From 3a1004dc74b0fb7599a4d1f1805fcb798a562948 Mon Sep 17 00:00:00 2001 From: Bdale Garbee Date: Tue, 19 Feb 2008 11:19:54 +0900 Subject: [PATCH] Imported Debian patch 1.6.9p12-1 --- CHANGES | 16 ++++ Makefile.in | 4 +- README.LDAP | 14 ++- auth/kerb5.c | 143 +++++++++++----------------- config.h.in | 9 ++ configure | 236 ++++++++++++++++++++++++++++++++++++++++++++++- configure.in | 16 +++- debian/changelog | 6 ++ ldap.c | 24 ++++- parse.yacc | 16 +++- sudo.cat | 18 ++-- sudo.man.in | 4 +- sudo.tab.c | 172 ++++++++++++++++++---------------- sudoers | 7 +- sudoers.cat | 48 +++++----- sudoers.man.in | 4 +- tgetpass.c | 8 +- version.h | 4 +- visudo.cat | 6 +- visudo.man.in | 4 +- 20 files changed, 517 insertions(+), 242 deletions(-) diff --git a/CHANGES b/CHANGES index 08be411..fcb8d55 100644 --- a/CHANGES +++ b/CHANGES @@ -2029,3 +2029,19 @@ Sudo 1.6.9p10 released. 640) New %p prompt escape that expands to the user whose password is being prompted, as specified by the rootpw, targetpw and runaspw sudoers flags. Based on a diff from Patrick Schoenfeld. + +Sudo 1.6.9p11 released. + +641) Added a configure check for the ber_set_option() function. + +642) Fixed a compilation problem with the HP-UX K&R C compiler. + +643) Revamped the Kerberos 5 ticket verification code. + +644) Added support for the checkpeer ldap.conf variable for + netscape-based LDAP SDKs. + +645) Fixed a problem where an incomplete password could be echoed + to the screen if there was a read timeout. + +Sudo 1.6.9p12 released. diff --git a/Makefile.in b/Makefile.in index b852c6f..5f0b0ce 100644 --- a/Makefile.in +++ b/Makefile.in @@ -20,7 +20,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246.2.22 2008/01/05 23:31:51 millert Exp $ +# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $ # #### Start of system configuration section. #### 
@@ -131,7 +131,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.9p11 +VERSION = 1.6.9p12 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP \ diff --git a/README.LDAP b/README.LDAP index a36ff24..df4ad21 100644 --- a/README.LDAP +++ b/README.LDAP @@ -224,6 +224,13 @@ when you imported the sudoers. Below is an example /etc/ldap.conf #uri ldaps://secureldapserver #uri ldaps://secureldapserver ldap://ldapserver # + # The amount of time, in seconds, to wait while trying to connect to + # an LDAP server. + bind_timelimit 30 + # + # The amount of time, in seconds, to wait while performing an LDAP query. + timelimit 30 + # # must be set or sudo will ignore LDAP sudoers_base ou=SUDOers,dc=example,dc=com # @@ -249,7 +256,7 @@ when you imported the sudoers. Below is an example /etc/ldap.conf #ssl start_tls # # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. Only supported when using OpenLDAP. + # SSL/TLS connection. # #tls_checkpeer yes # verify server SSL certificate #tls_checkpeer no # ignore server SSL certificate @@ -340,9 +347,8 @@ Here is an example: sudoCommand: ALL Another difference is that negations on the Host, User or Runas are -currently ignorred. For example, these attributes do not work how they first -seem. If you desperately want this to be changed, contact Aaron Spangler -(aaron@spangler.ods.org). +currently ignorred. For example, these attributes do not work how +they first seem. # does not match all but joe # rather, does not match anyone diff --git a/auth/kerb5.c b/auth/kerb5.c index 57f183e..763ce85 100644 --- a/auth/kerb5.c +++ b/auth/kerb5.c 
@@ -54,7 +54,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28:42 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $"; #endif /* lint */ #ifdef HAVE_HEIMDAL @@ -65,7 +65,7 @@ __unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28 #endif #ifndef HAVE_KRB5_VERIFY_USER -static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *)); +static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *)); #endif static struct _sudo_krb5_data { krb5_context sudo_context; @@ -74,8 +74,6 @@ static struct _sudo_krb5_data { } sudo_krb5_data = { NULL, NULL, NULL }; typedef struct _sudo_krb5_data *sudo_krb5_datap; -extern const krb5_cc_ops krb5_mcc_ops; - int kerb5_init(pw, promptp, auth) struct passwd *pw; @@ -128,16 +126,6 @@ kerb5_init(pw, promptp, auth) free(pname); #endif - /* For CNS compatibility */ - if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) { - if (error != KRB5_CC_TYPE_EXISTS) { - log_error(NO_EXIT|NO_MAIL, - "%s: unable to use Memory ccache: %s", auth->name, - error_message(error)); - return(AUTH_FAILURE); - } - } - (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld", (long) getpid()); if ((error = krb5_cc_resolve(sudo_context, cache_name, @@ -149,13 +137,6 @@ kerb5_init(pw, promptp, auth) } ccache = sudo_krb5_data.ccache; - if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) { - log_error(NO_EXIT|NO_MAIL, - "%s: unable to initialize ccache: %s", auth->name, - error_message(error)); - return(AUTH_FAILURE); - } - return(AUTH_SUCCESS); } 
@@ -187,41 +168,59 @@ kerb5_verify(pw, pass, auth) { krb5_context sudo_context; krb5_principal princ; + krb5_creds credbuf, *creds = NULL; krb5_ccache ccache; - krb5_creds creds; krb5_error_code error; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts = NULL; sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; princ = ((sudo_krb5_datap) auth->data)->princ; ccache = ((sudo_krb5_datap) auth->data)->ccache; - /* Initialize options to defaults */ - krb5_get_init_creds_opt_init(&opts); + /* Set default flags based on the local config file. */ + error = krb5_get_init_creds_opt_alloc(sudo_context, &opts); + if (error) { + log_error(NO_EXIT|NO_MAIL, + "%s: unable to allocate options: %s", auth->name, + error_message(error)); + goto done; + } + krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL, + krb5_principal_get_realm(sudo_context, princ), opts); /* Note that we always obtain a new TGT to verify the user */ - if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ, + if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ, pass, krb5_prompter_posix, - NULL, 0, NULL, &opts))) { - if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */ - return(AUTH_FAILURE); - /* Some other error */ - log_error(NO_EXIT|NO_MAIL, - "%s: unable to get credentials: %s", auth->name, - error_message(error)); - return(AUTH_FAILURE); + NULL, 0, NULL, opts))) { + /* Don't print error if just a bad password */ + if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) + log_error(NO_EXIT|NO_MAIL, + "%s: unable to get credentials: %s", auth->name, + error_message(error)); + goto done; } + creds = &credbuf; + + /* Verify the TGT to prevent spoof attacks. */ + if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name))) + goto done; - /* Stash the TGT so we can verify it. */ - if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) { + /* Store cred in cred cache. 
*/ + if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) { + log_error(NO_EXIT|NO_MAIL, + "%s: unable to initialize ccache: %s", auth->name, + error_message(error)); + } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) { log_error(NO_EXIT|NO_MAIL, - "%s: unable to store credentials: %s", auth->name, + "%s: unable to store cred in ccache: %s", auth->name, error_message(error)); - } else { - error = verify_krb_v5_tgt(sudo_context, ccache, auth->name); } - krb5_free_cred_contents(sudo_context, &creds); +done: + if (opts) + krb5_get_init_creds_opt_free(opts); + if (creds) + krb5_free_cred_contents(sudo_context, creds); return (error ? AUTH_FAILURE : AUTH_SUCCESS); } #endif 
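Review bot: The new option handling in kerb5_verify calls `krb5_get_init_creds_opt_set_default_flags()`, `krb5_principal_get_realm()` and a one-argument `krb5_get_init_creds_opt_free(opts)` with no preprocessor guard visible in the hunk. As far as I know the first two exist only in Heimdal, and MIT Kerberos declares the free routine with a context argument. This function calls verify_krb_v5_tgt, which is only declared under `#ifndef HAVE_KRB5_VERIFY_USER`, so it is presumably the variant built against libraries that lack krb5_verify_user; please confirm it still compiles there. If it does not, the default-flags call could sit under the file's existing `#ifdef HAVE_HEIMDAL`, and the cleanup at `done:` would need a configure-selected `krb5_get_init_creds_opt_free(sudo_context, opts);` form. The function's signature and the start of its body are outside the hunk.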
@@ -252,81 +251,43 @@ kerb5_cleanup(pw, auth) #ifndef HAVE_KRB5_VERIFY_USER /* - * This routine with some modification is from the MIT V5B6 appl/bsd/login.c - * * Verify the Kerberos ticket-granting ticket just retrieved for the * user. If the Kerberos server doesn't respond, assume the user is * trying to fake us out (since we DID just get a TGT from what is - * supposedly our KDC). If the host/ service is unknown (i.e., - * the local keytab doesn't have it), return success but log the error. - * - * This needs to run as root (to read the host service ticket). + * supposedly our KDC). * * Returns 0 for successful authentication, non-zero for failure. */ static int -verify_krb_v5_tgt(sudo_context, ccache, auth_name) +verify_krb_v5_tgt(sudo_context, cred, auth_name) krb5_context sudo_context; - krb5_ccache ccache; + krb5_creds *cred; char *auth_name; /* For error reporting */ { - char phost[BUFSIZ]; krb5_error_code error; - krb5_principal princ; - krb5_data packet; - krb5_keyblock *keyblock = 0; - krb5_auth_context auth_context = NULL; - - packet.data = 0; + krb5_principal server; + krb5_verify_init_creds_opt vopt; /* * Get the server principal for the local host. * (Use defaults of "host" and canonicalized local name.) */ if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL, - KRB5_NT_SRV_HST, &princ))) { + KRB5_NT_SRV_HST, &server))) { log_error(NO_EXIT|NO_MAIL, "%s: unable to get host principal: %s", auth_name, error_message(error)); return(-1); } - /* Extract the name directly. Yow. */ - strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost)); - - /* - * Do we have host/ keys? - * (use default keytab, kvno IGNORE_VNO to get the first match, - * and enctype is currently ignored anyhow.) - */ - if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0, - 0, &keyblock))) { - /* Keytab or service key does not exist. 
*/ - log_error(NO_EXIT, - "%s: host service key not found: %s", auth_name, - error_message(error)); - goto cleanup; - } - if (keyblock) - krb5_free_keyblock(sudo_context, keyblock); - - /* Talk to the kdc and construct the ticket. */ - error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost, - NULL, ccache, &packet); - if (auth_context) { - krb5_auth_con_free(sudo_context, auth_context); - auth_context = NULL; /* setup for rd_req */ - } - - /* Try to use the ticket. */ - if (!error) - error = krb5_rd_req(sudo_context, &auth_context, &packet, princ, - NULL, NULL, NULL); -cleanup: - if (packet.data) - krb5_free_data_contents(sudo_context, &packet); - krb5_free_principal(sudo_context, princ); + /* Initialize verify opts and set secure mode */ + krb5_verify_init_creds_opt_init(&vopt); + krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); + /* verify the Kerberos ticket-granting ticket we just retrieved */ + error = krb5_verify_init_creds(sudo_context, cred, server, NULL, + NULL, &vopt); + krb5_free_principal(sudo_context, server); if (error) log_error(NO_EXIT|NO_MAIL, "%s: Cannot verify TGT! Possible attack!: %s", auth_name, diff --git a/config.h.in b/config.h.in index 822ff6b..2ce67d7 100644 --- a/config.h.in +++ b/config.h.in @@ -221,12 +221,18 @@ /* Define to 1 if you have the `ldap_initialize' function. */ #undef HAVE_LDAP_INITIALIZE +/* Define to 1 if you have the header file. */ +#undef HAVE_LDAP_SSL_H + /* Define to 1 if you have the `ldap_start_tls_s' function. */ #undef HAVE_LDAP_START_TLS_S /* Define to 1 if you have the `ldapssl_init' function. */ #undef HAVE_LDAPSSL_INIT +/* Define to 1 if you have the `ldapssl_set_strength' function. */ +#undef HAVE_LDAPSSL_SET_STRENGTH + /* Define to 1 if you have the `lockf' function. */ #undef HAVE_LOCKF 
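Review bot: The header comment of verify_krb_v5_tgt no longer says what the function needs from the host, even though the new `krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1)` call turns a missing host key into a hard failure, where the removed text described logging it and returning success. I would add a sentence such as `Requires a host/ key in the default keytab; with ap_req_nofail set, a missing or unreadable key fails the verification.` The removed remark about needing root to read the host key presumably still applies, because krb5_verify_init_creds reads the keytab itself. A host that has no keytab will also reach the `Cannot verify TGT! Possible attack!` log line, so it is worth noting in the comment that this message covers local misconfiguration as well as a spoofed KDC. The end of the function is outside the hunk.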
@@ -263,6 +269,9 @@ /* Define to 1 if you have the `mkstemp' function. */ #undef HAVE_MKSTEMP +/* Define to 1 if you have the header file. */ +#undef HAVE_MPS_LDAP_SSL_H + /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_NDIR_H diff --git a/configure b/configure index a410173..571eec3 100755 --- a/configure +++ b/configure 
@@ -22469,12 +22469,102 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext done if test "$found" = "no"; then - LDAP_LIBS=" -lldap" + LIBS="${_LIBS} -lldap" + LDAP_LIBS="-lldap" { echo "$as_me:$LINENO: result: not found, using -lldap" >&5 echo "${ECHO_T}not found, using -lldap" >&6; } else { echo "$as_me:$LINENO: result: $LDAP_LIBS" >&5 echo "${ECHO_T}$LDAP_LIBS" >&6; } + fi + OLIBS="$LIBS" + { echo "$as_me:$LINENO: checking for library containing ber_set_option" >&5 +echo $ECHO_N "checking for library containing ber_set_option... $ECHO_C" >&6; } +if test "${ac_cv_search_ber_set_option+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ber_set_option (); +int +main () +{ +return ber_set_option (); + ; + return 0; +} +_ACEOF +for ac_lib in '' lber; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_search_ber_set_option=$ac_res +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_ber_set_option+set}" = set; then + break +fi +done +if test "${ac_cv_search_ber_set_option+set}" = set; then + : +else + ac_cv_search_ber_set_option=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_search_ber_set_option" >&5 +echo "${ECHO_T}$ac_cv_search_ber_set_option" >&6; } +ac_res=$ac_cv_search_ber_set_option +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + found=yes +else + found=no +fi + + if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then + LDAP_LIBS="$LDAP_LIBS -llber" fi { echo "$as_me:$LINENO: checking whether lber.h is needed" >&5 echo $ECHO_N "checking whether lber.h is needed... $ECHO_C" >&6; } @@ -22533,7 +22623,8 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ -for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init + +for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -22627,6 +22718,147 @@ fi done + +for ac_header in ldap_ssl.h mps/ldap_ssl.h +do +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +else + # Is the header compilable? +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } + +# Is the header present? +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } + +fi +if test `eval echo '${'$as_ac_Header'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + break +fi + +done + + SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" LIBS="$_LIBS" LDFLAGS="$_LDFLAGS" diff --git a/configure.in b/configure.in index 0a2e699..addcfa8 100644 --- a/configure.in +++ b/configure.in @@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.36 2008/01/03 16:05:42 millert Exp $ +dnl $Sudo: configure.in,v 1.413.2.42 2008/01/21 16:08:27 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller dnl 
@@ -2274,19 +2274,27 @@ if test ${with_ldap-'no'} != "no"; then done dnl if nothing linked just try with -lldap if test "$found" = "no"; then - LDAP_LIBS=" -lldap" + LIBS="${_LIBS} -lldap" + LDAP_LIBS="-lldap" AC_MSG_RESULT([not found, using -lldap]) else AC_MSG_RESULT([$LDAP_LIBS]) fi - dnl try again w/o explicitly including lber.h + dnl check if we need to link with -llber for ber_set_option + OLIBS="$LIBS" + AC_SEARCH_LIBS([ber_set_option], [lber], [found=yes], [found=no]) + if test X"$found" = X"yes" -a X"$LIBS" != X"$OLIBS"; then + LDAP_LIBS="$LDAP_LIBS -llber" + fi + dnl check if ldap.h includes lber.h for us AC_MSG_CHECKING([whether lber.h is needed]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include #include ]], [[(void)ldap_init(0, 0)]])], [AC_MSG_RESULT([no])], [ AC_MSG_RESULT([yes]) AC_DEFINE(HAVE_LBER_H)]) - AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init) + AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength) + AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break]) SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" LIBS="$_LIBS" diff --git a/debian/changelog b/debian/changelog index 1d317a2..945d501 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +sudo (1.6.9p12-1) unstable; urgency=low + + * new upstream version, closes: #464890 + + -- Bdale Garbee Tue, 19 Feb 2008 11:19:54 +0900 + sudo (1.6.9p11-3) unstable; urgency=low * patch for configure to fix FTBFS on GNU/kFreeBSD, closes: #465956 diff --git a/ldap.c b/ldap.c index c4fbfbf..9097310 100644 --- a/ldap.c +++ b/ldap.c @@ -61,12 +61,17 @@ # include #endif #include +#if defined(HAVE_LDAP_SSL_H) +# include +#elif defined(HAVE_MPS_LDAP_SSL_H) +# include +#endif #include "sudo.h" #include "parse.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $"; #endif /* lint */ #ifndef LINE_MAX 
@@ -136,6 +141,8 @@ struct ldap_config_table ldap_conf_table[] = { #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_conf.tls_checkpeer }, +#else + { "tls_checkpeer", CONF_BOOL, FALSE, -1, &ldap_conf.tls_checkpeer }, #endif #ifdef LDAP_OPT_X_TLS_CACERTFILE { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE, @@ -810,12 +817,19 @@ sudo_ldap_read_config() * Interpret SSL option */ if (ldap_conf.ssl != NULL) { - if (strcasecmp(ldap_conf.ssl, "start_tls") == 0) - ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS; - else if (_atobool(ldap_conf.ssl)) - ldap_conf.ssl_mode = SUDO_LDAP_SSL; + if (strcasecmp(ldap_conf.ssl, "start_tls") == 0) + ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS; + else if (_atobool(ldap_conf.ssl)) + ldap_conf.ssl_mode = SUDO_LDAP_SSL; } +#if defined(HAVE_LDAPSSL_SET_STRENGTH) && !defined(LDAP_OPT_X_TLS_REQUIRE_CERT) + if (ldap_conf.tls_checkpeer != -1) { + ldapssl_set_strength(NULL, + ldap_conf.tls_checkpeer ? LDAPSSL_AUTH_CERT : LDAPSSL_AUTH_WEAK); + } +#endif + #ifndef HAVE_LDAP_INITIALIZE /* Convert uri list to host list if no ldap_initialize(). */ if (ldap_conf.uri) { diff --git a/parse.yacc b/parse.yacc index 5ba5214..a269e35 100644 --- a/parse.yacc +++ b/parse.yacc @@ -60,6 +60,7 @@ #ifdef HAVE_LSEARCH # include #endif /* HAVE_LSEARCH */ +#include #include "sudo.h" #include "parse.h" 
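Review bot: In the block added to sudo_ldap_read_config, `tls_checkpeer yes` is mapped to `LDAPSSL_AUTH_CERT` and the result of `ldapssl_set_strength()` is discarded. As documented for the Netscape/Mozilla SDK, `LDAPSSL_AUTH_CERT` validates the certificate but does not check that it names the server being contacted; `LDAPSSL_AUTH_CNCHECK` is the level that adds the name check. Please confirm which of the two the README's "verify server SSL certificate" is meant to promise. The call should also be tested, `if (ldapssl_set_strength(NULL, ...) != 0)`, and a failure reported the way the rest of the file reports configuration errors, so that a rejected setting does not leave the connection at a weaker level than the administrator asked for. When `tls_checkpeer` is unset (-1) the SDK default stays in force, which deserves a one-line comment such as `/* unset: keep the SDK's default strength */`; the body of the function continues outside the hunk.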
@@ -69,9 +70,22 @@ #endif /* HAVE_LSEARCH */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.9 2007/11/21 18:15:49 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $"; #endif /* lint */ +/* + * We must define SIZE_MAX for yacc's skeleton.c. + * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t + * could be signed (as it is on SunOS 4.x). + */ +#ifndef SIZE_MAX +# ifdef SIZE_T_MAX +# define SIZE_MAX SIZE_T_MAX +# else +# define SIZE_MAX INT_MAX +# endif /* SIZE_T_MAX */ +#endif /* SIZE_MAX */ + /* * Globals */ diff --git a/sudo.cat b/sudo.cat index ca6b521..e8aca6f 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9p11 January 5, 2008 1 +1.6.9p12 January 14, 2008 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.6.9p11 January 5, 2008 2 +1.6.9p12 January 14, 2008 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.9p11 January 5, 2008 3 +1.6.9p12 January 14, 2008 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.9p11 January 5, 2008 4 +1.6.9p12 January 14, 2008 4 @@ -325,7 +325,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.6.9p11 January 5, 2008 5 +1.6.9p12 January 14, 2008 5 @@ -391,7 +391,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.6.9p11 January 5, 2008 6 +1.6.9p12 January 14, 2008 6 @@ -457,7 +457,7 @@ FFIILLEESS -1.6.9p11 January 5, 2008 7 +1.6.9p12 January 14, 2008 7 @@ -523,7 +523,7 @@ CCAAVVEEAATTSS -1.6.9p11 January 5, 2008 8 +1.6.9p12 January 14, 2008 8 @@ -589,6 +589,6 @@ DDIISSCCLLAAIIMMEERR -1.6.9p11 January 5, 2008 9 +1.6.9p12 January 14, 2008 9 diff --git a/sudo.man.in b/sudo.man.in index 38c2d92..e34b463 100644 --- a/sudo.man.in +++ b/sudo.man.in 
@@ -18,7 +18,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudo.man.in,v 1.29.2.19 2008/01/05 23:59:42 millert Exp $ +.\" $Sudo: sudo.man.in,v 1.29.2.20 2008/01/14 12:22:57 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "January 5, 2008" "1.6.9p11" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "January 14, 2008" "1.6.9p12" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" diff --git a/sudo.tab.c b/sudo.tab.c index efb314f..46b2529 100644 --- a/sudo.tab.c +++ b/sudo.tab.c @@ -78,6 +78,7 @@ static char yyrcsid[] #ifdef HAVE_LSEARCH # include #endif /* HAVE_LSEARCH */ +#include #include "sudo.h" #include "parse.h" @@ -87,9 +88,22 @@ static char yyrcsid[] #endif /* HAVE_LSEARCH */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76.2.8 2007/11/21 18:15:49 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76.2.11 2008/01/16 23:20:54 millert Exp $"; #endif /* lint */ +/* + * We must define SIZE_MAX for yacc's skeleton.c. + * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t + * could be signed (as it is on SunOS 4.x). + */ +#ifndef SIZE_MAX +# ifdef SIZE_T_MAX +# define SIZE_MAX SIZE_T_MAX +# else +# define SIZE_MAX INT_MAX +# endif /* SIZE_T_MAX */ +#endif /* SIZE_MAX */ + /* * Globals */ @@ -237,7 +251,7 @@ yyerror(s) } parse_error = TRUE; } -#line 224 "parse.yacc" +#line 238 "parse.yacc" #ifndef YYSTYPE_DEFINED #define YYSTYPE_DEFINED typedef union { @@ -247,7 +261,7 @@ typedef union { int tok; } YYSTYPE; #endif /* YYSTYPE_DEFINED */ -#line 251 "sudo.tab.c" +#line 265 "sudo.tab.c" #define COMMAND 257 #define ALIAS 258 #define DEFVAR 259 
@@ -675,7 +689,7 @@ short *yyss; short *yysslim; YYSTYPE *yyvs; int yystacksize; -#line 911 "parse.yacc" +#line 925 "parse.yacc" #define MOREALIASES (32) aliasinfo *aliases = NULL; @@ -1031,7 +1045,7 @@ init_parser() if (printmatches == TRUE) expand_match_list(); } -#line 983 "sudo.tab.c" +#line 997 "sudo.tab.c" /* allocate initial stack or double stack size, up to YYMAXDEPTH */ #if defined(__cplusplus) || defined(__STDC__) static int yygrowstack(void) @@ -1053,7 +1067,7 @@ static int yygrowstack() #ifdef SIZE_MAX #define YY_SIZE_MAX SIZE_MAX #else -#define YY_SIZE_MAX 0xffffffffU +#define YY_SIZE_MAX 0x7fffffff #endif if (newsize && YY_SIZE_MAX / newsize < sizeof *newss) goto bail; 
@@ -1234,85 +1248,85 @@ yyreduce: switch (yyn) { case 3: -#line 280 "parse.yacc" +#line 294 "parse.yacc" { ; } break; case 4: -#line 282 "parse.yacc" +#line 296 "parse.yacc" { yyerrok; } break; case 5: -#line 283 "parse.yacc" +#line 297 "parse.yacc" { push; } break; case 6: -#line 283 "parse.yacc" +#line 297 "parse.yacc" { while (top && user_matches != TRUE) pop; } break; case 7: -#line 288 "parse.yacc" +#line 302 "parse.yacc" { ; } break; case 8: -#line 290 "parse.yacc" +#line 304 "parse.yacc" { ; } break; case 9: -#line 292 "parse.yacc" +#line 306 "parse.yacc" { ; } break; case 10: -#line 294 "parse.yacc" +#line 308 "parse.yacc" { ; } break; case 11: -#line 296 "parse.yacc" +#line 310 "parse.yacc" { ; } break; case 13: -#line 302 "parse.yacc" +#line 316 "parse.yacc" { defaults_matches = TRUE; } break; case 14: -#line 305 "parse.yacc" +#line 319 "parse.yacc" { push; } break; case 15: -#line 305 "parse.yacc" +#line 319 "parse.yacc" { defaults_matches = user_matches; pop; } break; case 16: -#line 309 "parse.yacc" +#line 323 "parse.yacc" { push; } break; case 17: -#line 309 "parse.yacc" +#line 323 "parse.yacc" { defaults_matches = yyvsp[0].BOOLEAN == TRUE; pop; } break; case 18: -#line 313 "parse.yacc" +#line 327 "parse.yacc" { push; } break; case 19: -#line 313 "parse.yacc" +#line 327 "parse.yacc" { defaults_matches = host_matches; pop; } break; case 22: -#line 323 "parse.yacc" +#line 337 "parse.yacc" { if (defaults_matches == TRUE && !set_default(yyvsp[0].string, NULL, TRUE)) { @@ -1323,7 +1337,7 @@ case 22: } break; case 23: -#line 331 "parse.yacc" +#line 345 "parse.yacc" { if (defaults_matches == TRUE && !set_default(yyvsp[0].string, NULL, FALSE)) { @@ -1334,7 +1348,7 @@ case 23: } break; case 24: -#line 339 "parse.yacc" +#line 353 "parse.yacc" { if (defaults_matches == TRUE && !set_default(yyvsp[-2].string, yyvsp[0].string, TRUE)) { 
@@ -1346,7 +1360,7 @@ case 24: } break; case 25: -#line 348 "parse.yacc" +#line 362 "parse.yacc" { if (defaults_matches == TRUE && !set_default(yyvsp[-2].string, yyvsp[0].string, '+')) { @@ -1358,7 +1372,7 @@ case 25: } break; case 26: -#line 357 "parse.yacc" +#line 371 "parse.yacc" { if (defaults_matches == TRUE && !set_default(yyvsp[-2].string, yyvsp[0].string, '-')) { @@ -1370,7 +1384,7 @@ case 26: } break; case 29: -#line 372 "parse.yacc" +#line 386 "parse.yacc" { /* * We already did a push if necessary in @@ -1385,25 +1399,25 @@ case 29: } break; case 30: -#line 386 "parse.yacc" +#line 400 "parse.yacc" { SETMATCH(host_matches, yyvsp[0].BOOLEAN); } break; case 31: -#line 389 "parse.yacc" +#line 403 "parse.yacc" { SETNMATCH(host_matches, yyvsp[0].BOOLEAN); } break; case 32: -#line 394 "parse.yacc" +#line 408 "parse.yacc" { yyval.BOOLEAN = TRUE; } break; case 33: -#line 397 "parse.yacc" +#line 411 "parse.yacc" { if (addr_matches(yyvsp[0].string)) yyval.BOOLEAN = TRUE; @@ -1413,7 +1427,7 @@ case 33: } break; case 34: -#line 404 "parse.yacc" +#line 418 "parse.yacc" { if (netgr_matches(yyvsp[0].string, user_host, user_shost, NULL)) yyval.BOOLEAN = TRUE; @@ -1423,7 +1437,7 @@ case 34: } break; case 35: -#line 411 "parse.yacc" +#line 425 "parse.yacc" { if (hostname_matches(user_shost, user_host, yyvsp[0].string) == 0) yyval.BOOLEAN = TRUE; @@ -1433,7 +1447,7 @@ case 35: } break; case 36: -#line 418 "parse.yacc" +#line 432 "parse.yacc" { aliasinfo *aip = find_alias(yyvsp[0].string, HOST_ALIAS); @@ -1458,11 +1472,11 @@ case 36: } break; case 39: -#line 446 "parse.yacc" +#line 460 "parse.yacc" { SETENV_RESET; } break; case 40: -#line 446 "parse.yacc" +#line 460 "parse.yacc" { /* * Push the entry onto the stack if it is worth 
@@ -1492,13 +1506,13 @@ case 40: } break; case 41: -#line 475 "parse.yacc" +#line 489 "parse.yacc" { SETMATCH(cmnd_matches, yyvsp[0].BOOLEAN); } break; case 42: -#line 478 "parse.yacc" +#line 492 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1510,13 +1524,13 @@ case 42: } break; case 43: -#line 486 "parse.yacc" +#line 500 "parse.yacc" { SETNMATCH(cmnd_matches, yyvsp[0].BOOLEAN); } break; case 44: -#line 491 "parse.yacc" +#line 505 "parse.yacc" { if (printmatches == TRUE && host_matches == TRUE && user_matches == TRUE) { @@ -1543,17 +1557,17 @@ case 44: } break; case 45: -#line 515 "parse.yacc" +#line 529 "parse.yacc" { runas_matches = yyvsp[0].BOOLEAN; } break; case 46: -#line 520 "parse.yacc" +#line 534 "parse.yacc" { ; } break; case 47: -#line 521 "parse.yacc" +#line 535 "parse.yacc" { /* Later entries override earlier ones. */ if (yyvsp[0].BOOLEAN != NOMATCH) @@ -1563,11 +1577,11 @@ case 47: } break; case 48: -#line 530 "parse.yacc" +#line 544 "parse.yacc" { ; } break; case 49: -#line 531 "parse.yacc" +#line 545 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1579,14 +1593,14 @@ case 49: } break; case 50: -#line 539 "parse.yacc" +#line 553 "parse.yacc" { /* Set $$ to the negation of runasuser */ yyval.BOOLEAN = (yyvsp[0].BOOLEAN == NOMATCH ? NOMATCH : ! yyvsp[0].BOOLEAN); } break; case 51: -#line 545 "parse.yacc" +#line 559 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1604,7 +1618,7 @@ case 51: } break; case 52: -#line 560 "parse.yacc" +#line 574 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1622,7 +1636,7 @@ case 52: } break; case 53: -#line 575 "parse.yacc" +#line 589 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1640,7 +1654,7 @@ case 53: } break; case 54: -#line 590 "parse.yacc" +#line 604 "parse.yacc" { aliasinfo *aip = find_alias(yyvsp[0].string, RUNAS_ALIAS); 
@@ -1673,7 +1687,7 @@ case 54: } break; case 55: -#line 620 "parse.yacc" +#line 634 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1686,7 +1700,7 @@ case 55: } break; case 56: -#line 632 "parse.yacc" +#line 646 "parse.yacc" { /* Inherit {NO,}{PASSWD,EXEC,SETENV} status. */ if (printmatches == TRUE && host_matches == TRUE && @@ -1707,7 +1721,7 @@ case 56: } break; case 57: -#line 650 "parse.yacc" +#line 664 "parse.yacc" { no_passwd = TRUE; if (printmatches == TRUE && host_matches == TRUE && @@ -1716,7 +1730,7 @@ case 57: } break; case 58: -#line 656 "parse.yacc" +#line 670 "parse.yacc" { no_passwd = FALSE; if (printmatches == TRUE && host_matches == TRUE && @@ -1725,7 +1739,7 @@ case 58: } break; case 59: -#line 662 "parse.yacc" +#line 676 "parse.yacc" { no_execve = TRUE; if (printmatches == TRUE && host_matches == TRUE && @@ -1734,7 +1748,7 @@ case 59: } break; case 60: -#line 668 "parse.yacc" +#line 682 "parse.yacc" { no_execve = FALSE; if (printmatches == TRUE && host_matches == TRUE && @@ -1743,7 +1757,7 @@ case 60: } break; case 61: -#line 674 "parse.yacc" +#line 688 "parse.yacc" { setenv_ok = TRUE; if (printmatches == TRUE && host_matches == TRUE && @@ -1752,7 +1766,7 @@ case 61: } break; case 62: -#line 680 "parse.yacc" +#line 694 "parse.yacc" { setenv_ok = FALSE; if (printmatches == TRUE && host_matches == TRUE && @@ -1761,7 +1775,7 @@ case 62: } break; case 63: -#line 688 "parse.yacc" +#line 702 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) @@ -1782,7 +1796,7 @@ case 63: } break; case 64: -#line 706 "parse.yacc" +#line 720 "parse.yacc" { aliasinfo *aip; @@ -1814,7 +1828,7 @@ case 64: } break; case 65: -#line 735 "parse.yacc" +#line 749 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) { 
@@ -1841,11 +1855,11 @@ case 65: } break; case 68: -#line 765 "parse.yacc" +#line 779 "parse.yacc" { push; } break; case 69: -#line 765 "parse.yacc" +#line 779 "parse.yacc" { if ((MATCHED(host_matches) || pedantic) && !add_alias(yyvsp[-3].string, HOST_ALIAS, host_matches)) { @@ -1856,7 +1870,7 @@ case 69: } break; case 74: -#line 783 "parse.yacc" +#line 797 "parse.yacc" { push; if (printmatches == TRUE) { @@ -1869,7 +1883,7 @@ case 74: } break; case 75: -#line 792 "parse.yacc" +#line 806 "parse.yacc" { if ((MATCHED(cmnd_matches) || pedantic) && !add_alias(yyvsp[-3].string, CMND_ALIAS, cmnd_matches)) { @@ -1884,11 +1898,11 @@ case 75: } break; case 76: -#line 806 "parse.yacc" +#line 820 "parse.yacc" { ; } break; case 80: -#line 814 "parse.yacc" +#line 828 "parse.yacc" { if (printmatches == TRUE) { in_alias = TRUE; @@ -1900,7 +1914,7 @@ case 80: } break; case 81: -#line 822 "parse.yacc" +#line 836 "parse.yacc" { if ((yyvsp[0].BOOLEAN != NOMATCH || pedantic) && !add_alias(yyvsp[-3].string, RUNAS_ALIAS, yyvsp[0].BOOLEAN)) { @@ -1914,11 +1928,11 @@ case 81: } break; case 84: -#line 839 "parse.yacc" +#line 853 "parse.yacc" { push; } break; case 85: -#line 839 "parse.yacc" +#line 853 "parse.yacc" { if ((MATCHED(user_matches) || pedantic) && !add_alias(yyvsp[-3].string, USER_ALIAS, user_matches)) { @@ -1930,19 +1944,19 @@ case 85: } break; case 88: -#line 854 "parse.yacc" +#line 868 "parse.yacc" { SETMATCH(user_matches, yyvsp[0].BOOLEAN); } break; case 89: -#line 857 "parse.yacc" +#line 871 "parse.yacc" { SETNMATCH(user_matches, yyvsp[0].BOOLEAN); } break; case 90: -#line 862 "parse.yacc" +#line 876 "parse.yacc" { if (userpw_matches(yyvsp[0].string, user_name, sudo_user.pw)) yyval.BOOLEAN = TRUE; @@ -1952,7 +1966,7 @@ case 90: } break; case 91: -#line 869 "parse.yacc" +#line 883 "parse.yacc" { if (usergr_matches(yyvsp[0].string, user_name, sudo_user.pw)) yyval.BOOLEAN = TRUE; 
@@ -1962,7 +1976,7 @@ case 91: } break; case 92: -#line 876 "parse.yacc" +#line 890 "parse.yacc" { if (netgr_matches(yyvsp[0].string, NULL, NULL, user_name)) yyval.BOOLEAN = TRUE; @@ -1972,7 +1986,7 @@ case 92: } break; case 93: -#line 883 "parse.yacc" +#line 897 "parse.yacc" { aliasinfo *aip = find_alias(yyvsp[0].string, USER_ALIAS); @@ -1997,12 +2011,12 @@ case 93: } break; case 94: -#line 905 "parse.yacc" +#line 919 "parse.yacc" { yyval.BOOLEAN = TRUE; } break; -#line 1954 "sudo.tab.c" +#line 1968 "sudo.tab.c" } yyssp -= yym; yystate = *yyssp; diff --git a/sudoers b/sudoers index d25c395..c57a3ef 100644 --- a/sudoers +++ b/sudoers @@ -20,14 +20,13 @@ # Runas alias specification # User privilege specification -root ALL=(ALL) SETENV: ALL +root ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands -# and set environment variables. -# %wheel ALL=(ALL) SETENV: ALL +# %wheel ALL=(ALL) ALL # Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: SETENV: ALL +# %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom diff --git a/sudoers.cat b/sudoers.cat index 7fe45b2..d1714cf 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9p11 January 5, 2008 1 +1.6.9p12 January 14, 2008 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 2 +1.6.9p12 January 14, 2008 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 3 +1.6.9p12 January 14, 2008 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 4 +1.6.9p12 January 14, 2008 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 5 +1.6.9p12 January 14, 2008 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 6 +1.6.9p12 January 14, 2008 6 
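Review bot: The sudoers hunk (`@@ -20,14 +20,13 @@`) drops `SETENV:` from the root entry and from both commented %wheel samples, and nothing left in the file tells an administrator that the tag exists or why it is no longer granted by default. The CHANGES entries 641–645 added by this patch do not mention the change either. The removed comment described the tag as letting users "set environment variables", so I would keep a pointer in the sample, for example `# Add the SETENV: tag only for users trusted to set environment variables.` above the %wheel lines. Separately, the `NOPASSWD: ALL` sample is introduced only by "Same thing without a password"; a short line such as `# No password prompt: membership in wheel alone is enough to run any command.` would make the trade-off explicit.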
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 7 +1.6.9p12 January 14, 2008 7 @@ -523,7 +523,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.6.9p11 January 5, 2008 8 +1.6.9p12 January 14, 2008 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 9 +1.6.9p12 January 14, 2008 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 10 +1.6.9p12 January 14, 2008 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 11 +1.6.9p12 January 14, 2008 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 12 +1.6.9p12 January 14, 2008 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 13 +1.6.9p12 January 14, 2008 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 14 +1.6.9p12 January 14, 2008 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 15 +1.6.9p12 January 14, 2008 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 16 +1.6.9p12 January 14, 2008 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 17 +1.6.9p12 January 14, 2008 17 @@ -1183,7 +1183,7 @@ EEXXAAMMPPLLEESS -1.6.9p11 January 5, 2008 18 +1.6.9p12 January 14, 2008 18 @@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 19 +1.6.9p12 January 14, 2008 19 @@ -1315,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 20 +1.6.9p12 January 14, 2008 20 @@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p11 January 5, 2008 21 +1.6.9p12 January 14, 2008 21 @@ -1447,7 +1447,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.6.9p11 January 5, 2008 22 +1.6.9p12 January 14, 2008 22 
@@ -1513,7 +1513,7 @@ CCAAVVEEAATTSS -1.6.9p11 January 5, 2008 23 +1.6.9p12 January 14, 2008 23 @@ -1579,6 +1579,6 @@ DDIISSCCLLAAIIMMEERR -1.6.9p11 January 5, 2008 24 +1.6.9p12 January 14, 2008 24 diff --git a/sudoers.man.in b/sudoers.man.in index f568c41..248ea7f 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -18,7 +18,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudoers.man.in,v 1.45.2.21 2008/01/05 23:59:42 millert Exp $ +.\" $Sudo: sudoers.man.in,v 1.45.2.22 2008/01/14 12:22:57 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "January 5, 2008" "1.6.9p11" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "January 14, 2008" "1.6.9p12" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" diff --git a/tgetpass.c b/tgetpass.c index c008c15..9e22b5d 100644 --- a/tgetpass.c +++ b/tgetpass.c @@ -70,7 +70,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 15:39:43 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $"; #endif /* lint */ #ifndef TCSASOFT @@ -107,8 +107,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1 # define tcsetattr(f, a, t) ioctl(f, a, t) # undef TCSAFLUSH # define TCSAFLUSH TCSETAF -# undef TCSANOW -# define TCSANOW TCSETA # else # undef termios # define termios sgttyb 
@@ -117,8 +115,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.5 2007/10/17 1 # define tcsetattr(f, a, t) ioctl(f, a, t) # undef TCSAFLUSH # define TCSAFLUSH TIOCSETP -# undef TCSANOW -# define TCSANOW TIOCSETN # endif /* HAVE_TERMIO_H */ #endif /* HAVE_TERMIOS_H */ @@ -202,7 +198,7 @@ restart: /* Restore old tty settings and signals. */ if (memcmp(&term, &oterm, sizeof(term)) != 0) { - while (tcsetattr(input, TCSANOW|TCSASOFT, &oterm) == -1 && + while (tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm) == -1 && errno == EINTR) continue; } diff --git a/version.h b/version.h index 4394ff1..a51e62a 100644 --- a/version.h +++ b/version.h @@ -17,12 +17,12 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: version.h,v 1.66.2.14 2008/01/05 23:31:52 millert Exp $ + * $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.9p11"; +static const char version[] = "1.6.9p12"; #endif /* _SUDO_VERSION_H */ diff --git a/visudo.cat b/visudo.cat index bd9f7a9..de2e765 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.6.9p11 January 5, 2008 1 +1.6.9p12 January 14, 2008 1 @@ -127,7 +127,7 @@ DDIIAAGGNNOOSSTTIICCSS -1.6.9p11 January 5, 2008 2 +1.6.9p12 January 14, 2008 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.6.9p11 January 5, 2008 3 +1.6.9p12 January 14, 2008 3 diff --git a/visudo.man.in b/visudo.man.in index 08fa256..371965c 100644 --- a/visudo.man.in +++ b/visudo.man.in 
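Review bot: The restore call in tgetpass.c (`@@ -202,7 +198,7 @@ restart:`) switches from `TCSANOW` to `TCSAFLUSH` without a comment saying why, and the existing comment above it ("Restore old tty settings and signals.") does not cover the choice. TCSAFLUSH discards input that was received but not yet read, which is presumably how this addresses CHANGES entry 645 (an incomplete password echoed after a read timeout). Without that stated, a later cleanup could switch back to TCSANOW and reintroduce the echo. I would add `/* TCSAFLUSH: drop unread input so a partly typed password is not echoed once echo is restored. */` directly above the `while`. The `TCSANOW` fallback defines removed at `@@ -107,8 +107,6 @@` and `@@ -117,8 +115,6 @@` mean the name no longer appears in the termio/sgtty branches, so the comment is the only place the reasoning would live. The enclosing function starts and continues outside the hunk.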
@@ -17,7 +17,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: visudo.man.in,v 1.20.2.16 2008/01/05 23:59:42 millert Exp $ +.\" $Sudo: visudo.man.in,v 1.20.2.17 2008/01/14 12:22:57 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "January 5, 2008" "1.6.9p11" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "January 14, 2008" "1.6.9p12" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS" -- 2.30.2