46d2e11d57] * config.h.in, configure.in: added check for netgroup.h [73403050f4e3] * sudo.c: fixed 2 compiler warnings [680929b0bd97] * sudo.c: SHELL_IF_NO_ARGS caused core dump since NewArg[cv] weren't being initialized [18707ecd07c2] 1996-06-19 Todd C. Miller * sudo.pod: fixed a typo [e4b5c12aa130] 1996-06-17 Todd C. Miller * parse.yacc: fixed a formatting thingie [c79327b6f19b] * parse.c, parse.yacc: fixed -u support with multiple user lists on a line [e4d1066adca2] * configure.in: unixware needs -lgen [b5bf9bca63cc] * README: updated ftp location [b25a033f7921] * sudoers.pod: add net_addr/netmask support [674e83516d1e] * sample.sudoers: added net_addr/mask example [774878e89b28] * parse.c, parse.lex: added support for net_addr/netmask [e33de27325d8] 1996-06-16 Todd C. Miller * sudoers.pod: ^ -> ! [1a084950d6ef] 1996-06-15 Todd C. Miller * RUNSON: updated for 1.4.3 [c82019025d09] * CHANGES: udpated for 1.4.3 [ceaa81adb8f0] * BUGS, TODO, TROUBLESHOOTING: updated [ff94fae4b853] * sample.sudoers: updated with examples of new stuff [99d0b4cb4c9c] * INSTALL, README: ++version [b763b80fe836] * sudoers.pod: updated wrt -u and NOPASSWD [0b5b722ea0f4] * sudo.pod: updated wrt -u and CAVEATS [71d5d53b5d18] 1996-06-09 Todd C. Miller * sudo.c: fixed usage() [114c7d09b550] * parse.lex: now use :foo: character classes (makes no diff for generated lexer) [7b0aeb737a02] 1996-06-07 Todd C. Miller * check.c: fixed LONG_SKEY_PROMPT stuff [0efe78b4bdda] 1996-06-06 Todd C. Miller * visudo.c: fixed a comment [3d289017104b] * lsearch.c: make more like NetBSD one -- now compiles w/o warnings [932206296a54] * emul/search.h: fixed decls of lsearch() [c58cf4584c45] * config.h.in, configure.in, getspwuid.c: added SPW_HPUX10 [d74e5eaa5f17] * check.c: hpux 10 uses bigcrypt() if C2 [359eb63f4021] 1996-06-04 Todd C. Miller * parse.c: now always uses fnmatch to match args [a9d91f35256a] * tgetpass.c: back to using stdio instead of raw i/o since that caused some problems [e7ce2bc92974] 1996-05-29 Todd C. Miller * sudo.c: now give usage warning if use -l,-v,-k with args [6b48180c4fea] 1996-05-28 Todd C. Miller * sudo.c: NewArgc is now set to 1 for -l, -v, -k [7497cb1416a8] * sudo.c: now sets sudoers to correct group if mode is 0400 [484c43d99718] * install-sh: updated to version used by inn and bind [28683ad8725a] * configure.in: now uses -lgnumalloc if it exists [3651ca4415a2] * Makefile.in: "make install" now sets uid/gid and mode on sudoers if it exists [1f5216191ae9] * sudo.c: rmeoved debugging statements [aeda278e2c26] * parse.yacc: added a missing free() [592c9482a159] * sudo.c: now uses user_gid instead of getegid (which was wrong anyway) to set SUDO_GID Now sets command line args in SUDO_COMMAND envariabled (logging.c depends on args being in the environment) [9f5328a3b942] * logging.c: now uses SUDO_COMMAND envariable to get command args rather than building it up again. [7f8edc5bccb7] * parse.c: now uses user_gid [4b9303ae45fe] * sudo.c: fixed off by one error in allocation NewArgv [921ea1a4e7c6] * parse.c: in sudoers, 'command ""' now means command with no args [a5273648ace2] * configure.in: added check for fnmatch(3) and fnmatch.h [258916a7866f] * config.h.in: added HAVE_FNMATCH [b9860d361e93] * Makefile.in: replaced wildcat.* with fnmatch.* [03ad9ee21a1c] * testsudoers.c: now uses fnmatch() [5a7f7de987a9] 1996-05-27 Todd C. Miller * parse.c: now uses fnmatch() instead of wildmat a trailing star (*) by itself now matches multiple args added support for wildcards in the pathname in sudoers [1f7fb950b868] 1996-05-25 Todd C. Miller * fnmatch.c: now includes compat.h and config.h [090206b95cf8] * config.h.in: added HAVE_FNMATCH_H [90eb42150173] * configure.in: now checks for alloca() (if needed by bison or dce) and links with -lPW if it contains alloca() and libv and compiler do not. [cfa2b3cef49a] * emul/fnmatch.h, fnmatch.3, fnmatch.c: Initial revision [20b1f762a32a] 1996-04-29 Todd C. Miller * sudo.c: now fixes mode on sudoers if set to 0400 to aid in upgrade [d4bdfd521820] 1996-04-28 Todd C. Miller * Makefile.in: fixed pod2man usage [5adf2ec77b27] * Makefile.in, configure.in, version.h: ++version [b4029de876d0] * testsudoers.c, visudo.c: runas_user is now initialized to "root" [8537d97bff39] * sudo.h: removed PERM_FULL_ROOT [241f8bbf647f] * sudo.c: runas_user defaults to "root" so no more need to PERM_RUNAS [fc0c0dfc72ba] * parse.c: will now only running commands as root if there was no runas list (or if root is in the runas list) [40c587666c81] * logging.c: now logs "USER=%s" [b733504c87fd] * parse.yacc: runas_matches is now set to false if we get a negative match [5495b150b300] * parse.lex: make #uid work + some minor cleanup [07851bbce03a] * sample.sudoers: added support for NOPASSWD and "runas" from garp@opustel.com / [7a9c67b51fa5] * visudo.c: added support for "runas" from garp@opustel.com replaced SUDOERS_OWNER with SUDOERS_UID, SUDOERS_GID added support for SUDOERS_MODE [e714209b9885] * testsudoers.c: added support for "runas" from garp@opustel.com [b837f856da10] * sudo.h: added support for NO_PASSWD and runas from garp@opustel.com replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID and added support fro SUDOERS_MODE [cea6f26679b7] * sudo.c: added support for NO_PASSWD and runas from garp@opustel.com replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID and added support fro SUDOERS_MODE [61b5434237c5] * parse.yacc: added support for NO_PASSWD and runas from garp@opustel.com [72ebd3056f22] * parse.c, parse.lex: added support for NO_PASSWD and runas from garp@opustel.com [fef6dbdd114d] * logging.c: added support for SUDOERS_WRONG_MODE and "runas" [e794efc2b443] * configure.in: added --with-CC only link with -lshadow on linux (with shadow pw) if libc lacks getspnam() [3ecf4ae21002] * OPTIONS, options.h: removed NO_PASSWD since it is not possible to do this in the sudoers file itself. Replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID. Added SUDOERS_MODE. [2eaa4891ef48] * Makefile.in: now uses SUDOERS_UID and SUDOERS_GID [8d615f0fdb2a] 1996-04-27 Todd C. Miller * INSTALL: added --with-CC [a1b8286a81b8] 1996-04-06 Todd C. Miller * parse.lex: added double quote support [a5e4fc7e3a2b] * sudoers.pod: documented double quoting [c6ea47969a44] 1996-04-05 Todd C. Miller * mkinstalldirs: Initial revision [dcb86d65ad8f] * check.c: fixed some indentation [4d1c5ab8072b] * Makefile.in: fixed a typo [0d27eebc7227] * Makefile.in: added install-dirs . [f499b99b8be7] 1996-04-04 Todd C. Miller * dce_pwent.c: new version from "Jeff A. Earickson" [422481be5fbd] 1996-04-03 Todd C. Miller * configure.in: $CSOPS -> $with_csops (whoops, missed one) [b04c6948130e] * BUGS: updated [c4d5713e227d] * parse.lex: FQHOST now has same constraints as non-FQHOST [e1c3bf2381d1] * INSTALL: added note about OS's w/ shadow passwords turned on by default [166257f43be4] 1996-04-02 Todd C. Miller * configure.in: fixed a typo [e5c3e2e9a359] * configure.in: added support for --without-THING sanitized shadow pw situtation by adding support for --without-C2 [65dc6bf64cce] * tgetpass.c: fixed a typo wrt placement of an end paren [a8780f818231] * check.c: was closing an fd that may not have been opened [760271c7bdc9] 1996-03-22 Todd C. Miller * OPTIONS, options.h, sudo.c: added NO_PASSWD [28ff1dc93d7a] 1996-03-20 Todd C. Miller * configure.in: now always use shadow pw on some arches [069161ccffda] 1996-03-19 Todd C. Miller * configure.in: added pyramid support [a0eb57a3a531] * configure.in: no longer check for C2 if alternate passwd method is used no longer check for some libs twice [2d0c3c902b40] * parse.yacc: moved fqdn stuff into parse.lex (FQHOST) [d9c9abd481d8] * parse.lex: added FQHOST rules [4a1695acff6d] * tgetpass.c: now define TCSASOFT in necesary [3fac2e21c9ab] * tgetpass.c: now uses read/write instead of stdio string goop to avoid problems with select(2) [67fd174e518c] * OPTIONS, find_path.c, options.h: -DNO_DOT_PATH -> -DIGNORE_DOT_PATH [d05ba5100d28] 1996-03-17 Todd C. Miller * INSTALL: added note about no shadow auto-detect if using alternate auth schemes [b425592232a3] * configure.in: don't check for C2 if AFS or DCE (unless they said --with-C2) [61342962171a] * testsudoers.c: now groks shost [85dda17303f6] * OPTIONS, find_path.c, options.h: added NO_DOT_PATH [c261ca1fb196] 1996-03-16 Todd C. Miller * find_path.c: checkdot now works correctly [3bc4835bb3e9] 1996-03-12 Todd C. Miller * configure.in: can't have DCE and C2 passwords both... [fb9a8ab7ca66] 1996-03-11 Todd C. Miller * parse.yacc, sudo.c, sudo.h, visudo.c: now uses shost even if not FQDN [87f7498b3a1f] * configure.in: now looks for skey in /usr/lib and doesn't require libskey to be in /usr/local/lib just because skey.h is (for my netbsd box :-) [ceb1763e37d2] * aclocal.m4, config.h.in, pathnames.h.in: _SUDO_PATH_ -> _CONFIG_PATH_ [84d97ad13d75] * aclocal.m4, sudo.pod: /var/run/.odus -> /var/run/sudo [922da220b8f5] * pathnames.h.in: now uses _SUDO_PATH_TIMEDIR [5ecab0155fdf] * OPTIONS: udpated FQDN [361b6f7440c0] * aclocal.m4, configure.in: added SUDO_TIMEDIR [368c95c8c950] * config.h.in: added _SUDO_PATH_TIMEDIR [3879864d808c] * sudo.pod: updated wrt /var/run/sudo [9e14f2a429d3] * sudo.c, sudo.h: added support for shost if FQDN [51a3f51a09a1] * parse.yacc, visudo.c: now uses shost if FQDN [d19da2e92b42] * check.c: Now use skeylookup() instead off skeychallenge() [4c7438bb2ae0] 1996-02-28 Todd C. Miller * logging.c: mail_argv should not contain ALERTMAIL as it includes "-t" [67ffaaa8f843] 1996-02-22 Todd C. Miller * INSTALL, Makefile.in, README, configure.in, version.h: ++version [e08fd4a809fc] * compat.h: added more _PASSWD_LEN stuff -- now uses PASS_MAX too [2f20c3153689] * tgetpass.c: now includes limits.h moved _PASSWD_LEN -> compat.h [b1ca3cafdacc] 1996-02-06 Todd C. Miller * INSTALL, README: ++version [3eacf32803f5] * Makefile.in: ++versoin [3b91c317630a] * Makefile.in: fixed a typo [3661ac4a7803] * configure.in: ++version [60e842973745] 1996-02-05 Todd C. Miller * RUNSON: updated [def2c3c24195] * CHANGES: done for 1.4.1 (I hope) [2ab543769a40] * sudoers.pod: added info on wildcards [ce3bd41bc063] * sample.sudoers: added wildcard example [762feb0577bd] * Makefile.in: now uses *.pod to build *.man and *.cat & *.html [3ec14962028b] * configure.in: addedSUDO_PROG_BSHELL !ll [3c80b320bf16] * visudo.pod: fixed up some formatting [12166c434526] * sudoers.pod: redid section describing sample sudoers stuff [b8065cceec71] * sudo.pod: fixed some formatting [aa9a681add0f] * getspwuid.c: now treats "" as bourne shell [30194a72ad56] * Makefile.in: TESTOBJS nwo includes wildmat.o [86cc6500f84d] * testsudoers.c: now works with NewArg[cv] [2f72674ce942] * sudo.c: removed an XXX (fixed it in getspwuid.c) [e791ee0d1a68] * aclocal.m4: added check for bourne shell [a2fd51676b8a] * pathnames.h.in: added _PATH_BSHELL [e7c10011d47b] * config.h.in: added _SUDO_PATH_BSHELL [6a1182898de9] 1996-02-04 Todd C. Miller * visudo.c: unixware vi returns 256 instead of 0 [234ffc7c6786] * INSTALL: added Linux note [5f85efcd2b58] * logging.c: fixed up some XXX's. file log format now looks a little more like real syslog(3) format. [6df55707bfc3] * README, TROUBLESHOOTING: updated wrt lex/flex [eb787d69156b] * Makefile.in: commented out rule to build lex.yy.c from parse.lex since we ship with a pre-flex'd parser [7507e2ce4a95] * parse.c, parse.yacc, visudo.c: path_matches -> command_matches [0bd469424f86] * logging.c: eliminated some strcat()'s [9878a79bc374] * configure.in: no longer checks for lex/flex (now assumes flex) [a086ccc73798] * configure.in: now checks for $kerb_dir_candidate/krb.h instead of just kerb_dir_candidate [9133bc3c5208] 1996-02-03 Todd C. Miller * parse.yacc: now use a 'hook' expression instead of an iffy one :-) [9560df01b8c0] 1996-02-02 Todd C. Miller * visudo.c: now works with new sudo arg stuff [310a0d43ddad] * parse.yacc: fixed dereferencing deadbeef [474ef8a8006b] * sudo.c: changed an occurrence of Argv to NewArgv [205b012b7691] * parse.lex: took out support for quoted commands since there is no need... [5c5036d353b1] * parse.c: fixed a typo in a for() loop [7e8d5283c43b] * logging.c: protected against dereferencing rogue pointers [56debd517717] * sudo.c: now uses NewArgv amd NewArgc so cmnd_aegs is no longer needed this also allows us to eliminate some kludges in parse_args() and eliminate superfluous code. [5122f66ad150] * logging.c: no longer uses cmnd_args, now uses NewArgv instead. [abddd23cf068] * sudo.h: added struct sudo_command, NewArgc, and NewArgv removed cmnd_args (no longer used) [78410984fb05] * Makefile.in: added wildmat.c to SRCS & SUDOBJS [3800efb41794] * parse.yacc: COMMAND is now a struct containing the path and args [5c32822c5b94] * parse.lex: replaced append() with fill_cmnd() and fill_args. command args from a sudoers entry are now stored in an arrary for easy matching. [a981d7f4eb0d] * parse.c: command line args from sudoers file are now in an array like ones passed in from the command line [1d9e37e84519] 1996-02-01 Todd C. Miller * parse.c: wildwat stuff now works [49d16488531f] 1996-01-29 Todd C. Miller * version.h: ++version [53e55463ef89] * Makefile.in: ++version added wildmat.