This patch will upgrade Sudo version 1.6.8 to version 1.6.8 patchlevel 12.
To apply:

    $ cd sudo-1.6.8
    $ patch -p1 < sudo-1.6.8p12.patch

diff -urN sudo-1.6.8/CHANGES sudo-1.6.8p12/CHANGES --- sudo-1.6.8/CHANGES Fri Aug 6 19:48:11 2004 +++ sudo-1.6.8p12/CHANGES Tue Nov 8 13:23:45 2005 @@ -1470,7 +1470,7 @@ Sudo 1.6.4p1 released. -460) Some special characters were not being escaped properly (e..g '\,') +460) Some special characters were not being escaped properly (e.g. '\,') in command line arguments and would cause a syntax error instead. 461) "sudo -l" would not work if the always_set_home option was set. @@ -1672,7 +1672,7 @@ 524) Merged in LDAP support from Aaron Spangler. 525) Added the --with-pc-insults configure to replace politically - incorrect insults with other ones. + incorrect insults with ones from Alek O. Komarnitsky. 526) Added start_tls support from Gudleik Rasch . 
@@ -1711,3 +1711,100 @@ 539) Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via -u. + +Sudo 1.6.8 released. + +540) Now find the command base and fill in struct stat earlier. + +541) sudoedit now re-opens the temp file as the invoking user. + +542) struct timespec is used throughout the code base. + +543) Added --with-ldap-conf-file option to override /etc/ldap.conf + +544) Added SSL tls_* certificate checking options when using LDAP. + +545) Sudoedit will now only attempt to edit regular files or links. + +546) Sudo now uses futime() or futimes() where possible. + +547) Updated sample.pam to a current version. + +548) Better detection of unchanged files in sudoedit. + +Sudo 1.6.8p1 released. + +549) Bash exported functions are now stripped from the environment passed + to the program to be executed. + +Sudo 1.6.8p2 released. + +550) The CDPATH variable is now stripped from the environment passed + to the program to be executed. + +551) Fix temp file generation on systems where the _PATH_VARTMP macro + lacks a trailing slash. + +Sudo 1.6.8p3 released. + +552) The KRB5CCNAME environment variable is preserved during sudo + execution for password lookups that use GSSAPI. + +Sudo 1.6.8p4 released. + +553) Added a configure check for systems with a 2-argument version of + timespecsub (like BSD/OS). + +554) Added stub struct defintions to sudo.h to quiet compiler warnings + on some systems. + +555) In sudoers Defaults lines, tuples like "lecture" may now be used + without a value, restoring their old boolean-like nature. + +556) Invalid values for a tuple are now handled correctly. + +Sudo 1.6.8p5 released. + +557) Added a set of missing braces needed for MacOS X / Darwin. + +558) Define LDAP_OPT_SUCCESS for those without it. + +Sudo 1.6.8p6 released. + +559) Warn if the user tries to use the -u option when not running a command. + +560) Better PAM error handling and messages. 
