--- embedaddon/sudo/ChangeLog 2013/10/14 07:56:33 1.1.1.5 +++ embedaddon/sudo/ChangeLog 2014/06/15 16:12:53 1.1.1.6 @@ -1,3 +1,2046 @@ +2014-05-06 Todd C. Miller + + * compat/getgrouplist.c, plugins/group_file/group_file.c, + plugins/system_group/system_group.c: + deal with NULL gr_mem here too + [0db43ed71001] + + * NEWS, configure, configure.ac: + Sudo 1.8.10p3 + [3f415a180023] + +2014-05-02 Todd C. Miller + + * common/event.c: + Fix non-blocking mode. We only want to exit the event loop when + poll() or select() returns 0 and there are no active events. This + fixes a problem on some systems where the last buffer was not being + written when the command exited. + [deb6b1a7b241] + +2014-04-28 Todd C. Miller + + * plugins/sudoers/boottime.c, plugins/sudoers/sudoers.h: + Make get_boottime() return bool. + [9ff15a995d01] + + * doc/CONTRIBUTORS, plugins/sudoers/boottime.c: + Fix fd leak on Linux when determing boot time. This is usually + masked by the closefrom() call in sudo. From Jamie Anderson. Bug + #645 + [0b4c430e8b88] + +2014-04-15 Todd C. Miller + + * doc/CONTRIBUTORS, plugins/sudoers/auth/pam.c: + Use PAM_REINITIALIZE_CRED instead of PAM_ESTABLISH_CRED when + changing the user. This is the correct flag to use with a program + that changes the uid like su or sudo and fixes a role problem on + Solaris. From Gary Winiger; Bug #642 + [ec23c3bf41bb] + + * plugins/sudoers/defaults.c: + pam_setcred should default to true; from Gary Winiger Bug #642 + [23e6628ec546] + +2014-04-09 Todd C. Miller + + * MANIFEST, plugins/sudoers/match.c, + plugins/sudoers/regress/testsudoers/test6.out.ok, + plugins/sudoers/regress/testsudoers/test6.sh, + plugins/sudoers/regress/testsudoers/test7.out.ok, + plugins/sudoers/regress/testsudoers/test7.sh: + Fix matching of uids and gids broken in sudo 1.8.9. + [315eff4add59] + + * plugins/sudoers/testsudoers.c: + Fix -P option in usage() + [50753b6222b7] + +2014-03-19 Todd C. Miller + + * plugins/sudoers/check.c, plugins/sudoers/prompt.c, + plugins/sudoers/sudoers.h: + Fix expansion of %p in the prompt for "sudo -l" when rootpw, runaspw + or targetpw is set. Bug #639 + [dff0208d1194] + +2014-03-17 Todd C. Miller + + * NEWS, configure, configure.ac: + Sudo 1.8.10p2 + [774ebec63b41] + + * plugins/sudoers/timestamp.c: + Don't write an empty timestamp record when timestamp_timeout is + zero. If we find an empty record in the timestamp file, overwrite it + with a good one, truncating the file as needed. + [9c226d81b660] + +2014-03-15 Todd C. Miller + + * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in: + Fix typos in description of the -x option. Bug #637 + [6ff2bfaaf99d] + +2014-03-13 Todd C. Miller + + * NEWS, configure, configure.ac: + Sudo 1.8.10p1 + [33828a3385ad] + + * plugins/sudoers/timestamp.c: + Fix typo/thinko that prevented "Defaults !tty_tickets" from working. + [f65cc29dbcc7] + + * plugins/sudoers/parse.c: + Fix "sudo -l command" output when the matching command is negated. + Bug #636 + [b4a92803f733] + +2014-03-11 Todd C. Miller + + * MANIFEST, common/Makefile.in, common/regress/atofoo/atofoo_test.c, + common/regress/sudo_conf/test5.err.ok, + common/regress/tailq/hltq_test.c: + The atofoo_test and hltq_test tests now display their own test error + rate. Display pass/fail count separately for sudo_conf and + sudo_parseln tests. Check stderr output for the sudo_conf test. + [5c814709ac70] + + * src/Makefile.in: + Don't run the check_ttyname test if cross compiling. + [874ecc1c3db0] + + * plugins/sudoers/Makefile.in: + CWD no longer used. + [13b2f3c4269b] + + * plugins/sudoers/Makefile.in: + Fix diff of toke and err output files in "make check" + [485cdf3c75e7] + +2014-03-07 Todd C. Miller + + * src/po/de.mo, src/po/de.po: + sync with translationproject.org + [d246c72a2350] + +2014-03-06 Todd C. Miller + + * configure, configure.ac: + Check whether ber.h is needed before ldap.h even if we are not using + any ber functions. Needed for older versions of nss ldap. + [c2310324dc34] + + * plugins/sudoers/sssd.c: + Fix compiler warning in debug code. + [8ee4cb6cafad] + + * MANIFEST, NEWS, doc/CONTRIBUTORS, src/po/ca.mo, src/po/ca.po: + Catalan translation for sudo from translationproject.org. + [d6af7d06ee36] + +2014-03-05 Todd C. Miller + + * NEWS: + Document negation fix in JSON output. + [37a85423ae49] + +2014-03-04 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Fix handling of '!' operator when converting sudoers. We now add a + "negated" boolean flag to objects that have the '!' operator. + [071926c10280] + +2014-03-01 Todd C. Miller + + * MANIFEST, NEWS, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po: + Czech translation for sudoers from translationproject.org + [c0aae297f7c1] + +2014-02-28 Todd C. Miller + + * configure, configure.ac: + Try -libmldap before -lldap in case there is no link from + libibmldap.so to libldap.so. Since IBM ldap is installed under /opt + we should only be able to reach it if --with-ldap was given an + explicit path. + + Only check for ber_set_option() if LBER_OPT_DEBUG_LEVEL is defined. + [89d50c29d737] + +2014-02-27 Todd C. Miller + + * plugins/sudoers/set_perms.c: + Fix typo in setreuid() PERM_ROOT error message. + [533415f53165] + + * mkpkg: + No longer need to disable setresuid() on debian. + [96ba687c35f0] + +2014-02-26 Todd C. Miller + + * plugins/sudoers/timestamp.c: + Fix conversion of timestamp_timeout from double to struct timeval. + Also quiet a printf format warning on 32-bit systems. + [59d1f3094dda] + +2014-02-25 Todd C. Miller + + * MANIFEST, NEWS, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po: + Serbian translation for sudoers from translationproject.org. + [7134b386d658] + +2014-02-24 Todd C. Miller + + * doc/CONTRIBUTORS: + Add Ingo Schwarze + [114cdf286987] + + * NEWS, plugins/sudoers/visudo_json.c: + When exporting sudoers in JSON format, use the same type of Options + object for both Defaults and Cmnd_Specs. + [caa57043e197] + +2014-02-17 Todd C. Miller + + * compat/inet_pton.c: + Silence cppcheck false positive. + [b2781c42a80f] + + * plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, + plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po: + sync with translationproject.org + [baba43a6d682] + + * NEWS, doc/UPGRADE: + Mention init.d scripts on AIX and HP-UX Mention sudoers group + mismatch fix + [0259cb1f7cae] + + * INSTALL: + Talk about clearing files at boot time, not reboot time since it + happens when the system comes up, not down. + [e8e480bc34fd] + + * plugins/sudoers/sudoers.c: + We also need to open the sudoers file as root if there is a GID + mismatch. + [2fb2ba6fc4e6] + + * sudo.pp: + Install /etc/rc.d/init.d/sudo and /etc/rc.d/rc2.d/S90sudo for AIX + rpm packages. + [4aca1d318599] + +2014-02-16 Todd C. Miller + + * src/Makefile.in: + Remove init.d file and link in uninstall target. + [249a9f105cdd] + + * configure, configure.ac, sudo.pp: + Fix INIT_DIR for real this time. + [5444eb1afbc5] + + * configure, configure.ac, sudo.pp: + Use correct init.d dir on HP-UX. Fix pp warnings from rc.d and + init.d dirs. + [809b54ef95f8] + + * .hgignore, MANIFEST, configure, configure.ac, init.d/aix.sh.in, + init.d/hpux.sh.in, src/Makefile.in, sudo.pp: + First cut add installing an init.d file for HP-UX and AIX to remove + old sudo timestamp files at boot time. + [ec6d35c62d88] + +2014-02-15 Todd C. Miller + + * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: + Use .Ar macro instead of "file ..." Use ".Cm -" instead of ".Li -" + for the default login class. From Ingo Schwarze. + [f13ea603760e] + + * doc/sudo.conf.mdoc.in, doc/sudo.mdoc.in, doc/sudo_plugin.mdoc.in, + doc/sudoers.ldap.mdoc.in, doc/sudoers.mdoc.in, + doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in: + Remove some extraneous markup; from Ingo Schwarze + * No need to explicitly end a macro with No before | because | counts + as middle punctuation and falls out of the macro, anyway. + * No need to explicitly re-open in-line macros after | because | + counts as middle punctuation and the macros resume afterwards, + anyway. + * Simplify the mnemonic remarks regarding the option letters, no need + for manual font and spacing control with No and Ns. + * Trim Ns No to just Ns, it already implies No. + [cc63d66c6655] + + * doc/sudoers.man.in, doc/sudoers.mdoc.in: + Move zerowidth space in :alpha: after the colon for consistency. + [799f6656c6e8] + + * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, + doc/sudo.man.in, doc/sudo_plugin.cat, doc/sudo_plugin.man.in, + doc/sudoers.cat, doc/sudoers.ldap.man.in, doc/sudoers.man.in, + doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/visudo.cat, + doc/visudo.man.in: + regen + [14d682732b6f] + + * doc/sudo.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in: + Remove extraneous keeps in SYNOPSIS now that mandoc does implied + keeps when converting from mdoc to man. + [0f48fc289f29] + + * doc/sudoers.mdoc.in: + Properly escape the : in :alpha: + [e41d4533a55f] + + * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: + Replace some uses of .Sy with .Ar, .Ev and .Pa as appropriate. From + Jan Stary. + [90ec488905de] + +2014-02-12 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Fix indentation of Defaults entries. The initial indent should be + outside the loop iterating over the entries. + [dc493c888fb2] + +2014-02-11 Todd C. Miller + + * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, + plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, + plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, + plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, + plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, + plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, + plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po: + sync with translationproject.org + [fc517bc0908e] + + * common/aix.c, common/alloc.c, common/atoid.c, common/atomode.c, + common/fatal.c, common/gidlist.c, common/sudo_conf.c, + common/sudo_debug.c, compat/strsignal.c, compat/strtonum.c, + plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, + plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, + plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, + plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, + src/locale_stub.c, src/net_ifs.c, src/sesh.c, src/sudo.h: + We must include gettext.h before missing.h as it includes system + headers. Also add missing DEFAULT_TEXT_DOMAIN defines in sudoers + audit code that does not include sudoers.h. + [3ac4aa43ce40] + + * common/sudo_dso.c: + When emulating DSO_NEXT with shl_get() we need to skip the program's + handle. This used to be documented as being index -2 but now it + seems to be index 0. As this is not guaranteed we need to look up + the real handle value for PROG_HANDLE and skip it when interating + through all the DSOs. Fixes infinite recursion on HP-UX in the + getenv() replacement. + [ade1b3045232] + + * src/env_hooks.c: + Export getenv() so it is visible to shared objects we link with. + [1ac08446a3a7] + +2014-02-08 Todd C. Miller + + * common/regress/atofoo/atofoo_test.c, + common/regress/sudo_conf/conf_test.c, + common/regress/sudo_parseln/parseln_test.c, + common/regress/tailq/hltq_test.c, + plugins/sudoers/regress/parser/check_fill.c: + Add some initprogname() calls to the test programs. + [e4320585a88b] + +2014-02-07 Todd C. Miller + + * plugins/sudoers/po/sudoers.pot: + regen + [038d066a866d] + + * doc/UPGRADE: + Mention that there is now a default LDAP search filter. + [6351da3f8377] + + * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, + doc/sudoers.ldap.mdoc.in: + Minor word choice change. + [7e59ab3eb453] + + * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, + plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, + plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, + plugins/sudoers/ldap.c, plugins/sudoers/match.c: + Add use_netgroups sudoers option. For LDAP-based sudoers, netgroup + support requires an expensive substring match on the server. If + netgroups are not needed, this option can be disabled to reduce the + load on the LDAP server. + [e6bd6c103390] + +2014-02-06 Todd C. Miller + + * plugins/sudoers/ldap.c: + Update copyright year. + [1299eed430a5] + + * NEWS: + Mention LDAP changes. + [512b1e363587] + + * doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in, + doc/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c: + Use a default LDAP search filter of (objectClass=sudoRole). When + constructing the netgroup query, add (sudoUser=*) to the query so we + don't fall below the 3 character OpenLDAP substring threshold. + Otherwise the index for sudoUser will never be used for that query. + Pointed out by Michael Stroeder. + [54856973af41] + + * plugins/sudoers/timestamp.c: + Don't warn about an insecure lecture dir twice. Display warnings in + the user's locale. + [2c56b8b6d6f9] + +2014-02-05 Todd C. Miller + + * NEWS: + Mention the fix for ^Z at the password prompt when sudo was started + in the background. + [352d52ad1f7d] + + * common/term.c, src/exec_pty.c: + In term_restore(), only restores the terminal if we are in the + foregroup process group. Instead of calling tcgetpgrp(), which is + racy, we set a temporary handler for SIGTTOU and check whether it + was received after a failed call to tcsetattr(). + [94979d51daa2] + + * MANIFEST, compat/getaddrinfo.c, compat/inet_pton.c, config.h.in, + configure, configure.ac, doc/LICENSE, include/missing.h, mkdep.pl, + plugins/sudoers/interfaces.c, plugins/sudoers/match_addr.c: + Use inet_pton() instead of inet_aton() and include a version from + BIND for those without it. + [fe61a27c76d3] + + * common/regress/atofoo/atofoo_test.c: + Quiet a gcc warning. + [f197821892ea] + + * compat/getaddrinfo.c: + Need to include limits.h for USHRT_MAX. + [d1d8bd9a0e01] + +2014-02-04 Todd C. Miller + + * common/term.c, include/sudo_util.h: + Use bool for function return values instead of 1 or 0. + [99e357c0800b] + + * configure, configure.ac: + Warn the user if the rundir needs to be cleared in the rc files. + Neither AIX not HP-UX clear /var/run (if it even exists). + [6cdbf57a2f9e] + + * NEWS: + Update for sudo 1.8.9p5 + [efb737c32615] + + * src/preserve_fds.c: + When the closefrom limit is greater than any of the preserved fds, + the pfds list will be non-empty but lastfd will be -1 triggering an + ecalloc(0) assertion. Instead, test for lastfd being -1 and make + sure we always update it, even if dup() fails. Also restore initial + value of lowfd after we are done relocating. Fixes bug #633 + [a11206a31f28] + + * common/term.c: + Document function return values. + [267bc85f6fbb] + +2014-02-03 Todd C. Miller + + * src/exec_pty.c: + term_restore() now restarts itself so we don't need to do it + ourselves. + [a17e885d0b0a] + + * common/term.c: + syscall restarting is broken on Mac OS X when interrupted by a tty + signal so restart tcsetattr() by hand. For details, see. + http://openradar.appspot.com/radar?id=6402578615107584 + [3997b2a0577e] + + * MANIFEST, common/Makefile.in, common/regress/atofoo/atofoo_test.c: + Add regress for atobool(), atoid() and atomode() + [e1cbdf86d6e2] + + * plugins/sudoers/Makefile.in: + Add back boottime.lo + [0b7ddc31e13e] + + * INSTALL: + Mention that rundir and vardir may be the same and what to do if + they are. + [301df9a31d43] + + * MANIFEST, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, + plugins/sudoers/boottime.c, plugins/sudoers/sudoers.h, + plugins/sudoers/timestamp.c: + Bring back boot time checking code and zero out time stamp files + that predate the boot time. This should help systems w/o /var/run + where the admin has setup rc.d to clear the timestamp directory. + [e09389a8b1ca] + + * configure, configure.ac: + Check libraries for inet_pton() if not in libc. + [9f9bd83895e8] + +2014-02-02 Todd C. Miller + + * configure, configure.ac: + Fix clock_gettime() detection when it lives in librt. Some systems + have inet_aton() in libresolv (older Solaris). + [e5f7c8bc9a81] + + * sudo.pp: + Avoid duplicate directories if vardir and rundir are the same. + [c5df5ebc191b] + + * plugins/sudoers/po/sudoers.pot: + regen + [740b2cc42fea] + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + Elaborate on time stamp error message causes. + [2838fea2e21a] + +2014-02-01 Todd C. Miller + + * sudo.pp: + Remove the time stamp dir and its contents when uninstalling. We + currently leave the lecture status files installed until there is a + better way to detect upgrades. + [61532b7113ff] + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + Update time stamp error messages and regen. + [edf570c98cd5] + + * plugins/sudoers/timestamp.c: + Restore warning when sudoers is unable to update the time stamp + file. + [86648a771250] + + * INSTALL, Makefile.in, configure, configure.ac, doc/sudoers.mdoc.in, + m4/sudo.m4, plugins/sudoers/Makefile.in, sudo.pp: + Replace --with-timedir and --with-lecture_dir with --with-rundir and + --with-vardir which are the parent directories of the time stamp and + lecture dirs. These directories need to be searchable by non-root so + that the timestampowner setting can function. + [5c38d77a2d0c] + + * plugins/sudoers/timestamp.c: + Fix use of timestampowner in the new time stamp world order. Parent + directories for timestampdir and lecture_dir are now created with + the execute bit set so that we can traverse them as non-root. + [9ff6f07c0a5d] + +2014-01-31 Todd C. Miller + + * common/Makefile.in, plugins/sample/Makefile.in, + plugins/sudoers/Makefile.in: + Regen Makefiles. + [59542bcdb222] + + * common/sudo_debug.c, config.h.in, include/sudo_util.h, + plugins/sample/sample_plugin.c: + Move ctim_get and mtim_get to sudo_util.h + [d565391f5491] + + * plugins/sudoers/timestamp.c: + sprinkle some debug printfs and add function header comments + [1842d9b8170d] + + * plugins/sudoers/timestamp.c: + Properly handle the case where /var/run/sudo/ts doesn't exist. + [895f3ad6ad60] + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + fix typo + [50041ebb6ce6] + + * NEWS: + Mention "sudo -K" change. + [e99bd7657aae] + + * doc/UPGRADE: + Upgrade info for 1.8.10 + [0867718b9af5] + +2014-01-30 Todd C. Miller + + * plugins/sudoers/timestamp.c: + Warn on ftruncate failure(). + [d2081876da25] + + * plugins/sudoers/timestamp.c: + Fix checking of lecture status. + [e12d78234d17] + + * mkpkg: + Do not override timedir on Debian. + [283fa2e69a0a] + + * common/event.c, common/event_select.c, include/missing.h, + plugins/sudoers/iolog.c, plugins/sudoers/sudoreplay.c, + plugins/sudoers/visudo.c, src/sudo_edit.c: + Use sudo_timeval macros and remove compat macros from missing.h + [1de76d8b811e] + + * INSTALL, MANIFEST, NEWS, compat/Makefile.in, compat/clock_gettime.c, + config.h.in, configure, configure.ac, doc/sudoers.cat, + doc/sudoers.man.in, doc/sudoers.mdoc.in, include/missing.h, + include/sudo_util.h, m4/sudo.m4, mkdep.pl, pathnames.h.in, + plugins/sudoers/Makefile.in, plugins/sudoers/boottime.c, + plugins/sudoers/check.h, plugins/sudoers/def_data.c, + plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, + plugins/sudoers/defaults.c, plugins/sudoers/sudoers.h, + plugins/sudoers/timestamp.c, src/Makefile.in: + Switch to new time stamp file format. Each user now has a single + file which may contain multiple records when per-tty time stamps are + in use (the default). The time stamps use a monotonic timer where + available and are once again stored in /var/run/sudo. The lecture + status is now stored separately from the time stamps in a different + directory. + [7e16eb37bacc] + +2014-01-29 Todd C. Miller + + * NEWS, doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in, + plugins/sudoers/check.c: + When listing a user's privileges, always prompt the user for their + own password, regardless of the value of target_pw, root_pw or + runas_pw. + [73a13ccc7933] + +2014-01-30 Todd C. Miller + + * common/atomode.c: + Zero out errstr when there is no error; fixes bug #632 + [74950ef1a0dc] + +2014-01-26 Todd C. Miller + + * configure, configure.ac, plugins/sudoers/interfaces.c, + plugins/sudoers/match_addr.c: + Use inet_aton() instead of inet_addr() as it allows us to + distinguish between the address (or mask 255.255.255.255) and an + error. In the future we may consider switching to inet_pton() for + IPv4 too. + [b6b4e4c77e9a] + +2014-01-24 Todd C. Miller + + * include/missing.h: + Fix typo, ULONG_MAX vs. ULLONG_MAX + [5d274daa9fb1] + + * plugins/sudoers/sudo_nss.c: + Fix typo in the AIX case. + [ee531c950fce] + + * plugins/sudoers/sudo_nss.c: + Size pointer for sudo_parseln() should be size_t not ssize_t. This + was already correct for the nsswitch.conf case. + [cfaf895c1db4] + +2014-01-23 Todd C. Miller + + * NEWS, common/sudo_conf.c, doc/sudo.conf.cat, doc/sudo.conf.man.in, + doc/sudo.conf.mdoc.in, include/sudo_conf.h, src/net_ifs.c: + It is now possible to disable network interface probing in sudo.conf + by changing the value of the probe_interfaces setting. + [e9dc28c7db60] + +2014-01-22 Todd C. Miller + + * plugins/sudoers/match_addr.c: + If inet_addr() returns INADDR_NONE, return false instead of + iterating through the interfaces looking for a match that will never + happen. + [1559c301caec] + + * configure, configure.ac, src/Makefile.in: + Add explicit dependency on sudoers.la to sudo target when sudoers is + compiled statically into the sudo binary. + [d08cc66e18bd] + +2014-01-21 Todd C. Miller + + * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, + plugins/sudoers/iolog_path.c, plugins/sudoers/logging.c, + plugins/sudoers/regress/iolog_path/check_iolog_path.c, + plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c: + Do not assume localtime(), gmtime() and ctime() always return non- + NULL. + [a1b5b67436de] + +2014-01-15 Todd C. Miller + + * Makefile.in, common/Makefile.in, compat/Makefile.in, + doc/Makefile.in, include/Makefile.in, + plugins/group_file/Makefile.in, plugins/sample/Makefile.in, + plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, + src/Makefile.in, zlib/Makefile.in: + Update copyright years + [37d2aaa92544] + + * plugins/sudoers/visudo_json.c: + Eliminate dead store found by clang checker. + [86874d5340f1] + + * NEWS, configure, configure.ac: + Update for sudo 1.8.9p4 + [f79ab7c6c1c5] + + * common/sudo_debug.c, include/sudo_debug.h, src/preserve_fds.c: + When relocating fds, update the debug fd if it is set so we are + guaranteed to get debugging output. + [b1deaa472aa6] + +2014-01-14 Todd C. Miller + + * src/exec.c: + If the event loop exits due to an error and we are not logging I/O, + kill the command if still running. Fixes a bug where sudo could exit + while the command was still running. + [844018ff8a8c] + + * src/preserve_fds.c: + When relocating preserved fds, start with the highest ones first to + avoid moving fds around more than we have to. Now uses a bitmap to + keep track of which fds are being preserved. Fixes a bug where the + debugging fd could be relocated to the same fd as the error + backchannel temporarily, resulting in debugging output being printed + to the backchannel if util@debug was enabled. + [55e006dbeaf3] + + * src/preserve_fds.c: + When restoring fds traverse list from high -> low, not low -> high + to avoid implicitly closing an fd we want to relocate. + [6351225f47d7] + + * src/exec.c: + If not logging I/O we may get EOF when the command is executed and + the other end of the backchannel is closed. Just remove the + backchannel event in this case or we will continue to receive the + event. Bug #631 + [a204b69d91f7] + + * src/po/sr.mo, src/po/sr.po: + sync with translationproject.org + [987087ce4658] + +2014-01-13 Todd C. Miller + + * src/ttyname.c: + Fix strtonum() usage when parsing /proc/self/stat on Linux. Bug #630 + [3448dffe9701] + + * NEWS, configure, configure.ac: + Update for sudo 1.8.9p3 + [22e5a6f69999] + + * plugins/sudoers/logwrap.c: + Remove dead store; found by cppcheck + [a59833af3401] + +2014-01-08 Todd C. Miller + + * src/sesh.c: + Quiet a cppcheck warning about a negative subscript. + [ab98b72f5bdf] + + * src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo_exec.h: + Make noexec parameter to sudo_execve() bool. + [daa75e4c248a] + + * plugins/sudoers/sudoreplay.c: + Quiet a few innocuous cppcheck warnings. + [90ffa16d27b1] + + * plugins/sudoers/sssd.c: + Handle in_res being NULL for sudo_debug_printf() in + sudo_sss_filter_result(). + [8595cc05d2a8] + + * plugins/sudoers/iolog.c: + When writing length to timing file, use %u not %d as it is unsigned. + [a7f2fcb6919e] + + * plugins/sudoers/visudo_json.c: + Close export_fp in the error path too, but do not close stdout. + [5c918718ab45] + + * plugins/sudoers/auth/secureware.c: + Move right brace outside #ifdef HAVE_DISPCRYPT; found by cppcheck. + [f2619d2eb7a8] + +2014-01-13 Todd C. Miller + + * plugins/group_file/plugin_test.c: + Make this compile again + [f0ff8df475e8] + + * common/term.c: + Add suppression line to quiet a bogus (inconclusive) cppcheck + warning. + [065207271e5d] + + * plugins/sudoers/toke.c, plugins/sudoers/toke.l: + Do not leak old istack if realloc fails; found by cppcheck. Also + modify yyless() to avoid a harmless cppcheck warning every time it + is used. + [021077017a23] + + * Makefile.in, common/Makefile.in, compat/Makefile.in, + doc/Makefile.in, include/Makefile.in, + plugins/group_file/Makefile.in, plugins/sample/Makefile.in, + plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, + src/Makefile.in, zlib/Makefile.in: + Add cppcheck target to run cppcheck on all source files. + [d207c2ef49a2] + +2014-01-09 Todd C. Miller + + * NEWS, configure, configure.ac: + Update for sudo 1.8.9p2 + [2e7fe6e371a4] + + * config.h.in, configure, ltmain.sh, m4/libtool.m4, m4/ltoptions.m4, + m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4: + Update to libtool-2.4.2.418 + [d1dbed89d733] + + * config.guess, config.sub: + Update from http://git.savannah.gnu.org/gitweb/?p=config.git + [2b5e32d23be5] + +2014-01-08 Todd C. Miller + + * NEWS: + Sudo 1.8.9 also fixes bug #617 + [cc5c18228719] + +2014-01-07 Todd C. Miller + + * NEWS: + The fix for the hang was already in the 1.8.9 tarballs. + [f038ebcc1071] + + * NEWS, configure, configure.ac: + Update for sudo 1.8.9p1 + [732fca0003cf] + + * common/atobool.c, common/event.c, plugins/sudoers/iolog.c, + plugins/sudoers/parse.h, src/exec.c, src/preserve_fds.c: + Update copyright year. + [fdeb5956810e] + + * plugins/sudoers/parse.h: + Go back to making the bit fields in struct cmndtag explicitly + signed. This fixes a problem on gcc 4.8 (at least) which appears to + be treating the value as unsigned by default. + [46b9a7bb10ac] + + * common/atobool.c: + Use debug_return_int() instead of bare return for debugging support. + [c273f822de5f] + +2014-01-06 Todd C. Miller + + * common/event.c: + Fix infinite loop that could be triggered by sudo_ev_loopbreak() and + sudo_ev_loopcontinue(). + [1723561c46b0] + + * NEWS: + Update for 1.8.9 final. + [d49c14d21410] + +2014-01-04 Todd C. Miller + + * plugins/sudoers/iolog.c: + Handle a sequence file with no trailing newline. + [aa29306e4f6d] + +2014-01-03 Todd C. Miller + + * plugins/sudoers/iolog.c: + Truncate io log and timing files on open when recycling them. Only + an issue when the sequence number wraps around. + [01b2dfe15ff0] + + * plugins/sudoers/iolog.c: + Repair reading of the iolog sequence number that got broken when + adding stricter strtoul() checks. + [e0f4a11c3437] + + * src/exec.c: + If invoked as sudoedit we can't just exec the command directly since + the temporary files need to be updated before sudo exits. + [508503be1c4f] + + * src/preserve_fds.c: + Fix restoration of the close-on-exec flag when moving a relocated fd + back into its original position. + [5572f1f8b48a] + +2014-01-02 Todd C. Miller + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + Add "see below" to reference "Secure editing" section in "Preventing + shell escapes". + [b2db990a36b3] + +2014-01-01 Todd C. Miller + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + Add initial "Secure editing" section. + [0d7a192e0e25] + + * doc/LICENSE: + Update copyright year. + [4a639d9207a9] + +2013-12-31 Todd C. Miller + + * plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, + plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, src/po/eo.mo, + src/po/eo.po, src/po/fi.mo, src/po/fi.po: + sync with translationproject.org + [5c15a411b10d] + + * plugins/sudoers/policy.c: + Make user_cwd and user_tty dynamically allocated even for the + "unknown" case. + [015454bf97f8] + +2013-12-30 Todd C. Miller + + * configure, configure.ac: + Use -fstack-protector-strong in preference to -fstack-protector-all + or -fstack-protector. + [bdd1066eefc4] + + * doc/HISTORY: + Dell acquired Quest + [3d5b7d27a313] + +2013-12-29 Todd C. Miller + + * plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, src/po/ru.mo, + src/po/ru.po, src/po/vi.mo, src/po/vi.po: + sync with translationproject.org + [f964671d08ce] + +2013-12-28 Todd C. Miller + + * plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po, + plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, + plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, + plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, + plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, + plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, + plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, + src/po/cs.mo, src/po/cs.po, src/po/da.mo, src/po/da.po, + src/po/it.mo, src/po/it.po, src/po/pl.mo, src/po/pl.po, + src/po/pt_BR.mo, src/po/pt_BR.po, src/po/uk.mo, src/po/uk.po, + src/po/zh_CN.mo, src/po/zh_CN.po: + sync with translationproject.org + [5f5becf5fb7a] + + * doc/sudoers.ldap.cat: + regen + [77745e6bc0d5] + + * NEWS: + Update for recent changes. + [365b9084268a] + + * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, + plugins/sudoers/visudo.c: + Fix typo; we want setlocale(LC_ALL, "") since we are setting the + locale for the first time. + [e2b9660e9d48] + +2013-12-27 Todd C. Miller + + * plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, + plugins/sudoers/visudo.c: + Use sudoers_initlocale() in main() startup, not sudoers_setlocal() + as the latter assumes we are already in the user's locale which may + not be the case. For sudoreplay, we can just use setlocale() + directly as there is no sudoers locale. + [12235e50dea0] + +2013-12-24 Todd C. Miller + + * src/preserve_fds.c, src/sudo.c, src/sudo.h: + Redo preserve_fds support to remap high fds so we can get the most + out of closefrom(). The fds are then restored after closefrom(). + [7d712ec49db7] + + * plugins/sudoers/Makefile.in: + Fix install-plugin when sudoers is compiled statically. + [36a8bf3b588d] + +2013-12-20 Todd C. Miller + + * MANIFEST, common/sudo_debug.c, doc/sudo_plugin.cat, + doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, + include/sudo_debug.h, include/sudo_plugin.h, src/Makefile.in, + src/exec.c, src/exec_pty.c, src/preserve_fds.c, src/sudo.c, + src/sudo.h, src/sudo_exec.h: + Add support for preventing fds from getting clobbered by + closefrom(). + [269f45964ff0] + +2013-12-19 Todd C. Miller + + * plugins/sudoers/Makefile.in: + regen + [b8f458379b5b] + +2013-12-18 Todd C. Miller + + * common/alloc.c: + Need to include limits.h here too. + [b53c6edef597] + +2013-12-17 Todd C. Miller + + * config.h.in, configure, configure.ac, plugins/sudoers/parse.h: + No need to use __signed. + [05f9648d1953] + + * plugins/sudoers/regress/logging/check_wrap.c: + Need limits.h here too. + [54aac3bbf66a] + + * compat/closefrom.c: + Still need limits.h here. + [0abc6b2be208] + + * plugins/sudoers/po/sudoers.pot: + regen + [386b47ced07f] + + * compat/closefrom.c: + Go back to using /proc/self/fd instead of /proc/$$/fd as only AIX + lacks /proc/self and it has F_CLOSEM. + [b5735fbcfdce] + +2013-12-16 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Use a switch to map digest type to name instead of an array of + strings. + [ab17ceb4dd60] + + * compat/closefrom.c: + Use /dev/fd in closefrom() on FreeBSD < 8.0 and Mac OS X. + [e70df3b3144b] + + * compat/snprintf.c: + Remove _MAX and _MIN compat; we rely on missing.h for that. We + already require the compiler handle long long so there's no need to + use HAVE_LONG_LONG_INT everywhere. + [2bda15071439] + + * common/ttysize.c, include/missing.h: + Remove _MAX and _MIN defines that any system from the last 20 years + should have. Add ULLONG_MAX in case it is missing. + [2db0cee4aaa8] + + * doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, + plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c: + Change visudo -x to take a file name argument, which may be '-' to + write the exported sudoers file to stdout. + [84cb72c3c391] + + * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/gram.c, + plugins/sudoers/gram.y, plugins/sudoers/parse.c, + plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, + plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, + plugins/sudoers/toke.l, plugins/sudoers/visudo.c, + plugins/sudoers/visudo_json.c, src/regress/ttyname/check_ttyname.c: + Move symbol extern defs into sudoers.h + [b631a0b57fae] + + * plugins/sudoers/regress/check_symbols/check_symbols.c, + plugins/sudoers/regress/logging/check_wrap.c: + Add missing sudo_util.h + [ed0edc2e2d0c] + +2013-12-14 Todd C. Miller + + * plugins/sudoers/sudoreplay.c: + Warn if the time stamp in the I/O log file does not fit in time_t. + Warn if the info line is not well-formed instead of silently + ignoring it. + [37a050de5be5] + +2013-12-13 Todd C. Miller + + * common/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in: + Rename libcommon libsudo_util + [df3ffd4229e5] + +2013-12-12 Todd C. Miller + + * MANIFEST, common/Makefile.in, common/aix.c, common/atobool.c, + common/atoid.c, common/atomode.c, common/fmt_string.c, + common/gidlist.c, common/progname.c, common/setgroups.c, + common/sudo_conf.c, common/term.c, common/ttysize.c, + include/missing.h, include/sudo_util.h, + plugins/group_file/Makefile.in, plugins/group_file/getgrent.c, + plugins/sudoers/Makefile.in, plugins/sudoers/sudoers.h, + plugins/sudoers/sudoreplay.c, plugins/system_group/Makefile.in, + plugins/system_group/system_group.c, src/Makefile.in, src/sudo.h: + Move prototypes for functions provided by libcommon that don't have + their own header files into sudo_util.h. + [43f423a24416] + +2013-12-11 Todd C. Miller + + * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/def_data.c, + plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, + plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, + plugins/sudoers/logging.c, plugins/sudoers/logging.h, + plugins/sudoers/mkdefaults: + Now that we have proper number parsing functions we should store + T_UINT defaults values as unsigned int, not int. + [67d8c2244f1d] + + * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h: + Don't use int where we really mean