authorTodd C. Miller <millert@cvs.openbsd.org>2008-07-31 16:44:05 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2008-07-31 16:44:05 +0000
commitdaf52ae7d678fa3f43b85be9091b54cbcd05a4fe (patch)
tree222e97fd4aba175d8178530baff52eed106a060a
parent6960c6b7f96163e79aa75b0ef330c8c13fc523bd (diff)
Update to sudo 1.6.9p17
-rw-r--r--usr.bin/sudo/CHANGES70
-rw-r--r--usr.bin/sudo/INSTALL4
-rw-r--r--usr.bin/sudo/Makefile.in22
-rw-r--r--usr.bin/sudo/auth/kerb5.c11
-rw-r--r--usr.bin/sudo/auth/pam.c13
-rw-r--r--usr.bin/sudo/config.guess56
-rw-r--r--usr.bin/sudo/config.h3
-rw-r--r--usr.bin/sudo/config.h.in6
-rw-r--r--usr.bin/sudo/config.sub63
-rw-r--r--usr.bin/sudo/configure609
-rw-r--r--usr.bin/sudo/configure.in76
-rw-r--r--usr.bin/sudo/def_data.c8
-rw-r--r--usr.bin/sudo/def_data.h4
-rw-r--r--usr.bin/sudo/def_data.in6
-rw-r--r--usr.bin/sudo/env.c7
-rw-r--r--usr.bin/sudo/install-sh4
-rw-r--r--usr.bin/sudo/ldap.c13
-rw-r--r--usr.bin/sudo/logging.c120
-rw-r--r--usr.bin/sudo/parse.c17
-rw-r--r--usr.bin/sudo/parse.h19
-rw-r--r--usr.bin/sudo/parse.lex33
-rw-r--r--usr.bin/sudo/parse.yacc147
-rw-r--r--usr.bin/sudo/pathnames.h10
-rw-r--r--usr.bin/sudo/pathnames.h.in6
-rw-r--r--usr.bin/sudo/sudo.c107
-rw-r--r--usr.bin/sudo/sudo.h11
-rw-r--r--usr.bin/sudo/sudo.pod29
-rw-r--r--usr.bin/sudo/sudo_edit.c8
-rw-r--r--usr.bin/sudo/sudoers.pod28
-rw-r--r--usr.bin/sudo/testsudoers.c6
-rw-r--r--usr.bin/sudo/tgetpass.c10
-rw-r--r--usr.bin/sudo/version.h4
-rw-r--r--usr.bin/sudo/visudo.c20
-rw-r--r--usr.bin/sudo/visudo.pod13
34 files changed, 1221 insertions, 342 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index fcb8d5596b7..c3124ca8f2e 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -2045,3 +2045,73 @@ Sudo 1.6.9p11 released.
to the screen if there was a read timeout.
Sudo 1.6.9p12 released.
+
+646) Sudo will now set the nproc resource limit to unlimited on Linux
+ systems to work around Linux's setuid() resource limit semantics.
+ On PAM systems the resource limits will be reset by pam_limits.so
+ before the command is executed.
+
+647) SELinux support that can be used to implement role based access
+ control (RBAC). A role and (optional) type may be specified
+ in sudoers or on the command line. These are then used in the
+ security context that the command is run as.
+
+648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
+
+Sudo 1.6.9p13 released.
+
+649) Fixed an invalid assumption in the PAM conversation function
+ introduced in version 1.6.9p9. The conversation function may
+ be called for non-password reading purposes as well.
+
+650) Fixed freeing an uninitialized pointer in -l mode, introduced in
+ version 1.6.9p13.
+
+651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
+ This allows Defaults options in /etc/sudoers to take effect.
+
+652) Add missing checks for enforcing mode in SELinux RBAC mode.
+
+Sudo 1.6.9p14 released.
+
+653) Fixed installation of sudo_noexec.so on AIX.
+
+654) Updated libtool to version 1.5.26.
+
+655) Fixed printing of default SELinux role and type in -V mode.
+
+656) The HOME environment variable is once again preserved by default,
+ as per the documentation.
+
+Sudo 1.6.9p15 released.
+
+657) There was a missing space before the ldap libraries in the Makefile
+ for some configurations.
+
+658) LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
+
+659) If the LDAP server could not be contacted and the user was not present
+ in sudoers, a syntax error in sudoers was incorrectly reported.
+
+Sudo 1.6.9p16 released.
+
+660) The -i flag should imply resetting the environment, as it did in
+ sudo version prior to 1.6.9. Also, the -i and -E flags are
+ mutually exclusive.
+
+661) Fixed the configure test for dirfd() under Linux.
+
+662) Fixed test for whether -lintl is required to link.
+
+663) Changed how sudo handles the child process when sending mail.
+ This fixes a problem on Linux with the mail_always option.
+
+664) Fixed a problem with line continuation characters inside of
+ quoted strings.
+
+Sudo 1.6.9p17 released.
+
+665) Fixed a crash when the -i flag was used with a uid not in the password
+ database.
+
+666) Regenerated parser to pull in a yacc skeleton fix.
diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL
index b03d9e8ef39..1692887912e 100644
--- a/usr.bin/sudo/INSTALL
+++ b/usr.bin/sudo/INSTALL
@@ -320,6 +320,10 @@ Special features/options:
physically live in ${prefix}/etc and /etc/sudoers will be
a symbolic link.
+ --with-selinux
+ Enable support for role based access control (RBAC) on
+ systems that support SELinux.
+
The following options are also configurable at runtime:
--with-long-otp-prompt
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index 1ed0b8b4931..1650803fe2a 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -20,7 +20,7 @@
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.32 2008/06/22 20:29:03 millert Exp $
#
#### Start of system configuration section. ####
@@ -62,7 +62,9 @@ bindir = @bindir@
sbindir = @sbindir@
sysconfdir = @sysconfdir@
mandir = @mandir@
+noexecfile = @NOEXECFILE@
noexecdir = @NOEXECDIR@
+libexecdir = @libexecdir@
datarootdir = @datarootdir@
# Directory in which to install sudo.
@@ -105,7 +107,7 @@ SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c err.c \
logging.c memrchr.c mkstemp.c parse.c parse.lex parse.yacc set_perms.c \
sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c \
sudo.c sudo_noexec.c sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c \
- utimes.c visudo.c zero_bytes.c $(AUTH_SRCS)
+ utimes.c visudo.c zero_bytes.c selinux.c sesh.c $(AUTH_SRCS)
AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@@ -131,7 +133,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.9p12
+VERSION = 1.6.9p17
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP \
@@ -233,6 +235,7 @@ glob.o: glob.c config.h compat.h emul/glob.h
lsearch.o: lsearch.c config.h compat.h emul/search.h
memrchr.o: memrchr.c config.h compat.h
mkstemp.o: mkstemp.c config.h compat.h
+selinux.o: selinux.c $(SUDODEP)
snprintf.o: snprintf.c config.h compat.h
strcasecmp.o: strcasecmp.c config.h
strlcat.o: strlcat.c config.h
@@ -276,7 +279,7 @@ sia.o: $(authdir)/sia.c $(AUTHDEP)
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
- ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
sudo.man: sudo.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
@@ -285,7 +288,7 @@ sudo.cat: sudo.man
visudo.man.in: $(srcdir)/visudo.pod
@rm -f $(srcdir)/$@
- ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
visudo.man: visudo.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
@@ -294,7 +297,7 @@ visudo.cat: visudo.man
sudoers.man.in: $(srcdir)/sudoers.pod
@rm -f $(srcdir)/$@
- ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudoers.man.pl >> $@ )
sudoers.man:: sudoers.man.in
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
@@ -313,14 +316,11 @@ install-binaries: $(PROGS)
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo
rm -f $(DESTDIR)$(sudodir)/sudoedit
ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
-
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
+@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh
install-noexec: sudo_noexec.la
- $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir)
-
-bininst-noexec: sudo_noexec.la
- $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir)
+ test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir)
install-sudoers:
test -f $(DESTDIR)$(sudoersdir)/sudoers || \
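Review bot: The new install-noexec recipe `test -f .libs/$(noexecfile) && $(INSTALL) ...` makes the whole target fail whenever the shared object is absent, because the `&&` chain then exits non-zero and make aborts the install; if a missing noexec file is meant to be tolerated (the target still depends on sudo_noexec.la, so it is unclear which is intended), write it as `if test -f .libs/$(noexecfile); then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir); fi`. The removed bininst-noexec target was a public make target, so any packaging that invokes it will now break; that is presumably accepted but worth a CHANGES line. The new `@SELINUX@` sesh install line writes into $(DESTDIR)$(libexecdir), and nothing in this hunk creates that directory, so the install-dirs target (outside the hunk) should be checked to ensure it does. The install-binaries recipe begins before this hunk.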
diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c
index 763ce851b0d..89d43a7dd85 100644
--- a/usr.bin/sudo/auth/kerb5.c
+++ b/usr.bin/sudo/auth/kerb5.c
@@ -54,7 +54,7 @@
#include "sudo_auth.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.8 2008/02/13 22:17:41 millert Exp $";
#endif /* lint */
#ifdef HAVE_HEIMDAL
@@ -185,8 +185,10 @@ kerb5_verify(pw, pass, auth)
error_message(error));
goto done;
}
+#ifdef HAVE_HEIMDAL
krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
krb5_principal_get_realm(sudo_context, princ), opts);
+#endif
/* Note that we always obtain a new TGT to verify the user */
if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
@@ -217,8 +219,13 @@ kerb5_verify(pw, pass, auth)
}
done:
- if (opts)
+ if (opts) {
+#ifdef HAVE_HEIMDAL
krb5_get_init_creds_opt_free(opts);
+#else
+ krb5_get_init_creds_opt_free(sudo_context, opts);
+#endif
+ }
if (creds)
krb5_free_cred_contents(sudo_context, creds);
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
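Review bot: The Heimdal/MIT API difference is now spread over two `#ifdef HAVE_HEIMDAL` sites in kerb5_verify (the set_default_flags call in the earlier hunk and the opt_free call here), which is the pattern that drifts when a third site is added; a small file-local wrapper such as `static void sudo_krb5_opts_free(krb5_context ctx, krb5_get_init_creds_opt *o)` holding the one `#ifdef` would keep the verify body free of conditionals. The cleanup also relies on `opts` having been allocated with the matching allocator for each library, which happens outside this hunk and should be double-checked against the `#else` branch added here. kerb5_verify starts outside the hunk.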
diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c
index f6024785bd8..b2fe41a7456 100644
--- a/usr.bin/sudo/auth/pam.c
+++ b/usr.bin/sudo/auth/pam.c
@@ -72,7 +72,7 @@
#endif
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.9 2007/12/02 17:13:52 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.10 2008/02/22 20:19:45 millert Exp $";
#endif /* lint */
static int sudo_conv __P((int, PAM_CONST struct pam_message **,
@@ -257,11 +257,6 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
return(PAM_CONV_ERR);
zero_bytes(*response, num_msg * sizeof(struct pam_response));
- /* Is the sudo prompt standard? (If so, we'l just use PAM's) */
- std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
- (def_prompt[9] == '\0' ||
- (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
-
for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
flags = tgetpass_flags;
switch (pm->msg_style) {
@@ -269,6 +264,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
SET(flags, TGP_ECHO);
case PAM_PROMPT_ECHO_OFF:
prompt = def_prompt;
+
+ /* Is the sudo prompt standard? (If so, we'l just use PAM's) */
+ std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
+ (def_prompt[9] == '\0' ||
+ (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
+
/* Only override PAM prompt if it matches /^Password: ?/ */
#if defined(PAM_TEXT_DOMAIN) && defined(HAVE_DGETTEXT)
if (!def_passprompt_override && (std_prompt ||
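Review bot: The comment added on the moved std_prompt computation carries a typo, `we'l`, which should read `/* Is the sudo prompt standard? (If so, we'll just use PAM's) */`, and it would help to say why the test now lives inside the prompt cases (per CHANGES 649, the conversation function can be called for non-password messages, so def_prompt must not be examined unconditionally). The fall-through from `case PAM_PROMPT_ECHO_ON` into `case PAM_PROMPT_ECHO_OFF` just above the new lines is intentional but unmarked; a `/* FALLTHROUGH */` comment after `SET(flags, TGP_ECHO);` would keep it from being flagged as accidental. The strncmp is loop-invariant since def_prompt does not change across messages, so recomputing it per message is harmless but could be hoisted behind a NULL check if that is cleaner. sudo_conv starts and ends outside the hunk.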
diff --git a/usr.bin/sudo/config.guess b/usr.bin/sudo/config.guess
index eeb9aef181b..f32079abda6 100644
--- a/usr.bin/sudo/config.guess
+++ b/usr.bin/sudo/config.guess
@@ -1,10 +1,10 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-# Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Free Software Foundation, Inc.
-timestamp='2006-11-15'
+timestamp='2008-01-23'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -56,8 +56,8 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -330,7 +330,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
- i86pc:SunOS:5.*:*)
+ i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
exit ;;
sun4*:SunOS:6*:*)
@@ -532,7 +532,7 @@ EOF
echo rs6000-ibm-aix3.2
fi
exit ;;
- *:AIX:*:[45])
+ *:AIX:*:[456])
IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
IBM_ARCH=rs6000
@@ -781,7 +781,7 @@ EOF
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
- i*:MINGW*:*)
+ *:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:windows32*:*)
@@ -791,12 +791,18 @@ EOF
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
- x86:Interix*:[3456]*)
- echo i586-pc-interix${UNAME_RELEASE}
- exit ;;
- EM64T:Interix*:[3456]* | authenticamd:Interix*:[3456]*)
- echo x86_64-unknown-interix${UNAME_RELEASE}
- exit ;;
+ *:Interix*:[3456]*)
+ case ${UNAME_MACHINE} in
+ x86)
+ echo i586-pc-interix${UNAME_RELEASE}
+ exit ;;
+ EM64T | authenticamd)
+ echo x86_64-unknown-interix${UNAME_RELEASE}
+ exit ;;
+ IA64)
+ echo ia64-unknown-interix${UNAME_RELEASE}
+ exit ;;
+ esac ;;
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
echo i${UNAME_MACHINE}-pc-mks
exit ;;
@@ -830,7 +836,14 @@ EOF
echo ${UNAME_MACHINE}-pc-minix
exit ;;
arm*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
+ eval $set_cc_for_build
+ if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep -q __ARM_EABI__
+ then
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ else
+ echo ${UNAME_MACHINE}-unknown-linux-gnueabi
+ fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -951,6 +964,9 @@ EOF
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
exit ;;
+ xtensa*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
i*86:Linux:*:*)
# The BFD linker knows what the default object file format is, so
# first see if it will tell us. cd to the root directory to prevent
@@ -1209,9 +1225,15 @@ EOF
SX-6:SUPER-UX:*:*)
echo sx6-nec-superux${UNAME_RELEASE}
exit ;;
+ SX-7:SUPER-UX:*:*)
+ echo sx7-nec-superux${UNAME_RELEASE}
+ exit ;;
SX-8:SUPER-UX:*:*)
echo sx8-nec-superux${UNAME_RELEASE}
exit ;;
+ SX-8R:SUPER-UX:*:*)
+ echo sx8r-nec-superux${UNAME_RELEASE}
+ exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
@@ -1462,9 +1484,9 @@ This script, last modified $timestamp, has failed to recognize
the operating system you are using. It is advised that you
download the most up to date version of the config scripts from
- http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
and
- http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
If the version you run ($0) is already up to date, please
send the following data and any information you think might be
diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h
index 55ecc94cb35..4a90f38ec68 100644
--- a/usr.bin/sudo/config.h
+++ b/usr.bin/sudo/config.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.h,v 1.8 2007/12/03 15:09:47 millert Exp $ */
+/* $OpenBSD: config.h,v 1.9 2008/07/31 16:44:03 millert Exp $ */
#ifndef _SUDO_CONFIG_H
#define _SUDO_CONFIG_H
@@ -49,6 +49,7 @@
#define HAVE_SETLOCALE 1
#define HAVE_SETRESUID 1
#define HAVE_SETRLIMIT 1
+#define HAVE_SETSID 1
#define HAVE_SIGACTION 1
#define HAVE_SIG_ATOMIC_T 1
#define HAVE_SNPRINTF 1
diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in
index 2ce67d7af9d..a009a090ae5 100644
--- a/usr.bin/sudo/config.h.in
+++ b/usr.bin/sudo/config.h.in
@@ -305,6 +305,9 @@
/* Define to 1 if you have the <security/pam_appl.h> header file. */
#undef HAVE_SECURITY_PAM_APPL_H
+/* Define to 1 to enable SELinux RBAC support. */
+#undef HAVE_SELINUX
+
/* Define to 1 if you have the `seteuid' function. */
#undef HAVE_SETEUID
@@ -320,6 +323,9 @@
/* Define to 1 if you have the `setrlimit' function. */
#undef HAVE_SETRLIMIT
+/* Define to 1 if you have the `setsid' function. */
+#undef HAVE_SETSID
+
/* Define to 1 if you have the `set_auth_parameters' function. */
#undef HAVE_SET_AUTH_PARAMETERS
diff --git a/usr.bin/sudo/config.sub b/usr.bin/sudo/config.sub
index 92a51de71f4..922d3b5d0bf 100644
--- a/usr.bin/sudo/config.sub
+++ b/usr.bin/sudo/config.sub
@@ -1,10 +1,10 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-# Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Free Software Foundation, Inc.
-timestamp='2006-11-07'
+timestamp='2008-01-16'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@@ -72,8 +72,8 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -245,12 +245,12 @@ case $basic_machine in
| bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
- | fr30 | frv \
+ | fido | fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
- | maxq | mb | microblaze | mcore \
+ | maxq | mb | microblaze | mcore | mep \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@@ -324,7 +324,7 @@ case $basic_machine in
| clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
- | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| i*86-* | i860-* | i960-* | ia64-* \
@@ -369,10 +369,14 @@ case $basic_machine in
| v850-* | v850e-* | vax-* \
| we32k-* \
| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
- | xstormy16-* | xtensa-* \
+ | xstormy16-* | xtensa*-* \
| ymp-* \
| z8k-*)
;;
+ # Recognize the basic CPU types without company name, with glob match.
+ xtensa*)
+ basic_machine=$basic_machine-unknown
+ ;;
# Recognize the various machine names and aliases which stand
# for a CPU type and a company and sometimes even an OS.
386bsd)
@@ -443,6 +447,14 @@ case $basic_machine in
basic_machine=ns32k-sequent
os=-dynix
;;
+ blackfin)
+ basic_machine=bfin-unknown
+ os=-linux
+ ;;
+ blackfin-*)
+ basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=-linux
+ ;;
c90)
basic_machine=c90-cray
os=-unicos
@@ -475,8 +487,8 @@ case $basic_machine in
basic_machine=craynv-cray
os=-unicosmp
;;
- cr16c)
- basic_machine=cr16c-unknown
+ cr16)
+ basic_machine=cr16-unknown
os=-elf
;;
crds | unos)
@@ -672,6 +684,14 @@ case $basic_machine in
basic_machine=m68k-isi
os=-sysv
;;
+ m68knommu)
+ basic_machine=m68k-unknown
+ os=-linux
+ ;;
+ m68knommu-*)
+ basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=-linux
+ ;;
m88k-omron*)
basic_machine=m88k-omron
;;
@@ -687,6 +707,10 @@ case $basic_machine in
basic_machine=i386-pc
os=-mingw32
;;
+ mingw32ce)
+ basic_machine=arm-unknown
+ os=-mingw32ce
+ ;;
miniframe)
basic_machine=m68000-convergent
;;
@@ -813,6 +837,14 @@ case $basic_machine in
basic_machine=i860-intel
os=-osf
;;
+ parisc)
+ basic_machine=hppa-unknown
+ os=-linux
+ ;;
+ parisc-*)
+ basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=-linux
+ ;;
pbd)
basic_machine=sparc-tti
;;
@@ -1021,6 +1053,10 @@ case $basic_machine in
basic_machine=tic6x-unknown
os=-coff
;;
+ tile*)
+ basic_machine=tile-unknown
+ os=-linux-gnu
+ ;;
tx39)
basic_machine=mipstx39-unknown
;;
@@ -1226,7 +1262,7 @@ case $os in
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
- | -skyos* | -haiku* | -rdos* | -toppers*)
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@@ -1421,6 +1457,9 @@ case $basic_machine in
m68*-cisco)
os=-aout
;;
+ mep-*)
+ os=-elf
+ ;;
mips*-cisco)
os=-elf
;;
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index 38fe5c15e28..c2fd1925a17 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -818,9 +818,14 @@ SUDOERS_MODE
SUDOERS_UID
SUDOERS_GID
DEV
+SELINUX
+BAMAN
+LCMAN
+SEMAN
mansectsu
mansectform
mansrcdir
+NOEXECFILE
NOEXECDIR
noexec_file
INSTALL_NOEXEC
@@ -877,6 +882,8 @@ ECHO
AR
RANLIB
STRIP
+DSYMUTIL
+NMEDIT
UNAMEPROG
TRPROG
NROFFPROG
@@ -1567,6 +1574,7 @@ Optional Packages:
--with-secure-path override the user's path with a built-in one
--without-interfaces don't try to read the ip addr of ether interfaces
--with-stow properly handle GNU stow packaging
+ --with-selinux enable SELinux support
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-pic try to use only PIC/non-PIC objects [default=use
both]
@@ -2073,6 +2081,11 @@ echo "$as_me: Configuring Sudo version 1.6.9" >&6;}
+
+
+
+
+
timeout=5
password_timeout=5
sudo_umask=0022
@@ -2106,6 +2119,10 @@ PROGS="sudo visudo"
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
DEV="#"
+SELINUX="#"
+BAMAN='.\" '
+LCMAN='.\" '
+SEMAN='.\" '
AUTH_OBJS=
AUTH_REG=
AUTH_EXCL=
@@ -2118,7 +2135,11 @@ shadow_funcs=
shadow_libs=
shadow_libs_optional=
-test "$mandir" = '${prefix}/man' && mandir='$(prefix)/man'
+if test X"$prefix" = X"NONE"; then
+ test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
+else
+ test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
+fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
@@ -3922,6 +3943,29 @@ echo "${ECHO_T}no" >&6; }
fi
+
+# Check whether --with-selinux was given.
+if test "${with_selinux+set}" = set; then
+ withval=$with_selinux; case $with_selinux in
+ yes) cat >>confdefs.h <<\_ACEOF
+#define HAVE_SELINUX 1
+_ACEOF
+
+ SUDO_LIBS="${SUDO_LIBS} -lselinux"
+ SUDO_OBJS="${SUDO_OBJS} selinux.o"
+ PROGS="${PROGS} sesh"
+ SELINUX=""
+ SEMAN=""
+ ;;
+ no) ;;
+ *) { { echo "$as_me:$LINENO: error: \"--with-selinux does not take an argument.\"" >&5
+echo "$as_me: error: \"--with-selinux does not take an argument.\"" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+esac
+fi
+
+
# Extract the first word of "egrep", so it can be a program name with args.
set dummy egrep; ac_word=$2
{ echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -5870,7 +5914,7 @@ lt_cv_deplibs_check_method='unknown'
# whether `pass_all' will *always* work, you probably want this one.
case $host_os in
-aix4* | aix5*)
+aix[4-9]*)
lt_cv_deplibs_check_method=pass_all
;;
@@ -6085,7 +6129,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 6088 "configure"' > conftest.$ac_ext
+ echo '#line 6132 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -6257,7 +6301,11 @@ sparc*-*solaris*)
*64-bit*)
case $lt_cv_prog_gnu_ld in
yes*) LD="${LD-ld} -m elf64_sparc" ;;
- *) LD="${LD-ld} -64" ;;
+ *)
+ if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+ LD="${LD-ld} -64"
+ fi
+ ;;
esac
;;
esac
@@ -6657,7 +6705,6 @@ done
# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-
# find the maximum length of command line arguments
{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
@@ -6972,7 +7019,7 @@ EOF
echo "$progname: failed program was:" >&5
cat conftest.$ac_ext >&5
fi
- rm -f conftest* conftst*
+ rm -rf conftest* conftst*
# Do not use the global_symbol_pipe unless it works.
if test "$pipe_works" = yes; then
@@ -7532,6 +7579,318 @@ fi
;;
esac
+
+ case $host_os in
+ rhapsody* | darwin*)
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$DSYMUTIL"; then
+ ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+DSYMUTIL=$ac_cv_prog_DSYMUTIL
+if test -n "$DSYMUTIL"; then
+ { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+echo "${ECHO_T}$DSYMUTIL" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_DSYMUTIL"; then
+ ac_ct_DSYMUTIL=$DSYMUTIL
+ # Extract the first word of "dsymutil", so it can be a program name with args.
+set dummy dsymutil; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_DSYMUTIL"; then
+ ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
+if test -n "$ac_ct_DSYMUTIL"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_DSYMUTIL" = x; then
+ DSYMUTIL=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ DSYMUTIL=$ac_ct_DSYMUTIL
+ fi
+else
+ DSYMUTIL="$ac_cv_prog_DSYMUTIL"
+fi
+
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
+set dummy ${ac_tool_prefix}nmedit; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_NMEDIT+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$NMEDIT"; then
+ ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+NMEDIT=$ac_cv_prog_NMEDIT
+if test -n "$NMEDIT"; then
+ { echo "$as_me:$LINENO: result: $NMEDIT" >&5
+echo "${ECHO_T}$NMEDIT" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_NMEDIT"; then
+ ac_ct_NMEDIT=$NMEDIT
+ # Extract the first word of "nmedit", so it can be a program name with args.
+set dummy nmedit; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_NMEDIT"; then
+ ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_NMEDIT="nmedit"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
+if test -n "$ac_ct_NMEDIT"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_NMEDIT" = x; then
+ NMEDIT=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ NMEDIT=$ac_ct_NMEDIT
+ fi
+else
+ NMEDIT="$ac_cv_prog_NMEDIT"
+fi
+
+
+ { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
+echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; }
+if test "${lt_cv_apple_cc_single_mod+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_apple_cc_single_mod=no
+ if test -z "${LT_MULTI_MODULE}"; then
+ # By default we will add the -single_module flag. You can override
+ # by either setting the environment variable LT_MULTI_MODULE
+ # non-empty at configure time, or by adding -multi_module to the
+ # link flags.
+ echo "int foo(void){return 1;}" > conftest.c
+ $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+ -dynamiclib ${wl}-single_module conftest.c
+ if test -f libconftest.dylib; then
+ lt_cv_apple_cc_single_mod=yes
+ rm -rf libconftest.dylib*
+ fi
+ rm conftest.c
+ fi
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
+echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; }
+ { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
+echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; }
+if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_ld_exported_symbols_list=no
+ save_LDFLAGS=$LDFLAGS
+ echo "_main" > conftest.sym
+ LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ lt_cv_ld_exported_symbols_list=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ lt_cv_ld_exported_symbols_list=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
+echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
+ case $host_os in
+ rhapsody* | darwin1.[0123])
+ _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
+ darwin1.*)
+ _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+ darwin*)
+ # if running on 10.5 or later, the deployment target defaults
+ # to the OS version, if on x86, and 10.4, the deployment
+ # target defaults to 10.4. Don't you love it?
+ case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+ 10.0,*86*-darwin8*|10.0,*-darwin[91]*)
+ _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+ 10.[012]*)
+ _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+ 10.*)
+ _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+ esac
+ ;;
+ esac
+ if test "$lt_cv_apple_cc_single_mod" = "yes"; then
+ _lt_dar_single_mod='$single_module'
+ fi
+ if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
+ _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
+ else
+ _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+ fi
+ if test "$DSYMUTIL" != ":"; then
+ _lt_dsymutil="~$DSYMUTIL \$lib || :"
+ else
+ _lt_dsymutil=
+ fi
+ ;;
+ esac
+
+
enable_dlopen=no
enable_win32_dll=no
@@ -7597,7 +7956,7 @@ ac_outfile=conftest.$ac_objext
echo "$lt_simple_link_test_code" >conftest.$ac_ext
eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
_lt_linker_boilerplate=`cat conftest.err`
-$rm conftest*
+$rm -r conftest*
## CAVEAT EMPTOR:
@@ -7629,11 +7988,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7632: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7991: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7636: \$? = $ac_status" >&5
+ echo "$as_me:7995: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -7903,10 +8262,10 @@ if test -n "$lt_prog_compiler_pic"; then
{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
-if test "${lt_prog_compiler_pic_works+set}" = set; then
+if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- lt_prog_compiler_pic_works=no
+ lt_cv_prog_compiler_pic_works=no
ac_outfile=conftest.$ac_objext
echo "$lt_simple_compile_test_code" > conftest.$ac_ext
lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
@@ -7919,27 +8278,27 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7922: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8281: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7926: \$? = $ac_status" >&5
+ echo "$as_me:8285: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
$echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
- lt_prog_compiler_pic_works=yes
+ lt_cv_prog_compiler_pic_works=yes
fi
fi
$rm conftest*
fi
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
-if test x"$lt_prog_compiler_pic_works" = xyes; then
+if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
case $lt_prog_compiler_pic in
"" | " "*) ;;
*) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
@@ -7966,10 +8325,10 @@ esac
wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
-if test "${lt_prog_compiler_static_works+set}" = set; then
+if test "${lt_cv_prog_compiler_static_works+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
- lt_prog_compiler_static_works=no
+ lt_cv_prog_compiler_static_works=no
save_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
echo "$lt_simple_link_test_code" > conftest.$ac_ext
@@ -7982,20 +8341,20 @@ else
$echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
$SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
if diff conftest.exp conftest.er2 >/dev/null; then
- lt_prog_compiler_static_works=yes
+ lt_cv_prog_compiler_static_works=yes
fi
else
- lt_prog_compiler_static_works=yes
+ lt_cv_prog_compiler_static_works=yes
fi
fi
- $rm conftest*
+ $rm -r conftest*
LDFLAGS="$save_LDFLAGS"
fi
-{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_static_works" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
-if test x"$lt_prog_compiler_static_works" = xyes; then
+if test x"$lt_cv_prog_compiler_static_works" = xyes; then
:
else
lt_prog_compiler_static=
@@ -8023,11 +8382,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:8026: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8385: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:8030: \$? = $ac_status" >&5
+ echo "$as_me:8389: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -8107,12 +8466,13 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
# it will be wrapped by ` (' and `)$', so one must not match beginning or
# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
# as well as any symbol that contains `d'.
- exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
+ exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
# platforms (ab)use it in PIC code, but their linkers get confused if
# the symbol is explicitly referenced. Since portable code cannot
# rely on this symbol name, it's probably fine to never include it in
# preloaded symbol tables.
+ # Exclude shared library initialization/finalization symbols.
extract_expsyms_cmds=
# Just being paranoid about ensuring that cc_basename is set.
for cc_temp in $compiler""; do
@@ -8171,7 +8531,7 @@ cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
# See if GNU ld supports shared libraries.
case $host_os in
- aix3* | aix4* | aix5*)
+ aix[3-9]*)
# On AIX/PPC, the GNU linker is very broken
if test "$host_cpu" != ia64; then
ld_shlibs=no
@@ -8390,7 +8750,7 @@ _LT_EOF
fi
;;
- aix4* | aix5*)
+ aix[4-9]*)
if test "$host_cpu" = ia64; then
# On IA64, the linker does run time linking by default, so we don't
# have to do anything special.
@@ -8410,7 +8770,7 @@ _LT_EOF
# Test if we are trying to use run time linking or normal
# AIX style linking. If -brtl is somewhere in LDFLAGS, we
# need to do runtime linking.
- case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
for ld_flag in $LDFLAGS; do
if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
aix_use_runtimelinking=yes
@@ -8682,11 +9042,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
link_all_deplibs=yes
if test "$GCC" = yes ; then
output_verbose_link_cmd='echo'
- archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
- archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+ module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+ archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+ module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
else
case $cc_basename in
xlc*)
@@ -9206,7 +9565,7 @@ aix3*)
soname_spec='${libname}${release}${shared_ext}$major'
;;
-aix4* | aix5*)
+aix[4-9]*)
version_type=linux
need_lib_prefix=no
need_version=no
@@ -9724,6 +10083,21 @@ esac
echo "${ECHO_T}$dynamic_linker" >&6; }
test "$dynamic_linker" = no && can_build_shared=no
+if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
+fi
+
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
+fi
+
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
if test "$GCC" = yes; then
variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
@@ -10043,7 +10417,7 @@ fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
if test $ac_cv_lib_dld_shl_load = yes; then
- lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
+ lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
else
{ echo "$as_me:$LINENO: checking for dlopen" >&5
echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
@@ -10319,7 +10693,7 @@ fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
if test $ac_cv_lib_dld_dld_link = yes; then
- lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
+ lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
fi
@@ -10368,7 +10742,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 10371 "configure"
+#line 10745 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10468,7 +10842,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 10471 "configure"
+#line 10845 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10595,7 +10969,7 @@ aix3*)
fi
;;
-aix4* | aix5*)
+aix[4-9]*)
if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
test "$enable_shared" = yes && enable_static=no
fi
@@ -10651,6 +11025,7 @@ if test -f "$ltmain"; then
predeps \
postdeps \
compiler_lib_search_path \
+ compiler_lib_search_dirs \
archive_cmds \
archive_expsym_cmds \
postinstall_cmds \
@@ -10711,7 +11086,7 @@ echo "$as_me: creating $ofile" >&6;}
# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
# NOTE: Changes made to this file will be lost: look at ltmain.sh.
#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
# Free Software Foundation, Inc.
#
# This file is part of GNU Libtool:
@@ -10947,6 +11322,10 @@ predeps=$lt_predeps
# shared library.
postdeps=$lt_postdeps
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_compiler_lib_search_dirs
+
# The library search path used internally by the compiler when linking
# a shared library.
compiler_lib_search_path=$lt_compiler_lib_search_path
@@ -11142,6 +11521,7 @@ fi
{ echo "$as_me:$LINENO: result: $with_noexec" >&5
echo "${ECHO_T}$with_noexec" >&6; }
+NOEXECFILE="sudo_noexec$_shrext"
NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[^/]*:\1:'`"
if test "$with_devel" = "yes" -a -n "$GCC"; then
@@ -11734,7 +12114,7 @@ fi
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
- *-*-linux*)
+ *-*-linux*|*-*-k*bsd*-gnu)
OSDEFS="${OSDEFS} -D_GNU_SOURCE"
# Some Linux versions need to link with -lshadow
shadow_funcs="getspnam"
@@ -13675,7 +14055,7 @@ if test `eval echo '${'$as_ac_Header'}'` = yes; then
cat >>confdefs.h <<_ACEOF
#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
-
+ LCMAN=""
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
@@ -15151,9 +15531,10 @@ LIBS=$ac_save_LIBS
+
for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo
+ setlocale getaddrinfo setsid
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -17930,7 +18311,7 @@ cat >>conftest.$ac_ext <<_ACEOF
int
main ()
{
-DIR d; (void)dirfd(&d);
+DIR *d; (void)dirfd(d);
;
return 0;
}
@@ -19736,56 +20117,20 @@ fi
case $host in
*-*-linux*|*-*-solaris*)
-
-for ac_func in dgettext
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
+ # dgettext() may be defined to dgettext_libintl in the
+ # header file, so first check that it links w/ additional
+ # libs, then try with -lintl
+ cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define $ac_func innocuous_$ac_func
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char $ac_func (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef $ac_func
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char $ac_func ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined __stub_$ac_func || defined __stub___$ac_func
-choke me
-#endif
-
+#include <libintl.h>
int
main ()
{
-return $ac_func ();
+(void)dgettext((char *)0, (char *)0);
;
return 0;
}
@@ -19808,27 +20153,15 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- eval "$as_ac_var=yes"
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_DGETTEXT 1
+_ACEOF
+
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- eval "$as_ac_var=no"
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
- conftest$ac_exeext conftest.$ac_ext
-fi
-ac_res=`eval echo '${'$as_ac_var'}'`
- { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-if test `eval echo '${'$as_ac_var'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-else
- { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5
+ { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5
echo $ECHO_N "checking for dgettext in -lintl... $ECHO_C" >&6; }
if test "${ac_cv_lib_intl_dgettext+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -19898,8 +20231,9 @@ _ACEOF
fi
fi
-done
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
;;
esac
fi
@@ -20051,8 +20385,7 @@ if test $ac_cv_header_bsd_auth_h = yes; then
_ACEOF
AUTH_OBJS="$AUTH_OBJS bsdauth.o"
- BSDAUTH_USAGE='[-a auth_type] '
- AUTH_EXCL=BSD_AUTH
+ AUTH_EXCL=BSD_AUTH; BAMAN=""
else
{ { echo "$as_me:$LINENO: error: BSD authentication was specified but bsd_auth.h could not be found" >&5
echo "$as_me: error: BSD authentication was specified but bsd_auth.h could not be found" >&2;}
@@ -22781,7 +23114,7 @@ fi
done
- SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
+ SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS"
# XXX - OpenLDAP has deprecated ldap_get_values()
@@ -22903,10 +23236,7 @@ fi
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'
-if test "$with_noexec" != "no"; then
- PROGS="${PROGS} sudo_noexec.la"
- INSTALL_NOEXEC="install-noexec"
-
+if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
oexec_prefix="$exec_prefix"
if test "$exec_prefix" = '$(prefix)'; then
if test "$prefix" = "NONE"; then
@@ -22915,12 +23245,25 @@ if test "$with_noexec" != "no"; then
exec_prefix="$prefix"
fi
fi
- eval noexec_file="$with_noexec"
+ if test X"$with_noexec" != X"no"; then
+ PROGS="${PROGS} sudo_noexec.la"
+ INSTALL_NOEXEC="install-noexec"
+
+ eval noexec_file="$with_noexec"
cat >>confdefs.h <<_ACEOF
#define _PATH_SUDO_NOEXEC "$noexec_file"
_ACEOF
+ fi
+ if test X"$with_selinux" != X"no"; then
+ eval sesh_file="$libexecdir/sesh"
+
+cat >>confdefs.h <<_ACEOF
+#define _PATH_SUDO_SESH "$sesh_file"
+_ACEOF
+
+ fi
exec_prefix="$oexec_prefix"
fi
@@ -23601,9 +23944,14 @@ SUDOERS_MODE!$SUDOERS_MODE$ac_delim
SUDOERS_UID!$SUDOERS_UID$ac_delim
SUDOERS_GID!$SUDOERS_GID$ac_delim
DEV!$DEV$ac_delim
+SELINUX!$SELINUX$ac_delim
+BAMAN!$BAMAN$ac_delim
+LCMAN!$LCMAN$ac_delim
+SEMAN!$SEMAN$ac_delim
mansectsu!$mansectsu$ac_delim
mansectform!$mansectform$ac_delim
mansrcdir!$mansrcdir$ac_delim
+NOEXECFILE!$NOEXECFILE$ac_delim
NOEXECDIR!$NOEXECDIR$ac_delim
noexec_file!$noexec_file$ac_delim
INSTALL_NOEXEC!$INSTALL_NOEXEC$ac_delim
@@ -23637,11 +23985,6 @@ path_info!$path_info$ac_delim
EGREPPROG!$EGREPPROG$ac_delim
CC!$CC$ac_delim
ac_ct_CC!$ac_ct_CC$ac_delim
-EXEEXT!$EXEEXT$ac_delim
-OBJEXT!$OBJEXT$ac_delim
-CPP!$CPP$ac_delim
-build!$build$ac_delim
-build_cpu!$build_cpu$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -23683,6 +24026,11 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+CPP!$CPP$ac_delim
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
build_vendor!$build_vendor$ac_delim
build_os!$build_os$ac_delim
host!$host$ac_delim
@@ -23701,6 +24049,8 @@ ECHO!$ECHO$ac_delim
AR!$AR$ac_delim
RANLIB!$RANLIB$ac_delim
STRIP!$STRIP$ac_delim
+DSYMUTIL!$DSYMUTIL$ac_delim
+NMEDIT!$NMEDIT$ac_delim
UNAMEPROG!$UNAMEPROG$ac_delim
TRPROG!$TRPROG$ac_delim
NROFFPROG!$NROFFPROG$ac_delim
@@ -23712,7 +24062,7 @@ KRB5CONFIG!$KRB5CONFIG$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 27; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 34; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -24102,21 +24452,22 @@ echo "$as_me: $ac_file is unchanged" >&6;}
fi
rm -f "$tmp/out12"
# Compute $ac_file's index in $config_headers.
+_am_arg=$ac_file
_am_stamp_count=1
for _am_header in $config_headers :; do
case $_am_header in
- $ac_file | $ac_file:* )
+ $_am_arg | $_am_arg:* )
break ;;
* )
_am_stamp_count=`expr $_am_stamp_count + 1` ;;
esac
done
-echo "timestamp for $ac_file" >`$as_dirname -- $ac_file ||
-$as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X$ac_file : 'X\(//\)[^/]' \| \
- X$ac_file : 'X\(//\)$' \| \
- X$ac_file : 'X\(/\)' \| . 2>/dev/null ||
-echo X$ac_file |
+echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" ||
+$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$_am_arg" : 'X\(//\)[^/]' \| \
+ X"$_am_arg" : 'X\(//\)$' \| \
+ X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$_am_arg" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
@@ -24323,3 +24674,5 @@ fi
+
+
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index 32994e9a7b2..109fc9a721f 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -1,6 +1,6 @@
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.413.2.43 2008/01/21 16:46:50 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.53 2008/06/22 20:23:56 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
@@ -33,9 +33,14 @@ AC_SUBST(SUDOERS_MODE)
AC_SUBST(SUDOERS_UID)
AC_SUBST(SUDOERS_GID)
AC_SUBST(DEV)
+AC_SUBST(SELINUX)
+AC_SUBST(BAMAN)
+AC_SUBST(LCMAN)
+AC_SUBST(SEMAN)
AC_SUBST(mansectsu)
AC_SUBST(mansectform)
AC_SUBST(mansrcdir)
+AC_SUBST(NOEXECFILE)
AC_SUBST(NOEXECDIR)
AC_SUBST(noexec_file)
AC_SUBST(INSTALL_NOEXEC)
@@ -109,6 +114,10 @@ PROGS="sudo visudo"
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
DEV="#"
+SELINUX="#"
+BAMAN='.\" '
+LCMAN='.\" '
+SEMAN='.\" '
AUTH_OBJS=
AUTH_REG=
AUTH_EXCL=
@@ -127,7 +136,11 @@ shadow_libs_optional=
dnl
dnl Override default configure dirs...
dnl
-test "$mandir" = '${prefix}/man' && mandir='$(prefix)/man'
+if test X"$prefix" = X"NONE"; then
+ test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
+else
+ test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
+fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
@@ -1114,6 +1127,20 @@ AC_ARG_ENABLE(path_info,
esac
], AC_MSG_RESULT(no))
+AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support],
+[case $with_selinux in
+ yes) AC_DEFINE(HAVE_SELINUX)
+ SUDO_LIBS="${SUDO_LIBS} -lselinux"
+ SUDO_OBJS="${SUDO_OBJS} selinux.o"
+ PROGS="${PROGS} sesh"
+ SELINUX=""
+ SEMAN=""
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-selinux does not take an argument."])
+ ;;
+esac])
+
dnl
dnl If we don't have egrep we can't do anything...
dnl
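Review bot: The `yes)` branch defines HAVE_SELINUX and appends `-lselinux` without probing for libselinux or its header, so on a host that lacks the library the failure only shows up when sudo is linked instead of at configure time. Guard it with probes before the AC_DEFINE, e.g. `AC_CHECK_HEADER(selinux/selinux.h, [], [AC_MSG_ERROR([selinux/selinux.h not found])])` and `AC_CHECK_LIB(selinux, is_selinux_enabled, [:], [AC_MSG_ERROR([libselinux not found])])`. The literal double quotes inside `AC_MSG_ERROR(["--with-selinux does not take an argument."])` are printed as part of the message; `AC_MSG_ERROR([--with-selinux does not take an argument.])` matches the style of the bsd_auth.h error later in this file.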
@@ -1160,6 +1187,7 @@ AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sud
*) ;;
esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"])
AC_MSG_RESULT($with_noexec)
+NOEXECFILE="sudo_noexec$_shrext"
NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
dnl
@@ -1382,7 +1410,7 @@ case "$host" in
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
- *-*-linux*)
+ *-*-linux*|*-*-k*bsd*-gnu)
OSDEFS="${OSDEFS} -D_GNU_SOURCE"
# Some Linux versions need to link with -lshadow
shadow_funcs="getspnam"
@@ -1633,7 +1661,7 @@ if test "$OS" != "ultrix"; then
fi
fi
if test ${with_logincap-'no'} != "no"; then
- AC_CHECK_HEADERS(login_cap.h, [
+ AC_CHECK_HEADERS(login_cap.h, [LCMAN=""
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
@@ -1681,7 +1709,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo)
+ setlocale getaddrinfo setsid)
if test -z "$SKIP_SETRESUID"; then
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
fi
@@ -1736,7 +1764,7 @@ dnl
dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR.
dnl
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <$ac_header_dirent>]], [[DIR d; (void)dirfd(&d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
+#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
dnl
dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
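Review bot: The new probe body `DIR *d; (void)dirfd(d);` passes an uninitialized pointer; since AC_LINK_IFELSE only compiles and links it the code never runs, but a compiler that promotes the uninitialized-use warning to an error would make the probe silently report no dirfd and fall through to the dd_fd test. Initialising it, `DIR *d = 0; (void)dirfd(d);`, keeps the probe a pure link test with no warning. The AC_TRY_LINK fallback on the following line is unchanged.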
@@ -1839,8 +1867,13 @@ if test ${with_pam-"no"} != "no"; then
esac], AC_MSG_RESULT(yes))
case $host in
*-*-linux*|*-*-solaris*)
- AC_CHECK_FUNCS(dgettext, [],
- [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
+ # dgettext() may be defined to dgettext_libintl in the
+ # header file, so first check that it links w/ additional
+ # libs, then try with -lintl
+ AC_LINK_IFELSE([AC_LANG_PROGRAM(
+ [[#include <libintl.h>]], [(void)dgettext((char *)0, (char *)0);])],
+ [AC_DEFINE(HAVE_DGETTEXT)],
+ [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
[AC_DEFINE(HAVE_DGETTEXT)])])
;;
esac
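Review bot: In the new `AC_LANG_PROGRAM` call the prologue is double-quoted (`[[#include <libintl.h>]]`) while the body is single-quoted (`[(void)dgettext((char *)0, (char *)0);]`); it works only because the body contains nothing m4 would expand, and the mixed quoting is fragile. Use `[[(void)dgettext((char *)0, (char *)0);]]` so both arguments are quoted the same way. The comment explaining why the plain function check was replaced is helpful and should stay.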
@@ -1868,8 +1901,7 @@ dnl
if test ${with_bsdauth-'no'} != "no"; then
AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
[AUTH_OBJS="$AUTH_OBJS bsdauth.o"]
- [BSDAUTH_USAGE='[[-a auth_type]] ']
- [AUTH_EXCL=BSD_AUTH],
+ [AUTH_EXCL=BSD_AUTH; BAMAN=""],
[AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
fi
@@ -2296,7 +2328,7 @@ if test ${with_ldap-'no'} != "no"; then
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength)
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
- SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
+ SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS"
# XXX - OpenLDAP has deprecated ldap_get_values()
@@ -2360,13 +2392,11 @@ dnl
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'
dnl
-dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set
+dnl Defer setting _PATH_SUDO_NOEXEC and _PATH_SUDO_SESH
+dnl until after exec_prefix is set
dnl XXX - this is gross!
dnl
-if test "$with_noexec" != "no"; then
- PROGS="${PROGS} sudo_noexec.la"
- INSTALL_NOEXEC="install-noexec"
-
+if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
oexec_prefix="$exec_prefix"
if test "$exec_prefix" = '$(prefix)'; then
if test "$prefix" = "NONE"; then
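Review bot: `with_selinux` is only set when `--with-selinux` or `--without-selinux` is passed (the AC_ARG_WITH earlier in this file has no action-if-not-given), so `X"$with_selinux" != X"no"` is true for a default build: this outer block always runs, and the same test in the next hunk defines `_PATH_SUDO_SESH` in builds that have no SELinux support at all. `with_noexec` does not have this problem because it is given a default value. Either test `X"$with_selinux" = X"yes"` here and in the next hunk, or add `[with_selinux=no]` as the action-if-not-given of the AC_ARG_WITH. The `if` block opened here continues into the next hunk, and the generated configure hunks earlier in the diff reproduce the same logic.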
@@ -2375,8 +2405,17 @@ if test "$with_noexec" != "no"; then
exec_prefix="$prefix"
fi
fi
- eval noexec_file="$with_noexec"
- AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
+ if test X"$with_noexec" != X"no"; then
+ PROGS="${PROGS} sudo_noexec.la"
+ INSTALL_NOEXEC="install-noexec"
+
+ eval noexec_file="$with_noexec"
+ AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
+ fi
+ if test X"$with_selinux" != X"no"; then
+ eval sesh_file="$libexecdir/sesh"
+ AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
+ fi
exec_prefix="$oexec_prefix"
fi
@@ -2437,6 +2476,7 @@ AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
+AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
AH_TEMPLATE(HAVE_SIA, [Define to 1 if you use SIA authentication.])
AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
diff --git a/usr.bin/sudo/def_data.c b/usr.bin/sudo/def_data.c
index 944a55c2355..ff9ebc654c9 100644
--- a/usr.bin/sudo/def_data.c
+++ b/usr.bin/sudo/def_data.c
@@ -264,6 +264,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"Environment variables to preserve:",
NULL,
}, {
+ "role", T_STR,
+ "SELinux role to use in the new security context: %s",
+ NULL,
+ }, {
+ "type", T_STR,
+ "SELinux type to use in the new security context: %s",
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff --git a/usr.bin/sudo/def_data.h b/usr.bin/sudo/def_data.h
index 13d81bf7089..bbbd2ab0a5f 100644
--- a/usr.bin/sudo/def_data.h
+++ b/usr.bin/sudo/def_data.h
@@ -118,6 +118,10 @@
#define I_ENV_DELETE 58
#define def_env_keep (sudo_defs_table[59].sd_un.list)
#define I_ENV_KEEP 59
+#define def_role (sudo_defs_table[60].sd_un.str)
+#define I_ROLE 60
+#define def_type (sudo_defs_table[61].sd_un.str)
+#define I_TYPE 61
enum def_tupple {
never,
diff --git a/usr.bin/sudo/def_data.in b/usr.bin/sudo/def_data.in
index 47370b83ecf..afc4e4cfc68 100644
--- a/usr.bin/sudo/def_data.in
+++ b/usr.bin/sudo/def_data.in
@@ -191,3 +191,9 @@ env_delete
env_keep
T_LIST|T_BOOL
"Environment variables to preserve:"
+role
+ T_STR
+ "SELinux role to use in the new security context: %s"
+type
+ T_STR
+ "SELinux type to use in the new security context: %s"
diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c
index 6cb26d38095..dba49551150 100644
--- a/usr.bin/sudo/env.c
+++ b/usr.bin/sudo/env.c
@@ -52,7 +52,7 @@
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.17 2007/07/31 18:04:31 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.19 2008/06/21 19:04:07 millert Exp $";
#endif /* lint */
/*
@@ -198,6 +198,7 @@ static const char *initial_checkenv_table[] = {
static const char *initial_keepenv_table[] = {
"COLORS",
"DISPLAY",
+ "HOME",
"HOSTNAME",
"KRB5CCNAME",
"LS_COLORS",
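Review bot: Adding `"HOME"` to initial_keepenv_table means the invoking user's HOME now survives env_reset by default, so the target user's shell, editor and any other program that reads dotfiles will read them from a directory the invoking user controls unless always_set_home or `-H` is in effect (the $HOME reset further down in rebuild_env() only runs under MODE_RESET_HOME or def_always_set_home). If that is the intended default it deserves a comment on the entry, e.g. `/* HOME: kept unless always_set_home / -H; the invoker's dotfiles are then read by the target user */`, and a matching note in sudoers(5) so administrators know to set always_set_home. The table begins above the hunk.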
@@ -405,7 +406,7 @@ rebuild_env(envp, sudo_mode, noexec)
ps1 = NULL;
didvar = 0;
memset(&env, 0, sizeof(env));
- if (def_env_reset) {
+ if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Pull in vars we want to keep from the old environment. */
for (ep = envp; *ep; ep++) {
int keepit;
@@ -536,6 +537,7 @@ rebuild_env(envp, sudo_mode, noexec)
#endif
/* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */
+ /* XXX - not needed for MODE_LOGIN_SHELL */
if (def_set_logname && runas_pw->pw_name) {
if (!ISSET(didvar, KEPT_LOGNAME))
insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), &env, 1);
@@ -546,6 +548,7 @@ rebuild_env(envp, sudo_mode, noexec)
}
/* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */
+ /* XXX - not needed for MODE_LOGIN_SHELL */
if (runas_pw->pw_dir) {
if (ISSET(sudo_mode, MODE_RESET_HOME) ||
(ISSET(sudo_mode, MODE_RUN) && (def_always_set_home ||
diff --git a/usr.bin/sudo/install-sh b/usr.bin/sudo/install-sh
index 124c991e959..3b069404e5a 100644
--- a/usr.bin/sudo/install-sh
+++ b/usr.bin/sudo/install-sh
@@ -1,7 +1,7 @@
#! /bin/sh
## (From INN-1.4, written by Rich Salz)
-## $Revision: 1.8 $
+## $Revision: 1.9 $
## A script to install files and directories.
PROGNAME=`basename $0`
@@ -182,7 +182,7 @@ fi
## Get the destination and a temp file in the destination diretory.
if [ -d "$2" ] ; then
- DEST="$2/$1"
+ DEST="$2/`basename $1`"
TEMP="$2/$$.tmp"
else
DEST="$2"
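Review bot: `basename $1` is unquoted inside the command substitution, so a source path containing whitespace or glob characters is word-split before basename sees it and DEST is built from the wrong name. Quote the argument, `DEST="$2/$(basename "$1")"` (or keep backticks and quote `"$1"` if the script must stay pre-POSIX). The surrounding `if [ -d "$2" ]` branch is otherwise fine.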
diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c
index 9097310cbf9..8ee0ba73d9c 100644
--- a/usr.bin/sudo/ldap.c
+++ b/usr.bin/sudo/ldap.c
@@ -71,7 +71,7 @@
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.38 2008/04/11 14:03:51 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
@@ -82,6 +82,10 @@ __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
+#ifndef LDAPS_PORT
+# define LDAPS_PORT 636
+#endif
+
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
#define CONF_BOOL 0
@@ -1189,6 +1193,13 @@ sudo_ldap_check(pwflag)
if (setenv_implied)
def_setenv = TRUE;
sudo_ldap_parse_options(ld, entry);
+#ifdef HAVE_SELINUX
+ /* Set role and type if not specified on command line. */
+ if (user_role == NULL)
+ user_role = def_role;
+ if (user_type == NULL)
+ user_type = def_type;
+#endif /* HAVE_SELINUX */
/* make sure we don't reenter loop */
ret = VALIDATE_OK;
/* break from inside for loop */
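Review bot: Assigning user_role/user_type here, before sudoers_lookup() runs, makes the SELinux context first-writer-wins, while the sudo.c hunk at `if (!def_ignore_local_sudoers)` lets a local sudoers match override the LDAP result: parse.c's sudoers_lookup() hunk only fills user_role/user_type when they are still NULL, so a ROLE=/TYPE= tag on the winning local entry is ignored whenever LDAP options populated def_role/def_type. If the local entry is meant to win, this assignment should be deferred (or sudoers_lookup() allowed to replace an LDAP-derived value); at minimum add `/* NOTE: a later local sudoers match will not replace these. */` above the block. The enclosing loop in sudo_ldap_check() starts and ends outside the hunk.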
diff --git a/usr.bin/sudo/logging.c b/usr.bin/sudo/logging.c
index b03a4020098..80d0f5a37d1 100644
--- a/usr.bin/sudo/logging.c
+++ b/usr.bin/sudo/logging.c
@@ -27,6 +27,7 @@
#include <sys/types.h>
#include <sys/param.h>
#include <sys/stat.h>
+#include <sys/ioctl.h>
#include <sys/wait.h>
#include <stdio.h>
#ifdef STDC_HEADERS
@@ -56,11 +57,12 @@
#include <signal.h>
#include <time.h>
#include <errno.h>
+#include <fcntl.h>
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.13 2007/11/25 13:07:38 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.16 2008/06/22 20:23:57 millert Exp $";
#endif /* lint */
static void do_syslog __P((int, char *));
@@ -458,9 +460,9 @@ send_mail(line)
{
FILE *mail;
char *p;
- int pfd[2];
- pid_t pid;
- sigset_t set, oset;
+ int fd, pfd[2], status;
+ pid_t pid, rv;
+ sigaction_t sa;
#ifndef NO_ROOT_MAILER
static char *root_envp[] = {
"HOME=/",
@@ -476,17 +478,79 @@ send_mail(line)
if (!def_mailerpath || !def_mailto)
return;
- (void) sigemptyset(&set);
- (void) sigaddset(&set, SIGCHLD);
- (void) sigprocmask(SIG_BLOCK, &set, &oset);
+ /* Fork and return, child will daemonize. */
+ switch (pid = fork()) {
+ case -1:
+ /* Error */
+ err(1, "cannot fork");
+ break;
+ case 0:
+ /* Child */
+ switch (pid = fork()) {
+ case -1:
+ /* Error. */
+ mysyslog(LOG_ERR, "cannot fork: %m");
+ _exit(1);
+ case 0:
+ /* Grandchild continues below. */
+ break;
+ default:
+ /* Parent will wait for us. */
+ _exit(0);
+ }
+ break;
+ default:
+ /* Parent */
+ do {
+#ifdef HAVE_WAITPID
+ rv = waitpid(pid, &status, 0);
+#else
+ rv = wait(&status);
+#endif
+ } while (rv == -1 && errno == EINTR);
+ return;
+ }
+
+ /* Daemonize - disassociate from session/tty. */
+#ifdef HAVE_SETSID
+ if (setsid() == -1)
+ warn("setsid");
+#else
+ setpgrp(0, 0);
+# ifdef TIOCNOTTY
+ if ((fd = open(_PATH_TTY, O_RDWR, 0644)) != -1) {
+ ioctl(fd, TIOCNOTTY, NULL);
+ close(fd);
+ }
+# endif
+#endif
+ chdir("/");
+ if ((fd = open(_PATH_DEVNULL, O_RDWR, 0644)) != -1) {
+ (void) dup2(fd, STDIN_FILENO);
+ (void) dup2(fd, STDOUT_FILENO);
+ (void) dup2(fd, STDERR_FILENO);
+ }
- if (pipe(pfd) == -1)
- err(1, "cannot open pipe");
+ /* Close password and other fds so we don't leak. */
+ endpwent();
+ closefrom(STDERR_FILENO + 1);
+
+ /* Ignore SIGPIPE in case mailer exits prematurely (or is missing). */
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = 0;
+ sa.sa_handler = SIG_IGN;
+ (void) sigaction(SIGPIPE, &sa, NULL);
+
+ if (pipe(pfd) == -1) {
+ mysyslog(LOG_ERR, "cannot open pipe: %m");
+ _exit(1);
+ }
switch (pid = fork()) {
case -1:
/* Error. */
- err(1, "cannot fork");
+ mysyslog(LOG_ERR, "cannot fork: %m");
+ _exit(1);
break;
case 0:
{
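Review bot: In the daemonized grandchild a failure of `open(_PATH_DEVNULL, ...)` is silently tolerated, so the mailer would then inherit sudo's stdin/stdout/stderr (normally the user's terminal) and the following `closefrom(STDERR_FILENO + 1)` does not close them; `chdir("/")` is likewise unchecked. Since every other failure on this path now goes through mysyslog() and `_exit(1)`, do the same here: an else branch with `mysyslog(LOG_ERR, "cannot open %s: %m", _PATH_DEVNULL);` followed by `_exit(1);`, and `(void) chdir("/");` to mark the ignored result as deliberate. send_mail() continues past the end of the hunk.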
@@ -517,9 +581,6 @@ send_mail(line)
}
argv[i] = NULL;
- /* Close password file so we don't leak the fd. */
- endpwent();
-
/*
* Depending on the config, either run the mailer as root
* (so user cannot kill it) or as the user (for the paranoid).
@@ -531,6 +592,7 @@ send_mail(line)
set_perms(PERM_FULL_USER);
execv(mpath, argv);
#endif /* NO_ROOT_MAILER */
+ mysyslog(LOG_ERR, "cannot execute %s: %m", mpath);
_exit(127);
}
break;
@@ -562,10 +624,14 @@ send_mail(line)
(void) fprintf(mail, "\n\n%s : %s : %s : %s\n\n", user_host,
get_timestr(), user_name, line);
fclose(mail);
-
- (void) sigprocmask(SIG_SETMASK, &oset, NULL);
- /* If mailer is done, wait for it now. If not, we'll get it later. */
- reapchild(SIGCHLD);
+ do {
+#ifdef HAVE_WAITPID
+ rv = waitpid(pid, &status, 0);
+#else
+ rv = wait(&status);
+#endif
+ } while (rv == -1 && errno == EINTR);
+ _exit(0);
}
/*
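Review bot: The grandchild reaps the mailer but never examines `status`, and the return value of `fclose(mail)` is ignored; with SIGPIPE now ignored in this process a mailer that exits early (including the `_exit(127)` exec-failure path) turns the write into a silent EPIPE and the notification is lost without trace. Log both: `if (fclose(mail) != 0) mysyslog(LOG_ERR, "error writing to mailer: %m");` and, after the wait loop, `if (rv != -1 && WIFEXITED(status) && WEXITSTATUS(status) != 0) mysyslog(LOG_ERR, "mailer exited with status %d", WEXITSTATUS(status));`. The start of send_mail() is outside the hunk.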
@@ -597,26 +663,6 @@ mail_auth(status, line)
}
/*
- * SIGCHLD sig handler--wait for children as they die.
- */
-RETSIGTYPE
-reapchild(sig)
- int sig;
-{
- int status, serrno = errno;
-#ifdef sudo_waitpid
- pid_t pid;
-
- do {
- pid = sudo_waitpid(-1, &status, WNOHANG);
- } while (pid != 0 && (pid != -1 || errno == EINTR));
-#else
- (void) wait(&status);
-#endif
- errno = serrno;
-}
-
-/*
* Return an ascii string with the current date + time
* Uses strftime() if available, else falls back to ctime().
*/
diff --git a/usr.bin/sudo/parse.c b/usr.bin/sudo/parse.c
index ce943f64eff..8c4a1e5bb59 100644
--- a/usr.bin/sudo/parse.c
+++ b/usr.bin/sudo/parse.c
@@ -90,7 +90,7 @@
#endif /* HAVE_EXTENDED_GLOB */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.16 2008/02/09 14:44:48 millert Exp $";
#endif /* lint */
/*
@@ -198,6 +198,21 @@ sudoers_lookup(pwflag)
/*
* User was granted access to cmnd on host as user.
*/
+#ifdef HAVE_SELINUX
+ /* Set role and type if not specified on command line. */
+ if (user_role == NULL) {
+ if (match[top-1].role != NULL)
+ user_role = match[top-1].role;
+ else
+ user_role = def_role;
+ }
+ if (user_type == NULL) {
+ if (match[top-1].type != NULL)
+ user_type = match[top-1].type;
+ else
+ user_type = def_type;
+ }
+#endif
set_perms(PERM_ROOT);
return(VALIDATE_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
diff --git a/usr.bin/sudo/parse.h b/usr.bin/sudo/parse.h
index 9ad008a3ae9..a9bbc8e0e7a 100644
--- a/usr.bin/sudo/parse.h
+++ b/usr.bin/sudo/parse.h
@@ -14,7 +14,7 @@
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
- * $Sudo: parse.h,v 1.14.2.1 2007/06/23 21:36:48 millert Exp $
+ * $Sudo: parse.h,v 1.14.2.2 2008/02/09 14:44:48 millert Exp $
*/
#ifndef _SUDO_PARSE_H
@@ -35,6 +35,8 @@ struct matchstack {
int nopass;
int noexec;
int setenv;
+ char *role;
+ char *type;
};
/*
@@ -46,6 +48,15 @@ struct sudo_command {
char *args;
};
+/*
+ * SELinux-specific container struct.
+ * Currently just contains a role and type.
+ */
+struct selinux_info {
+ char *role;
+ char *type;
+};
+
#define user_matches (match[top-1].user)
#define cmnd_matches (match[top-1].cmnd)
#define host_matches (match[top-1].host)
@@ -64,6 +75,12 @@ struct command_match {
char *cmnd;
size_t cmnd_len;
size_t cmnd_size;
+ char *role;
+ size_t role_len;
+ size_t role_size;
+ char *type;
+ size_t type_len;
+ size_t type_size;
int nopasswd;
int noexecve;
int setenv;
diff --git a/usr.bin/sudo/parse.lex b/usr.bin/sudo/parse.lex
index 1c4bbc79b9a..41eba105d28 100644
--- a/usr.bin/sudo/parse.lex
+++ b/usr.bin/sudo/parse.lex
@@ -55,7 +55,7 @@
#include <sudo.tab.h>
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.7 2007/08/25 02:48:01 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.10 2008/06/26 11:53:50 millert Exp $";
#endif /* lint */
#undef yywrap /* guard against a yywrap macro */
@@ -151,7 +151,7 @@ DEFVAR [a-z_]+
}
<INSTR>{
- \\\n[[:blank:]]* {
+ \\[[:blank:]]*\n[[:blank:]]* {
/* Line continuation char followed by newline. */
++sudolineno;
LEXTRACE("\n");
@@ -163,12 +163,13 @@ DEFVAR [a-z_]+
return(WORD);
}
- ([^\"\n]|\\\")+ {
+ \\ {
+ LEXTRACE("BACKSLASH ");
+ append(yytext, yyleng);
+ }
+
+ ([^\"\n\\]|\\\")+ {
LEXTRACE("STRBODY ");
- /* Push back line continuation char if present */
- if (yyleng > 2 && yytext[yyleng - 1] == '\\' &&
- isspace((unsigned char)yytext[yyleng - 2]))
- yyless(yyleng - 1);
append(yytext, yyleng);
}
}
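Review bot: The new `\\` rule carries no comment, and its purpose is only clear from rule ordering: a lone backslash that is neither a line continuation (the rule above) nor an escaped quote (handled inside the STRBODY alternative `\\\"`) is appended literally, and splitting it out is what lets the continuation rule win by longest match now that STRBODY excludes `\\`. Add `/* Lone backslash: not a continuation or \" escape, keep it literally. */` above the rule so the next reader does not fold it back into STRBODY.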
@@ -326,11 +327,21 @@ NOSETENV[[:blank:]]*: {
if (strcmp(yytext, "ALL") == 0) {
LEXTRACE("ALL ");
return(ALL);
- } else {
- fill(yytext, yyleng);
- LEXTRACE("ALIAS ");
- return(ALIAS);
}
+#ifdef HAVE_SELINUX
+ /* XXX - restrict type/role to initial state */
+ if (strcmp(yytext, "TYPE") == 0) {
+ LEXTRACE("TYPE ");
+ return(TYPE);
+ }
+ if (strcmp(yytext, "ROLE") == 0) {
+ LEXTRACE("ROLE ");
+ return(ROLE);
+ }
+#endif /* HAVE_SELINUX */
+ fill(yytext, yyleng);
+ LEXTRACE("ALIAS ");
+ return(ALIAS);
}
<GOTRUNAS>(#[0-9-]+|{WORD}) {
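Review bot: TYPE and ROLE are only recognized as keywords under HAVE_SELINUX, so on a non-SELinux build a sudoers line using `ROLE=` or `TYPE=` lexes them as ALIAS and the grammar rejects the file, even though parse.yacc's rolespec/typespec rules carry an `#else` branch that frees the word and accepts the syntax. Either return the tokens unconditionally (the parser already discards them when SELinux is off, which keeps a shared sudoers portable) or document that the tags are a hard syntax error without SELinux; the `XXX - restrict type/role to initial state` note also still stands. The enclosing WORD action starts above the hunk.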
diff --git a/usr.bin/sudo/parse.yacc b/usr.bin/sudo/parse.yacc
index 5b1c856bb16..93871b23892 100644
--- a/usr.bin/sudo/parse.yacc
+++ b/usr.bin/sudo/parse.yacc
@@ -70,7 +70,7 @@
#endif /* HAVE_LSEARCH */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.13 2008/02/27 20:34:42 millert Exp $";
#endif /* lint */
/*
@@ -140,6 +140,8 @@ int top = 0, stacksize = 0;
match[top].nopass = def_authenticate ? UNSPEC : TRUE; \
match[top].noexec = def_noexec ? TRUE : UNSPEC; \
match[top].setenv = def_setenv ? TRUE : UNSPEC; \
+ match[top].role = NULL; \
+ match[top].type = NULL; \
top++; \
} while (0)
@@ -156,6 +158,8 @@ int top = 0, stacksize = 0;
match[top].nopass = match[top-1].nopass; \
match[top].noexec = match[top-1].noexec; \
match[top].setenv = match[top-1].setenv; \
+ match[top].role = estrdup(match[top-1].role); \
+ match[top].type = estrdup(match[top-1].type); \
top++; \
} while (0)
@@ -163,8 +167,11 @@ int top = 0, stacksize = 0;
do { \
if (top == 0) \
yyerror("matching stack underflow"); \
- else \
+ else { \
+ efree(match[top-1].role); \
+ efree(match[top-1].type); \
top--; \
+ } \
} while (0)
@@ -182,6 +189,12 @@ int top = 0, stacksize = 0;
#define append_runas(s, p) append(s, &cm_list[cm_list_len].runas, \
&cm_list[cm_list_len].runas_len, &cm_list[cm_list_len].runas_size, p)
+#define append_role(s, p) append(s, &cm_list[cm_list_len].role, \
+ &cm_list[cm_list_len].role_len, &cm_list[cm_list_len].role_size, p)
+
+#define append_type(s, p) append(s, &cm_list[cm_list_len].type, \
+ &cm_list[cm_list_len].type_len, &cm_list[cm_list_len].type_size, p)
+
#define append_entries(s, p) append(s, &ga_list[ga_list_len-1].entries, \
&ga_list[ga_list_len-1].entries_len, \
&ga_list[ga_list_len-1].entries_size, p)
@@ -240,6 +253,7 @@ yyerror(s)
int BOOLEAN;
struct sudo_command command;
int tok;
+ struct selinux_info seinfo;
}
%start file /* special start symbol */
@@ -269,6 +283,8 @@ yyerror(s)
%token <tok> RUNASALIAS /* Runas_Alias keyword */
%token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */
%token <tok> ERROR
+%token <tok> TYPE /* SELinux type */
+%token <tok> ROLE /* SELinux role */
/*
* NOTE: these are not true booleans as there are actually 4 possible values:
@@ -283,6 +299,9 @@ yyerror(s)
%type <BOOLEAN> oprunasuser
%type <BOOLEAN> runaslist
%type <BOOLEAN> user
+%type <seinfo> selinux
+%type <string> rolespec
+%type <string> typespec
%%
@@ -394,6 +413,12 @@ privilege : hostlist '=' cmndspeclist {
no_passwd = def_authenticate ? UNSPEC : TRUE;
no_execve = def_noexec ? TRUE : UNSPEC;
setenv_ok = def_setenv ? TRUE : UNSPEC;
+#ifdef HAVE_SELINUX
+ efree(match[top-1].role);
+ match[top-1].role = NULL;
+ efree(match[top-1].type);
+ match[top-1].type = NULL;
+#endif
}
;
@@ -457,7 +482,18 @@ cmndspeclist : cmndspec
| cmndspeclist ',' cmndspec
;
-cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd {
+cmndspec : { SETENV_RESET; } runasspec selinux cmndtag opcmnd {
+#ifdef HAVE_SELINUX
+ /* Replace inherited role/type as needed. */
+ if ($3.role != NULL) {
+ efree(match[top-1].role);
+ match[top-1].role = $3.role;
+ }
+ if ($3.type != NULL) {
+ efree(match[top-1].type);
+ match[top-1].type = $3.type;
+ }
+#endif
/*
* Push the entry onto the stack if it is worth
* saving and reset cmnd_matches for next cmnd.
@@ -482,6 +518,7 @@ cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd {
pushcp;
else if (user_matches == TRUE && keepall)
pushcp;
+
cmnd_matches = UNSPEC;
}
;
@@ -502,6 +539,97 @@ opcmnd : cmnd {
}
;
+rolespec : ROLE '=' WORD {
+#ifdef HAVE_SELINUX
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE && runas_matches == TRUE)
+ append_role($3, NULL);
+ $$ = $3;
+#else
+ free($3);
+ $$ = NULL;
+#endif /* HAVE_SELINUX */
+ }
+ ;
+
+typespec : TYPE '=' WORD {
+#ifdef HAVE_SELINUX
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE && runas_matches == TRUE)
+ append_type($3, NULL);
+ $$ = $3;
+#else
+ free($3);
+ $$ = NULL;
+#endif /* HAVE_SELINUX */
+ }
+ ;
+
+selinux : /* empty */ {
+#ifdef HAVE_SELINUX
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE && runas_matches == TRUE) {
+ /* Inherit role. */
+ cm_list[cm_list_len].role =
+ estrdup(cm_list[cm_list_len-1].role);
+ cm_list[cm_list_len].role_len =
+ cm_list[cm_list_len-1].role_len;
+ cm_list[cm_list_len].role_size =
+ cm_list[cm_list_len-1].role_len + 1;
+ /* Inherit type. */
+ cm_list[cm_list_len].type =
+ estrdup(cm_list[cm_list_len-1].type);
+ cm_list[cm_list_len].type_len =
+ cm_list[cm_list_len-1].type_len;
+ cm_list[cm_list_len].type_size =
+ cm_list[cm_list_len-1].type_len + 1;
+ }
+#endif /* HAVE_SELINUX */
+ $$.role = NULL;
+ $$.type = NULL;
+ }
+ | rolespec {
+#ifdef HAVE_SELINUX
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE && runas_matches == TRUE) {
+ /* Inherit type. */
+ cm_list[cm_list_len].type =
+ estrdup(cm_list[cm_list_len-1].type);
+ cm_list[cm_list_len].type_len =
+ cm_list[cm_list_len-1].type_len;
+ cm_list[cm_list_len].type_size =
+ cm_list[cm_list_len-1].type_len + 1;
+ }
+#endif /* HAVE_SELINUX */
+ $$.role = $1;
+ $$.type = NULL;
+ }
+ | typespec {
+#ifdef HAVE_SELINUX
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE && runas_matches == TRUE) {
+ /* Inherit role. */
+ cm_list[cm_list_len].role =
+ estrdup(cm_list[cm_list_len-1].role);
+ cm_list[cm_list_len].role_len =
+ cm_list[cm_list_len-1].role_len;
+ cm_list[cm_list_len].role_size =
+ cm_list[cm_list_len-1].role_len + 1;
+ }
+#endif /* HAVE_SELINUX */
+ $$.type = $1;
+ $$.role = NULL;
+ }
+ | rolespec typespec {
+ $$.role = $1;
+ $$.type = $2;
+ }
+ | typespec rolespec {
+ $$.type = $1;
+ $$.role = $2;
+ }
+ ;
+
runasspec : /* empty */ {
if (printmatches == TRUE && host_matches == TRUE &&
user_matches == TRUE) {
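Review bot: The inherit branches of the `selinux` rule read `cm_list[cm_list_len-1]` whenever printmatches, host, user and runas all match, with no visible guard for `cm_list_len == 0`; for the first command spec in the file with an explicit matching runas (e.g. `user ALL = (root) /bin/ls` under `sudo -l`) that is an out-of-bounds read unless something outside the hunk guarantees an earlier entry exists. The runasspec rule below appears to rely on `runas_matches` still being UNSPEC at that point, which does not hold here because runasspec has already run. Guard each inherit block with `cm_list_len > 0` (copying NULL/0 otherwise), and the three copies of the inherit code would read better as `inherit_role`/`inherit_type` macros next to append_role/append_type.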
@@ -514,7 +642,7 @@ runasspec : /* empty */ {
cm_list[cm_list_len].runas_len =
cm_list[cm_list_len-1].runas_len;
cm_list[cm_list_len].runas_size =
- cm_list[cm_list_len-1].runas_size;
+ cm_list[cm_list_len-1].runas_len + 1;
}
}
/*
@@ -1102,6 +1230,14 @@ list_matches()
(void) printf("(%s) ", def_runas_default);
}
+#ifdef HAVE_SELINUX
+ /* SELinux role and type */
+ if (cm_list[count].role != NULL)
+ (void) printf("ROLE=%s ", cm_list[count].role);
+ if (cm_list[count].type != NULL)
+ (void) printf("TYPE=%s ", cm_list[count].type);
+#endif
+
/* Is execve(2) disabled? */
if (cm_list[count].noexecve == TRUE && !def_noexec)
(void) fputs("NOEXEC: ", stdout);
@@ -1141,6 +1277,8 @@ list_matches()
for (count = 0; count < cm_list_len; count++) {
efree(cm_list[count].runas);
efree(cm_list[count].cmnd);
+ efree(cm_list[count].role);
+ efree(cm_list[count].type);
}
efree(cm_list);
cm_list = NULL;
@@ -1245,6 +1383,7 @@ expand_match_list()
}
cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
+ cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL;
cm_list[cm_list_len].nopasswd = FALSE;
cm_list[cm_list_len].noexecve = FALSE;
cm_list[cm_list_len].setenv = FALSE;
diff --git a/usr.bin/sudo/pathnames.h b/usr.bin/sudo/pathnames.h
index 67b0a8bb543..2cde4325c9d 100644
--- a/usr.bin/sudo/pathnames.h
+++ b/usr.bin/sudo/pathnames.h
@@ -1,4 +1,4 @@
-/* pathnames.h. Generated by configure. */
+/* pathnames.h. Generated from pathnames.h.in by configure. */
/*
* Copyright (c) 1996, 1998, 1999, 2001, 2004
* Todd C. Miller <Todd.Miller@courtesan.com>.
@@ -19,7 +19,7 @@
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $
+ * $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $
*/
/*
@@ -87,7 +87,7 @@
#endif /* _PATH_SUDO_SENDMAIL */
#ifndef _PATH_SUDO_NOEXEC
-#define _PATH_SUDO_NOEXEC "/usr/libexec/sudo_noexec"
+#define _PATH_SUDO_NOEXEC "/usr/local/libexec/sudo_noexec.so"
#endif /* _PATH_SUDO_NOEXEC */
#ifndef _PATH_VI
@@ -102,6 +102,10 @@
#define _PATH_BSHELL "/bin/sh"
#endif /* _PATH_BSHELL */
+#ifndef _PATH_SUDO_SESH
+#define _PATH_SUDO_SESH "/usr/local/libexec/sesh"
+#endif /* _PATH_SUDO_SESH */
+
#ifndef _PATH_TMP
#define _PATH_TMP "/tmp/"
#endif /* _PATH_TMP */
diff --git a/usr.bin/sudo/pathnames.h.in b/usr.bin/sudo/pathnames.h.in
index cef07932eb6..3fc32495cf1 100644
--- a/usr.bin/sudo/pathnames.h.in
+++ b/usr.bin/sudo/pathnames.h.in
@@ -18,7 +18,7 @@
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $
+ * $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $
*/
/*
@@ -101,6 +101,10 @@
#undef _PATH_BSHELL
#endif /* _PATH_BSHELL */
+#ifndef _PATH_SUDO_SESH
+#undef _PATH_SUDO_SESH
+#endif /* _PATH_SUDO_SESH */
+
#ifndef _PATH_TMP
#define _PATH_TMP "/tmp/"
#endif /* _PATH_TMP */
diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c
index 021e0e560b7..3405e1f5def 100644
--- a/usr.bin/sudo/sudo.c
+++ b/usr.bin/sudo/sudo.c
@@ -96,13 +96,16 @@
# include <project.h>
# include <sys/task.h>
#endif
+#ifdef HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
#include "sudo.h"
#include "interfaces.h"
#include "version.h"
#ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.34 2007/12/13 14:12:49 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.43 2008/07/02 10:28:43 millert Exp $";
#endif /* lint */
/*
@@ -152,7 +155,7 @@ login_cap_t *lc;
#ifdef HAVE_BSD_AUTH_H
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
-sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
+sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
int
@@ -201,8 +204,6 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &sa, &saved_sa_int);
(void) sigaction(SIGQUIT, &sa, &saved_sa_quit);
(void) sigaction(SIGTSTP, &sa, &saved_sa_tstp);
- sa.sa_handler = reapchild;
- (void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
/*
* Turn off core dumps and close open files.
@@ -270,25 +271,22 @@ main(argc, argv, envp)
validated = sudo_ldap_check(pwflag);
/* Skip reading /etc/sudoers if LDAP told us to */
- if (def_ignore_local_sudoers); /* skips */
- else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */
- else if (ISSET(validated, VALIDATE_OK) && printmatches)
- {
- check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
+ if (!def_ignore_local_sudoers) {
+ int v;
- /* User is found in LDAP and we want a list of all sudo commands the
- * user can do, so consult sudoers but throw away result.
- */
- sudoers_lookup(pwflag);
- }
- else
-#endif
- {
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
- /* Validate the user but don't search for pseudo-commands. */
- validated = sudoers_lookup(pwflag);
+ /* Local sudoers file overrides LDAP if we have a match. */
+ v = sudoers_lookup(pwflag);
+ if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK))
+ validated = v;
}
+#else
+ check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
+
+ /* Validate the user but don't search for pseudo-commands. */
+ validated = sudoers_lookup(pwflag);
+#endif
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
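Review bot: The comment `Local sudoers file overrides LDAP if we have a match` is narrower than the code: `validated` is replaced only when the local lookup returns VALIDATE_OK (or LDAP returned VALIDATE_ERROR), so a local sudoers entry that explicitly denies the command, or a local file with no match, cannot revoke an LDAP allow. That asymmetry is policy-relevant and should be spelled out, e.g. `/* A local sudoers *allow* overrides LDAP; a local deny or no-match leaves the LDAP result in place. */`, and mirrored in sudoers(5). main() continues outside the hunk.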
@@ -437,13 +435,18 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
- (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
- else
+ else {
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled() > 0 && user_role != NULL)
+ selinux_exec(user_role, user_type, NewArgv, environ,
+ ISSET(sudo_mode, MODE_LOGIN_SHELL));
+#endif
execve(safe_cmnd, NewArgv, environ);
+ }
#else
exit(0);
#endif /* PROFILING */
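Review bot: selinux_exec() is only invoked when `user_role != NULL`, so a `-t type` given without `-r`, or a sudoers/LDAP TYPE without a ROLE, is silently dropped and the command runs in the default context; either reject that combination in parse_args() or gate on `user_role != NULL || user_type != NULL` and handle the missing role explicitly. Also, if selinux_exec() can return on failure, control falls through to the plain `execve(safe_cmnd, ...)` and the command runs without the requested context — its body is not in this diff, so confirm it never returns, otherwise follow the call with an error exit so the policy fails closed. main() starts outside the hunk.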
@@ -610,8 +613,10 @@ init_vars(sudo_mode, envp)
log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
set_runaspw(*user_runas); /* may call log_error() */
- if (*user_runas[0] == '#' && runas_pw->pw_name && runas_pw->pw_name[0])
- *user_runas = estrdup(runas_pw->pw_name);
+ if (*user_runas[0] == '#') {
+ if (runas_pw->pw_name != *user_runas && runas_pw->pw_name[0])
+ *user_runas = estrdup(runas_pw->pw_name);
+ }
/*
* Get current working directory. Try as user, fall back to root.
@@ -858,6 +863,28 @@ parse_args(argc, argv)
case 'E':
SET(rval, MODE_PRESERVE_ENV);
break;
+#ifdef HAVE_SELINUX
+ case 'r':
+ /* Must have an associated SELinux role. */
+ if (NewArgv[1] == NULL)
+ usage(1);
+
+ user_role = NewArgv[1];
+
+ NewArgc--;
+ NewArgv++;
+ break;
+ case 't':
+ /* Must have an associated SELinux type. */
+ if (NewArgv[1] == NULL)
+ usage(1);
+
+ user_type = NewArgv[1];
+
+ NewArgc--;
+ NewArgv++;
+ break;
+#endif
case '-':
NewArgc--;
NewArgv++;
@@ -893,7 +920,10 @@ args_done:
warnx("you may not specify environment variables in edit mode");
usage(1);
}
-
+ if (ISSET(rval, MODE_PRESERVE_ENV) && ISSET(rval, MODE_LOGIN_SHELL)) {
+ warnx("you may not specify both the `-i' and `-E' options");
+ usage(1);
+ }
if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) {
if (excl != '\0')
warnx("the `-u' and '-%c' options may not be used together", excl);
@@ -992,9 +1022,25 @@ static void
initial_setup()
{
int miss[3], devnull = -1;
-#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
+#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL))
struct rlimit rl;
+#endif
+#if defined(__linux__)
+ /*
+ * Unlimit the number of processes since Linux's setuid() will
+ * apply resource limits when changing uid and return EAGAIN if
+ * nproc would be violated by the uid switch.
+ */
+ rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
+ if (setrlimit(RLIMIT_NPROC, &rl)) {
+ if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
+ rl.rlim_cur = rl.rlim_max;
+ (void)setrlimit(RLIMIT_NPROC, &rl);
+ }
+ }
+#endif /* __linux__ */
+#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
/*
* Turn off core dumps.
*/
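Review bot: RLIMIT_NPROC is raised to RLIM_INFINITY (or to the hard limit) to get past setuid()'s EAGAIN, but nothing in this hunk saves the original limit or restores it before the command is executed, so every command run through sudo inherits the raised limit and a per-user nproc cap the administrator set (e.g. via limits.conf) is bypassed for the target user. Save the current `rl` before the change and restore it with `setrlimit(RLIMIT_NPROC, &saved_rl)` after the uid switch and before execve, unless that already happens somewhere outside this diff. If leaving it raised is intentional, a comment saying so and why is the minimum; initial_setup() continues past the hunk.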
@@ -1194,6 +1240,11 @@ set_runaspw(user)
runas_pw = emalloc(sizeof(struct passwd));
(void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));
runas_pw->pw_uid = atoi(user + 1);
+ runas_pw->pw_name = user;
+ runas_pw->pw_passwd = "*";
+ runas_pw->pw_gecos = user;
+ runas_pw->pw_dir = "/";
+ runas_pw->pw_shell = estrdup(_PATH_BSHELL);
}
} else {
runas_pw = sudo_getpwnam(user);
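Review bot: The synthetic passwd entry for `#uid` now fills the string fields, but `pw_gid` is still whatever the memset above left (0), and `pw_name`/`pw_gecos` alias the caller's `user` buffer while `pw_shell` is estrdup'd, so string ownership in the struct is inconsistent and a uid with no passwd entry presumably gets gid 0 if set_perms() applies `runas_pw->pw_gid` (not visible here). Set `pw_gid` explicitly to the intended group and comment it, e.g. `runas_pw->pw_gid = ...; /* unknown uid: no passwd entry, so the group must be chosen here */`, and either estrdup `pw_name` too or note that it borrows `user`. set_runaspw() begins outside the hunk.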
@@ -1273,7 +1324,13 @@ usage(exit_val)
#ifdef HAVE_LOGIN_CAP_H
" [-c class|-]",
#endif
+#ifdef HAVE_SELINUX
+ " [-r role]",
+#endif
" [-p prompt]",
+#ifdef HAVE_SELINUX
+ " [-t type]",
+#endif
" [-u username|#uid]",
" [VAR=value]",
" {-i | -s | <command>}",
diff --git a/usr.bin/sudo/sudo.h b/usr.bin/sudo/sudo.h
index 665deb639f4..889cd4abc83 100644
--- a/usr.bin/sudo/sudo.h
+++ b/usr.bin/sudo/sudo.h
@@ -17,7 +17,7 @@
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: sudo.h,v 1.209.2.13 2007/11/27 23:41:23 millert Exp $
+ * $Sudo: sudo.h,v 1.209.2.14 2008/02/09 14:44:48 millert Exp $
*/
#ifndef _SUDO_SUDO_H
@@ -53,6 +53,10 @@ struct sudo_user {
int ngroups;
GETGROUPS_T *groups;
struct list_member *env_vars;
+#ifdef HAVE_SELINUX
+ char *role;
+ char *type;
+#endif
};
/*
@@ -149,6 +153,8 @@ struct sudo_user {
#define safe_cmnd (sudo_user.cmnd_safe)
#define login_class (sudo_user.class_name)
#define runas_pw (sudo_user._runas_pw)
+#define user_role (sudo_user.role)
+#define user_type (sudo_user.type)
/*
* We used to use the system definition of PASS_MAX or _PASSWD_LEN,
@@ -262,6 +268,9 @@ char *sudo_getepw __P((const struct passwd *));
int pam_prep_user __P((struct passwd *));
void zero_bytes __P((volatile VOID *, size_t));
int gettime __P((struct timespec *));
+#ifdef HAVE_SELINUX
+void selinux_exec __P((char *, char *, char **, char **, int));
+#endif
YY_DECL;
/* Only provide extern declarations outside of sudo.c. */
diff --git a/usr.bin/sudo/sudo.pod b/usr.bin/sudo/sudo.pod
index b6562b08ac3..f88c68f04b9 100644
--- a/usr.bin/sudo/sudo.pod
+++ b/usr.bin/sudo/sudo.pod
@@ -1,4 +1,3 @@
-=cut
Copyright (c) 1994-1996, 1998-2005, 2007
Todd C. Miller <Todd.Miller@courtesan.com>
@@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudo.pod,v 1.70.2.20 2008/01/05 23:59:42 millert Exp $
+$Sudo: sudo.pod,v 1.70.2.24 2008/02/19 18:22:11 millert Exp $
=pod
=head1 NAME
@@ -30,11 +29,16 @@ sudo, sudoedit - execute a command as another user
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-l> | B<-V> | B<-v>
-B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]>
-S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
+B<sudo> [B<-bEHPS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-c> I<class>|I<->]>
+S<[B<-p> I<prompt>]>
+S<[B<-u> I<username>|I<#uid>]>
S<[B<VAR>=I<value>]> S<{B<-i> | B<-s> | I<command>}>
-B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
+B<sudoedit> [B<-S>]
+S<[B<-a> I<auth_type>]>
+S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
file ...
@@ -458,11 +462,15 @@ Default editor to use in B<-e> (sudoedit) mode
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
-=item F<@sysconfdir@/sudoers>C< >List of who can run what
+=item F<@timedir@>
-=item F<@timedir@>C< >Directory containing timestamps
+Directory containing timestamps
=back
@@ -495,8 +503,9 @@ to make the C<cd> and file redirection work.
=head1 SEE ALSO
-L<grep(1)>, L<su(1)>, L<stat(2)>, L<login_cap(3)>, L<passwd(5)>,
-L<sudoers(5)>, L<visudo(8)>
+L<grep(1)>, L<su(1)>, L<stat(2)>,
+L<login_cap(3)>,
+L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
=head1 AUTHORS
diff --git a/usr.bin/sudo/sudo_edit.c b/usr.bin/sudo/sudo_edit.c
index 50759996518..5ed8e66ce92 100644
--- a/usr.bin/sudo/sudo_edit.c
+++ b/usr.bin/sudo/sudo_edit.c
@@ -62,10 +62,10 @@
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.8 2007/09/03 20:28:31 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.9 2008/06/21 00:47:52 millert Exp $";
#endif /* lint */
-extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
+extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
extern char **environ;
/*
@@ -231,11 +231,10 @@ int sudo_edit(argc, argv, envp)
nargv[ac++] = tf[i++].tfile;
nargv[ac] = NULL;
- /* We wait for our own children and can be suspended. */
+ /* Allow the editor to be suspended. */
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
sa.sa_handler = SIG_DFL;
- (void) sigaction(SIGCHLD, &sa, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
/*
@@ -251,7 +250,6 @@ int sudo_edit(argc, argv, envp)
/* child */
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
- (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
set_perms(PERM_FULL_USER);
endpwent();
endgrent();
diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod
index 91dfd849446..c5ebc61250f 100644
--- a/usr.bin/sudo/sudoers.pod
+++ b/usr.bin/sudo/sudoers.pod
@@ -1,4 +1,3 @@
-=cut
Copyright (c) 1994-1996, 1998-2005, 2007
Todd C. Miller <Todd.Miller@courtesan.com>
@@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.95.2.23 2008/01/05 23:59:42 millert Exp $
+$Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $
=pod
=head1 NAME
@@ -299,7 +298,7 @@ For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
-F</usr/bin/lprm> as root on the machine rushmore as B<root> without
+F</usr/bin/lprm> as B<root> on the machine rushmore without
authenticating himself. If we only want B<ray> to be able to
run F</bin/kill> without a password the entry would be:
@@ -500,14 +499,14 @@ of B<sudo>).
=item ignore_local_sudoers
-If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
+If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
-When this option is present, @sysconfdir@/sudoers does not even need to exist.
-Since this option tells B<sudo> how to behave when no specific LDAP entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is I<off> by default.
+rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
+When this option is present, F<@sysconfdir@/sudoers> does not even need to
+exist. Since this option tells B<sudo> how to behave when no specific LDAP
+entries have been matched, this sudoOption is only meaningful for the
+C<cn=defaults> section. This flag is I<off> by default.
=item insults
@@ -1021,15 +1020,18 @@ B<notice>, and B<warning>.
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
-=item F<@sysconfdir@/sudoers>C< >
List of who can run what
-=item F</etc/group>C< >
+=item F</etc/group>
+
Local groups file
-=item F</etc/netgroup>C< >
+=item F</etc/netgroup>
+
List of network groups
=back
diff --git a/usr.bin/sudo/testsudoers.c b/usr.bin/sudo/testsudoers.c
index 756d331e74e..3b213f36f2b 100644
--- a/usr.bin/sudo/testsudoers.c
+++ b/usr.bin/sudo/testsudoers.c
@@ -75,7 +75,7 @@
#endif /* HAVE_FNMATCH */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.6 2007/10/24 16:43:27 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.7 2008/02/09 14:44:49 millert Exp $";
#endif /* lint */
@@ -542,6 +542,10 @@ main(argc, argv)
(void) printf("no_passwd : %d\n", no_passwd);
(void) printf("runas_match: %d\n", runas_matches);
(void) printf("runas : %s\n", *user_runas);
+ if (match[top-1].role)
+ (void) printf("role : %s\n", match[top-1].role);
+ if (match[top-1].type)
+ (void) printf("type : %s\n", match[top-1].type);
top--;
}
}
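Review bot: The new `match[top-1].role` and `match[top-1].type` reads depend on `top >= 1`, which only the enclosing loop condition (outside this hunk) can guarantee; both prints are correctly guarded against NULL, so the sole risk is entering this block with `top == 0`. Since `match[top-1]` is now evaluated four times before the `top--`, hoisting the element into a local and printing through it would make the bound check obvious and keep these diagnostic lines in step if the index expression ever changes.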
diff --git a/usr.bin/sudo/tgetpass.c b/usr.bin/sudo/tgetpass.c
index 9e22b5d64c2..2c94cdb11a2 100644
--- a/usr.bin/sudo/tgetpass.c
+++ b/usr.bin/sudo/tgetpass.c
@@ -70,7 +70,7 @@
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.7 2008/06/21 00:27:01 millert Exp $";
#endif /* lint */
#ifndef TCSASOFT
@@ -89,14 +89,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 1
#endif
/*
- * QNX 6 (at least) has issues with TCSAFLUSH.
- */
-#ifdef __QNX__
-#undef TCSAFLUSH
-#define TCSAFLUSH TCSADRAIN
-#endif
-
-/*
* Compat macros for non-termios systems.
*/
#ifndef HAVE_TERMIOS_H
diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h
index a51e62a4f0d..c9459cc1957 100644
--- a/usr.bin/sudo/version.h
+++ b/usr.bin/sudo/version.h
@@ -17,12 +17,12 @@
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $
+ * $Sudo: version.h,v 1.66.2.20 2008/06/22 20:29:03 millert Exp $
*/
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.9p12";
+static const char version[] = "1.6.9p17";
#endif /* _SUDO_VERSION_H */
diff --git a/usr.bin/sudo/visudo.c b/usr.bin/sudo/visudo.c
index 0310d84d4cd..4fdcd8f46a3 100644
--- a/usr.bin/sudo/visudo.c
+++ b/usr.bin/sudo/visudo.c
@@ -78,7 +78,7 @@
#include "version.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.10 2007/09/01 13:39:13 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.11 2008/06/21 00:47:52 millert Exp $";
#endif /* lint */
struct sudoersfile {
@@ -590,12 +590,7 @@ run_command(path, argv)
char **argv;
{
int status;
- pid_t pid;
- sigset_t set, oset;
-
- (void) sigemptyset(&set);
- (void) sigaddset(&set, SIGCHLD);
- (void) sigprocmask(SIG_BLOCK, &set, &oset);
+ pid_t pid, rv;
switch (pid = fork()) {
case -1:
@@ -603,7 +598,6 @@ run_command(path, argv)
Exit(-1);
break; /* NOTREACHED */
case 0:
- (void) sigprocmask(SIG_SETMASK, &oset, NULL);
endpwent();
closefrom(STDERR_FILENO + 1);
execv(path, argv);
@@ -612,15 +606,15 @@ run_command(path, argv)
break; /* NOTREACHED */
}
+ do {
#ifdef sudo_waitpid
- pid = sudo_waitpid(pid, &status, 0);
+ rv = sudo_waitpid(pid, &status, 0);
#else
- pid = wait(&status);
+ rv = wait(&status);
#endif
+ } while (rv == -1 && errno == EINTR);
- (void) sigprocmask(SIG_SETMASK, &oset, NULL);
-
- if (pid == -1 || !WIFEXITED(status))
+ if (rv == -1 || !WIFEXITED(status))
return(-1);
return(WEXITSTATUS(status));
}
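Review bot: In the `#else` fallback the new loop retries `wait(&status)` on EINTR but still accepts whatever pid `wait()` returns as the editor's, so if any other child exists `status` would describe the wrong process; the loop should also keep waiting while `rv != pid`: `} while ((rv == -1 && errno == EINTR) || (rv != -1 && rv != pid));`. The `errno` test introduced here needs `<errno.h>`, whose include is outside the hunk — confirm it is already present in visudo.c. Dropping the SIGCHLD block/unblock is consistent with the synchronous wait, assuming no SIGCHLD handler remains installed elsewhere. run_command begins before this hunk.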
diff --git a/usr.bin/sudo/visudo.pod b/usr.bin/sudo/visudo.pod
index 0743b938672..d914fab45e7 100644
--- a/usr.bin/sudo/visudo.pod
+++ b/usr.bin/sudo/visudo.pod
@@ -1,4 +1,3 @@
-=cut
Copyright (c) 1996,1998-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
@@ -18,7 +17,7 @@ Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: visudo.pod,v 1.38.2.9 2007/08/13 16:23:31 millert Exp $
+$Sudo: visudo.pod,v 1.38.2.10 2008/02/19 15:45:12 millert Exp $
=pod
=head1 NAME
@@ -125,11 +124,15 @@ Used by visudo if VISUAL is not set
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
-=item F<@sysconfdir@/sudoers>C< >List of who can run what
+=item F<@sysconfdir@/sudoers.tmp>
-=item F<@sysconfdir@/sudoers.tmp>C< >Lock file for visudo
+Lock file for visudo
=back