* [0508297a4711] 1996-01-28 Todd C. Miller * parse.lex: added support for quoted commands (w/ or w/o args) [b9a637155673] 1996-01-22 Todd C. Miller * sudo.pod, visudo.pod: cleaned up formatting [4591d4195437] * sudo.pod, visudo.pod: Initial revision [7564a8242750] 1996-01-21 Todd C. Miller * sudoers.pod: looks reasonable, could be mroe readable [a5be2d19d9e0] * sudoers.pod: Initial revision [957888be31a6] 1996-01-16 Todd C. Miller * RUNSON: updated [633743aa924b] * OPTIONS: updated NO_ROOT_SUDO entry [f1c15b1dec9e] 1996-01-15 Todd C. Miller * RUNSON: *** empty log message *** [5b63de579ff7] [SUDO_1_4_0] * sudo.c: fixed SECURE_PATH [6002889f606d] * RUNSON: udpa`ted for 1.4 [6014a8592815] * configure.in: AIX aixcrypt.exp now uses $(srcdir) [b0d57674fef4] * TROUBLESHOOTING: added entry for anal ansi compilers [4193cec1c6b1] 1996-01-14 Todd C. Miller * INSTALL: added info on libcrypt_i for SCO [575497d56698] * TODO: *** empty log message *** [d0aaf67b9913] * sample.sudoers: added comments [a7773f7eda8d] * TODO: 1.4 release [1dade29e9fd9] * CHANGES: ++version [67241be40780] * INSTALL, OPTIONS, README, config.h.in, configure.in: ++version [2e0a37897f68] * BUGS: ++version and fixed ISC [78963f01a0e3] * check.c, compat.h, dce_pwent.c, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, logging.c, options.h, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, visudo.c: ++version [b6227f29b3d9] * interfaces.c: added STUB_LOAD_INTERFACES ++version [d8150a3fd577] * Makefile.in, emul/utime.h, parse.c, parse.lex, parse.yacc, version.h: ++version [da9e90e69bdc] * PORTING: added info about fd_set in tgetpass added info on interfaces.c [a39902febd17] 1996-01-11 Todd C. Miller * dce_pwent.c: added sudo header [fc0f2c48682e] * tgetpass.c: fixed a typo [43d40b72ee8f] * Makefile.in: tgetpass.o is now only linked in with sudo (not visudo) [7407c5ff11f8] 1996-01-09 Todd C. Miller * BUGS, INSTALL, Makefile.in, OPTIONS, README, config.h.in, configure.in: ++version [9b82ad805d6b] * emul/utime.h: added copyright notice [4380f16cd075] * check.c, compat.h, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: ++version [32717fdb5d05] * tgetpass.c: minor cleanup and now includes sys/bsdtypes for svr4'ish boxen [326864428da2] * configure.in: ISC now gets -lcrypt now check for sys/bsdtypes.h [e064799c054b] * config.h.in: added check for sys/bsdtypes.h [9adb9533c363] 1996-01-07 Todd C. Miller * parse.yacc: removed debugging stuff (setting freed ptr to NULL) [02fe8eec63a0] * TROUBLESHOOTING: added 2 entries [02884e2733e2] * Makefile.in: added FAQ [074d8dfcf28d] * TROUBLESHOOTING: added section on syslog [e6bc02a22b86] * configure.in: added AC_ISC_POSIX for better ISC support [8436b3e12af2] * config.h.in: fixed typo [f1b3922babf4] * config.h.in: added define for _POSIX_SOURCE [ded6d92b34f9] 1996-01-04 Todd C. Miller * configure.in: fixed check for lsearch() [75baa5bc28a3] 1995-12-22 Todd C. Miller * interfaces.c: fixed for AIX now deal if num_interfaces == 0 (should not happen) [ae450e859227] 1995-12-20 Todd C. Miller * configure.in: now only define HAVE_LSEARCH if there is a corresponding search.h [8ce645c5d17f] * interfaces.c: works on ISC again [ccac920d424c] 1995-12-18 Todd C. Miller * configure.in: now define HAVE_LSEARCH if we find lsearch() in libcompat [7343e4313a87] * lsearch.c: char * -> const char * [1c0b11c2300a] * configure.in: now looks in -lcompat for lsearch() [a1cc1d6fcd09] * Makefile.in: remove sudo.core visudo.core for clan target [b523456a85df] * aclocal.m4: added UID_MAX support in check for MAX_UID_T_LEN [7ab262b1173f] * Makefile.in: fixed another occurence of sudo_getpwuid.* [fb5809c07da2] * Makefile.in, getspwuid.c: sudo_getpwuid.c -> getspwuid.c [875f2ef808b4] * configure.in: moved the "echo" [ad7b8f966076] * BUGS, CHANGES, INSTALL, Makefile.in, OPTIONS, README, check.c, compat.h, config.h.in, configure.in, find_path.c, getspwuid.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: ++version [ee57c6410ffa] * testsudoers.c: added group support [54d8097df8bd] * sample.sudoers: added group entry [50994d31fd49] * sudoers.man: documented group support [0a16707f8fed] * parse.c, parse.lex, parse.yacc, visudo.c: added group support [427218c879c8] 1995-12-15 Todd C. Miller * check.c: tkfile was too short and overflowed the kerberos realm [53823a1ff5af] 1995-12-11 Todd C. Miller * sudo.c: now copy command args directly from Argv [77408278b6fd] * sudo.c: replaced code to copy cmnd_args so that is does not use realloc since most realloc()'s really stink [b29a0ff73fb6] 1995-12-08 Todd C. Miller * configure.in: syslog() fixed in hpux 10.01 [2648e6f0cdb0] 1995-12-06 Todd C. Miller * configure.in: AC_CHECK_LIB() now sets SUDO_LIBS (and VISUDO_LIBS if appropriate) [8f108b8d8711] * configure.in: better error if cannot find skey incs or libs [5887662ee9d3] * aclocal.m4: now use a temp file for determining max len of uid_t in string form. the old hacky way broke on netbsd [b68f470fa9f8] * sudo.c: added set of parens and a space [8a3d4826d022] 1995-12-05 Todd C. Miller * dce_pwent.c: fixes from Jeff Earickson , [bde0f0b756ec] * check.c: modified a comment [e2a97f1afbbe] * Makefile.in: fixed up testsudoers target [d39c4e7bb609] * configure.in: DCE changes from Jeff Earickson LIBS -> SUDO_LIBS and VISUDO_LIBS LDFLAGS -> SUDO_FDFLAGS and VISUDO_LDFLAGS [da7a1c433828] * Makefile.in: LIBS -> SUDO_LIBS , VISUDO_LIBS LDFLAGS -> SUDO_LDFLAGS, VISUDO_LDFLAGS [4b69503e8487] 1995-11-28 Todd C. Miller * configure.in: fix for C2 on hpux 10 now uses -linet if it exists [8d300112263d] * check.c: LONG_SKEY_PROMPT is less of a klusge / [dcc144abaac3] * configure.in: fixed typos w/ dce stuff [f7dfd6d4e149] * Makefile.in: added dce_pwent.c [79047acdc516] 1995-11-26 Todd C. Miller * INSTALL: amended section on combining authentication mechanisms [dc5138c7c716] * PORTING: minor updates for 1.3.6 [fe80c13bd994] * TROUBLESHOOTING: added 2 more entries [c7201439a0f5] * BUGS: updated for 1.3.6 [979b414d2a2d] * README: overhauled [3af8b60eb594] * INSTALL: rewrote for sudo 1.3.6 [b16027b9c726] * TROUBLESHOOTING: added 3 entries [934c9ee3f153] 1995-11-25 Todd C. Miller * find_path.c, getspwuid.c, sudo.c: added explict casts for strdup since many includes don't prototype it. gag me. [3e19a11f2fcc] * sudo.h: removed prototype for sudo_getpwuid() since convex C compiler choked on it. [c3ea74ca67b0] * sudo.c: added prototype for sudo_getpwuid() [4a8e3cdc2b98] * lsearch.c: now compiles on strict ANSI compilers [3ce5d72d0b08] * check.c: added LONG_SKEY_PROMPT support [48a18b8a2332] * Makefile.in: added extra $'s for make to eat up, yum. [2995b214e12b] * OPTIONS, options.h: added LONG_SKEY_PROMPT [f23ae799b5a4] 1995-11-24 Todd C. Miller * check.c: s/key support now works with normal s/key as well as logdaemon [d67573f523bf] * OPTIONS, options.h: added SKEY_ONLY [bbf07654e0de] * compat.h: set _PASSWD_LEN to 256 for any of KERB4, DCE, SKEY [205895b96a36] * INSTALL: added DCE note added more AIX notes [6345403b3522] * sudo.c: now include pthread.h for DCE support [6fe02865f679] * check.c: dce_pwent() is ok after all ., [d26a8746a55d] * logging.c: now uses SYSLOG() macro that equates to either syslog() or syslog_wrapper [42ac4cff8045] * dce_pwent.c: minor formatting changes. renamed check() to somthing less generic [71859f217be1] * check.c, logging.c, parse.yacc, sudo.c, sudo.h, testsudoers.c, visudo.c: now uses user_pw_ent and simple macros to get at the contents [f4cbf3e7145a] 1995-11-23 Todd C. Miller * check.c: simpler dec unix C2 support [86bc8f75250e] * getspwuid.c: now sets crypt_type for DEC unix C2 [99aeadd18266] 1995-11-21 Todd C. Miller * configure.in: added csops paths for skey [b8ca672e2117] * getspwuid.c: now includes string.h for strdup() prototype [3605259c3620] * getspwuid.c: fixed a few typos [46c97e4ea417] * check.c: now includes skey.h [11e611ce1b61] * getspwuid.c: fixed up comments [223dac56f0c8] * check.c: moved a lot of the shadow passwd crap to sudo_getpwuid() [97d8887fb7d3] * sudo.c: now uses sudo_pw_ent [d014dadbef48] * testsudoers.c: now uses sudo_pw_ent [d92936ed7e34] * visudo.c: now sets sudo_pw_ent [ff75cdfcf8b3] * getspwuid.c: Initial revision [6deb6df9d7bc] * tgetpass.c: moved dce stuff into compat.h [1124284396e7] * logging.c, sudo.h: now uses sudo_pw_ent [404ff20a5067] * Makefile.in: added sudo_getpwuid.c [6666d0644512] * compat.h: added dce support [3c3b36a7ce0e] * parse.yacc: now uses sudo_pw_ent [9f5e8d11bd68] 1995-11-20 Todd C. Miller * check.c: fixed exempt_group stuff for OS's that don't put base gid in group vector [003f153bd396] * check.c: S/Key support now works with sunos4 shadow passwords [1eb64a5efff1] * Makefile.in: fixed clean rule [5695a2c62816] * config.h.in, configure.in: added DCE support [f53c766c1947] * tgetpass.c: DCE & KERB support [904cf436506a] * check.c: first stab at dce support [aea5ca07b1e3] * dce_pwent.c: now smells like sudo [8b3d609b49cd] * dce_pwent.c: Initial revision [b573555f2399] * check.c: skey'd sudo now works w/ normal password as well [8d038f9f6e94] 1995-11-19 Todd C. Miller * Makefile.in, OPTIONS, check.c, compat.h, config.h.in, find_path.c, getwd.c, goodpath.c, ins_2001.h, ins_classic.h, ins_csops.h, ins_goons.h, insults.h, interfaces.c, logging.c, options.h, parse.c, parse.lex, parse.yacc, pathnames.h.in, putenv.c, strdup.c, sudo.c, sudo.h, sudo_setenv.c, testsudoers.c, tgetpass.c, utime.c, version.h, visudo.c: updated version number [ba7e346d7904] * README: updated to reflect version change [1d15cf1d8cc8] * configure.in: --with options now line up ++version [08ebf625fbca] * sudo.h: removed unecesary S/Key stuff [68188cba90af] * configure.in: fixed S/Key support [f6d9cbc36618] * Makefile.in: -I stuff now goes in CPPFLAGS [7b8e53c5b046] * check.c: fixed SKey support [52c1a5cf4435] * README: updated version [bed6498a10bb] * OPTIONS: fixed description of EXEMPTGROUP [cfeead55edc2] * sudo.c: more people use _RLD_ than just alphas... [6a3c7090a6f6] * Makefile.in: replaced $man_prefix with $mandir [dc4b36a550e2] * configure.in: fixed a typo [a38a4acddcaf] * Makefile.in: now use more GNU'ish dir names [c5498391a520] * configure.in: now set *dir correctly (can override from command line) [523ff98fd438] * sudo.c: now deal with situations where we getwd() fails [88a9e61dccbb] 1995-11-17 Todd C. Miller * Makefile.in: added etc_dir, bin_dir, sbin_dir [75fd08d92842] * configure.in: added sbin_dir [3cb318c0d8d1] * Makefile.in: now ship a flex-generated lex.yy.c [4d083ed70dce] * Makefile.in: now sets _PATH_SUDO_SUDOERS, _PATH_SUDO_STMP, SUDOERS_OWNER [4d51dc9c3780] * pathnames.h.in: _PATH_SUDO_SUDOERS & _PATH_SUDO_STMP are now overridden via Makefile [773fd163d52f] * options.h: no more error for redefining SUDOERS_OWNER [4ba336644c6a] * OPTIONS: expanded SUDOERS_OWNER section [12fae405759e] 1995-11-16 Todd C. Miller * visudo.c: now warn if chown(2) failed [d0d1db6e3a1f] * logging.c: better default warning for NO_SUDOERS_FILE [5260b458ac64] * sudo.c: added missing set_perms() no more cryptic message if the sudoers file is zero length, now just give a parse error [b81ea724838a] * logging.c: better diagnostics if NO_SUDOERS_FILE [877e878663c5] * sudo.c: check_sudoers() now catches sudoers files that are not readable (but are stat'able). [fea05663b3de] 1995-11-13 Todd C. Miller * configure.in: now add -D__STDC__ for convex cc (not gcc) [c80fc53ff51b] * configure.in: MAN_PREFIX -> man_prefix now sets prefix and exec_prefix [fe238226a057] * Makefile.in: now uses exec_prefix & prefix from configure [f62fca5f56bd] * find_path.c, getwd.c, goodpath.c, interfaces.c, logging.c, parse.c, parse.lex, parse.yacc, sudo.c, sudo.h, sudo_setenv.c, tgetpass.c, utime.c, visudo.c: options.h is now <> instead of "" so shadow build trees can have a custom copy of options.h [e6782676099c] * check.c: user_is_exempt() is no longer a hack, it now uses getgrnam() [287f8d5356f7] * options.h: EXEMPTGROUP is now "sudo" [61487304dbe1] * configure.in: MAN_POSTINSTALL now contains a leading space [eaad4ac34012] * Makefile.in: removed leading tab if @MAN_POSTINSTALL@ not defined now removes testsudoers in clean: [e01711baceb8] * tgetpass.c: includes pwd.h to get _PASSWD_LEN definition [8ec174f263f1] 1995-10-30 Todd C. Miller * sudo.c: unset the KRB_CONF envariable if using kerberos so we don't get spoofed into using a bogus server [2561a0274fca] 1995-09-29 Todd C. Miller * parse.yacc: now explicately initialize match[] tp be FALSE [0e45e5c47766] 1995-09-23 Todd C. Miller * sudo.c: removed unused variable now passes -Wall [3452508bc16d] * parse.yacc: yyerror and dumpaliases are now void's now passes -Wall [2769dfb51993] * parse.lex: added prototype for yyerror [1f3f0c1b4ab4] * check.c, logging.c, parse.c: now passes -Wall [eab57e5e81d2] * interfaces.c: rmeoved unused cruft now passes -Wall [7a47e1866f4b] * Makefile.in: fixed headers that moved to emul dir [e680c1e5049b] * logging.c: fixed deref of nil pointer if no args [973b9bea432f] 1995-09-15 Todd C. Miller * OPTIONS: added a caveat to FQDN section [dcf6e2a5fff4] 1995-09-13 Todd C. Miller * Makefile.in: more $srcdir support for install targets [f6eac78436dd] * find_path.c, interfaces.c, parse.c, parse.lex, parse.yacc, putenv.c, strdup.c, sudo.c, sudo_setenv.c, testsudoers.c, visudo.c: don't include malloc.h if we include stdlib.h [fca2ff307cd8] * parse.yacc: local search.h now lives in emul [51c458904424] * check.c, utime.c: local utime.h now lives in emul dir [f92fc9e8c8de] * lsearch.c: local search.h now lives in emul [579efc407439] * Makefile.in: added support for building in other than the sourcedir [2ab53a43f7d4] 1995-09-10 Todd C. Miller * OPTIONS: annotated CSOPS_INSULTS option [9e57d45a0afa] * TROUBLESHOOTING: updated shadow passwords blurb [39b785bc7253] * sudo.c: if SHELL_IF_NO_ARGS is set, "sudo -- foo" now runs a shell and passes along foo as the arguments [a91077aa8fc5] 1995-09-09 Todd C. Miller * parse.lex: collapsed pathname and dir sections into one -- its now less expensive [89caa03bec25] * parse.lex: fixed spacing quoting [,:\\=] now works correctly append() and fill() now take args to make the above work [09d023d9ef3a] * sudo.c: fixed a typo that caused commands with no tty on fd 0 but a tty on fd 1 to erroneously have "none" as their tty [07d2c0e7977c] 1995-09-04 Todd C. Miller * check.c: timestampfile is now a global static removed decl of timestampfile in remove_timestamp since we can just use the global one [f0cbdc6aab1c] * check.c: created touch() to update timestamps added USE_TTY_TICKETS support (bit of a kludge) [cee1dd0318f8] * compat.h: added _S_IFDIR and S_ISDIR [b4a51cc9628e] * OPTIONS, options.h: added USE_TTY_TICKETS [b4e22f81f25e] * parse.yacc: removed const from casts for lsearch() & lfind() to placate irix 4.x C compiler [5003081f76ea] 1995-09-03 Todd C. Miller * sudo.c: now only strip '/dev/' off of a tty if it starts with '/dev/' [7f62bcd24039] * pathnames.h.in: added _PATH_DEV [6375f44d1910] * configure.in: AC_HAVE_HEADERS -> AC_CHECK_HEADERS now check for tcgetattr only if have termios.h [9c60391235fd] * tgetpass.c: fixed incorrect #ifdef termio uses "unsigned short" not int for c_?flag [d032e6a29845] * parse.lex, parse.yacc: fixed a spelling error [cad6a944c7b1] * Makefile.in: fixed typo [204a65403e7c] 1995-09-02 Todd C. Miller * Makefile.in: fixed a comment [268f760e57ad] * parse.yacc: added dotcat() to cat 2 strings w/ a dot effeciently now that we dynamically allocate strings they need to be free()'d [ec2e2152f415] * parse.lex: dynamically allocates space for strings [d10ac3533d66] * sudo.h: no more MAXCOMMANDLENGTH [e2e1219bff8a] * sudo.h: added decl of tty [c8ae81303ee5] * logging.c, sudo.c: moved tty stuff into sudo.c [e028abefeb07] 1995-09-01 Todd C. Miller * parse.c: fixed a logic bug. Was denying a command if user gave command line args but there were none in the sudoers file which is wrong. [7489a99b8e8a] * sudo.h: MAXCOMMMANDLEN dropped down to 1K [38ef54ba290b] * parse.lex: return foo; -> return(foo); [0e8be1b57001] * parse.yacc: fixed netgr_matches() prototype [e69f15910464] * parse.lex: added support for escaping "termination" characters [8bd4ef50f35c] * parse.c: buf is now of size MAXPATHLEN+1 since it never holds command args [2ce4b763058c] * sudo.c: fixed comments [0c74a3d2ebb0] * goodpath.c: fixed negation problem (doh!) [782814e3a2d1] * parse.yacc: fixed 2nd parameter to lfind() [63d7b1623c08] * parse.lex: now do bounds checking in fill() and append() [54381b563251] * sudo.c: include netdb.h as we should added a missing void cast added SHELL_IF_NO_ARGS support now use realloc() properly. would fail if realloc actually moved the string instead of shrinking it [897ccdec9c06] * sample.sudoers: updated with examples of new features [9b3ed00e8aa6] * goodpath.c: now set errno to EACCES if not a regular file or not executable [2d069548a5ea] * find_path.c: if given a fully-qualified or relative path we now check it with sudo_goodpath() and error out with the appropriate error message if the file does not exist or is not executable [590f89dd8dec] * emul/search.h, lsearch.c: now use correct args for lfind [fccdcdbf020e] * logging.c: added a comment [fab9f49708ea] * insults.h: added in CSOps insults [ad8eb1862adc] * ins_csops.h: Initial revision [de5a475ec018] * tgetpass.c: added RCS id [c3ffd550a482] * sudo.h: increased MAXCOMMANDLENGTH to 8k HAVE_GETCWD -> HAVE_GETWD [aba25c90d08a] * OPTIONS: added CLASSIC_INSULTS, CSOPS_INSULTS, SHELL_IF_NO_ARGS [e27bd62e9ccf] * sudo.c: fixed -k load_interfaces() now gets called if FQDN is set -p now works with -s [07ca2a34bae8] * parse.c: don't try to stat() "pseudo commands" like "validate" [75527045984b] * options.h: added CLASSIC_INSULTS added CSOPS_INSULTS added SHELL_IF_NO_ARGS [07b157a0eafd] * configure.in: added SecurID support added other insults to --with-csops [6c992ceb244c] * config.h.in: added HAVE_SECURID [e734ff617fe8] * Makefile.in: added clobber target added ins_csops.h now gets CFLAGS from configure [d1e29c7cec25] * aclocal.m4: relaxed SUDO_FULL_VOID [fb4084f27406] * visudo.c: function comment blocks are now in same style as rest of code [04a2931354c5] * testsudoers.c: added support for command line args in /etc/sudoers [bfe4e1bcc655] * sudoers.man: updated to have command args in the sudoers file [1cd34355e9ea] * sudo.man: added -s and -- flags added SHELL to ENVIRONMENT VARIABLES section [930b48023b68] 1995-08-19 Todd C. Miller * parse.yacc: PATH renamed to COMMAND [4e109a6de3cd] * parse.lex: it is now a parse error for directories to have args attached to them [2ab10a146b54] * logging.c: now say command args if telling user to buzz off [933de26ded8b] * sudo.c: -s no longer indicates end of args sped up loading on cmnd_args in load_cmnd() [eac99a4da862] * parse.c: removed an unreachable statement [634302623c49] * parse.lex: made more efficient by pulling out the terminators when in GOTCMND state and making them their own rule [80798f1e1166] 1995-08-14 Todd C. Miller * sudo.h: removed MAXLOGLEN since it is no longer used [102824196b71] * parse.lex: now allows command args [d29dfa1e5254] * parse.c: now groks command arguments [6c414cb7f105] * logging.c: now sets tty correctly when piped input [de46a30c0406] * sudo.c: fixed loading of cmnd_args (was including command name too) [15319a425ea6] * logging.c: fixed a core dump due to incorrect if construct [582363c7d7fa] 1995-08-13 Todd C. Miller * configure.in: only add -lsun is irix < 5 don't look for -lnsl or -lsocket if irix [da591fe9b931] * aclocal.m4: fixed check for ISC [52e59f2082a7] * sudo.c: now sets cmnd_args used by log_error() and that will be used by the parse to check against command args [c6804389723b] * sudo.h: added cmnd_args [4d00446b4a8d] * logging.c: now dynamically allocate logline since we can guess at its size [4bed8c8446aa] 1995-08-05 Todd C. Miller * logging.c: cleaned up a bunch of unnecesary #ifdef's eliminated a buffer remove "register" since the compiler knows more than I do now do a "basename" of the tty [3b1bbf0b3da1] 1995-07-31 Todd C. Miller * configure.in: ++version [5ce552f9a5f1] * sudo.h: added shell extern changed MODE_* to be bit masks to allow for several options together [06f9dc4f400c] * sudo.c: added -s (shell) option made MODE_* masks so we can do bitwise & and | to see if multiple flags are set. [01f8143010ad] * check.c: added securid support [909e078005fe] 1995-07-30 Todd C. Miller * logging.c: removed a bunch of unnecesary strncpy()'s and replaced with strcat() [644506b57d61] 1995-07-29 Todd C. Miller * Makefile.in, version.h: ++version [3cd6f1fbc3d9] 1995-07-27 Todd C. Miller * parse.yacc: fixed free() of an uninitialized pointer (yuck) [8c404ee502ee] * testsudoers.c: added netgr_matches [e7c9fa2f774c] * parse.c: cleaned up netgr_matches [8108f00b810e] 1995-07-26 Todd C. Miller * RUNSON: updated for 1.3.4 [4741704310a1] 1995-07-25 Todd C. Miller * Makefile.in: now installs sudoers.man -- really should clean this up though. [455631d45a1d] * Makefile.in: added sudoers.cat and sudoers.man [0bdedd6c7363] * sudo.man: pulled out stuff on the sudoers file format into a separate man page [de215d999cb9] * sudoers.man: Initial revision [f25eafbb7095] * HISTORY: fixed up my email address [254fbf80be74] * configure.in: added checks for innetgr and getdomainname [24a99cb7e97e] * visudo.c: added dummy netgr_matches function [1841ff2c01da] * parse.c: added netgr_matches [ec90db6a97b8] * parse.lex, parse.yacc: added NETGROUP support [c9dd93e3bc4b] * config.h.in: added HAVE_INNETGR & HAVE_GETDOMAINNAME [14abd494d875] 1995-07-24 Todd C. Miller * sudo.c: rewrote clean_env() that has rm_env() builtin [55cb43818a95] 1995-07-23 Todd C. Miller * check.c: now cast uid to long in sprintf [b549eea40aeb] * OPTIONS: added _INSULTS suffix to HAL & GOONS end [ed620d0aad30] * options.h: added _INSULTS suffix to HAL & GOONS [9f72e9b83afd] * ins_2001.h, ins_classic.h, ins_goons.h, insults.h: converted to new scheme of insult "unions" end [2f6d2b412132] * sudo.c: now uses MAX_UID_T_LEN [c1df79e0f389] * configure.in: added SUDO_UID_T_LEN !l [195f0b9f5f84] * config.h.in: added MAX_UID_T_LEN [73f42ae4f14d] * check.c: now use MAX_UID_T_LEN [df9c063234cb] * aclocal.m4: added check for max len of uid_t fixed sco vs. isc check [d558f36d2223] 1995-07-19 Todd C. Miller * configure.in: corrected version [828dd1571e86] * configure.in: added sco support [af1e2f616638] * aclocal.m4: hack to check for sco [549ab99a9a43] * interfaces.c: removed #include since it was hosing some OS's [ac78a7c04005] 1995-07-18 Todd C. Miller * find_path.c: fixed prreadlink() prototype [b380fe1f2b11] * check.c: added parens in #if's [e96ade691b82] * configure.in: added SPW_ prefix [a302683a1483] * sudo.h: moved SPW_* to config.h.in [6b3be70e34cf] * sudo.c: added a set of parens [8188d735d695] * config.h.in: added SPW_* [5ead6371cf60] * sudo.h: added SPW_* reordered error codes [dead25b4ed0a] * check.c: moved SPW_* to sudo.h [ca51fb04caf4] 1995-07-17 Todd C. Miller * sudo.c: SPW_AUTH -> SPW_SECUREWARE [6b512b2bc5dc] * logging.c: GLOBAL_NO_AUTH_ENT -> GLOBAL_NO_SPW_ENT [defdd0944e2f] * configure.in: AUTH -> SECUREWARE [d1f8a17001dd] * check.c: SPW_AUTH -> SPW_SECUREWARE [af0e8d8b89b2] * check.c: now uses SHADOW_TYPE to make shadow pw support more readable and modular. It's a start... [8c2a59667014] * configure.in: added autodetection of shadow passwords [85f81fa54b1b] * sudo.c: now uses SHADOW_TYPE define [355e5dc09b07] * config.h.in: added SHADOW_TYPE which replaces SUNOS4 & __svr4__ defines [c0c06e83e483] * aclocal.m4: added SUDO_CHECK_SHADOW [464301301639] 1995-07-12 Todd C. Miller * configure.in: define SVR4 for ISC define BROKEN_SYSLOG for hpux took out test for memmove() since we dno longer use it... [8aefa87d7d31] * CHANGES: updated [ce97b3fd7182] * logging.c: added BROKEN_SYSLOG support [a45c3bca36f6] * config.h.in: added BROKEN_SYSLOG [6f6abf0a6268] * check.c: now only bitch it timestamp > time_now + 2 * timeout to allow for a machine udpating its time from a server [546bc8d35325] * sudo.man: added 2 security notes updated Nieusma's email addr [616756c56977] * lsearch.c: changed a memmove() to memcpy() since we don't have to worry about overlapping segments. [30baa478526b] 1995-07-11 Todd C. Miller * interfaces.c: cleanup up the loop when interfaces are groped in so that it is readable [1fa39446bd69] * Makefile.in, version.h: ++version [b46bd2b1770f] 1995-07-09 Todd C. Miller * CHANGES: annotated 124-126 [b82a2b3ec7ce] 1995-07-07 Todd C. Miller * check.c: fixed permissions check on /tmp/.odus [cc2431a65468] 1995-07-06 Todd C. Miller * check.c: fixed some