author | Todd C. Miller <millert@cvs.openbsd.org> | 2007-08-15 14:22:40 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2007-08-15 14:22:40 +0000 |
commit | cde03a4a0a3c7469d5d22de04feafcb05d2c595a (patch) | |
tree | 54c1bdae9a87f253701afc1f8a09ad18a763e81f | |
parent | ac1b0750f2de5bcab580a9e40849e3b7599ef5de (diff) |
Update to sudo 1.6.9p4. Basically IPv6 support and improved man pages.
-rw-r--r-- | usr.bin/sudo/CHANGES | 8 | ||||
-rw-r--r-- | usr.bin/sudo/Makefile.in | 4 | ||||
-rw-r--r-- | usr.bin/sudo/aclocal.m4 | 2 | ||||
-rw-r--r-- | usr.bin/sudo/config.h | 3 | ||||
-rw-r--r-- | usr.bin/sudo/config.h.in | 3 | ||||
-rw-r--r-- | usr.bin/sudo/configure | 9 | ||||
-rw-r--r-- | usr.bin/sudo/configure.in | 8 | ||||
-rw-r--r-- | usr.bin/sudo/interfaces.c | 62 | ||||
-rw-r--r-- | usr.bin/sudo/interfaces.h | 17 | ||||
-rw-r--r-- | usr.bin/sudo/logging.c | 6 | ||||
-rw-r--r-- | usr.bin/sudo/parse.c | 154 | ||||
-rw-r--r-- | usr.bin/sudo/parse.lex | 17 | ||||
-rw-r--r-- | usr.bin/sudo/parse.yacc | 4 | ||||
-rw-r--r-- | usr.bin/sudo/sudo.c | 27 | ||||
-rw-r--r-- | usr.bin/sudo/sudo.pod | 95 | ||||
-rw-r--r-- | usr.bin/sudo/sudoers.pod | 31 | ||||
-rw-r--r-- | usr.bin/sudo/version.h | 4 | ||||
-rw-r--r-- | usr.bin/sudo/visudo.pod | 19 |
18 files changed, 355 insertions, 118 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES index 5cd99b7af75..99f2fabd32d 100644 --- a/usr.bin/sudo/CHANGES +++ b/usr.bin/sudo/CHANGES @@ -1943,3 +1943,11 @@ Sudo 1.6.9p2 released. in 1.6.9. Sudo 1.6.9p3 released. + +614) Added IPv6 support from YOSHIFUJI Hideaki. + +615) Fixed sudo_noexec installation path. + +616) Fixed a K&R compilation error. + +Sudo 1.6.9p4 released. diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in index fd756c1db98..ed48fe54316 100644 --- a/usr.bin/sudo/Makefile.in +++ b/usr.bin/sudo/Makefile.in @@ -20,7 +20,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246.2.10 2007/07/26 14:05:55 millert Exp $ +# $Sudo: Makefile.in,v 1.246.2.13 2007/08/15 14:16:57 millert Exp $ # #### Start of system configuration section. #### @@ -130,7 +130,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.9p3 +VERSION = 1.6.9p4 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP TODO \ diff --git a/usr.bin/sudo/aclocal.m4 b/usr.bin/sudo/aclocal.m4 index c676d26fbc6..6dc85f662e5 100644 --- a/usr.bin/sudo/aclocal.m4 +++ b/usr.bin/sudo/aclocal.m4 @@ -229,7 +229,7 @@ dnl check for isblank(3) dnl AC_DEFUN([SUDO_FUNC_ISBLANK], [AC_CACHE_CHECK([for isblank], sudo_cv_func_isblank, - [AC_TRY_LINK([#include <ctype.h>], [(void)isblank(1);], + [AC_TRY_LINK([#include <ctype.h>], [return (isblank('a'));], sudo_cv_func_isblank=yes, sudo_cv_func_isblank=no)]) ] [ if test "$sudo_cv_func_isblank" = "yes"; then diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h index c4779916c0c..3e2719fc3de 100644 --- a/usr.bin/sudo/config.h +++ b/usr.bin/sudo/config.h @@ -1,4 +1,4 @@ -/* $OpenBSD: config.h,v 1.4 2007/07/26 16:10:15 millert Exp $ */ +/* $OpenBSD: config.h,v 1.5 2007/08/15 14:22:39 millert Exp $ */ #ifndef _SUDO_CONFIG_H #define _SUDO_CONFIG_H 
@@ -20,6 +20,7 @@ #define HAVE_FSTAT 1 #define HAVE_FUTIMES 1 #define HAVE_GETCWD 1 +#define HAVE_GETADDRINFO 1 #define HAVE_GETDOMAINNAME 1 #define HAVE_GETGROUPS 1 #define HAVE_GETIFADDRS 1 diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in index ad56a8e6205..765f6c53733 100644 --- a/usr.bin/sudo/config.h.in +++ b/usr.bin/sudo/config.h.in @@ -124,6 +124,9 @@ /* Define to 1 if you use the FWTK authsrv daemon. */ #undef HAVE_FWTK +/* Define to 1 if you have the `getaddrinfo' function. */ +#undef HAVE_GETADDRINFO + /* Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x shadow passwords) */ #undef HAVE_GETAUTHUID diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure index 19d838eb7e7..d98b953cf91 100644 --- a/usr.bin/sudo/configure +++ b/usr.bin/sudo/configure @@ -10386,7 +10386,7 @@ CC="$lt_save_CC" if test "$enable_shared" = "no"; then with_noexec=no else - eval _shrext="$shrext" + eval _shrext="$shrext_cmds" fi echo "$as_me:$LINENO: checking path to sudo_noexec.so" >&5 echo $ECHO_N "checking path to sudo_noexec.so... $ECHO_C" >&6 @@ -14232,9 +14232,10 @@ esac + for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \ strftime setrlimit initgroups getgroups fstat gettimeofday \ - setlocale + setlocale getaddrinfo do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -16175,7 +16176,7 @@ cat >>conftest.$ac_ext <<_ACEOF int main () { -(void)isblank(1); +return (isblank('a')); ; return 0; } @@ -17167,7 +17168,7 @@ cat >>conftest.$ac_ext <<_ACEOF int main () { -DIR d; (void)&d.dd_fd; +DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd); ; return 0; } diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in index ebf95e31058..59db870f941 100644 --- a/usr.bin/sudo/configure.in +++ b/usr.bin/sudo/configure.in 
@@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.15 2007/07/22 22:43:50 millert Exp $ +dnl $Sudo: configure.in,v 1.413.2.18 2007/08/15 13:48:51 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com> dnl @@ -1147,7 +1147,7 @@ dnl if test "$enable_shared" = "no"; then with_noexec=no else - eval _shrext="$shrext" + eval _shrext="$shrext_cmds" fi AC_MSG_CHECKING(path to sudo_noexec.so) AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sudo_noexec.so], @@ -1666,7 +1666,7 @@ dnl Function checks dnl AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ strftime setrlimit initgroups getgroups fstat gettimeofday \ - setlocale) + setlocale getaddrinfo) if test -z "$SKIP_SETRESUID"; then AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes]) fi @@ -1720,7 +1720,7 @@ dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR. dnl AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h> #include <$ac_header_dirent>]], [[DIR d; (void)dirfd(&d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h> -#include <$ac_header_dirent>], [DIR d; (void)&d.dd_fd;], [AC_DEFINE(HAVE_DD_FD)])]) +#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])]) dnl dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf) diff --git a/usr.bin/sudo/interfaces.c b/usr.bin/sudo/interfaces.c index b4b72458796..b3dc14e9145 100644 --- a/usr.bin/sudo/interfaces.c +++ b/usr.bin/sudo/interfaces.c @@ -89,7 +89,7 @@ struct rtentry; #include "interfaces.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.72.2.4 2007/06/14 16:24:09 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.72.2.6 2007/08/14 15:19:25 millert Exp $"; #endif /* lint */ 
@@ -103,8 +103,10 @@ void
 load_interfaces()
 {
 struct ifaddrs *ifa, *ifaddrs;
- /* XXX - sockaddr_in6 sin6; */
 struct sockaddr_in *sin;
+#ifdef AF_INET6
+ struct sockaddr_in6 *sin6;
+#endif
 int i;
 if (getifaddrs(&ifaddrs))
@@ -118,8 +120,10 @@ load_interfaces()
 continue;
 switch(ifa->ifa_addr->sa_family) {
- /* XXX - AF_INET6 */
 case AF_INET:
+#ifdef AF_INET6
+ case AF_INET6:
+#endif
 num_interfaces++;
 break;
 }
@@ -137,7 +141,6 @@ load_interfaces()
 continue;
 switch(ifa->ifa_addr->sa_family) {
- /* XXX - AF_INET6 */
 case AF_INET:
 sin = (struct sockaddr_in *)ifa->ifa_addr;
 memcpy(&interfaces[i].addr, &sin->sin_addr,
@@ -145,8 +148,21 @@ load_interfaces()
 sin = (struct sockaddr_in *)ifa->ifa_netmask;
 memcpy(&interfaces[i].netmask, &sin->sin_addr,
 sizeof(struct in_addr));
+ interfaces[i].family = AF_INET;
 i++;
 break;
+#ifdef AF_INET6
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
+ memcpy(&interfaces[i].addr, &sin6->sin6_addr,
+ sizeof(struct in6_addr));
+ sin6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
+ memcpy(&interfaces[i].netmask, &sin6->sin6_addr,
+ sizeof(struct in6_addr));
+ interfaces[i].family = AF_INET6;
+ i++;
+ break;
+#endif /* AF_INET6 */
 }
 }
 #ifdef HAVE_FREEIFADDRS
@@ -245,7 +261,7 @@ load_interfaces()
 continue;
 sin = (struct sockaddr_in *) &ifr->ifr_addr;
- interfaces[num_interfaces].addr.s_addr = sin->sin_addr.s_addr;
+ interfaces[num_interfaces].addr.ip4.s_addr = sin->sin_addr.s_addr;
 /* Stash the name of the interface we saved. */
 previfname = ifr->ifr_name;
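Review bot: The new `case AF_INET6:` in the fill loop records every IPv6 address of an interface that passed the filter, which includes link-local `fe80::/10` addresses unless the `continue` test above the hunk (outside it) excludes them; a sudoers Host entry that covers that prefix would then match on every IPv6-capable host, which sudoers authors are unlikely to expect. If that is the intended policy, say so at the case: `/* Link-local addresses are recorded too; a sudoers network spec covering fe80::/10 matches every host. */`. The `switch` statements in both loops have no `default:`; unknown families are skipped on purpose, so a `default: break;` would make that explicit. load_interfaces begins before and ends after these hunks.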
@@ -262,20 +278,21 @@ load_interfaces()
 #endif /* _ISC */
 sin = (struct sockaddr_in *) &ifr_tmp.ifr_addr;
- interfaces[num_interfaces].netmask.s_addr = sin->sin_addr.s_addr;
+ interfaces[num_interfaces].netmask.ip4.s_addr = sin->sin_addr.s_addr;
 } else {
 #else
 {
 #endif /* SIOCGIFNETMASK */
- if (IN_CLASSC(interfaces[num_interfaces].addr.s_addr))
- interfaces[num_interfaces].netmask.s_addr = htonl(IN_CLASSC_NET);
- else if (IN_CLASSB(interfaces[num_interfaces].addr.s_addr))
- interfaces[num_interfaces].netmask.s_addr = htonl(IN_CLASSB_NET);
+ if (IN_CLASSC(interfaces[num_interfaces].addr.ip4.s_addr))
+ interfaces[num_interfaces].netmask.ip4.s_addr = htonl(IN_CLASSC_NET);
+ else if (IN_CLASSB(interfaces[num_interfaces].addr.ip4.s_addr))
+ interfaces[num_interfaces].netmask.ip4.s_addr = htonl(IN_CLASSB_NET);
 else
- interfaces[num_interfaces].netmask.s_addr = htonl(IN_CLASSA_NET);
+ interfaces[num_interfaces].netmask.ip4.s_addr = htonl(IN_CLASSA_NET);
 }
 /* Only now can we be sure it was a good/interesting interface. */
+ interfaces[num_interfaces].family = AF_INET;
 num_interfaces++;
 }
@@ -308,9 +325,26 @@ void
 dump_interfaces()
 {
 int i;
+#ifdef AF_INET6
+ char addrbuf[INET6_ADDRSTRLEN], maskbuf[INET6_ADDRSTRLEN];
+#endif
 puts("Local IP address and netmask pairs:");
- for (i = 0; i < num_interfaces; i++)
- printf("\t%s / 0x%x\n", inet_ntoa(interfaces[i].addr),
- (unsigned int)ntohl(interfaces[i].netmask.s_addr));
+ for (i = 0; i < num_interfaces; i++) {
+ switch(interfaces[i].family) {
+ case AF_INET:
+ printf("\t%s / ", inet_ntoa(interfaces[i].addr.ip4));
+ puts(inet_ntoa(interfaces[i].netmask.ip4));
+ break;
+#ifdef AF_INET6
+ case AF_INET6:
+ inet_ntop(AF_INET6, &interfaces[i].addr.ip6,
+ addrbuf, sizeof(addrbuf));
+ inet_ntop(AF_INET6, &interfaces[i].netmask.ip6,
+ maskbuf, sizeof(maskbuf));
+ printf("\t%s / %s\n", addrbuf, maskbuf);
+ break;
+#endif /* AF_INET6 */
+ }
+ }
 }
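Review bot: The SIOCGIFCONF fallback path only ever stores `family = AF_INET`, so on a build without getifaddrs() no IPv6 interface is recorded and an IPv6 Host entry in sudoers silently never matches there; that platform difference belongs next to the assignment, e.g. `/* ioctl path enumerates IPv4 only; IPv6 sudoers entries cannot match on such builds. */`. In dump_interfaces the two `inet_ntop` return values are ignored, so if either fails the uninitialized `addrbuf`/`maskbuf` is printed; testing for NULL and printing a fixed placeholder is one extra line per call. load_interfaces starts well before its hunk.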
diff --git a/usr.bin/sudo/interfaces.h b/usr.bin/sudo/interfaces.h
index 1b82df5e8db..de4af008f84 100644
--- a/usr.bin/sudo/interfaces.h
+++ b/usr.bin/sudo/interfaces.h
@@ -17,7 +17,7 @@
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 *
- * $Sudo: interfaces.h,v 1.8.2.1 2007/06/12 01:28:41 millert Exp $
+ * $Sudo: interfaces.h,v 1.8.2.2 2007/08/13 16:30:02 millert Exp $
 */
 #ifndef _SUDO_INTERFACES_H
@@ -27,8 +27,19 @@
 * IP address and netmask pairs for checking against local interfaces.
 */
 struct interface {
- struct in_addr addr;
- struct in_addr netmask;
+ int family; /* AF_INET or AF_INET6 */
+ union {
+ struct in_addr ip4;
+#ifdef AF_INET6
+ struct in6_addr ip6;
+#endif
+ } addr;
+ union {
+ struct in_addr ip4;
+#ifdef AF_INET6
+ struct in6_addr ip6;
+#endif
+ } netmask;
 };
 /*
diff --git a/usr.bin/sudo/logging.c b/usr.bin/sudo/logging.c
index b8073097231..f6f5b14ee3d 100644
--- a/usr.bin/sudo/logging.c
+++ b/usr.bin/sudo/logging.c
@@ -60,7 +60,7 @@
 #include "sudo.h"
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.11 2007/07/24 15:52:37 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.12 2007/08/08 20:07:45 millert Exp $";
 #endif /* lint */
 static void do_syslog __P((int, char *));
@@ -135,8 +135,8 @@ do_syslog(pri, msg)
 size_t len, maxlen;
 char *p, *tmp, save;
 const char *fmt;
- const char fmt_first[] = "%8s : %s";
- const char fmt_contd[] = "%8s : (command continued) %s";
+ const char *fmt_first = "%8s : %s";
+ const char *fmt_contd = "%8s : (command continued) %s";
 /*
 * Log the full line, breaking into multiple syslog(3) calls if necessary
diff --git a/usr.bin/sudo/parse.c b/usr.bin/sudo/parse.c
index 243a463c0a0..5abf5f4ffe7 100644
--- a/usr.bin/sudo/parse.c
+++ b/usr.bin/sudo/parse.c
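Review bot: The `#ifdef AF_INET6` inside `struct interface` makes the size and layout of the struct depend on which system headers a translation unit included before `interfaces.h`; a file that picks the header up without `<sys/socket.h>` sees a struct with no `ip6` member and a smaller size, and then walks the shared `interfaces[]` array with the wrong stride (this commit adds `#include <sys/socket.h>` to parse.c, presumably for exactly that reason). Either include `<sys/socket.h>` and `<netinet/in.h>` from `interfaces.h` itself, or state the requirement above the struct: `/* <sys/socket.h> and <netinet/in.h> must be included before this header; the layout depends on AF_INET6. */`. A note at `family` that it selects which member of the `addr` and `netmask` unions is valid would also help readers of parse.c.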
@@ -25,6 +25,7 @@
 #include <sys/types.h>
 #include <sys/param.h>
+#include <sys/socket.h>
 #include <sys/stat.h>
 #include <stdio.h>
 #ifdef STDC_HEADERS
@@ -89,7 +90,7 @@
 #endif /* HAVE_EXTENDED_GLOB */
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.11 2007/08/02 02:09:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.12 2007/08/13 16:30:02 millert Exp $";
 #endif /* lint */
 /*
@@ -382,22 +383,85 @@ command_matches(sudoers_cmnd, sudoers_args)
 }
 }
-/*
- * Returns TRUE if "n" is one of our ip addresses or if
- * "n" is a network that we are on, else returns FALSE.
- */
-int
-addr_matches(n)
+static int
+addr_matches_if(n)
 char *n;
 {
 int i;
+ struct in_addr addr;
+ struct interface *ifp;
+#ifdef AF_INET6
+ struct in6_addr addr6;
+ int j;
+#endif
+ int family = AF_UNSPEC;
+
+#ifdef AF_INET6
+ if (inet_pton(AF_INET6, n, &addr6) > 0) {
+ family = AF_INET6;
+ } else
+#else
+ {
+ family = AF_INET;
+ addr.s_addr = inet_addr(n);
+ }
+#endif
+
+ for (i = 0; i < num_interfaces; i++) {
+ ifp = &interfaces[i];
+ if (ifp->family != family)
+ continue;
+ switch(family) {
+ case AF_INET:
+ if (ifp->addr.ip4.s_addr == addr.s_addr ||
+ (ifp->addr.ip4.s_addr & ifp->netmask.ip4.s_addr)
+ == addr.s_addr)
+ return(TRUE);
+ break;
+#ifdef AF_INET6
+ case AF_INET6:
+ if (memcmp(ifp->addr.ip6.s6_addr, addr6.s6_addr,
+ sizeof(addr6.s6_addr)) == 0)
+ return(TRUE);
+ for (j = 0; j < sizeof(addr6.s6_addr); j++) {
+ if ((ifp->addr.ip6.s6_addr[j] & ifp->netmask.ip6.s6_addr[j]) != addr6.s6_addr[j])
+ break;
+ }
+ if (j == sizeof(addr6.s6_addr))
+ return(TRUE);
+#endif /* AF_INET6 */
+ }
+ }
+
+ return(FALSE);
+}
+
+static int
+addr_matches_if_netmask(n, m)
+ char *n;
 char *m;
+{
+ int i;
 struct in_addr addr, mask;
+ struct interface *ifp;
+#ifdef AF_INET6
+ struct in6_addr addr6, mask6;
+ int j;
+#endif
+ int family = AF_UNSPEC;
- /* If there's an explicit netmask, use it. */
- if ((m = strchr(n, '/'))) {
- *m++ = '\0';
+#ifdef AF_INET6
+ if (inet_pton(AF_INET6, n, &addr6) > 0)
+ family = AF_INET6;
+ else
+#else
+ {
+ family = AF_INET;
 addr.s_addr = inet_addr(n);
+ }
+#endif
+
+ if (family == AF_INET) {
 if (strchr(m, '.'))
 mask.s_addr = inet_addr(m);
 else {
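Review bot: In `addr_matches_if` the preprocessor block after `inet_pton` is wrong on a build where AF_INET6 is defined: because the IPv4 block `{ family = AF_INET; addr.s_addr = inet_addr(n); }` sits under `#else`, it is compiled only on non-IPv6 builds, and on an IPv6 build the dangling `} else` attaches to the following `for` loop, so an IPv6 argument skips the loop entirely and an IPv4 argument runs it with `family == AF_UNSPEC`, meaning no host ever matches either way. `addr_matches_if_netmask`, later in this hunk, has the same `#else`; there the dangling `else` swallows the `if (family == AF_INET)` chain, so IPv4 network entries never match and IPv6 ones reach the match loop with `mask6` never computed. Both `#else` lines should be `#endif` so the IPv4 fallback block is always compiled: `    } else` / `#endif` / `    {`, identically in both functions. addr_matches_if_netmask continues past the end of the hunk.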
@@ -407,25 +471,69 @@ addr_matches(n)
 mask.s_addr <<= i;
 mask.s_addr = htonl(mask.s_addr);
 }
- *(m - 1) = '/';
-
- for (i = 0; i < num_interfaces; i++)
- if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
- return(TRUE);
- } else {
- addr.s_addr = inet_addr(n);
-
- for (i = 0; i < num_interfaces; i++)
- if (interfaces[i].addr.s_addr == addr.s_addr ||
- (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
- == addr.s_addr)
- return(TRUE);
+ }
+#ifdef AF_INET6
+ else {
+ if (inet_pton(AF_INET6, m, &mask6) <= 0) {
+ j = atoi(m);
+ for (i = 0; i < 16; i++) {
+ if (j < i * 8)
+ mask6.s6_addr[i] = 0;
+ else if (i * 8 + 8 <= j)
+ mask6.s6_addr[i] = 0xff;
+ else
+ mask6.s6_addr[i] = 0xff00 >> (j - i * 8);
+ }
+ }
+ }
+#endif /* AF_INET6 */
+
+ for (i = 0; i < num_interfaces; i++) {
+ ifp = &interfaces[i];
+ if (ifp->family != family)
+ continue;
+ switch(family) {
+ case AF_INET:
+ if ((ifp->addr.ip4.s_addr & mask.s_addr) == addr.s_addr)
+ return(TRUE);
+#ifdef AF_INET6
+ case AF_INET6:
+ for (j = 0; j < sizeof(addr6.s6_addr); j++) {
+ if ((ifp->addr.ip6.s6_addr[j] & mask6.s6_addr[j]) != addr6.s6_addr[j])
+ break;
+ }
+ if (j == sizeof(addr6.s6_addr))
+ return(TRUE);
+#endif /* AF_INET6 */
+ }
 }
 return(FALSE);
 }
 /*
+ * Returns TRUE if "n" is one of our ip addresses or if
+ * "n" is a network that we are on, else returns FALSE.
+ */
+int
+addr_matches(n)
+ char *n;
+{
+ char *m;
+ int retval;
+
+ /* If there's an explicit netmask, use it. */
+ if ((m = strchr(n, '/'))) {
+ *m++ = '\0';
+ retval = addr_matches_if_netmask(n, m);
+ *(m - 1) = '/';
+ } else
+ retval = addr_matches_if(n);
+
+ return(retval);
+}
+
+/*
 * Returns 0 if the hostname matches the pattern and non-zero otherwise.
 */
 int
diff --git a/usr.bin/sudo/parse.lex b/usr.bin/sudo/parse.lex
index a77c03800fb..1b47711c837 100644
--- a/usr.bin/sudo/parse.lex
+++ b/usr.bin/sudo/parse.lex
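Review bot: The `case AF_INET:` arm of the match loop in `addr_matches_if_netmask` has no `break;` after its `return(TRUE);`, so whenever the IPv4 comparison fails control falls into `case AF_INET6:` and compares the interface's `ip6` union bytes against `addr6` and `mask6`, which were never set for an IPv4 entry; that is undefined behaviour and can produce a spurious match, i.e. a host rule applying where it should not. Add `break;` after the `return(TRUE);` of the AF_INET arm. The prefix-length conversion `j = atoi(m)` is not range-checked here and relies on the lexer's 0–128 bound, and the `0xff00 >> (j - i * 8)` store works only because assignment to `s6_addr[i]` truncates to the low byte; both deserve a one-line comment. addr_matches_if_netmask starts outside this hunk.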
@@ -55,7 +55,7 @@
 #include <sudo.tab.h>
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.3 2007/06/23 21:36:48 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.4 2007/08/13 16:30:02 millert Exp $";
 #endif /* lint */
 #undef yywrap /* guard against a yywrap macro */
@@ -83,8 +83,11 @@ extern void yyerror __P((char *));
 #endif
 %}
+HEXDIGIT [0-9A-Fa-f]{1,4}
 OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
 DOTTEDQUAD {OCTET}(\.{OCTET}){3}
+IPV6ADDR \:\:|({HEXDIGIT}\:){7}{HEXDIGIT}|({HEXDIGIT}\:){5}{HEXDIGIT}\:{DOTTEDQUAD}|({HEXDIGIT}\:){1,7}\:|({HEXDIGIT}\:){1,6}(\:{HEXDIGIT}){1}|({HEXDIGIT}\:){1,5}(\:{HEXDIGIT}){2}|({HEXDIGIT}\:){1,2}\:{DOTTEDQUAD}|({HEXDIGIT}\:){1,4}(\:{HEXDIGIT}){3}|({HEXDIGIT}\:){1,4}(\:{HEXDIGIT}){1}\:{DOTTEDQUAD}|({HEXDIGIT}\:){1,3}(\:{HEXDIGIT}){4}|({HEXDIGIT}\:){1,3}(\:{HEXDIGIT}){2}\:{DOTTEDQUAD}|({HEXDIGIT}\:){1,2}(\:{HEXDIGIT}){5}|({HEXDIGIT}\:){1,2}(\:{HEXDIGIT}){3}\:{DOTTEDQUAD}|({HEXDIGIT}\:){1}(\:{HEXDIGIT}){6}|({HEXDIGIT}\:){1}(\:{HEXDIGIT}){4}\:{DOTTEDQUAD}|\:(\:{HEXDIGIT}){1,7}|\:(\:{HEXDIGIT}){1,5}\:{DOTTEDQUAD}
+
 HOSTNAME [[:alnum:]_-]+
 WORD ([^#>@!=:,\(\) \t\n\\]|\\[^\n])+
 ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])*
@@ -265,6 +268,18 @@ NOSETENV[[:blank:]]*: {
 return(NTWKADDR);
 }
+{IPV6ADDR}(\/{IPV6ADDR})? {
+ fill(yytext, yyleng);
+ LEXTRACE("NTWKADDR ");
+ return(NTWKADDR);
+ }
+
+{IPV6ADDR}\/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]) {
+ fill(yytext, yyleng);
+ LEXTRACE("NTWKADDR ");
+ return(NTWKADDR);
+ }
+
 <INITIAL>\( {
 BEGIN GOTRUNAS;
 LEXTRACE("RUNAS ");
diff --git a/usr.bin/sudo/parse.yacc b/usr.bin/sudo/parse.yacc
index 5cbe0fa3bd3..a759212640d 100644
--- a/usr.bin/sudo/parse.yacc
+++ b/usr.bin/sudo/parse.yacc
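Review bot: `HEXDIGIT [0-9A-Fa-f]{1,4}` names a one-to-four digit group rather than a digit, and the `IPV6ADDR` alternation built on it is a single very long line with nothing saying which textual forms it accepts; a comment above it listing the cases (eight full groups, `::` compression at each position, the embedded dotted-quad forms) and noting that `::` alone and `::/0` are accepted as network addresses would make later edits and sudoers audits far easier, and renaming the definition to something like `HEX16` would stop readers taking it for a single digit. The second new rule is also the only place on this page that bounds an IPv6 prefix length to 0–128, which parse.c's `atoi(m)` relies on; that is worth stating in the same comment.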
@@ -72,7 +72,7 @@
 #endif /* HAVE_LSEARCH */
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.5 2007/07/09 21:53:01 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.6 2007/08/13 16:30:02 millert Exp $";
 #endif /* lint */
 /*
@@ -232,7 +232,7 @@ yyerror(s)
 %token <command> COMMAND /* absolute pathname w/ optional args */
 %token <string> ALIAS /* an UPPERCASE alias name */
 %token <string> DEFVAR /* a Defaults variable name */
-%token <string> NTWKADDR /* w.x.y.z */
+%token <string> NTWKADDR /* w.x.y.z or ipv6 address */
 %token <string> NETGROUP /* a netgroup (+NAME) */
 %token <string> USERGROUP /* a usergroup (%NAME) */
 %token <string> WORD /* a word */
diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c
index 3bd7280f99a..44a5e3a68f3 100644
--- a/usr.bin/sudo/sudo.c
+++ b/usr.bin/sudo/sudo.c
@@ -102,7 +102,7 @@
 #include "version.h"
 #ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.26 2007/07/22 19:21:01 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.29 2007/08/15 13:48:56 millert Exp $";
 #endif /* lint */
 /*
@@ -596,7 +596,7 @@ init_vars(sudo_mode, envp)
 #ifdef HAVE_GETGROUPS
 if ((user_ngroups = getgroups(0, NULL)) > 0) {
- user_groups = emalloc2(user_ngroups, sizeof(gid_t));
+ user_groups = emalloc2(user_ngroups, MAX(sizeof(gid_t), sizeof(int)));
 if (getgroups(user_ngroups, user_groups) < 0)
 log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
 } else
@@ -914,7 +914,6 @@ check_sudoers()
 {
 struct stat statbuf;
 int rootstat, i;
- char c;
 /*
 * Fix the mode and group on sudoers file from old default.
@@ -966,7 +965,9 @@ check_sudoers()
 for (i = 0; i < 10 ; i++) {
 errno = 0;
 if ((sudoers_fp = fopen(_PATH_SUDOERS, "r")) == NULL ||
- fread(&c, sizeof(c), 1, sudoers_fp) != 1) {
+ fgetc(sudoers_fp) == EOF) {
+ if (sudoers_fp != NULL)
+ fclose(sudoers_fp);
 sudoers_fp = NULL;
 if (errno != EAGAIN && errno != EWOULDBLOCK)
 break;
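Review bot: In the check_sudoers retry loop the new `fclose(sudoers_fp)` runs between the failed `fgetc` and the `errno != EAGAIN` test, so a failing fclose can overwrite the errno the loop is about to inspect and turn a transient EAGAIN into a hard break (or the reverse); save it around the close, `serrno = errno;` before the `if (sudoers_fp != NULL)` and `errno = serrno;` after the fclose, with `int serrno;` declared at the top of check_sudoers (outside the hunk). In init_vars, `MAX(sizeof(gid_t), sizeof(int))` needs a why-comment because nothing on the page explains it, e.g. `/* NOTE(review): over-allocate so a getgroups() that stores int-sized entries cannot overrun a smaller gid_t array — confirm which platforms need this. */`. check_sudoers begins before and ends after its hunks.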
@@ -1134,17 +1135,33 @@ set_project(pw) void set_fqdn() { +#ifdef HAVE_GETADDRINFO + struct addrinfo *res0, hint; +#else struct hostent *hp; +#endif char *p; +#ifdef HAVE_GETADDRINFO + memset(&hint, 0, sizeof(hint)); + hint.ai_family = PF_UNSPEC; + hint.ai_flags = AI_CANONNAME; + if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) { +#else if (!(hp = gethostbyname(user_host))) { +#endif log_error(MSG_ONLY|NO_EXIT, - "unable to lookup %s via gethostbyname()", user_host); + "unable to resolve host %s", user_host); } else { if (user_shost != user_host) efree(user_shost); efree(user_host); +#ifdef HAVE_GETADDRINFO + user_host = estrdup(res0->ai_canonname); + freeaddrinfo(res0); +#else user_host = estrdup(hp->h_name); +#endif } if ((p = strchr(user_host, '.'))) { *p = '\0'; diff --git a/usr.bin/sudo/sudo.pod b/usr.bin/sudo/sudo.pod index 665031a9b89..694ae3627f0 100644 --- a/usr.bin/sudo/sudo.pod +++ b/usr.bin/sudo/sudo.pod @@ -1,5 +1,6 @@ =cut -Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com> +Copyright (c) 1994-1996, 1998-2005, 2007 + Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above @@ -18,7 +19,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.70.2.15 2007/07/29 23:09:47 millert Exp $ +$Sudo: sudo.pod,v 1.70.2.18 2007/08/13 16:23:31 millert Exp $ =pod =head1 NAME 
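Review bot: The new getaddrinfo branch passes `res0->ai_canonname` to `estrdup` without a NULL check; getaddrinfo can return 0 and still leave `ai_canonname` NULL, and by then `user_host` has already been freed, so the call reaches `estrdup(NULL)` unless estrdup tolerates it (not visible here). Replace the name only when a canonical one was returned, keeping the original `user_host` otherwise; `user_shost` is presumably recomputed after the hunk, since the original code leaves it freed too. set_fqdn's short-name handling after the `} else {` block is unchanged and the function ends outside the hunk.
```c
	if (user_shost != user_host)
	    efree(user_shost);
#ifdef HAVE_GETADDRINFO
	/* ai_canonname may be NULL even when getaddrinfo() succeeds. */
	if (res0->ai_canonname != NULL) {
	    efree(user_host);
	    user_host = estrdup(res0->ai_canonname);
	}
	freeaddrinfo(res0);
#else
	efree(user_host);
	user_host = estrdup(hp->h_name);
#endif
	/* … unchanged: strchr(user_host, '.') short-host handling … */
```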
@@ -58,7 +59,7 @@ is implied. B<sudo> determines who is an authorized user by consulting the file F<@sysconfdir@/sudoers>. By giving B<sudo> the B<-v> flag, a user -can update the time stamp without running a I<command.> The password +can update the time stamp without running a I<command>. The password prompt itself will also time out if the user's password is not entered within C<@password_timeout@> minutes (unless overridden via I<sudoers>). @@ -94,9 +95,9 @@ B<sudo> accepts the following command line options: The B<-a> (I<authentication type>) option causes B<sudo> to use the specified authentication type when validating the user, as allowed -by C</etc/login.conf>. The system administrator may specify a list +by F</etc/login.conf>. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" -entry in C</etc/login.conf>. This option is only available on systems +entry in F</etc/login.conf>. This option is only available on systems that support BSD authentication. =item -b @@ -119,7 +120,7 @@ root. This option is only available on systems with BSD login classes. =item -E -The B<-E> (I<preserve> environment) option will override the +The B<-E> (I<preserve> I<environment>) option will override the I<env_reset> option in L<sudoers(5)>). It is only available when either the matching command has the C<SETENV> tag or the I<setenv> option is set in L<sudoers(5)>. @@ -132,7 +133,7 @@ of a command, the string "sudoedit" is used when consulting the I<sudoers> file. If the user is authorized by I<sudoers> the following steps are taken: -=over 8 +=over 4 =item 1. 
@@ -213,7 +214,7 @@ forbidden) commands for the invoking user on the current host. =item -P -The B<-P> (I<preserve> group vector) option causes B<sudo> to +The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to preserve the invoking user's group vector unaltered. By default, B<sudo> will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are @@ -225,7 +226,7 @@ The B<-p> (I<prompt>) option allows you to override the default password prompt and use a custom one. The following percent (`C<%>') escapes are supported: -=over 8 +=over 4 =item C<%H> @@ -265,11 +266,13 @@ in L<passwd(5)>. =item -u -The B<-u> (I<user>) option causes B<sudo> to run the specified command -as a user other than I<root>. To specify a I<uid> instead of a -I<username>, use I<#uid>. Note that if the I<targetpw> Defaults -option is set (see L<sudoers(5)>) it is not possible -to run commands with a uid not listed in the password database. +The B<-u> (I<user>) option causes B<sudo> to run the specified +command as a user other than I<root>. To specify a I<uid> instead +of a I<username>, use I<#uid>. When running commands as a I<uid>, +many shells require that the '#' be escaped with a backslash ('\'). +Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>) +it is not possible to run commands with a uid not listed in the +password database. =item -V 
@@ -395,44 +398,66 @@ L<sudoers(5)>. B<sudo> utilizes the following environment variables: - EDITOR Default editor to use in -e (sudoedit) mode if - VISUAL is not set +=over 16 + +=item C<EDITOR> + +Default editor to use in B<-e> (sudoedit) mode if C<VISUAL> is not set + +=item C<HOME> + +In B<-s> or B<-H> mode (or if sudo was configured with the +--enable-shell-sets-home option), set to homedir of the target user + +=item C<PATH> + +Set to a sane value if the I<secure_path> sudoers option is set. + +=item C<SHELL> - HOME In -s or -H mode (or if sudo was configured with - the --enable-shell-sets-home option), set to - homedir of the target user +Used to determine shell to run with C<-s> option - PATH Set to a sane value if sudo was configured with - the --with-secure-path option +=item C<SUDO_PROMPT> - SHELL Used to determine shell to run with -s option +Used as the default password prompt - SUDO_PROMPT Used as the default password prompt +=item C<SUDO_COMMAND> - SUDO_COMMAND Set to the command run by sudo +Set to the command run by sudo - SUDO_USER Set to the login of the user who invoked sudo +=item C<SUDO_USER> - SUDO_UID Set to the uid of the user who invoked sudo +Set to the login of the user who invoked sudo - SUDO_GID Set to the gid of the user who invoked sudo +=item C<SUDO_UID> - SUDO_PS1 If set, PS1 will be set to its value +Set to the uid of the user who invoked sudo - USER Set to the target user (root unless the -u option - is specified) +=item C<SUDO_GID> - VISUAL Default editor to use in -e (sudoedit) mode +Set to the gid of the user who invoked sudo + +=item C<SUDO_PS1> + +If set, C<PS1> will be set to its value + +=item C<USER> + +Set to the target user (root unless the B<-u> option is specified) + +=item C<VISUAL> + +Default editor to use in B<-e> (sudoedit) mode + +=back =head1 FILES =over 4 -=item F<@sysconfdir@/sudoers>C< > -List of who can run what +=item F<@sysconfdir@/sudoers>C< >List of who can run what -=item F<@timedir@>C< > -Directory 
containing timestamps +=item F<@timedir@>C< >Directory containing timestamps =back diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod index 121141bb664..ba8b0ffdc00 100644 --- a/usr.bin/sudo/sudoers.pod +++ b/usr.bin/sudo/sudoers.pod @@ -1,5 +1,6 @@ =cut -Copyright (c) 1994-1996,1998-2005 Todd C. Miller <Todd.Miller@courtesan.com> +Copyright (c) 1994-1996, 1998-2005, 2007 + Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above @@ -18,7 +19,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95.2.16 2007/07/29 23:09:47 millert Exp $ +$Sudo: sudoers.pod,v 1.95.2.19 2007/08/13 16:30:02 millert Exp $ =pod =head1 NAME @@ -52,7 +53,7 @@ operators, which many readers will recognize from regular expressions. Do not, however, confuse them with "wildcard" characters, which have different meanings. -=over 8 +=over 4 =item C<?> @@ -156,8 +157,9 @@ If you do not specify a netmask along with the network number, B<sudo> will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask -may be specified either in dotted quad notation (e.g.E<nbsp>255.255.255.0) -or CIDR notation (number of bits, e.g.E<nbsp>24). A hostname may +may be specified either in standard IP address notation +(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::), +or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may include shell-style wildcards (see the L<Wildcards> section below), but unless the C<hostname> command on your machine returns the fully qualified hostname, you'll need to use the I<fqdn> option for 
@@ -432,7 +434,7 @@ grouped by type, are listed below. B<Flags>: -=over 12 +=over 16 =item always_set_home @@ -686,7 +688,7 @@ the --with-logincap option. This flag is I<off> by default. B<Integers>: -=over 12 +=over 16 =item passwd_tries @@ -697,7 +699,7 @@ B<sudo> logs the failure and exits. The default is C<@passwd_tries@>. B<Integers that can be used in a boolean context>: -=over 12 +=over 16 =item loglinelen @@ -729,7 +731,7 @@ it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>. B<Strings>: -=over 12 +=over 16 =item badpass_message @@ -763,7 +765,7 @@ The default prompt to use when asking for a password; can be overridden via the B<-p> option or the C<SUDO_PROMPT> environment variable. The following percent (`C<%>') escapes are supported: -=over 8 +=over 4 =item C<%H> @@ -953,7 +955,7 @@ The default value is I<all>. B<Lists that can be used in a boolean context>: -=over 12 +=over 16 =item env_check @@ -1061,6 +1063,7 @@ these are a bit contrived. First, we define our I<aliases>: /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less Here we override some of the compiled in default values. We want B<sudo> to log via L<syslog(3)> using the I<auth> facility in all @@ -1070,7 +1073,9 @@ want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment variables when running commands as root. Additionally, on the machines in the I<SERVERS> C<Host_Alias>, we keep an additional local log file and make sure we log the year in each log line since -the log entries will be kept around for several years. +the log entries will be kept around for several years. Lastly, we +disable shell escapes for the commands in the PAGERS C<Cmnd_Alias> +(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>). # Override built-in defaults Defaults syslog=auth 
@@ -1166,7 +1171,7 @@ in the I<SERVERS> C<Host_Alias> (master, mail, www and ns). jill SERVERS = /usr/bin/, !SU, !SHELLS For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run -any commands in the directory /usr/bin/ except for those commands +any commands in the directory F</usr/bin/> except for those commands belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>. steve CSNETS = (operator) /usr/local/op_commands/ diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h index 30b31b7caed..7ad1cf4b44a 100644 --- a/usr.bin/sudo/version.h +++ b/usr.bin/sudo/version.h @@ -17,12 +17,12 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: version.h,v 1.66.2.4 2007/07/26 14:05:55 millert Exp $ + * $Sudo: version.h,v 1.66.2.7 2007/08/15 14:16:58 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.9p3"; +static const char version[] = "1.6.9p4"; #endif /* _SUDO_VERSION_H */ diff --git a/usr.bin/sudo/visudo.pod b/usr.bin/sudo/visudo.pod index d29d718141b..0743b938672 100644 --- a/usr.bin/sudo/visudo.pod +++ b/usr.bin/sudo/visudo.pod @@ -1,5 +1,5 @@ =cut -Copyright (c) 1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com> +Copyright (c) 1996,1998-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above @@ -18,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: visudo.pod,v 1.38.2.8 2007/07/29 23:09:47 millert Exp $ +$Sudo: visudo.pod,v 1.38.2.9 2007/08/13 16:23:31 millert Exp $ =pod =head1 NAME 
@@ -111,8 +111,17 @@ and exit. The following environment variables are used only if B<visudo> was configured with the I<--with-env-editor> option: - VISUAL Invoked by visudo as the editor to use - EDITOR Used by visudo if VISUAL is not set +=over 16 + +=item C<VISUAL> + +Invoked by visudo as the editor to use + +=item C<EDITOR> + +Used by visudo if VISUAL is not set + +=back =head1 FILES @@ -122,7 +131,7 @@ was configured with the I<--with-env-editor> option: =item F<@sysconfdir@/sudoers.tmp>C< >Lock file for visudo -=back 4 +=back =head1 DIAGNOSTICS |