Update to sudo 1.6.9p17
This commit is contained in:
parent
6e7dc0a31a
commit
8c9a63b7ad
@ -2045,3 +2045,73 @@ Sudo 1.6.9p11 released.
|
||||
to the screen if there was a read timeout.
|
||||
|
||||
Sudo 1.6.9p12 released.
|
||||
|
||||
646) Sudo will now set the nproc resource limit to unlimited on Linux
|
||||
systems to work around Linux's setuid() resource limit semantics.
|
||||
On PAM systems the resource limits will be reset by pam_limits.so
|
||||
before the command is executed.
|
||||
|
||||
647) SELinux support that can be used to implement role based access
|
||||
control (RBAC). A role and (optional) type may be specified
|
||||
in sudoers or on the command line. These are then used in the
|
||||
security context that the command is run as.
|
||||
|
||||
648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
|
||||
|
||||
Sudo 1.6.9p13 released.
|
||||
|
||||
649) Fixed an invalid assumption in the PAM conversation function
|
||||
introduced in version 1.6.9p9. The conversation function may
|
||||
be called for non-password reading purposes as well.
|
||||
|
||||
650) Fixed freeing an uninitialized pointer in -l mode, introduced in
|
||||
version 1.6.9p13.
|
||||
|
||||
651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
|
||||
This allows Defaults options in /etc/sudoers to take effect.
|
||||
|
||||
652) Add missing checks for enforcing mode in SELinux RBAC mode.
|
||||
|
||||
Sudo 1.6.9p14 released.
|
||||
|
||||
653) Fixed installation of sudo_noexec.so on AIX.
|
||||
|
||||
654) Updated libtool to version 1.5.26.
|
||||
|
||||
655) Fixed printing of default SELinux role and type in -V mode.
|
||||
|
||||
656) The HOME environment variable is once again preserved by default,
|
||||
as per the documentation.
|
||||
|
||||
Sudo 1.6.9p15 released.
|
||||
|
||||
657) There was a missing space before the ldap libraries in the Makefile
|
||||
for some configurations.
|
||||
|
||||
658) LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
|
||||
|
||||
659) If the LDAP server could not be contacted and the user was not present
|
||||
in sudoers, a syntax error in sudoers was incorrectly reported.
|
||||
|
||||
Sudo 1.6.9p16 released.
|
||||
|
||||
660) The -i flag should imply resetting the environment, as it did in
|
||||
sudo version prior to 1.6.9. Also, the -i and -E flags are
|
||||
mutually exclusive.
|
||||
|
||||
661) Fixed the configure test for dirfd() under Linux.
|
||||
|
||||
662) Fixed test for whether -lintl is required to link.
|
||||
|
||||
663) Changed how sudo handles the child process when sending mail.
|
||||
This fixes a problem on Linux with the mail_always option.
|
||||
|
||||
664) Fixed a problem with line continuation characters inside of
|
||||
quoted strings.
|
||||
|
||||
Sudo 1.6.9p17 released.
|
||||
|
||||
665) Fixed a crash when the -i flag was used with a uid not in the password
|
||||
database.
|
||||
|
||||
666) Regenerated parser to pull in a yacc skeleton fix.
|
||||
|
@ -320,6 +320,10 @@ Special features/options:
|
||||
physically live in ${prefix}/etc and /etc/sudoers will be
|
||||
a symbolic link.
|
||||
|
||||
--with-selinux
|
||||
Enable support for role based access control (RBAC) on
|
||||
systems that support SELinux.
|
||||
|
||||
The following options are also configurable at runtime:
|
||||
|
||||
--with-long-otp-prompt
|
||||
|
@ -20,7 +20,7 @@
|
||||
#
|
||||
# @configure_input@
|
||||
#
|
||||
# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $
|
||||
# $Sudo: Makefile.in,v 1.246.2.32 2008/06/22 20:29:03 millert Exp $
|
||||
#
|
||||
|
||||
#### Start of system configuration section. ####
|
||||
@ -62,7 +62,9 @@ bindir = @bindir@
|
||||
sbindir = @sbindir@
|
||||
sysconfdir = @sysconfdir@
|
||||
mandir = @mandir@
|
||||
noexecfile = @NOEXECFILE@
|
||||
noexecdir = @NOEXECDIR@
|
||||
libexecdir = @libexecdir@
|
||||
datarootdir = @datarootdir@
|
||||
|
||||
# Directory in which to install sudo.
|
||||
@ -105,7 +107,7 @@ SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c err.c \
|
||||
logging.c memrchr.c mkstemp.c parse.c parse.lex parse.yacc set_perms.c \
|
||||
sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c \
|
||||
sudo.c sudo_noexec.c sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c \
|
||||
utimes.c visudo.c zero_bytes.c $(AUTH_SRCS)
|
||||
utimes.c visudo.c zero_bytes.c selinux.c sesh.c $(AUTH_SRCS)
|
||||
|
||||
AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
|
||||
auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
|
||||
@ -131,7 +133,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
|
||||
|
||||
LIBOBJS = @LIBOBJS@ @ALLOCA@
|
||||
|
||||
VERSION = 1.6.9p12
|
||||
VERSION = 1.6.9p17
|
||||
|
||||
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
|
||||
LICENSE Makefile.in PORTING README README.LDAP \
|
||||
@ -233,6 +235,7 @@ glob.o: glob.c config.h compat.h emul/glob.h
|
||||
lsearch.o: lsearch.c config.h compat.h emul/search.h
|
||||
memrchr.o: memrchr.c config.h compat.h
|
||||
mkstemp.o: mkstemp.c config.h compat.h
|
||||
selinux.o: selinux.c $(SUDODEP)
|
||||
snprintf.o: snprintf.c config.h compat.h
|
||||
strcasecmp.o: strcasecmp.c config.h
|
||||
strlcat.o: strlcat.c config.h
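Review bot: `selinux.o: selinux.c $(SUDODEP)` gets a dependency line here, but no matching line for `sesh.o` appears in any visible hunk even though sesh.c joins SRCS in the hunk at @ -105 and sesh is installed from the hunk at @ -313; unless a rule lands in a hunk not shown, sesh.o will be built by make's implicit rule and not rebuilt when config.h or the other headers in $(SUDODEP) change. Add `sesh.o: sesh.c $(SUDODEP)` next to the selinux.o line so the new helper follows the same dependency discipline as the rest of the object list.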
|
||||
@ -276,7 +279,7 @@ sia.o: $(authdir)/sia.c $(AUTHDEP)
|
||||
|
||||
sudo.man.in: $(srcdir)/sudo.pod
|
||||
@rm -f $(srcdir)/$@
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
|
||||
|
||||
sudo.man: sudo.man.in
|
||||
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
|
||||
@ -285,7 +288,7 @@ sudo.cat: sudo.man
|
||||
|
||||
visudo.man.in: $(srcdir)/visudo.pod
|
||||
@rm -f $(srcdir)/$@
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
|
||||
|
||||
visudo.man: visudo.man.in
|
||||
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
|
||||
@ -294,7 +297,7 @@ visudo.cat: visudo.man
|
||||
|
||||
sudoers.man.in: $(srcdir)/sudoers.pod
|
||||
@rm -f $(srcdir)/$@
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
|
||||
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudoers.man.pl >> $@ )
|
||||
|
||||
sudoers.man:: sudoers.man.in
|
||||
CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
|
||||
@ -313,14 +316,11 @@ install-binaries: $(PROGS)
|
||||
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo
|
||||
rm -f $(DESTDIR)$(sudodir)/sudoedit
|
||||
ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
|
||||
|
||||
$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
|
||||
@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh
|
||||
|
||||
install-noexec: sudo_noexec.la
|
||||
$(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir)
|
||||
|
||||
bininst-noexec: sudo_noexec.la
|
||||
$(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir)
|
||||
test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir)
|
||||
|
||||
install-sudoers:
|
||||
test -f $(DESTDIR)$(sudoersdir)/sudoers || \
|
||||
|
@ -54,7 +54,7 @@
|
||||
#include "sudo_auth.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.8 2008/02/13 22:17:41 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
#ifdef HAVE_HEIMDAL
|
||||
@ -185,8 +185,10 @@ kerb5_verify(pw, pass, auth)
|
||||
error_message(error));
|
||||
goto done;
|
||||
}
|
||||
#ifdef HAVE_HEIMDAL
|
||||
krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
|
||||
krb5_principal_get_realm(sudo_context, princ), opts);
|
||||
#endif
|
||||
|
||||
/* Note that we always obtain a new TGT to verify the user */
|
||||
if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
|
||||
@ -217,8 +219,13 @@ kerb5_verify(pw, pass, auth)
|
||||
}
|
||||
|
||||
done:
|
||||
if (opts)
|
||||
if (opts) {
|
||||
#ifdef HAVE_HEIMDAL
|
||||
krb5_get_init_creds_opt_free(opts);
|
||||
#else
|
||||
krb5_get_init_creds_opt_free(sudo_context, opts);
|
||||
#endif
|
||||
}
|
||||
if (creds)
|
||||
krb5_free_cred_contents(sudo_context, creds);
|
||||
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
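Review bot: The arity of `krb5_get_init_creds_opt_free` in the new `done:` block is selected by `HAVE_HEIMDAL`, but that macro only says which implementation is present, not which signature it exports; as far as I recall Heimdal releases differ on whether the call takes the context, so the one-argument branch may fail to compile on some Heimdal builds while the MIT branch is fine. A configure-time link probe of the two-argument form, in the style of the dirfd test in configure.in, would pick the branch on the actual signature rather than on the vendor. The Heimdal-only `krb5_get_init_creds_opt_set_default_flags` call added in the earlier hunk at @ -185 also deserves a why-comment, e.g. `/* Heimdal only: apply the realm's krb5.conf option defaults to the TGT request used for verification. */`, since nothing in the function says why it is conditional. kerb5_verify begins outside these hunks.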
|
||||
|
@ -72,7 +72,7 @@
|
||||
#endif
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.9 2007/12/02 17:13:52 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.10 2008/02/22 20:19:45 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
static int sudo_conv __P((int, PAM_CONST struct pam_message **,
|
||||
@ -257,11 +257,6 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
|
||||
return(PAM_CONV_ERR);
|
||||
zero_bytes(*response, num_msg * sizeof(struct pam_response));
|
||||
|
||||
/* Is the sudo prompt standard? (If so, we'l just use PAM's) */
|
||||
std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
|
||||
(def_prompt[9] == '\0' ||
|
||||
(def_prompt[9] == ' ' && def_prompt[10] == '\0'));
|
||||
|
||||
for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
|
||||
flags = tgetpass_flags;
|
||||
switch (pm->msg_style) {
|
||||
@ -269,6 +264,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
|
||||
SET(flags, TGP_ECHO);
|
||||
case PAM_PROMPT_ECHO_OFF:
|
||||
prompt = def_prompt;
|
||||
|
||||
/* Is the sudo prompt standard? (If so, we'l just use PAM's) */
|
||||
std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
|
||||
(def_prompt[9] == '\0' ||
|
||||
(def_prompt[9] == ' ' && def_prompt[10] == '\0'));
|
||||
|
||||
/* Only override PAM prompt if it matches /^Password: ?/ */
|
||||
#if defined(PAM_TEXT_DOMAIN) && defined(HAVE_DGETTEXT)
|
||||
if (!def_passprompt_override && (std_prompt ||
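Review bot: The relocated `std_prompt` computation now sits inside the `PAM_PROMPT_ECHO_OFF` case but nothing in sudo_conv records why, so the next reader will be tempted to hoist it back out of the loop, which is the bug this commit fixes (CHANGES 649: the conversation function is also called for non-password purposes, where as I read it the sudo prompt need not be meaningful). Suggest replacing the moved comment with `/* Is the sudo prompt standard? (If so, we'll just use PAM's.) Evaluated here rather than before the loop: sudo_conv is also invoked for non-password messages, where def_prompt must not be consulted. */`, which also fixes the `we'l` typo carried over from the old location. The `PAM_PROMPT_ECHO_ON` case above falls into this one after `SET(flags, TGP_ECHO)`; a `/* FALLTHROUGH */` marker there would make the shared path explicit. sudo_conv begins before and continues after this hunk.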
|
||||
|
56
usr.bin/sudo/config.guess
@ -1,10 +1,10 @@
|
||||
#! /bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
|
||||
# Inc.
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
|
||||
# Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2006-11-15'
|
||||
timestamp='2008-01-23'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
@ -56,8 +56,8 @@ version="\
|
||||
GNU config.guess ($timestamp)
|
||||
|
||||
Originally written by Per Bothner.
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
|
||||
Free Software Foundation, Inc.
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
|
||||
2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
@ -330,7 +330,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||
sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
|
||||
echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
|
||||
exit ;;
|
||||
i86pc:SunOS:5.*:*)
|
||||
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
|
||||
echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
|
||||
exit ;;
|
||||
sun4*:SunOS:6*:*)
|
||||
@ -532,7 +532,7 @@ EOF
|
||||
echo rs6000-ibm-aix3.2
|
||||
fi
|
||||
exit ;;
|
||||
*:AIX:*:[45])
|
||||
*:AIX:*:[456])
|
||||
IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
|
||||
if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
|
||||
IBM_ARCH=rs6000
|
||||
@ -781,7 +781,7 @@ EOF
|
||||
i*:CYGWIN*:*)
|
||||
echo ${UNAME_MACHINE}-pc-cygwin
|
||||
exit ;;
|
||||
i*:MINGW*:*)
|
||||
*:MINGW*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw32
|
||||
exit ;;
|
||||
i*:windows32*:*)
|
||||
@ -791,12 +791,18 @@ EOF
|
||||
i*:PW*:*)
|
||||
echo ${UNAME_MACHINE}-pc-pw32
|
||||
exit ;;
|
||||
x86:Interix*:[3456]*)
|
||||
echo i586-pc-interix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
EM64T:Interix*:[3456]* | authenticamd:Interix*:[3456]*)
|
||||
echo x86_64-unknown-interix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:Interix*:[3456]*)
|
||||
case ${UNAME_MACHINE} in
|
||||
x86)
|
||||
echo i586-pc-interix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
EM64T | authenticamd)
|
||||
echo x86_64-unknown-interix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
IA64)
|
||||
echo ia64-unknown-interix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
esac ;;
|
||||
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
|
||||
echo i${UNAME_MACHINE}-pc-mks
|
||||
exit ;;
|
||||
@ -830,7 +836,14 @@ EOF
|
||||
echo ${UNAME_MACHINE}-pc-minix
|
||||
exit ;;
|
||||
arm*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
eval $set_cc_for_build
|
||||
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ARM_EABI__
|
||||
then
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
else
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
|
||||
fi
|
||||
exit ;;
|
||||
avr32*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
@ -951,6 +964,9 @@ EOF
|
||||
x86_64:Linux:*:*)
|
||||
echo x86_64-unknown-linux-gnu
|
||||
exit ;;
|
||||
xtensa*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
exit ;;
|
||||
i*86:Linux:*:*)
|
||||
# The BFD linker knows what the default object file format is, so
|
||||
# first see if it will tell us. cd to the root directory to prevent
|
||||
@ -1209,9 +1225,15 @@ EOF
|
||||
SX-6:SUPER-UX:*:*)
|
||||
echo sx6-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
SX-7:SUPER-UX:*:*)
|
||||
echo sx7-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
SX-8:SUPER-UX:*:*)
|
||||
echo sx8-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
SX-8R:SUPER-UX:*:*)
|
||||
echo sx8r-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
Power*:Rhapsody:*:*)
|
||||
echo powerpc-apple-rhapsody${UNAME_RELEASE}
|
||||
exit ;;
|
||||
@ -1462,9 +1484,9 @@ This script, last modified $timestamp, has failed to recognize
|
||||
the operating system you are using. It is advised that you
|
||||
download the most up to date version of the config scripts from
|
||||
|
||||
http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
|
||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
|
||||
and
|
||||
http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
|
||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
|
||||
|
||||
If the version you run ($0) is already up to date, please
|
||||
send the following data and any information you think might be
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: config.h,v 1.8 2007/12/03 15:09:47 millert Exp $ */
|
||||
/* $OpenBSD: config.h,v 1.9 2008/07/31 16:44:03 millert Exp $ */
|
||||
|
||||
#ifndef _SUDO_CONFIG_H
|
||||
#define _SUDO_CONFIG_H
|
||||
@ -49,6 +49,7 @@
|
||||
#define HAVE_SETLOCALE 1
|
||||
#define HAVE_SETRESUID 1
|
||||
#define HAVE_SETRLIMIT 1
|
||||
#define HAVE_SETSID 1
|
||||
#define HAVE_SIGACTION 1
|
||||
#define HAVE_SIG_ATOMIC_T 1
|
||||
#define HAVE_SNPRINTF 1
|
||||
|
@ -305,6 +305,9 @@
|
||||
/* Define to 1 if you have the <security/pam_appl.h> header file. */
|
||||
#undef HAVE_SECURITY_PAM_APPL_H
|
||||
|
||||
/* Define to 1 to enable SELinux RBAC support. */
|
||||
#undef HAVE_SELINUX
|
||||
|
||||
/* Define to 1 if you have the `seteuid' function. */
|
||||
#undef HAVE_SETEUID
|
||||
|
||||
@ -320,6 +323,9 @@
|
||||
/* Define to 1 if you have the `setrlimit' function. */
|
||||
#undef HAVE_SETRLIMIT
|
||||
|
||||
/* Define to 1 if you have the `setsid' function. */
|
||||
#undef HAVE_SETSID
|
||||
|
||||
/* Define to 1 if you have the `set_auth_parameters' function. */
|
||||
#undef HAVE_SET_AUTH_PARAMETERS
|
||||
|
||||
|
63
usr.bin/sudo/config.sub
@ -1,10 +1,10 @@
|
||||
#! /bin/sh
|
||||
# Configuration validation subroutine script.
|
||||
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
|
||||
# Inc.
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
|
||||
# Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2006-11-07'
|
||||
timestamp='2008-01-16'
|
||||
|
||||
# This file is (in principle) common to ALL GNU software.
|
||||
# The presence of a machine in this file suggests that SOME GNU software
|
||||
@ -72,8 +72,8 @@ Report bugs and patches to <config-patches@gnu.org>."
|
||||
version="\
|
||||
GNU config.sub ($timestamp)
|
||||
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
|
||||
Free Software Foundation, Inc.
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
|
||||
2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
@ -245,12 +245,12 @@ case $basic_machine in
|
||||
| bfin \
|
||||
| c4x | clipper \
|
||||
| d10v | d30v | dlx | dsp16xx \
|
||||
| fr30 | frv \
|
||||
| fido | fr30 | frv \
|
||||
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
|
||||
| i370 | i860 | i960 | ia64 \
|
||||
| ip2k | iq2000 \
|
||||
| m32c | m32r | m32rle | m68000 | m68k | m88k \
|
||||
| maxq | mb | microblaze | mcore \
|
||||
| maxq | mb | microblaze | mcore | mep \
|
||||
| mips | mipsbe | mipseb | mipsel | mipsle \
|
||||
| mips16 \
|
||||
| mips64 | mips64el \
|
||||
@ -324,7 +324,7 @@ case $basic_machine in
|
||||
| clipper-* | craynv-* | cydra-* \
|
||||
| d10v-* | d30v-* | dlx-* \
|
||||
| elxsi-* \
|
||||
| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
|
||||
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
|
||||
| h8300-* | h8500-* \
|
||||
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
|
||||
| i*86-* | i860-* | i960-* | ia64-* \
|
||||
@ -369,10 +369,14 @@ case $basic_machine in
|
||||
| v850-* | v850e-* | vax-* \
|
||||
| we32k-* \
|
||||
| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
|
||||
| xstormy16-* | xtensa-* \
|
||||
| xstormy16-* | xtensa*-* \
|
||||
| ymp-* \
|
||||
| z8k-*)
|
||||
;;
|
||||
# Recognize the basic CPU types without company name, with glob match.
|
||||
xtensa*)
|
||||
basic_machine=$basic_machine-unknown
|
||||
;;
|
||||
# Recognize the various machine names and aliases which stand
|
||||
# for a CPU type and a company and sometimes even an OS.
|
||||
386bsd)
|
||||
@ -443,6 +447,14 @@ case $basic_machine in
|
||||
basic_machine=ns32k-sequent
|
||||
os=-dynix
|
||||
;;
|
||||
blackfin)
|
||||
basic_machine=bfin-unknown
|
||||
os=-linux
|
||||
;;
|
||||
blackfin-*)
|
||||
basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
os=-linux
|
||||
;;
|
||||
c90)
|
||||
basic_machine=c90-cray
|
||||
os=-unicos
|
||||
@ -475,8 +487,8 @@ case $basic_machine in
|
||||
basic_machine=craynv-cray
|
||||
os=-unicosmp
|
||||
;;
|
||||
cr16c)
|
||||
basic_machine=cr16c-unknown
|
||||
cr16)
|
||||
basic_machine=cr16-unknown
|
||||
os=-elf
|
||||
;;
|
||||
crds | unos)
|
||||
@ -672,6 +684,14 @@ case $basic_machine in
|
||||
basic_machine=m68k-isi
|
||||
os=-sysv
|
||||
;;
|
||||
m68knommu)
|
||||
basic_machine=m68k-unknown
|
||||
os=-linux
|
||||
;;
|
||||
m68knommu-*)
|
||||
basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
os=-linux
|
||||
;;
|
||||
m88k-omron*)
|
||||
basic_machine=m88k-omron
|
||||
;;
|
||||
@ -687,6 +707,10 @@ case $basic_machine in
|
||||
basic_machine=i386-pc
|
||||
os=-mingw32
|
||||
;;
|
||||
mingw32ce)
|
||||
basic_machine=arm-unknown
|
||||
os=-mingw32ce
|
||||
;;
|
||||
miniframe)
|
||||
basic_machine=m68000-convergent
|
||||
;;
|
||||
@ -813,6 +837,14 @@ case $basic_machine in
|
||||
basic_machine=i860-intel
|
||||
os=-osf
|
||||
;;
|
||||
parisc)
|
||||
basic_machine=hppa-unknown
|
||||
os=-linux
|
||||
;;
|
||||
parisc-*)
|
||||
basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
os=-linux
|
||||
;;
|
||||
pbd)
|
||||
basic_machine=sparc-tti
|
||||
;;
|
||||
@ -1021,6 +1053,10 @@ case $basic_machine in
|
||||
basic_machine=tic6x-unknown
|
||||
os=-coff
|
||||
;;
|
||||
tile*)
|
||||
basic_machine=tile-unknown
|
||||
os=-linux-gnu
|
||||
;;
|
||||
tx39)
|
||||
basic_machine=mipstx39-unknown
|
||||
;;
|
||||
@ -1226,7 +1262,7 @@ case $os in
|
||||
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
|
||||
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
||||
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
||||
| -skyos* | -haiku* | -rdos* | -toppers*)
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
|
||||
# Remember, each alternative MUST END IN *, to match a version number.
|
||||
;;
|
||||
-qnx*)
|
||||
@ -1421,6 +1457,9 @@ case $basic_machine in
|
||||
m68*-cisco)
|
||||
os=-aout
|
||||
;;
|
||||
mep-*)
|
||||
os=-elf
|
||||
;;
|
||||
mips*-cisco)
|
||||
os=-elf
|
||||
;;
|
||||
|
609
usr.bin/sudo/configure
@ -1,6 +1,6 @@
|
||||
dnl
|
||||
dnl Process this file with GNU autoconf to produce a configure script.
|
||||
dnl $Sudo: configure.in,v 1.413.2.43 2008/01/21 16:46:50 millert Exp $
|
||||
dnl $Sudo: configure.in,v 1.413.2.53 2008/06/22 20:23:56 millert Exp $
|
||||
dnl
|
||||
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
dnl
|
||||
@ -33,9 +33,14 @@ AC_SUBST(SUDOERS_MODE)
|
||||
AC_SUBST(SUDOERS_UID)
|
||||
AC_SUBST(SUDOERS_GID)
|
||||
AC_SUBST(DEV)
|
||||
AC_SUBST(SELINUX)
|
||||
AC_SUBST(BAMAN)
|
||||
AC_SUBST(LCMAN)
|
||||
AC_SUBST(SEMAN)
|
||||
AC_SUBST(mansectsu)
|
||||
AC_SUBST(mansectform)
|
||||
AC_SUBST(mansrcdir)
|
||||
AC_SUBST(NOEXECFILE)
|
||||
AC_SUBST(NOEXECDIR)
|
||||
AC_SUBST(noexec_file)
|
||||
AC_SUBST(INSTALL_NOEXEC)
|
||||
@ -109,6 +114,10 @@ PROGS="sudo visudo"
|
||||
: ${SUDOERS_UID='0'}
|
||||
: ${SUDOERS_GID='0'}
|
||||
DEV="#"
|
||||
SELINUX="#"
|
||||
BAMAN='.\" '
|
||||
LCMAN='.\" '
|
||||
SEMAN='.\" '
|
||||
AUTH_OBJS=
|
||||
AUTH_REG=
|
||||
AUTH_EXCL=
|
||||
@ -127,7 +136,11 @@ shadow_libs_optional=
|
||||
dnl
|
||||
dnl Override default configure dirs...
|
||||
dnl
|
||||
test "$mandir" = '${prefix}/man' && mandir='$(prefix)/man'
|
||||
if test X"$prefix" = X"NONE"; then
|
||||
test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
|
||||
else
|
||||
test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
|
||||
fi
|
||||
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
|
||||
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
|
||||
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
|
||||
@ -1114,6 +1127,20 @@ AC_ARG_ENABLE(path_info,
|
||||
esac
|
||||
], AC_MSG_RESULT(no))
|
||||
|
||||
AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support],
|
||||
[case $with_selinux in
|
||||
yes) AC_DEFINE(HAVE_SELINUX)
|
||||
SUDO_LIBS="${SUDO_LIBS} -lselinux"
|
||||
SUDO_OBJS="${SUDO_OBJS} selinux.o"
|
||||
PROGS="${PROGS} sesh"
|
||||
SELINUX=""
|
||||
SEMAN=""
|
||||
;;
|
||||
no) ;;
|
||||
*) AC_MSG_ERROR(["--with-selinux does not take an argument."])
|
||||
;;
|
||||
esac])
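Review bot: `--with-selinux` appends `-lselinux` and adds selinux.o and sesh to the build without probing for the library or its header, unlike the bsdauth block in the hunk at @ -1868, which stops with a clear AC_MSG_ERROR when bsd_auth.h is missing; on a host without libselinux the failure only surfaces as a link error deep inside make. Guard the `yes)` arm with `AC_CHECK_HEADER(selinux/selinux.h, [], [AC_MSG_ERROR([--with-selinux was specified but selinux/selinux.h could not be found])])` before touching SUDO_LIBS. Separately, the option has no default, so when it is not given `with_selinux` stays unset and the later `test X"$with_selinux" != X"no"` checks in the hunks at @ -2360 and @ -2375 succeed, running the sesh path setup and defining `_PATH_SUDO_SESH` on every build; the file's own idiom for an unset option is `${with_logincap-'no'}` (hunk at @ -1633), so either add `: ${with_selinux='no'}` beside `SELINUX="#"` in the hunk at @ -109 or write those tests as `test X"${with_selinux-no}" != X"no"`.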
|
||||
|
||||
dnl
|
||||
dnl If we don't have egrep we can't do anything...
|
||||
dnl
|
||||
@ -1160,6 +1187,7 @@ AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sud
|
||||
*) ;;
|
||||
esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"])
|
||||
AC_MSG_RESULT($with_noexec)
|
||||
NOEXECFILE="sudo_noexec$_shrext"
|
||||
NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
|
||||
|
||||
dnl
|
||||
@ -1382,7 +1410,7 @@ case "$host" in
|
||||
: ${mansectsu='1m'}
|
||||
: ${mansectform='4'}
|
||||
;;
|
||||
*-*-linux*)
|
||||
*-*-linux*|*-*-k*bsd*-gnu)
|
||||
OSDEFS="${OSDEFS} -D_GNU_SOURCE"
|
||||
# Some Linux versions need to link with -lshadow
|
||||
shadow_funcs="getspnam"
|
||||
@ -1633,7 +1661,7 @@ if test "$OS" != "ultrix"; then
|
||||
fi
|
||||
fi
|
||||
if test ${with_logincap-'no'} != "no"; then
|
||||
AC_CHECK_HEADERS(login_cap.h, [
|
||||
AC_CHECK_HEADERS(login_cap.h, [LCMAN=""
|
||||
case "$OS" in
|
||||
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
|
||||
;;
|
||||
@ -1681,7 +1709,7 @@ dnl
|
||||
AC_FUNC_GETGROUPS
|
||||
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
|
||||
strftime setrlimit initgroups getgroups fstat gettimeofday \
|
||||
setlocale getaddrinfo)
|
||||
setlocale getaddrinfo setsid)
|
||||
if test -z "$SKIP_SETRESUID"; then
|
||||
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
|
||||
fi
|
||||
@ -1736,7 +1764,7 @@ dnl
|
||||
dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR.
|
||||
dnl
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
|
||||
#include <$ac_header_dirent>]], [[DIR d; (void)dirfd(&d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
|
||||
#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
|
||||
#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
|
||||
dnl
|
||||
dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
|
||||
@ -1839,8 +1867,13 @@ if test ${with_pam-"no"} != "no"; then
|
||||
esac], AC_MSG_RESULT(yes))
|
||||
case $host in
|
||||
*-*-linux*|*-*-solaris*)
|
||||
AC_CHECK_FUNCS(dgettext, [],
|
||||
[AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
|
||||
# dgettext() may be defined to dgettext_libintl in the
|
||||
# header file, so first check that it links w/ additional
|
||||
# libs, then try with -lintl
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM(
|
||||
[[#include <libintl.h>]], [(void)dgettext((char *)0, (char *)0);])],
|
||||
[AC_DEFINE(HAVE_DGETTEXT)],
|
||||
[AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"]
|
||||
[AC_DEFINE(HAVE_DGETTEXT)])])
|
||||
;;
|
||||
esac
|
||||
@ -1868,8 +1901,7 @@ dnl
|
||||
if test ${with_bsdauth-'no'} != "no"; then
|
||||
AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
|
||||
[AUTH_OBJS="$AUTH_OBJS bsdauth.o"]
|
||||
[BSDAUTH_USAGE='[[-a auth_type]] ']
|
||||
[AUTH_EXCL=BSD_AUTH],
|
||||
[AUTH_EXCL=BSD_AUTH; BAMAN=""],
|
||||
[AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
|
||||
fi
|
||||
|
||||
@ -2296,7 +2328,7 @@ if test ${with_ldap-'no'} != "no"; then
|
||||
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength)
|
||||
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
|
||||
|
||||
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
|
||||
SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
|
||||
LIBS="$_LIBS"
|
||||
LDFLAGS="$_LDFLAGS"
|
||||
# XXX - OpenLDAP has deprecated ldap_get_values()
|
||||
@ -2360,13 +2392,11 @@ dnl
|
||||
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'
|
||||
|
||||
dnl
|
||||
dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set
|
||||
dnl Defer setting _PATH_SUDO_NOEXEC and _PATH_SUDO_SESH
|
||||
dnl until after exec_prefix is set
|
||||
dnl XXX - this is gross!
|
||||
dnl
|
||||
if test "$with_noexec" != "no"; then
|
||||
PROGS="${PROGS} sudo_noexec.la"
|
||||
INSTALL_NOEXEC="install-noexec"
|
||||
|
||||
if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
|
||||
oexec_prefix="$exec_prefix"
|
||||
if test "$exec_prefix" = '$(prefix)'; then
|
||||
if test "$prefix" = "NONE"; then
|
||||
@ -2375,8 +2405,17 @@ if test "$with_noexec" != "no"; then
|
||||
exec_prefix="$prefix"
|
||||
fi
|
||||
fi
|
||||
eval noexec_file="$with_noexec"
|
||||
AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
|
||||
if test X"$with_noexec" != X"no"; then
|
||||
PROGS="${PROGS} sudo_noexec.la"
|
||||
INSTALL_NOEXEC="install-noexec"
|
||||
|
||||
eval noexec_file="$with_noexec"
|
||||
AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so])
|
||||
fi
|
||||
if test X"$with_selinux" != X"no"; then
|
||||
eval sesh_file="$libexecdir/sesh"
|
||||
AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh])
|
||||
fi
|
||||
exec_prefix="$oexec_prefix"
|
||||
fi
|
||||
|
||||
@ -2437,6 +2476,7 @@ AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
|
||||
AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
|
||||
AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
|
||||
AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
|
||||
AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
|
||||
AH_TEMPLATE(HAVE_SIA, [Define to 1 if you use SIA authentication.])
|
||||
AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if <signal.h> has the sigaction_t typedef.])
|
||||
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
|
||||
|
@ -263,6 +263,14 @@ struct sudo_defs_types sudo_defs_table[] = {
|
||||
"env_keep", T_LIST|T_BOOL,
|
||||
"Environment variables to preserve:",
|
||||
NULL,
|
||||
}, {
|
||||
"role", T_STR,
|
||||
"SELinux role to use in the new security context: %s",
|
||||
NULL,
|
||||
}, {
|
||||
"type", T_STR,
|
||||
"SELinux type to use in the new security context: %s",
|
||||
NULL,
|
||||
}, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
|
@ -118,6 +118,10 @@
|
||||
#define I_ENV_DELETE 58
|
||||
#define def_env_keep (sudo_defs_table[59].sd_un.list)
|
||||
#define I_ENV_KEEP 59
|
||||
#define def_role (sudo_defs_table[60].sd_un.str)
|
||||
#define I_ROLE 60
|
||||
#define def_type (sudo_defs_table[61].sd_un.str)
|
||||
#define I_TYPE 61
|
||||
|
||||
enum def_tupple {
|
||||
never,
|
||||
|
@ -191,3 +191,9 @@ env_delete
|
||||
env_keep
|
||||
T_LIST|T_BOOL
|
||||
"Environment variables to preserve:"
|
||||
role
|
||||
T_STR
|
||||
"SELinux role to use in the new security context: %s"
|
||||
type
|
||||
T_STR
|
||||
"SELinux type to use in the new security context: %s"
|
||||
|
@ -52,7 +52,7 @@
|
||||
#include "sudo.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.17 2007/07/31 18:04:31 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.19 2008/06/21 19:04:07 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
/*
|
||||
@ -198,6 +198,7 @@ static const char *initial_checkenv_table[] = {
|
||||
static const char *initial_keepenv_table[] = {
|
||||
"COLORS",
|
||||
"DISPLAY",
|
||||
"HOME",
|
||||
"HOSTNAME",
|
||||
"KRB5CCNAME",
|
||||
"LS_COLORS",
|
||||
@ -405,7 +406,7 @@ rebuild_env(envp, sudo_mode, noexec)
|
||||
ps1 = NULL;
|
||||
didvar = 0;
|
||||
memset(&env, 0, sizeof(env));
|
||||
if (def_env_reset) {
|
||||
if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
|
||||
/* Pull in vars we want to keep from the old environment. */
|
||||
for (ep = envp; *ep; ep++) {
|
||||
int keepit;
|
||||
@ -536,6 +537,7 @@ rebuild_env(envp, sudo_mode, noexec)
|
||||
#endif
|
||||
|
||||
/* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */
|
||||
/* XXX - not needed for MODE_LOGIN_SHELL */
|
||||
if (def_set_logname && runas_pw->pw_name) {
|
||||
if (!ISSET(didvar, KEPT_LOGNAME))
|
||||
insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), &env, 1);
|
||||
@ -546,6 +548,7 @@ rebuild_env(envp, sudo_mode, noexec)
|
||||
}
|
||||
|
||||
/* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */
|
||||
/* XXX - not needed for MODE_LOGIN_SHELL */
|
||||
if (runas_pw->pw_dir) {
|
||||
if (ISSET(sudo_mode, MODE_RESET_HOME) ||
|
||||
(ISSET(sudo_mode, MODE_RUN) && (def_always_set_home ||
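Review bot: The `"HOME"` entry added to initial_keepenv_table changes what reaches the target command under env_reset — the invoking user's home directory is now passed through unless `-H`, `def_always_set_home` or the MODE_RESET_HOME path below replaces it — and the table carries no comment saying so, which makes the entry easy to misread as harmless when an administrator later tunes env_keep; a one-line `/* HOME is kept by default; see the MODE_RESET_HOME / def_always_set_home handling in rebuild_env */` beside it would record the trade-off. The widened `if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL))` likewise deserves a why-comment, e.g. `/* a login shell (-i) always starts from a rebuilt environment, independent of env_reset */`, since the two new `XXX - not needed for MODE_LOGIN_SHELL` remarks assume that behaviour. rebuild_env begins and ends outside these hunks.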
|
||||
|
@ -1,7 +1,7 @@
|
||||
#! /bin/sh
|
||||
|
||||
## (From INN-1.4, written by Rich Salz)
|
||||
## $Revision: 1.8 $
|
||||
## $Revision: 1.9 $
|
||||
## A script to install files and directories.
|
||||
|
||||
PROGNAME=`basename $0`
|
||||
@ -182,7 +182,7 @@ fi
|
||||
|
||||
## Get the destination and a temp file in the destination diretory.
|
||||
if [ -d "$2" ] ; then
|
||||
DEST="$2/$1"
|
||||
DEST="$2/`basename $1`"
|
||||
TEMP="$2/$$.tmp"
|
||||
else
|
||||
DEST="$2"
|
||||
|
@ -71,7 +71,7 @@
|
||||
#include "parse.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.38 2008/04/11 14:03:51 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
#ifndef LINE_MAX
|
||||
@ -82,6 +82,10 @@ __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08
|
||||
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
|
||||
#endif
|
||||
|
||||
#ifndef LDAPS_PORT
|
||||
# define LDAPS_PORT 636
|
||||
#endif
|
||||
|
||||
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
|
||||
|
||||
#define CONF_BOOL 0
|
||||
@ -1189,6 +1193,13 @@ sudo_ldap_check(pwflag)
|
||||
if (setenv_implied)
|
||||
def_setenv = TRUE;
|
||||
sudo_ldap_parse_options(ld, entry);
|
||||
#ifdef HAVE_SELINUX
|
||||
/* Set role and type if not specified on command line. */
|
||||
if (user_role == NULL)
|
||||
user_role = def_role;
|
||||
if (user_type == NULL)
|
||||
user_type = def_type;
|
||||
#endif /* HAVE_SELINUX */
|
||||
/* make sure we don't reenter loop */
|
||||
ret = VALIDATE_OK;
|
||||
/* break from inside for loop */
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/wait.h>
|
||||
#include <stdio.h>
|
||||
#ifdef STDC_HEADERS
|
||||
@ -56,11 +57,12 @@
|
||||
#include <signal.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
#include "sudo.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.13 2007/11/25 13:07:38 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.16 2008/06/22 20:23:57 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
static void do_syslog __P((int, char *));
|
||||
@ -458,9 +460,9 @@ send_mail(line)
|
||||
{
|
||||
FILE *mail;
|
||||
char *p;
|
||||
int pfd[2];
|
||||
pid_t pid;
|
||||
sigset_t set, oset;
|
||||
int fd, pfd[2], status;
|
||||
pid_t pid, rv;
|
||||
sigaction_t sa;
|
||||
#ifndef NO_ROOT_MAILER
|
||||
static char *root_envp[] = {
|
||||
"HOME=/",
|
||||
@ -476,17 +478,79 @@ send_mail(line)
|
||||
if (!def_mailerpath || !def_mailto)
|
||||
return;
|
||||
|
||||
(void) sigemptyset(&set);
|
||||
(void) sigaddset(&set, SIGCHLD);
|
||||
(void) sigprocmask(SIG_BLOCK, &set, &oset);
|
||||
/* Fork and return, child will daemonize. */
|
||||
switch (pid = fork()) {
|
||||
case -1:
|
||||
/* Error */
|
||||
err(1, "cannot fork");
|
||||
break;
|
||||
case 0:
|
||||
/* Child */
|
||||
switch (pid = fork()) {
|
||||
case -1:
|
||||
/* Error. */
|
||||
mysyslog(LOG_ERR, "cannot fork: %m");
|
||||
_exit(1);
|
||||
case 0:
|
||||
/* Grandchild continues below. */
|
||||
break;
|
||||
default:
|
||||
/* Parent will wait for us. */
|
||||
_exit(0);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
/* Parent */
|
||||
do {
|
||||
#ifdef HAVE_WAITPID
|
||||
rv = waitpid(pid, &status, 0);
|
||||
#else
|
||||
rv = wait(&status);
|
||||
#endif
|
||||
} while (rv == -1 && errno == EINTR);
|
||||
return;
|
||||
}
|
||||
|
||||
if (pipe(pfd) == -1)
|
||||
err(1, "cannot open pipe");
|
||||
/* Daemonize - disassociate from session/tty. */
|
||||
#ifdef HAVE_SETSID
|
||||
if (setsid() == -1)
|
||||
warn("setsid");
|
||||
#else
|
||||
setpgrp(0, 0);
|
||||
# ifdef TIOCNOTTY
|
||||
if ((fd = open(_PATH_TTY, O_RDWR, 0644)) != -1) {
|
||||
ioctl(fd, TIOCNOTTY, NULL);
|
||||
close(fd);
|
||||
}
|
||||
# endif
|
||||
#endif
|
||||
chdir("/");
|
||||
if ((fd = open(_PATH_DEVNULL, O_RDWR, 0644)) != -1) {
|
||||
(void) dup2(fd, STDIN_FILENO);
|
||||
(void) dup2(fd, STDOUT_FILENO);
|
||||
(void) dup2(fd, STDERR_FILENO);
|
||||
}
|
||||
|
||||
/* Close password and other fds so we don't leak. */
|
||||
endpwent();
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
/* Ignore SIGPIPE in case mailer exits prematurely (or is missing). */
|
||||
sigemptyset(&sa.sa_mask);
|
||||
sa.sa_flags = 0;
|
||||
sa.sa_handler = SIG_IGN;
|
||||
(void) sigaction(SIGPIPE, &sa, NULL);
|
||||
|
||||
if (pipe(pfd) == -1) {
|
||||
mysyslog(LOG_ERR, "cannot open pipe: %m");
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
switch (pid = fork()) {
|
||||
case -1:
|
||||
/* Error. */
|
||||
err(1, "cannot fork");
|
||||
mysyslog(LOG_ERR, "cannot fork: %m");
|
||||
_exit(1);
|
||||
break;
|
||||
case 0:
|
||||
{
|
||||
@ -517,9 +581,6 @@ send_mail(line)
|
||||
}
|
||||
argv[i] = NULL;
|
||||
|
||||
/* Close password file so we don't leak the fd. */
|
||||
endpwent();
|
||||
|
||||
/*
|
||||
* Depending on the config, either run the mailer as root
|
||||
* (so user cannot kill it) or as the user (for the paranoid).
|
||||
@ -531,6 +592,7 @@ send_mail(line)
|
||||
set_perms(PERM_FULL_USER);
|
||||
execv(mpath, argv);
|
||||
#endif /* NO_ROOT_MAILER */
|
||||
mysyslog(LOG_ERR, "cannot execute %s: %m", mpath);
|
||||
_exit(127);
|
||||
}
|
||||
break;
|
||||
@ -562,10 +624,14 @@ send_mail(line)
|
||||
(void) fprintf(mail, "\n\n%s : %s : %s : %s\n\n", user_host,
|
||||
get_timestr(), user_name, line);
|
||||
fclose(mail);
|
||||
|
||||
(void) sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
/* If mailer is done, wait for it now. If not, we'll get it later. */
|
||||
reapchild(SIGCHLD);
|
||||
do {
|
||||
#ifdef HAVE_WAITPID
|
||||
rv = waitpid(pid, &status, 0);
|
||||
#else
|
||||
rv = wait(&status);
|
||||
#endif
|
||||
} while (rv == -1 && errno == EINTR);
|
||||
_exit(0);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -596,26 +662,6 @@ mail_auth(status, line)
|
||||
send_mail(line);
|
||||
}
|
||||
|
||||
/*
|
||||
* SIGCHLD sig handler--wait for children as they die.
|
||||
*/
|
||||
RETSIGTYPE
|
||||
reapchild(sig)
|
||||
int sig;
|
||||
{
|
||||
int status, serrno = errno;
|
||||
#ifdef sudo_waitpid
|
||||
pid_t pid;
|
||||
|
||||
do {
|
||||
pid = sudo_waitpid(-1, &status, WNOHANG);
|
||||
} while (pid != 0 && (pid != -1 || errno == EINTR));
|
||||
#else
|
||||
(void) wait(&status);
|
||||
#endif
|
||||
errno = serrno;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return an ascii string with the current date + time
|
||||
* Uses strftime() if available, else falls back to ctime().
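Review bot: In the parent branch of the new double fork (`rv = waitpid(pid, &status, 0);` … `return;`), `status` is collected but never examined, so when the intermediate child's own fork fails and it `_exit(1)`s the notification is lost with nothing but a syslog line the invoking user never sees; checking `if (rv == pid && WIFEXITED(status) && WEXITSTATUS(status) != 0) warnx("unable to send mail");` would at least surface it. Two smaller gaps in the grandchild: `chdir("/")` is unchecked, and if `open(_PATH_DEVNULL, O_RDWR, 0644)` fails the daemon keeps the inherited stdin/stdout/stderr, so the mailer's output can still land on the user's terminal; a `mysyslog(LOG_ERR, ...)` on each failure path would match the surrounding style. send_mail's declarations and the mailer exec branch are in the neighbouring hunks of this file.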
|
||||
|
@ -90,7 +90,7 @@
|
||||
#endif /* HAVE_EXTENDED_GLOB */
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.16 2008/02/09 14:44:48 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
/*
|
||||
@ -198,6 +198,21 @@ sudoers_lookup(pwflag)
|
||||
/*
|
||||
* User was granted access to cmnd on host as user.
|
||||
*/
|
||||
#ifdef HAVE_SELINUX
|
||||
/* Set role and type if not specified on command line. */
|
||||
if (user_role == NULL) {
|
||||
if (match[top-1].role != NULL)
|
||||
user_role = match[top-1].role;
|
||||
else
|
||||
user_role = def_role;
|
||||
}
|
||||
if (user_type == NULL) {
|
||||
if (match[top-1].type != NULL)
|
||||
user_type = match[top-1].type;
|
||||
else
|
||||
user_type = def_type;
|
||||
}
|
||||
#endif
|
||||
set_perms(PERM_ROOT);
|
||||
return(VALIDATE_OK |
|
||||
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
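Review bot: `user_role = match[top-1].role;` (and the type line below it) stores a pointer into the match stack rather than a copy; the yacc pop macro `efree`s `match[top-1].role`/`.type`, so if anything pops or resets the stack between sudoers_lookup returning and selinux_exec reading user_role, the pointer dangles — an `estrdup()` here removes the question, and ldap.c's `user_role = def_role;` is the same aliasing pattern against the defaults table, which is only safe as long as defaults are never re-parsed. The block also establishes a precedence without saying so: a role or type given on the command line wins over the matching sudoers entry, which in turn wins over the `role`/`type` Defaults, so the sudoers value is a default the caller can replace rather than a bound; a comment such as `/* Precedence: -r/-t from the command line, then this entry's ROLE=/TYPE=, then Defaults. Whether the transition is allowed is decided by SELinux policy, not here. */` would stop administrators reading `ROLE=` as enforcement. sudoers_lookup begins before this hunk.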
|
||||
|
@ -14,7 +14,7 @@
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*
|
||||
* $Sudo: parse.h,v 1.14.2.1 2007/06/23 21:36:48 millert Exp $
|
||||
* $Sudo: parse.h,v 1.14.2.2 2008/02/09 14:44:48 millert Exp $
|
||||
*/
|
||||
|
||||
#ifndef _SUDO_PARSE_H
|
||||
@ -35,6 +35,8 @@ struct matchstack {
|
||||
int nopass;
|
||||
int noexec;
|
||||
int setenv;
|
||||
char *role;
|
||||
char *type;
|
||||
};
|
||||
|
||||
/*
|
||||
@ -46,6 +48,15 @@ struct sudo_command {
|
||||
char *args;
|
||||
};
|
||||
|
||||
/*
|
||||
* SELinux-specific container struct.
|
||||
* Currently just contains a role and type.
|
||||
*/
|
||||
struct selinux_info {
|
||||
char *role;
|
||||
char *type;
|
||||
};
|
||||
|
||||
#define user_matches (match[top-1].user)
|
||||
#define cmnd_matches (match[top-1].cmnd)
|
||||
#define host_matches (match[top-1].host)
|
||||
@ -64,6 +75,12 @@ struct command_match {
|
||||
char *cmnd;
|
||||
size_t cmnd_len;
|
||||
size_t cmnd_size;
|
||||
char *role;
|
||||
size_t role_len;
|
||||
size_t role_size;
|
||||
char *type;
|
||||
size_t type_len;
|
||||
size_t type_size;
|
||||
int nopasswd;
|
||||
int noexecve;
|
||||
int setenv;
|
||||
|
@ -55,7 +55,7 @@
|
||||
#include <sudo.tab.h>
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.7 2007/08/25 02:48:01 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.10 2008/06/26 11:53:50 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
#undef yywrap /* guard against a yywrap macro */
|
||||
@ -151,7 +151,7 @@ DEFVAR [a-z_]+
|
||||
}
|
||||
|
||||
<INSTR>{
|
||||
\\\n[[:blank:]]* {
|
||||
\\[[:blank:]]*\n[[:blank:]]* {
|
||||
/* Line continuation char followed by newline. */
|
||||
++sudolineno;
|
||||
LEXTRACE("\n");
|
||||
@ -163,12 +163,13 @@ DEFVAR [a-z_]+
|
||||
return(WORD);
|
||||
}
|
||||
|
||||
([^\"\n]|\\\")+ {
|
||||
\\ {
|
||||
LEXTRACE("BACKSLASH ");
|
||||
append(yytext, yyleng);
|
||||
}
|
||||
|
||||
([^\"\n\\]|\\\")+ {
|
||||
LEXTRACE("STRBODY ");
|
||||
/* Push back line continuation char if present */
|
||||
if (yyleng > 2 && yytext[yyleng - 1] == '\\' &&
|
||||
isspace((unsigned char)yytext[yyleng - 2]))
|
||||
yyless(yyleng - 1);
|
||||
append(yytext, yyleng);
|
||||
}
|
||||
}
|
||||
@ -326,11 +327,21 @@ NOSETENV[[:blank:]]*: {
|
||||
if (strcmp(yytext, "ALL") == 0) {
|
||||
LEXTRACE("ALL ");
|
||||
return(ALL);
|
||||
} else {
|
||||
fill(yytext, yyleng);
|
||||
LEXTRACE("ALIAS ");
|
||||
return(ALIAS);
|
||||
}
|
||||
#ifdef HAVE_SELINUX
|
||||
/* XXX - restrict type/role to initial state */
|
||||
if (strcmp(yytext, "TYPE") == 0) {
|
||||
LEXTRACE("TYPE ");
|
||||
return(TYPE);
|
||||
}
|
||||
if (strcmp(yytext, "ROLE") == 0) {
|
||||
LEXTRACE("ROLE ");
|
||||
return(ROLE);
|
||||
}
|
||||
#endif /* HAVE_SELINUX */
|
||||
fill(yytext, yyleng);
|
||||
LEXTRACE("ALIAS ");
|
||||
return(ALIAS);
|
||||
}
|
||||
|
||||
<GOTRUNAS>(#[0-9-]+|{WORD}) {
|
||||
|
@ -70,7 +70,7 @@
|
||||
#endif /* HAVE_LSEARCH */
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.13 2008/02/27 20:34:42 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
/*
|
||||
@ -140,6 +140,8 @@ int top = 0, stacksize = 0;
|
||||
match[top].nopass = def_authenticate ? UNSPEC : TRUE; \
|
||||
match[top].noexec = def_noexec ? TRUE : UNSPEC; \
|
||||
match[top].setenv = def_setenv ? TRUE : UNSPEC; \
|
||||
match[top].role = NULL; \
|
||||
match[top].type = NULL; \
|
||||
top++; \
|
||||
} while (0)
|
||||
|
||||
@ -156,6 +158,8 @@ int top = 0, stacksize = 0;
|
||||
match[top].nopass = match[top-1].nopass; \
|
||||
match[top].noexec = match[top-1].noexec; \
|
||||
match[top].setenv = match[top-1].setenv; \
|
||||
match[top].role = estrdup(match[top-1].role); \
|
||||
match[top].type = estrdup(match[top-1].type); \
|
||||
top++; \
|
||||
} while (0)
|
||||
|
||||
@ -163,8 +167,11 @@ int top = 0, stacksize = 0;
|
||||
do { \
|
||||
if (top == 0) \
|
||||
yyerror("matching stack underflow"); \
|
||||
else \
|
||||
else { \
|
||||
efree(match[top-1].role); \
|
||||
efree(match[top-1].type); \
|
||||
top--; \
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
|
||||
@ -182,6 +189,12 @@ int top = 0, stacksize = 0;
|
||||
#define append_runas(s, p) append(s, &cm_list[cm_list_len].runas, \
|
||||
&cm_list[cm_list_len].runas_len, &cm_list[cm_list_len].runas_size, p)
|
||||
|
||||
#define append_role(s, p) append(s, &cm_list[cm_list_len].role, \
|
||||
&cm_list[cm_list_len].role_len, &cm_list[cm_list_len].role_size, p)
|
||||
|
||||
#define append_type(s, p) append(s, &cm_list[cm_list_len].type, \
|
||||
&cm_list[cm_list_len].type_len, &cm_list[cm_list_len].type_size, p)
|
||||
|
||||
#define append_entries(s, p) append(s, &ga_list[ga_list_len-1].entries, \
|
||||
&ga_list[ga_list_len-1].entries_len, \
|
||||
&ga_list[ga_list_len-1].entries_size, p)
|
||||
@ -240,6 +253,7 @@ yyerror(s)
|
||||
int BOOLEAN;
|
||||
struct sudo_command command;
|
||||
int tok;
|
||||
struct selinux_info seinfo;
|
||||
}
|
||||
|
||||
%start file /* special start symbol */
|
||||
@ -269,6 +283,8 @@ yyerror(s)
|
||||
%token <tok> RUNASALIAS /* Runas_Alias keyword */
|
||||
%token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */
|
||||
%token <tok> ERROR
|
||||
%token <tok> TYPE /* SELinux type */
|
||||
%token <tok> ROLE /* SELinux role */
|
||||
|
||||
/*
|
||||
* NOTE: these are not true booleans as there are actually 4 possible values:
|
||||
@ -283,6 +299,9 @@ yyerror(s)
|
||||
%type <BOOLEAN> oprunasuser
|
||||
%type <BOOLEAN> runaslist
|
||||
%type <BOOLEAN> user
|
||||
%type <seinfo> selinux
|
||||
%type <string> rolespec
|
||||
%type <string> typespec
|
||||
|
||||
%%
|
||||
|
||||
@ -394,6 +413,12 @@ privilege : hostlist '=' cmndspeclist {
|
||||
no_passwd = def_authenticate ? UNSPEC : TRUE;
|
||||
no_execve = def_noexec ? TRUE : UNSPEC;
|
||||
setenv_ok = def_setenv ? TRUE : UNSPEC;
|
||||
#ifdef HAVE_SELINUX
|
||||
efree(match[top-1].role);
|
||||
match[top-1].role = NULL;
|
||||
efree(match[top-1].type);
|
||||
match[top-1].type = NULL;
|
||||
#endif
|
||||
}
|
||||
;
|
||||
|
||||
@ -457,7 +482,18 @@ cmndspeclist : cmndspec
|
||||
| cmndspeclist ',' cmndspec
|
||||
;
|
||||
|
||||
cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd {
|
||||
cmndspec : { SETENV_RESET; } runasspec selinux cmndtag opcmnd {
|
||||
#ifdef HAVE_SELINUX
|
||||
/* Replace inherited role/type as needed. */
|
||||
if ($3.role != NULL) {
|
||||
efree(match[top-1].role);
|
||||
match[top-1].role = $3.role;
|
||||
}
|
||||
if ($3.type != NULL) {
|
||||
efree(match[top-1].type);
|
||||
match[top-1].type = $3.type;
|
||||
}
|
||||
#endif
|
||||
/*
|
||||
* Push the entry onto the stack if it is worth
|
||||
* saving and reset cmnd_matches for next cmnd.
|
||||
@ -482,6 +518,7 @@ cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd {
|
||||
pushcp;
|
||||
else if (user_matches == TRUE && keepall)
|
||||
pushcp;
|
||||
|
||||
cmnd_matches = UNSPEC;
|
||||
}
|
||||
;
|
||||
@ -502,6 +539,97 @@ opcmnd : cmnd {
|
||||
}
|
||||
;
|
||||
|
||||
rolespec : ROLE '=' WORD {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE && runas_matches == TRUE)
|
||||
append_role($3, NULL);
|
||||
$$ = $3;
|
||||
#else
|
||||
free($3);
|
||||
$$ = NULL;
|
||||
#endif /* HAVE_SELINUX */
|
||||
}
|
||||
;
|
||||
|
||||
typespec : TYPE '=' WORD {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE && runas_matches == TRUE)
|
||||
append_type($3, NULL);
|
||||
$$ = $3;
|
||||
#else
|
||||
free($3);
|
||||
$$ = NULL;
|
||||
#endif /* HAVE_SELINUX */
|
||||
}
|
||||
;
|
||||
|
||||
selinux : /* empty */ {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE && runas_matches == TRUE) {
|
||||
/* Inherit role. */
|
||||
cm_list[cm_list_len].role =
|
||||
estrdup(cm_list[cm_list_len-1].role);
|
||||
cm_list[cm_list_len].role_len =
|
||||
cm_list[cm_list_len-1].role_len;
|
||||
cm_list[cm_list_len].role_size =
|
||||
cm_list[cm_list_len-1].role_len + 1;
|
||||
/* Inherit type. */
|
||||
cm_list[cm_list_len].type =
|
||||
estrdup(cm_list[cm_list_len-1].type);
|
||||
cm_list[cm_list_len].type_len =
|
||||
cm_list[cm_list_len-1].type_len;
|
||||
cm_list[cm_list_len].type_size =
|
||||
cm_list[cm_list_len-1].type_len + 1;
|
||||
}
|
||||
#endif /* HAVE_SELINUX */
|
||||
$$.role = NULL;
|
||||
$$.type = NULL;
|
||||
}
|
||||
| rolespec {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE && runas_matches == TRUE) {
|
||||
/* Inherit type. */
|
||||
cm_list[cm_list_len].type =
|
||||
estrdup(cm_list[cm_list_len-1].type);
|
||||
cm_list[cm_list_len].type_len =
|
||||
cm_list[cm_list_len-1].type_len;
|
||||
cm_list[cm_list_len].type_size =
|
||||
cm_list[cm_list_len-1].type_len + 1;
|
||||
}
|
||||
#endif /* HAVE_SELINUX */
|
||||
$$.role = $1;
|
||||
$$.type = NULL;
|
||||
}
|
||||
| typespec {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE && runas_matches == TRUE) {
|
||||
/* Inherit role. */
|
||||
cm_list[cm_list_len].role =
|
||||
estrdup(cm_list[cm_list_len-1].role);
|
||||
cm_list[cm_list_len].role_len =
|
||||
cm_list[cm_list_len-1].role_len;
|
||||
cm_list[cm_list_len].role_size =
|
||||
cm_list[cm_list_len-1].role_len + 1;
|
||||
}
|
||||
#endif /* HAVE_SELINUX */
|
||||
$$.type = $1;
|
||||
$$.role = NULL;
|
||||
}
|
||||
| rolespec typespec {
|
||||
$$.role = $1;
|
||||
$$.type = $2;
|
||||
}
|
||||
| typespec rolespec {
|
||||
$$.type = $1;
|
||||
$$.role = $2;
|
||||
}
|
||||
;
|
||||
|
||||
runasspec : /* empty */ {
|
||||
if (printmatches == TRUE && host_matches == TRUE &&
|
||||
user_matches == TRUE) {
|
||||
@ -514,7 +642,7 @@ runasspec : /* empty */ {
|
||||
cm_list[cm_list_len].runas_len =
|
||||
cm_list[cm_list_len-1].runas_len;
|
||||
cm_list[cm_list_len].runas_size =
|
||||
cm_list[cm_list_len-1].runas_size;
|
||||
cm_list[cm_list_len-1].runas_len + 1;
|
||||
}
|
||||
}
|
||||
/*
|
||||
@ -1102,6 +1230,14 @@ list_matches()
|
||||
(void) printf("(%s) ", def_runas_default);
|
||||
}
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
/* SELinux role and type */
|
||||
if (cm_list[count].role != NULL)
|
||||
(void) printf("ROLE=%s ", cm_list[count].role);
|
||||
if (cm_list[count].type != NULL)
|
||||
(void) printf("TYPE=%s ", cm_list[count].type);
|
||||
#endif
|
||||
|
||||
/* Is execve(2) disabled? */
|
||||
if (cm_list[count].noexecve == TRUE && !def_noexec)
|
||||
(void) fputs("NOEXEC: ", stdout);
|
||||
@ -1141,6 +1277,8 @@ list_matches()
|
||||
for (count = 0; count < cm_list_len; count++) {
|
||||
efree(cm_list[count].runas);
|
||||
efree(cm_list[count].cmnd);
|
||||
efree(cm_list[count].role);
|
||||
efree(cm_list[count].type);
|
||||
}
|
||||
efree(cm_list);
|
||||
cm_list = NULL;
|
||||
@ -1245,6 +1383,7 @@ expand_match_list()
|
||||
}
|
||||
|
||||
cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
|
||||
cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL;
|
||||
cm_list[cm_list_len].nopasswd = FALSE;
|
||||
cm_list[cm_list_len].noexecve = FALSE;
|
||||
cm_list[cm_list_len].setenv = FALSE;
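Review bot: The inherit blocks in the three `selinux` alternatives call `estrdup(cm_list[cm_list_len-1].role)` / `.type` on fields that expand_match_list now initialises to NULL, so they rely on estrdup() accepting a NULL argument (the project's allocator may, but that is not visible in this diff and deserves a one-line comment either way); the same nine lines are repeated three times and would read better as `INHERIT_ROLE` / `INHERIT_TYPE` macros placed next to `append_role` / `append_type`. In the `cmndspec` action the `#ifdef HAVE_SELINUX` block uses `$3`, which is now the inserted `selinux` nonterminal rather than `cmndtag`; a `/* $3 is the selinux spec */` remark guards against the next grammar change shifting it again. Minor consistency point: the `#else` branches of `rolespec` and `typespec` call `free($3)` where the rest of this file uses `efree`. The `runas_size` correction in the `runasspec` hunk is right, and the new `role_size` / `type_size` assignments follow the same `len + 1` form.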
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* pathnames.h. Generated by configure. */
|
||||
/* pathnames.h. Generated from pathnames.h.in by configure. */
|
||||
/*
|
||||
* Copyright (c) 1996, 1998, 1999, 2001, 2004
|
||||
* Todd C. Miller <Todd.Miller@courtesan.com>.
|
||||
@ -19,7 +19,7 @@
|
||||
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
*
|
||||
* $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $
|
||||
* $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -87,7 +87,7 @@
|
||||
#endif /* _PATH_SUDO_SENDMAIL */
|
||||
|
||||
#ifndef _PATH_SUDO_NOEXEC
|
||||
#define _PATH_SUDO_NOEXEC "/usr/libexec/sudo_noexec"
|
||||
#define _PATH_SUDO_NOEXEC "/usr/local/libexec/sudo_noexec.so"
|
||||
#endif /* _PATH_SUDO_NOEXEC */
|
||||
|
||||
#ifndef _PATH_VI
|
||||
@ -102,6 +102,10 @@
|
||||
#define _PATH_BSHELL "/bin/sh"
|
||||
#endif /* _PATH_BSHELL */
|
||||
|
||||
#ifndef _PATH_SUDO_SESH
|
||||
#define _PATH_SUDO_SESH "/usr/local/libexec/sesh"
|
||||
#endif /* _PATH_SUDO_SESH */
|
||||
|
||||
#ifndef _PATH_TMP
|
||||
#define _PATH_TMP "/tmp/"
|
||||
#endif /* _PATH_TMP */
|
||||
|
@ -18,7 +18,7 @@
|
||||
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
*
|
||||
* $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $
|
||||
* $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -101,6 +101,10 @@
|
||||
#undef _PATH_BSHELL
|
||||
#endif /* _PATH_BSHELL */
|
||||
|
||||
#ifndef _PATH_SUDO_SESH
|
||||
#undef _PATH_SUDO_SESH
|
||||
#endif /* _PATH_SUDO_SESH */
|
||||
|
||||
#ifndef _PATH_TMP
|
||||
#define _PATH_TMP "/tmp/"
|
||||
#endif /* _PATH_TMP */
|
||||
|
@ -96,13 +96,16 @@
|
||||
# include <project.h>
|
||||
# include <sys/task.h>
|
||||
#endif
|
||||
#ifdef HAVE_SELINUX
|
||||
# include <selinux/selinux.h>
|
||||
#endif
|
||||
|
||||
#include "sudo.h"
|
||||
#include "interfaces.h"
|
||||
#include "version.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.34 2007/12/13 14:12:49 millert Exp $";
|
||||
__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.43 2008/07/02 10:28:43 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
/*
|
||||
@ -152,7 +155,7 @@ login_cap_t *lc;
|
||||
#ifdef HAVE_BSD_AUTH_H
|
||||
char *login_style;
|
||||
#endif /* HAVE_BSD_AUTH_H */
|
||||
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
|
||||
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
|
||||
|
||||
|
||||
int
|
||||
@ -201,8 +204,6 @@ main(argc, argv, envp)
|
||||
(void) sigaction(SIGINT, &sa, &saved_sa_int);
|
||||
(void) sigaction(SIGQUIT, &sa, &saved_sa_quit);
|
||||
(void) sigaction(SIGTSTP, &sa, &saved_sa_tstp);
|
||||
sa.sa_handler = reapchild;
|
||||
(void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
|
||||
|
||||
/*
|
||||
* Turn off core dumps and close open files.
|
||||
@ -270,25 +271,22 @@ main(argc, argv, envp)
|
||||
validated = sudo_ldap_check(pwflag);
|
||||
|
||||
/* Skip reading /etc/sudoers if LDAP told us to */
|
||||
if (def_ignore_local_sudoers); /* skips */
|
||||
else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */
|
||||
else if (ISSET(validated, VALIDATE_OK) && printmatches)
|
||||
{
|
||||
if (!def_ignore_local_sudoers) {
|
||||
int v;
|
||||
|
||||
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
|
||||
|
||||
/* User is found in LDAP and we want a list of all sudo commands the
|
||||
* user can do, so consult sudoers but throw away result.
|
||||
*/
|
||||
sudoers_lookup(pwflag);
|
||||
/* Local sudoers file overrides LDAP if we have a match. */
|
||||
v = sudoers_lookup(pwflag);
|
||||
if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK))
|
||||
validated = v;
|
||||
}
|
||||
else
|
||||
#else
|
||||
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
|
||||
|
||||
/* Validate the user but don't search for pseudo-commands. */
|
||||
validated = sudoers_lookup(pwflag);
|
||||
#endif
|
||||
{
|
||||
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
|
||||
|
||||
/* Validate the user but don't search for pseudo-commands. */
|
||||
validated = sudoers_lookup(pwflag);
|
||||
}
|
||||
if (safe_cmnd == NULL)
|
||||
safe_cmnd = estrdup(user_cmnd);
|
||||
|
||||
@ -437,13 +435,18 @@ main(argc, argv, envp)
|
||||
(void) sigaction(SIGINT, &saved_sa_int, NULL);
|
||||
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
|
||||
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
|
||||
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
|
||||
|
||||
#ifndef PROFILING
|
||||
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
|
||||
exit(0);
|
||||
else
|
||||
else {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (is_selinux_enabled() > 0 && user_role != NULL)
|
||||
selinux_exec(user_role, user_type, NewArgv, environ,
|
||||
ISSET(sudo_mode, MODE_LOGIN_SHELL));
|
||||
#endif
|
||||
execve(safe_cmnd, NewArgv, environ);
|
||||
}
|
||||
#else
|
||||
exit(0);
|
||||
#endif /* PROFILING */
|
||||
@ -610,8 +613,10 @@ init_vars(sudo_mode, envp)
|
||||
log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
|
||||
|
||||
set_runaspw(*user_runas); /* may call log_error() */
|
||||
if (*user_runas[0] == '#' && runas_pw->pw_name && runas_pw->pw_name[0])
|
||||
*user_runas = estrdup(runas_pw->pw_name);
|
||||
if (*user_runas[0] == '#') {
|
||||
if (runas_pw->pw_name != *user_runas && runas_pw->pw_name[0])
|
||||
*user_runas = estrdup(runas_pw->pw_name);
|
||||
}
|
||||
|
||||
/*
|
||||
* Get current working directory. Try as user, fall back to root.
|
||||
@ -858,6 +863,28 @@ parse_args(argc, argv)
|
||||
case 'E':
|
||||
SET(rval, MODE_PRESERVE_ENV);
|
||||
break;
|
||||
#ifdef HAVE_SELINUX
|
||||
case 'r':
|
||||
/* Must have an associated SELinux role. */
|
||||
if (NewArgv[1] == NULL)
|
||||
usage(1);
|
||||
|
||||
user_role = NewArgv[1];
|
||||
|
||||
NewArgc--;
|
||||
NewArgv++;
|
||||
break;
|
||||
case 't':
|
||||
/* Must have an associated SELinux type. */
|
||||
if (NewArgv[1] == NULL)
|
||||
usage(1);
|
||||
|
||||
user_type = NewArgv[1];
|
||||
|
||||
NewArgc--;
|
||||
NewArgv++;
|
||||
break;
|
||||
#endif
|
||||
case '-':
|
||||
NewArgc--;
|
||||
NewArgv++;
|
||||
@ -893,7 +920,10 @@ args_done:
|
||||
warnx("you may not specify environment variables in edit mode");
|
||||
usage(1);
|
||||
}
|
||||
|
||||
if (ISSET(rval, MODE_PRESERVE_ENV) && ISSET(rval, MODE_LOGIN_SHELL)) {
|
||||
warnx("you may not specify both the `-i' and `-E' options");
|
||||
usage(1);
|
||||
}
|
||||
if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) {
|
||||
if (excl != '\0')
|
||||
warnx("the `-u' and '-%c' options may not be used together", excl);
|
||||
@ -992,9 +1022,25 @@ static void
|
||||
initial_setup()
|
||||
{
|
||||
int miss[3], devnull = -1;
|
||||
#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
|
||||
#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL))
|
||||
struct rlimit rl;
|
||||
#endif
|
||||
|
||||
#if defined(__linux__)
|
||||
/*
|
||||
* Unlimit the number of processes since Linux's setuid() will
|
||||
* apply resource limits when changing uid and return EAGAIN if
|
||||
* nproc would be violated by the uid switch.
|
||||
*/
|
||||
rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
|
||||
if (setrlimit(RLIMIT_NPROC, &rl)) {
|
||||
if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
|
||||
rl.rlim_cur = rl.rlim_max;
|
||||
(void)setrlimit(RLIMIT_NPROC, &rl);
|
||||
}
|
||||
}
|
||||
#endif /* __linux__ */
|
||||
#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
|
||||
/*
|
||||
* Turn off core dumps.
|
||||
*/
|
||||
@ -1194,6 +1240,11 @@ set_runaspw(user)
|
||||
runas_pw = emalloc(sizeof(struct passwd));
|
||||
(void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));
|
||||
runas_pw->pw_uid = atoi(user + 1);
|
||||
runas_pw->pw_name = user;
|
||||
runas_pw->pw_passwd = "*";
|
||||
runas_pw->pw_gecos = user;
|
||||
runas_pw->pw_dir = "/";
|
||||
runas_pw->pw_shell = estrdup(_PATH_BSHELL);
|
||||
}
|
||||
} else {
|
||||
runas_pw = sudo_getpwnam(user);
|
||||
@ -1272,8 +1323,14 @@ usage(exit_val)
|
||||
#endif
|
||||
#ifdef HAVE_LOGIN_CAP_H
|
||||
" [-c class|-]",
|
||||
#endif
|
||||
#ifdef HAVE_SELINUX
|
||||
" [-r role]",
|
||||
#endif
|
||||
" [-p prompt]",
|
||||
#ifdef HAVE_SELINUX
|
||||
" [-t type]",
|
||||
#endif
|
||||
" [-u username|#uid]",
|
||||
" [VAR=value]",
|
||||
" {-i | -s | <command>}",
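Review bot: At the new exec site, `if (is_selinux_enabled() > 0 && user_role != NULL)` keys only on the role, so `-t type` on its own (or a sudoers `TYPE=` with no role from any source) is silently ignored and the command runs in the caller's context; either reject the combination once lookup is done — `if (user_type != NULL && user_role == NULL) log_error(MSG_ONLY, "a type was specified without a role");` — or state in a comment that type is only meaningful together with a role. If selinux_exec can return on failure (its body is not in this diff), the fall-through to `execve(safe_cmnd, NewArgv, environ);` would run the command unconfined, so it should be documented as non-returning or be followed by an error exit. In init_vars, `runas_pw->pw_name != *user_runas` works only because set_runaspw aliases `pw_name = user` for the synthesised `#uid` entry; a comment such as `/* pw_name == *user_runas means set_runaspw synthesised the entry */` makes that dependency explicit. main, init_vars and parse_args all extend beyond these hunks.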
|
||||
|
@ -17,7 +17,7 @@
|
||||
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
*
|
||||
* $Sudo: sudo.h,v 1.209.2.13 2007/11/27 23:41:23 millert Exp $
|
||||
* $Sudo: sudo.h,v 1.209.2.14 2008/02/09 14:44:48 millert Exp $
|
||||
*/
|
||||
|
||||
#ifndef _SUDO_SUDO_H
|
||||
@ -53,6 +53,10 @@ struct sudo_user {
|
||||
int ngroups;
|
||||
GETGROUPS_T *groups;
|
||||
struct list_member *env_vars;
|
||||
#ifdef HAVE_SELINUX
|
||||
char *role;
|
||||
char *type;
|
||||
#endif
|
||||
};
|
||||
|
||||
/*
|
||||
@ -149,6 +153,8 @@ struct sudo_user {
|
||||
#define safe_cmnd (sudo_user.cmnd_safe)
|
||||
#define login_class (sudo_user.class_name)
|
||||
#define runas_pw (sudo_user._runas_pw)
|
||||
#define user_role (sudo_user.role)
|
||||
#define user_type (sudo_user.type)
|
||||
|
||||
/*
|
||||
* We used to use the system definition of PASS_MAX or _PASSWD_LEN,
|
||||
@ -262,6 +268,9 @@ char *sudo_getepw __P((const struct passwd *));
|
||||
int pam_prep_user __P((struct passwd *));
|
||||
void zero_bytes __P((volatile VOID *, size_t));
|
||||
int gettime __P((struct timespec *));
|
||||
#ifdef HAVE_SELINUX
|
||||
void selinux_exec __P((char *, char *, char **, char **, int));
|
||||
#endif
|
||||
YY_DECL;
|
||||
|
||||
/* Only provide extern declarations outside of sudo.c. */
|
||||
|
@ -1,4 +1,3 @@
|
||||
=cut
|
||||
Copyright (c) 1994-1996, 1998-2005, 2007
|
||||
Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
|
||||
@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects
|
||||
Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
|
||||
$Sudo: sudo.pod,v 1.70.2.20 2008/01/05 23:59:42 millert Exp $
|
||||
$Sudo: sudo.pod,v 1.70.2.24 2008/02/19 18:22:11 millert Exp $
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
@ -30,11 +29,16 @@ sudo, sudoedit - execute a command as another user
|
||||
|
||||
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-l> | B<-V> | B<-v>
|
||||
|
||||
B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]>
|
||||
S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
|
||||
B<sudo> [B<-bEHPS>]
|
||||
S<[B<-a> I<auth_type>]>
|
||||
S<[B<-c> I<class>|I<->]>
|
||||
S<[B<-p> I<prompt>]>
|
||||
S<[B<-u> I<username>|I<#uid>]>
|
||||
S<[B<VAR>=I<value>]> S<{B<-i> | B<-s> | I<command>}>
|
||||
|
||||
B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
|
||||
B<sudoedit> [B<-S>]
|
||||
S<[B<-a> I<auth_type>]>
|
||||
S<[B<-c> I<class>|I<->]>
|
||||
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
|
||||
file ...
|
||||
|
||||
@ -458,11 +462,15 @@ Default editor to use in B<-e> (sudoedit) mode
|
||||
|
||||
=head1 FILES
|
||||
|
||||
=over 4
|
||||
=over 24
|
||||
|
||||
=item F<@sysconfdir@/sudoers>C< >List of who can run what
|
||||
=item F<@sysconfdir@/sudoers>
|
||||
|
||||
=item F<@timedir@>C< >Directory containing timestamps
|
||||
List of who can run what
|
||||
|
||||
=item F<@timedir@>
|
||||
|
||||
Directory containing timestamps
|
||||
|
||||
=back
|
||||
|
||||
@ -495,8 +503,9 @@ to make the C<cd> and file redirection work.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<grep(1)>, L<su(1)>, L<stat(2)>, L<login_cap(3)>, L<passwd(5)>,
|
||||
L<sudoers(5)>, L<visudo(8)>
|
||||
L<grep(1)>, L<su(1)>, L<stat(2)>,
|
||||
L<login_cap(3)>,
|
||||
L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
|
||||
|
||||
=head1 AUTHORS
|
||||
|
||||
|
@ -62,10 +62,10 @@
|
||||
#include "sudo.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.8 2007/09/03 20:28:31 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.9 2008/06/21 00:47:52 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
|
||||
extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
|
||||
extern char **environ;
|
||||
|
||||
/*
|
||||
@ -231,11 +231,10 @@ int sudo_edit(argc, argv, envp)
|
||||
nargv[ac++] = tf[i++].tfile;
|
||||
nargv[ac] = NULL;
|
||||
|
||||
/* We wait for our own children and can be suspended. */
|
||||
/* Allow the editor to be suspended. */
|
||||
sigemptyset(&sa.sa_mask);
|
||||
sa.sa_flags = SA_RESTART;
|
||||
sa.sa_handler = SIG_DFL;
|
||||
(void) sigaction(SIGCHLD, &sa, NULL);
|
||||
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
|
||||
|
||||
/*
|
||||
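Review bot: With the `(void) sigaction(SIGCHLD, &sa, NULL)` reset gone, the editor child inherits whatever SIGCHLD disposition the parent holds at the fork; a handler is reset by execve but SIG_IGN survives it, so if any earlier sudo code ignores SIGCHLD (not visible in this chunk) the editor could not reliably wait for its own subprocesses and the parent's own wait could fail with ECHILD on platforms that auto-reap ignored children. If the intended invariant is that SIGCHLD is still at its default disposition here, state it in the new comment, e.g. `/* Allow the editor to be suspended; SIGCHLD is left at its default disposition. */`; otherwise keep the explicit SIG_DFL reset. sudo_edit continues beyond this hunk.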
@ -251,7 +250,6 @@ int sudo_edit(argc, argv, envp)
|
||||
/* child */
|
||||
(void) sigaction(SIGINT, &saved_sa_int, NULL);
|
||||
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
|
||||
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
|
||||
set_perms(PERM_FULL_USER);
|
||||
endpwent();
|
||||
endgrent();
|
||||
|
@ -1,4 +1,3 @@
|
||||
=cut
|
||||
Copyright (c) 1994-1996, 1998-2005, 2007
|
||||
Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
|
||||
@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects
|
||||
Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
|
||||
$Sudo: sudoers.pod,v 1.95.2.23 2008/01/05 23:59:42 millert Exp $
|
||||
$Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
@ -299,7 +298,7 @@ For example:
|
||||
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
|
||||
|
||||
would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
|
||||
F</usr/bin/lprm> as root on the machine rushmore as B<root> without
|
||||
F</usr/bin/lprm> as B<root> on the machine rushmore without
|
||||
authenticating himself. If we only want B<ray> to be able to
|
||||
run F</bin/kill> without a password the entry would be:
|
||||
|
||||
@ -500,14 +499,14 @@ of B<sudo>).
|
||||
|
||||
=item ignore_local_sudoers
|
||||
|
||||
If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
|
||||
If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
|
||||
This is intended for Enterprises that wish to prevent the usage of local
|
||||
sudoers files so that only LDAP is used. This thwarts the efforts of
|
||||
rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
|
||||
When this option is present, @sysconfdir@/sudoers does not even need to exist.
|
||||
Since this option tells B<sudo> how to behave when no specific LDAP entries
|
||||
have been matched, this sudoOption is only meaningful for the cn=defaults
|
||||
section. This flag is I<off> by default.
|
||||
rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
|
||||
When this option is present, F<@sysconfdir@/sudoers> does not even need to
|
||||
exist. Since this option tells B<sudo> how to behave when no specific LDAP
|
||||
entries have been matched, this sudoOption is only meaningful for the
|
||||
C<cn=defaults> section. This flag is I<off> by default.
|
||||
|
||||
=item insults
|
||||
|
||||
@ -1021,15 +1020,18 @@ B<notice>, and B<warning>.
|
||||
|
||||
=head1 FILES
|
||||
|
||||
=over 4
|
||||
=over 24
|
||||
|
||||
=item F<@sysconfdir@/sudoers>
|
||||
|
||||
=item F<@sysconfdir@/sudoers>C< >
|
||||
List of who can run what
|
||||
|
||||
=item F</etc/group>C< >
|
||||
=item F</etc/group>
|
||||
|
||||
Local groups file
|
||||
|
||||
=item F</etc/netgroup>C< >
|
||||
=item F</etc/netgroup>
|
||||
|
||||
List of network groups
|
||||
|
||||
=back
|
||||
|
@ -75,7 +75,7 @@
|
||||
#endif /* HAVE_FNMATCH */
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.6 2007/10/24 16:43:27 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.7 2008/02/09 14:44:49 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
|
||||
@ -542,6 +542,10 @@ main(argc, argv)
|
||||
(void) printf("no_passwd : %d\n", no_passwd);
|
||||
(void) printf("runas_match: %d\n", runas_matches);
|
||||
(void) printf("runas : %s\n", *user_runas);
|
||||
if (match[top-1].role)
|
||||
(void) printf("role : %s\n", match[top-1].role);
|
||||
if (match[top-1].type)
|
||||
(void) printf("type : %s\n", match[top-1].type);
|
||||
top--;
|
||||
}
|
||||
}
|
||||
|
@ -70,7 +70,7 @@
|
||||
#include "sudo.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.7 2008/06/21 00:27:01 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
#ifndef TCSASOFT
|
||||
@ -88,14 +88,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 1
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* QNX 6 (at least) has issues with TCSAFLUSH.
|
||||
*/
|
||||
#ifdef __QNX__
|
||||
#undef TCSAFLUSH
|
||||
#define TCSAFLUSH TCSADRAIN
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Compat macros for non-termios systems.
|
||||
*/
|
||||
|
@ -17,12 +17,12 @@
|
||||
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
*
|
||||
* $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $
|
||||
* $Sudo: version.h,v 1.66.2.20 2008/06/22 20:29:03 millert Exp $
|
||||
*/
|
||||
|
||||
#ifndef _SUDO_VERSION_H
|
||||
#define _SUDO_VERSION_H
|
||||
|
||||
static const char version[] = "1.6.9p12";
|
||||
static const char version[] = "1.6.9p17";
|
||||
|
||||
#endif /* _SUDO_VERSION_H */
|
||||
|
@ -78,7 +78,7 @@
|
||||
#include "version.h"
|
||||
|
||||
#ifndef lint
|
||||
__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.10 2007/09/01 13:39:13 millert Exp $";
|
||||
__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.11 2008/06/21 00:47:52 millert Exp $";
|
||||
#endif /* lint */
|
||||
|
||||
struct sudoersfile {
|
||||
@ -590,12 +590,7 @@ run_command(path, argv)
|
||||
char **argv;
|
||||
{
|
||||
int status;
|
||||
pid_t pid;
|
||||
sigset_t set, oset;
|
||||
|
||||
(void) sigemptyset(&set);
|
||||
(void) sigaddset(&set, SIGCHLD);
|
||||
(void) sigprocmask(SIG_BLOCK, &set, &oset);
|
||||
pid_t pid, rv;
|
||||
|
||||
switch (pid = fork()) {
|
||||
case -1:
|
||||
@ -603,7 +598,6 @@ run_command(path, argv)
|
||||
Exit(-1);
|
||||
break; /* NOTREACHED */
|
||||
case 0:
|
||||
(void) sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
endpwent();
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
execv(path, argv);
|
||||
@ -612,15 +606,15 @@ run_command(path, argv)
|
||||
break; /* NOTREACHED */
|
||||
}
|
||||
|
||||
do {
|
||||
#ifdef sudo_waitpid
|
||||
pid = sudo_waitpid(pid, &status, 0);
|
||||
rv = sudo_waitpid(pid, &status, 0);
|
||||
#else
|
||||
pid = wait(&status);
|
||||
rv = wait(&status);
|
||||
#endif
|
||||
} while (rv == -1 && errno == EINTR);
|
||||
|
||||
(void) sigprocmask(SIG_SETMASK, &oset, NULL);
|
||||
|
||||
if (pid == -1 || !WIFEXITED(status))
|
||||
if (rv == -1 || !WIFEXITED(status))
|
||||
return(-1);
|
||||
return(WEXITSTATUS(status));
|
||||
}
|
||||
|
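Review bot: In the `#else` branch `wait()` reaps any child, so `rv` can be the pid of some other process and the loop then returns that process's exit status as the editor's; the retry condition should also cover a pid mismatch, `} while ((rv == -1 && errno == EINTR) || (rv != -1 && rv != pid));`. The `sudo_waitpid` branch pins the pid, so only builds without it are affected, and if visudo never has more than one child outstanding the window is narrow, but the check is cheap. The new `errno` test also assumes `<errno.h>` is already included by visudo.c, which this hunk does not show. run_command begins in an earlier hunk.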
@ -1,4 +1,3 @@
|
||||
=cut
|
||||
Copyright (c) 1996,1998-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
|
||||
Permission to use, copy, modify, and distribute this software for any
|
||||
@ -18,7 +17,7 @@ Sponsored in part by the Defense Advanced Research Projects
|
||||
Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
|
||||
$Sudo: visudo.pod,v 1.38.2.9 2007/08/13 16:23:31 millert Exp $
|
||||
$Sudo: visudo.pod,v 1.38.2.10 2008/02/19 15:45:12 millert Exp $
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
@ -125,11 +124,15 @@ Used by visudo if VISUAL is not set
|
||||
|
||||
=head1 FILES
|
||||
|
||||
=over 4
|
||||
=over 24
|
||||
|
||||
=item F<@sysconfdir@/sudoers>C< >List of who can run what
|
||||
=item F<@sysconfdir@/sudoers>
|
||||
|
||||
=item F<@sysconfdir@/sudoers.tmp>C< >Lock file for visudo
|
||||
List of who can run what
|
||||
|
||||
=item F<@sysconfdir@/sudoers.tmp>
|
||||
|
||||
Lock file for visudo
|
||||
|
||||
=back
|
||||
|
||||
|