comments [8896d09b4fda] * check.c: now checks owner & mode of timedir also checks for bogus dates on timestamp file [a0fad5df5b0a] * OPTIONS: updated TIMEOUT info [033cc22d9e04] * logging.c, sudo.h: added BAD_STAMPDIR and BAD_STAMPFILE [31d9ce691101] * compat.h: added definition of S_IRWXU [ff2dab091a9b] * CHANGES: updated [a40df90284f1] 1995-07-03 Todd C. Miller * interfaces.c: added #ifdef to make it compile on strange arches [4a127f12afce] 1995-07-02 Todd C. Miller * aclocal.m4: fixed check for fulkl void impl. [b6f2a4a361d8] * check.c: added mssing "static" [520552f2772b] * insults.h: replaced #elif with #else #if constructs for ancient C compilers [39ab2d365b57] * INSTALL: updated irix c2 & kerb5 info [ae79b99b4905] * configure.in: added shadow pw support for irix [632469d9c528] 1995-07-01 Todd C. Miller * BUGS, TODO: updated [2a96bb18ac30] * CHANGES: last changes for sudo 1.3.3 [c1c0cd1034b8] * configure.in: now calls SUDO_SOCK_SA_LEN [14ea78159d45] * config.h.in: added HAVE_SA_LEN [cc2a346aa905] * aclocal.m4: added SUDO_SOCK_SA_LEN [456a2025644a] * interfaces.c: now works with ip implementations that use sa_len in sockaddr [90be6e028077] * INSTALL: added note about buggy AIX compiler [c0f6d427e4e4] * interfaces.c: now include sys/time.h for AIX [2510858ab38b] 1995-06-28 Todd C. Miller * Makefile.in: getcwd -> getwd [66085ebca98e] * interfaces.c: now works for ISC and others. yay. [f336d4ffc927] 1995-06-26 Todd C. Miller * Makefile.in, version.h: version++ [836cffc2078d] 1995-06-23 Todd C. Miller * aclocal.m4: fixed test for full void impl [fb004107e7b9] * sudo.c: now check to see that st_dev is non-zero before assuming that we are being spoofed [1b0e1c30c506] 1995-06-20 Todd C. Miller * aclocal.m4, configure.in: SUDO_FUNC_UTIME_NULL -> AC_FUNC_UTIME_NULL [4953379bfb01] 1995-06-19 Todd C. Miller * aclocal.m4: fixed include file order for SUDO_FUNC_UTIME_POSIX [ff64ab7df44f] * logging.c: added cast for ttyname() [444f05f56758] * configure.in: fixed typo [de068e748431] * check.c: now deal correctly with all known variation of utime() -- yippe [b778a4195a89] * configure.in: added SUDO_FUNC_UTIME_POSIX [cf635f2269d6] * aclocal.m4: added SUDO_FUNC_UTIME_NULL and SUDO_FUNC_UTIME_POSIX [d79593be4b73] * config.h.in: added HAVE_UTIME_POSIX [c67b4ac0dca5] * check.c: fixed a typo [b14df5680f59] * check.c: no longer assume !HAVE_UTIME_NULL means old BSD utime() [0aeaf4b2f38b] * check.c: fixed fascist C compiler warning [c61ddf2f1f93] * interfaces.c: now set strioctl.ic_timout in STRSET() now initialize num_interfaces to 0 (just to be anal) [c54cc2ba0052] 1995-06-18 Todd C. Miller * sudo.h: increaed MAXLOGLEN by MAXPATHLEN to account for ttyname [74cf585a54fb] * logging.c: added tty logging [e27d8dcfbd78] * interfaces.c: reworked the ISC code [bcf57ce8ae69] * Makefile.in, version.h: updated version [032941c9b94d] * check.c: now expect old-style utime(3) if utime() can't take NULL as an arg [018dd4a73030] * configure.in: added check for utime.h [0b76e8feb618] * config.h.in: added HAVE_UTIME_H [62ee42feda46] * Makefile.in: added CPPFLAGS STATIC_FLAGS -> LDFLAGS [fa3201d294e1] * configure.in: now search for kerb libs and includes [cc332401e571] * check.c: added support for utime(2)'s that can't take a NULL parameter [98797fedf69f] * utime.c: moved HAVE_UTIME_NULL stuff to update_timestamp() where t belongs [6ce6d825fb44] * configure.in: added utime(s) stuff [a2afb744403e] * check.c: now use utime() [48902240a51e] * config.h.in: added HAVE_UTIME and HAVE_UTIME_NULL [9a56ab65d4f4] 1995-06-17 Todd C. Miller * utime.c: now use HAVE_UTIME_NULL [e3944de09a92] * emul/utime.h, utime.c: Initial revision [a2cbf2ef3427] * check.c: need to setuid(0) to make kerb4 stuff work. [c6cfda4039d7] * tgetpass.c: no more special case for kerberos [4a5c33145be9] * config.h.in: took out setreuid and setresuid stuff added kerb5 stuff (use kerb4 emulation) [a607ee43e650] * compat.h: no longer need setreuid() emulation now set _PASSWD_LEN to 128 if kerberos [02fb274cc136] * check.c: now use private ticket file for kerberos support to avoid trouncing on system one [28d8b6b812c7] 1995-06-15 Todd C. Miller * sudo.h: added SPOOF_ATTEMPT & cmnd_st [d3b42a1f4d0d] * sudo.c: added anti-spoofing support [ab1e2aa44a57] * parse.c: now use global cmnd_st [47018265a1a6] * logging.c: added SPOOF_ATTEMPT suypport [7bbe9dd2a021] * testsudoers.c, visudo.c: added void casts where appropriate [f191441ba333] * parse.yacc: fixed up spacing and added void casts where appropriate [15d886fc809c] * sudo.c: fixed problem with "-p prompt" but no args [6fc048261a3e] 1995-06-14 Todd C. Miller * sudo.man: added BUGS and annotated -l description [e5c506de2603] * sudo.h: validate() now takes a flag [26627becc60a] * sudo.c: validate() now takes a flag added -l [a4f7bb97fe54] * parse.yacc: added support for -l [e7a9b10b0ad3] * parse.c: validate() now takes a flag that says whether or not to check the command [9e1e67f4e281] 1995-06-08 Todd C. Miller * logging.c: now deals with Argv == 1 [0acb637ab635] * sudo.man: added -p option [e60382fc0561] * sudo.c: added prompt support reworked parse_args() [2f605267ed4a] * sudo.h: added prompt [5ab021bdb419] * options.h: added PASSPROMPT [614727ff44a2] * check.c: now use BUFSIZ as length of kerb password added kpass so pass is always a char * now use prompt global when asking for a password [76be09af784f] * tgetpass.c: now use BUFSIZ as _PASSWD_LEN if using kerberos [1e907eed312b] * OPTIONS: added PASSPROMPT [ddb2f405ce40] 1995-06-07 Todd C. Miller * configure.in: only look for -lufc or -lcrypt if crypt() not in libc [9717d315661f] * check.c: don't exit on kerb error, just warn if k_errno == KDC_PR_UNKNOWN (unknown user) silently fail [2b48693d4ee9] * INSTALL: added kerb4 note [986e393f740c] * tgetpass.c: HAVE_KERBEROS -> HAVE_KERB4 [e438bfb5e6aa] * check.c: removed debugging printf [1cf9f5cbffa5] * configure.in: KERBEROS -> KERB4 added checks for setreuid & setresuid [01e9945beb1e] * config.h.in: HAVE_KERBEROS -> HAVE_KERB4 added HAVE_SETREUID and HAVE_SETRESUID [0e0bb5b8ac3e] * compat.h: added deif of UID_NO_CHANGE & GID_NO_CHANGE added setreuid emulation with setresuid if applic [9dae24c47696] * check.c: HAVE_KERBEROS -> HAVE_KERB4 now only do the stupid chown() hack if no setreuid() or a broken one [1fca642bdb8e] 1995-06-06 Todd C. Miller * configure.in: added kerberos support [da5639b9b8e7] * config.h.in: added HAVE_KERBEROS [fcc5be550e65] * tgetpass.c: added KERBEROS support (long passwords) [303ba6924dd2] * check.c: added kerberos support [e40afe98fc1d] 1995-06-03 Todd C. Miller * sudo.h: added MODE_BACKGROUND [9b483c932016] * sudo.man: escaped dashes added -b option [62e84f1a7714] * sudo.c: added -b option [7e78aaefeb95] * check.c: added crypt() for osf/1 3.x enhanced secuiry [e9aa5abdb7d5] * configure.in: now check for -lcrypt [5cb9c67e9fa2] * interfaces.c: added ENXIO like EADDRNOTAVAIL [74223bb1ba75] 1995-05-08 Todd C. Miller * configure.in: now emulate getwd(), not getcwd() [3e5439d9a5f4] * sudo.c: getcwd() -> getwd() [6392a96a658e] * getwd.c: getcwd -> getwd [1b0ab9bae11e] 1995-05-02 Todd C. Miller * ins_2001.h, ins_classic.h, ins_goons.h: Initial revision [86db60d8cf00] * insults.h: broke out insults into separate include files [0a01993bd38a] * OPTIONS, options.h: added GOONS [e283203c6515] * Makefile.in: added ins_2001.h ins_classic.h ins_goons.h [2a39cd6a4cd2] * Makefile.in, version.h: ++version [05ebf4f5e41a] * visudo.c: moved signal handler setup to setup_signals() [3dd976c04540] * sudo.h: added load_interfaces() [af2d473b09e2] * sudo.c: moved load_interfaces to interfaces.c [5c8c138e5d4c] * parse.yacc: added clearaliases [aeb4ff301daa] * OPTIONS, options.h: added FAST_MATCH [f49ea3d1b525] * parse.lex: now uses clearaliases variable [a2dda415bf61] * interfaces.c: Initial revision [a1990e3f5c69] * Makefile.in: added interfaces.[co] [1e8e5984de97] * testsudoers.c: now uses ip addrs and netmasks via load_interfaces() [54b8f7a6835e] * sudo.c: now remove IFS instead of setting to "sane" value [ce7eec9f115e] 1995-05-01 Todd C. Miller * parse.c: added FAST_MATCH [816d4f5fe81a] 1995-04-30 Todd C. Miller * Makefile.in: sudo_goodpath.c-> goodpath.c [a5072c4e1de2] * sudo.c: added Andy's new ISC changes [caa6bbee358e] 1995-04-14 Todd C. Miller * OPTIONS: added a sentence to SECURE_PATH info [cad6e1569d15] * BUGS: added one [4b35cf699a83] * CHANGES: updated [5fded9dc62f0] * RUNSON: updated [33cb993cfd39] 1995-04-13 Todd C. Miller * RUNSON: updated for beta3 [a05dc6a91995] * Makefile.in, version.h: ++version [54aaf3fadc75] * aclocal.m4: sendmail is now looked for in /usr/ucblib [231ac1a4662f] * sudo.c: fixed indentation [fb137400c8c2] * aclocal.m4: fixed a typo [e03f1acc468b] * sudo.c: updated ISC mods [070290d4754b] * configure.in: added unixware case [e90250bae0d9] * check.c: user_is_exempt is no longer hidden [1a341765b8af] * RUNSON: updated [a9c4898b26dd] * aclocal.m4: isc and riscos changes [98b5d86585d1] * OPTIONS: added NOTE about new interaction of EXEMPTGROUP and SECURE_PATH [e1ecc464ce4b] * Makefile.in: fixed a typo and added testsudoers stuff [435d60e163dc] * testsudoers.c: Initial revision [6ce14a448662] 1995-04-12 Todd C. Miller * parse.yacc: applied fixed patch from Chris [cd6144203d13] 1995-04-11 Todd C. Miller * Makefile.in: fixed a typo [34f8a54ba041] * parse.yacc: added a set of braces for bison [f0e43b938914] * parse.yacc: merged in Chris' changes to dekludge the parser. [82d6e373ab1c] * logging.c: send_mail() was calling find_path() which is wrong since find_path() stores cmnd in a static var. Anyhow, it doesn't make much sense since MAILER should always be fully qualified [6eae6a0b8098] 1995-04-10 Todd C. Miller * sample.sudoers: added User_Alias stuff [aaba8c8e918d] * aclocal.m4: SUDO_NEXT now looks for /usr/lib/NextStep/software_version [52bd81f34b32] * RUNSON: added DEC UNIX 3.0 w/ gcc [7daf570775b5] * visudo.c: Exit was being used in places where exit should be used [6026a89c07ed] * sudoers: added "User alias specification" [a487b6e234f8] * parse.yacc: fixed probs caused by making nslots and naliases a size_t [0be919384f3f] * RUNSON: added KSR, upped rev to 1.3.1b2 [ce04ee6faadf] * logging.c, parse.yacc: 1024 -> BUFSIZ [cd6dda45fa11] * parse.yacc: void * -> VOID * naliases and nslots are now size_t to appease lsearch on 64-bit machines [bf2f807c0dc1] 1995-04-09 Todd C. Miller * TODO: did a bunch of things and added a bunch :-) [42afd957b829] * PORTING: updated [972f95c85776] * visudo.man: closer to BSD manpage style [07ae88f50325] * sudo.man: closer to standard BSD man format [372c28dcc135] * compat.h, config.h.in, emul/search.h, insults.h, options.h, pathnames.h.in, sudo.h, version.h: added RCS id [c0ec90b81002] * sudo.h: removed crufty #defines that are no longer used [35e2b4b477f0] * BUGS: fixed a bug [5bb3e1bee85e] * sudo.man: updated based on sudo changes [e65de1cae438] * parse.yacc: now allow ALL keyword in User_Aliases now allow ALL keyword as well as a NAME or ALIAS [1fb31404dd0f] * CHANGES: updated [b24018ac610b] * sudo.c: now sets SUDO_COMMAND and SUDO_GID envariables. [e9d791557fb7] * aclocal.m4: fixed bug with full void impl check [35715301023c] * parse.yacc: fixed User_Alias supoprt [4c30dfbaaa07] * parse.yacc: added stubs for User_Alias support [f4afbd247edf] * sudo.c: now sets removes # bogus interfaces from num_interfaces [6f077fac9ab1] * parse.lex: added User_Alias support [bc7997e5df85] 1995-04-08 Todd C. Miller * Makefile.in: removed extraneous TODO [bc87a3b14d6d] 1995-04-07 Todd C. Miller * visudo.c: ntwk_matches -> addr_matches [475044e288b8] * parse.yacc: ntwk_matches -> addr_matches [dd1f4093fd2d] * parse.c: ntwk_matches -> addr_matches now use inet_addr() not inet_network() (which expects octet boundaries) fixes for OSF (sizeof(int) != sizeof(long)) [acd2f556940f] * sudo.c: took out debugging info [044023063eca] * aclocal.m4: OS was being set to unknown before non-uname based host checks. This caused no checks to happen since $OS was not zero-length. [335a7267479d] * sudo.c: fixed loading of interfaces struct still has debugging info in though [2d1a18998c1e] * parse.c: fixed typo [175674a3a9fa] 1995-04-06 Todd C. Miller * Makefile.in: ++version [55d191b5daa3] * version.h: ++ [d7d1f115696a] * visudo.c: removed extraneous extern decl of "top [50355621047d] * visudo.c: now zeros "top" [4e683210345b] * parse.yacc: removed parser_cleanup (no need for it now) [afa59f222b6c] * parse.lex: now calls reset_aliases() directly [3a23cbd60fc0] 1995-04-04 Todd C. Miller * OPTIONS: added a sentence to SECURE_PATH description [c5bf75b85af0] * parse.c: fixed my stupid bug where I used NAMLEN on something I wanted to just get the name from. argh. [111f460f6540] 1995-04-03 Todd C. Miller * lsearch.c: fixed argument order of memmove() that i hosed when converting from bcopy(). arghh. [2f5336045c8b] * Makefile.in: finally fixed DISTFILES line [a1b419e73a63] * Makefile.in: tabs -> spaces [280fb03e5764] * Makefile.in: added missing files to DISTFILES [991fc1cd2263] * Makefile.in: SUPPORTED -> RUNSON [7580e65b05fb] 1995-04-01 Todd C. Miller * TODO: updated [fe764a29c1cc] * RUNSON: updated for pl5b1 release [aefc35bd2291] * BUGS, TODO: updated [8f0ea249b687] * check.c: fixed bug where if you hit return at first sudo prompt it would still log as a failure [24539c854692] * CHANGES: updated [251cc7b3ede4] * aclocal.m4: better test for bogus void * implementation [efe23180cb88] * logging.c: added PASSWORDS_NOT_CORRECT [bd12c73f83f7] * check.c: added PASSWORDS_NOT_CORRECT stuff] [90de391a979f] * sudo.h: added PASSWORDS_NOT_CORRECT [727fbeb76fc5] * tgetpass.c: moved pathnames.h [4f910e5a8df7] * sudo.c: removed some unused vars and fixed up uid2str [70e92c7f9076] * putenv.c: moved compat.h [b271091586f6] * getcwd.c, getwd.c: added pathnames.h [6f25218f133f] 1995-03-31 Todd C. Miller * parse.yacc: fixed a typo I introduced in the last checkin :-( [62c3af75c4fe] * parse.lex: can't have #ifdef's where N is defined so just do this the broken way for AIX [c5648a5594e4] * parse.yacc: better hack from Chris (but still a hack) [6b6d8aed93f3] * parse.lex: stupid hack for broken aix lex [efc3f9e5280e] * tgetpass.c: now includes compat.h  [401822173f77] * visudo.c: now includes fcntl.h [63865c2f8ac6] * compat.h: added FD_SET and FD_ZERO for 4.2BSD [00c5597c0bb0] * parse.yacc: dirty hack to fix parser bug. i don't really like this but it works for now... [5b8bbdc81569] * sudo.c: uid2str is now static like the prototype says [f2a97b5cb870] 1995-03-30 Todd C. Miller * CHANGES, SUPPORTED, TODO, TROUBLESHOOTING: updated [6f79c3e92716] * RUNSON: Initial revision [12a09ef9e884] * sudo.c: check_sudoers now returns an error code and sudo calls inform_user and log_error based on the return value. [340eca188d9a] * logging.c, sudo.h: added entries for new errors [6050d8542e1f] * parse.c: now set uid to that of SUDOERS_OWNER while parsing sudoers file [3683c42bc9b0] * Makefile.in: took out testsudoers  [65317d49db48] * sudo.c: now explicately checks that it is setuid root [2fe1be60ef6a] * sudo.c: If a user has no passwd entry sudo would segv (writing to a garbage pointer). Now allocate space before writing :-) [d08e7eb5e5ef] * configure.in: reordered AC_CHECK_FUNCS [4c82e56c6f4f] * config.h.in: fixed memset macro [77ede6b714ab] * tgetpass.c, visudo.c: bzero -> memset [1a005bb322c8] * logging.c: bzero -> memset when a parse error is logged the line number of the error is now logged too [a42d68047723] * INSTALL: added Sunos to blurb about c2 security [af750a1d131e] * configure.in: added a SUN4 define for C2 security [6ad5b23a3eb0] * config.h.in: bcopy -> memmove bzero -> memset [5494460c8464] * lsearch.c: bcopy -> memmove char * -> VOID * [a15f5c316e16] * check.c: added support for sunos with C2 security [03fea5bb21e6] * OPTIONS, options.h: reordered [1686265af3e1] * pathnames.h.in: _PATH_SUDO_LOGFILE now set based on configure [5867b58e4a04] * configure.in: added SUDO_LOGFILE and SUDO_TYPE_SIZE_T [1984d9fd1b5c] * config.h.in: added _SUDO_PATH_LOGFILE [dd3eebe62580] * aclocal.m4: added SUDO_LOGFILE to find where to put sudo.log added SUDO_CHECK_TYPE (just AC_CHECK_TYPE but checks unistd.h too) added SUDO_TYPE_SIZE_T (calls SUDO_CHECK_TYPE) [c589a515a99a] 1995-03-29 Todd C. Miller * TROUBLESHOOTING: Initial revision [f42f1baba3a8] * sudo.c: now do set_perms(PERM_ROOT) before the getpwuid() in load_global() to work around a problem is trusted hpux shadow passwords. yuck. [ae1f13b54687] * parse.yacc: backed out a change in malloc/realloc [ab868db0ad69] * parse.yacc: now include stdlib.h [957eef0631eb] * visudo.c: now do an freopen() of the stmp file so that yyin will always point to the same thing. This is important for flex since we are doing a YY_NEWFILE [44558922fd3e] * parse.yacc: replaced yywrap() with parser_cleanup() since yywrap() needs to be in parse.lex to be able to use YY_NEW_FILE. sigh. [12dd09921074] * parse.lex: now have a rule that matches anything that doesn't match an explicite rule. well, you know what i mean (. matches anything not yet matched). However, this means that there is input still queued up so we need to do a YY_NEW_FILE; in yywrap. So, yywrap has moved into parse.lex and it calls parser_cleanup() which is most of the old yywrap() sigh. [7f4042bc48d6] * SUPPORTED: no longer used [8f220be4da94] * getcwd.c, getwd.c: moved compat.h to be the last include file [9f3a65e2d485] * parse.yacc: fixed type of aliascmp() args [1c27eb989bdf] * find_path.c: NULL -> '\0' [5c8d8cf1692e] * parse.yacc: added casts to lfind and lsearch args for irix [61027ddeecf8] * Makefile.in: bsdinstall -> install-sh [61de6612c5a5] * INSTALL: added info about make realclean [29c6324d727f] * Makefile.in: updated VERSION added dependencies for visudo.cat [09077d7229d4] * version.h: -> pl5b1 [5d21c7ad1a41] * sudo.c: took out -l [fc1478d81b38] * Makefile.in: now there is a real visudo.man and visudo.cat [58aeac43a6dd] * sudo.man: took out visudo stuff [4a6ac4393343] * visudo.man: Initial revision [cba348843db8] * parse.c, parse.lex, parse.yacc: updated copyright [ffa16b70944a] * README: updated for pl5 [a26e423e9e5f] * sudo.man: updated Nieusma & Hieb email addresses [f0083e71989d] * INSTALL: updated to include options.h and OPTIONS [ee59e2b76c94] * CHANGES, TODO: updated [51e011ad5220] * BUGS: eliminated bug #1 (yay) [e7e88515494e] * configure.in: sunos no longer gets linked statically [2e5b3ff3108f] 1995-03-28 Todd C. Miller * parse.lex: prototype now uses __P() [68ecdcab4c70] * parse.lex: make fill() non-ansi [d6509972260b] * parse.c: made -v (validate) work [13c9d520638c] * logging.c: now gives host [f04859cdba5a] * find_path.c: don't check for execute/statable if fq or relative path given [4bbe851f3973] * parse.c: added a cast [345c308f72f3] * visudo.c: now include ctype.h for islower and tolower macros [582c0aa332d5] * goodpath.c: moved _S_IFMT & _S_ISREG to compat.h [828e4ca4e7b4] * sudo.c: moved a set of parens [5783474ecf37] * strdup.c: now include compat.h [75e2036b94af] * emul/search.h: void * -> VOID * [cedcfaf04161] * parse.yacc: now cast malloc & realloc return vals added search for HAVE_LSEARCH now use strcmp if no strcasecmp available [d6a42bc3d4ae] * lsearch.c: void * -> VOID * [886adc44f607] * config.h.in: removed HAVE_FLEX added VOID added HAVE_DIRENT_H, HAVE_SYS_NDIR_H, HAVE_SYS_DIR_H, HAVE_NDIR_H added HAVE_LSEARCH [3b50d7fb4349] * compat.h: added _S_IFMT, _S_IFREG, and S_ISREG [73d506c7d53c] * aclocal.m4: took out SUDO_PROG_INSTALL 1.x to 2.x changes added echo and results to most SUDO_* macros [8442155f5936] * Makefile.in: no more -I. [63462f195bd4] * configure.in: various 1.x ro 2.x autoconf changes now check for strcasecmp now use AC_INSTALL_PROG instead of custom one added check for fully woorking void implementation [5ac6b6e6230f] * Makefile.in: added lsearch & search.h visudo links into $(LIBOBJS) [bc119cda4598] * aclocal.m4: partial 1.x to 2.x changes added SUDO_FULL_VOID [1194d01fa5c5] * visudo.c: whatnow_help was prototyped to be static be was not declared as such [0f85489dd426] * configure.in: autoconf 2.x changes took out HAVE_FLEX (no longer used) added check for dirent/dir/ndir.h [7408f3854948] * parse.c: now use groovy gnu autoconf macro AC_HEADER_DIRENT [e465db9f5dfa] * getcwd.c, getwd.c: MAXPATHLEN -> MAXPATHLEN+1 [714d87424e21] * emul/search.h, lsearch.c: Initial revision [55d79482c535] 1995-03-27 Todd C. Miller * parse.yacc: eliminated bison warnings [61ca0a96da22] * parse.lex: added missing case [6be0f849747c] * visudo.c: now iincludes signal.h [221e0fcc144f] * parse.yacc: only clear data structures on a parse error [7b1c0f1a4527] * visudo.c: whatnow() now gives help on invalid input [e5a4cd88c587] * visudo.c: added a whatnow() function (sort of like mh) [932d9b145f1c] * parse.yacc: kill_aliases -> reset_aliases yywrap() now cleans up by calling reset_aliases() and clearing top took reset stuff out of yyerror() since it doesn't beling there (and doesn't work anyway). errorlineno is now initially set to -1 so we can set it to the first error that occurrs (it was getting set to the last) [2f71f95a974c] * parse.lex: added a void cast [18ae6042dce4] * visudo.c: rewrote from scratch based on 4.3BSD vipw.c [2f6814f18576] 1995-03-26 Todd C. Miller * sudo.c, sudo.h: removed ocmnd [a31735f41ad4] * sudo.h: no more sudo_realpath() and find_path() changed params [8e85c3b39159] * sudo.c: find_path() changed since no more realpath() [b25366c7f2ee] * parse.yacc: on error, errorlineno is set to the line where the error occurred added kill_aliases() to free the aliases struct now clean up in yyerror() so we can reparse cleanly [2342f578c27a] * options.h, parse.c: no more USE_REALPATH [cfc59babeaff] * logging.c: changed to use new find_path() [91c7a38e7751] * find_path.c: removed all the realpath() stuff [cc21a43a8562] * Makefile.in: sudo_realpath.c -> sudo_goodpath.c [03a9b1ddec2f] * visudo.c: now works correctly with utk parser [08aa554a0ce8] * goodpath.c: Initial revision [1ea607e1ffb2] * sudo_realpath.c: eliminated a compiler warning [198bcccc55b6] * sudo.c: elinated compiler warning [e2384f9a878b] * sudo_realpath.c: added sudo_goodpath() [43878c4cc540] * sudo.h: added prototype for sudo_goodpath [23e8627a2265] * parse.c: added support for /sys/dir.h [eca897087741] * options.h: USE_REALPATH turned off [620ac8b63d85] * find_path.c: added calls to sudo_goodpath() [ad170904fbcd] * configure.in: added check for dirent.h [7964a8c26855] * config.h.in: added HAVE_DIRENT_H [1f785fec7e19] * configure.in: added in linux shadow pass stuff  [e585a5785f50] 1995-03-24 Todd C. Miller * visudo.c: added back host, user, cmnd, parse_error [0ec19f3d64f4] * visudo.c: added in utk changes plus some minor cosmetic changes [c5c1921c8a58] * sudo.c, sudo_realpath.c: added void casts for printf's [9c6ff11c0082] * options.h: added a define of USE_REALPATH [db3711c9efc5] * configure.in: there is no more visudoers/Makefile [36e1bc1f78d0] * Makefile.in: added in utk changes (visudo is now built from the toplevel) [76203d4b345d] * find_path.c: added (void) casts to printf's [dd5cb1e060ac] * parse.c, parse.lex, parse.yacc, sudo.h, sudo_realpath.c: merged in utk changes [35563307fd8e] 1995-03-23 Todd C. Miller * find_path.c: now check to see that what we are trying to run is a file (or a link to a file, we do a stat(2) so there is no diff) [05889c4bcace] 1995-03-13 Todd C. Miller * CHANGES: updated [3e8047bb26fb] * Makefile.in: aclocal.m4 -> acsite.m4 make realclean updated for new autoconf  [0bdbaa7c4c7d] * sudo.man: added myself as maintainer [77a9d75aab84] 1995-02-17 Todd C. Miller * sudo.c: changed setegid -> setgid [7f4788d73b6f] 1995-02-06 Todd C. Miller * configure.in: fixed the test for irix 5.x to skip bad libs [bfef896de013] * aclocal.m4: now initialize OS and OSREV [cc302756e440] 1995-01-27 Todd C. Miller * configure.in: irix5 changes [ac985b23f5f2] * configure.in: AC_WITH -> AC_ARG_WITH changes other misc changes for autoconf 2.1 compatibility [0cf8c92a06d7] 1995-01-19 Todd C. Miller * visudo.c: use YY_NEW_FILE, not yyrestart since OSF flex doesn't do the righ thing wrt yyrestart (grrrr) [18e8eabfbb82] 1995-01-16 Todd C. Miller * Makefile.in: added visudoers/compat.h to DISTFILES [db23b574b034] * configure.in: fixed an echo [7cbc0462b89d] * sudo.c: added ocmnd declaration adjusted for find_path()'s new parameters [d929cd156474] * sudo.h: added ocmnd extern adjusted find_path() prototype [e0004daf5d3c] * parse.c: cmndcmp() now takes 3 arguments and checks against the qualified as well as the unqualified pathname. more code that should use cmndcmp() but did not, now does [6f70a8c17bee] * options.h: added to a comment [7a78680426b2] * logging.c: changed to use new find_path() parameter passing [840981d30db4] * find_path.c: find_path() now takes 2 copyout parameters (one for the qualified pathname and one for the unqualified pathname). The third parameter may be NULL. [851503b005e9] * configure.in: no longer munge pathnames.h [427d8796c5a9] * pathnames.h.in: changed _PATH_* to use _SUDO_PATH_* (which are defined in config.h) as a result, pathnames.h does not need to be run through configure and the user can override the configured