authorTodd C. Miller <millert@cvs.openbsd.org>2005-02-05 23:31:54 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2005-02-05 23:31:54 +0000
commite7fa4316c2bf6f71dd851829824df85eaf17d4bd (patch)
tree5716ab05c054257d3281bd0f953088b16911cf23
parent032e3e55c9462a20c0f9af0c4ba6374225707f3c (diff)
Update to Sudo 1.6.8p7
-rw-r--r--usr.bin/sudo/CHANGES12
-rw-r--r--usr.bin/sudo/LICENSE2
-rw-r--r--usr.bin/sudo/Makefile.in2
-rw-r--r--usr.bin/sudo/TROUBLESHOOTING16
-rw-r--r--usr.bin/sudo/auth/pam.c26
-rw-r--r--usr.bin/sudo/env.c3
-rw-r--r--usr.bin/sudo/sudo.82
-rw-r--r--usr.bin/sudo/sudoers.52
-rw-r--r--usr.bin/sudo/version.h2
-rw-r--r--usr.bin/sudo/visudo.82
10 files changed, 48 insertions, 21 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index d4d5ab765d5..f614f0b4102 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -1764,3 +1764,15 @@ Sudo 1.6.8p4 released.
556) Invalid values for a tuple are now handled correctly.
Sudo 1.6.8p5 released.
+
+557) Added a set of missing braces needed for MacOS X / Darwin.
+
+558) Define LDAP_OPT_SUCCESS for those without it.
+
+Sudo 1.6.8p6 released.
+
+559) Warn if the user tries to use the -u option when not running a command.
+
+560) Better PAM error handling and messages.
+
+Sudo 1.6.8p7 released.
diff --git a/usr.bin/sudo/LICENSE b/usr.bin/sudo/LICENSE
index 8703535ff31..70655fa144f 100644
--- a/usr.bin/sudo/LICENSE
+++ b/usr.bin/sudo/LICENSE
@@ -1,6 +1,6 @@
Sudo is distributed under the following ISC-style license:
- Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ Copyright (c) 1994-1996,1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index b5585b65a94..477ad2b7a8a 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -130,7 +130,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.8p5
+VERSION = 1.6.8p7
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP RUNSON TODO \
diff --git a/usr.bin/sudo/TROUBLESHOOTING b/usr.bin/sudo/TROUBLESHOOTING
index 94a93ccbcd4..3f7dd35a880 100644
--- a/usr.bin/sudo/TROUBLESHOOTING
+++ b/usr.bin/sudo/TROUBLESHOOTING
@@ -25,9 +25,19 @@ A) The operating system you are running probably has broken support for
option and rebuild sudo.
Q) Sudo never gives me a chance to enter a password using PAM, it just
- says 'Sorry, try again.' three times and quits.
-A) You didn't setup PAM to work with sudo. On Linux this generally
- means installing sample.pam as /etc/pam.d/sudo.
+ says 'Sorry, try again.' three times and exits.
+A) You didn't setup PAM to work with sudo. On Redhat Linux or Fedora
+ Core this generally means installing sample.pam as /etc/pam.d/sudo.
+ See the sample.pam file for hints on what to use for other Linux
+ systems.
+
+Q) Sudo says 'Account expired or PAM config lacks an "account"
+ section for sudo, contact your system administrator' and exits
+ but I know my account has not expired.
+A) Your PAM config lacks an "account" specification. On Linux this
+ usually means you are missing a line like:
+ account required pam_unix.so
+ in /etc/pam.d/sudo.
Q) Sudo is setup to log via syslog(3) but I'm not getting any log
messages.
diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c
index 1dc162ab94d..d289a06ef5c 100644
--- a/usr.bin/sudo/auth/pam.c
+++ b/usr.bin/sudo/auth/pam.c
@@ -91,8 +91,7 @@ pam_init(pw, promptp, auth)
pam_conv.conv = sudo_conv;
pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
if (pam_status != PAM_SUCCESS) {
- log_error(USE_ERRNO|NO_EXIT|NO_MAIL,
- "unable to initialize PAM");
+ log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
}
if (strcmp(user_tty, "unknown"))
@@ -125,25 +124,30 @@ pam_verify(pw, prompt, auth)
*pam_status);
return(AUTH_FAILURE);
case PAM_NEW_AUTHTOK_REQD:
- log_error(NO_EXIT|NO_MAIL, "%s, %s"
+ log_error(NO_EXIT|NO_MAIL, "%s, %s",
"Account or password is expired",
"reset your password and try again");
- *pam_status = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ *pam_status = pam_chauthtok(pamh,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
if (*pam_status == PAM_SUCCESS)
return(AUTH_SUCCESS);
if ((s = pam_strerror(pamh, *pam_status)))
- log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s",s);
+ log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s", s);
return(AUTH_FAILURE);
+ case PAM_AUTHTOK_EXPIRED:
+ log_error(NO_EXIT|NO_MAIL,
+ "Password expired, contact your system administrator");
+ return(AUTH_FATAL);
case PAM_ACCT_EXPIRED:
- log_error(NO_EXIT|NO_MAIL, "%s, %s"
- "Account or password is expired",
- "contact your system administrator");
- /* FALLTHROUGH */
- default:
- return(AUTH_FAILURE);
+ log_error(NO_EXIT|NO_MAIL, "%s %s",
+ "Account expired or PAM config lacks an \"account\"",
+ "section for sudo, contact your system administrator");
+ return(AUTH_FATAL);
}
+ /* FALLTHROUGH */
case PAM_AUTH_ERR:
case PAM_MAXTRIES:
+ case PAM_PERM_DENIED:
return(AUTH_FAILURE);
default:
if ((s = pam_strerror(pamh, *pam_status)))
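Review bot: A status that matches none of the inner cases now leaves the inner switch through the `/* FALLTHROUGH */` and lands in the outer `case PAM_AUTH_ERR:` group, returning AUTH_FAILURE with nothing logged. The inner switch appears to be on the pam_acct_mgmt() result, which is set above this hunk, so an account-management rejection would reach the administrator as an ordinary authentication failure. The outcome still fails closed, which is right, but the cause is lost and the user is presumably re-prompted for a password that was never the problem. I would keep an explicit inner default that records the reason: `default:` then `if ((s = pam_strerror(pamh, *pam_status))) log_error(NO_EXIT|NO_MAIL, "pam_acct_mgmt: %s", s);` then `return(AUTH_FAILURE);`. pam_verify begins and ends outside the hunk, so the retry behaviour is inferred rather than visible.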
diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c
index 3f58b446ee4..3e156dde15e 100644
--- a/usr.bin/sudo/env.c
+++ b/usr.bin/sudo/env.c
@@ -499,7 +499,7 @@ rebuild_env(envp, sudo_mode, noexec)
* http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
* XXX - should prepend to original value, if any
*/
- if (noexec && def_noexec_file != NULL)
+ if (noexec && def_noexec_file != NULL) {
#if defined(__darwin__) || defined(__APPLE__)
insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1);
insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1);
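Review bot: Nothing at the new `{` records why it is needed, and the matching `}` sits after the `#endif` in the next hunk, so a later cleanup could drop the pair as redundant. The Darwin branch expands to two statements, and without the braces only the first is governed by `noexec && def_noexec_file != NULL`, leaving `DYLD_FORCE_FLAT_NAMESPACE` inserted on every run. I would add a comment on the `if` line such as `/* braces required: the Darwin branch is two statements */`. The rest of the preprocessor block and of rebuild_env lies outside this hunk.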
@@ -510,6 +510,7 @@ rebuild_env(envp, sudo_mode, noexec)
insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1);
# endif
#endif
+ }
/* Set PS1 if SUDO_PS1 is set. */
if (ps1)
diff --git a/usr.bin/sudo/sudo.8 b/usr.bin/sudo/sudo.8
index e0400a3e17b..a0024b61dc7 100644
--- a/usr.bin/sudo/sudo.8
+++ b/usr.bin/sudo/sudo.8
@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO 8"
-.TH SUDO 8 "November 26, 2004" "1.6.8p5" "MAINTENANCE COMMANDS"
+.TH SUDO 8 "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
diff --git a/usr.bin/sudo/sudoers.5 b/usr.bin/sudo/sudoers.5
index 3fc10e1a7be..e5d381eccf2 100644
--- a/usr.bin/sudo/sudoers.5
+++ b/usr.bin/sudo/sudoers.5
@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS 5"
-.TH SUDOERS 5 "November 28, 2004" "1.6.8p5" "MAINTENANCE COMMANDS"
+.TH SUDOERS 5 "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index 3f06dfbc986..9ac1b0773c7 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -23,6 +23,6 @@
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.8p5";
+static const char version[] = "1.6.8p6";
#endif /* _SUDO_VERSION_H */
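Review bot: The version string here becomes `"1.6.8p6"`, while the commit title, `VERSION = 1.6.8p7` in Makefile.in and the three man-page `.TH` lines all say 1.6.8p7. If this array is what the binary reports as its version, hosts carrying this update would appear to run p6, which misleads patch-level inventory and vulnerability triage. Unless the mismatch is deliberate, the line should read `static const char version[] = "1.6.8p7";`.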
diff --git a/usr.bin/sudo/visudo.8 b/usr.bin/sudo/visudo.8
index d871eb4ec87..bfbfcae2678 100644
--- a/usr.bin/sudo/visudo.8
+++ b/usr.bin/sudo/visudo.8
@@ -149,7 +149,7 @@
.\" ========================================================================
.\"
.IX Title "VISUDO 8"
-.TH VISUDO 8 "November 26, 2004" "1.6.8p5" "MAINTENANCE COMMANDS"
+.TH VISUDO 8 "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"