From db40f7b6672ba244a51aef07459e038232f9442f Mon Sep 17 00:00:00 2001 From: Bdale Garbee Date: Tue, 7 Sep 2010 09:03:43 -0600 Subject: [PATCH] Imported Upstream version 1.7.4p4 --- ChangeLog | 161 +++++++++++++- Makefile.in | 9 +- UPGRADE | 2 +- aclocal.m4 | 50 +---- auth/pam.c | 4 + auth/sudo_auth.c | 5 +- boottime.c | 2 +- check.c | 7 +- config.h.in | 10 +- configure | 475 +++++++++++++++++++++++++++++++----------- configure.in | 7 +- env.c | 2 +- exec.c | 34 +-- exec_pty.c | 6 +- get_pty.c | 4 +- lbuf.c | 5 +- ldap.c | 8 +- match.c | 42 ++-- parse.c | 10 +- set_perms.c | 11 +- snprintf.c | 46 ++-- sudo.c | 2 +- sudo.pp | 30 ++- sudoers => sudoers.in | 5 +- 24 files changed, 673 insertions(+), 264 deletions(-) rename sudoers => sudoers.in (95%) diff --git a/ChangeLog b/ChangeLog index e70d94c..d5247b7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,8 +1,167 @@ +2010-09-06 Todd C. Miller + + * match.c: + When matching the runas user and runas group (-u and -g command line + options), keep track of runas group and runas user matches + separately. Only return a positive match if we have a match for + both runas user and runas group (if specified). + [68d30216c13a] + +2010-09-04 Todd C. Miller + + * ldap.c, parse.c: + Do not return -1 on error from the display functions; the call + expects a return value >= 0. + [e50e6ae4d06d] + + * ldap.c: + display_bound_defaults now returns a count so make the stub return + 0, not 1. + [97293ced4908] + +2010-09-03 Todd C. Miller + + * get_pty.c: + It looks like AIX doesn't need to push STREAMS modules for ptys. + [62c281fcd4ad] + +2010-08-30 Todd C. Miller + + * Makefile.in: + Install sudoers file from the build dir not hte src dir. + [a26afd8db531] + +2010-08-26 Todd C. Miller + + * set_perms.c: + If runas_pw changes, reset the stashed runas aux group vector. + Otherwise, if runas_default is set in a per-command Defaults + statement, the command runs with root's aux group vector (i.e. the + one that was used when locating the command). + [24a695707b67] + + * Makefile.in: + Add target to generate sudoers file Remove generated sudoers file as + part of distclean + [448627fc35b6] + +2010-08-23 millert + + * exec.c: + When not logging I/O install a handler for SIGCONT and deliver it to + the command upon resume. Fixes bugzilla #431 + [e84690aa67bd] + +2010-08-21 Todd C. Miller + + * sudo.c: + Don't need to fork and wait when compiled with --disable-pam-session + [2ae1bbe4437a] + +2010-08-20 Todd C. Miller + + * lbuf.c: + Convert a remaining puts() and putchar() to use the output function. + [d68c213feb0f] + +2010-08-18 Todd C. Miller + + * Makefile.in: + Replace sudoers with sudoers.in in DISTFILES + [616509f85d6c] + + * env.c: + Set dupcheck to TRUE when setting new HOME value if !env_reset but + always_set_home is true. 
Prevents a duplicate HOME in the + environment (old value plus the new one) introduced in 9f97e4b43a4b. + [2672ae047984] + + * configure, configure.in, sudoers, sudoers.in: + Substitute sysconfdir in the installed sudoers file to get the + correct path for sudoers.d. + [ab14a68e546f] + +2010-08-17 Todd C. Miller + + * boottime.c, get_pty.c: + Fix typos that prevented compilation on Irix; Friedrich Haubensak + [a3e6c5a66890] + +2010-08-14 Todd C. Miller + + * auth/pam.c: + If the user hits ^C while a password is being read, error out before + reading any further passwords in the pam conversation function. + Otherwise, if multiple PAM auth methods are required, the user will + have to hit ^C for each one. + [c8f6bc58fd86] + +2010-08-09 Todd C. Miller + + * exec.c: + Fix waitpid() loop termination condition. + [97719b3259f2] + + * exec_pty.c: + Use sudo_waitpid() instead of bare waitpid() + [624a40269189] + +2010-08-07 Todd C. Miller + + * sudo.pp: + Set pp_kit_version and strip off patchlevel + [814c87778567] + + * sudo.pp: + Better handling of versions with a patchlevel. For rpm and deb, use + the patchlevel+1 as the release. For AIX, use the patchlevel as the + 4th version number. For the rest, just leave the patchlevel in the + version string. + [d18ef30f0a72] + +2010-08-06 Todd C. Miller + + * auth/sudo_auth.c: + For non-standalone auth methods, stop reading the password if the + user enters ^C at the prompt. + [59d2b1328d1e] + + * check.c: + When removing/resetting the timestamp file ignore the tty ticket + contents. + [8b285f601ec0] + +2010-08-04 Todd C. Miller + + * UPGRADE: + Fix typo + [0f443aa22e96] + +2010-08-03 Todd C. Miller + + * check.c: + Do not produce a warning for "sudo -k" if the ticket file does not + exist. + [eeaaa73d7f5b] + +2010-08-02 Todd C. Miller + + * aclocal.m4, configure: + Add cross-compile defaults for remaining AC_TRY_RUN usage. + [fb88d22eabc6] + +2010-07-31 Todd C. 
Miller + + * aclocal.m4, config.h.in, configure, configure.in, snprintf.c: + Use AC_CHECK_MEMBER in SUDO_SOCK_SA_LEN Use AC_TYPE_LONG_LONG_INT + and AC_CHECK_SIZEOF([long int]) instead of rolling our own. + [5e7cc557a46e] + 2010-07-30 Todd C. Miller * .hgtags: Added tag SUDO_1_7_4 for changeset 2920a3b9d568 - [e929004d5102] [tip] + [e929004d5102] * pp: Debian: Remove dots from decoded release number AIX: looser matching diff --git a/Makefile.in b/Makefile.in index 425bbdf..0114ca7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -159,7 +159,7 @@ DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \ mkpkg pathnames.h.in pp sample.pam sample.syslog.conf \ sample.sudoers schema.ActiveDirectory schema.OpenLDAP \ schema.iPlanet siglist.in sudo.cat sudo.man.in sudo.pod sudo.pp \ - sudo_usage.h.in sudoers sudoers.cat sudoers.man.in sudoers.pod \ + sudo_usage.h.in sudoers.in sudoers.cat sudoers.man.in sudoers.pod \ sudoers.ldap.cat sudoers.ldap.man.in sudoers.ldap.pod \ sudoers2ldif sudoreplay.cat sudoreplay.man.in sudoreplay.pod \ visudo.cat visudo.man.in visudo.pod auth/API sudo.man.pl \ @@ -465,6 +465,9 @@ sudoreplay.man: $(srcdir)/sudoreplay.man.in @DEV@LICENSE: $(srcdir)/license.pod @DEV@ pod2text -l -i0 $(srcdir)/license.pod | sed '1,2d' > $@ +sudoers: $(srcdir)/sudoers.in + (cd $(top_builddir) && $(SHELL) config.status --file=plugins/sudoers/$@) + # The 1.7 branch started Jan 18, 2010 ChangeLog: if test -d $(srcdir)/.hg; then \ @@ -497,7 +500,7 @@ install-sudoers: install-dirs $(DESTDIR)$(sudoersdir)/sudoers.d test -f $(DESTDIR)$(sudoersdir)/sudoers || \ $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \ - $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers + sudoers $(DESTDIR)$(sudoersdir)/sudoers install-doc: install-dirs ChangeLog (cd $(srcdir) && for f in ChangeLog HISTORY LICENSE NEWS README TROUBLESHOOTING UPGRADE sample.*; do $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 $$f $(DESTDIR)$(docdir); done) 
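Review bot: The recipe of the new `sudoers` rule passes `--file=plugins/sudoers/$@` to config.status, but everything else in this patch treats the file as top-level: the prerequisite is `$(srcdir)/sudoers.in`, the rename is `sudoers => sudoers.in`, and configure registers the output as plain `sudoers`. Unless a `plugins/sudoers/` template exists outside this patch, the rule will fail or write somewhere other than its target whenever make has to regenerate the file. `(cd $(top_builddir) && $(SHELL) config.status --file=$@)` would match the declared output. This matters because the next hunk makes `install-sudoers` copy the build-directory `sudoers`, which is the default policy file, and that rule still lists only `install-dirs` as a prerequisite.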
@@ -521,7 +524,7 @@ mostlyclean: clean distclean: clean -rm -rf Makefile pathnames.h config.h config.status config.cache \ - config.log libtool sudo_noexec.lo .libs $(GENERATED) \ + config.log libtool sudoers sudo_noexec.lo .libs $(GENERATED) \ sudo.man sudoers.man sudoers.ldap.man sudoreplay.man \ visudo.man sudo_usage.h Makefile.binary diff --git a/UPGRADE b/UPGRADE index c3aab26..fb27119 100644 --- a/UPGRADE +++ b/UPGRADE @@ -29,7 +29,7 @@ o Upgrading from a version prior to 1.7.4: use when searching for configuration files. Adding HOME to env_keep may enable a user to run unrestricted commands via sudo. - The default syslog facility has changed from "local2" or "authpriv" + The default syslog facility has changed from "local2" to "authpriv" (or "auth" if the operating system doesn't have "authpriv"). The --with-logfac configure option can be used to change this or it can be changed in the sudoers file. diff --git a/aclocal.m4 b/aclocal.m4 index 5bbb4ac..1276746 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -227,7 +227,7 @@ AC_DEFUN([SUDO_FUNC_UNSETENV_VOID], ], [sudo_cv_func_unsetenv_void=no], [sudo_cv_func_unsetenv_void=yes], - [sudo_cv_func_unsetenv_void=yes])]) + [sudo_cv_func_unsetenv_void=no])]) if test $sudo_cv_func_unsetenv_void = yes; then AC_DEFINE(UNSETENV_VOID, 1, [Define to 1 if the `unsetenv' function returns void instead of `int'.]) 
@@ -253,24 +253,14 @@ int putenv(const char *string) {return 0;}], [])], dnl dnl check for sa_len field in struct sockaddr dnl -AC_DEFUN(SUDO_SOCK_SA_LEN, -[AC_MSG_CHECKING(for sa_len field in struct sockaddr) -AC_CACHE_VAL(sudo_cv_sock_sa_len, -[AC_TRY_RUN([#include -#include -main() { -struct sockaddr s; -s.sa_len = 0; -exit(0); -}], sudo_cv_sock_sa_len=yes, sudo_cv_sock_sa_len=no, - sudo_cv_sock_sa_len=no) -rm -f core core.* *.core])dnl -AC_MSG_RESULT($sudo_cv_sock_sa_len) -if test $sudo_cv_sock_sa_len = yes; then - AC_DEFINE(HAVE_SA_LEN, 1, [Define if your struct sockadr has an sa_len field.]) -fi -]) - +AC_DEFUN(SUDO_SOCK_SA_LEN, [ + AC_CHECK_MEMBER([struct sockaddr.sa_len], + [AC_DEFINE(HAVE_SA_LEN, 1, [Define if your struct sockadr has an sa_len field.])], + [], + [ #include + #include ] + )] +) dnl dnl check for max length of uid_t in string representation. dnl we can't really trust UID_MAX or MAXUID since they may exist 
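Review bot: The rewritten definition opens with `AC_DEFUN(SUDO_SOCK_SA_LEN, [`, leaving the macro name unquoted, whereas `AC_DEFUN([SUDO_FUNC_UNSETENV_VOID],` in the previous hunk's header quotes it. `AC_DEFUN([SUDO_SOCK_SA_LEN], [` would be consistent and avoids accidental expansion of the name. The AC_DEFINE description still reads `struct sockadr`, which is copied into config.h.in; `struct sockaddr` is presumably intended.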
@@ -299,33 +289,13 @@ main() { (void) fprintf(f, "%d\n", strlen(b)); (void) fclose(f); exit(0); -}], sudo_cv_uid_t_len=`cat conftestdata`, sudo_cv_uid_t_len=10) +}], sudo_cv_uid_t_len=`cat conftestdata`, sudo_cv_uid_t_len=10, sudo_cv_uid_t_len=10) ]) rm -f conftestdata AC_MSG_RESULT($sudo_cv_uid_t_len) AC_DEFINE_UNQUOTED(MAX_UID_T_LEN, $sudo_cv_uid_t_len, [Define to the max length of a uid_t in string context (excluding the NUL).]) ]) -dnl -dnl Check for presence of long long and for sizeof(long long) == sizeof(long) -dnl -AC_DEFUN(SUDO_TYPE_LONG_LONG, -[AC_CHECK_TYPES(long long, [AC_DEFINE(HAVE_LONG_LONG, 1, [Define if your compiler supports the "long long" type.])] -[AC_MSG_CHECKING(for long and long long equivalence) -AC_CACHE_VAL(sudo_cv_type_long_is_quad, -[AC_TRY_RUN([ -main() { -if (sizeof(long long) == sizeof(long)) exit(0); -else exit(1); -}], [sudo_cv_type_long_is_quad=yes], -[sudo_cv_type_long_is_quad=no], [sudo_cv_type_long_is_quad=no]) -rm -f core core.* *.core])dnl -AC_MSG_RESULT($sudo_cv_type_long_is_quad) -if test $sudo_cv_type_long_is_quad = yes; then - AC_DEFINE(LONG_IS_QUAD, 1, [Define if sizeof(long) == sizeof(long long).]) -fi -])]) - dnl dnl append a libpath to an LDFLAGS style variable dnl diff --git a/auth/pam.c b/auth/pam.c index ddffe01..ca2ef10 100644 --- a/auth/pam.c +++ b/auth/pam.c @@ -281,6 +281,10 @@ sudo_conv(num_msg, msg, response, appdata_ptr) case PAM_PROMPT_ECHO_OFF: prompt = def_prompt; + /* Error out if the last password read was interrupted. */ + if (gotintr) + goto err; + /* Is the sudo prompt standard? (If so, we'l just use PAM's) */ std_prompt = strncmp(def_prompt, "Password:", 9) == 0 && (def_prompt[9] == '\0' || diff --git a/auth/sudo_auth.c b/auth/sudo_auth.c index f17ae8d..69b0a3a 100644 --- a/auth/sudo_auth.c +++ b/auth/sudo_auth.c 
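Review bot: The new `if (gotintr) goto err;` in the PAM_PROMPT_ECHO_OFF case leaves the conversation part-way through the message loop, so it relies on the `err` path scrubbing any replies already stored for earlier messages. That path is outside this hunk, and it is worth confirming that it zeroes password buffers before freeing them. `gotintr` is also set and cleared outside the hunk; if it is not reset at the start of each authentication attempt, every later password prompt would fail immediately. A short comment at the check saying where the flag is set and reset would help, for example `/* gotintr is set when the password read is interrupted; see where it is cleared before reuse. */`.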
@@ -185,8 +185,9 @@ verify_user(pw, prompt) goto cleanup; } #ifndef AUTH_STANDALONE - if (p) - zero_bytes(p, strlen(p)); + if (p == NULL) + break; + zero_bytes(p, strlen(p)); #endif if (!ISSET(tgetpass_flags, TGP_ASKPASS)) pass_warn(stderr); diff --git a/boottime.c b/boottime.c index 37c8315..f75af3e 100644 --- a/boottime.c +++ b/boottime.c @@ -142,7 +142,7 @@ get_boottime(tv) int get_boottime(tv) - struct timeval *tv + struct timeval *tv; { return 0; } diff --git a/check.c b/check.c index 8b7834a..d6efa6d 100644 --- a/check.c +++ b/check.c @@ -556,9 +556,12 @@ timestamp_status(timestampdir, timestampfile, user, flags) /* * Check for stored tty info. If the file is zero-sized * it is an old-style timestamp with no tty info in it. + * If removing, we don't care about the contents. * The actual mtime check is done later. */ - if (sb.st_size != 0) { + if (ISSET(flags, TS_REMOVE)) { + status = TS_OLD; + } else if (sb.st_size != 0) { struct tty_info info; int fd = open(timestampfile, O_RDONLY, 0644); if (fd != -1) { @@ -646,7 +649,7 @@ remove_timestamp(remove) } } else { timevalclear(&tv); - if (touch(-1, path, &tv) == -1) + if (touch(-1, path, &tv) == -1 && errno != ENOENT) error(1, "can't reset %s to Epoch", path); } } diff --git a/config.h.in b/config.h.in index 7c70f7f..af5653b 100644 --- a/config.h.in +++ b/config.h.in @@ -310,8 +310,8 @@ /* Define to 1 if you have the header file. */ #undef HAVE_LOGIN_CAP_H -/* Define if your compiler supports the "long long" type. */ -#undef HAVE_LONG_LONG +/* Define to 1 if the system has the type `long long int'. */ +#undef HAVE_LONG_LONG_INT /* Define to 1 if you have the `lrand48' function. */ #undef HAVE_LRAND48 @@ -616,9 +616,6 @@ /* Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH. */ #undef LOGGING -/* Define if sizeof(long) == sizeof(long long). */ -#undef LONG_IS_QUAD - /* Define to 1 if you want a two line OTP (S/Key or OPIE) prompt. */ #undef LONG_OTP_PROMPT 
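Review bot: The new `if (p == NULL) break;` leaves the prompt loop without taking the `goto cleanup` path used a few lines earlier and without recording a result. Whether an interrupted prompt is then reported as a failed attempt is decided by code after the loop, which is outside this hunk, as are the start and end of verify_user's body. A comment at the check would make the intent explicit, for example `/* NULL password: the prompt was interrupted (^C), stop asking. */`. If the post-loop code counts or logs attempts, it is worth confirming that an interrupt is not logged as an incorrect password.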
@@ -723,6 +720,9 @@ /* Define to 1 if you want sudo to set $HOME in shell mode. */ #undef SHELL_SETS_HOME +/* The size of `long int', as computed by sizeof. */ +#undef SIZEOF_LONG_INT + /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS diff --git a/configure b/configure index 45c2937..e66f189 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.65 for sudo 1.7.4. +# Generated by GNU Autoconf 2.65 for sudo 1.7.4p4. # # Report bugs to . # @@ -701,8 +701,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7.4' -PACKAGE_STRING='sudo 1.7.4' +PACKAGE_VERSION='1.7.4p4' +PACKAGE_STRING='sudo 1.7.4p4' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1552,7 +1552,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7.4 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.4p4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1617,7 +1617,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7.4:";; + short | recursive ) echo "Configuration of sudo 1.7.4p4:";; esac cat <<\_ACEOF @@ -1828,7 +1828,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7.4 +sudo configure 1.7.4p4 generated by GNU Autoconf 2.65 Copyright (C) 2009 Free Software Foundation, Inc. 
@@ -2250,16 +2250,57 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_type -# ac_fn_c_check_decl LINENO SYMBOL VAR -# ------------------------------------ -# Tests whether SYMBOL is declared, setting cache variable VAR accordingly. -ac_fn_c_check_decl () +# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES +# -------------------------------------------- +# Tries to find the compile-time value of EXPR in a program that includes +# INCLUDES, setting VAR accordingly. Returns whether the value could be +# computed +ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $2 is declared" >&5 -$as_echo_n "checking whether $2 is declared... " >&6; } -if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : - $as_echo_n "(cached) " >&6 + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= 0)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=0 ac_mid=0 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid; break +else + as_fn_arith $ac_mid + 1 && ac_lo=$as_val + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -2267,27 +2308,125 @@ $4 int main () { -#ifndef $2 - (void) $2; -#endif +static int test_array [1 - 2 * !(($2) < 0)]; +test_array [0] = 0 ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - eval "$3=yes" + ac_hi=-1 ac_mid=-1 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=$ac_mid; break else - eval "$3=no" + as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + ac_lo= ac_hi= fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid +else + as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in #(( +?*) eval "$3=\$ac_lo"; ac_retval=0 ;; +'') ac_retval=1 ;; +esac + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +static long int longval () { return $2; } +static unsigned long int ulongval () { return $2; } +#include +#include +int +main () +{ + + FILE *f = fopen ("conftest.val", "w"); + if (! 
f) + return 1; + if (($2) < 0) + { + long int i = longval (); + if (i != ($2)) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ($2)) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + echo >>conftest.val; read $3 &6; } eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} } # ac_fn_c_check_member + +# ac_fn_c_check_decl LINENO SYMBOL VAR +# ------------------------------------ +# Tests whether SYMBOL is declared, setting cache variable VAR accordingly. +ac_fn_c_check_decl () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $2 is declared" >&5 +$as_echo_n "checking whether $2 is declared... " >&6; } +if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +#ifndef $2 + (void) $2; +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + +} # ac_fn_c_check_decl cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7.4, which was +It was created by sudo $as_me 1.7.4p4, which was generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ 
@@ -6584,13 +6762,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6587: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6765: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6590: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6768: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6593: output\"" >&5) + (eval echo "\"\$as_me:6771: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7795,7 +7973,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7798 "configure"' > conftest.$ac_ext + echo '#line 7976 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9188,11 +9366,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9191: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9369: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9195: \$? = $ac_status" >&5 + echo "$as_me:9373: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9527,11 +9705,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9530: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9708: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9534: \$? = $ac_status" >&5 + echo "$as_me:9712: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9632,11 +9810,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9635: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9813: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9639: \$? = $ac_status" >&5 + echo "$as_me:9817: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9687,11 +9865,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9690: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9868: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9694: \$? = $ac_status" >&5 + echo "$as_me:9872: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12054,7 +12232,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12057 "configure" +#line 12235 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12150,7 +12328,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12153 "configure" +#line 12331 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -14099,6 +14277,131 @@ $as_echo "#define HAVE_IN6_ADDR 1" >>confdefs.h fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for long long int" >&5 +$as_echo_n "checking for long long int... " >&6; } +if test "${ac_cv_type_long_long_int+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + /* For now, do not test the preprocessor; as of 2007 there are too many + implementations with broken preprocessors. Perhaps this can + be revisited in 2012. In the meantime, code should not expect + #if to work with literals wider than 32 bits. */ + /* Test literals. */ + long long int ll = 9223372036854775807ll; + long long int nll = -9223372036854775807LL; + unsigned long long int ull = 18446744073709551615ULL; + /* Test constant expressions. */ + typedef int a[((-9223372036854775807LL < 0 && 0 < 9223372036854775807ll) + ? 1 : -1)]; + typedef int b[(18446744073709551615ULL <= (unsigned long long int) -1 + ? 1 : -1)]; + int i = 63; +int +main () +{ +/* Test availability of runtime routines for shift and division. */ + long long int llmax = 9223372036854775807ll; + unsigned long long int ullmax = 18446744073709551615ull; + return ((ll << 63) | (ll >> 63) | (ll < i) | (ll > i) + | (llmax / ll) | (llmax % ll) + | (ull << 63) | (ull >> 63) | (ull << i) | (ull >> i) + | (ullmax / ull) | (ullmax % ull)); + ; + return 0; +} + +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + if test "$cross_compiling" = yes; then : + ac_cv_type_long_long_int=yes +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include + #ifndef LLONG_MAX + # define HALF \ + (1LL << (sizeof (long long int) * CHAR_BIT - 2)) + # define LLONG_MAX (HALF - 1 + HALF) + #endif +int +main () +{ +long long int n = 1; + int i; + for (i = 0; ; i++) + { + long long int m = n << i; + if (m >> i != n) + return 1; + if (LLONG_MAX / 2 < m) + break; + } + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_cv_type_long_long_int=yes +else + ac_cv_type_long_long_int=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +else + ac_cv_type_long_long_int=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_long_long_int" >&5 +$as_echo "$ac_cv_type_long_long_int" >&6; } + if test $ac_cv_type_long_long_int = yes; then + +$as_echo "#define HAVE_LONG_LONG_INT 1" >>confdefs.h + + fi + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long int" >&5 +$as_echo_n "checking size of long int... " >&6; } +if test "${ac_cv_sizeof_long_int+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long int))" "ac_cv_sizeof_long_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_long_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +{ as_fn_set_status 77 +as_fn_error "cannot compute sizeof (long int) +See \`config.log' for more details." 
"$LINENO" 5; }; } + else + ac_cv_sizeof_long_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_int" >&5 +$as_echo "$ac_cv_sizeof_long_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_INT $ac_cv_sizeof_long_int +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for size_t" >&5 $as_echo_n "checking for size_t... " >&6; } if test "${sudo_cv_type_size_t+set}" = set; then : @@ -14239,10 +14542,7 @@ if test "${sudo_cv_uid_t_len+set}" = set; then : else rm -f conftestdata if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error "cannot run test program while cross compiling -See \`config.log' for more details." "$LINENO" 5; } + sudo_cv_uid_t_len=10 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -14286,90 +14586,18 @@ cat >>confdefs.h <<_ACEOF _ACEOF -ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "$ac_includes_default" -if test "x$ac_cv_type_long_long" = x""yes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_LONG_LONG 1 -_ACEOF - - -$as_echo "#define HAVE_LONG_LONG 1" >>confdefs.h - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for long and long long equivalence" >&5 -$as_echo_n "checking for long and long long equivalence... " >&6; } -if test "${sudo_cv_type_long_is_quad+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then : - sudo_cv_type_long_is_quad=no -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -main() { -if (sizeof(long long) == sizeof(long)) exit(0); -else exit(1); -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - sudo_cv_type_long_is_quad=yes -else - sudo_cv_type_long_is_quad=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -rm -f core core.* *.core -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_type_long_is_quad" >&5 -$as_echo "$sudo_cv_type_long_is_quad" >&6; } -if test $sudo_cv_type_long_is_quad = yes; then - -$as_echo "#define LONG_IS_QUAD 1" >>confdefs.h - -fi -fi + ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_sockaddr_sa_len" " #include + #include -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sa_len field in struct sockaddr" >&5 -$as_echo_n "checking for sa_len field in struct sockaddr... " >&6; } -if test "${sudo_cv_sock_sa_len+set}" = set; then : - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then : - sudo_cv_sock_sa_len=no -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include -#include -main() { -struct sockaddr s; -s.sa_len = 0; -exit(0); -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - sudo_cv_sock_sa_len=yes -else - sudo_cv_sock_sa_len=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -rm -f core core.* *.core -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_sock_sa_len" >&5 -$as_echo "$sudo_cv_sock_sa_len" >&6; } -if test $sudo_cv_sock_sa_len = yes; then +" +if test "x$ac_cv_member_struct_sockaddr_sa_len" = x""yes; then : $as_echo "#define HAVE_SA_LEN 1" >>confdefs.h fi + case "$DEFS" in *"RETSIGTYPE"*) ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 @@ -14856,7 +15084,7 @@ if test "${sudo_cv_func_unsetenv_void+set}" = set; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : - sudo_cv_func_unsetenv_void=yes + sudo_cv_func_unsetenv_void=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -18242,7 +18470,7 @@ test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share' test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' -ac_config_files="$ac_config_files Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h" +ac_config_files="$ac_config_files Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -18749,7 +18977,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.7.4, which was +This file was extended by sudo $as_me 1.7.4p4, which was generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18815,7 +19043,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.7.4 +sudo config.status 1.7.4p4 configured by $0, generated by GNU Autoconf 2.65, with options \\"\$ac_cs_config\\" @@ -19199,6 +19427,7 @@ do "sudoers.ldap.man") CONFIG_FILES="$CONFIG_FILES sudoers.ldap.man" ;; "sudoreplay.man") CONFIG_FILES="$CONFIG_FILES sudoreplay.man" ;; "sudo_usage.h") CONFIG_FILES="$CONFIG_FILES sudo_usage.h" ;; + "sudoers") CONFIG_FILES="$CONFIG_FILES sudoers" ;; *) as_fn_error "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.in b/configure.in index f54eb79..4186b88 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script. dnl dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller dnl -AC_INIT([sudo], [1.7.4], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.7.4p4], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h) dnl dnl This won't work before AC_INIT @@ -1891,12 +1891,13 @@ AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], [], [#include ]) AC_CHECK_TYPES([struct in6_addr], [AC_DEFINE(HAVE_IN6_ADDR)], [], [#include #include ]) +AC_TYPE_LONG_LONG_INT +AC_CHECK_SIZEOF([long int]) SUDO_TYPE_SIZE_T SUDO_TYPE_SSIZE_T SUDO_TYPE_DEV_T SUDO_TYPE_INO_T SUDO_UID_T_LEN -SUDO_TYPE_LONG_LONG SUDO_SOCK_SA_LEN dnl dnl only set RETSIGTYPE if it is not set already 
@@ -2802,7 +2803,7 @@ test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/ dnl dnl Substitute into the Makefile and man pages dnl -AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h]) +AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers]) AC_OUTPUT dnl diff --git a/env.c b/env.c index c6e0a6b..739631f 100644 --- a/env.c +++ b/env.c @@ -766,7 +766,7 @@ rebuild_env(noexec) /* Set $HOME to target user if not preserving user's value. */ if (reset_home && !ISSET(didvar, KEPT_HOME)) - sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME)); + sudo_setenv("HOME", runas_pw->pw_dir, TRUE); /* Provide default values for $TERM and $PATH if they are not set. */ if (!ISSET(didvar, DID_TERM)) diff --git a/exec.c b/exec.c index 93316a0..784f90a 100644 --- a/exec.c +++ b/exec.c @@ -101,8 +101,15 @@ static int fork_cmnd(path, argv, envp, sv, rbac_enabled) int rbac_enabled; { struct command_status cstat; + sigaction_t sa; int pid; + zero_bytes(&sa, sizeof(sa)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */ + sa.sa_handler = handler; + sigaction(SIGCONT, &sa, NULL); + pid = fork(); switch (pid) { case -1: 
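Review bot: The bare `TRUE` now passed as the third argument of `sudo_setenv("HOME", runas_pw->pw_dir, TRUE)` in the env.c hunk has no explanation at the call site, and the reason for it is security-relevant. Going by the ChangeLog entry for this change, that argument is the duplicate check, and forcing it presumably makes an inherited HOME entry get replaced rather than left beside the new one when always_set_home applies without env_reset. I would add `/* dupcheck: always replace an inherited HOME so no second copy reaches the command */` above the call. rebuild_env starts and ends outside the hunk, so how didvar is filled in is not visible here.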
@@ -260,21 +267,22 @@ sudo_execve(path, argv, envp, uid, cstat, dowait, bgmode) #else pid = wait(&status); #endif - if (pid == child) { - if (!log_io) { - if (WIFSTOPPED(status)) { - /* Child may not have privs to suspend us itself. */ - kill(getpid(), WSTOPSIG(status)); - } else { - /* Child has exited, we are done. */ - cstat->type = CMD_WSTATUS; - cstat->val = status; - return 0; - } + } while (pid == -1 && errno == EINTR); + if (pid == child) { + /* If not logging I/O and child has exited we are done. */ + if (!log_io) { + if (WIFSTOPPED(status)) { + /* Child may not have privs to suspend us itself. */ + kill(getpid(), WSTOPSIG(status)); + } else { + /* Child has exited, we are done. */ + cstat->type = CMD_WSTATUS; + cstat->val = status; + return 0; } - /* Else we get ECONNRESET on sv[0] if child dies. */ } - } while (pid != -1 || errno == EINTR); + /* Else we get ECONNRESET on sv[0] if child dies. */ + } } zero_bytes(fdsw, howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask)); diff --git a/exec_pty.c b/exec_pty.c index 191e0e3..2d6b0e8 100644 --- a/exec_pty.c +++ b/exec_pty.c @@ -653,7 +653,11 @@ handle_sigchld(backchannel, cstat) /* read child status */ do { - pid = waitpid(child, &status, WUNTRACED|WNOHANG); +#ifdef sudo_waitpid + pid = sudo_waitpid(child, &status, WUNTRACED|WNOHANG); +#else + pid = wait(&status); +#endif } while (pid == -1 && errno == EINTR); if (pid == child) { if (cstat->type != CMD_ERRNO) { diff --git a/get_pty.c b/get_pty.c index 7bc0355..7b35108 100644 --- a/get_pty.c +++ b/get_pty.c @@ -88,7 +88,7 @@ get_pty(master, slave, name, namesz, ttyuid) char *line; /* IRIX-style dynamic ptys (may fork) */ - line = _getpty(master, O_RDWR, IRUSR|S_IWUSR|S_IWGRP, 0); + line = _getpty(master, O_RDWR, S_IRUSR|S_IWUSR|S_IWGRP, 0); if (line == NULL) return (0); *slave = open(line, O_RDWR|O_NOCTTY, 0); 
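Review bot: The `#else` fallback `pid = wait(&status);` added in handle_sigchld (exec_pty.c) is not equivalent to the call it stands in for: `wait()` blocks until a child terminates, reaps any child rather than only `child`, and never reports a stopped child, so the WUNTRACED|WNOHANG behaviour is lost on builds where `sudo_waitpid` is undefined. If this path is reached after a SIGCHLD caused by the command stopping, it would presumably block instead of relaying the stop. Since the fallback cannot be made non-blocking, I would at least mark the limitation, e.g. `/* XXX - wait() blocks and cannot see stopped children; no job control on this path */`. The same fallback is visible as context in the exec.c hunk just above, and handle_sigchld continues outside the hunk.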
@@ -146,7 +146,7 @@ get_pty(master, slave, name, namesz, ttyuid) close(*master); return(0); } -# ifdef I_PUSH +# if defined(I_PUSH) && !defined(_AIX) ioctl(*slave, I_PUSH, "ptem"); /* pseudo tty emulation module */ ioctl(*slave, I_PUSH, "ldterm"); /* line discipline module */ # endif diff --git a/lbuf.c b/lbuf.c index e64f76b..bd218da 100644 --- a/lbuf.c +++ b/lbuf.c @@ -282,14 +282,15 @@ lbuf_print(lbuf) /* For very small widths just give up... */ if (lbuf->cols <= lbuf->indent + contlen + 20) { - puts(lbuf->buf); + lbuf->output(lbuf->buf); + lbuf->output("\n"); goto done; } /* Print each line in the buffer */ for (cp = lbuf->buf; cp != NULL && *cp != '\0'; ) { if (*cp == '\n') { - putchar('\n'); + lbuf->output("\n"); cp++; } else { ep = memchr(cp, '\n', lbuf->len - (cp - lbuf->buf)); diff --git a/ldap.c b/ldap.c index 9554df2..81d3c40 100644 --- a/ldap.c +++ b/ldap.c @@ -1227,7 +1227,7 @@ sudo_ldap_display_defaults(nss, pw, lbuf) int rc, count = 0; if (ld == NULL) - return(-1); + goto done; for (base = ldap_conf.base; base != NULL; base = base->next) { result = NULL; @@ -1251,6 +1251,7 @@ sudo_ldap_display_defaults(nss, pw, lbuf) if (result) ldap_msgfree(result); } +done: return(count); } @@ -1263,7 +1264,7 @@ sudo_ldap_display_bound_defaults(nss, pw, lbuf) struct passwd *pw; struct lbuf *lbuf; { - return(1); + return(0); } /* @@ -1440,7 +1441,7 @@ sudo_ldap_display_privs(nss, pw, lbuf) int rc, do_netgr, count = 0; if (ld == NULL) - return(-1); + goto done; /* * Okay - time to search for anything that matches this user @@ -1482,6 +1483,7 @@ sudo_ldap_display_privs(nss, pw, lbuf) } efree(filt); } +done: return(count); } diff --git a/match.c b/match.c index 64d413b..91ec315 100644 --- a/match.c +++ b/match.c 
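Review bot: After `if (ld == NULL) goto done;` in sudo_ldap_display_defaults, a missing LDAP handle is returned as a count of 0, which the caller cannot tell apart from a directory that simply holds no matching entries. The ChangeLog says the caller expects a value >= 0, so the return value is right, but the listing then silently omits a source that never opened. A comment at the label such as `/* ld == NULL is reported as zero entries; callers expect a count >= 0 */` would record that this is deliberate. The same pattern is introduced in sudo_ldap_display_privs in this file and in sudo_file_display_privs and sudo_file_display_defaults in parse.c; all of these functions start outside their hunks.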
@@ -170,15 +170,9 @@ _runaslist_matches(user_list, group_list) { struct member *m; struct alias *a; - int rval, matched = UNSPEC; - - if (runas_gr != NULL) { - if (tq_empty(group_list)) - return(DENY); /* group was specified but none in sudoers */ - if (runas_pw != NULL && strcmp(runas_pw->pw_name, user_name) && - tq_empty(user_list)) - return(DENY); /* user was specified but none in sudoers */ - } + int rval; + int user_matched = UNSPEC; + int group_matched = UNSPEC; if (tq_empty(user_list) && tq_empty(group_list)) return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); 
@@ -187,59 +181,67 @@ _runaslist_matches(user_list, group_list) tq_foreach_rev(user_list, m) { switch (m->type) { case ALL: - matched = !m->negated; + user_matched = !m->negated; break; case NETGROUP: if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name)) - matched = !m->negated; + user_matched = !m->negated; break; case USERGROUP: if (usergr_matches(m->name, runas_pw->pw_name, runas_pw)) - matched = !m->negated; + user_matched = !m->negated; break; case ALIAS: if ((a = alias_find(m->name, RUNASALIAS)) != NULL) { rval = _runaslist_matches(&a->members, &empty); if (rval != UNSPEC) - matched = m->negated ? !rval : rval; + user_matched = m->negated ? !rval : rval; break; } /* FALLTHROUGH */ case WORD: if (userpw_matches(m->name, runas_pw->pw_name, runas_pw)) - matched = !m->negated; + user_matched = !m->negated; break; } - if (matched != UNSPEC) + if (user_matched != UNSPEC) break; } } if (runas_gr != NULL) { + if (user_matched == UNSPEC) { + if (runas_pw == NULL || strcmp(runas_pw->pw_name, user_name) == 0) + user_matched = ALLOW; /* only changing group */ + } tq_foreach_rev(group_list, m) { switch (m->type) { case ALL: - matched = !m->negated; + group_matched = !m->negated; break; case ALIAS: if ((a = alias_find(m->name, RUNASALIAS)) != NULL) { rval = _runaslist_matches(&a->members, &empty); if (rval != UNSPEC) - matched = m->negated ? !rval : rval; + group_matched = m->negated ? !rval : rval; break; } /* FALLTHROUGH */ case WORD: if (group_matches(m->name, runas_gr)) - matched = !m->negated; + group_matched = !m->negated; break; } - if (matched != UNSPEC) + if (group_matched != UNSPEC) break; } } - return(matched); + if (user_matched == DENY || group_matched == DENY) + return(DENY); + if (user_matched == group_matched || runas_gr == NULL) + return(user_matched); + return(UNSPEC); } int diff --git a/parse.c b/parse.c index 245219e..97aba79 100644 --- a/parse.c +++ b/parse.c 
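Review bot: The new tail (`if (user_matched == group_matched || runas_gr == NULL) return(user_matched); return(UNSPEC);`) is also reached by the recursive ALIAS calls `_runaslist_matches(&a->members, &empty)`, and there it looks unable to return a positive result while a runas group is set. In the recursion the group list is empty, so group_matched stays UNSPEC and a user match of ALLOW falls through to `return(UNSPEC)`; that fails closed, but a Runas_Alias would appear to stop matching whenever -g is given. The group-list ALIAS case also hands the alias members over in the user_list position, so they are compared against runas_pw rather than runas_gr. I would add a regression case for a Runas_Alias used together with -g and put `/* NOTE: also reached from the ALIAS recursion, where group_list is always empty */` above the tail until that is settled. The function begins outside this hunk, so the guard around the user loop is not visible here.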
@@ -429,7 +429,7 @@ sudo_file_display_privs(nss, pw, lbuf) int nfound = 0; if (nss->handle == NULL) - return(-1); + goto done; tq_foreach_fwd(&userspecs, us) { if (userlist_matches(pw, &us->users) != ALLOW) @@ -440,6 +440,7 @@ sudo_file_display_privs(nss, pw, lbuf) else nfound += sudo_file_display_priv_short(pw, us, lbuf); } +done: return(nfound); } @@ -457,7 +458,7 @@ sudo_file_display_defaults(nss, pw, lbuf) int nfound = 0; if (nss->handle == NULL) - return(-1); + goto done; if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1])) prefix = " "; @@ -493,7 +494,7 @@ sudo_file_display_defaults(nss, pw, lbuf) prefix = ", "; nfound++; } - +done: return(nfound); } @@ -594,7 +595,7 @@ sudo_file_display_cmnd(nss, pw) int host_match, runas_match, cmnd_match; if (nss->handle == NULL) - return(rval); + goto done; match = NULL; tq_foreach_rev(&userspecs, us) { @@ -625,6 +626,7 @@ sudo_file_display_cmnd(nss, pw) user_args ? user_args : ""); rval = 0; } +done: return(rval); } diff --git a/set_perms.c b/set_perms.c index 4e7dc9c..81e2e76 100644 --- a/set_perms.c +++ b/set_perms.c @@ -488,7 +488,8 @@ runas_setgroups() # ifdef HAVE_GETGROUPS static GETGROUPS_T *groups; # endif - struct passwd *pw; + static struct passwd *pw; + struct passwd *opw = pw; if (def_preserve_groups) return; @@ -496,14 +497,18 @@ runas_setgroups() /* * Use stashed copy of runas groups if available, else initgroups and stash. */ - if (ngroups == -1) { - pw = runas_pw ? runas_pw : sudo_user.pw; + pw = runas_pw ? runas_pw : sudo_user.pw; + if (pw != opw) { # ifdef HAVE_SETAUTHDB aix_setauthdb(pw->pw_name); # endif if (initgroups(pw->pw_name, pw->pw_gid) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); # ifdef HAVE_GETGROUPS + if (groups) { + efree(groups); + groups = NULL; + } if ((ngroups = getgroups(0, NULL)) > 0) { groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); if (getgroups(ngroups, groups) < 0) diff --git a/snprintf.c b/snprintf.c index 27757f9..4123a9d 100644 
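Review bot: Change detection in runas_setgroups (set_perms.c) relies on pointer identity, `if (pw != opw)` against the function-static `pw`, which is only sound if a passwd struct is never freed and reallocated, or refilled in place, for a different user. If that can happen, the group vector stashed for the previous target is reused, which is the wrong-supplementary-groups outcome the ChangeLog entry for this change describes. Keying the stash on the account is safer, for example keeping the uid in a static and testing `if (ngroups == -1 || pw->pw_uid != stashed_uid)`. How runas_pw is allocated is not visible in these two hunks, and the function continues past the end of the second one.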
--- a/snprintf.c +++ b/snprintf.c @@ -89,7 +89,7 @@ static int xxxprintf __P((char **, size_t, int, const char *, va_list)); #ifndef LONG_MAX # define LONG_MAX (ULONG_MAX / 2) #endif -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT # ifndef ULLONG_MAX # ifdef UQUAD_MAX # define ULLONG_MAX UQUAD_MAX @@ -104,7 +104,7 @@ static int xxxprintf __P((char **, size_t, int, const char *, va_list)); # define LLONG_MAX (ULLONG_MAX / 2) # endif # endif -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ /* * Macros for converting digits to letters and vice versa @@ -212,8 +212,8 @@ __ultoa(val, endp, base, octzero, xdigs) } /* Identical to __ultoa, but for quads. */ -#ifdef HAVE_LONG_LONG -# ifdef LONG_IS_QUAD +#ifdef HAVE_LONG_LONG_INT +# if SIZEOF_LONG_INT == 8 # define __uqtoa(v, e, b, o, x) __ultoa((unsigned long)(v), (e), (b), (o), (x)) # else static char * @@ -268,8 +268,8 @@ __uqtoa(val, endp, base, octzero, xdigs) } return (cp); } -# endif /* !LONG_IS_QUAD */ -#endif /* HAVE_LONG_LONG */ +# endif /* !SIZEOF_LONG_INT */ +#endif /* HAVE_LONG_LONG_INT */ /* * Actual printf innards. @@ -292,7 +292,7 @@ xxxprintf(strp, strsize, alloc, fmt0, ap) int prec; /* precision from format (%.3d), or -1 */ char sign; /* sign prefix (' ', '+', '-', or \0) */ unsigned long ulval; /* integer arguments %[diouxX] */ -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT unsigned long long uqval; /* %q (quad) integers */ #endif int base; /* base for [diouxX] conversion */ @@ -469,11 +469,11 @@ reswitch: switch (ch) { case 'l': flags |= LONGINT; goto rflag; -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT case 'q': flags |= QUADINT; goto rflag; -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ case 'c': *(cp = buf) = va_arg(ap, int); size = 1; @@ -484,7 +484,7 @@ reswitch: switch (ch) { /*FALLTHROUGH*/ case 'd': case 'i': -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) { uqval = va_arg(ap, long long); if ((long long)uqval < 0) { 
@@ -493,7 +493,7 @@ reswitch: switch (ch) { } } else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ { ulval = SARG(); if ((long)ulval < 0) { @@ -504,11 +504,11 @@ reswitch: switch (ch) { base = 10; goto number; case 'n': -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) *va_arg(ap, long long *) = ret; else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ if (flags & LONGINT) *va_arg(ap, long *) = ret; else if (flags & SHORTINT) @@ -520,11 +520,11 @@ reswitch: switch (ch) { flags |= LONGINT; /*FALLTHROUGH*/ case 'o': -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) uqval = va_arg(ap, unsigned long long); else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ ulval = UARG(); base = 8; goto nosign; @@ -567,11 +567,11 @@ reswitch: switch (ch) { flags |= LONGINT; /*FALLTHROUGH*/ case 'u': -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) uqval = va_arg(ap, unsigned long long); else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ ulval = UARG(); base = 10; goto nosign; @@ -581,20 +581,20 @@ reswitch: switch (ch) { case 'x': xdigs = "0123456789abcdef"; hex: -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) uqval = va_arg(ap, unsigned long long); else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ ulval = UARG(); base = 16; /* leading 0x/X only if non-zero */ if (flags & ALT && -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT (flags & QUADINT ? uqval != 0 : ulval != 0)) #else ulval != 0) -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ flags |= HEXPREFIX; /* unsigned conversions */ 
@@ -613,14 +613,14 @@ number: if ((dprec = prec) >= 0) * -- ANSI X3J11 */ cp = buf + BUF; -#ifdef HAVE_LONG_LONG +#ifdef HAVE_LONG_LONG_INT if (flags & QUADINT) { if (uqval != 0 || prec != 0) cp = __uqtoa(uqval, cp, base, flags & ALT, xdigs); } else -#endif /* HAVE_LONG_LONG */ +#endif /* HAVE_LONG_LONG_INT */ { if (ulval != 0 || prec != 0) cp = __ultoa(ulval, cp, base, diff --git a/sudo.c b/sudo.c index 3bccdd3..159a2c8 100644 --- a/sudo.c +++ b/sudo.c @@ -105,7 +105,7 @@ # include "nonunix.h" #endif -#ifdef HAVE_PAM +#if defined(HAVE_PAM) && !defined(NO_PAM_SESSION) # define CMND_WAIT TRUE #else # define CMND_WAIT FALSE diff --git a/sudo.pp b/sudo.pp index 8f7ccba..1f203d8 100644 --- a/sudo.pp +++ b/sudo.pp 
@@ -13,16 +13,30 @@ The basic philosophy is to give as few privileges as possible but \ still allow people to get their work done." vendor="Todd C. Miller" copyright="(c) 1993-1996,1998-2010 Todd C. Miller" - pp_rpm_release="1" + + # Convert to 4 part version for AIX, including patch level + pp_aix_version=`echo $version|sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/' -e 's/[^0-9]*\([0-9]*\)$/.\1/'` + + # Strip of patchlevel for kit which only supports x.y.z versions + pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/p[0-9]*$//'`" + pp_kit_name="TCM" + + pp_sd_vendor_tag="TCM" + pp_solaris_name="TCM${name}" +%if [rpm,deb] + # Convert patch level into release and remove from version + pp_rpm_release="`echo $version|sed 's/^[0-9]*\.[0-9]*\.[0-9]*[^0-9]*//'`" + pp_rpm_release="`expr $pp_rpm_release + 1`" + pp_rpm_version="`echo $version|sed 's/p[0-9]*$//'`" pp_rpm_license="BSD" pp_rpm_url="http://www.sudo.ws/" pp_rpm_group="Applications/System" pp_rpm_packager="Todd.Miller@courtesan.com" - pp_deb_maintainer="Todd.Miller@courtesan.com" - pp_sd_vendor_tag="TCM" - pp_kit_name="TCM" - pp_solaris_name="TCM${name}" -%if [!rpm,deb] + + pp_deb_maintainer="$pp_rpm_packager" + pp_deb_release="$pp_rpm_release" + pp_deb_version="$pp_rpm_version" +%else # For all but RPM and Debian we need to install sudoers with a different # name and make a copy of it if there is no existing file. mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist @@ -66,8 +80,8 @@ still allow people to get their work done." # For RedHat the doc dir is expected to include version and release case "$pp_rpm_distro" in centos*|rhel*) - mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-1 - docdir=${docdir}-${version}-1 + mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release} + docdir=${docdir}-${version}-${pp_rpm_release} ;; esac diff --git a/sudoers b/sudoers.in similarity index 95% rename from sudoers rename to sudoers.in index 4d346a6..42e639e 100644 
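Review bot: The release computation `expr $pp_rpm_release + 1` in the `%if [rpm,deb]` block assumes the version always ends in a patch level. For a version such as 1.7.4 the preceding sed leaves pp_rpm_release empty, the unquoted expansion disappears, and the command becomes `expr + 1`, whose result differs between expr implementations and is a syntax error in some. Defaulting the operand keeps the release at 1 for unpatched versions: `expr ${pp_rpm_release:-0} + 1`. The `$version` expansions piped to sed in this hunk are unquoted as well, which is harmless only while the version string contains no whitespace or glob characters.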
--- a/sudoers +++ b/sudoers.in @@ -85,5 +85,6 @@ root ALL=(ALL) ALL # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d +## Read drop-in files from @sysconfdir@/sudoers.d +## (the '#' here does not indicate a comment) +#includedir @sysconfdir@/sudoers.d -- 2.30.2
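Review bot: The rewritten comment above `#includedir @sysconfdir@/sudoers.d` explains that the directive is active but not what that implies for the directory. The path now follows the configured sysconfdir, and every file placed there is read as sudoers policy, so the comment should say who may write to it. I would add a third line such as `## Files here are parsed as sudoers; keep the directory and its contents owned by root and not writable by anyone else`.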