enum def_tuple. When this code + was written it was assumed that we may have multiple tuple types. + However, that hasn't happened and probably never will. + [8491f970f343] + + * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: + Regen after string parsing changes. + [fd6bf79c3286] + + * common/atoid.c, common/atomode.c, compat/strtonum.c, configure, + configure.ac, include/missing.h, plugins/sudoers/defaults.c, + plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, + plugins/sudoers/sudoreplay.c, src/parse_args.c, src/ttyname.c: + The OpenBSD strtonum() uses very short error strings that can't be + translated usefully. Convert them to longer strings on error. Also + use the longer strings for atomode() and atoid(). + [dace028594da] + +2013-12-10 Todd C. Miller + + * MANIFEST, common/Makefile.in, common/atoid.c, common/atomode.c, + plugins/sudoers/defaults.c, plugins/sudoers/policy.c, + plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h: + Add atomode() function for parsing a file mode. + [44e29629aa5e] + + * common/sudo_conf.c, common/ttysize.c, compat/Makefile.in, + compat/closefrom.c, compat/getaddrinfo.c, compat/strtonum.c, + configure, configure.ac, include/missing.h, + plugins/sudoers/boottime.c, plugins/sudoers/defaults.c, + plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, + plugins/sudoers/match_addr.c, plugins/sudoers/policy.c, + plugins/sudoers/regress/logging/check_wrap.c, + plugins/sudoers/regress/parser/check_addr.c, + plugins/sudoers/sudoreplay.c, plugins/system_group/system_group.c, + src/parse_args.c, src/sudo.c, src/ttyname.c: + Use strtonum() instead of atoi(), strtol() or strtoul() where + possible. + [e4a1fc84b893] + + * MANIFEST, compat/Makefile.in, compat/strtonum.c, config.h.in, + configure, configure.ac, include/missing.h, mkdep.pl: + Add strtonum.c to compat for simpler number parsing. + [a4c69b003da0] + +2013-12-09 Todd C. Miller + + * src/exec_common.c: + Fix a warning on Solaris, we need to use debug_return_const_ptr. + [932aa94c0cac] + + * plugins/sudoers/Makefile.in: + check_symbols needs to link with SUDO_LIBS in order to get -lpthread + on HP-UX for libldap (which uses threads). It would be better to + have a separate variable for the pthread library but this is no + worse than it used to be. + [94591b765371] + +2013-12-08 Todd C. Miller + + * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: + add missing comma + [7dcbd1c6dd25] + + * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: + Make -c option description more accurate. + [3f305ae6037e] + +2013-12-07 Todd C. Miller + + * doc/CONTRIBUTORS, plugins/sudoers/sudoers.c: + When checking whether a user may change the login class, just check + pw_uid of the runas user, which was passed in to set_loginclass(). + [aaf736440441] + +2013-12-06 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Use atoid() when parsing user/group IDs and print them as unsigned + int. + [40c77459a36a] + +2013-12-05 Todd C. Miller + + * plugins/sudoers/sudoreplay.c: + Correctly parse 64-bit times in I/O log files. + [d053ee75adc3] + + * compat/getgrouplist.c, plugins/group_file/getgrent.c, + plugins/sudoers/pwutil.c, + plugins/sudoers/regress/iolog_path/check_iolog_path.c, + plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c: + Use atoid() not atoi() when parsing uids/gids. + [491146596626] + + * plugins/sudoers/match.c, plugins/sudoers/match_addr.c, + plugins/sudoers/parse.h, plugins/sudoers/pwutil.c, + plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, + plugins/sudoers/sudoers.h: + Better match debugging. Sprinkle const in match functions. + [4cd8d793f165] + +2013-12-04 Todd C. Miller + + * doc/sudo.cat, doc/sudo.conf.cat, doc/sudo.conf.man.in, + doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, + doc/sudo_plugin.cat, doc/sudo_plugin.man.in, + doc/sudo_plugin.mdoc.in: + Document that plugins can be compiled statically into the sudo + binary. + [434061cf909f] + +2013-12-03 Todd C. Miller + + * plugins/sudoers/sssd.c: + sudo_sss_filter_user_netgroup(): fix comment typos, break out of + loop early if we match ALL or netgroup. + [0691731f4b12] + + * plugins/sudoers/sssd.c: + When filtering netgroups, use the passwd struct stashed in the + handle, not user_name since we may be listing another users + privileges. + [f2669cf7b70c] + + * mkpkg: + RHEL 6 and above builds sudo with SSSD support + [afc3d894851e] + + * plugins/sudoers/sssd.c: + Avoid passing NULL domainname to sudo_debug_printf(). + [b08abe5e6d23] + + * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in: + Document sssd debug subsystem. + [250c3ab1bcf0] + + * doc/sudo.conf.cat, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in: + Document "event" debug subsystem. + [85d220b48edc] + + * plugins/sudoers/match.c: + Use atoid() instead of atoi() when parsing uids/gids so we get + proper range checking. + [5c3e2f3f6cb9] + + * plugins/sudoers/sssd.c: + Add user netgroup filtering for SSSD. Previously, rules for a + netgroup were applied to all even when they did not belong to the + specified netgroup. RedHat Bugzilla 880150. + [784848b5462c] + + * plugins/sudoers/sssd.c: + Fix several issues found by the clang static analyzer; Daniel + Kopecek + [520261dd7461] + +2013-12-02 Todd C. Miller + + * README.LDAP: + Mention how to dump sudoers info from LDAP. + [a53c93790a30] + + * src/exec_common.c: + On Solaris, disabling the proc_exec privilege appears to interfere + with DAC file permissions. Adding DAC override permissions to the + inheritable set works around this for commands run as root without + giving extra permissions to other users. Bug #626 + [391ad44026c3] + +2013-12-01 Todd C. Miller + + * MANIFEST, common/Makefile.in, common/progname.c, compat/Makefile.in, + compat/getprogname.c, configure, configure.ac, include/missing.h, + mkdep.pl, plugins/sample/sample_plugin.c, plugins/sudoers/policy.c, + plugins/sudoers/regress/check_symbols/check_symbols.c, + plugins/sudoers/regress/iolog_path/check_iolog_path.c, + plugins/sudoers/regress/logging/check_wrap.c, + plugins/sudoers/regress/parser/check_addr.c, + plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, + plugins/sudoers/visudo.c, src/parse_args.c, + src/regress/ttyname/check_ttyname.c, src/sudo.c: + Instead of setprogname(), add initprogname() which gets the program + name for getprogname() using /proc or pstat() if possible. + [e2d48d81456f] + +2013-11-30 Todd C. Miller + + * src/ttyname.c: + Ignore EOVERFLOW from pstat_getproc(). The HP-UX kernel appears to + return this in certain situations but it appears to be harmless at + least insofar as retrieving the tty goes. + [105bea4e1c20] + + * plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, + plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, + plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, + plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, + plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, + plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, + plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, + plugins/sudoers/po/vi.mo, plugins/sudoers/po/vi.po, + plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, + src/po/cs.mo, src/po/cs.po, src/po/eo.mo, src/po/eo.po, + src/po/fi.mo, src/po/fi.po, src/po/it.mo, src/po/it.po, + src/po/pl.mo, src/po/pl.po, src/po/pt_BR.mo, src/po/pt_BR.po, + src/po/ru.mo, src/po/ru.po, src/po/uk.mo, src/po/uk.po, + src/po/vi.mo, src/po/vi.po, src/po/zh_CN.mo, src/po/zh_CN.po: + Sync with translationproject.org + [3694d7ad4c9d] + +2013-11-28 Todd C. Miller + + * plugins/sudoers/visudo.c: + Add missing newline in help message after export option. + [1c0bff0c181e] + +2013-11-26 Todd C. Miller + + * configure, configure.ac, plugins/sudoers/Makefile.in, + src/Makefile.in: + Do not add LIBDL to SUDO_LIBS or SUDOERS_LIBS in configure, do it in + Makefile.in so we can make it last. Fixes a linking problem on + Ubuntu precise. + [f8d3bddbe742] + +2013-11-25 Todd C. Miller + + * configure, m4/ax_func_getaddrinfo.m4: + Do not rely on NULL being defined for getaddrinfo() test. Fixes the + check on HP-UX 11.23. + [a5dcf0283693] + +2013-11-24 Todd C. Miller + + * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot: + Regen for sudo 1.8.9b1 + [945f27a7aa1c] + + * src/po/de.mo, src/po/de.po, src/po/sr.mo, src/po/sr.po: + Sync with translationproject.org + [52abae16ccfa] + +2013-11-22 Todd C. Miller + + * INSTALL, MANIFEST, NEWS, common/Makefile.in, common/sudo_dso.c, + compat/Makefile.in, compat/dlfcn.h, compat/dlopen.c, config.h.in, + configure, configure.ac, include/sudo_dso.h, mkdep.pl, + plugins/sudoers/Makefile.in, plugins/sudoers/group_plugin.c, + plugins/sudoers/ldap.c, + plugins/sudoers/regress/check_symbols/check_symbols.c, + plugins/sudoers/sssd.c, plugins/system_group/Makefile.in, + plugins/system_group/system_group.c, src/Makefile.in, + src/env_hooks.c, src/load_plugins.c, src/preload.c, src/sudo.c, + src/sudo.h: + Add wrapper functions for dlopen() et al so that we can support + statically compiling in the sudoers plugin but still allow other + plugins to be loaded. The new --enable-static-sudoers configure + option will cause the sudoers plugin to be compiled statically into + the sudo binary. This does not prevent other plugins from being + loaded as per sudo.conf. + [9425770e9d2b] + +2013-11-21 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Handle non-unix groups correctly. Get rid of runasuser and + runasgroup types and use username and usergroup instead. The fact + that the user or group is inside a Runas_List doesn't affect its + underlying type. + [ea1789258c11] + +2013-11-20 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + Simplify Defaults list option object. The name and value strings are + superfluous. + [5852b0184669] + + * compat/dlopen.c: + Back out unintended change. + [85156e49e96e] + + * MANIFEST, aclocal.m4, configure, configure.ac, + m4/ax_func_getaddrinfo.m4: + Add dedicated test for getaddrinfo(). Tru64 UNIX contains two + versions of getaddrinfo and we must include netdb.h to get the + proper definition. + [9882e3e1e8e3] + + * compat/dlopen.c, + plugins/sudoers/regress/check_symbols/check_symbols.c: + Define RTLD_GLOBAL for older systems without it. Bug #621 + [ed38ac84f1da] + +2013-11-19 Todd C. Miller + + * compat/snprintf.c, include/missing.h: + Rename snprintf replacement rpl_snprintf since we may now replace + the libc version and #define rpl_snprintf snprintf in missing.h so + we get our version when needed. This is consistent with how we + replace glob and fnmatch. + [309aa17d0dfe] + + * common/Makefile.in, common/regress/sudo_conf/conf_test.c, + common/regress/sudo_parseln/parseln_test.c, + common/regress/tailq/hltq_test.c, src/Makefile.in: + libcommon tests need locale_stub.lo to link. + [baae40f36de5] + + * MANIFEST, aclocal.m4, compat/snprintf.c, config.h.in, configure, + configure.ac, m4/ax_func_snprintf.m4: + Add check for C99 compliant (v)snprintf function. + [79e02551543c] + + * compat/sig2str.c, configure, configure.ac: + Include unistd.h in sig2str.c for Tru64 as it defines SIGRTMIN and + SIGRTMAX in terms of sysconf(), which is prototyped in unistd.h. Bug + #621; from Daniel Richard G. + [2a59ccb8c966] + + * include/gettext.h, plugins/sudoers/locale.c, src/locale_stub.c: + Add definition of U_ for --disable-nsl Don't define warning_gettext + if --disable-nsl Bug #621; from Daniel Richard G. + [c0054eb89c2b] + +2013-11-18 Todd C. Miller + + * plugins/sudoers/visudo_json.c: + When merging Defaults entries we need to check the type of the next + entry and not just assume it is the same as the previous one. + [e97d9b9cf0d5] + + * plugins/sudoers/visudo_json.c: + runasgroups not runasgroup in the Cmnd_Spec. + [92ea5dc20e4d] + + * plugins/sudoers/visudo_json.c: + Fix some syntax errors and change how lists are handled. + [027b8dea44b2] + + * common/sudo_debug.c, config.h.in, configure, configure.ac, + include/fatal.h, include/sudo_debug.h: + Allow sudo to compile without variadic macro support in cpp. + Debugging support will be limited (no file info from warnings.) From + Daniel Richard G.; Bug #621 + [51b8b868cd4b] + + * Makefile.in, common/aix.c, common/fatal.c, common/gidlist.c, + common/sudo_conf.c, include/fatal.h, include/gettext.h, + include/missing.h, plugins/sudoers/auth/fwtk.c, + plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/securid5.c, + plugins/sudoers/bsm_audit.c, plugins/sudoers/defaults.c, + plugins/sudoers/env.c, plugins/sudoers/group_plugin.c, + plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, + plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, + plugins/sudoers/logging.c, plugins/sudoers/match.c, + plugins/sudoers/policy.c, plugins/sudoers/prompt.c, + plugins/sudoers/pwutil.c, plugins/sudoers/set_perms.c, + plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, + plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, + plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, + plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, + plugins/sudoers/visudo.c, plugins/sudoers/visudo_json.c, src/exec.c, + src/exec_common.c, src/exec_pty.c, src/load_plugins.c, + src/locale_stub.c, src/net_ifs.c, src/parse_args.c, src/selinux.c, + src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, + src/sudo_edit.c, src/tgetpass.c, src/utmp.c: + Add warning_gettext() wrapper function that changes to the user + locale, then calls gettext(). Add U_ macro that calls + warning_gettext() instead of gettext(). Rename warning2()/error2() + back to warning_nodebug()/error_nodebug(). + [f3bb207db201] + +2013-11-17 Todd C. Miller + + * common/fileops.c, compat/getaddrinfo.c, compat/mktemp.c, + compat/utimes.c, configure.ac, plugins/sudoers/boottime.c, + plugins/sudoers/check.c, plugins/sudoers/getdate.c, + plugins/sudoers/getdate.y, plugins/sudoers/group_plugin.c, + plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, + plugins/sudoers/logging.h, plugins/sudoers/sssd.c, + plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, + plugins/sudoers/visudo.c, src/exec.c, src/exec_pty.c, src/preload.c, + src/sudo.c, src/sudo_edit.c, src/ttyname.c, src/utmp.c: + Fix some #if vs. #ifdef and remove an extraneous semicolon. Bug + #624; from Daniel Richard G. + [b212e4694018] + + * include/sudo_debug.h, plugins/sudoers/defaults.c, + plugins/sudoers/ldap.c, src/exec_common.c: + Add debug_return_const_str and debug_return_const_ptr for returning + a const string or pointer. Using const for the normal versions + produces warnings with the Tru64 compiler. + [45018a149cb4] + + * common/event_poll.c, compat/getaddrinfo.c, config.h.in, configure, + configure.ac, m4/sudo.m4: + Fixes for building under Tru64; from Daniel Richard G. Bug #624 + [fc4a6cbae1ba] + +2013-11-16 Todd C. Miller + + * plugins/sudoers/logging.c: + log_{fatal,warning} now logs to the debug file itself. + log_{fatal,warning} now calls warningx2() after setting the locale + itself instead of using the wrapper macros. This removes the only + use of warningx(ngettext(...)). + [930129361e0a] + +2013-11-15 Todd C. Miller + + * configure, configure.ac: + Add -Wpointer-arith to --enable-warnings + [2043ae306d1b] + + * configure, configure.ac: + Fix more instances of #include directives where the '#' was not in + column 1. From Daniel Richard G. (bug #622) + [75f36f39dcab] + + * MANIFEST, doc/visudo.cat, doc/visudo.man.in, doc/visudo.mdoc.in, + plugins/sudoers/Makefile.in, plugins/sudoers/visudo.c, + plugins/sudoers/visudo_json.c: + Add support to visudo to export sudoers in JSON format. + [1697b2b4bfd2] + +2013-11-13 Todd C. Miller + + * plugins/sudoers/parse.h: + Remove unused digest field from struct cmndspec, the digest really + lives in struct sudo_command. + [e9a1e2e112d6] + + * config.h.in, configure: + Regen with autoconf 2.69 + [275f69f98f9e] + + * MANIFEST, Makefile.in, config.h.in, configure.ac, configure.in, + doc/Makefile.in: + Rename configure.in -> configure.ac + [0aeafe425373] + + * MANIFEST, aclocal.m4, autogen.sh, config.h.in, configure, + configure.in, ltmain.sh, m4/sudo.m4: + From Daniel Richard G. (bug #622) Add an autogen.sh script that + rebuilds the autoconf world. Move old aclocal.m4 contents to + m4/sudo.m4. New (generayed) aclocal.m4 contains the m4_include + directives. Some tests had #include directives where the '#' was not + in column 1. Updated obsolete macro usage via autoupdate. + [5fe8de5a56df] + +2013-11-12 Todd C. Miller + + * src/sudo_exec.h: + Very old systems (pre XPG 4.2) may not support MSG_WAITALL. The + likelihood of receiving a partial message is quite low so this is + not a big deal. + [900a304f9548] + + * configure, configure.in: + HP-UX may require _XOPEN_SOURCE_EXTENDED to be defined for + MSG_WAITALL to be visible. + [f08b1a00a30a] + + * MANIFEST, plugins/sudoers/regress/visudo/test5.out.ok, + plugins/sudoers/regress/visudo/test5.sh: + Add regress test for bug #623 + [8e83cfccaf14] + + * plugins/sudoers/toke.c, plugins/sudoers/toke.l: + Cope with a comment on the last line of the file with no newline. + Bug #623 + [f826243bc4e6] + + * compat/getaddrinfo.c: + Include arpa/inet.h for HP-UX; from Daniel Richard G. + [d4d7a4303bae] + + * doc/Makefile.in: + Add missing $(mansrcdir) to visudo.mdoc and visudo.man. From Daniel + Richard G. + [f664c8d2f961] + +2013-11-11 Todd C. Miller + + * include/fatal.h: + In v{warning,fatal}x?