values easily. [2e378f2ebe88] * config.h.in: added _SUDO_PATH_* entries [0857de7cebab] * aclocal.m4: _PATH* -> _SUDO_PATH_* [7601193f56cc] * Makefile.in: updated DISTFILES and HDRS .o's now depend on config.h [39d8601965cf] 1995-01-13 Todd C. Miller * compat.h: removed extraneous #endif [27d4c5f2ce7e] * aclocal.m4: added SUDO_PROG_MV [76dda3bdd816] * configure.in: added SUDO_PROG_MV added riscos and isc os types took out -DSHORT_MESSAGE from --with-csops since it is now the default [68c206ad976e] * sudo.c: move the include of id.h to compat.h now includes options.h [45a1eaafb3a8] * sudo.h: moved compatibility #defines to compat.h [0eee27057698] * pathnames.h.in: added _PATH_MV [e830797ab320] * config.h.in: move __P to compat.h [188e12e0ba93] * getcwd.c, getwd.c, putenv.c: now includes compat.h [c72cb6d73981] * compat.h: Initial revision [d4d2f359ae03] 1995-01-12 Todd C. Miller * sudo.h: pull user-configurable stuff out and put in options.h [ef929467b070] 1995-01-11 Todd C. Miller * parse.lex, parse.yacc, visudo.c: now includes options.h [e36d7c82add1] * check.c, find_path.c, logging.c, parse.c, sudo_realpath.c, sudo_setenv.c: now includes options.h [f186ba03de07] * Makefile.in: added visudoers/options.h [e5350c476494] * OPTIONS, options.h: Initial revision [9b6b5001e318] * Makefile.in: added OPTIONS and options.h [25448341e16a] * logging.c: changed #ifdef's to use LOGGING and SLOG_SYSLOG/SLOG_FILE [5dd6385dd1d3] * check.c, sudo.h: changed PASSWORD_TIMEOUT to minutes [0ec6aab98738] 1994-12-17 Todd C. Miller * visudo.c: now only do Editor +line_num if line_num != 0 [b69f04b5e3c7] 1994-12-16 Todd C. Miller * visudo.c: now use mv if rename(2) fails [83210dca1bab] * BUGS: added a visudo bug [d61a806f9aa7] * check.c: expanded comment [641f2cba94cb] 1994-11-12 Todd C. Miller * check.c: fixed user_is_exempt to return 0 if EXEMPTGROUP is not set [7a11135039a8] 1994-11-10 Todd C. Miller * sudo.c: added mips & isc support [e258dc053119] * parse.c: added support for non-root owned sudoers file [fea07e65a0fc] * check.c: added exempt group support [928fb4bd9ad5] * sudo.h: added set_perms() support added SUDOERS_OWNER so can have non-root own sudoers file added exempt group support added isc support [61c578d31fc1] * visudo.c: now copy sudoers to temp file via read/write (not stdio) now chown new sudoers file to SUDOERS_OWNER [a5176c59df70] 1994-11-08 Todd C. Miller * configure.in: added skey support [35a8d2fabdb7] * sudo_realpath.c: be_* -> setperms() [a1631d686e1c] * sudo.h: fixed typo added set_perms support added skey support added seteuid()/setegid() emulation for AIX [c0c8d6771406] * sudo.c: be_* -> setperms() now check to make sure sudoers file is owned by root nread/write by only root [13ab1e261f1a] * logging.c, parse.c: be_* -> setperms() [21499d845c8f] * check.c: be_* -> set_perms() added skey support [df51b56871c1] 1994-11-06 Todd C. Miller * Makefile.in: ++version [3c1abbe4e43c] * version.h: ++ [1d2f9b540a95] 1994-10-21 Todd C. Miller * sudo.c: now sets IFS [eabbb41b9f08] * insults.h: fixed typo [c7997f19216e] 1994-10-15 Todd C. Miller * config.h.in: added HAVE_SKEY [da948ec4186b] 1994-10-04 Todd C. Miller * CHANGES: updated [f4b55ab007ea] * Makefile.in: ++version [0489068b8c95] * version.h: ++ [d189faedf423] * sudo.c: now bail if ARgv[1] > MAXPATHLEN [0cea8ecc9dc2] * configure.in: added function check for tcgetattr(3) [e03289b22c2f] * config.h.in: only define HAVE_TERMIOS_H if you have tcgetattr(3) [757eab83d1a2] * config.h.in: added check for tcgetattr [c5ae92715930] 1994-09-26 Todd C. Miller * CHANGES: updated [cbc419883108] 1994-09-22 Todd C. Miller * parse.lex: now only include unistd.h for linux [e9adeab95ef0] 1994-09-21 Todd C. Miller * Makefile.in: added visudo.8 generation [d6a3f0f887f8] * configure.in: added -Wl,-bI:./aixcrypt.exp to aix flags [72594a21edcf] 1994-09-20 Todd C. Miller * BUGS: added one [9993a349e096] * CHANGES: updated [297b31ec4cdd] * README: added mailing list info [10372f94a2b2] * parse.yacc: now use sudolineno instead of yylineno fixed bison warnings [25a83e62057b] * configure.in: now use -no_library_replacement for osf don't make a static binary for hpux >= 9.0 [1fa7b892f1a3] * tgetpass.c: added string.h/strings.h inclusion [71faa98fc0a1] * config.h.in: added ssize_t def [406284bd1ac0] * parse.lex: added inclusion of string.h/strings.h [6985b1df5d09] * aclocal.m4: fixed uname | sed (needed to quote the '[') [4cd2d3415c1a] * parse.lex: replaced yylineno with sudolineno fixed bison syntax errors [0bd31a5fab26] * visudo.c: changed yylineno to sudolineno since yylineno cannot be counted upon. [38c30104d0ae] * TODO: updated [5d4746f1a752] * parse.c: added code to support command listings [030172e133fd] * sudo.c: added code for -l flag [801dbbc82778] * sudo.man: fixed typo added info for -l flag [8916ca945d65] * configure.in: AC_SSIZE_T -> SUDO_SSIZE_T [c61f7f47013f] * aclocal.m4: added SUDO_SSIZE_T [0ccdb77be84d] * sudo.h: added MODE_LIST [9b2bd844c76c] * configure.in: added AC_SSIZE_T [35cca208f9b5] * find_path.c, sudo_realpath.c: readlink() is now declared as returning ssize~_t [0640a08d1407] * configure.in: added -laud for OSF c2 [b7539c905efc] 1994-09-02 Todd C. Miller * Makefile.in, visudo.c: changed sudo-bugs.cs.colorado.edu -> sudo-bugs@cs.colorado.edu [067fd9bcb5e1] * config.h.in, parse.lex, parse.yacc, pathnames.h.in: changed sudo-bugs.cs.colorado.edu -> sudo-bugs@cs.colorado.edu [fc46e7c7110a] * check.c, find_path.c, getcwd.c, getwd.c, insults.h, logging.c, parse.c, putenv.c, strdup.c, sudo.c, sudo.h, sudo_realpath.c, sudo_setenv.c, tgetpass.c, version.h: changed sudo-bugs.cs.colorado.edu -> sudo-bugs@cs.colorado.ed [d1d4fbc53a98] 1994-09-01 Todd C. Miller * Makefile.in: ++version [b7066d97633f] * version.h: ++ [65ec69d88110] * logging.c: added host to alertmail messages [d973c19ce777] * CHANGES, TODO: udpated [5a65eb16faeb] * logging.c: fixed logging problem where mail would not say which user it was [35723edcc5d2] * configure.in: added -laud for gcc if osf & c2 [18f1e0ae5548] * check.c: moved set_auth_parameters to sudo.c [d23112fe01db] * sudo.c: added set_auth_parameters for osf [eb70f65214ac] * configure.in: cleaned up -static stuff [01e9575f0422] * Makefile.in: ++version [7ac3bff5c770] * version.h: ++ [10a4ff478469] * sudo.c: changed setenv() to sudo_setenv() [40a78abb9946] * check.c: fixed osf problem [3d69b118efb8] * configure.in: added OSF C2 stuff [38cff3ad4093] * CHANGES: updated [cd341dd0581a] * check.c: added osf auth support & removed some extra spaces [a448cdd81514] * INSTALL, SUPPORTED: added osf C2 stuff [f70484796146] 1994-08-31 Todd C. Miller * TODO: added 2 suggestions [695fbdbd86e6] * Makefile.in: removed README.v1.3.1 and added VERSION stuff [f69403eb04c6] * version.h: pl1 [21580c0f8cb1] 1994-08-30 Todd C. Miller * version.h: 1.3.1final [630114970298] * Makefile.in: added HISTORY [901bff251614] * sudo.man: mention HISTPRY file [86dbcfd4326e] * sudo.c: use sizeof instead of a constant in 1 place [d819604c68ca] * parse.yacc: added unistd.h [6f9500f9fe7e] * parse.lex: added unistd.h [468b81a276eb] * README: udpated [7e275618923a] * HISTORY: Initial revision [5db1b0a3939b] 1994-08-17 Todd C. Miller * version.h: ++ [7dfbb4a810bb] [SUDO_1_3_1] * CHANGES: updated [7820ee610bf8] * sudo_setenv.c: added unistd.h include [30cf2b654525] 1994-08-16 Todd C. Miller * sudo.c: added sys/time.h for AIX [199fc8caf3a3] 1994-08-15 Todd C. Miller * configure.in: added check for -lsocket and sys/sockio.h [f9abfbb31031] * config.h.in: took out libshadow check and added in sys/sockio.h check [0c4b0393ac80] * sudo.c: now include sockio.h instead of ioctl.h if it exists "sudo -" now gets a better error message [53041bea5483] * sample.sudoers: now has a dir and subnet entry [56b820f65438] 1994-08-13 Todd C. Miller * sudo.c: removed if_ether.h [b4f64507493e] * TODO: added an item [ea2a1bb6922a] * sudo.man: added network and ip addresses to man page [01c85016511f] * sudo.c: no error if can't get interfaces or netmask since networking may not be in the kernel. [50b8890e2134] * parse.c: nwo check for interfaces == NULL [dc1b3eef0db2] * parse.c: fixed a bug that caused directory specs in a Cmnd_Alias to fail if the last entry in the spec failed (ie: it was only looking at the last entry). CLeaned things up by adding the cmndcmp() function--all neat & tidy [007e93578e5e] * CHANGES: added one [40e8a2cef497] 1994-08-12 Todd C. Miller * sudo.c: now do two passes to skip bogus interfaces (lo0, etc) [465e30aecaf7] * parse.lex, parse.yacc, visudo.c: added include of netinet/in.h [11e3816ed362] * logging.c, sudo_realpath.c, sudo_setenv.c: added ninclude of netinet/in.h [daccfa40fe1e] * check.c, find_path.c, getcwd.c, getwd.c: added include of netinet/in.h [0222f95e06ad] * version.h: ++ [d6b0cfa35a38] * sudo.h: added interfaces global [ba52fa8ad75e] * parse.c: now uses new interfaces global [17473ad5ecba] * sudo.c: now ip addresses are gleaned fw/o dns [8828bb2007e0] 1994-08-10 Todd C. Miller * sudo.c: added load_ip_addrs() to load the ip_addrs global var [60c825f04238] * parse.c: added hostcmp() to compare hostnames, ip addrs, and network addrs [ab0e40e37537] * sudo.h: added ip_addrs def added load_ip_addrs prototype [c41c565d0777] 1994-08-08 Todd C. Miller * CHANGES: updated [2a128dbe9bcb] * Makefile.in: removed multiple entries in DISTFILES [2490f4f371e6] * visudo.c: ansified the !STDC_HEADERS decls [646ba06d17ae] * find_path.c, getcwd.c, getwd.c, putenv.c, strdup.c: don't do malloc decl if gnuc [f1bad1925f98] * sudo.c: can't use getopt(3) since it munges args to the command to be run as root don't do malloc decl if gnuc [38e78f6da14e] * find_path.c, getcwd.c, getwd.c, putenv.c, strdup.c, sudo.c, sudo_realpath.c, sudo_setenv.c: ansi-fied !STDC_HEADER function prottypes [51d8cad89976] * getcwd.c, getwd.c: added missing paren [6a1fae70e27e] * Makefile.in: added putenv.c to DISTFILES [a5e4523eabbb] * sudo_setenv.c: added params to func decls when STDC_HEADERS is not defined now can count on putenv() being there [fd587796189b] * sudo_realpath.c: took out errno decl since sudo.h does it for us fixed up a next cc warning added params to func decls when STDC_HEADERS is not defined [70fa5152ace6] * sudo.h: took out environ extern added local declaratio of putenv() if local version is needed [a84bae6c020d] * find_path.c, getcwd.c, getwd.c, strdup.c, sudo.c: added params to func decls when STDC_HEADERS is not defined [f406f0e47ac0] * config.h.in: added memcpy check check to see that ansi vs bsd macros are ntot already defiend before defining (ie: avoid redefinition) [879ae026e19f] * configure.in: removed fluff setenv check plus check w/ replace for putenv if also no setenv [e3c03814ad4b] * putenv.c: Initial revision [3cff63e2dc1b] 1994-08-06 Todd C. Miller * sudo_setenv.c: Initial revision [4d637631fa6b] * sudo.h: rm'd s realp[ath added sudo_realpath and sudo_setenv [07ba001ff57e] * sudo.c: now use sudo_setenvc [fd81e04d5ef0] * configure.in: added puteenv and setenv, removed realpath [27bfacfb513b] * config.h.in: added putenv & setenv [515f14eaf6e4] * Makefile.in: added sudo_setenv [217731a717c5] * version.h: ++ [eadb346d7129] 1994-08-05 Todd C. Miller * configure.in: added MAN_POSTINSTALL and /usr/share/catman for irix [2a9496c1bdba] * Makefile.in: added MAN_POSTINSTALL [89b0d4695529] * CHANGES: added [48c021ba8a70] * sudo.man: added SUDO_* plus new options [c0759cff5683] * CHANGES: added one [7d44a3922d56] * configure.in: took out shadow lib [07cf3de18701] * TODO: adde done [a27a578e8afe] * visudo.c: now use yyrestart() if flex now reset yylineno to 0 [77d67ce0b677] * Makefile.in: support for installing a cat page instead of a man page if no nroff [44671c0fc0fa] * configure.in: now defines HAVE_FLEX fixed up man stuff so that it looks for nroff to determine whether or not to install a cat or man page [0562d069c135] * config.h.in: added HAVE_FLEX [c5490bae39d3] * sudo.c: not set ret to MODE_RUN initially [88b4983c195b] * find_path.c: made command (and therefor cmnd dynamically allocated) [95b82e32b6de] * TODO: did #8 [fb6f41308cdf] * version.h: ++ [14112ecab5ae] * sudo_realpath.c: changed bufs from MAXPATHLEN to MAXPATHLEN+1 [0ad4f34e55c0] * sudo.h: added MODE_ removed validate_only and added remove_timestamp() [dd5f99c57728] * sudo.c: usage() now takes an int (exit value) added parse_args() to parse command line arguments moved call to find_path() from load_globals to new function load_cmnd() removed validate_only global -- now use the concept of "modes" added -h and -k options [c3887090b28a] * parse.c: no longer use global validate_only now