44 files changed, 1812 insertions, 418 deletions
diff --git a/usr.bin/sudo/ChangeLog b/usr.bin/sudo/ChangeLog
index 6b8b1e974a8..a20a1fc7fe5 100644
--- a/usr.bin/sudo/ChangeLog
+++ b/usr.bin/sudo/ChangeLog
@@ -1,3 +1,206 @@ +2009-06-15 17:19 millert + + * sudo.pod, sudoers.pod: Add non-unix group bits, adapted from + Quest + +2009-06-15 17:18 millert + + * Makefile.in: build the .cat page in the current working dir, not + the src dir + +2009-06-15 09:10 millert + + * env.c: Return EINVAL in setenv() if var is NULL or the empty + string to match glibc behavior. + +2009-06-13 16:52 millert + + * configure, configure.in: Use AS_HELP_STRING for AC_ARG_WITH and + AC_ARG_ENABLE + +2009-06-11 16:29 millert + + * sudo.cat, sudo.man.in, sudoers.cat, sudoers.ldap.cat, + sudoers.ldap.man.in, sudoers.man.in, visudo.cat, visudo.man.in: + regen + +2009-06-09 10:08 millert + + * INSTALL: Document --with-libvas and --with-libvas-rpath + +2009-05-29 09:43 millert + + * ldap.c, sudoers.ldap.pod: For netscape-derived LDAP SDKs the cert + and key paths may be a directory or a file. However, version 5.0 + of the SDK only seems to support using a directory. If + ldapssl_clientauth_init fails and the cert or key paths look like + they could be files, strip off the last path element and try + again. + +2009-05-29 09:40 millert + + * Makefile.in: Add non-Unix group .o to COMMON_OBJS and substitute + in path to flex. + +2009-05-26 20:49 millert + + * configure, configure.in, match.c, sudo.c, vasgroups.c: Update + non-Unix group support from Quest, as reworked by me. + +2009-05-26 20:47 millert + + * toke.c: regen + +2009-05-26 20:46 millert + + * toke.l: Add support for escaped hex chars in names, e.g. \x20 for + space. 
+ +2009-05-25 08:02 millert + + * LICENSE, Makefile.in, aclocal.m4, alias.c, check.c, env.c, + fileops.c, glob.c, gram.y, interfaces.c, lbuf.c, ldap.c, + logging.c, logging.h, match.c, parse.c, parse.h, pathnames.h.in, + pwutil.c, set_perms.c, sudo.c, sudo.h, sudo.pod, sudo_nss.c, + sudo_nss.h, sudo_usage.h.in, sudoers.ldap.pod, sudoers.pod, + testsudoers.c, tgetpass.c, toke.l, visudo.c, auth/aix_auth.c, + auth/pam.c, auth/sudo_auth.c, auth/sudo_auth.h: Update copyright + years. + +2009-05-24 08:33 millert + + * interfaces.c, lbuf.c: Minor fixes for Minix-3 + +2009-05-22 06:37 millert + + * set_perms.c: Handle getgroups() returning 0. Also add missing + check for HAVE_GETGROUPS. + +2009-05-19 17:24 millert + + * Makefile.in, config.h.in, configure, configure.in, sudo.c, + version.h, visudo.c: Replace version.h with PACKAGE_VERSION set + via AC_INIT in configure. + +2009-05-18 06:33 millert + + * set_perms.c: Remove group setting code in setusercontext case, we + will do it ourselves later on in runas_setup. Set the gid after + initgroups/setgroups is called, since on Mac OS X it seems to + change the egid. + +2009-05-17 18:19 millert + + * LICENSE, Makefile.in, config.h.in, match.c, nonunix.h, sudo.c, + vasgroups.c: Initial bits of non-unix group support using Quest + Authentication Services + +2009-05-17 16:52 millert + + * toke.c, toke.l: Accept %:foo as a non-Unix group + +2009-05-17 16:22 millert + + * toke.c, toke.l: Allow user/group to be double quoted in the case + of non-Unix groups which contain spaces. + +2009-05-11 12:47 millert + + * match.c: Don't allow the user to specify the default runas user + if their sudoers entry only allows them to run as a group. + +2009-05-10 07:59 millert + + * sudo.c: Must call audit_success before we change uids. + +2009-05-10 07:52 millert + + * logging.c, set_perms.c, sudo.h, testsudoers.c: Add option for + set_perm to not exit on failure and use this in the logging + routines. 
+ +2009-05-10 07:33 millert + + * parse.c: In -l mode, if the user is only allowed to run as a + group, display the user's name, not root's before the allowed + group. + +2009-05-09 21:00 millert + + * sudo.c: Fix -g mode, broken by rev 1.503 which had the side + effect of setting the runas user to root unilaterally. + +2009-05-08 16:19 millert + + * fileops.c: When unlocking a file with fcntl, use F_SETLK, not + F_SETLKW. + +2009-05-08 13:07 millert + + * pwutil.c: Only cache by the method we fetched for pwd and grp + lookups. Previously we cached both by namd and id but this can + cause problems for entries that share the same id. Also add more + info in the error message in case the insert fails (which should + now be impossible). + +2009-04-30 15:04 millert + + * sudoers.pod: Add a clarification from Nick Sieger + +2009-04-25 12:49 millert + + * env.c: Inline the setting of the environment string. + +2009-04-24 14:53 millert + + * env.c: setenv(3) in Linux treats a NUL value as the empty string + setenv(3) in BSD doesn't return an error if the name has '=' in + it, it just treats the '=' as end of string. + +2009-04-22 16:32 millert + + * toke.c, toke.l: Not all systems have d_namlen + +2009-04-20 13:53 millert + + * sudoers.pod: Fix up some pod2html issues. + +2009-04-19 14:09 millert + + * interfaces.c: Check for NULL ifa_addr and ifa_netmask. Adapted + from a diff from Quest Software. 
+ +2009-04-19 09:01 millert + + * sudoers.pod: Ignore files ending in '~' in sudo.d (emacs backup + files) + +2009-04-19 08:56 millert + + * toke.c, toke.l: Ignore files ending in '~' in sudo.d (emacs + backup files) + +2009-04-18 19:37 millert + + * sudoers.cat, sudoers.man.in, sudoers.pod, toke.c, toke.l: For + #includedir, ignore any file containing a dot + +2009-04-18 19:25 millert + + * Makefile.in, version.h: Bump version + +2009-04-18 19:25 millert + + * gram.c, gram.y, parse.c, parse.h, sudo.c, sudo.h, sudoers.cat, + sudoers.man.in, sudoers.pod, testsudoers.c, toke.c, toke.l, + visudo.c: Implement #includedir directive. Files in an + includedir are not edited by visudo unless they contain a syntax + error. + +2009-04-18 12:06 millert + + * ChangeLog: sync + 2009-04-18 10:27 millert * WHATSNEW: Forgot umask_override @@ -4846,7 +5049,7 @@ 2004-10-01 10:58 millert * sample.pam, sample.sudoers, sample.syslog.conf, sudoers: Add - $Sudo: ChangeLog,v 1.21 2009/04/18 16:06:05 millert Exp $ tags. + $Sudo$ tags. 2004-10-01 10:47 millert diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL index faec29a1268..b58852b9876 100644 --- a/usr.bin/sudo/INSTALL +++ b/usr.bin/sudo/INSTALL @@ -335,6 +335,16 @@ Special features/options: Enable support for role based access control (RBAC) on systems that support SELinux. + --with-libvas=[NAME] + Enable non-Unix group support using Quest Authentication + Services. If NAME is specified, it should be the name of + the shared library providing QAS support (libvas.so by default). + + --with-libvas-rpath=[PATH] + The path to search when loading libvas.so (or an alternate + name as specified by --with-libvas). This option only has + an effect when --with-libvas is specified. + The following options are also configurable at runtime: --with-long-otp-prompt diff --git a/usr.bin/sudo/LICENSE b/usr.bin/sudo/LICENSE index 786b7a096ee..0632e0bf178 100644 --- a/usr.bin/sudo/LICENSE +++ b/usr.bin/sudo/LICENSE 
@@ -1,6 +1,6 @@ Sudo is distributed under the following ISC-style license: - Copyright (c) 1994-1996, 1998-2008 + Copyright (c) 1994-1996, 1998-2009 Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any 
@@ -48,3 +48,31 @@ bear the following UCB license: LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +nonunix.h and vasgroups.c bear the following license: + + Copyright (c) 2006 Quest Software, Inc. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of Quest Software, Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in index 32100aba25a..c7fc8d91ef7 100644 --- a/usr.bin/sudo/Makefile.in +++ b/usr.bin/sudo/Makefile.in 
@@ -1,5 +1,5 @@ # -# Copyright (c) 1996, 1998-2005, 2007-2008 +# Copyright (c) 1996, 1998-2005, 2007-2009 # Todd C. Miller <Todd.Miller@courtesan.com> # # Permission to use, copy, modify, and distribute this software for any @@ -21,7 +21,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.334 2009/03/11 23:19:56 millert Exp $ +# $Sudo: Makefile.in,v 1.340 2009/06/15 21:18:53 millert Exp $ # #### Start of system configuration section. #### @@ -33,7 +33,7 @@ top_builddir = . # Compiler & tools to use CC = @CC@ -LEX = flex +FLEX = @FLEX@ YACC = @YACC@ NROFF = nroff -Tascii LIBTOOL = @LIBTOOL@ @@ -109,8 +109,8 @@ SRCS = aix.c alias.c alloc.c audit.c bsm_audit.c check.c closefrom.c \ mkstemp.c memrchr.c parse.c pwutil.c set_perms.c sigaction.c \ snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c \ sudo_noexec.c sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c \ - toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c \ - selinux.c sesh.c $(AUTH_SRCS) + toke.c toke.l tsgetgrpw.c utimes.c vasgroups.c visudo.c zero_bytes.c \ + redblack.c selinux.c sesh.c $(AUTH_SRCS) AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \ 
@@ -119,15 +119,15 @@ AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ HDRS = bsm_audit.h compat.h def_data.h defaults.h error.h ins_2001.h \ ins_classic.h ins_csops.h ins_goons.h insults.h interfaces.h lbuf.h \ - list.h logging.h parse.h sudo.h sudo_nss.h gram.h version.h \ + list.h logging.h nonunix.h redblack.h parse.h sudo.h sudo_nss.h gram.h \ auth/sudo_auth.h emul/charclass.h emul/fnmatch.h emul/glob.h \ - emul/timespec.h emul/utime.h redblack.h + emul/timespec.h emul/utime.h AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ # Note: gram.o must come first here COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \ - toke.o redblack.o zero_bytes.o + toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@ SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \ getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ @@ -141,7 +141,7 @@ TEST_OBJS = $(COMMON_OBJS) interfaces.o testsudoers.o tsgetgrpw.o tspwutil.o LIB_OBJS = @LIBOBJS@ -VERSION = 1.7.1 +VERSION = @PACKAGE_VERSION@ DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP TROUBLESHOOTING \ @@ -182,8 +182,8 @@ all: $(PROGS) $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $< .man.cat: - @rm -f $(srcdir)/$@ - sed '1s/^/.if n .ll 78n/' $< | $(NROFF) -man > $(srcdir)/$@ + @rm -f $@ + sed '1s/^/.if n .ll 78n/' $< | $(NROFF) -man > $@ sudo: $(SUDO_OBJS) $(LIB_OBJS) $(CC) -o $@ $(SUDO_OBJS) $(LIB_OBJS) $(SUDO_LDFLAGS) $(SUDO_LIBS) @@ -212,7 +212,7 @@ $(devdir)/gram.c: $(srcdir)/gram.y # Uncomment the lines before -@true if you intend to modify toke.l $(devdir)/toke.c: $(srcdir)/toke.l -@DEV@ $(LEX) $(srcdir)/toke.l +@DEV@ $(FLEX) $(srcdir)/toke.l @DEV@ mv -f lex.yy.c toke.c -@true 
@@ -301,7 +301,7 @@ strlcpy.o: $(srcdir)/strlcpy.c $(srcdir)/compat.h config.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcpy.c selinux.o: $(srcdir)/selinux.c $(SUDODEP) $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/selinux.c -sudo.o: $(srcdir)/sudo.c $(SUDODEP) sudo_usage.h $(srcdir)/interfaces.h $(srcdir)/version.h +sudo.o: $(srcdir)/sudo.c $(SUDODEP) sudo_usage.h $(srcdir)/interfaces.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo.c sudo_edit.o: $(srcdir)/sudo_edit.c $(SUDODEP) $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c @@ -321,7 +321,9 @@ tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(SUDODEP) $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c utimes.o: $(srcdir)/utimes.c $(srcdir)/compat.h $(srcdir)/emul/utime.h config.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/utimes.c -visudo.o: $(srcdir)/visudo.c $(SUDODEP) $(srcdir)/version.h $(devdir)/gram.h +vasgroups.o: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP) + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c +visudo.o: $(srcdir)/visudo.c $(SUDODEP) $(devdir)/gram.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/visudo.c zero_bytes.o: $(srcdir)/zero_bytes.c $(srcdir)/compat.h config.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/zero_bytes.c diff --git a/usr.bin/sudo/aclocal.m4 b/usr.bin/sudo/aclocal.m4 index 334952ae095..1a6d9904931 100644 --- a/usr.bin/sudo/aclocal.m4 +++ b/usr.bin/sudo/aclocal.m4 @@ -1,6 +1,7 @@ dnl Local m4 macros for autoconf (used by sudo) dnl -dnl Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com> +dnl Copyright (c) 1994-1996, 1998-2005, 2007-2009 +dnl Todd C. Miller <Todd.Miller@courtesan.com> dnl dnl XXX - should cache values in all cases!!! dnl diff --git a/usr.bin/sudo/alias.c b/usr.bin/sudo/alias.c index ac46f040a5b..e8fec56c07e 100644 --- a/usr.bin/sudo/alias.c +++ b/usr.bin/sudo/alias.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2004-2005m, 2007-2008 + * Copyright (c) 2004-2005m, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -47,7 +47,7 @@ #include <gram.h> #ifndef lint -__unused static const char rcsid[] = "$Sudo: alias.c,v 1.17 2009/04/05 16:25:04 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: alias.c,v 1.18 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ /* diff --git a/usr.bin/sudo/auth/aix_auth.c b/usr.bin/sudo/auth/aix_auth.c index 2bbeb9a732c..853ceb8b1ac 100644 --- a/usr.bin/sudo/auth/aix_auth.c +++ b/usr.bin/sudo/auth/aix_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -47,7 +47,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.26 2009/03/01 00:58:41 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.27 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ /* diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c index e8670a520f9..47820ba8a84 100644 --- a/usr.bin/sudo/auth/pam.c +++ b/usr.bin/sudo/auth/pam.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -73,7 +73,7 @@ #endif #ifndef lint -__unused static const char rcsid[] = "$Sudo: pam.c,v 1.67 2009/02/25 12:21:11 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: pam.c,v 1.68 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ static int sudo_conv __P((int, PAM_CONST struct pam_message **, diff --git a/usr.bin/sudo/auth/sudo_auth.c b/usr.bin/sudo/auth/sudo_auth.c index 84c1c1ab6f6..fa1419f28c5 100644 --- a/usr.bin/sudo/auth/sudo_auth.c +++ b/usr.bin/sudo/auth/sudo_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2008-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -53,7 +53,7 @@ #include "insults.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.39 2009/02/11 01:18:02 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.40 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ sudo_auth auth_switch[] = { diff --git a/usr.bin/sudo/auth/sudo_auth.h b/usr.bin/sudo/auth/sudo_auth.h index ed1545f40e8..42ac49b167d 100644 --- a/usr.bin/sudo/auth/sudo_auth.h +++ b/usr.bin/sudo/auth/sudo_auth.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -13,7 +13,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: sudo_auth.h,v 1.28 2008/12/02 17:30:39 millert Exp $ + * $Sudo: sudo_auth.h,v 1.29 2009/05/25 12:02:42 millert Exp $ */ #ifndef SUDO_AUTH_H 
diff --git a/usr.bin/sudo/check.c b/usr.bin/sudo/check.c index 3261fd6614f..bdce34e23b7 100644 --- a/usr.bin/sudo/check.c +++ b/usr.bin/sudo/check.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1993-1996,1998-2005, 2007-2008 + * Copyright (c) 1993-1996,1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -59,7 +59,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: check.c,v 1.246 2009/02/24 13:04:39 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: check.c,v 1.247 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ /* Status codes for timestamp_status() */ diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h index 2a8d68720b8..33c0e77703b 100644 --- a/usr.bin/sudo/config.h +++ b/usr.bin/sudo/config.h @@ -1,4 +1,4 @@ -/* $OpenBSD: config.h,v 1.12 2009/06/03 15:53:08 millert Exp $ */ +/* $OpenBSD: config.h,v 1.13 2009/06/21 14:48:41 millert Exp $ */ #ifndef _SUDO_CONFIG_H #define _SUDO_CONFIG_H @@ -8,6 +8,12 @@ * --with-env-editor --disable-path-info --with-logfac=authpriv */ +#define PACKAGE_BUGREPORT "http://www.sudo.ws/bugs/" +#define PACKAGE_NAME "sudo" +#define PACKAGE_STRING "sudo 1.7.2" +#define PACKAGE_TARNAME "sudo" +#define PACKAGE_VERSION "1.7.2" + #define HAVE_ASPRINTF 1 #define HAVE_BSD_AUTH_H 1 #define HAVE_CLOSEFROM 1 diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in index 9bf2c62fa8b..18698f4f92b 100644 --- a/usr.bin/sudo/config.h.in +++ b/usr.bin/sudo/config.h.in @@ -98,6 +98,9 @@ /* Define to 1 if you have the `dispcrypt' function. */ #undef HAVE_DISPCRYPT +/* Define to 1 if you have the <dlfcn.h> header file. */ +#undef HAVE_DLFCN_H + /* Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags. */ #undef HAVE_EXTENDED_GLOB 
@@ -511,6 +514,9 @@ /* The message given when a bad password is entered. */ #undef INCORRECT_PASSWORD +/* The name of libvas.so */ +#undef LIBVAS_SO + /* The syslog facility sudo will use. */ #undef LOGFAC @@ -552,6 +558,21 @@ /* Define to 1 if root should not be allowed to use sudo. */ #undef NO_ROOT_SUDO +/* Define to the address where bug reports for this package should be sent. */ +#undef PACKAGE_BUGREPORT + +/* Define to the full name of this package. */ +#undef PACKAGE_NAME + +/* Define to the full name and version of this package. */ +#undef PACKAGE_STRING + +/* Define to the one symbol short name of this package. */ +#undef PACKAGE_TARNAME + +/* Define to the version of this package. */ +#undef PACKAGE_VERSION + /* The default password prompt. */ #undef PASSPROMPT @@ -635,6 +656,9 @@ /* Define to 1 if you want a different ticket file for each tty. */ #undef USE_TTY_TICKETS +/* Define to 1 if using a non-unix group lookup implementation. */ +#undef USING_NONUNIX_GROUPS + /* Define to avoid using the passwd/shadow file for authentication. */ #undef WITHOUT_PASSWD diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure index 421a4e20646..1d45b2118a1 100644 --- a/usr.bin/sudo/configure +++ b/usr.bin/sudo/configure @@ -1,6 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for sudo 1.7. +# Generated by GNU Autoconf 2.61 for sudo 1.7.2. +# +# Report bugs to <http://www.sudo.ws/bugs/>. # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. @@ -722,9 +724,9 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7' -PACKAGE_STRING='sudo 1.7' -PACKAGE_BUGREPORT='' +PACKAGE_VERSION='1.7.2' +PACKAGE_STRING='sudo 1.7.2' +PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' # Factoring default headers for most tests. ac_includes_default="\ 
@@ -836,6 +838,7 @@ BSDAUTH_USAGE SELINUX_USAGE LDAP LOGINCAP_USAGE +NONUNIX_GROUPS_IMPL timedir timeout password_timeout @@ -895,6 +898,7 @@ TRPROG NROFFPROG YACC YFLAGS +FLEX LIBOBJS KRB5CONFIG LTLIBOBJS' @@ -1412,7 +1416,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1477,7 +1481,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7:";; + short | recursive ) echo "Configuration of sudo 1.7.2:";; esac cat <<\_ACEOF @@ -1526,10 +1530,10 @@ Optional Packages: --with-skey=DIR enable S/Key support --with-opie=DIR enable OPIE support --with-long-otp-prompt use a two line OTP (skey/opie) prompt - --with-SecurID[=DIR] enable SecurID support - --with-fwtk[=DIR] enable FWTK AuthSRV support - --with-kerb4[=DIR] enable Kerberos IV support - --with-kerb5[=DIR] enable Kerberos V support + --with-SecurID=DIR enable SecurID support + --with-fwtk=DIR enable FWTK AuthSRV support + --with-kerb4=DIR enable Kerberos IV support + --with-kerb5=DIR enable Kerberos V support --with-aixauth enable AIX general authentication support --with-pam enable PAM support --with-AFS enable AFS support @@ -1545,7 +1549,8 @@ Optional Packages: --with-logpath path to the sudo log file --with-loglen maximum length of a log file line (default is 80) --with-ignore-dot ignore '.' in the PATH - --without-mail-if-no-user do not send mail if user not in sudoers + --without-mail-if-no-user + do not send mail if user not in sudoers --with-mail-if-no-host send mail if user in sudoers but not for this host --with-mail-if-noperms send mail if user not allowed to run command --with-mailto who should get sudo mail (default is "root") 
@@ -1554,20 +1559,23 @@ Optional Packages: --with-badpass-message message the user sees when the password is wrong --with-fqdn expect fully qualified hosts in sudoers --with-timedir path to the sudo timestamp dir - --with-sendmail=path set path to sendmail + --with-sendmail set path to sendmail --without-sendmail do not send mail at all --with-sudoers-mode mode of sudoers file (defaults to 0440) --with-sudoers-uid uid that owns sudoers file (defaults to 0) --with-sudoers-gid gid that owns sudoers file (defaults to 0) - --with-umask umask with which the prog should run (default is 022) + --with-umask umask with which the prog should run (default is + 022) --without-umask Preserves the umask of the user invoking sudo. --with-runas-default User to run commands as (default is "root") --with-exempt=group no passwd needed for users in this group --with-editor=path Default editor for visudo (defaults to vi) --with-env-editor Use the environment variable EDITOR for visudo --with-passwd-tries number of tries to enter password (default is 3) - --with-timeout minutes before sudo asks for passwd again (def is 5 minutes) - --with-password-timeout passwd prompt timeout in minutes (default is 5 minutes) + --with-timeout minutes before sudo asks for passwd again (def is 5 + minutes) + --with-password-timeout passwd prompt timeout in minutes (default is 5 + minutes) --with-tty-tickets use a different ticket file for each tty --with-insults insult the user for entering an incorrect password --with-all-insults include all the sudo insult sets 
@@ -1575,21 +1583,26 @@ Optional Packages: --with-csops-insults include CSOps insults --with-hal-insults include 2001-like insults --with-goons-insults include the insults from the "Goon Show" - --with-nsswitch[=PATH] path to nsswitch.conf - --with-ldap[=DIR] enable LDAP support + --with-nsswitch=PATH path to nsswitch.conf + --with-ldap=DIR enable LDAP support --with-ldap-conf-file path to LDAP configuration file --with-ldap-secret-file path to LDAP secret password file - --with-pc-insults replace politically incorrect insults with less offensive ones + --with-pc-insults replace politically incorrect insults with less + offensive ones --with-secure-path override the user's path with a built-in one --without-interfaces don't try to read the ip addr of ether interfaces --with-stow properly handle GNU stow packaging --with-askpass=PATH Fully qualified pathname of askpass helper + --with-libvas=NAME Name of the libvas shared library + (default=libvas.so) + --with-libvas-rpath=PATH + Path to look for libvas in [default=/opt/quest/lib] --with-selinux enable SELinux support --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-pic try to use only PIC/non-PIC objects [default=use both] --with-noexec=PATH fully qualified pathname of sudo_noexec.so - --with-netsvc[=PATH] path to netsvc.conf + --with-netsvc=PATH path to netsvc.conf Some influential environment variables: CC C compiler command @@ -1609,6 +1622,7 @@ Some influential environment variables: Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. +Report bugs to <http://www.sudo.ws/bugs/>. _ACEOF ac_status=$? fi @@ -1669,7 +1683,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7 +sudo configure 1.7.2 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 
@@ -1683,7 +1697,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7, which was +It was created by sudo $as_me 1.7.2, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ @@ -2038,8 +2052,9 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_config_headers="$ac_config_headers config.h pathnames.h" -{ echo "$as_me:$LINENO: Configuring Sudo version 1.7" >&5 -echo "$as_me: Configuring Sudo version 1.7" >&6;} +{ echo "$as_me:$LINENO: Configuring Sudo version $PACKAGE_VERSION" >&5 +echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + @@ -3783,6 +3798,44 @@ fi +# Check whether --with-libvas was given. +if test "${with_libvas+set}" = set; then + withval=$with_libvas; case $with_libvas in + yes) with_libvas=libvas.so + ;; + no) ;; + *) +cat >>confdefs.h <<_ACEOF +#define LIBVAS_SO "$with_with_libvas" +_ACEOF + + ;; +esac +if test X"$with_libvas" != X"no"; then + +cat >>confdefs.h <<_ACEOF +#define LIBVAS_SO "$with_libvas" +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define USING_NONUNIX_GROUPS 1 +_ACEOF + + NONUNIX_GROUPS_IMPL="vasgroups.o" + +# Check whether --with-libvas-rpath was given. +if test "${with_libvas_rpath+set}" = set; then + withval=$with_libvas_rpath; LIBVAS_RPATH=$withval +else + LIBVAS_RPATH=/opt/quest/lib +fi + +fi + +fi + + + { echo "$as_me:$LINENO: checking whether to do user authentication by default" >&5 echo $ECHO_N "checking whether to do user authentication by default... $ECHO_C" >&6; } # Check whether --enable-authentication was given. @@ -5507,6 +5560,8 @@ fi + + # Check whether --enable-shared was given. if test "${enable_shared+set}" = set; then enableval=$enable_shared; p=${PACKAGE-default} 
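Review bot: In the `--with-libvas` block the `*)` case arm writes `#define LIBVAS_SO "$with_with_libvas"` to confdefs.h, and `$with_with_libvas` is never set anywhere, so the first definition is an empty string that the unconditional `#define LIBVAS_SO "$with_libvas"` a few lines later then redefines; every later conftest compile sees a macro redefinition, which at best is a warning. This file is generated, so the fix belongs in configure.in (outside this chunk): drop the define from the case arm entirely, since the `if test X"$with_libvas" != X"no"` branch already covers every value other than `no`. Separately, `LIBVAS_RPATH` is assigned here but neither substituted nor written to confdefs.h within this hunk; confirm that configure.in actually consumes it (presumably into the sudo link flags), otherwise `--with-libvas-rpath` is silently a no-op. Because sudo runs setuid and `LIBVAS_SO` defaults to a bare soname, the loader in vasgroups.c (not visible here) should resolve it only from a fixed, root-owned directory such as the configured rpath rather than relying on the process's default library search order.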
@@ -6207,7 +6262,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6210 "configure"' > conftest.$ac_ext + echo '#line 6265 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6757,7 +6812,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -7969,7 +8029,7 @@ echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; } esac -enable_dlopen=no +enable_dlopen=yes enable_win32_dll=no # Check whether --enable-libtool-lock was given. @@ -8066,11 +8126,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8069: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8129: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8073: \$? = $ac_status" >&5 + echo "$as_me:8133: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -8356,11 +8416,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8359: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8419: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8363: \$? = $ac_status" >&5 + echo "$as_me:8423: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8460,11 +8520,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8463: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8523: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8467: \$? = $ac_status" >&5 + echo "$as_me:8527: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10820,7 +10880,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 10823 "configure" +#line 10883 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10920,7 +10980,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 10923 "configure" +#line 10983 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12076,6 +12136,66 @@ done if test "x$ac_cv_prog_cc_c89" = "xno"; then with_noexec=no fi + + # Use the +DAportable flag if it is supported + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS +DAportable" + { echo "$as_me:$LINENO: checking whether $CC understands +DAportable" >&5 +echo $ECHO_N "checking whether $CC understands +DAportable... $ECHO_C" >&6; } +if test "${sudo_cv_var_daportable+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + sudo_cv_var_daportable=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + sudo_cv_var_daportable=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ echo "$as_me:$LINENO: result: $sudo_cv_var_daportable" >&5 +echo "${ECHO_T}$sudo_cv_var_daportable" >&6; } + if test X"$sudo_cv_var_daportable" != X"yes"; then + CFLAGS="$_CFLAGS" + fi + case "$host" in *-*-hpux1-8.*) cat >>confdefs.h <<\_ACEOF 
@@ -12947,6 +13067,47 @@ fi done test -n "$YACC" || YACC="yacc" +# Extract the first word of "flex", so it can be a program name with args. +set dummy flex; ac_word=$2 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +if test "${ac_cv_path_FLEX+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + case $FLEX in + [\\/]* | ?:[\\/]*) + ac_cv_path_FLEX="$FLEX" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_FLEX="$as_dir/$ac_word$ac_exec_ext" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + + test -z "$ac_cv_path_FLEX" && ac_cv_path_FLEX="flex" + ;; +esac +fi +FLEX=$ac_cv_path_FLEX +if test -n "$FLEX"; then + { echo "$as_me:$LINENO: result: $FLEX" >&5 +echo "${ECHO_T}$FLEX" >&6; } +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + { echo "$as_me:$LINENO: checking for mv" >&5 echo $ECHO_N "checking for mv... $ECHO_C" >&6; } if test -f "/usr/bin/mv"; then @@ -13738,7 +13899,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 
@@ -13941,7 +14107,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -14084,7 +14255,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -14226,7 +14402,12 @@ echo "$as_me: WARNING: project.h: section \"Present But Cannot Be Compiled\" echo "$as_me: WARNING: project.h: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: project.h: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: project.h: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for project.h" >&5 
@@ -19834,7 +20015,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -20142,7 +20328,12 @@ echo "$as_me: WARNING: bsd_auth.h: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: bsd_auth.h: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: bsd_auth.h: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: bsd_auth.h: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for bsd_auth.h" >&5 @@ -20592,7 +20783,12 @@ echo "$as_me: WARNING: krb.h: section \"Present But Cannot Be Compiled\"" >& echo "$as_me: WARNING: krb.h: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: krb.h: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: krb.h: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for krb.h" >&5 
@@ -22918,7 +23114,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -23030,7 +23231,9 @@ _ACEOF fi done -, break + +else + break fi done @@ -23519,7 +23722,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\ echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} - + ( cat <<\_ASBOX +## --------------------------------------- ## +## Report this to http://www.sudo.ws/bugs/ ## +## --------------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { echo "$as_me:$LINENO: checking for $ac_header" >&5 
@@ -23660,7 +23868,12 @@ echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
 { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-
+ ( cat <<\_ASBOX
+## --------------------------------------- ##
+## Report this to http://www.sudo.ws/bugs/ ##
+## --------------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
 ;;
 esac
 { echo "$as_me:$LINENO: checking for $ac_header" >&5
@@ -23697,6 +23910,14 @@ echo "$as_me: WARNING: Unable to locate gssapi.h, you will have to edit the Make
 LDFLAGS="$_LDFLAGS"
 fi
 
+if test X"$LIBVAS_RPATH" != X""; then
+ if test -n "$blibpath"; then
+ blibpath_add="${blibpath_add}:$LIBVAS_RPATH"
+ else
+ LDFLAGS="$LDFLAGS -R$LIBVAS_RPATH"
+ fi
+fi
+
 if test -n "$blibpath"; then
 if test -n "$blibpath_add"; then
 SUDO_LDFLAGS="$SUDO_LDFLAGS -Wl,-blibpath:${blibpath}${blibpath_add}"
@@ -24241,7 +24462,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.7, which was
+This file was extended by sudo $as_me 1.7.2, which was
 generated by GNU Autoconf 2.61. Invocation command line was
 
 CONFIG_FILES = $CONFIG_FILES
@@ -24290,7 +24511,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-sudo config.status 1.7
+sudo config.status 1.7.2
 configured by $0, generated by GNU Autoconf 2.61,
 with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -24540,6 +24761,7 @@ BSDAUTH_USAGE!$BSDAUTH_USAGE$ac_delim
 SELINUX_USAGE!$SELINUX_USAGE$ac_delim
 LDAP!$LDAP$ac_delim
 LOGINCAP_USAGE!$LOGINCAP_USAGE$ac_delim
+NONUNIX_GROUPS_IMPL!$NONUNIX_GROUPS_IMPL$ac_delim
 timedir!$timedir$ac_delim
 timeout!$timeout$ac_delim
 password_timeout!$password_timeout$ac_delim
@@ -24562,7 +24784,6 @@ fqdn!$fqdn$ac_delim
 runas_default!$runas_default$ac_delim
 env_editor!$env_editor$ac_delim
 passwd_tries!$passwd_tries$ac_delim
-tty_tickets!$tty_tickets$ac_delim
 _ACEOF
 
 if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -24604,6 +24825,7 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
 cat >conf$$subs.sed <<_ACEOF
+tty_tickets!$tty_tickets$ac_delim
 insults!$insults$ac_delim
 root_sudo!$root_sudo$ac_delim
 path_info!$path_info$ac_delim
@@ -24640,12 +24862,13 @@ TRPROG!$TRPROG$ac_delim
 NROFFPROG!$NROFFPROG$ac_delim
 YACC!$YACC$ac_delim
 YFLAGS!$YFLAGS$ac_delim
+FLEX!$FLEX$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
 KRB5CONFIG!$KRB5CONFIG$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 39; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 41; then
 break
 elif $ac_last_try; then
 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -25271,3 +25494,5 @@ fi
 
 
 
+
+
diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in
index 88bd0602ea2..e21ad6fe7b0 100644
--- a/usr.bin/sudo/configure.in
+++ b/usr.bin/sudo/configure.in
@@ -1,15 +1,15 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.546 2009/04/10 20:59:42 millert Exp $ +dnl $Sudo: configure.in,v 1.549 2009/06/13 20:52:50 millert Exp $ dnl -dnl Copyright (c) 1994-1996,1998-2008 Todd C. Miller <Todd.Miller@courtesan.com> +dnl Copyright (c) 1994-1996,1998-2009 Todd C. Miller <Todd.Miller@courtesan.com> dnl -AC_INIT([sudo], [1.7]) +AC_INIT([sudo], [1.7.2], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h) dnl dnl This won't work before AC_INIT dnl -AC_MSG_NOTICE([Configuring Sudo version 1.7]) +AC_MSG_NOTICE([Configuring Sudo version $PACKAGE_VERSION]) dnl dnl Variables that get substituted in the Makefile and man pages dnl @@ -51,6 +51,7 @@ AC_SUBST(BSDAUTH_USAGE) AC_SUBST(SELINUX_USAGE) AC_SUBST(LDAP) AC_SUBST(LOGINCAP_USAGE) +AC_SUBST(NONUNIX_GROUPS_IMPL) dnl dnl Variables that get substituted in docs (not overridden by environment) dnl @@ -161,14 +162,14 @@ dnl dnl Deprecated --with options (these all warn or generate an error) dnl -AC_ARG_WITH(otp-only, [ --with-otp-only deprecated], +AC_ARG_WITH(otp-only, [AS_HELP_STRING([--with-otp-only], [deprecated])], [case $with_otp_only in yes) with_passwd="no" AC_MSG_NOTICE([--with-otp-only option deprecated, treating as --without-passwd]) ;; esac]) -AC_ARG_WITH(alertmail, [ --with-alertmail deprecated], +AC_ARG_WITH(alertmail, [AS_HELP_STRING([--with-alertmail], [deprecated])], [case $with_alertmail in *) with_mailto="$with_alertmail" AC_MSG_NOTICE([--with-alertmail option deprecated, treating as --mailto]) @@ -179,7 +180,7 @@ dnl dnl Options for --with dnl -AC_ARG_WITH(CC, [ --with-CC C compiler to use], +AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])], [case $with_CC in yes) AC_MSG_ERROR(["must give --with-CC an argument."]) ;; 
@@ -189,14 +190,14 @@ AC_ARG_WITH(CC, [ --with-CC C compiler to use],
 ;;
 esac])
 
-AC_ARG_WITH(rpath, [ --with-rpath pass -R flag in addition to -L for lib paths],
+AC_ARG_WITH(rpath, [AS_HELP_STRING([--with-rpath], [pass -R flag in addition to -L for lib paths])],
 [case $with_rpath in
 yes|no) ;;
 *) AC_MSG_ERROR(["--with-rpath does not take an argument."])
 ;;
 esac])
 
-AC_ARG_WITH(blibpath, [ --with-blibpath[=PATH] pass -blibpath flag to ld for additional lib paths],
+AC_ARG_WITH(blibpath, [AS_HELP_STRING([--with-blibpath[=PATH]], [pass -blibpath flag to ld for additional lib paths])],
 [case $with_blibpath in
 yes|no) ;;
 *) AC_MSG_NOTICE([will pass -blibpath:${with_blibpath} to the loader.])
@@ -206,7 +207,7 @@ esac])
 dnl
 dnl Handle BSM auditing support.
 dnl
-AC_ARG_WITH(bsm-audit, [ --with-bsm-audit enable BSM audit support],
+AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit support])],
 [case $with_bsm_audit in
 yes) AC_DEFINE(HAVE_BSM_AUDIT)
 SUDO_LIBS="${SUDO_LIBS} -lbsm"
@@ -217,7 +218,7 @@ AC_ARG_WITH(bsm-audit, [ --with-bsm-audit enable BSM audit support],
 ;;
 esac])
 
-AC_ARG_WITH(incpath, [ --with-incpath additional places to look for include files],
+AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
 yes) AC_MSG_ERROR(["must give --with-incpath an argument."])
 ;;
@@ -230,7 +231,7 @@ AC_ARG_WITH(incpath, [ --with-incpath additional places to look for in
 ;;
 esac])
 
-AC_ARG_WITH(libpath, [ --with-libpath additional places to look for libraries],
+AC_ARG_WITH(libpath, [AS_HELP_STRING([--with-libpath], [additional places to look for libraries])],
 [case $with_libpath in
 yes) AC_MSG_ERROR(["must give --with-libpath an argument."])
 ;;
@@ -240,7 +241,7 @@ AC_ARG_WITH(libpath, [ --with-libpath additional places to look for li
 ;;
 esac])
 
-AC_ARG_WITH(libraries, [ --with-libraries additional libraries to link with],
+AC_ARG_WITH(libraries, [AS_HELP_STRING([--with-libraries], [additional libraries to link with])],
 [case $with_libraries in
 yes) AC_MSG_ERROR(["must give --with-libraries an argument."])
 ;;
@@ -250,7 +251,7 @@ AC_ARG_WITH(libraries, [ --with-libraries additional libraries to link w
 ;;
 esac])
 
-AC_ARG_WITH(devel, [ --with-devel add development options],
+AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])],
 [case $with_devel in
 yes) AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
 PROGS="${PROGS} testsudoers"
@@ -263,7 +264,7 @@ AC_ARG_WITH(devel, [ --with-devel add development options],
 ;;
 esac])
 
-AC_ARG_WITH(efence, [ --with-efence link with -lefence for malloc() debugging],
+AC_ARG_WITH(efence, [AS_HELP_STRING([--with-efence], [link with -lefence for malloc() debugging])],
 [case $with_efence in
 yes) AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)])
 LIBS="${LIBS} -lefence"
@@ -276,7 +277,7 @@ AC_ARG_WITH(efence, [ --with-efence link with -lefence for malloc() d
 ;;
 esac])
 
-AC_ARG_WITH(csops, [ --with-csops add CSOps standard options],
+AC_ARG_WITH(csops, [AS_HELP_STRING([--with-csops], [add CSOps standard options])],
 [case $with_csops in
 yes) AC_MSG_NOTICE([Adding CSOps standard options])
 CHECKSIA=false
@@ -293,7 +294,7 @@ AC_ARG_WITH(csops, [ --with-csops add CSOps standard options],
 ;;
 esac])
 
-AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for authentication],
+AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
 [case $with_passwd in
 yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
 AC_MSG_RESULT($with_passwd)
@@ -304,7 +305,7 @@ AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for
 ;;
 esac])
 
-AC_ARG_WITH(skey, [ --with-skey[=DIR] enable S/Key support ],
+AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support ])],
 [case $with_skey in
 no) with_skey=""
 ;;
@@ -315,7 +316,7 @@ AC_ARG_WITH(skey, [ --with-skey[=DIR] enable S/Key support ],
 ;;
 esac])
 
-AC_ARG_WITH(opie, [ --with-opie[=DIR] enable OPIE support ],
+AC_ARG_WITH(opie, [AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support ])],
 [case $with_opie in
 no) with_opie=""
 ;;
@@ -326,7 +327,7 @@ AC_ARG_WITH(opie, [ --with-opie[=DIR] enable OPIE support ],
 ;;
 esac])
 
-AC_ARG_WITH(long-otp-prompt, [ --with-long-otp-prompt use a two line OTP (skey/opie) prompt],
+AC_ARG_WITH(long-otp-prompt, [AS_HELP_STRING([--with-long-otp-prompt], [use a two line OTP (skey/opie) prompt])],
 [case $with_long_otp_prompt in
 yes) AC_DEFINE(LONG_OTP_PROMPT)
 AC_MSG_CHECKING(whether to use a two line prompt for OTP authentication)
@@ -339,7 +340,7 @@ AC_ARG_WITH(long-otp-prompt, [ --with-long-otp-prompt use a two line OTP (skey
 ;;
 esac])
 
-AC_ARG_WITH(SecurID, [ --with-SecurID[[=DIR]] enable SecurID support],
+AC_ARG_WITH(SecurID, [AS_HELP_STRING([--with-SecurID[[=DIR]]], [enable SecurID support])],
 [case $with_SecurID in
 no) with_SecurID="";;
 *) AC_DEFINE(HAVE_SECURID)
@@ -349,7 +350,7 @@ AC_ARG_WITH(SecurID, [ --with-SecurID[[=DIR]] enable SecurID support],
 ;;
 esac])
 
-AC_ARG_WITH(fwtk, [ --with-fwtk[[=DIR]] enable FWTK AuthSRV support],
+AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV support])],
 [case $with_fwtk in
 no) with_fwtk="";;
 *) AC_DEFINE(HAVE_FWTK)
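Review bot: The converted help strings for --with-skey and --with-opie carry a trailing space inside the description, `[enable S/Key support ]` and `[enable OPIE support ]`, which AS_HELP_STRING will copy verbatim into the ./configure --help output; no other entry converted in this commit has such trailing whitespace. Drop it: `AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support])` and `AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support])`. These two entries also write the optional argument as `[=DIR]` with a single pair of brackets, while the SecurID and fwtk entries in the same line use `[[=DIR]]`; since one bracket level is consumed by m4 quoting, it is worth confirming that the single-bracket form still renders as `[=DIR]` in --help rather than `=DIR`.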
@@ -359,7 +360,7 @@ AC_ARG_WITH(fwtk, [ --with-fwtk[[=DIR]] enable FWTK AuthSRV support],
 ;;
 esac])
 
-AC_ARG_WITH(kerb4, [ --with-kerb4[[=DIR]] enable Kerberos IV support],
+AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])],
 [case $with_kerb4 in
 no) with_kerb4="";;
 *) AC_MSG_CHECKING(whether to try kerberos IV authentication)
@@ -368,7 +369,7 @@ AC_ARG_WITH(kerb4, [ --with-kerb4[[=DIR]] enable Kerberos IV support],
 ;;
 esac])
 
-AC_ARG_WITH(kerb5, [ --with-kerb5[[=DIR]] enable Kerberos V support],
+AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
 no) with_kerb5="";;
 *) AC_MSG_CHECKING(whether to try Kerberos V authentication)
@@ -377,7 +378,7 @@ AC_ARG_WITH(kerb5, [ --with-kerb5[[=DIR]] enable Kerberos V support],
 ;;
 esac])
 
-AC_ARG_WITH(aixauth, [ --with-aixauth enable AIX general authentication support],
+AC_ARG_WITH(aixauth, [AS_HELP_STRING([--with-aixauth], [enable AIX general authentication support])],
 [case $with_aixauth in
 yes) AUTH_EXCL="$AUTH_EXCL AIX_AUTH";;
 no) ;;
@@ -385,7 +386,7 @@ AC_ARG_WITH(aixauth, [ --with-aixauth enable AIX general authenticatio
 ;;
 esac])
 
-AC_ARG_WITH(pam, [ --with-pam enable PAM support],
+AC_ARG_WITH(pam, [AS_HELP_STRING([--with-pam], [enable PAM support])],
 [case $with_pam in
 yes) AUTH_EXCL="$AUTH_EXCL PAM";;
 no) ;;
@@ -393,7 +394,7 @@ AC_ARG_WITH(pam, [ --with-pam enable PAM support],
 ;;
 esac])
 
-AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
+AC_ARG_WITH(AFS, [AS_HELP_STRING([--with-AFS], [enable AFS support])],
 [case $with_AFS in
 yes) AC_DEFINE(HAVE_AFS)
 AC_MSG_CHECKING(whether to try AFS (kerberos) authentication)
@@ -405,7 +406,7 @@ AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
 ;;
 esac])
 
-AC_ARG_WITH(DCE, [ --with-DCE enable DCE support],
+AC_ARG_WITH(DCE, [AS_HELP_STRING([--with-DCE], [enable DCE support])],
 [case $with_DCE in
 yes) AC_DEFINE(HAVE_DCE)
 AC_MSG_CHECKING(whether to try DCE (kerberos) authentication)
@@ -417,14 +418,14 @@ AC_ARG_WITH(DCE, [ --with-DCE enable DCE support],
 ;;
 esac])
 
-AC_ARG_WITH(logincap, [ --with-logincap enable BSD login class support],
+AC_ARG_WITH(logincap, [AS_HELP_STRING([--with-logincap], [enable BSD login class support])],
 [case $with_logincap in
 yes|no) ;;
 *) AC_MSG_ERROR(["--with-logincap does not take an argument."])
 ;;
 esac])
 
-AC_ARG_WITH(bsdauth, [ --with-bsdauth enable BSD authentication support],
+AC_ARG_WITH(bsdauth, [AS_HELP_STRING([--with-bsdauth], [enable BSD authentication support])],
 [case $with_bsdauth in
 yes) AUTH_EXCL="$AUTH_EXCL BSD_AUTH";;
 no) ;;
@@ -432,7 +433,7 @@ AC_ARG_WITH(bsdauth, [ --with-bsdauth enable BSD authentication suppor
 ;;
 esac])
 
-AC_ARG_WITH(project, [ --with-project enable Solaris project support],
+AC_ARG_WITH(project, [AS_HELP_STRING([--with-project], [enable Solaris project support])],
 [case $with_project in
 yes|no) ;;
 no) ;;
@@ -441,7 +442,7 @@ AC_ARG_WITH(project, [ --with-project enable Solaris project support],
 esac])
 
 AC_MSG_CHECKING(whether to lecture users the first time they run sudo)
-AC_ARG_WITH(lecture, [ --without-lecture don't print lecture for first-time sudoer],
+AC_ARG_WITH(lecture, [AS_HELP_STRING([--without-lecture], [don't print lecture for first-time sudoer])],
 [case $with_lecture in
 yes|short|always) lecture=once
 ;;
@@ -458,7 +459,7 @@ else
 fi
 
 AC_MSG_CHECKING(whether sudo should log via syslog or to a file by default)
-AC_ARG_WITH(logging, [ --with-logging log via syslog, file, or both],
+AC_ARG_WITH(logging, [AS_HELP_STRING([--with-logging], [log via syslog, file, or both])],
 [case $with_logging in
 yes) AC_MSG_ERROR(["must give --with-logging an argument."])
 ;;
@@ -478,7 +479,7 @@ AC_ARG_WITH(logging, [ --with-logging log via syslog, file, or both], esac], [AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog)]) AC_MSG_CHECKING(which syslog facility sudo should log with) -AC_ARG_WITH(logfac, [ --with-logfac syslog facility to log with (default is "local2")], +AC_ARG_WITH(logfac, [AS_HELP_STRING([--with-logfac], [syslog facility to log with (default is "local2")])], [case $with_logfac in yes) AC_MSG_ERROR(["must give --with-logfac an argument."]) ;; @@ -493,7 +494,7 @@ AC_DEFINE_UNQUOTED(LOGFAC, "$logfac", [The syslog facility sudo will use.]) AC_MSG_RESULT($logfac) AC_MSG_CHECKING(at which syslog priority to log commands) -AC_ARG_WITH(goodpri, [ --with-goodpri syslog priority for commands (def is "notice")], +AC_ARG_WITH(goodpri, [AS_HELP_STRING([--with-goodpri], [syslog priority for commands (def is "notice")])], [case $with_goodpri in yes) AC_MSG_ERROR(["must give --with-goodpri an argument."]) ;; @@ -509,7 +510,7 @@ AC_DEFINE_UNQUOTED(PRI_SUCCESS, "$goodpri", [The syslog priority sudo will use f AC_MSG_RESULT($goodpri) AC_MSG_CHECKING(at which syslog priority to log failures) -AC_ARG_WITH(badpri, [ --with-badpri syslog priority for failures (def is "alert")], +AC_ARG_WITH(badpri, [AS_HELP_STRING([--with-badpri], [syslog priority for failures (def is "alert")])], [case $with_badpri in yes) AC_MSG_ERROR(["must give --with-badpri an argument."]) ;; @@ -524,7 +525,7 @@ esac]) AC_DEFINE_UNQUOTED(PRI_FAILURE, "$badpri", [The syslog priority sudo will use for unsuccessful attempts/errors.]) AC_MSG_RESULT($badpri) -AC_ARG_WITH(logpath, [ --with-logpath path to the sudo log file], +AC_ARG_WITH(logpath, [AS_HELP_STRING([--with-logpath], [path to the sudo log file])], [case $with_logpath in yes) AC_MSG_ERROR(["must give --with-logpath an argument."]) ;; 
@@ -533,7 +534,7 @@ AC_ARG_WITH(logpath, [ --with-logpath path to the sudo log file], esac]) AC_MSG_CHECKING(how long a line in the log file should be) -AC_ARG_WITH(loglen, [ --with-loglen maximum length of a log file line (default is 80)], +AC_ARG_WITH(loglen, [AS_HELP_STRING([--with-loglen], [maximum length of a log file line (default is 80)])], [case $with_loglen in yes) AC_MSG_ERROR(["must give --with-loglen an argument."]) ;; @@ -548,7 +549,7 @@ AC_DEFINE_UNQUOTED(MAXLOGFILELEN, $loglen, [The max number of chars per log file AC_MSG_RESULT($loglen) AC_MSG_CHECKING(whether sudo should ignore '.' or '' in \$PATH) -AC_ARG_WITH(ignore-dot, [ --with-ignore-dot ignore '.' in the PATH], +AC_ARG_WITH(ignore-dot, [AS_HELP_STRING([--with-ignore-dot], [ignore '.' in the PATH])], [case $with_ignore_dot in yes) ignore_dot=on ;; @@ -565,7 +566,7 @@ else fi AC_MSG_CHECKING(whether to send mail when a user is not in sudoers) -AC_ARG_WITH(mail-if-no-user, [ --without-mail-if-no-user do not send mail if user not in sudoers], +AC_ARG_WITH(mail-if-no-user, [AS_HELP_STRING([--without-mail-if-no-user], [do not send mail if user not in sudoers])], [case $with_mail_if_no_user in yes) mail_no_user=on ;; @@ -582,7 +583,7 @@ else fi AC_MSG_CHECKING(whether to send mail when user listed but not for this host) -AC_ARG_WITH(mail-if-no-host, [ --with-mail-if-no-host send mail if user in sudoers but not for this host], +AC_ARG_WITH(mail-if-no-host, [AS_HELP_STRING([--with-mail-if-no-host], [send mail if user in sudoers but not for this host])], [case $with_mail_if_no_host in yes) mail_no_host=on ;; @@ -599,7 +600,7 @@ else fi AC_MSG_CHECKING(whether to send mail when a user tries a disallowed command) -AC_ARG_WITH(mail-if-noperms, [ --with-mail-if-noperms send mail if user not allowed to run command], +AC_ARG_WITH(mail-if-noperms, [AS_HELP_STRING([--with-mail-if-noperms], [send mail if user not allowed to run command])], [case $with_mail_if_noperms in yes) mail_noperms=on ;; 
@@ -616,7 +617,7 @@ else fi AC_MSG_CHECKING(who should get the mail that sudo sends) -AC_ARG_WITH(mailto, [ --with-mailto who should get sudo mail (default is "root")], +AC_ARG_WITH(mailto, [AS_HELP_STRING([--with-mailto], [who should get sudo mail (default is "root")])], [case $with_mailto in yes) AC_MSG_ERROR(["must give --with-mailto an argument."]) ;; @@ -628,7 +629,7 @@ esac]) AC_DEFINE_UNQUOTED(MAILTO, "$mailto", [The user or email address that sudo mail is sent to.]) AC_MSG_RESULT([$mailto]) -AC_ARG_WITH(mailsubject, [ --with-mailsubject subject of sudo mail], +AC_ARG_WITH(mailsubject, [AS_HELP_STRING([--with-mailsubject], [subject of sudo mail])], [case $with_mailsubject in yes) AC_MSG_ERROR(["must give --with-mailsubject an argument."]) ;; @@ -642,7 +643,7 @@ esac]) AC_DEFINE_UNQUOTED(MAILSUBJECT, "$mailsub", [The subject of the mail sent by sudo to the MAILTO user/address.]) AC_MSG_CHECKING(for bad password prompt) -AC_ARG_WITH(passprompt, [ --with-passprompt default password prompt], +AC_ARG_WITH(passprompt, [AS_HELP_STRING([--with-passprompt], [default password prompt])], [case $with_passprompt in yes) AC_MSG_ERROR(["must give --with-passprompt an argument."]) ;; @@ -654,7 +655,7 @@ AC_MSG_RESULT($passprompt) AC_DEFINE_UNQUOTED(PASSPROMPT, "$passprompt", [The default password prompt.]) AC_MSG_CHECKING(for bad password message) -AC_ARG_WITH(badpass-message, [ --with-badpass-message message the user sees when the password is wrong], +AC_ARG_WITH(badpass-message, [AS_HELP_STRING([--with-badpass-message], [message the user sees when the password is wrong])], [case $with_badpass_message in yes) AC_MSG_ERROR(["Must give --with-badpass-message an argument."]) ;; 
@@ -667,7 +668,7 @@ AC_DEFINE_UNQUOTED(INCORRECT_PASSWORD, "$badpass_message", [The message given wh AC_MSG_RESULT([$badpass_message]) AC_MSG_CHECKING(whether to expect fully qualified hosts in sudoers) -AC_ARG_WITH(fqdn, [ --with-fqdn expect fully qualified hosts in sudoers], +AC_ARG_WITH(fqdn, [AS_HELP_STRING([--with-fqdn], [expect fully qualified hosts in sudoers])], [case $with_fqdn in yes) fqdn=on ;; @@ -683,7 +684,7 @@ else AC_MSG_RESULT(no) fi -AC_ARG_WITH(timedir, [ --with-timedir path to the sudo timestamp dir], +AC_ARG_WITH(timedir, [AS_HELP_STRING([--with-timedir], [path to the sudo timestamp dir])], [case $with_timedir in yes) AC_MSG_ERROR(["must give --with-timedir an argument."]) ;; @@ -691,8 +692,8 @@ AC_ARG_WITH(timedir, [ --with-timedir path to the sudo timestamp dir], ;; esac]) -AC_ARG_WITH(sendmail, [ --with-sendmail=path set path to sendmail - --without-sendmail do not send mail at all], +AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail]) +AS_HELP_STRING([--without-sendmail], [do not send mail at all])], [case $with_sendmail in yes) with_sendmail="" ;; @@ -701,7 +702,7 @@ AC_ARG_WITH(sendmail, [ --with-sendmail=path set path to sendmail ;; esac]) -AC_ARG_WITH(sudoers-mode, [ --with-sudoers-mode mode of sudoers file (defaults to 0440)], +AC_ARG_WITH(sudoers-mode, [AS_HELP_STRING([--with-sudoers-mode], [mode of sudoers file (defaults to 0440)])], [case $with_sudoers_mode in yes) AC_MSG_ERROR(["must give --with-sudoers-mode an argument."]) ;; @@ -715,7 +716,7 @@ AC_ARG_WITH(sudoers-mode, [ --with-sudoers-mode mode of sudoers file (defau ;; esac]) -AC_ARG_WITH(sudoers-uid, [ --with-sudoers-uid uid that owns sudoers file (defaults to 0)], +AC_ARG_WITH(sudoers-uid, [AS_HELP_STRING([--with-sudoers-uid], [uid that owns sudoers file (defaults to 0)])], [case $with_sudoers_uid in yes) AC_MSG_ERROR(["must give --with-sudoers-uid an argument."]) ;; 
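Review bot: The sendmail help string loses its argument placeholder in the @@ -691 hunk: the old text read `--with-sendmail=path`, but the new `AS_HELP_STRING([--with-sendmail], [set path to sendmail])` shows only `--with-sendmail`, so ./configure --help no longer tells the user that the option takes a path, unlike `--with-editor=path` and `--with-exempt=group`, which keep their placeholders when converted in the same commit. Keep it: `AS_HELP_STRING([--with-sendmail=path], [set path to sendmail])`. Building the two-line help from two AS_HELP_STRING calls is fine, but the second call sits at column 0 inside the quoted argument, so it is worth checking that the generated --help keeps both lines aligned.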
@@ -727,7 +728,7 @@ AC_ARG_WITH(sudoers-uid, [ --with-sudoers-uid uid that owns sudoers file ( ;; esac]) -AC_ARG_WITH(sudoers-gid, [ --with-sudoers-gid gid that owns sudoers file (defaults to 0)], +AC_ARG_WITH(sudoers-gid, [AS_HELP_STRING([--with-sudoers-gid], [gid that owns sudoers file (defaults to 0)])], [case $with_sudoers_gid in yes) AC_MSG_ERROR(["must give --with-sudoers-gid an argument."]) ;; @@ -740,8 +741,8 @@ AC_ARG_WITH(sudoers-gid, [ --with-sudoers-gid gid that owns sudoers file ( esac]) AC_MSG_CHECKING(for umask programs should be run with) -AC_ARG_WITH(umask, [ --with-umask umask with which the prog should run (default is 022) - --without-umask Preserves the umask of the user invoking sudo.], +AC_ARG_WITH(umask, [AS_HELP_STRING([--with-umask], [umask with which the prog should run (default is 022)]) +AS_HELP_STRING([--without-umask], [Preserves the umask of the user invoking sudo.])], [case $with_umask in yes) AC_MSG_ERROR(["must give --with-umask an argument."]) ;; @@ -760,7 +761,7 @@ else fi AC_MSG_CHECKING(for default user to run commands as) -AC_ARG_WITH(runas-default, [ --with-runas-default User to run commands as (default is "root")], +AC_ARG_WITH(runas-default, [AS_HELP_STRING([--with-runas-default], [User to run commands as (default is "root")])], [case $with_runas_default in yes) AC_MSG_ERROR(["must give --with-runas-default an argument."]) ;; @@ -772,7 +773,7 @@ esac]) AC_DEFINE_UNQUOTED(RUNAS_DEFAULT, "$runas_default", [The user sudo should run commands as by default.]) AC_MSG_RESULT([$runas_default]) -AC_ARG_WITH(exempt, [ --with-exempt=group no passwd needed for users in this group], +AC_ARG_WITH(exempt, [AS_HELP_STRING([--with-exempt=group], [no passwd needed for users in this group])], [case $with_exempt in yes) AC_MSG_ERROR(["must give --with-exempt an argument."]) ;; 
@@ -785,7 +786,7 @@ AC_ARG_WITH(exempt, [ --with-exempt=group no passwd needed for users in thi esac]) AC_MSG_CHECKING(for editor that visudo should use) -AC_ARG_WITH(editor, [ --with-editor=path Default editor for visudo (defaults to vi)], +AC_ARG_WITH(editor, [AS_HELP_STRING([--with-editor=path], [Default editor for visudo (defaults to vi)])], [case $with_editor in yes) AC_MSG_ERROR(["must give --with-editor an argument."]) ;; @@ -797,7 +798,7 @@ AC_ARG_WITH(editor, [ --with-editor=path Default editor for visudo (defaul esac], [AC_DEFINE(EDITOR, _PATH_VI) AC_MSG_RESULT(vi)]) AC_MSG_CHECKING(whether to obey EDITOR and VISUAL environment variables) -AC_ARG_WITH(env-editor, [ --with-env-editor Use the environment variable EDITOR for visudo], +AC_ARG_WITH(env-editor, [AS_HELP_STRING([--with-env-editor], [Use the environment variable EDITOR for visudo])], [case $with_env_editor in yes) env_editor=on ;; @@ -814,7 +815,7 @@ else fi AC_MSG_CHECKING(number of tries a user gets to enter their password) -AC_ARG_WITH(passwd-tries, [ --with-passwd-tries number of tries to enter password (default is 3)], +AC_ARG_WITH(passwd-tries, [AS_HELP_STRING([--with-passwd-tries], [number of tries to enter password (default is 3)])], [case $with_passwd_tries in yes) ;; no) AC_MSG_ERROR(["--without-editor not supported."]) @@ -828,7 +829,7 @@ AC_DEFINE_UNQUOTED(TRIES_FOR_PASSWORD, $passwd_tries, [The number of tries a use AC_MSG_RESULT($passwd_tries) AC_MSG_CHECKING(time in minutes after which sudo will ask for a password again) -AC_ARG_WITH(timeout, [ --with-timeout minutes before sudo asks for passwd again (def is 5 minutes)], +AC_ARG_WITH(timeout, [AS_HELP_STRING([--with-timeout], [minutes before sudo asks for passwd again (def is 5 minutes)])], [case $with_timeout in yes) ;; no) timeout=0 
@@ -842,7 +843,7 @@ AC_DEFINE_UNQUOTED(TIMEOUT, $timeout, [The number of minutes before sudo asks fo AC_MSG_RESULT($timeout) AC_MSG_CHECKING(time in minutes after the password prompt will time out) -AC_ARG_WITH(password-timeout, [ --with-password-timeout passwd prompt timeout in minutes (default is 5 minutes)], +AC_ARG_WITH(password-timeout, [AS_HELP_STRING([--with-password-timeout], [passwd prompt timeout in minutes (default is 5 minutes)])], [case $with_password_timeout in yes) ;; no) password_timeout=0 @@ -856,7 +857,7 @@ AC_DEFINE_UNQUOTED(PASSWORD_TIMEOUT, $password_timeout, [The passwd prompt timeo AC_MSG_RESULT($password_timeout) AC_MSG_CHECKING(whether to use per-tty ticket files) -AC_ARG_WITH(tty-tickets, [ --with-tty-tickets use a different ticket file for each tty], +AC_ARG_WITH(tty-tickets, [AS_HELP_STRING([--with-tty-tickets], [use a different ticket file for each tty])], [case $with_tty_tickets in yes) tty_tickets=on ;; @@ -873,7 +874,7 @@ else fi AC_MSG_CHECKING(whether to include insults) -AC_ARG_WITH(insults, [ --with-insults insult the user for entering an incorrect password], +AC_ARG_WITH(insults, [AS_HELP_STRING([--with-insults], [insult the user for entering an incorrect password])], [case $with_insults in yes) insults=on with_classic_insults=yes @@ -891,7 +892,7 @@ else AC_MSG_RESULT(no) fi -AC_ARG_WITH(all-insults, [ --with-all-insults include all the sudo insult sets], +AC_ARG_WITH(all-insults, [AS_HELP_STRING([--with-all-insults], [include all the sudo insult sets])], [case $with_all_insults in yes) with_classic_insults=yes with_csops_insults=yes @@ -903,7 +904,7 @@ AC_ARG_WITH(all-insults, [ --with-all-insults include all the sudo insult ;; esac]) -AC_ARG_WITH(classic-insults, [ --with-classic-insults include the insults from the "classic" sudo], +AC_ARG_WITH(classic-insults, [AS_HELP_STRING([--with-classic-insults], [include the insults from the "classic" sudo])], [case $with_classic_insults in yes) AC_DEFINE(CLASSIC_INSULTS) ;; 
@@ -912,7 +913,7 @@ AC_ARG_WITH(classic-insults, [ --with-classic-insults include the insults from ;; esac]) -AC_ARG_WITH(csops-insults, [ --with-csops-insults include CSOps insults], +AC_ARG_WITH(csops-insults, [AS_HELP_STRING([--with-csops-insults], [include CSOps insults])], [case $with_csops_insults in yes) AC_DEFINE(CSOPS_INSULTS) ;; @@ -921,7 +922,7 @@ AC_ARG_WITH(csops-insults, [ --with-csops-insults include CSOps insults], ;; esac]) -AC_ARG_WITH(hal-insults, [ --with-hal-insults include 2001-like insults], +AC_ARG_WITH(hal-insults, [AS_HELP_STRING([--with-hal-insults], [include 2001-like insults])], [case $with_hal_insults in yes) AC_DEFINE(HAL_INSULTS) ;; @@ -930,7 +931,7 @@ AC_ARG_WITH(hal-insults, [ --with-hal-insults include 2001-like insults], ;; esac]) -AC_ARG_WITH(goons-insults, [ --with-goons-insults include the insults from the "Goon Show"], +AC_ARG_WITH(goons-insults, [AS_HELP_STRING([--with-goons-insults], [include the insults from the "Goon Show"])], [case $with_goons_insults in yes) AC_DEFINE(GOONS_INSULTS) ;; @@ -939,7 +940,7 @@ AC_ARG_WITH(goons-insults, [ --with-goons-insults include the insults from t ;; esac]) -AC_ARG_WITH(nsswitch, [ --with-nsswitch[[=PATH]] path to nsswitch.conf], +AC_ARG_WITH(nsswitch, [AS_HELP_STRING([--with-nsswitch[[=PATH]]], [path to nsswitch.conf])], [case $with_nsswitch in no) ;; yes) with_nsswitch="/etc/nsswitch.conf" @@ -947,7 +948,7 @@ AC_ARG_WITH(nsswitch, [ --with-nsswitch[[=PATH]] path to nsswitch.conf], *) ;; esac]) -AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support], +AC_ARG_WITH(ldap, [AS_HELP_STRING([--with-ldap[[=DIR]]], [enable LDAP support])], [case $with_ldap in no) ;; *) AC_DEFINE(HAVE_LDAP) 
@@ -956,15 +957,15 @@ AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support], ;; esac]) -AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file]) +AC_ARG_WITH(ldap-conf-file, [AS_HELP_STRING([--with-ldap-conf-file], [path to LDAP configuration file])]) SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "${with_ldap_conf_file-/etc/ldap.conf}", [Path to the ldap.conf file]) ldap_conf=${with_ldap_conf_file-'/etc/ldap.conf'} -AC_ARG_WITH(ldap-secret-file, [ --with-ldap-secret-file path to LDAP secret password file]) +AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path to LDAP secret password file])]) SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "${with_ldap_secret_file-/etc/ldap.secret}", [Path to the ldap.secret file]) ldap_secret=${with_ldap_secret_file-'/etc/ldap.secret'} -AC_ARG_WITH(pc-insults, [ --with-pc-insults replace politically incorrect insults with less offensive ones], +AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [replace politically incorrect insults with less offensive ones])], [case $with_pc_insults in yes) AC_DEFINE(PC_INSULTS) ;; @@ -985,7 +986,7 @@ if test "$insults" = "on"; then fi AC_MSG_CHECKING(whether to override the user's path) -AC_ARG_WITH(secure-path, [ --with-secure-path override the user's path with a built-in one], +AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])], [case $with_secure_path in yes) AC_DEFINE_UNQUOTED(SECURE_PATH, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc") AC_MSG_RESULT([:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc]) 
@@ -998,7 +999,7 @@ AC_ARG_WITH(secure-path, [ --with-secure-path override the user's path wit esac], AC_MSG_RESULT(no)) AC_MSG_CHECKING(whether to get ip addresses from the network interfaces) -AC_ARG_WITH(interfaces, [ --without-interfaces don't try to read the ip addr of ether interfaces], +AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of ether interfaces])], [case $with_interfaces in yes) AC_MSG_RESULT(yes) ;; @@ -1010,7 +1011,7 @@ AC_ARG_WITH(interfaces, [ --without-interfaces don't try to read the ip addr esac], AC_MSG_RESULT(yes)) AC_MSG_CHECKING(whether stow should be used) -AC_ARG_WITH(stow, [ --with-stow properly handle GNU stow packaging], +AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [properly handle GNU stow packaging])], [case $with_stow in yes) AC_MSG_RESULT(yes) AC_DEFINE(USE_STOW) @@ -1022,7 +1023,7 @@ AC_ARG_WITH(stow, [ --with-stow properly handle GNU stow packaging] esac], AC_MSG_RESULT(no)) AC_MSG_CHECKING(whether to use an askpass helper) -AC_ARG_WITH(askpass, [ --with-askpass=PATH Fully qualified pathname of askpass helper], +AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pathname of askpass helper])], [case $with_askpass in yes) AC_MSG_ERROR(["--with-askpass takes a path as an argument."]) ;; 
@@ -1032,13 +1033,35 @@ AC_ARG_WITH(askpass, [ --with-askpass=PATH Fully qualified pathname of askp esac], AC_MSG_RESULT(no)) dnl +dnl If enabled, set LIBVAS_SO, LIBVAS_RPATH and USING_NONUNIX_GROUPS +dnl +AC_ARG_WITH(libvas, [AS_HELP_STRING([--with-libvas=NAME], [Name of the libvas shared library (default=libvas.so)])], +[case $with_libvas in + yes) with_libvas=libvas.so + ;; + no) ;; + *) AC_DEFINE_UNQUOTED([LIBVAS_SO], ["$with_with_libvas"], [The name of libvas.so]) + ;; +esac +if test X"$with_libvas" != X"no"; then + AC_DEFINE_UNQUOTED([LIBVAS_SO], ["$with_libvas"], [The name of libvas.so]) + AC_DEFINE(USING_NONUNIX_GROUPS) + NONUNIX_GROUPS_IMPL="vasgroups.o" + AC_ARG_WITH([libvas-rpath], + [AS_HELP_STRING([--with-libvas-rpath=PATH], + [Path to look for libvas in [default=/opt/quest/lib]])], + [LIBVAS_RPATH=$withval], + [LIBVAS_RPATH=/opt/quest/lib]) +fi +]) + +dnl dnl Options for --enable dnl AC_MSG_CHECKING(whether to do user authentication by default) AC_ARG_ENABLE(authentication, -[ --disable-authentication - Do not require authentication by default], +[AS_HELP_STRING([--disable-authentication], [Do not require authentication by default])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) ;; @@ -1053,7 +1076,7 @@ AC_ARG_ENABLE(authentication, AC_MSG_CHECKING(whether to disable running the mailer as root) AC_ARG_ENABLE(root-mailer, -[ --disable-root-mailer Don't run the mailer as root, run as the user], +[AS_HELP_STRING([--disable-root-mailer], [Don't run the mailer as root, run as the user])], [ case "$enableval" in yes) AC_MSG_RESULT(no) ;; @@ -1067,7 +1090,7 @@ AC_ARG_ENABLE(root-mailer, ], AC_MSG_RESULT(no)) AC_ARG_ENABLE(setreuid, -[ --disable-setreuid Don't try to use the setreuid() function], +[AS_HELP_STRING([--disable-setreuid], [Don't try to use the setreuid() function])], [ case "$enableval" in no) SKIP_SETREUID=yes ;; 
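Review bot: The `*)` branch of the `with_libvas` case calls `AC_DEFINE_UNQUOTED([LIBVAS_SO], ["$with_with_libvas"], ...)` with a misspelled variable that is never set, so config.h gets an empty `LIBVAS_SO` definition followed by the correct one emitted by the `if test X"$with_libvas" != X"no"` block just below. Since that block already defines `LIBVAS_SO` for every value other than `no`, the branch should reduce to `*) ;;`. The default of a bare `libvas.so` carries no directory, so how that name is resolved at run time is left to whatever library search applies; a note in INSTALL that an absolute path may be given would let deployments pin it.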
@@ -1076,7 +1099,7 @@ AC_ARG_ENABLE(setreuid, ]) AC_ARG_ENABLE(setresuid, -[ --disable-setresuid Don't try to use the setresuid() function], +[AS_HELP_STRING([--disable-setresuid], [Don't try to use the setresuid() function])], [ case "$enableval" in no) SKIP_SETRESUID=yes ;; @@ -1086,7 +1109,7 @@ AC_ARG_ENABLE(setresuid, AC_MSG_CHECKING(whether to disable shadow password support) AC_ARG_ENABLE(shadow, -[ --disable-shadow Never use shadow passwords], +[AS_HELP_STRING([--disable-shadow], [Never use shadow passwords])], [ case "$enableval" in yes) AC_MSG_RESULT(no) ;; @@ -1101,7 +1124,7 @@ AC_ARG_ENABLE(shadow, AC_MSG_CHECKING(whether root should be allowed to use sudo) AC_ARG_ENABLE(root-sudo, -[ --disable-root-sudo Don't allow root to run sudo], +[AS_HELP_STRING([--disable-root-sudo], [Don't allow root to run sudo])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) ;; @@ -1116,7 +1139,7 @@ AC_ARG_ENABLE(root-sudo, AC_MSG_CHECKING(whether to log the hostname in the log file) AC_ARG_ENABLE(log-host, -[ --enable-log-host Log the hostname in the log file], +[AS_HELP_STRING([--enable-log-host], [Log the hostname in the log file])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) AC_DEFINE(HOST_IN_LOG) @@ -1131,7 +1154,7 @@ AC_ARG_ENABLE(log-host, AC_MSG_CHECKING(whether to invoke a shell if sudo is given no arguments) AC_ARG_ENABLE(noargs-shell, -[ --enable-noargs-shell If sudo is given no arguments run a shell], +[AS_HELP_STRING([--enable-noargs-shell], [If sudo is given no arguments run a shell])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) AC_DEFINE(SHELL_IF_NO_ARGS) @@ -1146,8 +1169,7 @@ AC_ARG_ENABLE(noargs-shell, AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode) AC_ARG_ENABLE(shell-sets-home, -[ --enable-shell-sets-home - Set $HOME to target user in shell mode], +[AS_HELP_STRING([--enable-shell-sets-home], [Set $HOME to target user in shell mode])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) AC_DEFINE(SHELL_SETS_HOME) 
@@ -1162,7 +1184,7 @@ AC_ARG_ENABLE(shell-sets-home, AC_MSG_CHECKING(whether to disable 'command not found' messages) AC_ARG_ENABLE(path_info, -[ --disable-path-info Print 'command not allowed' not 'command not found'], +[AS_HELP_STRING([--disable-path-info], [Print 'command not allowed' not 'command not found'])], [ case "$enableval" in yes) AC_MSG_RESULT(no) ;; @@ -1178,7 +1200,7 @@ AC_ARG_ENABLE(path_info, AC_MSG_CHECKING(whether to enable environment debugging) AC_ARG_ENABLE(env_debug, -[ --enable-env-debug Whether to enable environment debugging.], +[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) AC_DEFINE(ENV_DEBUG) @@ -1191,7 +1213,7 @@ AC_ARG_ENABLE(env_debug, esac ], AC_MSG_RESULT(no)) -AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support], +AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])], [case $with_selinux in yes) SELINUX_USAGE="[[-r role]] [[-t type]] " AC_DEFINE(HAVE_SELINUX) @@ -1209,8 +1231,9 @@ esac]) dnl dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default dnl -AC_ARG_ENABLE(gss_krb5_ccache_name, [ --enable-gss-krb5-ccache-name - Use GSS-API to set the Kerberos V cred cache name], [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no]) +AC_ARG_ENABLE(gss_krb5_ccache_name, +[AS_HELP_STRING([--enable-gss-krb5-ccache-name], [Use GSS-API to set the Kerberos V cred cache name])], +[check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no]) dnl dnl If we don't have egrep we can't do anything... @@ -1238,6 +1261,7 @@ dnl Libtool magic; enable shared libs and disable static libs dnl AC_CANONICAL_HOST AC_DISABLE_STATIC +AC_LIBTOOL_DLOPEN AC_PROG_LIBTOOL dnl 
@@ -1249,7 +1273,7 @@ else eval _shrext="$shrext_cmds" fi AC_MSG_CHECKING(path to sudo_noexec.so) -AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sudo_noexec.so], +AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])], [case $with_noexec in yes) with_noexec="$libexecdir/sudo_noexec$_shrext" ;; @@ -1359,7 +1383,7 @@ case "$host" in fi # AIX analog of nsswitch.conf, enabled by default - AC_ARG_WITH(netsvc, [ --with-netsvc[[=PATH]] path to netsvc.conf], + AC_ARG_WITH(netsvc, [AS_HELP_STRING([--with-netsvc[[=PATH]]], [path to netsvc.conf])], [case $with_netsvc in no) ;; yes) with_netsvc="/etc/netsvc.conf" @@ -1390,6 +1414,19 @@ case "$host" in if test "x$ac_cv_prog_cc_c89" = "xno"; then with_noexec=no fi + + # Use the +DAportable flag if it is supported + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS +DAportable" + AC_CACHE_CHECK([whether $CC understands +DAportable], + [sudo_cv_var_daportable], + [AC_TRY_LINK([], [], [sudo_cv_var_daportable=yes], + [sudo_cv_var_daportable=no])] + ) + if test X"$sudo_cv_var_daportable" != X"yes"; then + CFLAGS="$_CFLAGS" + fi + case "$host" in *-*-hpux[1-8].*) AC_DEFINE(BROKEN_SYSLOG) @@ -1432,7 +1469,7 @@ case "$host" in : ${CHECKSIA='true'} AC_MSG_CHECKING(whether to disable sia support on Digital UNIX) AC_ARG_ENABLE(sia, - [ --disable-sia Disable SIA on Digital UNIX], + [AS_HELP_STRING([--disable-sia], [Disable SIA on Digital UNIX])], [ case "$enableval" in yes) AC_MSG_RESULT(no) CHECKSIA=true @@ -1725,6 +1762,7 @@ dnl dnl Program checks dnl AC_PROG_YACC +AC_PATH_PROG([FLEX], [flex], [flex]) SUDO_PROG_MV SUDO_PROG_BSHELL if test -z "$with_sendmail"; then 
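Review bot: `AC_TRY_LINK` in the `+DAportable` probe is an obsolete macro; the current form is `AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [sudo_cv_var_daportable=yes], [sudo_cv_var_daportable=no])`, which avoids the deprecation warning under newer autoconf. The probe also leaves `+DAportable` in `CFLAGS` for the rest of configure when it succeeds, which is presumably intended; a one-line `dnl` saying so would make that clear to the next reader.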
@@ -1950,7 +1988,7 @@ if test ${with_pam-"no"} != "no"; then AUTH_EXCL=PAM AC_MSG_CHECKING(whether to use PAM session support) AC_ARG_ENABLE(pam_session, - [ --disable-pam-session Disable PAM session support], + [AS_HELP_STRING([--disable-pam-session], [Disable PAM session support])], [ case "$enableval" in yes) AC_MSG_RESULT(yes) ;; @@ -2440,7 +2478,7 @@ if test ${with_ldap-'no'} != "no"; then AC_MSG_RESULT([yes]) AC_DEFINE(HAVE_LBER_H)]) - AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s), [break]]) + AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break]) AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>]) AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np) @@ -2477,6 +2515,18 @@ if test ${with_ldap-'no'} != "no"; then fi dnl +dnl Add LIBVAS_RPATH to LDFLAGS +dnl GNU ld accepts -R/path/ as an alias for -rpath /path/ +dnl +if test X"$LIBVAS_RPATH" != X""; then + if test -n "$blibpath"; then + blibpath_add="${blibpath_add}:$LIBVAS_RPATH" + else + LDFLAGS="$LDFLAGS -R$LIBVAS_RPATH" + fi +fi + +dnl dnl Add $blibpath to SUDO_LDFLAGS if specified by the user or if we dnl added -L dirpaths to SUDO_LDFLAGS. dnl @@ -2655,6 +2705,7 @@ AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file fo AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.]) AH_TEMPLATE(sig_atomic_t, [Define to `int' if <signal.h> does not define.]) AH_TEMPLATE(__signed, [Define to `signed' or nothing if compiler does not support a signed type qualifier.]) +AH_TEMPLATE(USING_NONUNIX_GROUPS, [Define to 1 if using a non-Unix group lookup implementation.]) dnl dnl Bits to copy verbatim into config.h.in 
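Review bot: The `-R$LIBVAS_RPATH` appended to `LDFLAGS` bakes a run-time library search path into a setuid binary, and the default `/opt/quest/lib` is used without checking that the directory exists; since the dynamic loader generally honours an embedded rpath even for setuid executables, that directory's ownership and mode become part of sudo's trust boundary. Consider warning when `$LIBVAS_RPATH` is not an existing directory and documenting in INSTALL that it must be root-owned and not writable by others. As the `dnl` itself notes, `-R` is only an alias for `-rpath` on GNU ld, so other linkers may silently ignore it.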
diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c
index 16b9e61a075..54b685dfa85 100644
--- a/usr.bin/sudo/env.c
+++ b/usr.bin/sudo/env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2005, 2007-2008
+ * Copyright (c) 2000-2005, 2007-2009
 * Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -49,7 +49,7 @@
 #include "sudo.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: env.c,v 1.101 2009/03/11 23:01:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: env.c,v 1.105 2009/06/15 13:10:01 millert Exp $";
 #endif /* lint */
 
 /*
@@ -249,24 +249,35 @@ setenv(var, val, overwrite)
 const char *val;
 int overwrite;
 {
- char *estring;
+ char *estring, *ep;
+ const char *cp;
 size_t esize;
 
- if (strchr(var, '=') != NULL) {
- errno = EINVAL;
- return(-1);
- }
-
- esize = strlen(var) + 1 + strlen(val) + 1;
- estring = emalloc(esize);
+ if (!var || *var == '\0')
+ return(EINVAL);
 
- /* Build environment string and insert it. */
- if (strlcpy(estring, var, esize) >= esize ||
- strlcat(estring, "=", esize) >= esize ||
- strlcat(estring, val, esize) >= esize) {
+ /*
+ * POSIX says a var name with '=' is an error but BSD
+ * just ignores the '=' and anything after it.
+ */
+ for (cp = var; *cp && *cp != '='; cp++)
+ ;
+ esize = (size_t)(cp - var) + 2;
+ if (val) {
+ esize += strlen(val); /* glibc treats a NULL val as "" */
+ }
 
- errorx(1, "internal error, setenv() overflow");
+ /* Allocate and fill in estring. */
+ estring = ep = emalloc(esize);
+ for (cp = var; *cp && *cp != '='; cp++)
+ *ep++ = *cp;
+ *ep++ = '=';
+ if (val) {
+ for (cp = val; *cp; cp++)
+ *ep++ = *cp;
 }
+ *ep = '\0';
+
 /* Sync env.envp with environ as needed. */
 if (env.envp != environ) {
 char **ep;
diff --git a/usr.bin/sudo/fileops.c b/usr.bin/sudo/fileops.c
index 84b618d0815..40cc86023a4 100644
--- a/usr.bin/sudo/fileops.c
+++ b/usr.bin/sudo/fileops.c
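Review bot: `return(EINVAL)` on the new NULL/empty-name guard hands back a positive errno value instead of setenv()'s contract of `-1` with `errno` set, which is also what glibc does; callers that test `== -1` or read `errno` will not see the failure, whereas the removed code had this right. The guard should read `if (!var || *var == '\0') { errno = EINVAL; return(-1); }`. The function also no longer rejects a name containing `=` and silently truncates it instead; the inline comment gives the BSD precedent, but the behaviour change deserves a sentence in the function's header comment. setenv's body continues past the end of the hunk.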
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005,2007,2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -54,7 +54,7 @@ #endif #ifndef lint -__unused static const char rcsid[] = "$Sudo: fileops.c,v 1.17 2009/03/12 00:03:04 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: fileops.c,v 1.19 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ /* @@ -144,7 +144,7 @@ lock_file(fd, lockit) lock.l_pid = getpid(); lock.l_type = (lockit == SUDO_UNLOCK) ? F_UNLCK : F_WRLCK; lock.l_whence = SEEK_SET; - func = (lockit == SUDO_TLOCK) ? F_SETLK : F_SETLKW; + func = (lockit == SUDO_LOCK) ? F_SETLKW : F_SETLK; return(fcntl(fd, func, &lock) == 0); #else diff --git a/usr.bin/sudo/gram.y b/usr.bin/sudo/gram.y index d39068d47d6..9ab395bfbd4 100644 --- a/usr.bin/sudo/gram.y +++ b/usr.bin/sudo/gram.y @@ -1,6 +1,6 @@ %{ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -54,7 +54,7 @@ #include "parse.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: gram.y,v 1.34 2008/11/09 14:13:12 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: gram.y,v 1.36 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ /* @@ -766,11 +766,14 @@ init_parser(path, quiet) init_aliases(); + init_lexer(); + efree(sudoers); sudoers = path ? estrdup(path) : NULL; parse_error = FALSE; errorlineno = -1; + errorfile = NULL; sudolineno = 1; verbose = !quiet; } diff --git a/usr.bin/sudo/interfaces.c b/usr.bin/sudo/interfaces.c index 27ca4382e61..6272704c94a 100644 --- a/usr.bin/sudo/interfaces.c +++ b/usr.bin/sudo/interfaces.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -85,9 +85,13 @@ struct rtentry; #include "interfaces.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.84 2008/11/09 14:13:12 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.87 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ +/* Minix apparently lacks IFF_LOOPBACK */ +#ifndef IFF_LOOPBACK +# define IFF_LOOPBACK 0 +#endif #ifdef HAVE_GETIFADDRS @@ -139,9 +143,13 @@ load_interfaces() switch(ifa->ifa_addr->sa_family) { case AF_INET: sin = (struct sockaddr_in *)ifa->ifa_addr; + if (sin == NULL) + continue; memcpy(&interfaces[i].addr, &sin->sin_addr, sizeof(struct in_addr)); sin = (struct sockaddr_in *)ifa->ifa_netmask; + if (sin == NULL) + continue; memcpy(&interfaces[i].netmask, &sin->sin_addr, sizeof(struct in_addr)); interfaces[i].family = AF_INET; @@ -150,9 +158,13 @@ load_interfaces() #ifdef HAVE_IN6_ADDR case AF_INET6: sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; + if (sin6 == NULL) + continue; memcpy(&interfaces[i].addr, &sin6->sin6_addr, sizeof(struct in6_addr)); sin6 = (struct sockaddr_in6 *)ifa->ifa_netmask; + if (sin6 == NULL) + continue; memcpy(&interfaces[i].netmask, &sin6->sin6_addr, sizeof(struct in6_addr)); interfaces[i].family = AF_INET6; diff --git a/usr.bin/sudo/lbuf.c b/usr.bin/sudo/lbuf.c index ef898eb7be3..9e6bf0d10b0 100644 --- a/usr.bin/sudo/lbuf.c +++ b/usr.bin/sudo/lbuf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
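Review bot: The new `if (sin == NULL) continue;` after `sin = (struct sockaddr_in *)ifa->ifa_addr;` can never fire, because `switch(ifa->ifa_addr->sa_family)` a few lines earlier has already dereferenced `ifa_addr`; the same applies to the `sin6` copy in the AF_INET6 case. The checks on `ifa_netmask` are the useful ones and should stay. If a NULL `ifa_addr` is meant to be tolerated, the test belongs before the `switch`, presumably next to the loop's existing flag checks, which start outside this hunk. Defining `IFF_LOOPBACK` as 0 also means loopback interfaces are no longer filtered on such platforms; a short comment saying that is accepted would save the next reader a question.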
@@ -41,12 +41,19 @@ # include <unistd.h> #endif /* HAVE_UNISTD_H */ #include <ctype.h> +#ifdef HAVE_TERMIOS_H +# include <termios.h> +#else +# ifdef HAVE_TERMIO_H +# include <termio.h> +# endif +#endif #include "sudo.h" #include "lbuf.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: lbuf.c,v 1.7 2008/12/09 20:55:49 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: lbuf.c,v 1.9 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ #if !defined(TIOCGSIZE) && defined(TIOCGWINSZ) diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c index 62009b57b13..33e65067c16 100644 --- a/usr.bin/sudo/ldap.c +++ b/usr.bin/sudo/ldap.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2003-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * This code is derived from software contributed by Aaron Spangler. * @@ -82,7 +82,7 @@ #include "lbuf.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.106 2009/03/16 16:11:28 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.108 2009/05/29 13:43:12 millert Exp $"; #endif /* lint */ #ifndef LDAP_OPT_SUCCESS 
@@ -386,10 +386,32 @@ sudo_ldap_init(ldp, host, port) ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); + /* + * Mozilla-derived SDKs have a bug starting with version 5.0 + * where the path can no longer be a file name and must be a dir. + */ if (rc != LDAP_SUCCESS) { - warningx("unable to initialize SSL cert and key db: %s", - ldapssl_err2string(rc)); - goto done; + char *cp; + if (ldap_conf.tls_certfile) { + cp = strrchr(ldap_conf.tls_certfile, '/'); + if (cp != NULL && strncmp(cp + 1, "cert", 4) == 0) + *cp = '\0'; + } + if (ldap_conf.tls_keyfile) { + cp = strrchr(ldap_conf.tls_keyfile, '/'); + if (cp != NULL && strncmp(cp + 1, "key", 3) == 0) + *cp = '\0'; + } + DPRINTF(("ldapssl_clientauth_init(%s, %s)", + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", + ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2); + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL, + ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL); + if (rc != LDAP_SUCCESS) { + warningx("unable to initialize SSL cert and key db: %s", + ldapssl_err2string(rc)); + goto done; + } } DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2); diff --git a/usr.bin/sudo/logging.c b/usr.bin/sudo/logging.c index b536305dfd0..53288e502da 100644 --- a/usr.bin/sudo/logging.c +++ b/usr.bin/sudo/logging.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994-1996, 1998-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1994-1996, 1998-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
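Review bot: The retry path matches the last path component with `strncmp(cp + 1, "cert", 4)` / `strncmp(cp + 1, "key", 3)`, so a directory whose name merely starts with those letters (a `certs/` or `keys/` directory, say) also gets stripped and the retry is made against its parent; comparing the whole basename, or first confirming with `stat()` that the configured path is a regular file, would limit the fallback to the SDK bug it targets. The truncation edits `ldap_conf.tls_certfile` and `ldap_conf.tls_keyfile` in place, so later messages report the shortened path, and when the slash is the first character (`cp == ldap_conf.tls_certfile`) the path collapses to the empty string. sudo_ldap_init continues beyond the hunk.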
@@ -58,7 +58,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: logging.c,v 1.203 2008/11/09 14:13:12 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: logging.c,v 1.205 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ static void do_syslog __P((int, char *)); @@ -371,7 +371,7 @@ log_error(flags, fmt, va_alist) #endif /* Become root if we are not already to avoid user interference */ - set_perms(PERM_ROOT); + set_perms(PERM_ROOT|PERM_NOEXIT); /* Expand printf-style format + args. */ evasprintf(&message, fmt, ap); @@ -555,10 +555,10 @@ send_mail(line) * (so user cannot kill it) or as the user (for the paranoid). */ #ifndef NO_ROOT_MAILER - set_perms(PERM_ROOT); + set_perms(PERM_ROOT|PERM_NOEXIT); execve(mpath, argv, root_envp); #else - set_perms(PERM_FULL_USER); + set_perms(PERM_FULL_USER|PERM_NOEXIT); execv(mpath, argv); #endif /* NO_ROOT_MAILER */ mysyslog(LOG_ERR, "cannot execute %s: %m", mpath); diff --git a/usr.bin/sudo/logging.h b/usr.bin/sudo/logging.h index 6aed5d2d876..d65a8abcb61 100644 --- a/usr.bin/sudo/logging.h +++ b/usr.bin/sudo/logging.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2008 + * Copyright (c) 1999-2005, 2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -14,7 +14,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: logging.h,v 1.14 2009/02/21 13:37:47 millert Exp $ + * $Sudo: logging.h,v 1.15 2009/05/25 12:02:41 millert Exp $ */ #ifndef _LOGGING_H diff --git a/usr.bin/sudo/match.c b/usr.bin/sudo/match.c index c457d1c496a..fd60fdbd28e 100644 --- a/usr.bin/sudo/match.c +++ b/usr.bin/sudo/match.c 
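Review bot: The result of `set_perms(PERM_ROOT|PERM_NOEXIT)` and `set_perms(PERM_FULL_USER|PERM_NOEXIT)` is discarded at all three call sites, so with the new non-exiting flag a failed credential change is followed by the log write or by the `execve`/`execv` of the mailer regardless. The `NO_ROOT_MAILER` branch is the worst case: if dropping to the user fails, the mailer is exec'd with whatever credentials the child still holds, the opposite of what that option promises. The child should test set_perms's result and `_exit()` (after a `mysyslog`) instead of exec'ing, and `log_error` should at least record the failure; the exact test depends on what PERM_NOEXIT makes set_perms return, which is not visible here.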
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -89,9 +89,12 @@ #ifndef HAVE_EXTENDED_GLOB # include "emul/glob.h" #endif /* HAVE_EXTENDED_GLOB */ +#ifdef USING_NONUNIX_GROUPS +# include "nonunix.h" +#endif /* USING_NONUNIX_GROUPS */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: match.c,v 1.42 2009/03/28 13:07:16 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: match.c,v 1.46 2009/05/27 00:49:07 millert Exp $"; #endif /* lint */ static struct member_list empty; @@ -174,9 +177,13 @@ _runaslist_matches(user_list, group_list) struct alias *a; int rval, matched = UNSPEC; - /* Deny if user specified a group but there is no group in sudoers */ - if (runas_gr != NULL && tq_empty(group_list)) - return(DENY); + if (runas_gr != NULL) { + if (tq_empty(group_list)) + return(DENY); /* group was specified but none in sudoers */ + if (runas_pw != NULL && strcmp(runas_pw->pw_name, user_name) && + tq_empty(user_list)) + return(DENY); /* user was specified but none in sudoers */ + } if (tq_empty(user_list) && tq_empty(group_list)) return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); @@ -805,7 +812,6 @@ group_matches(sudoers_group, gr) /* * Returns TRUE if the given user belongs to the named group, * else returns FALSE. - * XXX - reduce the number of group lookups */ int usergr_matches(group, user, pw) @@ -813,7 +819,7 @@ usergr_matches(group, user, pw) char *user; struct passwd *pw; { - struct group *grp; + struct group *grp = NULL; char **cur; int i; 
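Review bot: In `_runaslist_matches` the new DENY uses the bare result of `strcmp(runas_pw->pw_name, user_name)` as a boolean; `strcmp(runas_pw->pw_name, user_name) != 0` would make the "runas user differs from the invoking user" intent explicit and match the `== 0` form used in usergr_matches in this same file. A comment above the block stating the rule — a group-only entry lets the invoker run as themself with that group, but not as any other user — would help, since the two trailing comments only describe each test in isolation. `_runaslist_matches` continues past the hunk.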
@@ -821,14 +827,18 @@ usergr_matches(group, user, pw) if (*group++ != '%') return(FALSE); +#ifdef USING_NONUNIX_GROUPS + if (*group == ':') + return(sudo_nonunix_groupcheck(++group, user, pw)); +#endif /* USING_NONUNIX_GROUPS */ + /* look up user's primary gid in the passwd file */ if (pw == NULL && (pw = sudo_getpwnam(user)) == NULL) - return(FALSE); - - if ((grp = sudo_getgrnam(group)) == NULL) - return(FALSE); + goto try_supplementary; /* check against user's primary (passwd file) gid */ + if ((grp = sudo_getgrnam(group)) == NULL) + goto try_supplementary; if (grp->gr_gid == pw->pw_gid) return(TRUE); @@ -841,12 +851,21 @@ usergr_matches(group, user, pw) if (grp->gr_gid == user_groups[i]) return(TRUE); } - if (grp->gr_mem != NULL) { + +try_supplementary: + if (grp != NULL && grp->gr_mem != NULL) { for (cur = grp->gr_mem; *cur; cur++) if (strcmp(*cur, user) == 0) return(TRUE); } +#ifdef USING_NONUNIX_GROUPS + /* not a Unix group, could be an AD group */ + if (sudo_nonunix_groupcheck_available() && + sudo_nonunix_groupcheck(group, user, pw)) + return(TRUE); +#endif /* USING_NONUNIX_GROUPS */ + return(FALSE); } diff --git a/usr.bin/sudo/nonunix.h b/usr.bin/sudo/nonunix.h new file mode 100644 index 00000000000..09de9d2f6e0 --- /dev/null +++ b/usr.bin/sudo/nonunix.h 
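Review bot: The non-Unix fallback after `try_supplementary` runs not only when `%group` has no local counterpart but also when the local group exists and the user is simply not a member (`grp != NULL` and the membership loop falls through), so if the backend matches by name a sudoers `%wheel` can presumably be satisfied by a non-Unix group that happens to be called `wheel`; if that widening is intended it needs to be spelled out in sudoers(5), otherwise guard the fallback with `grp == NULL`. The early `%:` path calls `sudo_nonunix_groupcheck` without the `sudo_nonunix_groupcheck_available()` test that the fallback uses, and both paths may hand it a NULL `pw` (the `%:` case before the passwd lookup, the fallback after `sudo_getpwnam` fails); whether the backend tolerates that cannot be seen from here. The function head of usergr_matches lies outside the hunk.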
@@ -0,0 +1,46 @@
+/*
+ * (c) 2006 Quest Software, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of Quest Software, Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NONUNIX_H
+#define _NONUNIX_H
+
+void
+sudo_nonunix_groupcheck_init(void);
+
+void
+sudo_nonunix_groupcheck_cleanup(void);
+
+int
+sudo_nonunix_groupcheck( const char* group, const char* user, const struct passwd* pwd );
+
+int
+sudo_nonunix_groupcheck_available(void);
+
+#endif /* _NONUNIX_H */
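Review bot: nonunix.h is not self-contained: the prototype of sudo_nonunix_groupcheck() takes a `const struct passwd*` but the header neither includes <pwd.h> nor forward-declares the type, so it only compiles when the includer has already pulled in <pwd.h>. Add `struct passwd;` right after the include guard so the header can be included first. The guard name `_NONUNIX_H` (leading underscore plus capital) sits in the identifier space reserved for the implementation; `SUDO_NONUNIX_H` would avoid that, although the other sudo headers in this diff follow the same convention. The prototypes would also benefit from one-line comments stating the return convention of sudo_nonunix_groupcheck() (non-zero on membership) and whether `pwd` may be NULL, since match.c can pass NULL.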
diff --git a/usr.bin/sudo/parse.c b/usr.bin/sudo/parse.c index b656bf2da5d..eeb0511b9fc 100644 --- a/usr.bin/sudo/parse.c +++ b/usr.bin/sudo/parse.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2004-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -49,7 +49,7 @@ #include <gram.h> #ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.c,v 1.239 2009/03/28 13:07:16 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: parse.c,v 1.242 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ /* Characters that must be quoted in sudoers */ @@ -89,7 +89,7 @@ sudo_file_open(nss) { if (def_ignore_local_sudoers) return(-1); - nss->handle = open_sudoers(_PATH_SUDOERS, NULL); + nss->handle = open_sudoers(_PATH_SUDOERS, FALSE, NULL); return(nss->handle ? 0 : -1); } @@ -328,8 +328,10 @@ sudo_file_display_priv_short(pw, us, lbuf) print_member(lbuf, m->name, m->type, m->negated, RUNASALIAS); } - } else { + } else if (tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, def_runas_default, NULL); + } else { + lbuf_append(lbuf, pw->pw_name, NULL); } if (!tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, " : ", NULL); @@ -377,8 +379,10 @@ sudo_file_display_priv_long(pw, us, lbuf) print_member(lbuf, m->name, m->type, m->negated, RUNASALIAS); } - } else { + } else if (tq_empty(&cs->runasgrouplist)) { lbuf_append(lbuf, def_runas_default, NULL); + } else { + lbuf_append(lbuf, pw->pw_name, NULL); } lbuf_print(lbuf); if (!tq_empty(&cs->runasgrouplist)) { diff --git a/usr.bin/sudo/parse.h b/usr.bin/sudo/parse.h index ba70d6c4c64..991856fd581 100644 --- a/usr.bin/sudo/parse.h +++ b/usr.bin/sudo/parse.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2000, 2004, 2007-2008 + * Copyright (c) 1996, 1998-2000, 2004, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -14,7 +14,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: parse.h,v 1.47 2009/04/05 16:25:04 millert Exp $ + * $Sudo: parse.h,v 1.49 2009/05/25 12:02:41 millert Exp $ */ #ifndef _SUDO_PARSE_H @@ -185,6 +185,7 @@ struct alias *alias_remove __P((char *, int)); void alias_free __P((void *)); void alias_apply __P((int (*)(void *, void *), void *)); void init_aliases __P((void)); +void init_lexer __P((void)); void init_parser __P((char *, int)); int alias_compare __P((const void *, const void *)); diff --git a/usr.bin/sudo/pathnames.h.in b/usr.bin/sudo/pathnames.h.in index 13ce9e9f02e..be46f904b17 100644 --- a/usr.bin/sudo/pathnames.h.in +++ b/usr.bin/sudo/pathnames.h.in @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998, 1999, 2001, 2004 + * Copyright (c) 1996, 1998, 1999, 2001, 2004, 2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com>. * * Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: pathnames.h.in,v 1.64 2009/03/10 20:44:05 millert Exp $ + * $Sudo: pathnames.h.in,v 1.65 2009/05/25 12:02:41 millert Exp $ */ /* diff --git a/usr.bin/sudo/pwutil.c b/usr.bin/sudo/pwutil.c index 2fd0988008a..bbc3174dddb 100644 --- a/usr.bin/sudo/pwutil.c +++ b/usr.bin/sudo/pwutil.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any 
@@ -53,7 +53,7 @@ #include "redblack.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: pwutil.c,v 1.21 2008/11/09 14:13:12 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: pwutil.c,v 1.23 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ #ifdef MYPW @@ -207,18 +207,16 @@ sudo_getpwuid(uid) if (pw->pw_passwd != NULL) zero_bytes(pw->pw_passwd, strlen(pw->pw_passwd)); pw->pw_passwd = cp; - - if (rbinsert(pwcache_byname, (void *) pw) != NULL) - errorx(1, "unable to cache user name, already exists"); if (rbinsert(pwcache_byuid, (void *) pw) != NULL) - errorx(1, "unable to cache uid, already exists"); + errorx(1, "unable to cache uid %lu (%s), already exists", + uid, pw->pw_name); return(pw); } else { pw = emalloc(sizeof(*pw)); zero_bytes(pw, sizeof(*pw)); pw->pw_uid = uid; if (rbinsert(pwcache_byuid, (void *) pw) != NULL) - errorx(1, "unable to cache uid, already exists"); + errorx(1, "unable to cache uid %lu, already exists", uid); return(NULL); } } @@ -250,11 +248,8 @@ sudo_getpwnam(name) if (pw->pw_passwd != NULL) zero_bytes(pw->pw_passwd, strlen(pw->pw_passwd)); pw->pw_passwd = cp; - if (rbinsert(pwcache_byname, (void *) pw) != NULL) - errorx(1, "unable to cache user name, already exists"); - if (rbinsert(pwcache_byuid, (void *) pw) != NULL) - errorx(1, "unable to cache uid, already exists"); + errorx(1, "unable to cache user %s, already exists", name); return(pw); } else { len = strlen(name) + 1; @@ -266,7 +261,7 @@ sudo_getpwnam(name) pw->pw_name = cp; pw->pw_uid = (uid_t) -1; if (rbinsert(pwcache_byname, (void *) pw) != NULL) - errorx(1, "unable to cache user name, already exists"); + errorx(1, "unable to cache user %s, already exists", name); return(NULL); } } 
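Review bot: The new diagnostics in sudo_getpwuid() pass `uid` (a uid_t) straight to a `%lu` conversion, `errorx(1, "unable to cache uid %lu (%s), already exists", uid, pw->pw_name);` and its not-found sibling; uid_t is not guaranteed to be unsigned long, so on an LP64 platform with a 32-bit uid_t the format/argument mismatch is undefined behaviour in an error path. Cast explicitly, `(unsigned long)uid`, in both calls. Separately, dropping the cross-insertion into pwcache_byname/pwcache_byuid changes the cache semantics (a lookup by uid no longer seeds the by-name cache and vice versa); a short comment on why that is now the intended behaviour would help the next reader, who will otherwise see it as an omission.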
@@ -487,17 +482,16 @@ sudo_getgrgid(gid) */ if ((gr = getgrgid(gid)) != NULL) { gr = sudo_grdup(gr); - if (rbinsert(grcache_byname, (void *) gr) != NULL) - errorx(1, "unable to cache group name, already exists"); if (rbinsert(grcache_bygid, (void *) gr) != NULL) - errorx(1, "unable to cache gid, already exists"); + errorx(1, "unable to cache gid %lu (%s), already exists", + gid, gr->gr_name); return(gr); } else { gr = emalloc(sizeof(*gr)); zero_bytes(gr, sizeof(*gr)); gr->gr_gid = gid; if (rbinsert(grcache_bygid, (void *) gr) != NULL) - errorx(1, "unable to cache gid, already exists"); + errorx(1, "unable to cache gid %lu, already exists, gid"); return(NULL); } } @@ -525,9 +519,7 @@ sudo_getgrnam(name) if ((gr = getgrnam(name)) != NULL) { gr = sudo_grdup(gr); if (rbinsert(grcache_byname, (void *) gr) != NULL) - errorx(1, "unable to cache group name, already exists"); - if (rbinsert(grcache_bygid, (void *) gr) != NULL) - errorx(1, "unable to cache gid, already exists"); + errorx(1, "unable to cache group %s, already exists", name); return(gr); } else { len = strlen(name) + 1; @@ -539,7 +531,7 @@ sudo_getgrnam(name) gr->gr_name = cp; gr->gr_gid = (gid_t) -1; if (rbinsert(grcache_byname, (void *) gr) != NULL) - errorx(1, "unable to cache group name, already exists"); + errorx(1, "unable to cache group %s, already exists", name); return(NULL); } } diff --git a/usr.bin/sudo/set_perms.c b/usr.bin/sudo/set_perms.c index bc88a844de3..887e8b74574 100644 --- a/usr.bin/sudo/set_perms.c +++ b/usr.bin/sudo/set_perms.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994-1996,1998-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1994-1996,1998-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
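Review bot: The not-found branch of sudo_getgrgid() has a misplaced closing quote: `errorx(1, "unable to cache gid %lu, already exists, gid");` puts the argument name inside the string, so `%lu` has no corresponding argument and the call reads an unsupplied vararg (undefined behaviour; garbage or a crash in an error path). It should read `errorx(1, "unable to cache gid %lu, already exists", (unsigned long)gid);`, and the found-branch message a few lines above should cast `gid` the same way since gid_t is not necessarily unsigned long. If errorx() does not already carry a printf-style format attribute, adding one would make -Wformat catch this class of mistake.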
@@ -52,7 +52,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: set_perms.c,v 1.44 2008/03/06 17:19:56 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: set_perms.c,v 1.48 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ #ifdef __TANDEM @@ -77,14 +77,18 @@ static int current_perm = -1; * We only flip the effective gid since it only changes for PERM_SUDOERS. * This version of set_perms() works fine with the "stay_setuid" option. */ -void +int set_perms(perm) int perm; { const char *errstr; + int noexit; + + noexit = ISSET(perm, PERM_NOEXIT); + CLR(perm, PERM_MASK); if (perm == current_perm) - return; + return(1); switch (perm) { case PERM_ROOT: @@ -169,10 +173,13 @@ set_perms(perm) } current_perm = perm; - return; + return(1); bad: - errorx(1, "%s: %s", errstr, + warningx("%s: %s", errstr, errno == EAGAIN ? "too many processes" : strerror(errno)); + if (noexit) + return(0); + exit(1); } #else @@ -184,14 +191,18 @@ bad: * we are headed for an exec(). * This version of set_perms() works fine with the "stay_setuid" option. */ -void +int set_perms(perm) int perm; { const char *errstr; + int noexit; + + noexit = ISSET(perm, PERM_NOEXIT); + CLR(perm, PERM_MASK); if (perm == current_perm) - return; + return(1); switch (perm) { case PERM_ROOT: @@ -279,10 +290,13 @@ set_perms(perm) } current_perm = perm; - return; + return(1); bad: - errorx(1, "%s: %s", errstr, + warningx("%s: %s", errstr, errno == EAGAIN ? "too many processes" : strerror(errno)); + if (noexit) + return(0); + exit(1); } # else /* !HAVE_SETRESUID && !HAVE_SETREUID */ @@ -292,14 +306,18 @@ bad: * Set real and effective uids and gids based on perm. * NOTE: does not support the "stay_setuid" option. */ -void +int set_perms(perm) int perm; { const char *errstr; + int noexit; + + noexit = ISSET(perm, PERM_NOEXIT); + CLR(perm, PERM_MASK); if (perm == current_perm) - return; + return(1); /* * Since we only have setuid() and seteuid() and semantics 
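Review bot: With PERM_NOEXIT set, the `bad:` epilogue returns 0 but leaves `current_perm` untouched; if the failed switch was partially applied (each variant's body is outside the hunk, so I cannot tell how many separate calls it makes), a later `set_perms()` asking for the old value is short-circuited by `if (perm == current_perm) return(1);` and never re-establishes the expected credentials. Invalidate the cache before returning so the next call re-applies unconditionally: `if (noexit) { current_perm = -1; return(0); }`. The prologue `noexit = ISSET(perm, PERM_NOEXIT); CLR(perm, PERM_MASK);` and this epilogue are now duplicated verbatim across all four set_perms() variants; a small macro or static helper would keep them from drifting apart.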
@@ -391,10 +409,13 @@ set_perms(perm) } current_perm = perm; - return; + return(1); bad: - errorx(1, "%s: %s", errstr, + warningx("%s: %s", errstr, errno == EAGAIN ? "too many processes" : strerror(errno)); + if (noexit) + return(0); + exit(1); } # else /* !HAVE_SETRESUID && !HAVE_SETREUID && !HAVE_SETEUID */ @@ -404,14 +425,18 @@ bad: * NOTE: does not support the "stay_setuid" or timestampowner options. * Also, SUDOERS_UID and SUDOERS_GID are not used. */ -void +int set_perms(perm) int perm; { const char *errstr; + int noexit; + + noexit = ISSET(perm, PERM_NOEXIT); + CLR(perm, PERM_MASK); if (perm == current_perm) - return; + return(1); switch (perm) { case PERM_ROOT: @@ -448,10 +473,13 @@ set_perms(perm) } current_perm = perm; - return; + return(1); bad: - errorx(1, "%s: %s", errstr, + warningx("%s: %s", errstr, errno == EAGAIN ? "too many processes" : strerror(errno)); + if (noexit) + return(0); + exit(1); } # endif /* HAVE_SETEUID */ # endif /* HAVE_SETREUID */ @@ -462,7 +490,9 @@ static void runas_setgroups() { static int ngroups = -1; +#ifdef HAVE_GETGROUPS static GETGROUPS_T *groups; +#endif struct passwd *pw; if (def_preserve_groups) @@ -475,14 +505,16 @@ runas_setgroups() pw = runas_pw ? runas_pw : sudo_user.pw; if (initgroups(pw->pw_name, pw->pw_gid) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); - if ((ngroups = getgroups(0, NULL)) < 0) - log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups"); - groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); - if (getgroups(ngroups, groups) < 0) - log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); +#ifdef HAVE_GETGROUPS + if ((ngroups = getgroups(0, NULL)) > 0) { + groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); + if (getgroups(ngroups, groups) < 0) + log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); + } } else { if (setgroups(ngroups, groups) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); +#endif /* HAVE_GETGROUPS */ } } 
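Review bot: In runas_setgroups() the rewritten save step `if ((ngroups = getgroups(0, NULL)) > 0)` folds a getgroups() failure (-1) into the "nothing to save" case silently: the previous `log_error` for that failure is removed, and since ngroups then stays -1 the next call re-runs initgroups() instead of restoring a saved vector. That may be an acceptable fallback, but it is undocumented; either keep an explicit error branch, `else if (ngroups < 0) log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");`, or comment that -1 intentionally means "repeat initgroups next time". The `#ifdef HAVE_GETGROUPS` region also deliberately swallows the `} else {` so the function remains well-formed without getgroups(); a comment at the `#endif` noting that would spare the next reader the brace count.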
@@ -530,13 +562,9 @@ runas_setup() #ifdef HAVE_LOGIN_CAP_H if (def_use_loginclass) { /* - * We only use setusercontext() set the nice value and rlimits. + * We only use setusercontext() to set the nice value and rlimits. */ flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; - if (!def_preserve_groups) - SET(flags, LOGIN_SETGROUP); - else if (setgid(gid)) - warning("cannot set gid to runas gid"); if (setusercontext(lc, runas_pw, runas_pw->pw_uid, flags)) { if (runas_pw->pw_uid != ROOT_UID) error(1, "unable to set user context"); @@ -545,11 +573,11 @@ runas_setup() } } #endif /* HAVE_LOGIN_CAP_H */ - if (setgid(gid)) - warning("cannot set gid to runas gid"); /* * Initialize group vector */ runas_setgroups(); + if (setegid(gid) || setgid(gid)) + warning("cannot set gid to runas gid"); } } diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c index 9916fb311f2..66a1121dcf1 100644 --- a/usr.bin/sudo/sudo.c +++ b/usr.bin/sudo/sudo.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1993-1996, 1998-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1993-1996, 1998-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -99,10 +99,13 @@ #include "sudo.h" #include "lbuf.h" #include "interfaces.h" -#include "version.h" + +#ifdef USING_NONUNIX_GROUPS +# include "nonunix.h" +#endif #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo.c,v 1.510 2009/03/10 20:44:05 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo.c,v 1.517 2009/05/27 00:49:07 millert Exp $"; #endif /* lint */ /* @@ -271,6 +274,10 @@ main(argc, argv, envp) init_vars(sudo_mode, envp); /* XXX - move this later? */ +#ifdef USING_NONUNIX_GROUPS + sudo_nonunix_groupcheck_init(); /* initialise nonunix groups impl */ +#endif /* USING_NONUNIX_GROUPS */ + /* Parse nsswitch.conf for sudoers order. */ snl = sudo_read_nss(); 
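Review bot: In runas_setup() the group-id change `if (setegid(gid) || setgid(gid)) warning("cannot set gid to runas gid");` is only a warning, so on failure sudo still goes on to exec the command with whatever gid the process had, whereas the group-vector failures in runas_setgroups() just above are fatal via `log_error(USE_ERRNO|MSG_ONLY, ...)`. For a setuid program about to exec as another identity the gid failure deserves the same treatment: `log_error(USE_ERRNO|MSG_ONLY, "cannot set gid to runas gid");`. The new ordering, group vector first and gid afterwards, is also unexplained in the code; presumably initgroups()/setgroups() can alter the effective gid on some platforms, and a one-line why-comment above the call would prevent someone from "tidying" the order back. runas_setup() begins outside the hunk.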
@@ -355,6 +362,12 @@ main(argc, argv, envp) break; } } + +#ifdef USING_NONUNIX_GROUPS + /* Finished with the groupcheck code */ + sudo_nonunix_groupcheck_cleanup(); +#endif + if (safe_cmnd == NULL) safe_cmnd = estrdup(user_cmnd); @@ -482,6 +495,9 @@ main(argc, argv, envp) (void) setrlimit(RLIMIT_CORE, &corelimit); #endif /* RLIMIT_CORE && !SUDO_DEVEL */ + /* Must audit before uid change. */ + audit_success(NewArgv); + /* Become specified user or root if executing a command. */ if (ISSET(sudo_mode, MODE_RUN)) set_perms(PERM_FULL_RUNAS); @@ -529,7 +545,6 @@ main(argc, argv, envp) #ifndef PROFILING if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { syslog(LOG_AUTH|LOG_ERR, "fork"); - audit_success(NewArgv); exit(0); } else { #ifdef HAVE_SELINUX @@ -537,7 +552,6 @@ main(argc, argv, envp) selinux_exec(user_role, user_type, NewArgv, ISSET(sudo_mode, MODE_LOGIN_SHELL)); #endif - audit_success(NewArgv); execv(safe_cmnd, NewArgv); } #else @@ -826,7 +840,7 @@ set_cmnd(sudo_mode) if (!update_defaults(SETDEF_CMND)) log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); - if (!runas_user) + if (!runas_user && !runas_group) set_runaspw(def_runas_default); /* may have been updated above */ return(rval); @@ -1072,8 +1086,9 @@ parse_args(argc, argv) * Returns a handle to the sudoers file or NULL on error. */ FILE * -open_sudoers(sudoers, keepopen) +open_sudoers(sudoers, doedit, keepopen) const char *sudoers; + int doedit; int *keepopen; { struct stat statbuf; @@ -1436,7 +1451,7 @@ cleanup(gotsignal) static void show_version() { - (void) printf("Sudo version %s\n", version); + (void) printf("Sudo version %s\n", PACKAGE_VERSION); if (getuid() == 0) { putchar('\n'); (void) printf("Sudoers path: %s\n", _PATH_SUDOERS); diff --git a/usr.bin/sudo/sudo.h b/usr.bin/sudo/sudo.h index e00e6bdd0b3..afb4e4e0bda 100644 --- a/usr.bin/sudo/sudo.h +++ b/usr.bin/sudo/sudo.h 
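Review bot: `audit_success(NewArgv)` is now emitted before `set_perms(PERM_FULL_RUNAS)` and the later execv(), so a failure in either leaves a success record in the audit trail for a command that never ran (set_perms.c in this diff exits with only a warning on failure). If the audit API needs the original uid, which is presumably why the call moved, the failure paths should emit a corresponding failure record, or at minimum the comment should state the caveat: `/* Must audit before uid change; a later set_perms()/execv() failure will not retract this record. */`. The call is also now unconditional rather than tied to the MODE_RUN branches where it previously lived, so if any non-exec mode reaches this point it is audited as a successfully run command; guarding with `if (ISSET(sudo_mode, MODE_RUN))` would preserve the old scope.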
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1993-1996, 1998-2005, 2007-2008 + * Copyright (c) 1993-1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: sudo.h,v 1.270 2009/03/01 00:58:40 millert Exp $ + * $Sudo: sudo.h,v 1.273 2009/05/25 12:02:41 millert Exp $ */ #ifndef _SUDO_SUDO_H @@ -129,6 +129,8 @@ struct sudo_user { #define PERM_RUNAS 0x04 #define PERM_FULL_RUNAS 0x05 #define PERM_TIMESTAMP 0x06 +#define PERM_NOEXIT 0x10 /* flag */ +#define PERM_MASK 0xf0 /* * Shortcuts for sudo_user contents. @@ -269,7 +271,7 @@ int sudo_file_display_cmnd __P((struct sudo_nss *, struct passwd *)); int sudo_file_display_defaults __P((struct sudo_nss *, struct passwd *, struct lbuf *)); int sudo_file_display_bound_defaults __P((struct sudo_nss *, struct passwd *, struct lbuf *)); int sudo_file_display_privs __P((struct sudo_nss *, struct passwd *, struct lbuf *)); -void set_perms __P((int)); +int set_perms __P((int)); void remove_timestamp __P((int)); int check_secureware __P((char *)); void sia_attempt_auth __P((void)); @@ -298,7 +300,7 @@ char *sudo_getepw __P((const struct passwd *)); int pam_prep_user __P((struct passwd *)); void zero_bytes __P((volatile void *, size_t)); int gettime __P((struct timespec *)); -FILE *open_sudoers __P((const char *, int *)); +FILE *open_sudoers __P((const char *, int, int *)); void display_privs __P((struct sudo_nss_list *, struct passwd *)); int display_cmnd __P((struct sudo_nss_list *, struct passwd *)); int get_ttycols __P((void)); diff --git a/usr.bin/sudo/sudo.pod b/usr.bin/sudo/sudo.pod index 40243f8118d..a4354bfffc1 100644 --- a/usr.bin/sudo/sudo.pod +++ b/usr.bin/sudo/sudo.pod 
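Review bot: `PERM_MASK 0xf0` is the mask of the flag bits, not of the permission value, which reads backwards at its only visible use, `CLR(perm, PERM_MASK)` in set_perms.c; naming it `PERM_FLAGS` (and, if wanted, a separate `PERM_VALMASK 0x0f`) would say what is being stripped. The contract of the flag is also not stated where it is defined; `#define PERM_NOEXIT 0x10 /* OR into perm: warn and return 0 instead of exiting on failure */` would save the reader a trip to set_perms.c. The changed `set_perms` prototype now returns int, but nothing here says what the value means; `/* returns 1 on success, 0 on failure (only with PERM_NOEXIT) */` next to it would close that gap.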
@@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2008 +Copyright (c) 1994-1996, 1998-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.122 2009/02/25 11:17:26 millert Exp $ +$Sudo: sudo.pod,v 1.124 2009/06/15 21:19:47 millert Exp $ =pod =head1 NAME @@ -571,15 +571,23 @@ To get a file listing of an unreadable directory: $ sudo ls /usr/local/protected -To list the home directory of user yazza on a machine where the -file system holding ~yazza is not exported as root: +To list the home directory of user yaz on a machine where the +file system holding ~yaz is not exported as root: - $ sudo -u yazza ls ~yazza + $ sudo -u yaz ls ~yaz To edit the F<index.html> file as user www: $ sudo -u www vi ~www/htdocs/index.html +To view system logs only accessible to root and users in the adm group: + + $ sudo -g adm view /var/log/syslog + +To run an editor as jim with a different primary group: + + $ sudo -u jim -g audio vi ~jim/sound.txt + To shutdown a machine: $ sudo shutdown -r +15 "quick reboot" diff --git a/usr.bin/sudo/sudo_nss.c b/usr.bin/sudo/sudo_nss.c index f096172b4d0..138c0e2ad60 100644 --- a/usr.bin/sudo/sudo_nss.c +++ b/usr.bin/sudo/sudo_nss.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -45,7 +45,7 @@ #include "lbuf.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_nss.c,v 1.7 2009/03/10 20:44:05 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo_nss.c,v 1.8 2009/05/25 12:02:41 millert Exp $"; #endif /* lint */ extern struct sudo_nss sudo_nss_file; diff --git a/usr.bin/sudo/sudo_nss.h b/usr.bin/sudo/sudo_nss.h index 996fc745594..1822465a373 100644 --- a/usr.bin/sudo/sudo_nss.h +++ b/usr.bin/sudo/sudo_nss.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -13,7 +13,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: sudo_nss.h,v 1.6 2009/03/10 20:44:05 millert Exp $ + * $Sudo: sudo_nss.h,v 1.7 2009/05/25 12:02:42 millert Exp $ */ struct lbuf; diff --git a/usr.bin/sudo/sudo_usage.h.in b/usr.bin/sudo/sudo_usage.h.in index e6db4ee3fb8..e310b0c8b31 100644 --- a/usr.bin/sudo/sudo_usage.h.in +++ b/usr.bin/sudo/sudo_usage.h.in 
@@ -1,3 +1,23 @@ +/* + * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $Sudo: sudo_usage.h.in,v 1.10 2009/05/25 12:02:42 millert Exp $ + */ + #ifndef _SUDO_USAGE_H #define _SUDO_USAGE_H diff --git a/usr.bin/sudo/sudoers.ldap.pod b/usr.bin/sudo/sudoers.ldap.pod index 37528fd90ab..7d59cb2fe41 100644 --- a/usr.bin/sudo/sudoers.ldap.pod +++ b/usr.bin/sudo/sudoers.ldap.pod @@ -1,4 +1,4 @@ -Copyright (c) 2003-2008 +Copyright (c) 2003-2009 Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any @@ -14,7 +14,7 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -$Sudo: sudoers.ldap.pod,v 1.12 2009/03/10 21:08:18 millert Exp $ +$Sudo: sudoers.ldap.pod,v 1.14 2009/05/29 13:43:12 millert Exp $ =pod =head1 NAME 
@@ -620,12 +620,20 @@ determines sudoers source order on AIX #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem # - # For SunONE or iPlanet LDAP, the file specified by tls_cert may - # contain CA certs and/or the client's cert. If the client's - # cert is included, tls_key should be specified as well. - # For backward compatibility, sslpath may be used in place of tls_cert. - #tls_cert /var/ldap/cert7.db - #tls_key /var/ldap/key3.db + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either + # a directory, in which case the files in the directory must have the + # default names (e.g. cert8.db and key4.db), or the path to the cert + # and key files themselves. However, a bug in version 5.0 of the LDAP + # SDK will prevent specific file names from working. For this reason + # it is suggested that tls_cert and tls_key be set to a directory, + # not a file name. + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key + # should be specified as well. + # For backward compatibility, "sslpath" may be used in place of tls_cert. + #tls_cert /var/ldap + #tls_key /var/ldap # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod index f62379493da..70febd580f9 100644 --- a/usr.bin/sudo/sudoers.pod +++ b/usr.bin/sudo/sudoers.pod @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2008 +Copyright (c) 1994-1996, 1998-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com> Permission to use, copy, modify, and distribute this software for any 
@@ -18,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.163 2009/03/08 15:51:01 millert Exp $ +$Sudo: sudoers.pod,v 1.170 2009/06/15 21:19:47 millert Exp $ =pod =head1 NAME @@ -116,6 +116,7 @@ The definitions of what constitutes a valid I<alias> member follow. '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | + '!'* '%:'nonunix_group | '!'* User_Alias A C<User_List> is made up of one or more usernames, uids (prefixed @@ -124,6 +125,33 @@ with '+') and C<User_Alias>es. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. +A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may +be enclosed in double quotes to avoid the need for escaping special +characters. Alternately, special characters may be specified in +escaped hex mode, e.g. \x20 for space. + +The C<nonunix_group> syntax depends on the underlying implementation. +For instance, the QAS AD backend supports the following formats: + +=over 4 + +=item * + +Group in the same domain: "Group Name" + +=item * + +Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + +=item * + +Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + +=back + +Note that quotes around group names are optional. Unquoted strings must +use a backslash (\) to escape spaces and the '@' symbol. + Runas_List ::= Runas_Member | Runas_Member ',' Runas_List 
@@ -259,7 +287,8 @@ A B<user specification> determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as B<root>, but this can be changed on a per-command basis. -Let's break that down into its constituent parts: +The basic structure of a user specification is `who = where (as_whom) +what'. Let's break that down into its constituent parts: =head2 Runas_Spec @@ -441,13 +470,15 @@ with B<any> arguments. =head2 Including other files from within sudoers It is possible to include other I<sudoers> files from within the -I<sudoers> file currently being parsed using the C<#include> -directive, similar to the one used by the C preprocessor. This is -useful, for example, for keeping a site-wide I<sudoers> file in -addition to a per-machine local one. For the sake of this example -the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine -one will be F</etc/sudoers.local>. To include F</etc/sudoers.local> -from within F</etc/sudoers> we would use the following line in F</etc/sudoers>: +I<sudoers> file currently being parsed using the C<#include> and +C<#includedir> directives. + +This can be used, for example, to keep a site-wide I<sudoers> file +in addition to a local, per-machine file. For the sake of this +example the site-wide I<sudoers> will be F</etc/sudoers> and the +per-machine one will be F</etc/sudoers.local>. To include +F</etc/sudoers.local> from within F</etc/sudoers> we would use the +following line in F</etc/sudoers>: =over 4 
@@ -465,10 +496,32 @@ files is enforced to prevent include file loops. The filename may include the C<%h> escape, signifying the short form of the hostname. I.e., if the machine's hostname is "xerxes", then - #include /etc/sudoers.%h +C<#include /etc/sudoers.%h> will cause B<sudo> to include the file F</etc/sudoers.xerxes>. +The C<#includedir> directive can be used to create a F<sudo.d> +directory that the system package manager can drop I<sudoers> rules +into as part of package installation. For example, given: + +C<#includedir /etc/sudoers.d> + +B<sudo> will read each file in F</etc/sudoers.d>, skipping file +names that end in C<~> or contain a C<.> character to avoid causing +problems with package manager or editor temporary/backup files. +Files are parsed in sorted lexical order. That is, +F</etc/sudoers.d/01_first> will be parsed before +F</etc/sudoers.d/10_second>. Be aware that because the sorting is +lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded +B<after> F</etc/sudoers.d/10_second>. Using a consistent number +of leading zeroes in the file names can be used to avoid such +problems. + +Note that unlike files included via C<#include>, B<visudo> will not +edit the files in a C<#includedir> directory unless one of them +contains a syntax error. It is still possible to run B<visudo> +with the C<-f> flag to edit the files directly. + =head2 Other special characters and reserved words The pound sign ('#') is used to indicate a comment (unless it is 
@@ -937,6 +990,13 @@ two consecutive C<%> characters are collapsed into a single C<%> character The default value is C<@passprompt@>. +=item role + +The default SELinux role to use when constructing a new security +context to run the command. The default role may be overridden on +a per-command basis in I<sudoers> or via command line options. +This option is only available whe B<sudo> is built with SELinux support. + =item runas_default The default user to run commands as if the B<-u> option is not specified @@ -970,6 +1030,13 @@ The default is F<@timedir@>. The owner of the timestamp directory and the timestamps stored therein. The default is C<root>. +=item type + +The default SELinux type to use when constructing a new security +context to run the command. The default type may be overridden on +a per-command basis in I<sudoers> or via command line options. +This option is only available whe B<sudo> is built with SELinux support. + =back B<Strings that can be used in a boolean context>: @@ -1220,6 +1287,7 @@ these are a bit contrived. First, we define our I<aliases>: # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ @@ -1313,6 +1381,12 @@ The user B<joe> may only L<su(1)> to operator. pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + %opers ALL = (: ADMINGRP) /usr/sbin/ + +Users in the B<opers> group may run commands in F</usr/sbin/> as themselves +with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper> +groups). + The user B<pete> is allowed to change anyone's password except for root on the I<HPPA> machines. Note that this assumes L<passwd(1)> does not take multiple usernames on the command line. diff --git a/usr.bin/sudo/testsudoers.c b/usr.bin/sudo/testsudoers.c index 0eaf1d737cf..c961432edd7 100644 --- a/usr.bin/sudo/testsudoers.c +++ b/usr.bin/sudo/testsudoers.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -71,7 +71,7 @@ #endif /* HAVE_FNMATCH */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.128 2008/11/19 17:01:20 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.131 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ @@ -373,8 +373,9 @@ set_fqdn() } FILE * -open_sudoers(path, keepopen) +open_sudoers(path, isdir, keepopen) const char *path; + int isdir; int *keepopen; { return(fopen(path, "r")); @@ -386,11 +387,11 @@ init_envtables() return; } -void +int set_perms(perm) int perm; { - return; + return(1); } void diff --git a/usr.bin/sudo/tgetpass.c b/usr.bin/sudo/tgetpass.c index 5fcbb434383..503cb972d4a 100644 --- a/usr.bin/sudo/tgetpass.c +++ b/usr.bin/sudo/tgetpass.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any @@ -57,7 +57,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.130 2009/02/15 20:53:49 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.131 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ static volatile sig_atomic_t signo; diff --git a/usr.bin/sudo/toke.l b/usr.bin/sudo/toke.l index 01aa762a154..9b93563558f 100644 --- a/usr.bin/sudo/toke.l +++ b/usr.bin/sudo/toke.l @@ -1,6 +1,6 @@ %{ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any 
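Review bot: The new second parameter of the testsudoers.c open_sudoers stub is named `isdir`, but the callers in toke.l pass `FALSE` for files enumerated from a `#includedir` and `TRUE` for an ordinary `#include`, and visudo.c names the same slot `doedit`; the stub's name is inverted with respect to what is actually passed. Renaming it `doedit` here (and in the shared prototype, if sudo.h is where it is declared) keeps the three implementations consistent, and a one-line comment such as `/* doedit is ignored; testsudoers never edits */` would make the stub's intent clear. The `set_perms` stub now returns 1 without saying what that means; `return(1); /* always reports success */` is enough.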
@@ -27,6 +27,7 @@ #include <sys/types.h> #include <sys/param.h> +#include <sys/stat.h> #include <stdio.h> #ifdef STDC_HEADERS # include <stdlib.h> @@ -49,13 +50,29 @@ #if defined(HAVE_MALLOC_H) && !defined(STDC_HEADERS) # include <malloc.h> #endif /* HAVE_MALLOC_H && !STDC_HEADERS */ +#ifdef HAVE_DIRENT_H +# include <dirent.h> +# define NAMLEN(dirent) strlen((dirent)->d_name) +#else +# define dirent direct +# define NAMLEN(dirent) (dirent)->d_namlen +# ifdef HAVE_SYS_NDIR_H +# include <sys/ndir.h> +# endif +# ifdef HAVE_SYS_DIR_H +# include <sys/dir.h> +# endif +# ifdef HAVE_NDIR_H +# include <ndir.h> +# endif +#endif #include <ctype.h> #include "sudo.h" #include "parse.h" #include <gram.h> #ifndef lint -__unused static const char rcsid[] = "$Sudo: toke.l,v 1.29 2009/02/21 21:49:19 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: toke.l,v 1.37 2009/05/27 00:46:51 millert Exp $"; #endif /* lint */ extern YYSTYPE yylval; @@ -69,15 +86,16 @@ static int append __P((char *, int)); static int _fill __P((char *, int, int)); static int fill_cmnd __P((char *, int)); static int fill_args __P((char *, int, int)); -static int switch_buffer __P((char *)); +static int _push_include __P((char *, int)); +static int pop_include __P((void)); static int ipv6_valid __P((const char *s)); static char *parse_include __P((char *)); extern void yyerror __P((const char *)); #define fill(a, b) _fill(a, b, 0) -#define push_include(_p) (switch_buffer((_p))) -#define pop_include() (switch_buffer(NULL)) +#define push_include(_p) (_push_include((_p), FALSE)) +#define push_includedir(_p) (_push_include((_p), TRUE)) /* realloc() to size + COMMANDARGINC to make room for command args */ #define COMMANDARGINC 64 
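Review bot: The new prototype `static int _push_include __P((char *, int));` adds another file-scope identifier with a leading underscore; C reserves such names at file scope for the implementation, so a name like `push_include_common` (leaving the `push_include`/`push_includedir` macros as they are) avoids the reserved space, though `_fill` already sets the precedent in this file. The `#ifdef HAVE_DIRENT_H` fallback block defines `dirent` and `NAMLEN` and only the `NAMLEN(dent) - 1` use in switch_dir depends on them; a one-line comment `/* NAMLEN: length of d_name without assuming a d_namlen member exists */` would document why the macro is there.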
@@ -227,6 +245,19 @@ DEFVAR [a-z_]+ yyterminate(); } +<INITIAL>^#includedir[[:blank:]]+\/.*\n { + char *path; + + if ((path = parse_include(yytext)) == NULL) + yyterminate(); + + LEXTRACE("INCLUDEDIR\n"); + + /* Push current buffer and switch to include file */ + if (!push_includedir(path)) + yyterminate(); + } + <INITIAL>^[[:blank:]]*Defaults([:@>\!]{WORD})? { int n; for (n = 0; isblank((unsigned char)yytext[n]); n++) @@ -316,7 +347,7 @@ NOSETENV[[:blank:]]*: { return(NETGROUP); } -\%{WORD} { +\%:?{WORD} { /* UN*X group */ if (!fill(yytext, yyleng)) yyterminate(); @@ -412,11 +443,28 @@ sudoedit { } } /* a pathname */ +<INITIAL,GOTDEFS>\"[^"\n]+\" { + /* a quoted user/group name */ + if (!fill(yytext + 1, yyleng - 2)) + yyterminate(); + switch (yytext[1]) { + case '%': + LEXTRACE("USERGROUP "); + return(USERGROUP); + case '+': + LEXTRACE("NETGROUP "); + return(NETGROUP); + default: + LEXTRACE("WORD(4) "); + return(WORD); + } + } + <INITIAL,GOTDEFS>({ID}|{WORD}) { /* a word */ if (!fill(yytext, yyleng)) yyterminate(); - LEXTRACE("WORD(4) "); + LEXTRACE("WORD(5) "); return(WORD); } @@ -490,12 +538,57 @@ sudoedit { } %% +static unsigned char +hexchar(s) + const char *s; +{ + int i; + int result = 0; + + s += 2; /* skip \\x */ + for (i = 0; i < 2; i++) { + switch (*s) { + case 'A': + case 'a': + result += 10; + break; + case 'B': + case 'b': + result += 11; + break; + case 'C': + case 'c': + result += 12; + break; + case 'D': + case 'd': + result += 13; + break; + case 'E': + case 'e': + result += 14; + break; + case 'F': + case 'f': + result += 15; + break; + default: + result += *s - '0'; + break; + } + if (i == 0) { + result *= 16; + s++; + } + } + return((unsigned char)result); +} + static int _fill(src, len, olen) char *src; int len, olen; { - int i, j; char *dst; dst = olen ? realloc(yylval.string, olen + len + 1) : malloc(len + 1); 
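Review bot: hexchar's `default:` arm computes `*s - '0'` for anything that is not A-F/a-f, so it returns a meaningless byte unless the caller has already validated both characters; the only visible caller, _fill, does check them with isxdigit(), but that contract is not stated anywhere near the function. Add a comment above it such as `/* Decode the two hex digits of a \xNN escape; the caller must have verified s[2] and s[3] with isxdigit(). */`. The switch could also shrink to `isdigit(c) ? c - '0' : tolower(c) - 'a' + 10` per digit (with `c` cast to unsigned char), which covers every arm of the switch in one expression.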
@@ -507,13 +600,24 @@ _fill(src, len, olen) /* Copy the string and collapse any escaped characters. */ dst += olen; - for (i = 0, j = 0; i < len; i++, j++) { - if (src[i] == '\\' && i != len - 1) - dst[j] = src[++i]; - else - dst[j] = src[i]; + while (len--) { + if (*src == '\\' && len) { + if (src[1] == 'x' && len >= 3 && + isxdigit((unsigned char) src[2]) && + isxdigit((unsigned char) src[3])) { + *dst++ = hexchar(src); + src += 4; + len -= 3; + } else { + src++; + len--; + *dst++ = *src++; + } + } else { + *dst++ = *src++; + } } - dst[j] = '\0'; + *dst = '\0'; return(TRUE); } 
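Review bot: The new `\x` handling lets `\x00` write a NUL byte into the middle of a token, after which every strcmp()-based comparison of that user, group or command name only sees the prefix, so a name written as `foo\x00bar` silently matches `foo`. Rejecting it after the decode, `if ((c = hexchar(src)) == '\0') { yyerror("invalid hex escape"); return(FALSE); }` with `unsigned char c;` declared next to `dst`, closes that; yyerror is already declared extern in this file. _fill's opening lines and its allocation-failure path are outside this hunk.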
@@ -605,63 +709,228 @@ fill_args(s, len, addspace) return(TRUE); } -struct sudoers_state { +struct path_list { + char *path; + struct path_list *next; +}; + +struct include_stack { YY_BUFFER_STATE bs; char *path; + struct path_list *more; /* more files in case of includedir */ int lineno; + int keepopen; }; +static int +pl_compare(v1, v2) + const void *v1; + const void *v2; +{ + const struct path_list * const *p1 = v1; + const struct path_list * const *p2 = v2; + + return(strcmp((*p1)->path, (*p2)->path)); +} + +static char * +switch_dir(stack, dirpath) + struct include_stack *stack; + char *dirpath; +{ + DIR *dir; + int i, count = 0; + char *path = NULL; + struct dirent *dent; + struct stat sb; + struct path_list *pl, *first = NULL; + struct path_list **sorted = NULL; + + if (!(dir = opendir(dirpath))) { + yyerror(dirpath); + return(FALSE); + } + while ((dent = readdir(dir))) { + /* Ignore files that end in '~' or have a '.' in them. */ + if (dent->d_name[0] == '\0' || dent->d_name[NAMLEN(dent) - 1] == '~' + || strchr(dent->d_name, '.') != NULL) { + continue; + } + if (asprintf(&path, "%s/%s", dirpath, dent->d_name) == -1) { + closedir(dir); + goto bad; + } + if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) { + efree(path); + continue; + } + pl = malloc(sizeof(*pl)); + if (pl == NULL) + goto bad; + pl->path = path; + pl->next = first; + first = pl; + count++; + } + closedir(dir); + + if (count == 0) + goto done; + + /* Sort the list as an array. */ + sorted = malloc(sizeof(*sorted) * count); + if (sorted == NULL) + goto bad; + pl = first; + for (i = 0; i < count; i++) { + sorted[i] = pl; + pl = pl->next; + } + qsort(sorted, count, sizeof(*sorted), pl_compare); + + /* Apply sorting to the list. */ + first = sorted[0]; + sorted[count - 1]->next = NULL; + for (i = 1; i < count; i++) + sorted[i - 1]->next = sorted[i]; + efree(sorted); + + /* Pull out the first element for parsing, leave the rest for later. 
*/ + if (count) { + path = first->path; + pl = first->next; + efree(first); + stack->more = pl; + } else { + path = NULL; + } +done: + efree(dirpath); + return(path); +bad: + while (first != NULL) { + pl = first; + first = pl->next; + free(pl->path); + free(pl); + } + efree(sorted); + efree(dirpath); + efree(path); + return(NULL); +} + #define MAX_SUDOERS_DEPTH 128 #define SUDOERS_STACK_INCREMENT 16 +static size_t istacksize, idepth; +static struct include_stack *istack; +static int keepopen; + +void +init_lexer() +{ + struct path_list *pl; + + while (idepth) { + idepth--; + while ((pl = istack[idepth].more) != NULL) { + istack[idepth].more = pl->next; + efree(pl->path); + efree(pl); + } + efree(istack[idepth].path); + if (!istack[idepth].keepopen) + fclose(istack[idepth].bs->yy_input_file); + yy_delete_buffer(istack[idepth].bs); + } + efree(istack); + istack = NULL; + istacksize = idepth = 0; + keepopen = FALSE; +} + static int -switch_buffer(path) +_push_include(path, isdir) char *path; + int isdir; { - static size_t stacksize, depth; - static struct sudoers_state *state; - static int keepopen; FILE *fp; - if (path != NULL) { - /* push current state */ - if (depth >= stacksize) { - if (depth > MAX_SUDOERS_DEPTH) { - yyerror("too many levels of includes"); - return(FALSE); - } - stacksize += SUDOERS_STACK_INCREMENT; - state = (struct sudoers_state *) realloc(state, - sizeof(state) * stacksize); - if (state == NULL) { - yyerror("unable to allocate memory"); - return(FALSE); - } + /* push current state onto stack */ + if (idepth >= istacksize) { + if (idepth > MAX_SUDOERS_DEPTH) { + yyerror("too many levels of includes"); + return(FALSE); + } + istacksize += SUDOERS_STACK_INCREMENT; + istack = (struct include_stack *) realloc(istack, + sizeof(istack) * istacksize); + if (istack == NULL) { + yyerror("unable to allocate memory"); + return(FALSE); } - if ((fp = open_sudoers(path, &keepopen)) == NULL) { + } + if (isdir) { + if (!(path = switch_dir(&istack[idepth], 
path))) { yyerror(path); return(FALSE); } - state[depth].bs = YY_CURRENT_BUFFER; - state[depth].path = sudoers; - state[depth].lineno = sudolineno; - depth++; + if ((fp = open_sudoers(path, FALSE, &keepopen)) == NULL) { + yyerror(path); + return(FALSE); /* XXX - just to go next one? */ + } + } else { + if ((fp = open_sudoers(path, TRUE, &keepopen)) == NULL) { + yyerror(path); + return(FALSE); + } + istack[idepth].more = NULL; + } + /* Push the old (current) file and open the new one. */ + istack[idepth].path = sudoers; /* push old path */ + istack[idepth].bs = YY_CURRENT_BUFFER; + istack[idepth].lineno = sudolineno; + istack[idepth].keepopen = keepopen; + idepth++; + sudolineno = 1; + sudoers = path; + yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE)); + + return(TRUE); +} + +static int +pop_include() +{ + struct path_list *pl; + FILE *fp; + + if (idepth == 0) + return(FALSE); + + if (!keepopen) + fclose(YY_CURRENT_BUFFER->yy_input_file); + yy_delete_buffer(YY_CURRENT_BUFFER); + keepopen = FALSE; + if ((pl = istack[idepth - 1].more) != NULL) { + /* Move to next file in the dir. */ + istack[idepth - 1].more = pl->next; + if ((fp = open_sudoers(pl->path, FALSE, &keepopen)) == NULL) { + yyerror(pl->path); + return(FALSE); /* XXX - just to go next one? */ + } + efree(sudoers); + sudoers = pl->path; sudolineno = 1; - sudoers = path; yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE)); + efree(pl); } else { - /* pop */ - if (depth == 0) - return(FALSE); - depth--; - if (!keepopen) - fclose(YY_CURRENT_BUFFER->yy_input_file); - yy_delete_buffer(YY_CURRENT_BUFFER); - yy_switch_to_buffer(state[depth].bs); + idepth--; + yy_switch_to_buffer(istack[idepth].bs); efree(sudoers); - sudoers = state[depth].path; - sudolineno = state[depth].lineno; - keepopen = FALSE; + sudoers = istack[idepth].path; + sudolineno = istack[idepth].lineno; } return(TRUE); } 
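Review bot: `realloc(istack, sizeof(istack) * istacksize)` in _push_include sizes the stack by the size of a pointer rather than of a `struct include_stack`, so once idepth grows past a handful of entries `istack[idepth].path = sudoers` and its neighbours write beyond the end of the heap block; it should read `sizeof(*istack) * istacksize` (the replaced switch_buffer carried the same `sizeof(state)` slip, and this commit copies it over). In switch_dir, the `done:` label returns `path` even when count is 0, and at that point `path` may still hold the buffer released by `efree(path)` in the `!S_ISREG` branch (assuming efree() does not clear its argument), so a directory containing only subdirectories or other non-regular entries hands the caller a dangling non-NULL pointer that it then treats as a successfully opened include; `efree(path); path = NULL;` there, or an explicit `return(NULL)` when count is 0, fixes it. The caller's failure branch `yyerror(path)` is reached with the NULL that switch_dir returns, so it should report the directory name saved before the call rather than whatever yyerror does with a NULL string. The realloc also overwrites istack on failure and loses the old block, although the lexer terminates on that path anyway.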
@@ -676,6 +945,8 @@ parse_include(base) /* Pull out path from #include line. */ cp = base + sizeof("#include"); + if (*cp == 'i') + cp += 3; /* includedir */ while (isblank((unsigned char) *cp)) cp++; ep = cp; diff --git a/usr.bin/sudo/vasgroups.c b/usr.bin/sudo/vasgroups.c new file mode 100644 index 00000000000..33a333d7728 --- /dev/null +++ b/usr.bin/sudo/vasgroups.c 
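Review bot: The new `if (*cp == 'i') cp += 3;` after `cp = base + sizeof("#include")` is only correct because the lexer rules guarantee a `#include` line has a `/` path one blank later, so an 'i' at that offset can only be the tail of `#includedir`; that dependency on the regexes is invisible here. Testing the directive explicitly, `if (strncmp(base, "#includedir", sizeof("#includedir") - 1) == 0) cp += 3;`, or at least a comment `/* an 'i' here can only be the tail of "#includedir"; the rules require a '/' path */`, makes the arithmetic self-explanatory. parse_include's declarations and the rest of its body are outside this hunk.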
@@ -0,0 +1,323 @@ +/* + * (c) 2006 Quest Software, Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of Quest Software, Inc. nor the names of its + * contributors may be used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include <stdlib.h> +#include <sys/types.h> +#include <pwd.h> +#include <string.h> +#include <errno.h> +#include <stdio.h> +#include <dlfcn.h> + +#include <vas.h> + +#include "compat.h" +#include "logging.h" +#include "nonunix.h" +#include "parse.h" +#include "sudo.h" + + +/* Pseudo-boolean types */ +#undef TRUE +#undef FALSE +#define FALSE 0 +#define TRUE 1 + + +static vas_ctx_t *sudo_vas_ctx; +static vas_id_t *sudo_vas_id; +/* Don't use VAS_NAME_FLAG_NO_CACHE or lookups just won't work. + * -tedp, 2006-08-29 */ +static const int update_flags = 0; +static int sudo_vas_available = 0; +static char *err_msg = NULL; +static void *libvas_handle = NULL; + +/* libvas functions */ +static vas_err_t (*v_ctx_alloc) (vas_ctx_t **ctx); +static void (*v_ctx_free) (vas_ctx_t *ctx); +static vas_err_t (*v_id_alloc) (vas_ctx_t *ctx, const char *name, vas_id_t **id); +static void (*v_id_free) (vas_ctx_t *ctx, vas_id_t *id); +static vas_err_t (*v_id_establish_cred_keytab) (vas_ctx_t *ctx, vas_id_t *id, int credflags, const char *keytab); +static vas_err_t (*v_user_init) (vas_ctx_t *ctx, vas_id_t *id, const char *name, int flags, vas_user_t **user); +static void (*v_user_free) (vas_ctx_t *ctx, vas_user_t *user); +static vas_err_t (*v_group_init) (vas_ctx_t *ctx, vas_id_t *id, const char *name, int flags, vas_group_t **group); +static void (*v_group_free) (vas_ctx_t *ctx, vas_group_t *group); +static vas_err_t (*v_user_is_member) (vas_ctx_t *ctx, vas_id_t *id, vas_user_t *user, vas_group_t *group); +static const char* (*v_err_get_string) (vas_ctx_t *ctx, int with_cause); + + +static int resolve_vas_funcs(void); + + +/** + * Whether nonunix group lookups are available. + * @return 1 if available, 0 if not. 
+ */ +int +sudo_nonunix_groupcheck_available(void) +{ + return sudo_vas_available; +} + + +/** + * Check if the user is in the group + * @param group group name which can be in DOMAIN\sam format or just the group + * name + * @param user user name + * @param pwd (unused) + * @return 1 if user is a member of the group, 0 if not (or error occurred) + */ +int +sudo_nonunix_groupcheck( const char* group, const char* user, const struct passwd* pwd ) +{ + static int error_cause_shown = FALSE; + int rval = FALSE; + vas_err_t vaserr; + vas_user_t* vas_user = NULL; + vas_group_t* vas_group = NULL; + + if (!sudo_vas_available) { + if (error_cause_shown == FALSE) { + /* Produce the saved error reason */ + log_error(NO_MAIL|NO_EXIT, "Non-unix group checking unavailable: %s", + err_msg ? err_msg + : "(unknown cause)"); + error_cause_shown = TRUE; + } + return 0; + } + + /* resolve the user and group. The user will be a real Unix account name, + * while the group may be a unix name, or any group name accepted by + * vas_name_to_dn, which means any of: + * - Group Name + * - Group Name@FULLY.QUALIFIED.DOMAIN + * - CN=sudoers,CN=Users,DC=rcdev,DC=vintela,DC=com + * - S-1-2-34-5678901234-5678901234-5678901234-567 + * + * XXX - we may get non-VAS user accounts here. You can add local users to an + * Active Directory group through override files. Should we handle that case? + * */ + if( (vaserr = v_user_init( sudo_vas_ctx, sudo_vas_id, user, update_flags, &vas_user )) != VAS_ERR_SUCCESS ) { + if (vaserr == VAS_ERR_NOT_FOUND) { + /* No such user in AD. Probably a local user. 
*/ + vaserr = VAS_ERR_SUCCESS; + } + goto FINISHED; + } + + if( (vaserr = v_group_init( sudo_vas_ctx, sudo_vas_id, group, update_flags, &vas_group )) != VAS_ERR_SUCCESS ) { + goto FINISHED; + } + + /* do the membership check */ + if( (vaserr = v_user_is_member( sudo_vas_ctx, sudo_vas_id, vas_user, vas_group )) == VAS_ERR_SUCCESS ) { + rval = TRUE; + } + else if (vaserr == VAS_ERR_NOT_FOUND) { + /* fake the vaserr code so no error is triggered */ + vaserr = VAS_ERR_SUCCESS; + } + + +FINISHED: /* cleanups */ + if (vaserr != VAS_ERR_SUCCESS) { + int error_flags = NO_MAIL | MSG_ONLY | (uses_inversion ? 0 : NO_EXIT); + + log_error(error_flags, "Error while checking group membership " + "for user \"%s\", group \"%s\", error: %s%s.", user, group, + v_err_get_string(sudo_vas_ctx, 1), + /* A helpful hint if there seems to be a non-FQDN as the domain */ + (strchr(group, '@') && !strchr(group, '.')) + ? "\nMake sure the fully qualified domain name is specified" + : ""); + } + if( vas_group ) v_group_free( sudo_vas_ctx, vas_group ); + if( vas_user ) v_user_free( sudo_vas_ctx, vas_user ); + + return(rval); +} + + +static void +set_err_msg(const char *msg, ...) { + va_list ap; + + if (!msg) /* assert */ + return; + + if (err_msg) + free(err_msg); + + va_start(ap, msg); + + if (vasprintf(&err_msg, msg, ap) == -1) + err_msg = NULL; + + va_end(ap); +} + + +/** + * Initialise nonunix_groupcheck state. 
+ */ +void +sudo_nonunix_groupcheck_init(void) +{ + vas_err_t vaserr; + void *libvas; + + if (err_msg) { + free(err_msg); + err_msg = NULL; + } + + libvas = dlopen(LIBVAS_SO, RTLD_LAZY); + if (!libvas) { + set_err_msg("dlopen() failed: %s", dlerror()); + return; + } + + libvas_handle = libvas; + + if (resolve_vas_funcs() != 0) + return; + + if (VAS_ERR_SUCCESS == (vaserr = v_ctx_alloc(&sudo_vas_ctx))) { + + if (VAS_ERR_SUCCESS == (vaserr = v_id_alloc(sudo_vas_ctx, "host/", &sudo_vas_id))) { + + if (update_flags & VAS_NAME_FLAG_NO_LDAP) { + sudo_vas_available = 1; + return; /* OK */ + } else { /* Get a keytab */ + if ((vaserr = v_id_establish_cred_keytab( sudo_vas_ctx, + sudo_vas_id, + VAS_ID_FLAG_USE_MEMORY_CCACHE + | VAS_ID_FLAG_KEEP_COPY_OF_CRED + | VAS_ID_FLAG_NO_INITIAL_TGT, + NULL )) == VAS_ERR_SUCCESS) { + sudo_vas_available = 1; + return; /* OK */ + } + + if (!err_msg) + set_err_msg("unable to establish creds: %s", + v_err_get_string(sudo_vas_ctx, 1)); + } + + v_id_free(sudo_vas_ctx, sudo_vas_id); + sudo_vas_id = NULL; + } + + /* This is the last opportunity to get an error message from libvas */ + if (!err_msg) + set_err_msg("Error initializing non-unix group checking: %s", + v_err_get_string(sudo_vas_ctx, 1)); + + v_ctx_free(sudo_vas_ctx); + sudo_vas_ctx = NULL; + } + + if (!err_msg) + set_err_msg("Failed to get a libvas handle for non-unix group checking (unknown cause)"); + + sudo_vas_available = 0; +} + + +/** + * Clean up nonunix_groupcheck state. 
+ */ +void +sudo_nonunix_groupcheck_cleanup() +{ + if (err_msg) { + free(err_msg); + err_msg = NULL; + } + + if (sudo_vas_available) { + v_id_free(sudo_vas_ctx, sudo_vas_id); + sudo_vas_id = NULL; + + v_ctx_free(sudo_vas_ctx); + sudo_vas_ctx = NULL; + + sudo_vas_available = FALSE; + } + + if (libvas_handle) { + if (dlclose(libvas_handle) != 0) + log_error(NO_MAIL|NO_EXIT, "dlclose() failed: %s", dlerror()); + libvas_handle = NULL; + } +} + +#define RESOLVE_OR_ERR(fptr, sym) \ + do { \ + void *_fptr = dlsym(libvas_handle, (sym)); \ + if (!_fptr) { \ + set_err_msg("dlsym() failed: %s", dlerror()); \ + return -1; \ + } \ + fptr = _fptr; \ + } while (0) + + +/** + * Resolve all the libvas functions. + * Returns -1 and sets err_msg if something went wrong, or 0 on success. + */ +int +resolve_vas_funcs(void) +{ + if (!libvas_handle) /* assert */ + return -1; + + RESOLVE_OR_ERR(v_ctx_alloc, "vas_ctx_alloc"); + RESOLVE_OR_ERR(v_ctx_free, "vas_ctx_free"); + RESOLVE_OR_ERR(v_id_alloc, "vas_id_alloc"); + RESOLVE_OR_ERR(v_id_free, "vas_id_free"); + RESOLVE_OR_ERR(v_id_establish_cred_keytab, "vas_id_establish_cred_keytab"); + RESOLVE_OR_ERR(v_user_init, "vas_user_init"); + RESOLVE_OR_ERR(v_user_free, "vas_user_free"); + RESOLVE_OR_ERR(v_group_init, "vas_group_init"); + RESOLVE_OR_ERR(v_group_free, "vas_group_free"); + RESOLVE_OR_ERR(v_user_is_member, "vas_user_is_member"); + RESOLVE_OR_ERR(v_err_get_string, "vas_err_get_string"); + + return 0; +} diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h deleted file mode 100644 index 2367c908b02..00000000000 --- a/usr.bin/sudo/version.h +++ /dev/null 
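Review bot: resolve_vas_funcs is declared `static int resolve_vas_funcs(void);` near the top of the file but defined as `int resolve_vas_funcs(void)` below; C gives the definition internal linkage from the earlier declaration, but the mismatch reads like an exported symbol, so the definition should be `static int resolve_vas_funcs(void)`. set_err_msg uses `va_list`, `va_start` and `va_end` while the file's include list has no `<stdarg.h>`; unless vas.h, compat.h or sudo.h pulls it in, add `#include <stdarg.h>`. `sudo_nonunix_groupcheck_cleanup()` is the only definition here with an empty parameter list; `(void)` matches the rest of the file. The `if (update_flags & VAS_NAME_FLAG_NO_LDAP)` branch in the init function can never be taken while `update_flags` is a `const int` of 0, which deserves a comment if it is kept as a switch for future use.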
@@ -1,29 +0,0 @@ -/* - * Copyright (c) 1996, 1998-2005, 2008 - * Todd C. Miller <Todd.Miller@courtesan.com> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * Sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: version.h,v 1.72 2009/03/01 01:00:28 millert Exp $ - */ - -#ifndef _SUDO_VERSION_H -#define _SUDO_VERSION_H - -static const char version[] = "1.7.1"; - -#endif /* _SUDO_VERSION_H */ diff --git a/usr.bin/sudo/visudo.c b/usr.bin/sudo/visudo.c index 6f92f086bd8..b48fc24745f 100644 --- a/usr.bin/sudo/visudo.c +++ b/usr.bin/sudo/visudo.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998-2005, 2007-2008 + * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any 
@@ -85,18 +85,18 @@ #include "parse.h" #include "redblack.h" #include <gram.h> -#include "version.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.231 2009/04/16 12:22:04 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.234 2009/05/25 12:02:42 millert Exp $"; #endif /* lint */ struct sudoersfile { char *path; - int fd; char *tpath; + int fd; int tfd; int modified; + int doedit; struct sudoersfile *next; }; @@ -172,7 +172,7 @@ main(argc, argv) while ((ch = getopt(argc, argv, "Vcf:sq")) != -1) { switch (ch) { case 'V': - (void) printf("%s version %s\n", getprogname(), version); + (void) printf("%s version %s\n", getprogname(), PACKAGE_VERSION); exit(0); case 'c': checkonly++; /* check mode */ @@ -215,8 +215,9 @@ main(argc, argv) * Parse the existing sudoers file(s) in quiet mode to highlight any * existing errors and to pull in editor and env_editor conf values. */ - if ((yyin = open_sudoers(sudoers_path, NULL)) == NULL) + if ((yyin = open_sudoers(sudoers_path, TRUE, NULL)) == NULL) { error(1, "%s", sudoers_path); + } init_parser(sudoers_path, 0); yyparse(); (void) update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER); @@ -228,6 +229,8 @@ main(argc, argv) /* Edit the sudoers file(s) */ tq_foreach_fwd(&sudoerslist, sp) { + if (!sp->doedit) + continue; if (sp != tq_first(&sudoerslist)) { printf("press return to edit %s: ", sp->path); while ((ch = getchar()) != EOF && ch != '\n') @@ -747,8 +750,9 @@ check_syntax(sudoers_path, quiet, strict) * any subsequent files #included via a callback from the parser. */ FILE * -open_sudoers(path, keepopen) +open_sudoers(path, doedit, keepopen) const char *path; + int doedit; int *keepopen; { struct sudoersfile *entry; @@ -766,6 +770,8 @@ open_sudoers(path, keepopen) entry->next = NULL; entry->fd = open(entry->path, O_RDWR | O_CREAT, SUDOERS_MODE); entry->tpath = NULL; + entry->tfd = -1; + entry->doedit = doedit; if (entry->fd == -1) { warning("%s", entry->path); efree(entry); |
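Review bot: The new `if (!sp->doedit) continue;` in the edit loop leaves skipped entries with `tfd == -1` and `tpath == NULL`; the later passes over sudoerslist (reparse and installation of the temporary files) are outside this hunk, and if they do not apply the same test they would act on a NULL tpath, so a comment at the skip such as `/* #includedir files are parsed but never edited or installed */` and a matching check in those passes is worth adding. As far as this diff shows the `doedit` field is only assigned in open_sudoers, so a field comment in the struct hunk, `int doedit; /* FALSE for files found via #includedir */`, would document its meaning for readers of the struct.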