() make a new copy of ap for the debug + functions. It is not legal to use ap twice without reinitializing + it. Noticed by Daniel Richard G. + [6ca8bc48ecb3] + + * include/fatal.h: + Remove errant warning_restore_locale() call. + [4ef7aecefcbb] + + * include/missing.h, plugins/sudoers/logging.c: + Move va_copy compat macro to missing.h + [c873e4cc4c8a] + + * common/Makefile.in, compat/Makefile.in, mkdep.pl, + plugins/group_file/Makefile.in, plugins/sample/Makefile.in, + plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, + src/Makefile.in, zlib/Makefile.in: + Uniquify header dependencies so we don't end up with duplicates when + a header file includes other headers. The header dependencies are + sorted so the generated order is stable. + [95747db2f07a] + + * compat/Makefile.in, configure, configure.in, doc/CONTRIBUTORS, + mkdep.pl: + Add getaddrinfo.lo to LTLIBOBJS for systems that need it. From + Daniel Richard G. + [e94ee99a52a9] + + * plugins/sudoers/testsudoers.c: + Fix pasto + [5262735e78e0] + +2013-11-07 Todd C. Miller + + * doc/sudoers.mdoc.in: + Fix typo. + [6b11a4eec6b6] + +2013-11-04 Todd C. Miller + + * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: + regen + [995ca9f21862] + + * plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, + plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c: + Fix warnings from -Wold-style-definition + [a748c5c7b423] + + * configure, configure.in: + Add -Wold-style-definition to --enable-warnings + [0484de0deb59] + + * common/event_poll.c: + Extra debugging for ready fds. + [91fb85cdecbb] + + * common/event_select.c: + When deleting an event, check ev->events to determine whether to + remove from readfds or writefds instead of blinding removing from + both. Also fix highfd adjustment. + [7384db65ca9c] + +2013-11-02 Todd C. Miller + + * common/event_select.c: + Only check an fd that is >= 0. Timeout-only events may have a + negative fd. + [fa0e5cbc3cc2] + +2013-11-01 Todd C. Miller + + * common/event.c: + Don't call sudo_ev_{add,del}_impl() for timeout-only events. This + makes it possible to pass sudo_ev_alloc() an fd of -1 for events + only use SUDO_EV_TIMEOUT. + [6838657a1a2f] + +2013-10-31 Todd C. Miller + + * common/alloc.c, common/event_select.c, include/sudo_event.h: + Make a copy of readfds/writefds before calling select() instead of + calculating it each time. Keep track of high fd in the base. + [6048b78f2e94] + +2013-10-30 Todd C. Miller + + * doc/CONTRIBUTORS: + Add Stephen Gelman + [0028c7a91a4f] + + * plugins/sudoers/getdate.c, plugins/sudoers/gram.c: + Fix sign comparison warning. + [914cb36b9ed2] + + * plugins/sudoers/sudoreplay.c: + Fix potential NULL dereference in non-interactive mode. + [9233428d3f32] + +2013-10-29 Todd C. Miller + + * src/exec.c, src/exec_pty.c: + Use MSG_WAITALL when receiving struct command_status over the Unix + domain socket since we no longer use datagrams. This should avoid + the need to handle incomplete reads, though in theory it is still + possible. + [28a92888a908] + + * plugins/sudoers/sudoreplay.c: + SIGKILL is not catchable + [79f82e4cb11d] + + * common/event.c, include/sudo_event.h, plugins/sudoers/sudoreplay.c: + Add sudo_ev_get_timeleft() to get the amount of time left before an + event times out and use it in sudoreplay. + [d5b17ee30fa4] + +2013-10-28 Todd C. Miller + + * doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, + plugins/sudoers/sudoreplay.c: + If the user presses or in sudoreplay, skip to the + next event. Useful for skipping past long pauses in the data. + [43343f45c94d] + + * common/event.c, common/event_poll.c, common/event_select.c: + Fix sudo_ev_scan_impl() return value in event_poll.c. Make sure we + clear active flag from unprocessed events if sudo_ev_loopbreak() or + sudo_ev_loopcontinue() are used. Remove bogus optimization when the + timeout is zero or negative; it could prevent an I/O event from + being triggered. + [a13603fb3134] + + * plugins/sudoers/sudoreplay.c: + Move session replay into its own function. + [e323f7729595] + + * common/event.c, common/event_poll.c, common/event_select.c, + include/sudo_event.h: + Get rid of cur and pending pointers in struct sudo_event_base. We + now pop the first event off the active queue instead of using a + foreach loop with deferred removal of the event. Add + SUDO_EVQ_INSERTED and SUDO_EVQ_TIMEOUTS flags to indicate that the + event on the event queue and timeouts queue respectively. No longer + need to compare the timeout to {0,0} or compare the event's base + pointer to NULL to determine queue membership. + [f2b2251fd523] + + * common/event_poll.c: + rename sudo_ev_loop_impl() -> sudo_ev_scan_impl() + [614faaff04e3] + + * MANIFEST, common/event.c, common/event_poll.c, + common/event_select.c, compat/Makefile.in, compat/nanosleep.c, + config.h.in, configure, configure.in, include/missing.h, + include/sudo_event.h, mkdep.pl, plugins/sudoers/Makefile.in, + plugins/sudoers/sudoreplay.c, src/exec.c, src/exec_pty.c: + Add support for libevent-style timed events. Adding a timed event is + currently O(n). The only consumer of timed events is sudoreplay + which only used a singled one so O(n) == O(1) for now. This also + allows us to remove the nanosleep compat function as we now use a + timeout event instead. + [db41c08e92dc] + +2013-10-26 Todd C. Miller + + * src/exec.c, src/exec_pty.c: + Now that sudo_ev_base_free() removes all events before freeing we + don't need to do this by hand. + [b59d43658c5f] + + * common/event.c, common/event_poll.c, common/event_select.c, + include/sudo_event.h: + Add a list of active events in the base that the back end sets when + it calls poll or select. This allows the front end to iterate over + the events instead of having that code in both back ends. It will + also simplify support for timeout events. Also make sure we can't + touch freed memory if a callback frees its own event. + [933b99b3f2bc] + + * common/event.c: + Remove any existing events before freeing the event base. + [2543c6620cf1] + +2013-10-25 Todd C. Miller + + * src/exec_pty.c: + mon_handler() should be static + [b1a62ef65c96] + +2013-10-24 Todd C. Miller + + * plugins/sudoers/ldap.c: + If user specified start_tls and ldaps, display a warning and ignore + start_tls. There's no reason to make this a fatal error. + [bf446dd1e740] + + * src/exec_pty.c: + Add missing else when the connection from the monitor to the parent + sudo process is broken (due to the parent dying). Prevents a + spurious "unexpected reply type on backchannel" warning. + [5c44053cef08] + + * src/exec_pty.c: + When flushing output we don't care whether we are the foreground + process or not, we still need to flush to /dev/tty. If we are in the + background, it is OK to get SIGTTOU. + [9716892d1fb5] + + * plugins/sudoers/ldap.c: + Should not attempt start_tls on an ldaps connection. + [9d01d461c52c] + +2013-10-23 Todd C. Miller + + * plugins/sudoers/regress/parser/check_fill.c: + Fix sign compare warning. + [6130fa8df758] + + * doc/Makefile.in: + Eliminate warning about circular dependency from GNU make. + [7ed5df762089] + + * plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, + src/ttyname.c: + More sign compare fixes. On Solaris id_t is signed so use uid_t in + the set_perms.c ID macro instead. + [8166dcc50d0b] + + * common/fileops.c, common/lbuf.c, common/secure_path.c, + common/sudo_debug.c, include/secure_path.h, + plugins/sudoers/find_path.c, plugins/sudoers/getdate.c, + plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.h, + plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c, + plugins/sudoers/ldap.c, plugins/sudoers/logging.c, + plugins/sudoers/match_addr.c, plugins/sudoers/parse.h, + plugins/sudoers/policy.c, plugins/sudoers/prompt.c, + plugins/sudoers/pwutil_impl.c, plugins/sudoers/set_perms.c, + plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, + plugins/sudoers/toke.c, plugins/sudoers/toke.l, + plugins/sudoers/toke_util.c, src/load_plugins.c, src/sudo.c, + src/ttyname.c: + Quiet sign comparision warnings. + [e34f45dad10c] + + * configure, configure.in: + Add -Wsign-compare to --enable-warnings + [d560e274a6ae] + + * plugins/sudoers/ldap.c: + Ignore SIGPIPE when connecting to the LDAP server so we can get a + proper error message with the IBM LDAP libs. Also return + LDAP_SUCCESS instead of 0 from most sudo_ldap_* functions that + return an int. + [611a4ed9b8ee] + + * plugins/sudoers/regress/parser/check_base64.c, + plugins/sudoers/regress/parser/check_digest.c: + Quiet compiler warnings. + [7d82dcca7126] + +2013-10-22 Todd C. Miller + + * plugins/sudoers/ldap.c: + sudo_ldap_parse_uri() should join multiple URIs in the string list + together but it was clearing the host entry each time through the + loop. Fixes a bug with multiple URI entries in ldap.conf where only + the last one was being honored. + [83cee19b136d] + + * src/exec_pty.c: + Avoid a double free introduced when plugging a memory leak in + safe_close(). A new ev_free_by_fd() function is used to remove and + free any events sharing the specified fd. This can be used after + safe_close() to make sure we don't try to select() on a closed fd. + [54f48a281147] + + * plugins/sudoers/gram.c, plugins/sudoers/gram.y, src/exec.c: + Quiet some llvm check false positives. The common idiom of using + TAILQ_FIRST, TAILQ_REMOVE and free in a loop to free each entry in a + TAILQ confuses llvm. Use TAILQ_FOREACH_SAFE instead (which is + probably faster anyway). + [bd1b8c11f416] + + * plugins/sudoers/auth/pam.c: + If pam_open_session() fails don't call pam_getenvlist() with a NULL + pam handle. + [352e0329acba] + + * plugins/sudoers/defaults.c: + Fix newly introduced use after frees found by llvm checker. + [a81080230f1f] + + * common/event_select.c: + Remove an errant list_next() call that should have been removed in + the TAILQ conversion. + [3bbf8d117ce4] + + * MANIFEST, common/Makefile.in, common/list.c, + common/regress/tailq/hltq_test.c, include/list.h, include/queue.h, + plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, + plugins/sudoers/defaults.c, plugins/sudoers/gram.c, + plugins/sudoers/gram.y, plugins/sudoers/match.c, + plugins/sudoers/parse.c, plugins/sudoers/parse.h, + plugins/sudoers/regress/parser/check_fill.c, + plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: + Add "headless" tail queues and use them in place of the semi- + circular lists in sudoers. Once the headless tail queue is built up + it is converted to a normal TAILQ. This removes the last consumer of + list.c and list.h so those can now be removed. + [5986ba762a24] + + * common/Makefile.in, common/fatal.c, plugins/sudoers/Makefile.in, + plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, + plugins/sudoers/env.c, plugins/sudoers/interfaces.c, + plugins/sudoers/interfaces.h, plugins/sudoers/ldap.c, + plugins/sudoers/match_addr.c, plugins/sudoers/sudoreplay.c, + plugins/sudoers/toke.c, plugins/sudoers/toke.l, + plugins/sudoers/visudo.c, src/Makefile.in, src/exec_pty.c, + src/hooks.c: + Use SLIST and STAILQ macros instead of doing headless singly linked + lists manually. As a bonus we now use a tail queue for ldap.c and + sudoreplay.c. + [c31bc2d99082] + + * MANIFEST, common/Makefile.in, common/event.c, common/event_poll.c, + common/event_select.c, common/list.c, + common/regress/sudo_conf/conf_test.c, common/sudo_conf.c, + doc/LICENSE, include/list.h, include/missing.h, include/queue.h, + include/sudo_conf.h, include/sudo_event.h, + plugins/sudoers/Makefile.in, plugins/sudoers/ldap.c, + plugins/sudoers/parse.c, plugins/sudoers/parse.h, + plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.c, + plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, + plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c, + src/Makefile.in, src/exec.c, src/exec_pty.c, src/load_plugins.c, + src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: + Convert sudo to use BSD TAILQ macros instead of home ground tail + queue functions. This includes a private queue.h header derived from + FreeBSD. It is simpler to just use our own header rather than try to + deal with macros that may or may not be present in various queue.h + incarnations. + [450bce095d7c] + +2013-10-21 Todd C. Miller + + * plugins/sudoers/sudoreplay.c: + Fix AND operator broken by changes to fix OR. + [a4d3485ee943] + +2013-10-19 Todd C. Miller + + * plugins/sudoers/sudoreplay.c: + Fix OR operator. + [f5c1c90ee284] + +2013-10-18 Todd C. Miller + + * src/exec_pty.c: + Fix memory leak of I/O buffer events in safe_close(). + [08cd790cfbba] + +2013-10-16 Todd C. Miller + + * common/sudo_debug.c: + Don't allow the debug subsystem to be initialized twice. Otherwise + we can exhuast our stack when built in static mode. + [fadacb6a4617] + + * common/event_poll.c: + Make sure we do not try to usie index -1 in base->pfds[]. + [beeb922aba3f] + +2013-10-14 Todd C. Miller + + * NEWS, configure, configure.in: + Bump version to 1.8.9 + [758dbb464796] + +2013-10-12 Todd C. Miller + + * src/exec_pty.c: + Convert the monitor process to the event subsystem. + [c4fe8e2ba53c] + + * src/exec.c, src/exec_pty.c, src/sudo_exec.h: + Convert the main sudo event loop to use the event subsystem. Read + events for I/O buffers are added before the loop starts. Write + events are added on demand as the buffers are filled. + [72a603e997e0] + + * INSTALL, MANIFEST, common/Makefile.in, common/event.c, + common/event_poll.c, common/event_select.c, common/list.c, + common/sudo_debug.c, config.h.in, configure, configure.in, + include/list.h, include/sudo_debug.h, include/sudo_event.h, + mkdep.pl, plugins/sudoers/Makefile.in, src/Makefile.in, + src/exec_pty.c: + Simple event subsystem that uses poll() or select(). Basically a + simplied subset of libevent2. Currently only fd events are supported + (since that's all we need). The poll() backend is used by default, + except on Mac OS X where poll() is broken for devices (including + /dev/tty and ptys). + [8773142b4117] + + * src/exec.c, src/exec_pty.c: + Use SOCK_STREAM for socketpair, not SOCK_DGRAM so we get consistent + semantics when the other end closes. This should make the conversion + to poll() less problematic. + [b6a321722a91] + +2013-10-06 Todd C. Miller + + * common/sudo_debug.c: + Fix removal of trailing newlines in a debug message. + [6f5ce5ac64e0] + +2013-10-04 Todd C. Miller + + * plugins/sudoers/visudo.c: + When checking for unused Runas_Aliases, count those used as part of + a Runas Group too. Fixes a false positive warning. + [f13271a4a377] + 2013-09-29 Todd C. Miller * include/missing.h: @@ -182,9 +2225,8 @@ * plugins/sudoers/ldap.c: Fix error display from ldap_ssl_client_init(). There are two error - codes. The return value can be decoded via ldap_err2string() but - the ssl reason code cannot (you have to look it up in a table - online). + codes. The return value can be decoded via ldap_err2string() but the + ssl reason code cannot (you have to look it up in a table online). [0267125ce9f0] 2013-08-19 Todd C. Miller @@ -330,9 +2372,9 @@ [3a3827f10f04] * common/sudo_debug.c, include/sudo_debug.h: - Add support to the debug subsystem for zero-length strings. This - can happen for things like warning(NULL) or fatal(NULL) where we - just want to log the errno string. + Add support to the debug subsystem for zero-length strings. This can + happen for things like warning(NULL) or fatal(NULL) where we just + want to log the errno string. [3ed739c5cc91] * include/error.h: @@ -392,10 +2434,9 @@ plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.h: - Add limited support for "sudo -l -h other_host". Since group - lookups are done on the local host, rules that use group membership - may be incorrect if the group database is not synchronized between - hosts. + Add limited support for "sudo -l -h other_host". Since group lookups + are done on the local host, rules that use group membership may be + incorrect if the group database is not synchronized between hosts. [2c8b222a5f7f] * src/parse_args.c: @@ -516,26 +2557,24 @@ * plugins/sudoers/atoid.c: Add atoid() function to convert a string to an id_t (uid, gid or - pid). We have to be careful to choose() either strtol() or - strtoul() depending on whether the string appears to be signed or - unsigned. Always using strtoul() is unsafe on 64-bit platforms since - the uid might be represented as a negative number and (unsigned - long)-1 on a 64-bit system is 0xffffffffffffffff not 0xffffffff. - Fixes a problem with uids larger than 0x7fffffff on 32-bit - platforms. + pid). We have to be careful to choose() either strtol() or strtoul() + depending on whether the string appears to be signed or unsigned. + Always using strtoul() is unsafe on 64-bit platforms since the uid + might be represented as a negative number and (unsigned long)-1 on a + 64-bit system is 0xffffffffffffffff not 0xffffffff. Fixes a problem + with uids larger than 0x7fffffff on 32-bit platforms. [5d818e399157] * MANIFEST, config.h.in, configure, configure.in, plugins/sudoers/Makefile.