-rw-r--r-- | usr.bin/sudo/ChangeLog | 30 | ||||
-rw-r--r-- | usr.bin/sudo/Makefile.in | 8 | ||||
-rw-r--r-- | usr.bin/sudo/config.h | 6 | ||||
-rw-r--r-- | usr.bin/sudo/configure | 20 | ||||
-rw-r--r-- | usr.bin/sudo/configure.in | 4 | ||||
-rw-r--r-- | usr.bin/sudo/find_path.c | 5 | ||||
-rw-r--r-- | usr.bin/sudo/sudo_usage.h | 18 | ||||
-rw-r--r-- | usr.bin/sudo/sudoers.pod | 27 |
8 files changed, 94 insertions, 24 deletions
diff --git a/usr.bin/sudo/ChangeLog b/usr.bin/sudo/ChangeLog
index 6ed7972e89a..a8d71a2dfe0 100644
--- a/usr.bin/sudo/ChangeLog
+++ b/usr.bin/sudo/ChangeLog
@@ -1,3 +1,33 @@
+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in: Fix installation of sudoers.ldap
+ in "make install" when --with-ldap was specified without a
+ directory. From Prof. Dr. Andreas Mueller
+
+2010-04-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * find_path.c: Qualify the command even if it is in the
+ current working directory, e.g. "./foo" instead of just
+ returning "foo". This removes an ambiguity between real
+ commands and possible pseudo-commands in command matching.
+
+2010-04-07 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudoers.cat, sudoers.man.in, sudoers.pod: Add a note about
+ the security implications of the fast_glob option.
+
+ * memrchr.c: Remove duplicate includes
+
+2010-03-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.c: Fix a bug introduced with def_closefrom. The value
+ of def_closefrom already includes the +1.
+
+2010-03-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * match.c: When doing a glob match, short circuit if
+ gl.gl_pathc is 0. From Mark Kettenis.
+
 2010-02-22 Todd C. Miller <Todd.Miller@courtesan.com>
 * match.c: Check for pseudo-command by looking at the first
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index 09f6b301413..8d69f819074 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -457,11 +457,9 @@ realclean: distclean
 cleandir: realclean
 dist:
- rm -f ../sudo-$(VERSION).tar.gz
- ( cd .. ; TF="/tmp/sudo.dist$$$$" ; rm -f $$TF ; for i in $(DISTFILES) ; \
- do echo sudo-$(VERSION)/$$i >> $$TF ; done ; \
- tar Ocf sudo-$(VERSION).tar \
- `cat $$TF` && gzip --best sudo-$(VERSION).tar && rm -f $$TF)
+ pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \
+ $(DISTFILES)
+ gzip -9f ../sudo-$(VERSION).tar
 ls -l ../sudo-$(VERSION).tar.gz
 bindist:
diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h
index 84fe811b80a..90325266d8f 100644
--- a/usr.bin/sudo/config.h
+++ b/usr.bin/sudo/config.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.h,v 1.17 2010/03/01 11:36:47 millert Exp $ */
+/* $OpenBSD: config.h,v 1.18 2010/04/13 23:22:01 millert Exp $ */
 #ifndef _SUDO_CONFIG_H
 #define _SUDO_CONFIG_H
@@ -10,9 +10,9 @@
 #define PACKAGE_BUGREPORT "http://www.sudo.ws/bugs/"
 #define PACKAGE_NAME "sudo"
-#define PACKAGE_STRING "sudo 1.7.2p5"
+#define PACKAGE_STRING "sudo 1.7.2p6"
 #define PACKAGE_TARNAME "sudo"
-#define PACKAGE_VERSION "1.7.2p5"
+#define PACKAGE_VERSION "1.7.2p6"
 #define HAVE_ASPRINTF 1
 #define HAVE_BSD_AUTH_H 1
diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure
index d04941853fd..95f96c44095 100644
--- a/usr.bin/sudo/configure
+++ b/usr.bin/sudo/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for sudo 1.7.2p5.
+# Generated by GNU Autoconf 2.61 for sudo 1.7.2p6.
 #
 # Report bugs to <http://www.sudo.ws/bugs/>.
 #
@@ -724,8 +724,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.2p5'
-PACKAGE_STRING='sudo 1.7.2p5'
+PACKAGE_VERSION='1.7.2p6'
+PACKAGE_STRING='sudo 1.7.2p6'
 PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
 # Factoring default headers for most tests.
@@ -1417,7 +1417,7 @@ if test "$ac_init_help" = "long"; then
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures sudo 1.7.2p5 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.2p6 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1482,7 +1482,7 @@ fi
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.2p5:";;
+ short | recursive ) echo "Configuration of sudo 1.7.2p6:";;
 esac
 cat <<\_ACEOF
@@ -1684,7 +1684,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-sudo configure 1.7.2p5
+sudo configure 1.7.2p6
 generated by GNU Autoconf 2.61
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1698,7 +1698,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.2p5, which was
+It was created by sudo $as_me 1.7.2p6, which was
 generated by GNU Autoconf 2.61. Invocation command line was
 $ $0 $@
@@ -22884,9 +22884,9 @@ if test ${with_ldap-'no'} != "no"; then
 CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
 with_ldap=yes
- LDAP=""
 fi
 SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
 { echo "$as_me:$LINENO: checking for LDAP libraries" >&5
 echo $ECHO_N "checking for LDAP libraries... $ECHO_C" >&6; }
@@ -24559,7 +24559,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.7.2p5, which was
+This file was extended by sudo $as_me 1.7.2p6, which was
 generated by GNU Autoconf 2.61. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -24608,7 +24608,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-sudo config.status 1.7.2p5
+sudo config.status 1.7.2p6
 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index fcd0be869f3..0c08180d552 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
-AC_INIT([sudo], [1.7.2p5], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.2p6], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER(config.h pathnames.h)
 dnl
 dnl This won't work before AC_INIT
@@ -2444,9 +2444,9 @@ if test ${with_ldap-'no'} != "no"; then
 SUDO_APPEND_LIBPATH(LDFLAGS, [${with_ldap}/lib])
 CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
 with_ldap=yes
- LDAP=""
 fi
 SUDO_OBJS="${SUDO_OBJS} ldap.o"
+ LDAP=""
 AC_MSG_CHECKING([for LDAP libraries])
 LDAP_LIBS=""
diff --git a/usr.bin/sudo/find_path.c b/usr.bin/sudo/find_path.c
index 59d94f3878c..22ff607df95 100644
--- a/usr.bin/sudo/find_path.c
+++ b/usr.bin/sudo/find_path.c
@@ -122,7 +122,10 @@ find_path(infile, outfile, sbp, path)
 * Check current dir if dot was in the PATH
 */
 if (!result && checkdot) {
- result = sudo_goodpath(infile, sbp);
+ len = snprintf(command, sizeof(command), "./%s", infile);
+ if (len <= 0 || len >= sizeof(command))
+ errorx(1, "%s: File name too long", infile);
+ result = sudo_goodpath(command, sbp);
 if (result && def_ignore_dot)
 return(NOT_FOUND_DOT);
 }
diff --git a/usr.bin/sudo/sudo_usage.h b/usr.bin/sudo/sudo_usage.h
index faeed374bc7..489cfd9d1ff 100644
--- a/usr.bin/sudo/sudo_usage.h
+++ b/usr.bin/sudo/sudo_usage.h
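Review bot: The `LDAP=""` moved to after the `fi` in the @@ -2444 hunk of configure.in now clears the substitution for every --with-ldap form, not only when a directory was given, but nothing near the assignment says what the variable controls; the ChangeLog on this page ties it to whether `make install` installs sudoers.ldap. A `dnl` line above it would stop the next editor from moving it back inside the `if`, e.g. `dnl LDAP is a Makefile substitution; presumably empty enables the sudoers.ldap install rule, so clear it whenever LDAP support is on.` The same move appears in the generated configure hunk @@ -22884, which should keep being regenerated from configure.in rather than patched by hand. The enclosing `if test ${with_ldap-'no'} != "no"` block starts before the hunk.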
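Review bot: The new `len >= sizeof(command)` test in the @@ -122 hunk of find_path.c compares `len` with a size_t, and since `len` and `command` are declared outside the hunk, if `len` is an `int` the comparison is performed unsigned; it is correct only because `len <= 0` is evaluated first, which deserves a comment so the order is not "tidied" later: `/* len <= 0 must come first: a negative int would wrap in the size_t comparison. */`. The reason for the `./` prefix is also not visible in the code; the ChangeLog on this page says it removes the ambiguity between a command found in the current directory and a pseudo-command during sudoers matching, so a line above the snprintf such as `/* Qualify with "./" so a command found via "." in PATH is never matched as a bare (pseudo-command) name. */` would carry that intent. Because `errorx(1, ...)` appears to terminate rather than return, an over-long name in this branch no longer yields a not-found result to the caller — presumably intended, but worth a one-line note. find_path begins and ends outside the hunk.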
@@ -1,3 +1,21 @@
+/*
+ * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 #ifndef _SUDO_USAGE_H
 #define _SUDO_USAGE_H
diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod
index 2f85b4445e1..4cf77aaea52 100644
--- a/usr.bin/sudo/sudoers.pod
+++ b/usr.bin/sudo/sudoers.pod
@@ -1,4 +1,4 @@
-Copyright (c) 1994-1996, 1998-2005, 2007-2009
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
 Todd C. Miller <Todd.Miller@courtesan.com>
 Permission to use, copy, modify, and distribute this software for any
@@ -711,7 +711,7 @@ by default.
 =item passprompt_override
 The password prompt specified by I<passprompt> will normally only
-be used if the passwod prompt provided by systems such as PAM matches
+be used if the password prompt provided by systems such as PAM matches
 the string "Password:". If I<passprompt_override> is set, I<passprompt> will always be used. This flag is I<off> by default.
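Review bot: The license block added in the @@ -1,3 hunk of sudo_usage.h ends twice: the ISC text closes with `OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.` and is then followed by `OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF` / `ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`, a fragment of a different BSD-style disclaimer beginning with an unmatched closing parenthesis. Those two lines should be dropped so the header is the complete ISC notice that its first paragraph grants. The copyright range `2007-2009` also lags the 2010 dates used in the sudoers.pod hunk on this page; worth confirming whether that is intentional.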
@@ -808,7 +808,12 @@ system that is mounted on demand (automounted).
 The I<fast_glob> option causes B<sudo> to use the L<fnmatch(3)> function, which does not access the file system to do its matching. The disadvantage of I<fast_glob> is that it is unable to match relative pathnames
-such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
 =item stay_setuid
@@ -1469,6 +1474,22 @@ different name, or use a shell escape from an editor or other program.
 Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
 =head1 PREVENTING SHELL ESCAPES
 Once B<sudo> executes a program, that program is free to do whatever |