From 3a9f5f17329715f3bc44f8680c997f0f551ff59f Mon Sep 17 00:00:00 2001 From: Bdale Garbee Date: Thu, 27 Oct 2011 00:58:48 +0200 Subject: [PATCH] Imported Upstream version 1.8.3p1 --- ChangeLog | 19 +++++++++++++- NEWS | 8 ++++++ configure | 18 ++++++------- configure.in | 2 +- plugins/sudoers/Makefile.in | 2 +- plugins/sudoers/check.c | 50 +++++++++++++++++++++---------------- plugins/sudoers/match.c | 2 +- plugins/sudoers/sudoers.c | 10 +++----- 8 files changed, 70 insertions(+), 41 deletions(-) diff --git a/ChangeLog b/ChangeLog index 98e4a39..f4ebc2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,8 +1,25 @@ +2011-10-25 Todd C. Miller + + * plugins/sudoers/Makefile.in: + check_addr needs to link with the network libraries on Solaris + [322bd70e316e] + + * plugins/sudoers/match.c: + When matching a RunasAlias for a runas group, pass the alias in as + the group_list, not the user_list. From Daniel Kopecek. + [766545edf141] + + * plugins/sudoers/check.c, plugins/sudoers/sudoers.c: + We need to init the auth system regardless of whether we need a + password since we will be closing the PAM session in the monitor + process. Fixes a crash in the monitor on Solaris; bugzilla #518 + [e82809f86fb3] + 2011-10-21 Todd C. Miller * .hgtags: Added tag SUDO_1_8_3 for changeset 82bec4d3a203 - [6c953ef6f577] [tip] <1.8> + [6c953ef6f577] <1.8> * Update Japanese sudoers translation from translationproject.org [82bec4d3a203] [SUDO_1_8_3] <1.8> diff --git a/NEWS b/NEWS index dcbbd03..1773635 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,11 @@ +What's new in Sudo 1.8.3p1? + + * Fixed a crash in the monitor process on Solaris when NOPASSWD + was specified or when authentication was disabled. + + * Fixed matching of a Runas_Alias in the group section of a + Runas_Spec. + What's new in Sudo 1.8.3? * Fixed expansion of strftime() escape sequences in the "log_dir" diff --git a/configure b/configure index 3f89ae3..ef2d1ba 100755 --- a/configure +++ b/configure 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.8.3. +# Generated by GNU Autoconf 2.68 for sudo 1.8.3p1. # # Report bugs to . # @@ -570,8 +570,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.3' -PACKAGE_STRING='sudo 1.8.3' +PACKAGE_VERSION='1.8.3p1' +PACKAGE_STRING='sudo 1.8.3p1' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1446,7 +1446,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.3 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.3p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1511,7 +1511,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.3:";; + short | recursive ) echo "Configuration of sudo 1.8.3p1:";; esac cat <<\_ACEOF @@ -1728,7 +1728,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.3 +sudo configure 1.8.3p1 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2432,7 +2432,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.3, which was +It was created by sudo $as_me 1.8.3p1, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ 
@@ -20615,7 +20615,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.3, which was +This file was extended by sudo $as_me 1.8.3p1, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20681,7 +20681,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.3 +sudo config.status 1.8.3p1 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff --git a/configure.in b/configure.in index 9de75a6..bca3bf4 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script. dnl dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller dnl -AC_INIT([sudo], [1.8.3], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.3p1], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) dnl dnl Note: this must come after AC_INIT diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index 3a0cddc..6c3c35c 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -174,7 +174,7 @@ testsudoers: libparsesudoers.la $(TEST_OBJS) $(LT_LIBS) $(LIBTOOL) --mode=link $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS) @LIBDL@ check_addr: $(CHECK_ADDR_OBJS) $(LT_LIBS) - $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(LIBS) + $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS) check_iolog_path: $(CHECK_IOLOG_PATH_OBJS) $(LT_LIBS) $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(LIBS) diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 4be3b0b..20cba07 100644 --- a/plugins/sudoers/check.c 
+++ b/plugins/sudoers/check.c @@ -104,6 +104,35 @@ check_user(int validated, int mode) char *prompt; struct stat sb; int status, rval = TRUE; + int need_pass = def_authenticate; + + /* + * Init authentication system regardless of whether we need a password. + * Required for proper PAM session support. + */ + auth_pw = get_authpw(); + if (sudo_auth_init(auth_pw) == -1) { + rval = -1; + goto done; + } + + if (need_pass) { + /* Always need a password when -k was specified with the command. */ + if (ISSET(mode, MODE_IGNORE_TICKET)) { + SET(validated, FLAG_CHECK_USER); + } else { + /* + * Don't prompt for the root passwd or if the user is exempt. + * If the user is not changing uid/gid, no need for a password. + */ + if (user_uid == 0 || (user_uid == runas_pw->pw_uid && + (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) + || user_is_exempt()) + need_pass = FALSE; + } + } + if (!need_pass) + goto done; /* Stash the tty's ctime for tty ticket comparison. */ if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) { @@ -114,27 +143,6 @@ check_user(int validated, int mode) ctim_get(&sb, &tty_info.ctime); } - /* Init authentication system regardless of whether we need a password. */ - auth_pw = get_authpw(); - if (sudo_auth_init(auth_pw) == -1) { - rval = -1; - goto done; - } - - /* Always prompt for a password when -k was specified with the command. */ - if (ISSET(mode, MODE_IGNORE_TICKET)) { - SET(validated, FLAG_CHECK_USER); - } else { - /* - * Don't prompt for the root passwd or if the user is exempt. - * If the user is not changing uid/gid, no need for a password. - */ - if (user_uid == 0 || (user_uid == runas_pw->pw_uid && - (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || - user_is_exempt()) - goto done; - } - if (build_timestamp(×tampdir, ×tampfile) == -1) { rval = -1; goto done; diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c index 9f15020..b0ff377 100644 --- a/plugins/sudoers/match.c 
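Review bot: The test that decides whether the password prompt is skipped (`if (user_uid == 0 || ... || user_is_exempt())`) spans three lines and has an unbraced body, `need_pass = FALSE;`. In an authentication decision I would brace it, so a later edit cannot leave a second statement outside the condition: end the condition with `user_is_exempt()) {` and close after `need_pass = FALSE;`. With this change every exit, including the no-password case and a failed `sudo_auth_init()`, jumps to `done`. That label and its cleanup are outside the hunk, so confirm the cleanup is correct both when init failed and when the auth system was initialised but no password was verified. check_user's body continues outside the hunk.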
+++ b/plugins/sudoers/match.c @@ -209,7 +209,7 @@ _runaslist_matches(struct member_list *user_list, struct member_list *group_list break; case ALIAS: if ((a = alias_find(m->name, RUNASALIAS)) != NULL) { - rval = _runaslist_matches(&a->members, &empty); + rval = _runaslist_matches(&empty, &a->members); if (rval != UNSPEC) group_matched = m->negated ? !rval : rval; break; diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 8f3c548..0e25866 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -433,13 +433,9 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], rebuild_env(); /* Require a password if sudoers says so. */ - if (def_authenticate) { - int rc = check_user(validated, sudo_mode); - if (rc != TRUE) { - rval = rc; - goto done; - } - } + rval = check_user(validated, sudo_mode); + if (rval != TRUE) + goto done; /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ /* XXX - causes confusion when root is not listed in sudoers */ -- 2.47.2
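Review bot: The recursive call for a Runas_Alias found in the group list deserves a short comment. Both parameters are `struct member_list *`, so the compiler cannot catch them being swapped, which is the mistake this line fixes. I would add `/* alias used as a runas group: its members go in group_list */` above `rval = _runaslist_matches(&empty, &a->members);`. Because this match feeds the decision about which group a command may run as, a regression case for a Runas_Alias in the group section of a Runas_Spec would also help, if the test suite has a place for it. The enclosing function starts and ends outside the hunk.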
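Review bot: The comment `/* Require a password if sudoers says so. */` above the call is stale, because `check_user()` is now called unconditionally and, as the check.c hunk shows, reads `def_authenticate` itself. Something like `/* Check the user; check_user() decides whether a password is required. */` would match the code. The result is also stored straight into `rval` instead of the scratch `rc`, so `rval` is overwritten on success as well. Its declaration and the later `goto done` paths are outside the hunk, so confirm none of them depends on the value `rval` held before this call. sudoers_policy_main's body starts and ends outside the hunk.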