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h: Add atoid() function to convert a string to an id_t (uid, gid or - pid). We have to be careful to choose() either strtol() or - strtoul() depending on whether the string appears to be signed or - unsigned. Always using strtoul() is unsafe on 64-bit platforms since - the uid might be represented as a negative number and (unsigned - long)-1 on a 64-bit system is 0xffffffffffffffff not 0xffffffff. - Fixes a problem with uids larger than 0x7fffffff on 32-bit - platforms. + pid). We have to be careful to choose() either strtol() or strtoul() + depending on whether the string appears to be signed or unsigned. + Always using strtoul() is unsafe on 64-bit platforms since the uid + might be represented as a negative number and (unsigned long)-1 on a + 64-bit system is 0xffffffffffffffff not 0xffffffff. Fixes a problem + with uids larger than 0x7fffffff on 32-bit platforms. [cd92246a710f] * plugins/sudoers/sudoers.c: @@ -642,9 +2681,9 @@ * plugins/sudoers/ldap.c, src/preload.c: Now that the ldap code runs with the real and effective uid set to 0, it is not possible for the gssapi libs to find the user's krb5 - credential cache file. To work around this, we make a temporary - copy of the user's credential cache specified by KRB5CCNAME (opened - with the user's effective uid) and point gssapi to it. To set the + credential cache file. To work around this, we make a temporary copy + of the user's credential cache specified by KRB5CCNAME (opened with + the user's effective uid) and point gssapi to it. To set the credential cache file name, we dynamically look up gss_krb5_ccache_name() and use it if available, otherwise fall back to setting KRB5CCNAME. @@ -799,10 +2838,10 @@ * INSTALL, NEWS, configure, configure.in, doc/TROUBLESHOOTING: Restrict default creation of PIE binaries (-fPIE and -pie) to Linux. OpenBSD also supports PIE but enables it by default so we don't need - to do anything. This fixes problems on systems with a version of - GNU ld that accepts -pie but where the run-time linker doesn't - actually support PIE. Also verify that a trivial PIE binary works - unless PIE is explicitly enabled. + to do anything. This fixes problems on systems with a version of GNU + ld that accepts -pie but where the run-time linker doesn't actually + support PIE. Also verify that a trivial PIE binary works unless PIE + is explicitly enabled. [3c5f125efeb1] 2013-05-24 Todd C. Miller @@ -835,8 +2874,8 @@ plugins/sudoers/regress/visudo/test4.sh, plugins/sudoers/visudo.c: Replace sequence number-based cycle detection in visudo with a "used" flag in struct alias. The caller is required to call - alias_put() when it is done with the alias. Inspired by a patch - from Daniel Kopecek. + alias_put() when it is done with the alias. Inspired by a patch from + Daniel Kopecek. [0bdbac1b3b39] 2013-05-20 Todd C. Miller @@ -870,12 +2909,12 @@ * plugins/sudoers/check.h, plugins/sudoers/timestamp.c: No longer store the ctime of a devpts tty. The handling of ctime on - devpts in Linux has been changed to conform to POSIX. As a result - we can no longer assume that the ctime will stay unchanged - throughout the life of the session. We store the session ID in the - time stamp file so there is a much smaller chance of the time stamp - file being reused by a new login. While here, store the uid/gid in - the timestamp file too for good measure. + devpts in Linux has been changed to conform to POSIX. As a result we + can no longer assume that the ctime will stay unchanged throughout + the life of the session. We store the session ID in the time stamp + file so there is a much smaller chance of the time stamp file being + reused by a new login. While here, store the uid/gid in the + timestamp file too for good measure. [7028b21f7a9b] * configure, configure.in: @@ -1289,8 +3328,8 @@ plugins/sudoers/toke_util.c: Initial implementation of checksum support in sudoers. Currently supports SHA-224, SHA-256, SHA-384, SHA-512. TODO: checksum format - validation in parser and base64 support. checksum support for - ldap sudoers + validation in parser and base64 support. checksum support for ldap + sudoers [b8f196346eca] 2013-04-13 Todd C. Miller @@ -1917,8 +3956,8 @@ * src/exec_pty.c: When running the command in a pty, defer the call to exec_setup() until just before we exec the command. This is consistent with the - non-pty path. As a side effect, the monitor process runs as root - and not the runas user. + non-pty path. As a side effect, the monitor process runs as root and + not the runas user. [e2a7f8c7ee4c] 2013-03-02 Todd C. Miller @@ -2363,10 +4402,10 @@ * common/sudo_conf.c, include/sudo_conf.h, src/sudo.c: Add group_source setting in sudo.conf to allow the admin to specify - how a user's groups are looked up. Legal values are static (just - the kernel list from getgroups), dynamic (whatever the group - database includes) and adaptive (only use group db if kernel group - list is full). + how a user's groups are looked up. Legal values are static (just the + kernel list from getgroups), dynamic (whatever the group database + includes) and adaptive (only use group db if kernel group list is + full). [87a5b02e22ad] * plugins/sudoers/policy.c: @@ -2434,10 +4473,10 @@ * MANIFEST, compat/getgrouplist.c, compat/nss_dbdefs.h, config.h.in, configure, configure.in: - Use nss_search() to implement getgrouplist() where available. - Tested on Solaris and HP-UX. We need to include a compatibility - header for HP-UX which uses the Solaris nsswitch implementation but - doesn't ship nss_dbdefs.h. + Use nss_search() to implement getgrouplist() where available. Tested + on Solaris and HP-UX. We need to include a compatibility header for + HP-UX which uses the Solaris nsswitch implementation but doesn't + ship nss_dbdefs.h. [d29dbc4dc06d] 2013-01-19 Todd C. Miller @@ -2514,9 +4553,8 @@ plugins/sudoers/sudoers.c, src/exec_pty.c, src/sudo.c, src/sudo.h: Add exec_background option in plugin command info and a sudoers option to match. When set, commands are started in the background - and automatically foregrounded as needed. There are issues with - some ill-mannered programs (like Linux su) so this is not the - default. + and automatically foregrounded as needed. There are issues with some + ill-mannered programs (like Linux su) so this is not the default. [c0b32b0938f2] * common/Makefile.in: @@ -2578,9 +4616,8 @@ * src/exec_pty.c: No need to restore default signal handler for SIGSTOP as it is not - catchable. Attempting to do so is harmless but sigaction() will - fail and set errno to EINVAL which makes it looks like there is an - error. + catchable. Attempting to do so is harmless but sigaction() will fail + and set errno to EINVAL which makes it looks like there is an error. [be7c0b759e9a] * src/exec.c: @@ -2816,10 +4853,10 @@ plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c: Allow sudoers programs (visudo, sudoreplay, visudo) to use - plugin_error.c instead of the error.c from the front-end. This - means sudoers_setlocale() needs to be independent of the sudo_user - struct and the defaults table. The sudoers locale is now updated - via a callback. + plugin_error.c instead of the error.c from the front-end. This means + sudoers_setlocale() needs to be independent of the sudo_user struct + and the defaults table. The sudoers locale is now updated via a + callback. [e356f5f8cd6a] * plugins/sudoers/iolog.c, plugins/sudoers/logging.c, @@ -3429,14 +5466,13 @@ * src/exec.c: Shells typically change their process group when they start up so - that they can implement job control. Most well-behaved shells - change the pgrp back to its original value before suspending so we - must not try to restore in that case, lest we race with the child - upon resume, potentially stopping sudo with SIGTTOU while the - command continues to run. Some shells, such as pdksh, just suspend - the shell by sending SIGSTOP to themselves without restoring the - pgrp. In this case we need to change the pgrp back for them. Should - fix bug #568 + that they can implement job control. Most well-behaved shells change + the pgrp back to its original value before suspending so we must not + try to restore in that case, lest we race with the child upon + resume, potentially stopping sudo with SIGTTOU while the command + continues to run. Some shells, such as pdksh, just suspend the shell + by sending SIGSTOP to themselves without restoring the pgrp. In this + case we need to change the pgrp back for them. Should fix bug #568 [6ac6751ffd17] 2012-08-26 Todd C. Miller @@ -3593,9 +5629,9 @@ * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/visudo.c: Add new check_defaults() function to check (but not update) the - Defaults entries. Visudo can now use this instead of - update_defaults to check all the defaults regardless instead of just - the global Defaults entries. + Defaults entries. Visudo can now use this instead of update_defaults + to check all the defaults regardless instead of just the global + Defaults entries. [3fa879ce1b65] 2012-08-13 Todd C. Miller @@ -3810,8 +5846,8 @@ Previously, we just checked RLIMIT_NPROC and, if it was unlimited, restored the previous value of RLIMIT_NPROC. However, that makes it impossible to set nproc to unlimited. We now only restore the nproc - resource limit if sysconf(_SC_CHILD_MAX) is negative. In most - cases, pam_limits will set RLIMIT_NPROC for us. + resource limit if sysconf(_SC_CHILD_MAX) is negative. In most cases, + pam_limits will set RLIMIT_NPROC for us. [cb71cc8d0b08] 2012-07-30 Todd C. Miller @@ -3993,9 +6029,9 @@ call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers - but where the user failed to enter the correct password. - Previously, these would be logged as "N incorrect password attempts" - but now are logged as "command not allowed". Fixes bug #563 + but where the user failed to enter the correct password. Previously, + these would be logged as "N incorrect password attempts" but now are + logged as "command not allowed". Fixes bug #563 [cad35f0b3ad7] 2012-07-06 Todd C. Miller @@ -4207,8 +6243,8 @@ [b8961cd82337] * plugins/sudoers/regress/check_symbols/check_symbols.c: - Add check for exported local symbols. This will cause a "make - check" failure on systems where we don't support symbol hiding. + Add check for exported local symbols. This will cause a "make check" + failure on systems where we don't support symbol hiding. [8aa549389bb1] * configure, configure.in: @@ -4290,9 +6326,9 @@ plugins/system_group/system_group.map, src/sudo_noexec.c, src/sudo_noexec.map: Use gcc's visibility attribute to specify when symbols are visible - or hidden, if available. If not available, use an ELF version - script if it is supported. If all else fails, fall back to using - libtool's -export-symbols. + or hidden, if available. If not available, use an ELF version script + if it is supported. If all else fails, fall back to using libtool's + -export-symbols. [64e889921727] 2012-06-12 Todd C. Miller @@ -4436,8 +6472,7 @@ * plugins/sudoers/sudoreplay.c: Instead of doing extra write()s when replaying stdout, build up a - vector for writev() instead. This results in far fewer system - calls. + vector for writev() instead. This results in far fewer system calls. [303d866c025c] 2012-05-27 Todd C. Miller @@ -4885,9 +6920,9 @@ Rototill code to determine the tty. For Linux, we now look up the tty device in /proc/pid/stat instead of trying to open /proc/pid/fd/[0-2]. The sudo_ttyname_dev() function maps the given - device number to a string. On BSD, we can use devname(). On - Solaris, _ttyname_dev() does what we want. TODO: write /dev/ - traversal code for the generic sudo_ttyname_dev(). + device number to a string. On BSD, we can use devname(). On Solaris, + _ttyname_dev() does what we want. TODO: write /dev/ traversal code + for the generic sudo_ttyname_dev(). [6b22be4d09f0] 2012-04-10 Todd C. Miller @@ -5498,8 +7533,8 @@ * src/hooks.c, src/sudo.c, src/sudo.h: Disable environment hooks after we get user_env back to make sure a - plugin can't to modify user_env after we "own" it. This is kind of - a hack but we don't want the init_session plugin function to modify + plugin can't to modify user_env after we "own" it. This is kind of a + hack but we don't want the init_session plugin function to modify user_env. [8e6d119452a5] @@ -5523,11 +7558,11 @@ plugins/sudoers/sudoers.h, src/Makefile.in, src/env_hooks.c, src/hooks.c, src/load_plugins.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h: - Initial cut at a hooks implementation. The plugin can register - hooks for getenv, putenv, setenv and unsetenv. This makes it - possible for the plugin to trap changes to the environment made by - authentication methods such as PAM or BSD auth so that such changes - are reflected in the environment passed back to sudo for execve(). + Initial cut at a hooks implementation. The plugin can register hooks + for getenv, putenv, setenv and unsetenv. This makes it possible for + the plugin to trap changes to the environment made by authentication + methods such as PAM or BSD auth so that such changes are reflected + in the environment passed back to sudo for execve(). [61cffa06f863] 2012-03-05 Todd C. Miller @@ -5590,8 +7625,8 @@ [b2d6ee1e547a] * config.h.in, configure, configure.in, src/ttyname.c: - Prefer KERN_PROC2 over KERN_PROC. Fixes compilation on some - versions of OpenBSD versions that have KERN_PROC2 but not KERN_PROC. + Prefer KERN_PROC2 over KERN_PROC. Fixes compilation on some versions + of OpenBSD versions that have KERN_PROC2 but not KERN_PROC. [159f6a50456a] 2012-02-27 Todd C. Miller @@ -5650,8 +7685,8 @@ Relax the user/group/mode checks on sudoers files. As long as the file is owned by the right user, not world-writable and not writable by a group other than the one specified at configure time (gid 0 by - default), the file is considered OK. Note that visudo will still - set the mode to the value specified at configure time. + default), the file is considered OK. Note that visudo will still set + the mode to the value specified at configure time. [241174babfcc] 2012-02-21 Todd C. Miller @@ -5728,8 +7763,8 @@ * plugins/sudoers/Makefile.in, src/Makefile.in: Got back to using "install-sh -M" for files installed as non- - readable by owner. This fixes "make install" as non-root for - package building. + readable by owner. This fixes "make install" as non-root for package + building. [967804ee77d6] 2012-02-09 Todd C. Miller @@ -5947,8 +7982,8 @@ * plugins/sudoers/sudoers.c: For "sudo -g" prepend the specified group ID to the beginning of the groups list. This matches BSD convention where the effective gid is - the first entry in the group list. This is required on newer - FreeBSD where the effective gid is not tracked separately and thus + the first entry in the group list. This is required on newer FreeBSD + where the effective gid is not tracked separately and thus setgroups() changes the egid if this convention is not followed. Fixes bug #532 [782d6909108b] @@ -6278,8 +8313,8 @@ * plugins/sudoers/Makefile.in: If srcdir is "." just use the basename of the yacc/lex file when - generating the C version. This matches the generated files - currently in the repo. + generating the C version. This matches the generated files currently + in the repo. [0b11c3df87a8] * doc/Makefile.in, plugins/sudoers/Makefile.in: @@ -6300,8 +8335,8 @@ * src/exec_pty.c: Catch common signals in the monitor process so they get passed to - the command. Fixes a problem when the entire login session is - killed when ssh is disconnected or the terminal window is closed. + the command. Fixes a problem when the entire login session is killed + when ssh is disconnected or the terminal window is closed. Previously, the monitor would exit and plugin's close method would not be called. [0e4658263138] @@ -6368,10 +8403,10 @@ * plugins/sudoers/auth/bsdauth.c, plugins/sudoers/sudoers.c: Fetch the login class for the user we authenticate specifically when - using BSD authentication. That user may have a different login - class than what we will use to run the command. When setting the - login class for the command, use the target user's struct passwd, - not the invoking user's. Fixes bug 526 + using BSD authentication. That user may have a different login class + than what we will use to run the command. When setting the login + class for the command, use the target user's struct passwd, not the + invoking user's. Fixes bug 526 [21bf0af892f7] * compat/Makefile.in, configure, configure.in, doc/Makefile.in, @@ -6417,8 +8452,8 @@ * aclocal.m4, config.h.in, configure, configure.in: No longer need SUDO_CHECK_TYPE and SUDO_TYPE_* now that the default - includes have unistd.h in them. Add check for socklen_t for - upcoming getaddrinfo compat. + includes have unistd.h in them. Add check for socklen_t for upcoming + getaddrinfo compat. [d705465bef69] * common/fileops.c, compat/nanosleep.c, config.h.in, configure, @@ -6873,10 +8908,10 @@ * plugins/sudoers/pwutil.c: Instead of trying to grow the buffer in make_grlist_item(), simply increase the total length, free the old buffer and allocate a new - one. This is less error prone and saves us from having to adjust - all the pointers in the buffer. This code path is only taken when - there are groups longer than the length of the user field in struct - utmp or utmpx, which should be quite rare. + one. This is less error prone and saves us from having to adjust all + the pointers in the buffer. This code path is only taken when there + are groups longer than the length of the user field in struct utmp + or utmpx, which should be quite rare. [5587dc8cffaf] * src/po/it.mo: @@ -6956,9 +8991,9 @@ * plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/sudoers.c: - Fix a PAM_USER mismatch in session open/close. We update PAM_USER - to the target user immediately before setting resource limits, which - is after the monitor process has forked (so it has the old value). + Fix a PAM_USER mismatch in