checks for command called "validate" removed check for non-fully qualified commands since that is done by find_path [7d56fbd26369] * find_path.c: changed MAXPATHLEN r to MAXPATHLEN+1 [a86e8664d971] * find_path.c: fixed off by one error with MAXPATHLEN and fixed a comment [58adcef8c981] * check.c: check_timestamp no longer runs reminder(), it is implied in the return val added remove_timestamp() [42ab5a77066f] * CHANGES: updated [8e69b31df024] 1994-08-04 Todd C. Miller * BUGS: fixed on [bc34f1ac4280] * sudo_realpath.c: took out old_errno [a168d00a0768] * CHANGES: updated [04ba80922df7] 1994-08-03 Todd C. Miller * logging.c: moved send_mail to after syslog [4d4188087834] * sudo.c: now set SUDO_ envariables [e5963f1bd3bb] 1994-08-01 Todd C. Miller * version.h: ++ [2a4534845d8c] * sudo_realpath.c: now print error if chdir fails [0d75c8973d49] * find_path.c: removed an XXX [e2077bcb35aa] 1994-07-26 Todd C. Miller * CHANGES: updated [e30a2b39b41a] * configure.in: no more static binaries for aix [77a0beb6bd80] 1994-07-25 Todd C. Miller * INSTALL: fixed typo [ba5e0d391bc4] * sudo_realpath.c: took out stuff not needed for sudo now does be_root/be_user itself now uses cwd global [4f6d4641d793] * version.h: +=2 [97da927b297c] * logging.c, sudo.c: be_root/be_user is now down in sudo_realpath() [f331662fa50f] * logging.c, sudo.h: now works with 4.2BSD syslog (blech) [98e39d89dd36] * find_path.c: now use sudo_realpath() [ab436a8ebd02] * config.h.in: took out realpth() stuff since we now use sudo_realpath() [8de5ef9f6044] * configure.in: ultrix enhanced sec [815fb7fffcc0] * SUPPORTED: added ultrix enhanced sec. [6466766c8062] * INSTALL: updated [d681a634297a] * check.c: ultrix enhanced security suport [f10c8decbcc2] * Makefile.in: added sudo_realpath.c [6b9bcd3be022] * CHANGES: updated [2fa8084c1b53] * tgetpass.c: increased passwd len to 24 for c2 security [ec64838be62d] * BUGS: updated BUGS [ca00d8fec2ce] 1994-07-15 Todd C. Miller * check.c: now use user global var [568769719013] * configure.in: took out -ls [490a44180d5f] 1994-07-14 Todd C. Miller * configure.in: added AFS libs [4fb40c8c01ba] * sudo.h: user is now a char * added epasswd [27a919fafdfb] * sudo.c: added tzset() to load_globals added epasswd (encrypted password) global made user dynamically allocated [b99ef9bdbfce] * configure.in: added tzset test [27592dd1214b] * config.h.in: added HAVE_TZSET [b13f4213f3d0] * check.c: cleaned up encrypted passwd grab somewhat [c8ba9a4db38a] * configure.in: fixed AFS typo [2bfcbce237b6] * INSTALL: added AFS not [80c67329393c] * CHANGES: udpated [2f09ecdd5d31] * logging.c: can now log to both syslog & a file [4d5c0932bc01] * sudo.h: added BOTH_LOGS [623c539be824] * CHANGES: updated [a1c7f5ef3616] * configure.in: --with-AFS [28718d8f5daf] * config.h.in: added HAVE_AFS [2e32bb4e63e4] * check.c: added afs changes [fe4d0ff320a2] * sudo.h: removed AFS stuff :-) [a40387e6fa27] * tgetpass.c: include sys/select for AIX [f32c5a8f2c84] * sudo.h: added AFS [da2ab3dd0348] * version.h: ++ [452d4dfe25af] 1994-07-07 Todd C. Miller * CHANGES, SUPPORTED: updated [e7dfe6f23a37] * logging.c: can now have MAILER undefined [1d33b98b35e1] * INSTALL: new sub-note about MAILER [d35c636a0574] * sudo.man: added blurb about password timeout [70c2ee50de20] * configure.in: convex c2 changes [367138a6232e] * aclocal.m4: took out duplicate define of _CONVEX_SOURCE [647182138450] * Makefile.in: added OSDEFS [7fdcd50602d1] * config.h.in: added spaces [f2b8a05e48f3] * tgetpass.c: added a goto if fgets fails [68a6586d9c45] * sudo.h: use __hpux not hpux convex c2 stuff [5c377a8d5f34] * sudo.c: use __hpux not hpux [9363bc0f9f9e] * logging.c: convex c2 stuff [ea5630975ac4] * config.h.in: define ansi-ish cpp os defines if non-ansi are defined for hpux & convex [664f53a5e786] * INSTALL: updated to say we support sonvex C2 [5f2f8b87013e] * check.c: added convex c2 support [9a665d4918fa] 1994-07-01 Todd C. Miller * tgetpass.c: no more ioctl never returns NULL uses fgets() and select() to timeout [b333e6d63e97] 1994-06-29 Todd C. Miller * configure.in: things were testing -n "$GCC" instead of -z "$GCC" [059a9b15ede2] * tgetpass.c: now works + uses fgets() [353d7ebcb7bb] 1994-06-28 Todd C. Miller * tgetpass.c: select doesn't seem to recognize a single '\n' as input waiting so we can;t use it, sigh. [f76e3218b835] 1994-06-26 Todd C. Miller * PORTING: updated tgetpass() blurb [95baac736b49] * configure.in: added --with-getpass [42ac0bdf58ed] * Makefile.in: added tgetpass stuff [e2b38c635663] * tgetpass.c: now uses stdio [36af8ff66e35] * version.h: ++ [4e81c9db19bd] 1994-06-24 Todd C. Miller * PORTING: updated ,. [54f523770a05] * config.h.in: added USE_GETPASS && HAVE_C2_SECURITY [86b355cb2953] * configure.in: fixed a test aded --with-C2 and --with-tgetpass [abf6181588ef] * check.c: added hpux C2 shit [20d4177ffa88] * Makefile.in: took out tgetpass.* [cc82fd9984b4] * INSTALL: added C2 blurb [1d2bfc35e4b6] 1994-06-13 Todd C. Miller * configure.in: no termio(s) for ultrix since it is broken [d3e82e835350] * check.c: added a space (yeah, anal) [05e4b31ca68c] * realpath.c, sudo_realpath.c: fixed it (duh, rtfm) [f13097cb8cb6] 1994-06-08 Todd C. Miller * config.h.in: took out bsd signal stuff for irix [e179cdafc97a] * visudo.c: comments in #endif [e3a629190f5e] * configure.in: don't define BSD signals for irix [3ce57bffb7f0] * TODO: did some... [274241cd0f74] * CHANGES: updated [8f29fc755faf] * realpath.c, sudo_realpath.c: took out unneeded code by changing where a strings was terminated [b5564d62d30e] 1994-06-07 Todd C. Miller * realpath.c, sudo_realpath.c: fix bug where /dirname would return NULL [b85f470daf26] * sudo.h: move __P to config.h [7763c0ff3f28] * getcwd.c, getwd.c, realpath.c, sudo_realpath.c: added errno definition [4cc9d2d9782a] * config.h.in: added __P [ca06f5aa58f3] * config.h.in: added HAVE_FCHDIR [206d714641e0] * strdup.c: now include stdio [0d8458da0e1d] * realpath.c, sudo_realpath.c: now works if no fchdir [e035911b6722] * visudo.c: define SA_RESETHAND to null if not defined [afec03e84342] * configure.in: added check & replace [c1a65481441c] * configure.in: took out -static for nextstep -- it doesn't work [fa1a1a611743] 1994-06-06 Todd C. Miller * logging.c: moved #endif to where it belongs [07d3a8972097] * SUPPORTED: correction [0c1ecba3e5a3] * configure.in: now checks for strdup realpath getcwd bzero [f029a1917515] * config.h.in: emulate bzero [d792352e44a3] * visudo.c: added posic signals [2ed0005f90fc] * tgetpass.c: bzero cast [6d91b1a1526f] * logging.c: added posix signals [67ede9c22a05] * configure.in: removed BROKEN_GETPASS added new srcs toreplace missing functions [cf44274bb1c8] * config.h.in: added posix signal stuff [a3c1c98fe8ef] * Makefile.in: added new srcs [b6a079afee47] * visudo.c: updated useag [589ed091c44f] * tgetpass.c: now uses posix signals [30f74964074f] * PORTING: updated sto reflect major changes [bcfc309e017b] * CHANGES, TODO: updated [23aacbd54278] * tgetpass.c: uses sysconf() if available [a27431c90bab] * sudo.h: added PASSWORD_TIMEOUT + prototypes for new functions [d7473c2f77c4] * realpath.c, sudo_realpath.c: for those w/o this in libc [1e47aa7a9d46] * getcwd.c, getwd.c: Initial revision [c90dea57a84f] * find_path.c: rewrote to use realpath(3) - nis now all my code [d2c3bb8fb37d] * config.h.in: added HAVE_REALPATH [02c10352a8c7] * check.c: now use tgetpass [b5c021fc179f] * Makefile.in: added LIBOBJS use tgetpass.c [230a7b3eeaa3] 1994-06-05 Todd C. Miller * tgetpass.c: works now :-) [025e7a3875ba] * tgetpass.c: Initial revision [3316ab33b230] * pathnames.h.in: added /dev/tty [29242585e53f] 1994-06-04 Todd C. Miller * version.h: incremented [f2e54b48280f] * sudo.c: always use getcwd [c6068e8a4029] * config.h.in: added check for getwd [ab1e102ad673] * configure.in: replace strdup & realpath & getcwd if missing [b0eb14f2a1c3] * pathnames.h.in: added _PATH_PWD [309d2388f69a] * aclocal.m4: added SUDO_PROG_PWD [e16e85deb96c] * strdup.c: Initial revision [810efdc15007] * realpath.c, sudo_realpath.c: Initial revision [d85eee438e09] 1994-06-03 Todd C. Miller * configure.in: quoted quare brackets [d0e7ca111d98] 1994-06-02 Todd C. Miller * sudo.c: no need to strdup() a constant [a8c44712df9a] * CHANGES: updated [71364129cca0] * sudo.man: added validate [0bb198095a26] * sudo.c: added -v to usage [31ea71f11dbb] * parse.c, sudo.c, sudo.h: added validate_only stuff [9bcd853d3c90] 1994-05-30 Todd C. Miller * configure.in: now finds sed [6374bb0d3f28] * aclocal.m4: $OSREV is now an int [ace0666d66cf] 1994-05-29 Todd C. Miller * configure.in: added mtxinu to caser [73a776887b16] * sudo.h: added EXEC macro [2e8eb28b710a] * sudo.c: now use the EXEC nmacro now only do a gethostbyname() if FQDN is set [56afb4f658d5] * logging.c: changed mail_argv[] def now use EXEC() macro [ddcabd28edb1] * check.c: took out crypt() definition [0e657724cf5f] * version.h: upped the version [62c5d66119fc] * configure.in: always look for -lnsl [d7b594f0313b] * aclocal.m4: added an echo [1caae3491dc5] * sudo.h: SHORT_MESSAGE is now the default [cfce35c3119a] * config.h.in: fixed typo [6499a564bf75] * configure.in: added missing AC_DEFINE(SVR4) for solaris [feef0b17b94f] * sudo.man: documented the -v flag [a6429f2bc2cf] * SUPPORTED: updated [088886e79540] * check.c: proto-ized crypt() [801e4ff5b121] * config.h.in: added LIBSHADOW undef [8df588e9ee2b] * configure.in: nwo set OS to be lowercase [561ebed833e4] 1994-05-28 Todd C. Miller * configure.in: now use SUDO_OSTYPE to set $OS [0e60aee23098] * aclocal.m4: now use uname to determine os [99705e58d400] * visudo.c: added prototypes & moved sig handler around [1f0bc8d23b51] * sudo.h: added prototyppes [be3935a2b163] * check.c, logging.c, sudo.c: added prototypes [2079b4605ab8] * parse.c: added comment [a34d147d8399] * config.h.in: nwo use _BSD_SIGNALS not _BSD_COMPAT [63663195f047] * aixcrypt.exp: Initial revision [890aed08357e] * Makefile.in: added aixcrypt.exp [1005a183105f] * parse.lex, parse.yacc: moved config.h to top of includes [9569c49aa5f3] 1994-05-25 Todd C. Miller * find_path.c: now don't bitch if get EACCESS (treat like EPERM) [dbeffb638de4] * visudo.c: added -v flag and usage() [4d44ed60ed75] * version.h: fixed a typo [cf3f9347ae41] * sudo.c: cast Argv to a const for exec added -v flag [d11b6efc0e45] * logging.c: mail_argv is now a const [93bb5d90bb6f] * configure.in: only set RETSIGTYPE if it is not set already [c97aac260b77] * aclocal.m4: now defines & STDC_HEADERS for Irix [9c2b24ad1fc5] * Makefile.in: added version.h [9f79e880229a] * insults.h, sudo.h: prevent multiple inclusion [d68c8a9243ce] * version.h: Initial revision [dbb39c5ef8d9] * parse.lex, parse.yacc: now includes config.h [f117e036a56b] * aclocal.m4: now talks about sunos 4.x [c9054aa92d4e] * visudo.c: calls to Exit now pass an arg [a92104670551] 1994-05-24 Todd C. Miller * visudo.c: signal handler now takes an int argument [26f480c41523] * CHANGES: updated [8c166a9d796b] * sudo.c: ok, the getcwd() is now *really* done as the user [ab86cf85134a] * configure.in: changed AIX STATIC_FLAGS [b9c0a3ba5663] * aclocal.m4: solaris now defines SVR4 [c3e20cac96f5] * sudo.h: added cwd and fixed stupid core dump that makes no sense. sigh. [7a9755436dbb] * sudo.c: moved getcwd stuff into load_globals [ec2bc90df1f3] * parse.c: took out externs that are in suod.h [93c4b3f856d7] * logging.c: moved cwd into load_globals [050de754d228] * find_path.c: moved cwd stuff [22f3f3b4c34d] * Makefile.in: fixed make distclean & realclean [c9964d89bcef] * TODO: updated ., [e513581ef0e3] * CHANGES: added solaris changes [505d930daf27] * aclocal.m4: added solaris changes, need to rework [33f20fb16c49] * configure.in: cleaned up for solaris [2fb8cfa05d0f] * logging.c: reinstall reapchild signal handler for non-bsd signals [3d1dc545113d] * sudo.h: took out getdtablesize() emulation for HP-UX (no longer needed) [1fc83d170f34] * sudo.c: support for HAVE_SYSCONF [50ca2a7a224a] * visudo.c: added for solaris & reorg'd the includes + minor prettying up / [0a570e826dd4] * config.h.in: added HAVE_SYSCONF [2b9a9f3a4e94] 1994-05-16 Todd C. Miller * configure.in: now tells you what os you are running /. [06c6332a895b] * aclocal.m4: took out extra ',' [e8c75ce59f4a] 1994-05-14 Todd C. Miller * config.h.in: added _BSD_COMPAT [73c5099806c2] * aclocal.m4: fixed for irix5 [1047d1f6c0eb] * CHANGES: updated [1bc4969fee96] * sudo.c: uid seinitialized to -2 [8d7812b1878b] 1994-04-28 Todd C. Miller * sudo.c: now removes LIBPATH for AIX [075392eb1dd9] 1994-03-13 Todd C. Miller * configure.in: now uses ufc if it finds it [ab6ce30a5958] 1994-03-12 