+ +561) Fixed setting of $USER when env_reset is enabled. + +Sudo 1.6.8p7 released. + +562) Fixed noexec functionality on Linux. + +563) Fixed minor format string mismatches in some error cases. + +564) Fixed a bug that prevented Heimdal authentication from working. + +Sudo 1.6.8p8 released. + +565) Updated config.guess and config.sub entries for OpenBSD. + +566) A sudoers entry with sudo ALL no longer overwrites the value of + safe_cmnd. + +Sudo 1.6.8p9 released. + +567) Added PS4 and SHELLOPTS to the list of variables to remove from + the environment. + +Sudo 1.6.8p10 released. + +567) Added JAVA_TOOL_OPTIONS to the list of variables to remove from + the environment. + +Sudo 1.6.8p11 released. + +567) Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to + remove from the environment. + +Sudo 1.6.8p12 released. diff -urN sudo-1.6.8/INSTALL sudo-1.6.8p12/INSTALL --- sudo-1.6.8/INSTALL Thu Aug 5 20:40:58 2004 +++ sudo-1.6.8p12/INSTALL Tue Sep 14 20:21:59 2004 @@ -180,6 +180,10 @@ containing the LDAP include and lib directories. Please see README.LDAP for more information. + --with-ldap-conf-file + Path to LDAP configuration file. If specified, sudo reads + this file instead of /etc/ldap.conf to locate the LDAP server. + --with-authenticate Enable support for the AIX 4.x general authentication function. This will use the authentication scheme specified for the user 
@@ -187,16 +191,18 @@ --with-pam Enable PAM support. Tested on: - Redhat Linux 5.x, 6.0, and 6.1 - Solaris 2.6 and 7 - HP-UX 11.0 - NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file. - You may either use the sample.pam file included with sudo or use - /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems - you should check (and understand) the contents of /etc/pam.conf. - Do a "man pam.conf" for more information and consider using the - "debug" option, if available, with your PAM libraries in - /etc/pam.conf to obtain syslog output for debugging purposes. + Redhat Linux >= 5.x + Solaris >= 2.6 + HP-UX >= 11.0 + NOTE: on RedHat Linux and Fedora you *must* have an /etc/pam.d/sudo + file install. You may either use the sample.pam file included with + sudo or use /etc/pam.d/su as a reference. The sample.pam file + included with sudo may or may not work with other Linux distributions. + On Solaris and HP-UX 11 systems you should check (and understand) + the contents of /etc/pam.conf. Do a "man pam.conf" for more + information and consider using the "debug" option, if available, + with your PAM libraries in /etc/pam.conf to obtain syslog output + for debugging purposes. --with-AFS Enable AFS support with Kerberos authentication. Should work under 
@@ -225,6 +231,17 @@ only the newer BSD authentication API is supported. If you don't have /usr/include/bsd_auth.h then you cannot use this. + --with-noexec[=PATH] + Enable support for the "noexec" functionality which prevents + a dynamically-linked program being run by sudo from executing + another program (think shell escapes). Please see the + "PREVENTING SHELL ESCAPES" section in the sudoers man page + for details. If specified, PATH should be a fully qualified + pathname, e.g. /usr/local/libexec/sudo_noexec.so. If PATH + is "no", noexec support will not be compiled in. The default + is to compile noexec support if libtool supports building + shared objects on your OS. + --disable-root-mailer By default sudo will run the mailer as root when tattling on a user so as to prevent that user from killing the mailer. 
