-rw-r--r--usr.bin/sudo/ChangeLog30
-rw-r--r--usr.bin/sudo/Makefile.in8
-rw-r--r--usr.bin/sudo/config.h6
-rw-r--r--usr.bin/sudo/configure20
-rw-r--r--usr.bin/sudo/configure.in4
-rw-r--r--usr.bin/sudo/find_path.c5
-rw-r--r--usr.bin/sudo/sudo_usage.h18
-rw-r--r--usr.bin/sudo/sudoers.pod27
8 files changed, 94 insertions, 24 deletions
diff --git a/usr.bin/sudo/ChangeLog b/usr.bin/sudo/ChangeLog
index 6ed7972e89a..a8d71a2dfe0 100644
--- a/usr.bin/sudo/ChangeLog
+++ b/usr.bin/sudo/ChangeLog
@@ -1,3 +1,33 @@
+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in: Fix installation of sudoers.ldap
+ in "make install" when --with-ldap was specified without a
+ directory. From Prof. Dr. Andreas Mueller
+
+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * find_path.c: Qualify the command even if it is in the
+ current working directory, e.g. "./foo" instead of just
+ returning "foo". This removes an ambiguity between real
+ commands and possible pseudo-commands in command matching.
+
+2010-04-07 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudoers.cat, sudoers.man.in, sudoers.pod: Add a note about
+ the security implications of the fast_glob option.
+
+ * memrchr.c: Remove duplicate includes
+
+2010-03-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.c: Fix a bug introduced with def_closefrom. The value
+ of def_closefrom already includes the +1.
+
+2010-03-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * match.c: When doing a glob match, short circuit if
+ gl.gl_pathc is 0. From Mark Kettenis.
+
2010-02-22 Todd C. Miller <Todd.Miller@courtesan.com>
* match.c: Check for pseudo-command by looking at the first
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index 09f6b301413..8d69f819074 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -457,11 +457,9 @@ realclean: distclean
cleandir: realclean
dist:
- rm -f ../sudo-$(VERSION).tar.gz
- ( cd .. ; TF="/tmp/sudo.dist$$$$" ; rm -f $$TF ; for i in $(DISTFILES) ; \
- do echo sudo-$(VERSION)/$$i >> $$TF ; done ; \
- tar Ocf sudo-$(VERSION).tar \
- `cat $$TF` && gzip --best sudo-$(VERSION).tar && rm -f $$TF)
+ pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \
+ $(DISTFILES)
+ gzip -9f ../sudo-$(VERSION).tar
ls -l ../sudo-$(VERSION).tar.gz
bindist:
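Review bot: The new `dist` recipe has no comment on the `-s '/^/sudo-$(VERSION)\//'` substitution, which is now the only thing that places every archive member under `sudo-$(VERSION)/`. I would add a line above the `dist:` target such as `# pax -s rewrites each member name to sudo-$(VERSION)/<name>, so no scratch file list is needed`. If pax fails part-way, make stops before gzip and leaves a partial `../sudo-$(VERSION).tar`, which nothing in the visible recipe removes. The names in `$(DISTFILES)` go straight onto the pax command line, so the recipe presumably relies on them being relative paths without whitespace.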
diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h
index 84fe811b80a..90325266d8f 100644
--- a/usr.bin/sudo/config.h
+++ b/usr.bin/sudo/config.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.h,v 1.17 2010/03/01 11:36:47 millert Exp $ */
+/* $OpenBSD: config.h,v 1.18 2010/04/13 23:22:01 millert Exp $ */
#ifndef _SUDO_CONFIG_H
#define _SUDO_CONFIG_H
@@ -10,9 +10,9 @@
#define PACKAGE_BUGREPORT "http://www.sudo.ws/bugs/"
#define PACKAGE_NAME "sudo"
-#define PACKAGE_STRING "sudo 1.7.2p5"
+#define PACKAGE_STRING "sudo 1.7.2p6"
#define PACKAGE_TARNAME "sudo"
-#define PACKAGE_VERSION "1.7.2p5"
+#define PACKAGE_VERSION "1.7.2p6"
#define HAVE_ASPRINTF 1
#define HAVE_BSD_AUTH_H 1
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index d04941853fd..95f96c44095 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for sudo 1.7.2p5.
+# Generated by GNU Autoconf 2.61 for sudo 1.7.2p6.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
@@ -724,8 +724,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.2p5'
-PACKAGE_STRING='sudo 1.7.2p5'
+PACKAGE_VERSION='1.7.2p6'
+PACKAGE_STRING='sudo 1.7.2p6'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
# Factoring default headers for most tests.
@@ -1417,7 +1417,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.7.2p5 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.2p6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1482,7 +1482,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.2p5:";;
+ short | recursive ) echo "Configuration of sudo 1.7.2p6:";;
esac
cat <<\_ACEOF
@@ -1684,7 +1684,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.7.2p5
+sudo configure 1.7.2p6
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1698,7 +1698,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.2p5, which was
+It was created by sudo $as_me 1.7.2p6, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -22884,9 +22884,9 @@ if test ${with_ldap-'no'} != "no"; then
CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
with_ldap=yes
- LDAP=""
fi
SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
{ echo "$as_me:$LINENO: checking for LDAP libraries" >&5
echo $ECHO_N "checking for LDAP libraries... $ECHO_C" >&6; }
@@ -24559,7 +24559,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.7.2p5, which was
+This file was extended by sudo $as_me 1.7.2p6, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -24608,7 +24608,7 @@ Report bugs to <bug-autoconf@gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-sudo config.status 1.7.2p5
+sudo config.status 1.7.2p6
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index fcd0be869f3..0c08180d552 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script.
dnl
dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.7.2p5], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.2p6], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER(config.h pathnames.h)
dnl
dnl This won't work before AC_INIT
@@ -2444,9 +2444,9 @@ if test ${with_ldap-'no'} != "no"; then
SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
with_ldap=yes
- LDAP=""
fi
SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
AC_MSG_CHECKING([for LDAP libraries])
LDAP_LIBS=""
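Review bot: The relocated `LDAP=""` carries no comment, yet its placement is the whole fix: inside the inner `if` it was cleared only when --with-ldap was given a directory. A `dnl` line above it would guard against it being moved back, e.g. `dnl Clear LDAP for every --with-ldap build, with or without a directory argument`. What `LDAP` gates is not visible in this hunk; the ChangeLog entry in this commit ties it to installing sudoers.ldap in "make install". The same edit appears in the generated configure script.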
diff --git a/usr.bin/sudo/find_path.c b/usr.bin/sudo/find_path.c
index 59d94f3878c..22ff607df95 100644
--- a/usr.bin/sudo/find_path.c
+++ b/usr.bin/sudo/find_path.c
@@ -122,7 +122,10 @@ find_path(infile, outfile, sbp, path)
* Check current dir if dot was in the PATH
*/
if (!result && checkdot) {
- result = sudo_goodpath(infile, sbp);
+ len = snprintf(command, sizeof(command), "./%s", infile);
+ if (len <= 0 || len >= sizeof(command))
+ errorx(1, "%s: File name too long", infile);
+ result = sudo_goodpath(command, sbp);
if (result && def_ignore_dot)
return(NOT_FOUND_DOT);
}
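Review bot: The added `./` prefix has no comment saying why the name is qualified, and the reason is security-relevant: per the ChangeLog entry in this commit, returning a bare `foo` for a file in the current directory is ambiguous with pseudo-commands during command matching. I would add above the snprintf() call `/* Qualify as "./name" so a file in the cwd is never confused with a pseudo-command when matching. */`. Separately, `len >= sizeof(command)` compares against a size_t; if `len` is declared as int (its declaration is outside the hunk), writing `(size_t)len >= sizeof(command)` makes the truncation check explicit, though behaviour is already correct because `len <= 0` is tested first. find_path()'s body starts and ends outside this hunk, so the lifetime of `command`, which `result` may now point into, could not be checked here.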
diff --git a/usr.bin/sudo/sudo_usage.h b/usr.bin/sudo/sudo_usage.h
index faeed374bc7..489cfd9d1ff 100644
--- a/usr.bin/sudo/sudo_usage.h
+++ b/usr.bin/sudo/sudo_usage.h
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
#ifndef _SUDO_USAGE_H
#define _SUDO_USAGE_H
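Review bot: The new licence header ends with a stray fragment: the two lines `* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF` and `* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.` follow a sentence that already closes at "PERFORMANCE OF THIS SOFTWARE." and contain an unmatched parenthesis. They look like leftovers from a different licence text and should be dropped so the comment block ends after `* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.`.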
diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod
index 2f85b4445e1..4cf77aaea52 100644
--- a/usr.bin/sudo/sudoers.pod
+++ b/usr.bin/sudo/sudoers.pod
@@ -1,4 +1,4 @@
-Copyright (c) 1994-1996, 1998-2005, 2007-2009
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
@@ -711,7 +711,7 @@ by default.
=item passprompt_override
The password prompt specified by I<passprompt> will normally only
-be used if the passwod prompt provided by systems such as PAM matches
+be used if the password prompt provided by systems such as PAM matches
the string "Password:". If I<passprompt_override> is set, I<passprompt>
will always be used. This flag is I<off> by default.
@@ -808,7 +808,12 @@ system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative pathnames
-such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
=item stay_setuid
@@ -1469,6 +1474,22 @@ different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
=head1 PREVENTING SHELL ESCAPES
Once B<sudo> executes a program, that program is free to do whatever