session open/close. We update PAM_USER to + the target user immediately before setting resource limits, which is + after the monitor process has forked (so it has the old value). Also, if the user did not authenticate, there is no pamh in the monitor so we need to init pam here too. This means we end up calling pam_start() twice, which should be fixed, but at least the @@ -7083,8 +9118,8 @@ * INSTALL, configure, configure.in: Remove --with-CC option; it doesn't work correctly now that we use - libtool. Users can get the same effect by setting the CC - environment variable when running configure. + libtool. Users can get the same effect by setting the CC environment + variable when running configure. [ec22bd1a55e0] 2011-08-31 Todd C. Miller @@ -7336,9 +9371,9 @@ * plugins/sudoers/sudoers.c, src/parse_args.c, src/sudo.c: Go back to escaping the command args for "sudo -i" and "sudo -s" - before calling the plugin. Otherwise, spaces in the command args - are not treated properly. The sudoers plugin will unescape non- - spaces to make matching easier. + before calling the plugin. Otherwise, spaces in the command args are + not treated properly. The sudoers plugin will unescape non- spaces + to make matching easier. [dfa2c4636f33] 2011-07-28 Todd C. Miller @@ -7491,8 +9526,8 @@ plugins/sudoers/regress/logging/check_wrap.in, plugins/sudoers/regress/logging/check_wrap.out.ok: Split out log file word wrap code into its own file and add unit - tests. Fixes an off-by one in the word wrap when the log line - length matches loglinelen. + tests. Fixes an off-by one in the word wrap when the log line length + matches loglinelen. [52ed277f6690] 2011-07-05 Todd C. Miller @@ -7507,8 +9542,8 @@ [b994f7b0d8b4] * configure, configure.in: - Disable noexec for AIX < 5. LDR_PRELOAD is only available in AIX - 5.3 and above. + Disable noexec for AIX < 5. LDR_PRELOAD is only available in AIX 5.3 + and above. [c2a6f9b472f3] 2011-07-01 Todd C. Miller @@ -7804,8 +9839,8 @@ * Makefile.in, compat/Makefile.in, mkdep.pl, plugins/sudoers/Makefile.in: - Add dependency for siglist.lo in compat. This is a generated file - so "make depend" needs to depend on it. + Add dependency for siglist.lo in compat. This is a generated file so + "make depend" needs to depend on it. [28d0932f8b50] * compat/Makefile.in: @@ -8248,8 +10283,8 @@ * src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h: Load plugins after parsing arguments and potentially printing the - version. That way, an error loading or initializing a plugin - doesn't break "sudo -h" or "sudo -V". + version. That way, an error loading or initializing a plugin doesn't + break "sudo -h" or "sudo -V". [1b76f2b096a2] * Makefile.in: @@ -8330,8 +10365,8 @@ plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in: The --with-libpath option now adds to SUDOERS_LDFLAGS as well as LDFLAGS. Remove old -static hack for HP-UX < 9. Add LTLDFLAGS and - set it to -Wc,-static-libgcc if not using GNU ld so we don't - have a dependency on the shared libgcc in sudoers.so. + set it to -Wc,-static-libgcc if not using GNU ld so we don't have a + dependency on the shared libgcc in sudoers.so. [66ad8bc5e32d] * doc/sudoers.pod: @@ -8621,8 +10656,8 @@ * plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l: Make lex tracing settable at run-time in testsudoers via the -t - flag. Trace output goes to stderr. Will be used by regress tests - to check lexer. + flag. Trace output goes to stderr. Will be used by regress tests to + check lexer. [93bd53c413c8] * plugins/sudoers/toke.c, plugins/sudoers/toke.l: @@ -8655,14 +10690,13 @@ * src/exec_pty.c: Save the controlling tty process group before suspending in pty - mode. Previously, we assumed that the child pgrp == child pid - (which is usually, but not always, the case). + mode. Previously, we assumed that the child pgrp == child pid (which + is usually, but not always, the case). [10b2883b7875] * doc/sudoers.ldap.pod, plugins/sudoers/ldap.c: - Add support for sudoers_search_filter setting in ldap.conf. This - can be used to restrict the set of records returned by the LDAP - query. + Add support for sudoers_search_filter setting in ldap.conf. This can + be used to restrict the set of records returned by the LDAP query. [b0f1b721d102] 2011-03-17 Todd C. Miller @@ -8894,9 +10928,9 @@ * configure, configure.in, plugins/sample/Makefile.in, plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in: - Install plugins manually instead of using libtool. This works - around a problem on AIX where libtool will install a .a file - containing the .so file instead of the .so file itself. + Install plugins manually instead of using libtool. This works around + a problem on AIX where libtool will install a .a file containing the + .so file instead of the .so file itself. [796971cfbddb] * Makefile.in: @@ -8955,8 +10989,8 @@ * plugins/sudoers/sudoers.c: Fix return value of "sudo -l command" when command is not allowed, - broken in [c7097ea22111]. The default return value is now TRUE and - a bad: label is used when permission is denied. Also fixed missing + broken in [c7097ea22111]. The default return value is now TRUE and a + bad: label is used when permission is denied. Also fixed missing permissions restoration on certain errors. On error()/errorx(), the password and group files are now closed before returning. [4f2d0e869ae5] @@ -9446,8 +11480,8 @@ * plugins/sudoers/ldap.c: Stash pointer to user group vector in LDAP handle and only reuse the - query if it has not changed. We always allocate a new buffer when - we reset the group vector so a simple pointer check is sufficient. + query if it has not changed. We always allocate a new buffer when we + reset the group vector so a simple pointer check is sufficient. [88861d4eba69] * plugins/sudoers/sudo_nss.c: @@ -9767,9 +11801,8 @@ plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: Allow sudoers to specify the iolog file in addition to the iolog dir. Add escape sequence support to iolog file and dir: sequence - number, user, group, runas_user, runas_group, hostname and - command in addition to any escape sequence recognized by - strftime(3). + number, user, group, runas_user, runas_group, hostname and command + in addition to any escape sequence recognized by strftime(3). [75cd32ee0435] * plugins/sudoers/iolog.c: @@ -9786,8 +11819,8 @@ [d29784fd2a66] * common/term.c: - Clear OPOST from c_oflag like we used to. Fixes screen-based - editors such as vi. + Clear OPOST from c_oflag like we used to. Fixes screen-based editors + such as vi. [506ad5ae9b4e] * doc/sudoers.pod: @@ -10523,8 +12556,8 @@ * plugins/sudoers/match.c: When matching the runas user and runas group (-u and -g command line options), keep track of runas group and runas user matches - separately. Only return a positive match if we have a match for - both runas user and runas group (if specified). + separately. Only return a positive match if we have a match for both + runas user and runas group (if specified). [815219e04cc8] 2010-09-04 Todd C. Miller @@ -10749,8 +12782,8 @@ * plugins/sudoers/check.c, plugins/sudoers/ldap.c, plugins/sudoers/match.c, plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h: - Reference count cached passwd and group structs. The cache holds - one reference itself and another is added by sudo_getgr{gid,nam} and + Reference count cached passwd and group structs. The cache holds one + reference itself and another is added by sudo_getgr{gid,nam} and sudo_getpw{uid,nam}. The final ref on the runas and user passwd and group structs are persistent for now. [e544685523c3] @@ -10883,8 +12916,8 @@ * plugins/sudoers/sudoreplay.c: Add setlocale() so the command line arguments that use floating - point work in different locales. Since sudo now logs the timing - data in the C locale we must Parse the seconds in the timing file + point work in different locales. Since sudo now logs the timing data + in the C locale we must Parse the seconds in the timing file manually instead of using strtod(). Furthermore, sudo 1.7.3 logged the number of seconds with the user's locale so if the decimal point is not '.' try using the locale-specific version. @@ -11063,8 +13096,8 @@ * common/aix.c: setauthdb() only sets the "old" registry if it was set by a previous - call to setauthdb(). To restore the original value, passing NULL - (or an empty string) to setauthdb() is sufficient. + call to setauthdb(). To restore the original value, passing NULL (or + an empty string) to setauthdb() is sufficient. [470da190a254] 2010-07-19 Todd C. Miller @@ -11174,8 +13207,8 @@ Use tab indents to reduce the chance of problem with <<- Fix the debian %set section, pp does not set pp_deb_distro Uncomment %sudo line in sudoers for debian Uncomment some env_keep lines for RHEL, - SLES and debian to more closely match the vendor sudoers files. - Add /etc/pam.d to %files Remove the /etc/sudo-ldap.conf symlink on + SLES and debian to more closely match the vendor sudoers files. Add + /etc/pam.d to %files Remove the /etc/sudo-ldap.conf symlink on debian for ldap flavor [c5b49feb1a0c] @@ -11813,8 +13846,8 @@ * plugins/sudoers/toke.c, plugins/sudoers/toke.l: A comment character may not be part of a command line argument - unless it is quoted with a backslash. Fixes parsing of: - testuser ALL=NOPASSWD: /usr/bin/wl #comment foo bar closes bz #441 + unless it is quoted with a backslash. Fixes parsing of: testuser + ALL=NOPASSWD: /usr/bin/wl #comment foo bar closes bz #441 [ea2e990f85ed] * doc/sudoers.pod: @@ -11935,8 +13968,7 @@ include/sudo_plugin.h, plugins/sudoers/auth/sudo_auth.c, src/conversation.c, src/sudo.h, src/tgetpass.c: Add SUDO_CONV_PROMPT_MASK define which corresponds to the - "pwfeedback" sudoers option. Do not disable echo if TGP_ECHO is - set. + "pwfeedback" sudoers option. Do not disable echo if TGP_ECHO is set. [e0550590cabe] * src/exec_pty.c: @@ -11988,8 +14020,8 @@ * plugins/sudoers/toke.c, plugins/sudoers/toke.l: If a file in a #includedir has improper permissions or owner just - skip it. This prevents packages that incorrectly install a file - into /etc/sudoers.d from breaking sudo so easily. Syntax errors in + skip it. This prevents packages that incorrectly install a file into + /etc/sudoers.d from breaking sudo so easily. Syntax errors in #includedir files still result in a parse error (for now). [ade99a4549a4] @@ -12487,8 +14519,8 @@ [31b69a6ecda7] * src/script.c, src/sudo.h: - Cosmetic changes: add comments, remove orphaned prototype and - make a global static. + Cosmetic changes: add comments, remove orphaned prototype and make a + global static. [f7851af0143e] 2010-05-20 Todd C. Miller @@ -12562,8 +14594,8 @@ * plugins/sample/sample_plugin.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: If plugin sets "sudoedit=true" in the command info, enable sudoedit - mode even if not invoked as sudoedit. This allows a plugin to - enable sudoedit when the user runs an editor. + mode even if not invoked as sudoedit. This allows a plugin to enable + sudoedit when the user runs an editor. [96d67b99e42e] 2010-05-15 Todd C. Miller @@ -12615,9 +14647,9 @@ [4cbf5196d993] * plugins/sudoers/sudoers.c, src/sudo.c, src/sudo.h, src/sudo_edit.c: - Change how we handle the sudoedit argv. We now require that there - be a "--" in argv to separate the editor and any command line - arguments from the files to be edited. + Change how we handle the sudoedit argv. We now require that there be + a "--" in argv to separate the editor and any command line arguments + from the files to be edited. [20623d549a3c] * include/sudo_plugin.h, plugins/sample/sample_plugin.c, @@ -12709,9 +14741,8 @@ [dd5464257c69] * src/script.c: - Fix SIGPIPE handling. Now that we use may use pipes for - stdin/stdout we need to pass any SIGPIPE we receive to the running - command. + Fix SIGPIPE handling. Now that we use may use pipes for stdin/stdout + we need to pass any SIGPIPE we receive to the running command. [3f6b1991f4fd] * src/script.c: @@ -12924,8 +14955,8 @@ * src/script.c: Defer call to alarm() until after we fork the child. Pass correct pid to terminate_child() If the command exits due to signal, set - alive to false like we do when it exits normally. Add missing - check for errpipe[0] != -1 before using it in FD_ISSET + alive to false like we do when it exits normally. Add missing check + for errpipe[0] != -1 before using it in FD_ISSET [22f0a1549391] 2010-04-28 Todd C. Miller @@ -13790,9 +15821,9 @@ [04a233b6c491] * include/compat.h: - Add definition of WCOREDUMP for systems without it. This is known - to work on AIX and SunOS 4, but may be incorrect on other systems - that lack WCOREDUMP. + Add definition of WCOREDUMP for systems without it. This is known to + work on AIX and SunOS 4, but may be incorrect on other systems that + lack WCOREDUMP. [c85b3ce6b77d] 2010-03-09 Todd C. Miller @@ -14399,8 +16430,8 @@ * match.c: cmnd_matches() already deals with negation so _cmndlist_matches() - does not need to do so itself. Fixes a bug with negated entries in - a Cmnd_List. + does not need to do so itself. Fixes a bug with negated entries in a + Cmnd_List. [71c845f6ce73] 2009-11-22 Todd C. Miller @@ -14444,9 +16475,9 @@ allows the parent to distinguish between signals it has been sent directly and signals the command has received. It also means the parent can once again print the signal notifications to the tty so - all writes to the pty master occur in the parent. The command is - now always started in background mode with tty signals handled by - the parent. + all writes to the pty master occur in the parent. The command is now + always started in background mode with tty signals handled by the + parent. [c6790b82986d] 2009-11-04 Todd C. Miller @@ -14706,9 +16737,8 @@ [85f590a03275] * script.c: - Don't set stdout to blocking mode when flushing remaining output. - It can cause us to hang when trying to exit. Need to investigate - why. + Don't set stdout to blocking mode when flushing remaining output. It + can cause us to hang when trying to exit. Need to investigate why. [6f803a3e33ca] * script.c: @@ -15233,9 +17263,9 @@ configure.in, def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, parse.c, parse.h, pathnames.h.in, sudo.c, sudo.h, term.c, tgetpass.c: - First cut at session logging for sudo. Still need to write - get_pty() for Unix 98 and old-style BSD ptys. Also needs - documentation and general cleanup. + First cut at session logging for sudo. Still need to write get_pty() + for Unix 98 and old-style BSD ptys. Also needs documentation and + general cleanup. [77e3f5e25738] 2009-08-05 Todd C. Miller @@ -15751,10 +17781,10 @@ [2bcbbb45d389] * auth/pam.c: - Make sure def_prompt is always defined. This is a workaround for - pam configs that prompt for a password in the session but don't have - an auth line. A better fix is to expand the sudo prompt earlier and - set def_prompt to that when initializing. + Make sure def_prompt is always defined. This is a workaround for pam + configs that prompt for a password in the session but don't have an + auth line. A better fix is to expand the sudo prompt earlier and set + def_prompt to that when initializing. [ee073c04aec3] * sudo.pod: @@ -16905,8 +18935,8 @@ * INSTALL, configure, configure.in: Disable use of gss_krb5_ccache_name() by default and add - --enable-gss-krb5-ccache-name configure option to enable it. It - seems that gss_krb5_ccache_name() doesn't work properly with some + --enable-gss-krb5-ccache-name configure option to enable it. It seems + that gss_krb5_ccache_name() doesn't work properly with some combinations of Heimdal and OpenLDAP. [f61ebd3b19bd] @@ -16976,9 +19006,8 @@ * Makefile.in, sudo.pod, sudoers.ldap.pod, sudoers.pod, visudo.pod: Remove the =cut on the first line (above the copyright notice) to - quiet pod2man. Also remove the hackery in the FILES section and - just deal with the fact that there will a newline between each - pathname. + quiet pod2man. Also remove the hackery in the FILES section and just + deal with the fact that there will a newline between each pathname. [2ac1ab191835] 2008-02-17 Todd C. Miller @@ -17042,29 +19071,26 @@ * sudo.c, sudo.cat, sudo.h, sudo.man.in, sudo.pod, sudo_usage.h.in, sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.ldap.pod, testsudoers.c, toke.c, toke.l: - Add support for SELinux RBAC. Sudoers entries may specify a role - and type. There are also role and type defaults that may be used. - To make sure a transition occurs, when using RBAC commands are - executed via the new sesh binary. Based on initial changes from Dan - Walsh. + Add support for SELinux RBAC. Sudoers entries may specify a role and + type. There are also role and type defaults that may be used. To + make sure a transition occurs, when using RBAC commands are executed + via the new sesh binary. Based on initial changes from Dan Walsh. [1d4abfe2c004] * sesh.c: - Add support for SELinux RBAC. Sudoers entries may specify a role - and type. There are also role and type defaults that may be used. - To make sure a transition occurs, when using RBAC commands are - executed via the new sesh binary. Based on initial changes from Dan - Walsh. + Add support for SELinux RBAC. Sudoers entries may specify a role and + type. There are also role and type defaults that may be used. To + make sure a transition occurs, when using RBAC commands are executed + via the new sesh binary. Based on initial changes from Dan