@@ -482,20 +499,20 @@ Don't print the lecture the first time a user runs sudo. --with-editor=PATH - Specify the default editor path for use by visudo. This may be - a single pathname or a colon-separated list of editors. In - the latter case, visudo will choose the editor that matches - the user's USER environment variable or the first editor in - the list that exists. The default is the path to vi on your system. + Specify the default editor path for use by visudo. This may be a + single pathname or a colon-separated list of editors. In the latter + case, visudo will choose the editor that matches the user's VISUAL + or EDITOR environment variables or the first editor in the list that + exists. The default is the path to vi on your system. --with-env-editor - Makes visudo consult the EDITOR and VISUAL environment variables before + Makes visudo consult the VISUAL and EDITOR environment variables before falling back on the default editor list (as specified by --with-editor). Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative - is to use a colon-separated list of editors with the --with-env-editor - option. visudo will then only use the EDITOR or VISUAL if they match - a value specified via --with-editor. + is to use a colon-separated list of editors with the --with-editor + option. visudo will then only use the VISUAL or EDITOR variables + if they match a value specified via --with-editor. --disable-authentication By default, sudo requires the user to authenticate via a 
@@ -671,3 +688,10 @@ on Dynix, try using the native compiler (cc). You can do so by removing the config.cache file and then re-running configure with the --with-CC=cc option. + +HP-UX: + The default C compiler shipped with HP-UX does not support creating + position independent code and so is unable to support sudo's "noexec" + functionality. You must use either the HP ANSI C compiler or gcc for + noexec to work. Binary packages of gcc are available from + http://hpux.connect.org.uk/ and http://hpux.cs.utah.edu/. diff -urN sudo-1.6.8/LICENSE sudo-1.6.8p12/LICENSE --- sudo-1.6.8/LICENSE Thu Jun 10 23:11:13 2004 +++ sudo-1.6.8p12/LICENSE Sat Feb 5 16:30:40 2005 @@ -1,6 +1,6 @@ Sudo is distributed under the following ISC-style license: - Copyright (c) 1994-1996,1998-2004 Todd C. Miller + Copyright (c) 1994-1996,1998-2005 Todd C. Miller Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above diff -urN sudo-1.6.8/Makefile.in sudo-1.6.8p12/Makefile.in --- sudo-1.6.8/Makefile.in Fri May 28 16:27:59 2004 +++ sudo-1.6.8p12/Makefile.in Tue Nov 8 13:21:58 2005 @@ -20,7 +20,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246 2004/05/20 01:25:50 aaron Exp $ +# $Sudo: Makefile.in,v 1.253 2004/09/15 20:11:22 millert Exp $ # #### Start of system configuration section. #### 
@@ -100,11 +100,11 @@ SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c err.c \ fileops.c find_path.c fnmatch.c getcwd.c getprogname.c getspwuid.c \ - goodpath.c interfaces.c ldap.c lex.yy.c lsearch.c logging.c parse.c \ - parse.lex parse.yacc set_perms.c sigaction.c snprintf.c strcasecmp.c \ - strerror.c strlcat.c strlcpy.c sudo.c sudo_noexec.c sudo.tab.c \ - sudo_edit.c testsudoers.c tgetpass.c utime.c visudo.c zero_bytes.c \ - $(AUTH_SRCS) + gettime.c goodpath.c interfaces.c ldap.c lex.yy.c lsearch.c logging.c \ + parse.c parse.lex parse.yacc set_perms.c sigaction.c snprintf.c \ + strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c sudo_noexec.c \ + sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c utimes.c visudo.c \ + zero_bytes.c $(AUTH_SRCS) AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \ @@ -120,17 +120,17 @@ PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o -SUDOBJS = check.o env.o getspwuid.o goodpath.o fileops.o find_path.o \ +SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) -VISUDOBJS = visudo.o fileops.o goodpath.o find_path.o $(PARSEOBJS) +VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS) TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS) LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.8 +VERSION = 1.6.8p12 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP RUNSON TODO \ 
@@ -147,7 +147,7 @@ sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \ sudoers.pod visudo visudo.cat visudo.man visudo.pod -BINSPECIAL= INSTALL.binary Makefile.binary +BINSPECIAL= INSTALL.binary Makefile.binary libtool SUDODEP = $(srcdir)/sudo.h $(srcdir)/compat.h $(srcdir)/defaults.h \ $(srcdir)/logging.h config.h def_data.h pathnames.h @@ -302,13 +302,17 @@ install-binaries: $(PROGS) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo - ln -f $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit + rm -f $(DESTDIR)$(sudodir)/sudoedit + ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo install-noexec: sudo_noexec.la $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir) +bininst-noexec: sudo_noexec.la + $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir) + install-sudoers: test -f $(DESTDIR)$(sudoersdir)/sudoers || \ $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \ @@ -316,6 +320,8 @@ install-man: $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) + @rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) + ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) @MAN_POSTINSTALL@ 
@@ -356,10 +362,11 @@ ls -l ../sudo-$(VERSION).tar.gz bindist: - @mkdir tmp.`arch -l` - @mkdir tmp.`arch -l`/sudo-$(VERSION) ( \ - tdir=tmp.`arch -l`/sudo-$(VERSION) ; \ + ARCH=`uname -m|sed 's:/:_:g'`+`uname -sr|sed 's/ /_/g'` ; \ + mkdir tmp.$$ARCH ; \ + tdir=tmp.$$ARCH/sudo-$(VERSION) ; \ + mkdir $$tdir ; \ for i in $(BINFILES) ; do \ if [ -f $$i ]; then \ cp $$i $$tdir ; \ @@ -370,13 +377,17 @@ exit 1 ; \ fi ; \ done ; \ + if [ -f sudo_noexec.la ]; then \ + cp libtool $$tdir ; \ + $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la `pwd`/$$tdir ; \ + ln $$tdir/sudo_noexec.la $$tdir/sudo_noexec.lai ; \ + ln -s . $$tdir/.libs ; \ + fi ; \ cp $(srcdir)/INSTALL.binary $$tdir/INSTALL ; \ - sed -e 's/@_MANTYPE@/$(mantype)/g' -e 's/@_mansectsu@/$(mansectsu)/g' \ - -e 's/@_mansectform@/$(mansectform)/g' $(srcdir)/Makefile.binary \ - > $$tdir/Makefile ; \ - ) - strip sudo - strip visudo - ( cd tmp.`arch -l` && tar Ocf ../sudo-$(VERSION)-`arch -l`.tar sudo-$(VERSION) ) - gzip --best sudo-$(VERSION)-`arch -l`.tar - rm -rf tmp.`arch -l` + sh ./config.status --file=Makefile.binary && cp Makefile.binary $$tdir/Makefile ; \ + strip sudo ; \ + strip visudo ; \ + cd tmp.$$ARCH && tar Ocf ../sudo-$(VERSION)-$$ARCH.tar sudo-$(VERSION) && cd .. ; \ + gzip --best sudo-$(VERSION)-$$ARCH.tar ; \ + rm -rf tmp.$$ARCH ; \ + ) diff -urN sudo-1.6.8/README.LDAP sudo-1.6.8p12/README.LDAP --- sudo-1.6.8/README.LDAP Wed Aug 11 14:29:48 2004 +++ sudo-1.6.8p12/README.LDAP Thu Sep 2 21:56:45 2004 @@ -242,7 +242,12 @@ # Either specify a uri or host & port #host ldapserver #port 389 + # + # URI will override host & port settings + # but only works with LDAP SDK's that support + # ldap_initialize() such as OpenLDAP uri ldap://ldapserver + #uri ldaps://secureldapserver # # must be set or sudo will ignore LDAP sudoers_base ou=SUDOers,dc=example,dc=com 