Todd C. Miller * sudo.h: no longer define yyval & yylval since yacc does it [09d250aea50a] * parse.lex: now defines yylval as extenr [8ec2b88952bc] * configure.in: BROKEN_GETPASS is now an OPTION [3714f4bb8312] * config.h.in: took out BROKEN_GETPASS [9c4f6aa50137] * Makefile.in: took out big comment [4c13cff0e556] * README: updated [b8b9902b620d] * Makefile.in: took out README.beta [ed2cd861e82b] * SUPPORTED: Initial revision [2fffc51e6606] * INSTALL: now reference SUPPORTED ., [d112c30be1f2] * config.h.in: now check for convex OR __convex__ [a0e5701a3069] * aclocal.m4: now check for convex or __convex__ [5dae2bfbe3bc] * Makefile.in: added dist target [400a54de57db] * aclocal.m4: use __convex__ [58a19470ed0b] * find_path.c: now use _S_* stat stuff to be ansi-like [28cce560e048] * INSTALL: updated for configure directions [a034ccc7c30a] * Makefile.in: distclean now removes config.h and pathnames.h [300f2349b4ab] * CHANGES: updated [646f7e9430c1] * TODO: fixed typoe [70fd6361b2bc] * visudo.c: updated version [cf13d87d789f] * Makefile.in: updated version [8c5dacc27a7a] * config.h.in, pathnames.h.in: added copyright header [747ce3d3d6b7] * check.c, find_path.c, insults.h, logging.c, parse.c, parse.lex, parse.yacc, sudo.c, sudo.h: udpated version [4751c39bad18] * visudo.c: udpated to use configure + pathnames.h [d45dff76a1cd] * aclocal.m4: updated [f05a367a55be] * Makefile.in, config.h.in, configure.in: updated [524778598879] * sudo.h: now works with configure [83fc40e533f4] * check.c, find_path.c, getpass.c, logging.c, parse.c, sudo.c: updated to work with configure + pathnames.h [cb67fa6ab52d] * Makefile.in: added LEXLIB [f43cad4ab0a2] 1994-03-10 Todd C. Miller * COPYING: updated gnu general licence to versio 2 [2b0b56112ddc] * config.h.in, pathnames.h.in: Initial revision [4b586f39ec2d] * sudo.h: changed to work with configure [13f3506ddf16] 1994-03-09 Todd C. Miller * Makefile.in, aclocal.m4, configure.in: Initial revision [a8636ae77371] * visudo.c: now uses defines used by configure [de438d118993] 1994-03-01 Todd C. Miller * find_path.c: sudo won't bitch about EPERM now, for real [ce26d9ef7e3f] 1994-02-28 Todd C. Miller * logging.c: renamed exec_argv to eliminate a libc name clash with ksros [bcb4350d8411] * CHANGES: corrected [dae68d422efd] * logging.c, sudo.c, sudo.h: execve -> execv [40cc2c4bdb15] * TODO: upated [9275a8b8fc45] * PORTING: added 2 mroe items [6cbb5c56993c] * CHANGES: updated [73f34f8e571a] * sudo.h: added UMASK and mode_t declaration [7c2015e1d171] * sudo.c: added UMASK [d37be7523680] * logging.c: now opens log file with mode 077 [0825cc3ee841] * check.c: saved current umask ans restores it [659c1aaae8e8] * sudo.h: added MAXLOGFILELEN [34331c7dee90] * logging.c: split long log lines. FOr syslog, split into multiple entries, for a log file, indent the extra for readability [72c9e4cdba6e] 1994-02-27 Todd C. Miller * CHANGES: added changes [81196833673d] * sudo.h: MAXLOGLEN & MAXSYSLOGLEN are now different (as they should be) [1aa69e903840] 1994-02-25 Todd C. Miller * TODO: added input from Brett M Hogden [80f01fc88ce9] 1994-02-16 Todd C. Miller * sudo.c: added rmenv() to remove stuff from environ. can now uses execvp() OR execve() becuase of this. [e7fc2535bd67] * logging.c: now uses execvp() OR execve() [56391aa1f99d] * sudo.h: added USE_EXECVE [f21f38050b95] * sudo.h: added environ [6b805e23c6f6] * find_path.c: now ignore EPERM [c8fd7117a1d7] * sudo.h: moved some func decls out of sudo.h and into sudo.c as statics /. [5f555c267d27] * CHANGES: updated [431f478af320] * sudo.h: took out Envp [6f722be7793d] 1994-02-14 Todd C. Miller * BUGS: Initial revision [4a8ecf0da95c] 1994-02-10 Todd C. Miller * CHANGES: added SECURE_PATH [1c72cb222609] * sudo.c, sudo.h: added SECURE_PATH [5bf5357a63c5] * sudo.h: added SECURE_PATH [3976a74405ac] * INSTALL: added sample.sudoers note [1b395d29aaeb] * sudoers: Initial revision [485888d07477] 1994-02-09 Todd C. Miller * find_path.c: fixed typo [bfc3cc4d41ca] * PORTING: took out SAVED_UID garbage [b7c2d3469661] [SUDO_1_3_0] * INSTALL: mentioned HAL [253d6695df90] * sudo.h: added HAL line [29ec1a4ac6de] * insults.h: added HAL insults [7d7c96d77c74] * TODO: updated [aa2ed9790586] * logging.c: more verbose error if mailer not found [fca47fd00cb6] * check.c: now do getpwent as root for soem shadow password systems (bsdi) [e0339e110d46] 1994-02-08 Todd C. Miller * sudo.h: took out SAVED_UID garbade [fcb0e81dcdb5] * sudo.c: took out SAVED_UID garbage since it don't work [507e9513e9c2] 1994-02-06 Todd C. Miller * README: updated [d2b6b253dae5] * insults.h: added a missing space :-) [8940ea991f87] * sudo.c, sudo.h: took out multimax cruft [c2606b365181] * INSTALL: minor update [05fb6ee73131] * PORTING: finished [c4ac47c84dc5] * sudo.c: fixed a typo + indentation [7eab40aae8fa] 1994-02-05 Todd C. Miller * sudo.h: took outumoved some defines to the config file ,. ,. [defff05beb52] * PORTING: Initial revision [c803e9127959] * TODO: did #6 [c6fa1c946c31] * sudo.h: added HAS_SAVED_UID [6a88a39c0a07] * sudo.c: put back AIX cruft [a24d2507ddd4] 1994-02-03 Todd C. Miller * sudo.c: aix changes [1663915f754a] 1994-02-02 Todd C. Miller * CHANGES: updated [a8cc73747cae] * check.c, logging.c, parse.c, sudo.c, sudo.h: now is only root when abs necesary [3c9d12c5cdfe] * check.c: added missing %s\n [609320b72d89] 1994-01-31 Todd C. Miller * install-sh: Initial revision [b5bba140a175] * TODO: updated [c9d2eba602af] * CHANGES: updated [932f1fc3bb14] * sudo.c: now removed _RLD_* for alphas [54a36e648158] * INSTALL: updated for new config scheme [61c8ae800444] * find_path.c: more verbose eror messages [b4fd123db42d] 1994-01-27 Todd C. Miller * TODO: now have solaris [371002fbf266] * sudo.h: define __svr4__ for SOLARIS [0b5cf5ed936d] * check.c: added svr4 junk for shadow pws for solaris 2.x [91ed58f21618] * check.c, sudo.c: took out setuid(0) and setreuid(udi) garbage. Its not needed since we start out setuid with the correct perms. [07689e782b0b] * check.c, sudo.c, sudo.h: now use setreuid() [7d64d685d78e] 1994-01-26 Todd C. Miller * sudo.man: revised AUTHORS secrtion & added ENV_EDITOR stuff to VARIABLES sectoin [b26967b1e19b] * visudo.c: now uses ENV_EDITOR if you want to use the EDITOR envar [a4f8fcb9bd1d] * sudo.h: now uses ENV_EDITOR if you want to use the EDITOR envar >> . [028cc55c4328] 1993-12-07 Todd C. Miller * README: minor update + spell fix [a411717a7249] * INSTALL: rewrote most of this [a6750923f9c9] * sudo.h: added all options that are in the Makefile [6db3b3b841b3] * getpass.c: now use USE_TERMIO #define for sgi & hpux [b91f89ae6be1] * TODO: todo: posix sigs [4548a56eb2ef] 1993-12-06 Todd C. Miller * check.c, find_path.c: always include strings.h [1fc20bda92c0] * visudo.c: added STATICEDITOR [0596f820716e] * sudo.h: sgi has vi in /usr/bin too [94203b62bfd9] * sudo.man: added VISUAL [87c2844c4cac] 1993-12-03 Todd C. Miller * sudo.h: sue /usr/bin/vi on some systems [e3ad9190f35e] * sudo.c: fixed warning (include strings.h) [0b896de4d8a0] * sudo.man: added John_Rouillard@dl5000.bc.edu's changes (new features) [f41b4205a8cf] * CHANGES: changes from John_Rouillard@dl5000.bc.edu [6bdef8e948d5] * visudo.c: added EDITOR envar [5c4bf716de21] * check.c, find_path.c, parse.c, sudo.c: added patches from John_Rouillard directory spec uses EDITOR [f62a435f8c41] 1993-12-02 Todd C. Miller * getpass.c: added flush for hpux [07cfdd6a7b55] 1993-11-30 Todd C. Miller * sudo.c: no longer assume malloc returns a char * [7480bd2756f3] * sudo.c: alpha change to remove LD_-like thing fixed SHLIB_PATH stuff -- now gets removed correctly [8587166c6ac8] * sudo.h: added STD_HEADERS macro [480f5a9a516c] * sudo.c: now uses STD_HEADERS macor for ansi [c5018806fd59] * find_path.c: now uses STD_HEADERS macro [ad821e0788ea] * check.c: niceties for C compiler bitches -- no real change [0fc0b1a5fb64] 1993-11-29 Todd C. Miller * visudo.c: now doesn't fclose a file never opened. [ee888ec9427d] 1993-11-28 Todd C. Miller * sudo.man: added visudo line [698d51c66407] * sudo.man: added error stuff added me in there... [d202fd34b906] * CHANGES: noted insults [998a22c2230c] * INSTALL: added blurb about reading stuff [e71db100798f] * sudo.h: added insults [c110431cec56] * insults.h: corrected somments and removed newlines [493706fd488c] * check.c: now uses insults [6d23cf06a0ef] * insults.h: Initial revision [83153c26b4a3] * INSTALL: added dec syslog note [555437273237] * sample.sudoers: added real stuff in there [53442a7fba78] * TODO: added a todo [c630472bd4dc] * TODO: added one [806464453284] 1993-11-27 Todd C. Miller * sample.sudoers: Initial revision [7db0a9f1ca8f] * sudo.man: updated with changes [d9bf254c6c08] * sudo.man: Initial revision [dd6f11174ac6] * indent.pro: Initial revision [dbfbb494fad9] * CHANGES, COPYING, INSTALL, README, TODO: Initial revision [6d98f489a079] * visudo.c: updated version number and took out jeff's old addr since it is no good [ee47c24818cb] * check.c, find_path.c, logging.c, parse.c, parse.lex, parse.yacc, sudo.c, sudo.h: updated version number and took out jeff's email (since it is invalid) [54616458a52e] 1993-10-28 Todd C. Miller * check.c: added fflush() [145c881f4fb4] 1993-10-23 Todd C. Miller * find_path.c: now return NULL instead pfof exiting for nopnn-fatal errors [8bc74f8cb1ae] 1993-10-21 Todd C. Miller * check.c: new banner [5387ab2af516] * parse.lex: now sudo.h gets included first [2acb01c18e18] 1993-10-18 Todd C. Miller * parse.lex: now can use flex [164d3839adf0] * sudo.h: linux patch [f1b6b1b1a2ca] * sudo.c: hpux 9 fix, removes SHLIB_PATH linux patch [67611dc1737f] * check.c: linux diff [c24536682397] 1993-10-15 Todd C. Miller * find_path.c: stat now ignores EINVAL [c7761a5dc642] 1993-10-06 Todd C. Miller * find_path.c, sudo.c: now declare strdup as extern [6b7d6f8784b5] 1993-10-04 Todd C. Miller * visudo.c: reformatted with indent + by hand [9d43084e4990] * check.c, find_path.c, getpass.c, logging.c, parse.c, sudo.c, sudo.h: used indent to "fix" coding style [489ffacbdc70] * find_path.c: now checks '.' or '.' or '' in PATH -- but does it LAST should maybe move the code that does this into the loop body. makes it messier tho. hmmm. [c4d22b48da9a] 1993-09-08 Todd C. Miller * find_path.c: redid the fix for non-executable files in an easier to read way plus some minor aethetic changes [84fe337f1426] * find_path.c: fixed bug with non-executable tings of same name in path introduced by checkig errno after stat(2). [c2a812cfcbc1] 1993-09-05 Todd C. Miller * sudo.c: fixed off by one error [fabb7cee0041] * find_path.c: now handles decending below '/' correctly [5d2ddfc0b220] * sudo.c: now actually builds Envp instead of munging envp [bdc4b08f6898] 1993-09-04 Todd C. Miller * parse.yacc: now includes sys/param.h [efbb494ab4de] * visudo.c: now includes sys/param.h [ad6c91d59958] * sudo.h: fixed ifndef -> ifdef [7aebe822d863] * qualify.c: make more like find_path.c [853b2dab2e03] * find_path.c: rewritten by millert [c6a043cc11b3] * sudo.h: fixed MAXCOMMANDLENGTH now uses USE_CWD and NEED_STRDUP added info about new defines in the comment [39ffefce3aec] * logging.c: now uses USE_CWD [fa0f3b118bb3] * sudo.h: added delc for clean_envp() and Envp [a12034e300c2] * sudo.c: now rips LD_* env vars out of envp and passed sanitized Envp to exec [d201a218e056] * logging.c: now uses execve() [f3e01032cd33] * find_path.c: ENOTDIR is ok now too (in case part of the path is bogus) [b5cbbb201bb5] * qualify.c: now works correctly (ttaltotal rewrite) [0c25d64a5c68] * parse.lex: now includes sys/param.h didn't match trailing / -- fix from rouilj@cs.umb.edu [b6363ba110af] 1993-06-11 Todd C. Miller * sudo.c: moved around the #ifndef _AIX [7d4330950c20] * check.c, logging.c, parse.c: Initial revision [c101e9572d7f] 1993-03-20 Todd C. Miller * qualify.c: Initial revision [5a5f21d0e0bf] 1993-03-13 Todd C. Miller * find_path.c: now works if you do sudo bin/test [07835120ce43] * find_path.c: works [c3da8b5efa20] 1993-03-02 Todd C. Miller * sudo.h: Initial revision [28a1caa38b72] * visudo.c: Initial revision [0e5cd7c3cdbe] * parse.lex, parse.yacc: Initial revision [5f2d0cccb06b] 1993-02-16 Todd C. Miller * sudo.c: took out errno.h [7466431a2655] * sudo.c: now spews error if exec fails and exits with -1 [e5c41ea725c1] * sudo.c: Initial revision [8aeabe39a0c2] * find_path.c: now only execs files with (an) executable bit set. [0a451f9c0e58] * find_path.c: Initial revision [02a534891a35] 1993-02-15 Todd C. Miller * getpass.c: added nice comment [ea8b2aaa9389] * getpass.c: now works on sgi's [bf2b7c6d0960] * getpass.c: Initial revision [9f4de251c1b5]