Walsh. [1e3b395ce049] * Makefile.in, config.h.in, configure.in, def_data.c, def_data.h, def_data.in, gram.c, gram.h, gram.y, ldap.c, parse.c, parse.h, pathnames.h.in, selinux.c: - Add support for SELinux RBAC. Sudoers entries may specify a role - and type. There are also role and type defaults that may be used. - To make sure a transition occurs, when using RBAC commands are - executed via the new sesh binary. Based on initial changes from Dan - Walsh. + Add support for SELinux RBAC. Sudoers entries may specify a role and + type. There are also role and type defaults that may be used. To + make sure a transition occurs, when using RBAC commands are executed + via the new sesh binary. Based on initial changes from Dan Walsh. [6b421948286e] 2008-02-08 Todd C. Miller @@ -17095,9 +19121,9 @@ * sudo.c: Unlimit nproc on Linux systems where calling the setuid() family of syscalls causes the nroc resource limit to be checked. The limits - will be reset by pam_limits.so when PAM is used. In the non-PAM - case the nproc limit will remain unlimited but there doesn't seem to - be a way around that other than having sudo parse + will be reset by pam_limits.so when PAM is used. In the non-PAM case + the nproc limit will remain unlimited but there doesn't seem to be a + way around that other than having sudo parse /etc/security/limits.conf directly. [df024b415a8d] @@ -17193,9 +19219,9 @@ * pwutil.c: When copying gr_mem we must guarantee that the storage space for - gr_mem is properly aligned. The simplest way to do this is to - simply store gr_mem directly after struct group. This is not a - problem for gr_passwd or gr_name as they are simple strings. + gr_mem is properly aligned. The simplest way to do this is to simply + store gr_mem directly after struct group. This is not a problem for + gr_passwd or gr_name as they are simple strings. [af58fc76f1ed] * ldap.c: @@ -17543,8 +19569,8 @@ 2007-12-21 Todd C. Miller * env.c, pathnames.h.in, sudo.c, sudo.h: - Add support for reading and /etc/environment file. Still needs to - be documented and should probably only applies to OSes that have it + Add support for reading and /etc/environment file. Still needs to be + documented and should probably only applies to OSes that have it (AIX and Linux, maybe others). [15d3edae27e4] @@ -17776,8 +19802,8 @@ [e486024574a1] * ldap.c: - Make sudo ALL imply setenv. Note that unlike with file-based - sudoers this does affect all the commands in the sudoRole. + Make sudo ALL imply setenv. Note that unlike with file-based sudoers + this does affect all the commands in the sudoRole. [bc12f54321d1] * gram.c, gram.y, parse.c, parse.h: @@ -17878,8 +19904,8 @@ * tgetpass.c: Avoid printing the prompt if we are already backgrounded. E.g. if - the user runs "sudo foo &" from the shell. In this case, the call - to tcsetattr() will cause SIGTTOU to be delivered. + the user runs "sudo foo &" from the shell. In this case, the call to + tcsetattr() will cause SIGTTOU to be delivered. [db2139a8d8b8] 2007-09-15 Todd C. Miller @@ -18090,10 +20116,10 @@ * match.c, parse.c, testsudoers.c: Use LH_FOREACH_REV when checking permission and short-circuit on the - first non-UNSPEC hit we get for the command. This means that - instead of cycling through the all the parsed sudoers entries we - start at the end and work backwards and quit after the first - positive or negative match. + first non-UNSPEC hit we get for the command. This means that instead + of cycling through the all the parsed sudoers entries we start at + the end and work backwards and quit after the first positive or + negative match. [881474532f3e] * gram.c: @@ -18124,9 +20150,9 @@ * alias.c, defaults.c, gram.y, match.c, parse.c, parse.h, testsudoers.c, visudo.c: Use a list head struct when storing the semi-circular lists and - convert to tail queues in the process. This will allow us to - reverse foreach loops more easily and it makes it clearer which - functions expect a list as opposed to a single member. + convert to tail queues in the process. This will allow us to reverse + foreach loops more easily and it makes it clearer which functions + expect a list as opposed to a single member. Add macros for manipulating lists. Some of these should become functions. @@ -18250,9 +20276,9 @@ * toke.l: Require that the first character after a comment not be a digit or a - dash. This allows us to remove the GOTRUNAS state and treat - uid/gids similar to other words. It also means that we can now - specify uids in User_Lists and a User_Spec may now contain a uid. + dash. This allows us to remove the GOTRUNAS state and treat uid/gids + similar to other words. It also means that we can now specify uids + in User_Lists and a User_Spec may now contain a uid. [461fe01f8392] * gram.y, toke.l: @@ -19067,9 +21093,8 @@ * auth/kerb5.c: If we cannot get a valid service key using the default keytab it is - a fatal error. Fixes a bug where sudo could be tricked into - allowing access when it should not by a fake KDC. From Thor Lancelot - Simon. + a fatal error. Fixes a bug where sudo could be tricked into allowing + access when it should not by a fake KDC. From Thor Lancelot Simon. [a3ae6a47cb23] 2007-05-12 Todd C. Miller @@ -19151,8 +21176,8 @@ * env.c: Add NOEXEC support for AIX 5.3 which supports LDR_PRELOAD and - LDR_PRELOAD64. The 64-bit version is not currently supported. - Remove zero_env() prototype as it no longer exists. + LDR_PRELOAD64. The 64-bit version is not currently supported. Remove + zero_env() prototype as it no longer exists. [b4fe65027fb6] 2006-12-11 Todd C. Miller @@ -19537,11 +21562,10 @@ [1dfc2e8c9f2b] * ldap.c: - Reorganize LDAP code to better match normal sudoers parsing. - Instead of storing strings for later printing in -l mode we do - another query since the authenticating user and the user being - listed may not be the same (the new -U flag). Also add support for - "sudo -l command". + Reorganize LDAP code to better match normal sudoers parsing. Instead + of storing strings for later printing in -l mode we do another query + since the authenticating user and the user being listed may not be + the same (the new -U flag). Also add support for "sudo -l command". There is still a fair bit if duplicated code that can probably be refactored. @@ -20126,8 +22150,8 @@ * match.c, testsudoers.c, visudo.c: Only check group vector in usergr_matches() if we are matching the - invoking or list user. Always check the group members, even if - there was a group vector. + invoking or list user. Always check the group members, even if there + was a group vector. [d0c7ceb2a041] 2004-12-17 Todd C. Miller @@ -20202,9 +22226,8 @@ [d69959681c87] * getspwuid.c: - Check rbinsert() return value. In the case of faked up entries - there is usually a negative response cached that we need to - overwrite. + Check rbinsert() return value. In the case of faked up entries there + is usually a negative response cached that we need to overwrite. In pwfree() don't try to zero out a NULL pw_passwd pointer. [00b32d1a48c1] @@ -20296,8 +22319,8 @@ [e56fe33db916] * ldap.c, parse.c, sudo.c, sudo.h: - Remove the FLAG_NOPASS, FLAG_NOEXEC and FLAG_MONITOR flags. - Instead, we just set the approriate defaults variable. + Remove the FLAG_NOPASS, FLAG_NOEXEC and FLAG_MONITOR flags. Instead, + we just set the approriate defaults variable. [756eeecc1d86] * sample.sudoers, sudoers.cat, sudoers.man.in, sudoers.pod: @@ -20313,8 +22336,8 @@ * defaults.c, match.c, parse.c, parse.h, testsudoers.c: Change an occurence of user_matches() -> runas_matches() missed previously runas_matches(), host_matches() and cmnd_matches() only - really need to pass in a list of members. user_matches() still - needs to pass in a passwd struct because of "sudo -l" + really need to pass in a list of members. user_matches() still needs + to pass in a passwd struct because of "sudo -l" [833b22fc6fa0] * parse.c: @@ -20622,8 +22645,8 @@ [ad462ede3094] * testsudoers.c: - Rewrite for the new parser. Now supports a -d flag (dump) and adds - a -h flag (host). It now defaults to the local hostname unless + Rewrite for the new parser. Now supports a -d flag (dump) and adds a + -h flag (host). It now defaults to the local hostname unless otherwise specified. [1b69685cc601] @@ -20805,8 +22828,8 @@ 2004-10-05 Todd C. Miller * mon_systrace.c: - Just return if STRIOCINJECT or STRIOCREPLACE fail. It probably - means we are out of space in the stack gap... + Just return if STRIOCINJECT or STRIOCREPLACE fail. It probably means + we are out of space in the stack gap... [5b02b702021e] * CHANGES: @@ -20952,10 +22975,10 @@ [ba481d9ed1aa] * visudo.c: - Overhaul visudo for editing multiple files: o visudo has been - broken out into functions (more work needed here) o each file is - now edited before sudoers is re-parsed o if a #include line is - added that file will be edited too + Overhaul visudo for editing multiple files: o visudo has been broken + out into functions (more work needed here) o each file is now edited + before sudoers is re-parsed o if a #include line is added that file + will be edited too TODO: o cleanup temp files when exiting via err() or errx() o continue breaking things out into separate functions @@ -21011,9 +23034,9 @@ * parse.c, parse.h, parse.lex, parse.yacc: More scaffolding for dealing with multiple sudoers files: o - init_parser() now takes a path used to populate the sudoers global - o the sudoers global is used to print the correct file in yyerror() - o when switching to a new sudoers file, perserve old file name and + init_parser() now takes a path used to populate the sudoers global o + the sudoers global is used to print the correct file in yyerror() o + when switching to a new sudoers file, perserve old file name and line number [d9be4970b8bd] @@ -21097,8 +23120,8 @@ * getspwuid.c: Add flag to sudo_pwdup that indicates whether or not to lookup the - shadow password. Will be used to a struct passwd that has the - shadow password already filled in. + shadow password. Will be used to a struct passwd that has the shadow + password already filled in. [e19d43dd7238] * mon_systrace.c: @@ -21148,11 +23171,10 @@ [1703fd2fdef6] * mon_systrace.c: - systrace(4) support for sudo. On systems with the systrace(4) - kernel facility (OpenBSD, NetBSD, Linux w/ patches) sudo can - intercept exec calls and check the exec args against the sudoers - file. In other words, sudo can now control subcommands and shell - escapes. + systrace(4) support for sudo. On systems with the systrace(4) kernel + facility (OpenBSD, NetBSD, Linux w/ patches) sudo can intercept exec + calls and check the exec args against the sudoers file. In other + words, sudo can now control subcommands and shell escapes. [928c9217c386] * sudo.c, sudo.h: @@ -22061,8 +24083,8 @@ 2004-05-29 Todd C. Miller * INSTALL, README.LDAP, config.h.in, configure.in: - o --with-ldap now takes an optional dir as a parameter o added - check for ldap_initialize() and start_tls_s() + o --with-ldap now takes an optional dir as a parameter o added check + for ldap_initialize() and start_tls_s() [2b846c7974c6] * README.LDAP: @@ -22128,8 +24150,8 @@ * parse.c: In sudoers_lookup() return VALIDATE_NOT_OK if the runas user was explicitly denied and the command matched. This fixes a long- - standing bug and makes: foo machine = (ALL) /usr/bin/blah - foo machine = (!bar) /usr/bin/blah + standing bug and makes: foo machine = (ALL) /usr/bin/blah foo + machine = (!bar) /usr/bin/blah equivalent to: foo machine = (ALL, !bar) /usr/bin/blah [2f5ee244985a] @@ -22228,18 +24250,18 @@ [6058c4cefcec] * set_perms.c, sudo.c, tgetpass.c, visudo.c: - Preliminary changes to support nsr-tandem-nsk. Based on patches - from Tom Bates. + Preliminary changes to support nsr-tandem-nsk. Based on patches from + Tom Bates. [2e5f81834383] * logging.c: - Preliminary changes to support nsr-tandem-nsk. Based on patches - from Tom Bates. + Preliminary changes to support nsr-tandem-nsk. Based on patches from + Tom Bates. [934bbe6872b6] * check.c, compat.h: - Preliminary changes to support nsr-tandem-nsk. Based on patches - from Tom Bates. + Preliminary changes to support nsr-tandem-nsk. Based on patches from + Tom Bates. [390b698b5924] 2004-05-16 Todd C. Miller @@ -22587,9 +24609,9 @@ [773165eb6057] * visudo.c: - Use WIFEXITED and WEXITSTATUS macros. If there are systems out - there that want to run sudo that still don't support these we can - try to deal with that later. + Use WIFEXITED and WEXITSTATUS macros. If there are systems out there + that want to run sudo that still don't support these we can try to + deal with that later. [6af68e4aff60] * lex.yy.c: @@ -22623,27 +24645,25 @@ * sudo.h: Add a new flag, -e, that makes it possible to give users the ability to edit files with the editor of their choice as the invoking user, - not the runas user. Temporary files are used for the actual edit - and the temp file is copied over the original after the editor is - done. + not the runas user. Temporary files are used for the actual edit and + the temp file is copied over the original after the editor is done. [c4051414c1f4] * Makefile.in, parse.c, parse.lex, sudo.c, sudo_edit.c: Add a new flag, -e, that makes it possible to give users the ability to edit files with the editor of their choice as the invoking user, - not the runas user. Temporary files are used for the actual edit - and the temp file is copied over the original after the editor is - done. + not the runas user. Temporary files are used for the actual edit and + the temp file is copied over the original after the editor is done. [37ac05c8ac3c] * env.c, sudo.c: If real uid == 0 and the SUDO_USER environment variables is set, use that to determine the invoking user's true identity. That way the proper info gets logged by someone who has done "sudo su" but still - uses sudo to as root. We can't do this for non-root users since - that would open up a security hole, though perhaps it would be - acceptable to use getlogin(2) on OSes where this a system call (and - doesn't just look in the utmp file). + uses sudo to as root. We can't do this for non-root users since that + would open up a security hole, though perhaps it would be acceptable + to use getlogin(2) on OSes where this a system call (and doesn't + just look in the utmp file). [c2f9198708a1] * pathnames.h.in: @@ -22692,9 +24712,9 @@ 2004-01-17 Todd C. Miller * sudo.c: - Change euid to runas user before calling find_path(). - Unfortunately, though runas_user can be modified in sudoers we - haven't parsed sudoers yet. + Change euid to runas user before calling find_path(). Unfortunately, + though runas_user can be modified in sudoers we haven't parsed + sudoers yet. [f469fdf2e313] * sudoers.man.in, sudoers.pod: @@ -22703,9 +24723,9 @@ [f7bed6e909bf] * sudo.c: - Fix a bug when set_runaspw() is used as a callback. We don't want - to reset the contents of runas_pw if the user specified a user via - the -u flag. + Fix a bug when set_runaspw() is used as a callback. We don't want to + reset the contents of runas_pw if the user specified a user via the + -u flag. Avoid unnecessary passwd lookups in set_authpw(). In most cases we already have the info in runas_pw. @@ -22730,8 +24750,8 @@ [42aa37050053] * sudo.c: - Add set_runaspw() function to fill in runas_pw. This will be used - as a callback to update runas_pw when the runas user changes. + Add set_runaspw() function to fill in runas_pw. This will be used as + a callback to update runas_pw when the runas user changes. [e570aa0088d0] * env.c, sudo.c: @@ -22947,8 +24967,8 @@ Add support for preloading a shared object containing a dummy execve() function that just sets error and returns -1. This adds a "noexec_file" option to load the filename as well as a "noexec" flag - to enable it unconditionally. There is also a NOEXEC tag that can - be attached to specific commands and an EXEC tag to disable it. + to enable it unconditionally. There is also a NOEXEC tag that can be + attached to specific commands and an EXEC tag to disable it. [c8b6712feb91] * mkdefaults: @@ -23085,11 +25105,10 @@ * auth/pam.c: Fix a core dump on Solaris by preserving the pam_handle_t we used - during authentication for pam_prep_user(). If we didn't - authenticate (ie: ticket still valid), we call pam_init() from - pam_prep_user(). This is something of a hack; it may be better to - change the auth API and add an auth_final() function that acts like - pam_prep_user(). + during authentication for pam_prep_user(). If we didn't authenticate + (ie: ticket still valid), we call pam_init() from pam_prep_user(). + This is something of a hack; it may be better to change the auth API + and add an auth_final() function that acts like pam_prep_user(). [f787de49b175] 2003-06-21 Todd C. Miller @@ -23289,9 +25308,9 @@ [aba0126f0059] * auth/kerb5.c: - Replace ETYPE_DES_CBC_MD5 with ENCTYPE_DES_CBC_MD5. The former is - no longer defined by MIT kerb5 (though it used to be and indeed - remains so in Heimdal). + Replace ETYPE_DES_CBC_MD5 with ENCTYPE_DES_CBC_MD5. The former is no + longer defined by MIT kerb5 (though it used to be and indeed remains + so in Heimdal). [e5a6c64d7cd5] 2003-04-03 Todd C. Miller @@ -23834,10 +25853,9 @@ [587f8a2df857] * parse.lex: - Better fix for sudoers files w/o a newline before EOF. It looks - like the issue is that yyrestart() does not reset the start - condition to INITIAL which is an issue since we parse sudoers - multiple times. + Better fix for sudoers files w/o a newline before EOF. It looks like + the issue is that