@@ -256,6 +261,43 @@ # # LDAP Protocol Version defaults to 3 #ldap_version 3 + # + # Define if you want to use port 389 and switch to + # encryption before the bind credentials are sent + #ssl start_tls + # + # Additional TLS options follow that allow tweaking + # of the SSL/TLS connection + # + #tls_checkpeer yes # verify server SSL certificate + #tls_checkpeer no # ignore server SSL certificate + # + # If you enable tls_checkpeer, specify either tls_cacertfile + # or tls_cacertdir. + # + #tls_cacertfile /etc/certs/trusted_signers.pem + #tls_cacertdir /etc/certs + # + # For systems that don't have /dev/random + # use this along with PRNGD or EGD.pl to seed the + # random number pool to generate cryptographic session keys. + # + #tls_randfile /etc/egd-pool + # + # You may restrict which ciphers are used. Consult your SSL + # documentation for which options go here. + # + #tls_ciphers + # + # Sudo can provide a client certificate when communicating to + # the LDAP server. + # Tips: + # * Enable both lines at the same time. + # * Do not password protect the key file. + # * Ensure the keyfile is only readable by root. + # + #tls_cert /etc/certs/client_cert.pem + #tls_key /etc/certs/client_key.pem # Debugging your LDAP configuration diff -urN sudo-1.6.8/RUNSON sudo-1.6.8p12/RUNSON --- sudo-1.6.8/RUNSON Tue Aug 17 16:20:14 2004 +++ sudo-1.6.8p12/RUNSON Tue Sep 14 15:09:00 2004 
@@ -9,10 +9,10 @@ Name Rev Arch Used Version By Options ======= ======= ======= =============== ======= =============== =============== Auspex 1.6.1 sun4 bundled cc 1.3.4 Alek Komarnitsky none -SunOS 4.1.3 sun4 bundled cc 1.6.8 Todd Miller none -SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.8 Todd Miller none +SunOS 4.1.3 sun4 bundled cc 1.6.8p1 Todd Miller none +SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.8p1 Todd Miller none SunOS 4.1.3 sun4 gcc2.7.2.1 1.5.3 Todd Miller --with-kerb4 -SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.8 Todd Miller --with-skey +SunOS 4.1.3 sun4 gcc2.9.5.2 1.6.8p1 Todd Miller --with-skey Solaris 2.5.1 sparc SC4.0 1.5.6p1 Brian Jackson none Solaris 2.5.1 sun4u gcc2.7.2.3 1.5.4 Leon von Stauber none Solaris 2.5.1 i386 gcc2.7.2 1.5.4 Leon von Stauber none @@ -29,10 +29,11 @@ Solaris 7 sun4u Workshop 6.2 1.6.3p7 Donna Dickerson none Solaris 7 sparc gcc2.95.2 1.6.6 Todd Miller --with-skey Solaris 2.6 sun4u egcs 1.1.2 1.5.9p4 Scott Kinnane none -Solaris 8 sun4u gcc2.95.2 1.6.8 Todd Miller --with-skey -Solaris 8 sun4u SC4.2 1.6.8 Todd Miller none +Solaris 8 sun4u gcc2.95.2 1.6.8p1 Todd Miller --with-pam +Solaris 8 sun4u SC4.2 1.6.8p1 Todd Miller --with-pam Solaris 8 sun4u Workshop 6.2 1.6.3p7 Donna Dickerson none Solaris 8 sun4u gcc2.95.3 1.6.6 Banu Yobas none +Solaris 9 sun4u gcc3.3.2 1.6.8p1 Todd Miller --with-pam ISC 4.0 i386 bundled cc 1.4 Andy Smith none ISC 4.0 i386 gcc2.7.0 1.4 Andy Smith none ISC 4.1 i386 bundled cc 1.4 Andy Smith none 
