author | Todd C. Miller <millert@cvs.openbsd.org> | 2008-01-07 14:10:09 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2008-01-07 14:10:09 +0000 |
commit | 60cf1580bd16c58a8c23c32887781a4a24039a8a (patch) | |
tree | 3951f3a8390a6440235344004da5e0dcb7fb618f /usr.bin | |
parent | d43baef7aecad5b8a465e8a723b5897ddf157172 (diff) |
Update to sudo 1.6.9p11
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/sudo/CHANGES | 14 | ||||
-rw-r--r-- | usr.bin/sudo/Makefile.in | 4 | ||||
-rw-r--r-- | usr.bin/sudo/README.LDAP | 24 | ||||
-rw-r--r-- | usr.bin/sudo/check.c | 24 | ||||
-rw-r--r-- | usr.bin/sudo/config.h.in | 12 | ||||
-rw-r--r-- | usr.bin/sudo/configure | 102 | ||||
-rw-r--r-- | usr.bin/sudo/configure.in | 16 | ||||
-rw-r--r-- | usr.bin/sudo/ldap.c | 187 | ||||
-rw-r--r-- | usr.bin/sudo/sudo.pod | 7 | ||||
-rw-r--r-- | usr.bin/sudo/sudoers.pod | 7 | ||||
-rw-r--r-- | usr.bin/sudo/version.h | 4 |
11 files changed, 339 insertions, 62 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES index 8aa51fc7636..08be41123a6 100644 --- a/usr.bin/sudo/CHANGES +++ b/usr.bin/sudo/CHANGES @@ -2015,3 +2015,17 @@ Sudo 1.6.9p9 released. in addition to the existing start_tls support. Sudo 1.6.9p10 released. + +637) Fixed a compilation problem on SCO related to how they + store the high resolution timestamps in struct stat. + +638) Avoid checking the passwd file group multiple times + in the LDAP query when the user's passwd group is also + listed in the supplemental group vector. + +639) The URI specifier can now be used in ldap.conf even when + the LDAP SDK doesn't support ldap_initialize(). + +640) New %p prompt escape that expands to the user whose password + is being prompted, as specified by the rootpw, targetpw and + runaspw sudoers flags. Based on a diff from Patrick Schoenfeld. diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in index 8073eb32e2a..c0472bd7ea0 100644 --- a/usr.bin/sudo/Makefile.in +++ b/usr.bin/sudo/Makefile.in @@ -20,7 +20,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246.2.21 2007/12/17 19:18:14 millert Exp $ +# $Sudo: Makefile.in,v 1.246.2.22 2008/01/05 23:31:51 millert Exp $ # #### Start of system configuration section. #### @@ -131,7 +131,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.9p10 +VERSION = 1.6.9p11 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP \ diff --git a/usr.bin/sudo/README.LDAP b/usr.bin/sudo/README.LDAP index 540df8d41b9..501471d6803 100644 --- a/usr.bin/sudo/README.LDAP +++ b/usr.bin/sudo/README.LDAP 
@@ -210,15 +210,26 @@ option. Make sure you sudoers_base matches exactly with the location you specified when you imported the sudoers. Below is an example /etc/ldap.conf - # Either specify a URI or host and port. - # If neither is specified sudo will default to localhost port 389. + # Either specify one or more URIs or one or more host:port pairs. + # If neither is specified sudo will default to localhost, port 389. + # #host ldapserver + #host ldapserver1 ldapserver2:390 + # + # Default port if host is specified without one, defaults to 389. #port 389 # - # URI will override host & port settings but only works with LDAP - # SDK's that support ldap_initialize() such as OpenLDAP. + # URI will override the host and port settings. uri ldap://ldapserver #uri ldaps://secureldapserver + #uri ldaps://secureldapserver ldap://ldapserver + # + # The amount of time, in seconds, to wait while trying to connect to + # an LDAP server. + bind_timelimit 30 + # + # The amount of time, in seconds, to wait while performing an LDAP query. + timelimit 30 # # must be set or sudo will ignore LDAP sudoers_base ou=SUDOers,dc=example,dc=com @@ -336,9 +347,8 @@ Here is an example: sudoCommand: ALL Another difference is that negations on the Host, User or Runas are -currently ignorred. For example, these attributes do not work how they first -seem. If you desperately want this to be changed, contact Aaron Spangler -(aaron@spangler.ods.org). +currently ignorred. For example, these attributes do not work how +they first seem. # does not match all but joe # rather, does not match anyone diff --git a/usr.bin/sudo/check.c b/usr.bin/sudo/check.c index 3d527f23fe8..4889ac7af96 100644 --- a/usr.bin/sudo/check.c +++ b/usr.bin/sudo/check.c 
@@ -63,7 +63,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: check.c,v 1.223.2.9 2007/07/06 19:52:13 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: check.c,v 1.223.2.10 2008/01/05 23:59:42 millert Exp $"; #endif /* lint */ /* Status codes for timestamp_status() */ @@ -206,6 +206,16 @@ expand_prompt(old_prompt, user, host) len += strlen(user_host) - 2; subst = 1; break; + case 'p': + p++; + if (def_rootpw) + len += 2; + else if (def_targetpw || def_runaspw) + len += strlen(*user_runas) - 2; + else + len += strlen(user_name) - 2; + subst = 1; + break; case 'u': p++; len += strlen(user_name) - 2; @@ -247,6 +257,18 @@ expand_prompt(old_prompt, user, host) goto oflow; np += n; continue; + case 'p': + p++; + if (def_rootpw) + n = strlcpy(np, "root", np - endp); + else if (def_targetpw || def_runaspw) + n = strlcpy(np, *user_runas, np - endp); + else + n = strlcpy(np, user_name, np - endp); + if (n >= np - endp) + goto oflow; + np += n; + continue; case 'u': p++; n = strlcpy(np, user_name, np - endp); diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in index 2d45f3cb695..822ff6b2358 100644 --- a/usr.bin/sudo/config.h.in +++ b/usr.bin/sudo/config.h.in @@ -374,6 +374,9 @@ /* Define to 1 if your struct stat has an st_mtim member */ #undef HAVE_ST_MTIM +/* Define to 1 if your struct stat uses an st__tim union */ +#undef HAVE_ST__TIM + /* Define to 1 if your struct stat has an st_mtimespec member */ #undef HAVE_ST_MTIMESPEC 
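Review bot: The new `%p` case in the third hunk passes `np - endp` as the strlcpy size and then checks `n >= np - endp`, the same operand order the neighbouring `%u` case uses; if `endp` marks the end of the new prompt buffer as its name suggests (it is assigned outside the hunk), that difference is negative, converts to a very large size_t, and the `oflow` guard can never fire, leaving the copy bounded only by the earlier length pass. That length pass is consistent for `%p` — `len += 2` accounts for the four characters of "root" replacing the two-character escape — but a comment such as `/* "root" is 4 chars, "%p" is 2 */` would make that arithmetic self-explaining. Worth confirming `endp`'s definition and, if it is the buffer end, writing `endp - np` in both the size argument and the comparison for this and the existing cases. expand_prompt starts and ends outside the hunk.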
@@ -635,8 +638,13 @@ * so the last 3 digits of tv_nsec are not significant. */ #ifdef HAVE_ST_MTIM -# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) -# define mtim_getnsec(_x) (((_x).st_mtim.tv_nsec / 1000) * 1000) +# ifdef HAVE_ST__TIM +# define mtim_getsec(_x) ((_x).st_mtim.st__tim.tv_sec) +# define mtim_getnsec(_x) (((_x).st_mtim.st__tim.tv_nsec / 1000) * 1000) +# else +# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) +# define mtim_getnsec(_x) (((_x).st_mtim.tv_nsec / 1000) * 1000) +# endif #else # ifdef HAVE_ST_MTIMESPEC # define mtim_getsec(_x) ((_x).st_mtimespec.tv_sec) diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure index 29b474fc02c..b36ee338f82 100644 --- a/usr.bin/sudo/configure +++ b/usr.bin/sudo/configure 
@@ -17660,6 +17660,106 @@ if test $ac_cv_member_struct_stat_st_mtim = yes; then #define HAVE_ST_MTIM 1 _ACEOF + { echo "$as_me:$LINENO: checking for struct stat.st_mtim.st__tim" >&5 +echo $ECHO_N "checking for struct stat.st_mtim.st__tim... $ECHO_C" >&6; } +if test "${ac_cv_member_struct_stat_st_mtim_st__tim+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (ac_aggr.st_mtim.st__tim) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_member_struct_stat_st_mtim_st__tim=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (sizeof ac_aggr.st_mtim.st__tim) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_member_struct_stat_st_mtim_st__tim=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_member_struct_stat_st_mtim_st__tim=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ echo "$as_me:$LINENO: result: $ac_cv_member_struct_stat_st_mtim_st__tim" >&5 +echo "${ECHO_T}$ac_cv_member_struct_stat_st_mtim_st__tim" >&6; } +if test $ac_cv_member_struct_stat_st_mtim_st__tim = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_ST__TIM 1 +_ACEOF + +fi + else { echo "$as_me:$LINENO: checking for struct stat.st_mtimespec" >&5 echo $ECHO_N "checking for struct stat.st_mtimespec... $ECHO_C" >&6; } @@ -24071,3 +24171,5 @@ fi + + diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in index a64fb6978cc..a766f923cc2 100644 --- a/usr.bin/sudo/configure.in +++ b/usr.bin/sudo/configure.in @@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.34 2007/12/19 19:29:29 millert Exp $ +dnl $Sudo: configure.in,v 1.413.2.36 2008/01/03 16:05:42 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com> dnl 
@@ -1719,7 +1719,9 @@ AC_CHECK_FUNCS(mkstemp, [], [SUDO_OBJS="${SUDO_OBJS} mkstemp.o" ]) AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1]) if test X"$ac_cv_type_struct_timespec" != X"no"; then - AC_CHECK_MEMBER([struct stat.st_mtim], AC_DEFINE(HAVE_ST_MTIM), [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))]) + AC_CHECK_MEMBER([struct stat.st_mtim], [AC_DEFINE(HAVE_ST_MTIM)] + [AC_CHECK_MEMBER([struct stat.st_mtim.st__tim], AC_DEFINE(HAVE_ST__TIM))], + [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))]) AC_MSG_CHECKING([for two-parameter timespecsub]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h> #include <sys/time.h>]], [[struct timespec ts1, ts2; @@ -2431,6 +2433,7 @@ AH_TEMPLATE(HAVE_SIA, [Define to 1 if you use SIA authentication.]) AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) +AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union]) AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member]) AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member]) AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.]) 
@@ -2471,8 +2474,13 @@ AH_BOTTOM([/* * so the last 3 digits of tv_nsec are not significant. */ #ifdef HAVE_ST_MTIM -# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) -# define mtim_getnsec(_x) (((_x).st_mtim.tv_nsec / 1000) * 1000) +# ifdef HAVE_ST__TIM +# define mtim_getsec(_x) ((_x).st_mtim.st__tim.tv_sec) +# define mtim_getnsec(_x) (((_x).st_mtim.st__tim.tv_nsec / 1000) * 1000) +# else +# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) +# define mtim_getnsec(_x) (((_x).st_mtim.tv_nsec / 1000) * 1000) +# endif #else # ifdef HAVE_ST_MTIMESPEC # define mtim_getsec(_x) ((_x).st_mtimespec.tv_sec) diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c index 85762ab7d99..c4fbfbf6008 100644 --- a/usr.bin/sudo/ldap.c +++ b/usr.bin/sudo/ldap.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2003-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * This code is derived from software contributed by Aaron Spangler. * @@ -45,6 +45,7 @@ # include <unistd.h> #endif /* HAVE_UNISTD_H */ #include <ctype.h> +#include <limits.h> #include <pwd.h> #include <grp.h> #include <netinet/in.h> @@ -65,7 +66,7 @@ #include "parse.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.28 2007/12/19 19:29:32 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.32 2008/01/05 23:27:10 millert Exp $"; #endif /* lint */ #ifndef LINE_MAX 
@@ -183,6 +184,127 @@ static void sudo_ldap_update_defaults __P((LDAP *)); static void sudo_ldap_close __P((LDAP *)); static LDAP *sudo_ldap_open __P((void)); +#ifndef HAVE_LDAP_INITIALIZE +/* + * For each uri, convert to host:port pairs. For ldaps:// enable SSL + * Accepts: uris of the form ldap:/// or ldap://hostname:portnum/ + * where the trailing slash is optional. + */ +static int +sudo_ldap_parse_uri(uri_list) + const char *uri_list; +{ + char *buf, *uri, *host, *cp, *port; + char hostbuf[LINE_MAX]; + int nldap = 0, nldaps = 0; + int rc = -1; + + buf = estrdup(uri_list); + hostbuf[0] = '\0'; + for ((uri = strtok(buf, " \t")); uri != NULL; (uri = strtok(NULL, " \t"))) { + if (strncasecmp(uri, "ldap://", 7) == 0) { + nldap++; + host = uri + 7; + } else if (strncasecmp(uri, "ldaps://", 8) == 0) { + nldaps++; + host = uri + 8; + } else { + warnx("unsupported LDAP uri type: %s", uri); + goto done; + } + + /* trim optional trailing slash */ + if ((cp = strrchr(host, '/')) != NULL && cp[1] == '\0') { + *cp = '\0'; + } + + if (hostbuf[0] != '\0') { + if (strlcat(hostbuf, " ", sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + } + + if (*host == '\0') + host = "localhost"; /* no host specified, use localhost */ + + if (strlcat(hostbuf, host, sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + + /* If using SSL and no port specified, add port 636 */ + if (nldaps) { + if ((port = strrchr(host, ':')) == NULL || !isdigit(port[1])) + if (strlcat(hostbuf, ":636", sizeof(hostbuf)) >= sizeof(hostbuf)) + goto toobig; + } + } + if (hostbuf[0] == '\0') { + warnx("invalid uri: %s", uri_list); + goto done; + } + + if (nldaps != 0) { + if (nldap != 0) { + warnx("cannot mix ldap and ldaps URIs"); + goto done; + } + if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) { + warnx("cannot mix ldaps and starttls"); + goto done; + } + ldap_conf.ssl_mode = SUDO_LDAP_SSL; + } + + free(ldap_conf.host); + ldap_conf.host = estrdup(hostbuf); + rc = 0; + +done: + efree(buf); + return(rc); + 
+toobig: + errx(1, "sudo_ldap_parse_uri: out of space building hostbuf"); +} +#endif /* HAVE_LDAP_INITIALIZE */ + +static int +sudo_ldap_init(ldp, host, port) + LDAP **ldp; + const char *host; + int port; +{ + LDAP *ld = NULL; + int rc = LDAP_CONNECT_ERROR; + +#ifdef HAVE_LDAPSSL_INIT + if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { + DPRINTF(("ldapssl_clientauth_init(%s, %s)", + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", + ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, + ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); + if (rc != LDAP_SUCCESS) { + warnx("unable to initialize SSL cert and key db: %s", + ldapssl_err2string(rc)); + goto done; + } + + DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); + if ((ld = ldapssl_init(host, port, 1)) == NULL) + goto done; + } else +#endif + { + DPRINTF(("ldap_init(%s, %d)", host, port), 2); + if ((ld = ldap_init(host, port)) == NULL) + goto done; + } + rc = LDAP_SUCCESS; + +done: + *ldp = ld; + return(rc); +} + /* * Walk through search results and return TRUE if we have a matching * netgroup, else FALSE. @@ -509,6 +631,8 @@ sudo_ldap_build_pass1() /* Append supplementary groups */ for (i = 0; i < user_ngroups; i++) { + if (user_groups[i] == user_gid) + continue; if ((grp = getgrgid(user_groups[i])) != NULL) { ncat(&b, &sz, "(sudoUser=%"); ncat(&b, &sz, grp -> gr_name); @@ -641,12 +765,9 @@ sudo_ldap_read_config() if (ldap_conf.debug > 1) { fprintf(stderr, "LDAP Config Summary\n"); fprintf(stderr, "===================\n"); -#ifdef HAVE_LDAP_INITIALIZE if (ldap_conf.uri) { fprintf(stderr, "uri %s\n", ldap_conf.uri); - } else -#endif - { + } else { fprintf(stderr, "host %s\n", ldap_conf.host ? ldap_conf.host : "(NONE)"); fprintf(stderr, "port %d\n", ldap_conf.port); 
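Review bot: In sudo_ldap_parse_uri the `:636` default is appended whenever `nldaps` is non-zero, i.e. once any ldaps:// entry has been seen, rather than when the current URI is ldaps, so a later ldap:// entry in the same list also receives port 636 before the mixed-scheme check below the loop rejects the list; a per-iteration flag set in the scheme branch, e.g. `int is_ldaps = 0;` ... `is_ldaps = 1;` in the ldaps branch and `if (is_ldaps)` at the port check, keeps the loop self-consistent. `isdigit(port[1])` is handed a plain `char`; `isdigit((unsigned char)port[1])` avoids undefined behaviour on high-bit bytes in the host string. The `toobig` path terminates the process with errx(1) while every other parse failure reports via warnx and returns -1 to sudo_ldap_read_config, so `warnx("sudo_ldap_parse_uri: out of space building hostbuf"); goto done;` would match the rest of the function. In sudo_ldap_init a failed ldapssl_clientauth_init is already reported with ldapssl_err2string, yet the same rc is returned and decoded again with ldap_err2string by the caller in sudo_ldap_open, which produces two messages for one failure and may decode it against the wrong error table.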
@@ -695,8 +816,19 @@ sudo_ldap_read_config() ldap_conf.ssl_mode = SUDO_LDAP_SSL; } +#ifndef HAVE_LDAP_INITIALIZE + /* Convert uri list to host list if no ldap_initialize(). */ + if (ldap_conf.uri) { + if (sudo_ldap_parse_uri(ldap_conf.uri) != 0) + return(FALSE); + free(ldap_conf.uri); + ldap_conf.uri = NULL; + ldap_conf.port = LDAP_PORT; + } +#endif + /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */ - if (ldap_conf.port < 0) + if (!ldap_conf.uri && ldap_conf.port < 0) ldap_conf.port = ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT; @@ -894,7 +1026,7 @@ sudo_ldap_set_options(ld) ldap_err2string(rc)); return(-1); } - + DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)\n"), 1); } #endif return(0); 
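Review bot: The DPRINTF added in the sudo_ldap_set_options hunk ends its format string with `\n`, while every other DPRINTF in this diff (`"ldap_init(%s, %d)"`, `"ldap_initialize(ld, %s)"`) carries none; if the macro supplies its own newline, as those callers appear to rely on, this line emits an extra blank line in debug output, so drop it: `DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1);`. In the sudo_ldap_read_config hunk, the `#ifndef HAVE_LDAP_INITIALIZE` block resets `ldap_conf.port` to LDAP_PORT after the URI list has been folded into `ldap_conf.host`; a one-line comment noting that ldaps hosts already carry an explicit `:636` from sudo_ldap_parse_uri, so 389 only applies to hosts listed without a port, would save the next reader a trip to that function. sudo_ldap_read_config starts and ends outside the hunk.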
@@ -912,46 +1044,17 @@ sudo_ldap_open() if (!sudo_ldap_read_config()) return(NULL); -#ifdef HAVE_LDAPSSL_INIT - if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) { - DPRINTF(("ldapssl_clientauth_init(%s, %s)", - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); - if (rc != LDAP_SUCCESS) { - warnx("unable to initialize SSL cert and key db: %s", - ldapssl_err2string(rc)); - return(NULL); - } - } -#endif /* HAVE_LDAPSSL_INIT */ - /* Connect to LDAP server */ #ifdef HAVE_LDAP_INITIALIZE - if (ldap_conf.uri) { + if (ldap_conf.uri != NULL) { DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2); rc = ldap_initialize(&ld, ldap_conf.uri); - if (rc != LDAP_SUCCESS) { - warnx("unable to initialize LDAP: %s", ldap_err2string(rc)); - return(NULL); - } } else #endif /* HAVE_LDAP_INITIALIZE */ - { -#ifdef HAVE_LDAPSSL_INIT - DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port, - ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2); - ld = ldapssl_init(ldap_conf.host, ldap_conf.port, - ldap_conf.ssl_mode == SUDO_LDAP_SSL); -#else - DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2); - ld = ldap_init(ldap_conf.host, ldap_conf.port); -#endif /* HAVE_LDAPSSL_INIT */ - if (ld == NULL) { - warn("unable to initialize LDAP"); - return(NULL); - } + rc = sudo_ldap_init(&ld, ldap_conf.host, ldap_conf.port); + if (rc != LDAP_SUCCESS) { + warnx("unable to initialize LDAP: %s", ldap_err2string(rc)); + return(NULL); } /* Set LDAP options */ diff --git a/usr.bin/sudo/sudo.pod b/usr.bin/sudo/sudo.pod index 8f06797028b..b6562b08ac3 100644 --- a/usr.bin/sudo/sudo.pod +++ b/usr.bin/sudo/sudo.pod 
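Review bot: In sudo_ldap_open the ldapssl_clientauth_init call now lives inside sudo_ldap_init, which is only reached in the `else` branch, so on a build with both HAVE_LDAP_INITIALIZE and HAVE_LDAPSSL_INIT a `uri` configuration with ssl_mode SUDO_LDAP_SSL would no longer initialise the certificate and key database before ldap_initialize; whether any supported SDK defines both is not visible here, but the removed code covered that combination and the new code silently does not. Recording the assumption at the `#ifdef HAVE_LDAP_INITIALIZE` line, e.g. `/* SDKs providing ldap_initialize() do not need ldapssl_clientauth_init() */`, or calling the client-auth init ahead of the branch, would close the gap. The error path is now uniform (`warnx` with `ldap_err2string(rc)`), an improvement over the old mix of warn and warnx. sudo_ldap_open continues outside the hunk.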
@@ -19,7 +19,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.70.2.19 2007/11/21 19:26:10 millert Exp $ +$Sudo: sudo.pod,v 1.70.2.20 2008/01/05 23:59:42 millert Exp $ =pod =head1 NAME @@ -238,6 +238,11 @@ I<sudoers> option is set) expanded to the local hostname without the domain name +=item C<%p> + +expanded to the user whose password is being asked for (respects the +I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>) + =item C<%U> expanded to the login name of the user the command will diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod index d8af57fd58e..91dfd849446 100644 --- a/usr.bin/sudo/sudoers.pod +++ b/usr.bin/sudo/sudoers.pod @@ -19,7 +19,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95.2.22 2007/12/02 17:13:52 millert Exp $ +$Sudo: sudoers.pod,v 1.95.2.23 2008/01/05 23:59:42 millert Exp $ =pod =head1 NAME @@ -786,6 +786,11 @@ option is set) expanded to the local hostname without the domain name +=item C<%p> + +expanded to the user whose password is being asked for (respects the +I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>) + =item C<%U> expanded to the login name of the user the command will diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h index 1c3a4f76d06..4394ff199a9 100644 --- a/usr.bin/sudo/version.h +++ b/usr.bin/sudo/version.h 
@@ -17,12 +17,12 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: version.h,v 1.66.2.13 2007/12/17 19:18:14 millert Exp $ + * $Sudo: version.h,v 1.66.2.14 2008/01/05 23:31:52 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.9p10"; +static const char version[] = "1.6.9p11"; #endif /* _SUDO_VERSION_H */ |