yyrestart() does not reset the start condition to + INITIAL which is an issue since we parse sudoers multiple times. [920f8326968a] 2003-01-06 Todd C. Miller @@ -23851,10 +25869,10 @@ * visudo.c: o The parser needs sudoers to end with a newline but some editors - (emacs) may not add one. Check for a missing newline at EOF and - add one if needed. o Set quiet flag during initial sudoers parse (to - get options) o Move yyrestart() call and always use freopen() to - open yyin after initial sudoers parse. + (emacs) may not add one. Check for a missing newline at EOF and add + one if needed. o Set quiet flag during initial sudoers parse (to get + options) o Move yyrestart() call and always use freopen() to open + yyin after initial sudoers parse. [12d12f9b07aa] 2002-12-15 Todd C. Miller @@ -24071,9 +26089,9 @@ * env.c: Don't try to pre-compute the size of the new envp, just allocate - space up front and realloc as needed. Changes to the new env - pointer must all be made through insert_env() which now keeps track - of spaced used and allocates as needed. + space up front and realloc as needed. Changes to the new env pointer + must all be made through insert_env() which now keeps track of + spaced used and allocates as needed. [39bc934a9f2c] 2002-04-26 Todd C. Miller @@ -24103,8 +26121,8 @@ * check.c: The the loop used to expand %h and %u, the lastchar variable was not - being initialized. This means that if the last char in the prompt - is '%' and the first char is 'h' or 'u' a extra copy of the host or + being initialized. This means that if the last char in the prompt is + '%' and the first char is 'h' or 'u' a extra copy of the host or user name would be copied, for which space had not been allocated. [b2e27197857d] @@ -24524,8 +26542,8 @@ 2002-01-01 Todd C. Miller * Makefile.in: - o Add DESTDIR support o Use -M, -O, and -G instead of -m, -o, and - -g to facilitate non-root installs + o Add DESTDIR support o Use -M, -O, and -G instead of -m, -o, and -g + to facilitate non-root installs [619216038f56] * install-sh: @@ -24568,9 +26586,9 @@ * auth/pam.c: o Add pam_prep_user function to call pam_setcred() for the target user; on Linux this often sets resource limits. o When calling - pam_end(), try to convert the auth->result to a PAM_FOO value. - This is a hack--we really need to stash the last PAM_FOO value - received and use that instead. + pam_end(), try to convert the auth->result to a PAM_FOO value. This + is a hack--we really need to stash the last PAM_FOO value received + and use that instead. [6ad6f340dd2a] * set_perms.c, sudo.h: @@ -24776,8 +26794,8 @@ [6fa41c89ab20] * sudo.c: - XXX - should call find_path() as runas user, not root. Can't do - that until the parser changes though. + XXX - should call find_path() as runas user, not root. Can't do that + until the parser changes though. [f0b4f85651bd] * sudo.c: @@ -25034,9 +27052,9 @@ * parse.lex: o Use exclusive start conditions to remove some ambiguity in the - lexer. Also reorder some things for clarity. o Add support for - "+=" and "-=" list operators. o Use the new DEFVAR token to denote - a Defaults variable name. + lexer. Also reorder some things for clarity. o Add support for "+=" + and "-=" list operators. o Use the new DEFVAR token to denote a + Defaults variable name. [3a2cf8323e26] * sudo.h: @@ -25044,18 +27062,17 @@ [b74916469dab] * env.c: - o Convert environment handling to use lists instead of strings. - This greatly simplifies routines that need to do "foreach" type - operations. o Add new init_envtables() function to set env_check - and env_delete defaults based on initial_badenv_table and + o Convert environment handling to use lists instead of strings. This + greatly simplifies routines that need to do "foreach" type + operations. o Add new init_envtables() function to set env_check and + env_delete defaults based on initial_badenv_table and initial_checkenv_table (formerly sudo_badenv_table). [0a8b404658b6] * defaults.c, defaults.h: o Add a new LIST type and functions to manipulate it. o This is for - use with environment handling variables. o Call new - init_envtables() routine inside init_defaults() to initialize the - environment lists. + use with environment handling variables. o Call new init_envtables() + routine inside init_defaults() to initialize the environment lists. [ae73e64f0902] * def_data.c, def_data.h, def_data.in: @@ -25375,8 +27392,8 @@ * check.c: Use stashed user_gid when checking against exempt gid since sudo - sets its gid to a a value that makes sudoers readable. Previously - if you used gid 0 as the exempt group everyone would be exempt. From + sets its gid to a a value that makes sudoers readable. Previously if + you used gid 0 as the exempt group everyone would be exempt. From Paul Kranenburg [0b140cc3a817] @@ -25421,8 +27438,8 @@ 2001-01-17 Todd C. Miller * visudo.c: - Block all signals in Exit() to avoid a signal race. There is still - a tiny window but I'm not going to worry about it. + Block all signals in Exit() to avoid a signal race. There is still a + tiny window but I'm not going to worry about it. [6661805c0458] 2001-01-07 Todd C. Miller @@ -25862,8 +27879,8 @@ 2000-04-15 Todd C. Miller * sudo.c: - Fix -H flag. runas_homedir is only valid after - set_perms(PERM_RUNAS, mode) + Fix -H flag. runas_homedir is only valid after set_perms(PERM_RUNAS, + mode) [ce9b1c6f68a6] 2000-04-12 Todd C. Miller @@ -25913,8 +27930,8 @@ sensible error if it does not exist. The path to the editor for visudo is now a colon-separated list of - allowable editors. If the user has $EDITOR set and it matches one - of the allowed editors that editor will be used. If not, the first + allowable editors. If the user has $EDITOR set and it matches one of + the allowed editors that editor will be used. If not, the first editor in the list that actually exists is used. [cc86eb9f5440] @@ -26372,10 +28389,10 @@ [055fa61a7c61] * INSTALL, defaults.c, defaults.h, sudo.c, sudo.h, sudoers.pod: - Add 'shell_noargs' runtime option back in. We have to defer - checking until after the sudoers file has been parsed but since - there are now other options that operate that way this one can too. - Based on a patch from bguillory@email.com. + Add 'shell_noargs' runtime option back in. We have to defer checking + until after the sudoers file has been parsed but since there are now + other options that operate that way this one can too. Based on a + patch from bguillory@email.com. [231db7a007a6] * defaults.c, defaults.h, parse.c, sudo.c, sudo.h: @@ -26500,9 +28517,9 @@ * CHANGES, parse.yacc, sudo.tab.c: fix parsing of runas lists: o oprunasuser and runaslist now return a value o in a runasspec, if a runaslist does not return TRUE, set - runas_matches to FALSE. Normally, a runaslist only returns FALSE - for explicitly denied users. o since runaslist does not modify the - stack there is no need for a push/pop in runasalias. + runas_matches to FALSE. Normally, a runaslist only returns FALSE for + explicitly denied users. o since runaslist does not modify the stack + there is no need for a push/pop in runasalias. [82b305b34a8c] * check.c, sudo.c: @@ -26527,10 +28544,9 @@ o Kill shell_noargs option, it cannot work since the command needs to be set before sudoers is parsed. o Fix the "set_home" sudoers option (only worked at compile time). o Fix "fqdn" sudoers option. - We now set host/shost via set_fqdn which gets called when the - "fqdn" option is set in sudoers. o Move the openlog() to - store_syslogfac() so this gets overridden correctly from the - sudoers file. + We now set host/shost via set_fqdn which gets called when the "fqdn" + option is set in sudoers. o Move the openlog() to store_syslogfac() + so this gets overridden correctly from the sudoers file. [3dca861f0f5d] * auth/securid.c: @@ -26661,8 +28677,8 @@ * lex.yy.c, parse.lex: Don't need YY_FLUSH_BUFFER after all Move yyrestart() into visudo.c - since it might not get called in yywrap if we get a parse error - (and we only reread the file on error anyway). + since it might not get called in yywrap if we get a parse error (and + we only reread the file on error anyway). [37f4b449e28e] * lex.yy.c, parse.lex: @@ -26745,10 +28761,10 @@ [e3ed0c1f312b] * logging.h: - Fix compilation problem when --with-logging=file was specified. - This means that syslog is now required to build sudo but that should - not be a problem. If it is it can be fixed trivially with a - configure check for syslog() or syslog.h. + Fix compilation problem when --with-logging=file was specified. This + means that syslog is now required to build sudo but that should not + be a problem. If it is it can be fixed trivially with a configure + check for syslog() or syslog.h. [839a4b069190] * tgetpass.c: @@ -26770,9 +28786,9 @@ 1999-10-16 Todd C. Miller * defaults.c: - Error out if syslog parameters are given without a value. For - Ultrix or 4.2BSD "syslog" is allowed without a value since there are - no facilities in the 4.2BSD syslog. + Error out if syslog parameters are given without a value. For Ultrix + or 4.2BSD "syslog" is allowed without a value since there are no + facilities in the 4.2BSD syslog. [69e7a686f5f0] 1999-10-15 Todd C. Miller @@ -26878,8 +28894,8 @@ getspwuid.c, logging.c, parse.yacc, sudo.c, sudo.tab.c: o Change defaults stuff to put the value right in the struct. o Implement mailer_flags o Store syslog stuff both in int and string - form. Setting the string form magically updates the int version. - o Add boolean attribute to strings where it makes sense to say !foo + form. Setting the string form magically updates the int version. o + Add boolean attribute to strings where it makes sense to say !foo [4698953f9a36] * tgetpass.c: @@ -27189,9 +29205,9 @@ * parse.h, parse.yacc, sudo.tab.c, sudo.tab.h: In "sudo -l" mode, the type of the stored (expanded) alias was not - stored with the contents. This could lead to incorrect output if - the sudoers file had different alias types with the same name. - Normal parsing (ie: not in '-l' mode) is unaffected. + stored with the contents. This could lead to incorrect output if the + sudoers file had different alias types with the same name. Normal + parsing (ie: not in '-l' mode) is unaffected. [823fe2bc4b79] 1999-08-23 Todd C. Miller @@ -27373,12 +29389,12 @@ * INSTALL, auth/sudo_auth.c, check.c, config.h.in, configure, configure.in, parse.yacc, sudo.tab.c, testsudoers.c, version.c, visudo.c: - o Add a "pedentic" flag to the parser. This makes sudo warn in - cases where an alias may be used before it is defined. Only turned - on for visudo and testsudoers. o Add --disable-authentication option - that makes sudo not require authentication by default. The PASSWD - tag can be used to require authentication for an entry. We no - longer overload --without-passwd. + o Add a "pedentic" flag to the parser. This makes sudo warn in cases + where an alias may be used before it is defined. Only turned on for + visudo and testsudoers. o Add --disable-authentication option that + makes sudo not require authentication by default. The PASSWD tag can + be used to require authentication for an entry. We no longer + overload --without-passwd. [f307e09adf98] * lex.yy.c, parse.lex: @@ -27444,9 +29460,9 @@ version.c, visudo.c: o Move lock_file() and touch() into fileops.c so visudo can use them o Visudo now locks the sudoers temp file instead of bailing when the - temp file already exists. This fixes the problem of stale temp - files but it does *require* that you not try to put the temp file in - a world-writable directory. This shoud not be an issue as the temp + temp file already exists. This fixes the problem of stale temp files + but it does *require* that you not try to put the temp file in a + world-writable directory. This shoud not be an issue as the temp file should live in the same dir as sudoers. o Visudo now only installs the temp file as sudoers if it changed. [2517cd06c070] @@ -27535,11 +29551,11 @@ o Add '!' correctly when expanding Aliases. o Add shortcut macros for append() to make things more readable. o The separator in append() is now a string instead of a char. o In append(), only - prepend the separator if the last char is not a '!'. This is a - hack but it greatly simplifies '!' handling. o In -l mode, Runas - lists and NOPASSWD/PASSWD tags are now inherited across entries in - a list (matches current behavior). o Fix formatting in -l mode such - that items in a list are separated by a space. Greatlt improves + prepend the separator if the last char is not a '!'. This is a hack + but it greatly simplifies '!' handling. o In -l mode, Runas lists + and NOPASSWD/PASSWD tags are now inherited across entries in a list + (matches current behavior). o Fix formatting in -l mode such that + items in a list are separated by a space. Greatlt improves readability. o Space for name field in struct aliasinfo is now allocated dyanically instead of using a (big) buffer. o In add_alias(), only search the list once (lsearch instead of lfind + @@ -27560,8 +29576,8 @@ set foo_matches in opFOO, not FOO. o Treat 'ALL' as a string since it gets fill()'d in parse.lex--fixes a small memory leak. In the long run it may be better to just fix parse.lex and make ALL back - into a token. However, having it be a string is useful since it - can be easily passed back to the parent rule if we so desire. + into a token. However, having it be a string is useful since it can + be easily passed back to the parent rule if we so desire. [b3c64b443018] * parse.lex: @@ -27823,8 +29839,8 @@ [db48202df1bb] * Makefile.in: - BSD-style copyright. Update to reflect reality wrt new files and - new auth modules. + BSD-style copyright. Update to reflect reality wrt new files and new + auth modules. [61a2ca7940fb] * INSTALL: @@ -27862,9 +29878,9 @@ user, eg. /var/run/sudo/millert/ttyp1. It is not currently possible to mix tty and non-tty based ticket schemes but this may change in the future (it requires sudo to use a directory instead of a file in - the non-tty case). Also, ``sudo -k'' now sets the ticket back to - the epoch and ``sudo -K'' really deletes the file. That way you - don't get the lecture again just because you killed your ticket in + the non-tty case). Also, ``sudo -k'' now sets the ticket back to the + epoch and ``sudo -K'' really deletes the file. That way you don't + get the lecture again just because you killed your ticket in .logout. BSD-style copyright now. [ec3460f85be8] @@ -28117,8 +30133,8 @@ parse.yacc, sudo.c, sudo.tab.c, tgetpass.c: o Replace _PASSWD_LEN braindeath with our own SUDO_MAX_PASS. It turns out the old DES crypt does the right thing with passwords - longert than 8 characters. o Fix common typo (necesary -> - necessary) o Update TODO list + longert than 8 characters. o Fix common typo (necesary -> necessary) + o Update TODO list [ad75007a6f13] 1999-05-03 Todd C. Miller @@ -28429,9 +30445,9 @@ 1999-03-07 Todd C. Miller * CHANGES, lex.yy.c, parse.lex: - Fix a bug wrt quoting characters in command args. Stop processing - an arg when you hit a backslash so the quoted-character detection - can catch it. + Fix a bug wrt quoting characters in command args. Stop processing an + arg when you hit a backslash so the quoted-character detection can + catch it. [2281438d7f41] 1999-02-26 Todd C. Miller @@ -28518,8 +30534,8 @@ * check.c, sudo.h: If the user enters an empty password and really has no password, - accept the empty password they entered. Perviously, they could - enter anything + accept the empty password they entered. Perviously, they could enter + anything *but* an empty password. Also, add GETPASS macro that calls either tgetpass() or getpass() depending on how sudo was configured. Problem noted by jdg@maths.qmw.ac.uk @@ -31558,8 +33574,8 @@ * sudo.h: added support for NO_PASSWD and runas from garp@opustel.com replaced - SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID and added support - fro SUDOERS_MODE + SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID and added support fro + SUDOERS_MODE [cea6f26679b7] * sudo.c: @@ -34204,8 +36220,8 @@ [044023063eca] * aclocal.m4: - OS was being set to unknown before non-uname based host checks. - This caused no checks to happen since $OS was not zero-length. + OS was being set to unknown before non-uname based host checks. This + caused no checks to happen since $OS was not zero-length. [335a7267479d] * sudo.c: @@ -34674,8 +36690,7 @@ [1194d01fa5c5] * visudo.c: - whatnow_help was prototyped to be static be was not declared as - such + whatnow_help was prototyped to be static be was not declared as such [0f85489dd426] * configure.in: @@ -36815,8 +38830,8 @@ [34331c7dee90] * logging.c: - split long log lines. FOr syslog, split into multiple entries, for - a log file, indent the extra for readability + split long log lines. FOr syslog, split into multiple entries, for a + log file, indent the extra for readability [72c9e4cdba6e] 1994-02-27 Todd C. Miller @@ -36838,8 +38853,8 @@ 1994-02-16 Todd C. Miller * sudo.c: - added rmenv() to remove stuff from environ. can now uses execvp() - OR execve() becuase of this. + added rmenv() to remove stuff from environ. can now uses execvp() OR + execve() becuase of this. [e7fc2535bd67] * logging.c: @@ -37137,8 +39152,7 @@ [5c4bf716de21] * check.c, find_path.c, parse.c, sudo.c: - added patches from John_Rouillard directory spec - uses EDITOR + added patches from John_Rouillard directory spec uses EDITOR [f62a435f8c41] 1993-12-02 Todd C. Miller