@@ -44,18 +45,16 @@ HP-UX 9.05 hp700 gcc2.7.2.1 1.5.3 Todd Miller --with-kerb4 HP-UX 9.07 hp700 unbundled cc 1.5 Alek Komarnitsky --with-C2 HP-UX 9.05 hp700 unbundled cc 1.4 Todd Miller none -HP-UX 10.10 hp700 unbundled cc 1.6.7 Todd Miller --with-skey -HP-UX 10.20 hp700 gcc2.9.5.2 1.6.7 Todd Miller --with-skey -HP-UX 10.20 hp700 bundled cc 1.6.7 Todd Miller none +HP-UX 10.20 hp700 gcc3.3.4 1.6.8p1 Todd Miller none +HP-UX 10.20 hp700 bundled cc 1.6.8p1 Todd Miller none +HP-UX 10.20 hp700 unbundled cc 1.6.8p1 Todd Miller none HP-UX 10.20 hp700 gcc 2.95.2 1.6.2 Jeff Earickson --with-DCE -HP-UX 11.00 hp700 ansi-c 1.5.5b1 Alek Komarnitsky --with-C2 -HP-UX 11.00 hp700 bundled cc 1.6.8 Todd Miller none -HP-UX 11.00 hp700 bundled cc 1.6.8 Todd Miller --with-pam -HP-UX 11.00 hp700 gcc 3.2 1.6.8 Todd Miller none -HP-UX 11.00 hp700 gcc 3.2 1.6.8 Todd Miller --with-pam -HP-UX 11.11 hp700 gcc 3.3.2 1.6.8 Todd Miller --with-pam -HP-UX 11.11 hp700 unbundled cc 1.6.8 Todd Miller --with-pam -HP-UX 11.11 hp800 HP C compiler 1.6.5p2 Bill Marmagas --with-pam +HP-UX 11.00 hp700 bundled cc 1.6.8p1 Todd Miller none +HP-UX 11.00 hp700 bundled cc 1.6.8p1 Todd Miller --with-pam +HP-UX 11.00 hp700 gcc 3.2 1.6.8p1 Todd Miller none +HP-UX 11.00 hp700 gcc 3.2 1.6.8p1 Todd Miller --with-pam +HP-UX 11.11 hp700 gcc 3.3.2 1.6.8p1 Todd Miller --with-pam +HP-UX 11.11 hp700 unbundled cc 1.6.8p1 Todd Miller --with-pam Ultrix 4.3 mips bundled cc 1.6.3b2 Todd Miller none Ultrix 4.3 mips gcc2.7.2.1 1.5.9 Todd Miller --with-skey IRIX 4.05H mips gcc2.6.3 1.5.3 Todd Miller none 
@@ -85,8 +84,8 @@ NEXTSTEP 3.3 i386 bundled cc 1.4 Jonathan Adams none NEXTSTEP 3.3 sparc bundled cc 1.5.3 Mike Kienenberger none DEC UNIX 3.2c alpha bundled cc 1.5.3 Todd Miller none -DEC UNIX 4.0D alpha bundled cc 1.6.8 Todd Miller none -DEC UNIX 4.0D alpha gcc-2.95.2 1.6.8 Todd Miller none +DEC UNIX 4.0D alpha bundled cc 1.6.8p1 Todd Miller none +DEC UNIX 4.0D alpha gcc-2.95.2 1.6.8p1 Todd Miller none DEC UNIX 4.0 alpha gcc-2.7.2.1 1.5.3 Todd Miller --with-kerb4 DEC UNIX 4.0D alpha bundled cc 1.5.3 Randall R. Cable --with-C2 DEC UNIX 4.0E alpha bundled cc 1.5.9p2 Vangelis Haniotakis none @@ -107,8 +106,8 @@ ConvexOS 9.1 convex bundled cc 1.3.6 Todd Miller none ConvexOS 9.1 convex gcc2.4.5 1.3.6 Todd Miller none BSD/OS 4.1 i386 cc 1.6.3 Todd Miller --with-skey -OpenBSD 3.X all gcc-2.95.3 1.6.8 Todd Miller none -OpenBSD 3.X all gcc-3.3.2 1.6.8 Todd Miller --with-bsdauth +OpenBSD 3.X all gcc-2.95.3 1.6.8p1 Todd Miller none +OpenBSD 3.X all gcc-3.3.2 1.6.8p1 Todd Miller --with-bsdauth FreeBSD 1.1 i386 gcc 1.3.2 Dworkin Muller none FreeBSD 2.0.5 i386 gcc 1.3.4 Dworkin Muller none FreeBSD 3.2 i386 gcc 2.7.2.1 1.6 Brian Jackson none @@ -125,7 +124,7 @@ Linux 2.2.6-15 ppc egcs-1.1.2 1.5.9p4 Barbara Schelkle none Linux 2.4.18 i686 gcc-3.2 1.6.7 Todd Miller --with-pam Linux 2.4.20 i686 gcc-3.2.1 1.6.6 Vasily Korytov none -Linux 2.4.20 i686 gcc-3.2.2 1.6.8 Todd Miller --with-pam +Linux 2.4.20 i686 gcc-3.2.2 1.6.8p1 Todd Miller --with-pam Linux 2.4.20 ppc gcc-3.2.3 1.6.7p5 Nicolas Kaiser --with-pam UnixWare 1.1.4 i386 gcc-2.7.2 1.4 Michael Hancock none UnixWare 7.1.1 i686 cc 1.6.5p1 Mike Petkau none diff -urN sudo-1.6.8/TODO sudo-1.6.8p12/TODO --- sudo-1.6.8/TODO Tue Aug 17 15:11:20 2004 +++ sudo-1.6.8p12/TODO Thu Oct 27 20:49:43 2005 
