+++ /dev/null
-# Configuration file for git-buildpackage and friends
-
-[DEFAULT]
-# the default build command:
-#builder = debuild -i\.git/ -I.git
-# the default clean command:
-#cleaner = debuild clean
-# the default branch for upstream sources:
-upstream-branch = upstream
-# the default branch for the debian patch:
-debian-branch = master
-# the default tag formats used:
-#upstream-tag = upstream/%(version)s
-#debian-tag = debian/%(version)s
-# use pristine-tar:
-pristine-tar = True
-
-# Options only affecting git-buildpackage
-[git-buildpackage]
-#upstream-branch = dfsgclean
-# uncomment this to automatically GPG sign tags
-#sign-tags = True
-# keyid to GPG sign tags with
-#keyid = 0xdeadbeef
-# push to a remote repository after a successful tag:
-posttag = git push --mirror
-# use this for more svn-buildpackage like behaviour:
-export-dir = ../build-area/sudo/
-#tarball-dir = ../tarballs/
-
-# Options only affecting git-import-orig
-[git-import-orig]
-#upstream-branch = newupstream
-#debian-branch = dfsgclean
-#filter = .svn
-
-# Options only affecting git-import-dsc
-[git-import-dsc]
-#upstream-branch = svn-upstream
-#filter = [ 'CVS', '.cvsignore' ]
-
-# Options only affecting git-dch
-[git-dch]
-#git-log = --no-merges
-#snapshot-number = snapshot + 1
-
--- /dev/null
+# Configuration file for git-buildpackage and friends
+
+[DEFAULT]
+# the default build command:
+#builder = debuild -i\.git/ -I.git
+# the default clean command:
+#cleaner = debuild clean
+# the default branch for upstream sources:
+upstream-branch = upstream
+# the default branch for the debian patch:
+debian-branch = master
+# the default tag formats used:
+#upstream-tag = upstream/%(version)s
+#debian-tag = debian/%(version)s
+# use pristine-tar:
+pristine-tar = True
+
+# Options only affecting git-buildpackage
+[git-buildpackage]
+#upstream-branch = dfsgclean
+# uncomment this to automatically GPG sign tags
+#sign-tags = True
+# keyid to GPG sign tags with
+#keyid = 0xdeadbeef
+# push to a remote repository after a successful tag:
+posttag = git push --mirror
+# use this for more svn-buildpackage like behaviour:
+export-dir = ../build-area/sudo/
+#tarball-dir = ../tarballs/
+
+# Options only affecting git-import-orig
+[git-import-orig]
+#upstream-branch = newupstream
+#debian-branch = dfsgclean
+#filter = .svn
+
+# Options only affecting git-import-dsc
+[git-import-dsc]
+#upstream-branch = svn-upstream
+#filter = [ 'CVS', '.cvsignore' ]
+
+# Options only affecting git-dch
+[git-dch]
+#git-log = --no-merges
+#snapshot-number = snapshot + 1
+
/* For SUDO_PS1 -> PS1 conversion. */
if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
ps1 = *ep + 5;
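Review bot: The `strncmp(*ep, "SUDO_PS1=", 8)` test compares only the eight characters of `SUDO_PS1` and never checks the `=`, so any variable whose name merely starts with `SUDO_PS1` also matches and is carried over via `ps1 = *ep + 5`. Comparing the full nine-byte literal would restrict the conversion to the intended variable: `if (strncmp(*ep, "SUDO_PS1=", 9) == 0)`. Only these three context lines are visible here, so how `ps1` is used afterwards is outside this view and should be checked alongside the change.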
+--- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700
++++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700
+@@ -1227,6 +1227,9 @@
+
+ =item env_delete
+
++Not effective due to security issues: only variables listed in
++I<env_keep> or I<env_check> can be passed through B<sudo>!
++
+ Environment variables to be removed from the user's environment
+ when the I<env_reset> option is not in effect. The argument may
+ be a double-quoted, space-separated list or a single value without
+@@ -1240,8 +1243,8 @@
+
+ =item env_keep
+
+-Environment variables to be preserved in the user's environment
+-when the I<env_reset> option is in effect. This allows fine-grained
++Environment variables to be preserved in the user's environment.
++This allows fine-grained
+ control over the environment B<sudo>-spawned processes will receive.
+ The argument may be a double-quoted, space-separated list or a
+ single value without double-quotes. The list can be replaced, added
+@@ -1280,8 +1283,14 @@
+ =head1 EXAMPLES
+
+ Below are example I<sudoers> entries. Admittedly, some of
+-these are a bit contrived. First, we define our I<aliases>:
++these are a bit contrived. First, we allow a few environment
++variables to pass and then define our I<aliases>:
+
++ # Run X applications through sudo; HOME is used to find .Xauthority file
++ # Note that some programs may use HOME for other purposes too and
++ # this may lead to privilege escalation!
++ Defaults env_keep = "DISPLAY HOME"
++
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+--- /home/bdale/Desktop/sudo-1.7.2p1/sudo.pod 2009-06-15 15:19:47.000000000 -0600
++++ sudo/sudo.pod 2009-11-20 07:31:58.000000000 -0700
+@@ -452,8 +452,8 @@
+ To prevent command spoofing, B<sudo> checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's
+ PATH (if one or both are in the PATH). Note, however, that the
+-actual C<PATH> environment variable is I<not> modified and is passed
+-unchanged to the program that B<sudo> executes.
++C<PATH> environment variable is further modified in Debian because of
++the use of the I<SECURE_PATH> build option.
+
+ B<sudo> will check the ownership of its timestamp directory
+ (F<@timedir@> by default) and ignore the directory's contents if
sudo-1.7.2p1-visudo-manpage-fix.diff
typo-in-classic-insults.diff
env.c-safety.diff
+paths-in-samples.diff
+sudoers.pod.diff
+sudo.pod.diff
--- /home/bdale/Desktop/sudo-1.7.2p1/sudo.pod 2009-06-15 15:19:47.000000000 -0600
+++ sudo/sudo.pod 2009-11-20 07:31:58.000000000 -0700
-@@ -452,8 +452,8 @@
- To prevent command spoofing, B<sudo> checks "." and "" (both denoting
- current directory) last when searching for a command in the user's
- PATH (if one or both are in the PATH). Note, however, that the
--actual C<PATH> environment variable is I<not> modified and is passed
--unchanged to the program that B<sudo> executes.
-+C<PATH> environment variable is further modified in Debian because of
-+the use of the I<SECURE_PATH> build option.
-
- B<sudo> will check the ownership of its timestamp directory
- (F<@timedir@> by default) and ignore the directory's contents if
@@ -616,6 +616,10 @@
L<login_cap(3)>,
L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
---- /home/bdale/Desktop/sudo-1.7.2p1/sudoers.pod 2009-06-30 06:41:09.000000000 -0600
-+++ sudo/sudoers.pod 2009-11-20 07:31:58.000000000 -0700
+--- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700
++++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700
@@ -93,7 +93,7 @@
Cmnd_Alias ::= NAME '=' Cmnd_List
+ NAME ::= [A-Z]([a-z][A-Z][0-9]_)*
Each I<alias> definition is of the form
-
-@@ -565,7 +565,7 @@
-
- =over 16
-
--=item always_set_home
-+=item mail_badpass
-
- If set, B<sudo> will set the C<HOME> environment variable to the home
- directory of the target user (which is root unless the B<-u> option is used).
-@@ -1227,6 +1227,9 @@
-
- =item env_delete
-
-+Not effective due to security issues: only variables listed in
-+I<env_keep> or I<env_check> can be passed through B<sudo>!
-+
- Environment variables to be removed from the user's environment
- when the I<env_reset> option is not in effect. The argument may
- be a double-quoted, space-separated list or a single value without
-@@ -1240,8 +1243,8 @@
-
- =item env_keep
-
--Environment variables to be preserved in the user's environment
--when the I<env_reset> option is in effect. This allows fine-grained
-+Environment variables to be preserved in the user's environment.
-+This allows fine-grained
- control over the environment B<sudo>-spawned processes will receive.
- The argument may be a double-quoted, space-separated list or a
- single value without double-quotes. The list can be replaced, added
-@@ -1282,6 +1285,15 @@
- Below are example I<sudoers> entries. Admittedly, some of
- these are a bit contrived. First, we define our I<aliases>:
-
-+Below are example I<sudoers> entries. Admittedly, some of
-+these are a bit contrived. First, we allow a few environment
-+variables to pass and then define our I<aliases>:
-+
-+ # Run X applications through sudo; HOME is used to find .Xauthority file
-+ # Note that some programs may use HOME for other purposes too and
-+ # this may lead to privilege escalation!
-+ Defaults env_keep = "DISPLAY HOME"
-+
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
+@@ -747,7 +747,7 @@
+ If set, root is allowed to run B<sudo> too. Disabling this prevents users
+ from "chaining" B<sudo> commands to get a root shell by doing something
+ like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
+-will also prevent root and from running B<sudoedit>.
++will also prevent root from running B<sudoedit>.
+ Disabling I<root_sudo> provides no real additional security; it
+ exists purely for historical reasons.
+ This flag is I<@root_sudo@> by default.
* "host" is the (possibly fully-qualified) hostname and
* "shost" is the unqualified form of the hostname.
*/
- sudo_user.host_fqdn_queried = FALSE;
nohostname = gethostname(thost, sizeof(thost));
if (nohostname)
user_host = user_shost = "localhost";
/* Defer call to set_fqdn() until log_error() is safe. */
user_shost = user_host;
} else {
- user_shost = user_host;
+ if ((p = strchr(user_host, '.'))) {
+ *p = '\0';
+ user_shost = estrdup(user_host);
+ *p = '.';
+ } else {
+ user_shost = user_host;
+ }
}
}
} else {
user_shost = user_host;
}
- sudo_user.host_fqdn_queried = TRUE;
}
/*
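Review bot: The added branch at `user_shost = estrdup(user_host);` gives `user_shost` its own allocation when the hostname contains a dot, while the `else` arm and the other visible assignments leave it pointing at the same storage as `user_host`, and nothing in the new lines records that dual ownership. Any later code that frees or replaces either pointer has to compare them first, so a comment above the `strchr` test would help, for example `/* user_shost is either an alias of user_host or a separate estrdup() copy; compare before freeing */`. The branch also modifies `user_host` in place for the duration of the copy (`*p = '\0'` … `*p = '.'`), which deserves a short why-comment as well. The enclosing functions start and end outside the visible lines, so whether an existing free path already performs the pointer comparison cannot be confirmed from here.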
char *ttypath;
char *host;
char *shost;
- int host_fqdn_queried;
- char **runas;
char *prompt;
char *cmnd;
char *cmnd_args;
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root from running \fBsudoedit\fR.
+will also prevent root and from running \fBsudoedit\fR.
Disabling \fIroot_sudo\fR provides no real additional security; it
exists purely for historical reasons.
This flag is \fI@root_sudo@\fR by default.
If set, root is allowed to run B<sudo> too. Disabling this prevents users
from "chaining" B<sudo> commands to get a root shell by doing something
like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
-will also prevent root and from running B<sudoedit>.
+will also prevent root from running B<sudoedit>.
Disabling I<root_sudo> provides no real additional security; it
exists purely for historical reasons.
This flag is I<@root_sudo@> by default.