@@ -127,17 +127,17 @@ line and that have a constant record length (sparse files) for easy seeking. -46) Move cmnd_base setting and stashing of stat info from parse.c to sudo.c - -47) Investigate using glob(3) instead of fnmatch(3) for path matching. That +46) Investigate using glob(3) instead of fnmatch(3) for path matching. That way we can stat each potential match like we normally would. Patterns ending in '/*' can be replaced with '/basename' as an optimization. -48) Some way of using a new pty for the program run via sudo would prevent +47) Some way of using a new pty for the program run via sudo would prevent access to the caller's /dev/tty (but probably makes job control tricky). -49) Maybe have a database of checksums that commands are verified against. +48) Maybe have a database of checksums that commands are verified against. Basically replace the st_ino/st_dev check with a checksum lookup. -50) Look into testing writability of a file via sudoedit *before* doing +49) Look into testing writability of a file via sudoedit *before* doing the edit; e.g., try opening with O_APPEND. + +50) Add Makefile.in bits to autogenerate Solaris and HP-UX packages diff -urN sudo-1.6.8/TROUBLESHOOTING sudo-1.6.8p12/TROUBLESHOOTING --- sudo-1.6.8/TROUBLESHOOTING Mon May 17 18:20:51 2004 +++ sudo-1.6.8p12/TROUBLESHOOTING Sat Feb 5 13:13:56 2005 
@@ -25,9 +25,19 @@ option and rebuild sudo. Q) Sudo never gives me a chance to enter a password using PAM, it just - says 'Sorry, try again.' three times and quits. -A) You didn't setup PAM to work with sudo. On Linux this generally - means installing sample.pam as /etc/pam.d/sudo. + says 'Sorry, try again.' three times and exits. +A) You didn't setup PAM to work with sudo. On Redhat Linux or Fedora + Core this generally means installing sample.pam as /etc/pam.d/sudo. + See the sample.pam file for hints on what to use for other Linux + systems. + +Q) Sudo says 'Account expired or PAM config lacks an "account" + section for sudo, contact your system administrator' and exits + but I know my account has not expired. +A) Your PAM config lacks an "account" specification. On Linux this + usually means you are missing a line like: + account required pam_unix.so + in /etc/pam.d/sudo. Q) Sudo is setup to log via syslog(3) but I'm not getting any log messages. diff -urN sudo-1.6.8/aclocal.m4 sudo-1.6.8p12/aclocal.m4 --- sudo-1.6.8/aclocal.m4 Mon May 17 16:18:36 2004 +++ sudo-1.6.8p12/aclocal.m4 Tue Sep 7 13:14:51 2004 
@@ -211,30 +211,6 @@ [SUDO_CHECK_TYPE(ino_t, unsigned int)]) dnl -dnl check for POSIX utime() using struct utimbuf -dnl -AC_DEFUN(SUDO_FUNC_UTIME_POSIX, -[AC_MSG_CHECKING(for POSIX utime) -AC_CACHE_VAL(sudo_cv_func_utime_posix, -[rm -f conftestdata; > conftestdata -AC_TRY_RUN([#include -#include -#include -main() { -struct utimbuf ut; -ut.actime = ut.modtime = time(0); -utime("conftestdata", &ut); -exit(0); -}], sudo_cv_func_utime_posix=yes, sudo_cv_func_utime_posix=no, - sudo_cv_func_utime_posix=no) -rm -f core core.* *.core])dnl -AC_MSG_RESULT($sudo_cv_func_utime_posix) -if test $sudo_cv_func_utime_posix = yes; then - AC_DEFINE(HAVE_UTIME_POSIX, 1, [Define if you have a POSIX utime() (uses struct utimbuf).]) -fi -]) - -dnl dnl check for working fnmatch(3) dnl AC_DEFUN(SUDO_FUNC_FNMATCH, diff -urN sudo-1.6.8/auth/kerb5.c sudo-1.6.8p12/auth/kerb5.c --- sudo-1.6.8/auth/kerb5.c Sun Jun 6 20:02:56 2004 +++ sudo-1.6.8p12/auth/kerb5.c Tue Mar 29 23:38:36 2005 @@ -55,7 +55,7 @@ #endif /* lint */ #ifdef HAVE_HEIMDAL -# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 0) +# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) # define krb5_free_data_contents(c, d) krb5_data_free(d) # define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */ #else diff -urN sudo-1.6.8/auth/pam.c sudo-1.6.8p12/auth/pam.c --- sudo-1.6.8/auth/pam.c Mon Jun 28 10:51:50 2004 +++ sudo-1.6.8p12/auth/pam.c Sat Feb 5 13:03:15 2005 @@ -91,8 +91,7 @@ pam_conv.conv = sudo_conv; pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); if (pam_status != PAM_SUCCESS) { - log_error(USE_ERRNO|NO_EXIT|NO_MAIL, - "unable to initialize PAM"); + log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); return(AUTH_FATAL); } if (strcmp(user_tty, "unknown")) 
@@ -125,25 +124,30 @@ *pam_status); return(AUTH_FAILURE); case PAM_NEW_AUTHTOK_REQD: - log_error(NO_EXIT|NO_MAIL, "%s, %s" + log_error(NO_EXIT|NO_MAIL, "%s, %s", "Account or password is expired", "reset your password and try again"); - *pam_status = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + *pam_status = pam_chauthtok(pamh, + PAM_CHANGE_EXPIRED_AUTHTOK); if (*pam_status == PAM_SUCCESS) return(AUTH_SUCCESS); if ((s = pam_strerror(pamh, *pam_status))) - log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s",s); + log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s", s); return(AUTH_FAILURE); + case PAM_AUTHTOK_EXPIRED: + log_error(NO_EXIT|NO_MAIL, + "Password expired, contact your system administrator"); + return(AUTH_FATAL); case PAM_ACCT_EXPIRED: - log_error(NO_EXIT|NO_MAIL, "%s, %s" - "Account or password is expired", - "contact your system administrator"); - /* FALLTHROUGH */ - default: - return(AUTH_FAILURE); + log_error(NO_EXIT|NO_MAIL, "%s %s", + "Account expired or PAM config lacks an \"account\"", + "section for sudo, contact your system administrator"); + return(AUTH_FATAL); } + /* FALLTHROUGH */ case PAM_AUTH_ERR: case PAM_MAXTRIES: + case PAM_PERM_DENIED: return(AUTH_FAILURE); default: if ((s = pam_strerror(pamh, *pam_status))) diff -urN sudo-1.6.8/check.c sudo-1.6.8p12/check.c --- sudo-1.6.8/check.c Thu Jun 10 16:19:38 2004 +++ sudo-1.6.8p12/check.c Thu Mar 24 20:55:31 2005 @@ -60,7 +60,7 @@ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: check.c,v 1.223 2004/06/10 20:19:38 millert Exp $"; +static const char rcsid[] = "$Sudo: check.c,v 1.226 2004/09/08 15:48:23 millert Exp $"; #endif /* lint */ /* Status codes for timestamp_status() */ 
@@ -149,10 +149,9 @@ char *timestampdir; char *timestampfile; { - if (timestamp_uid != 0) set_perms(PERM_TIMESTAMP); - if (touch(timestampfile ? timestampfile : timestampdir, time(NULL)) == -1) { + if (touch(-1, timestampfile ? timestampfile : timestampdir, NULL) == -1) { if (timestampfile) { int fd = open(timestampfile, O_WRONLY|O_CREAT|O_TRUNC, 0600); @@ -317,7 +316,7 @@ dirparent = def_timestampdir; len = easprintf(timestampdir, "%s/%s", dirparent, user_name); if (len >= PATH_MAX) - log_error(0, "timestamp path too long: %s", timestampdir); + log_error(0, "timestamp path too long: %s", *timestampdir); /* * Timestamp file may be a file in the directory or NUL to use @@ -336,12 +335,12 @@ else len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p); if (len >= PATH_MAX) - log_error(0, "timestamp path too long: %s", timestampfile); + log_error(0, "timestamp path too long: %s", *timestampfile); } else if (def_targetpw) { len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, *user_runas); if (len >= PATH_MAX) - log_error(0, "timestamp path too long: %s", timestampfile); + log_error(0, "timestamp path too long: %s", *timestampfile); } else *timestampfile = NULL; } @@ -466,7 +465,7 @@ /* If bad uid or file mode, complain and kill the bogus file. */ if (sb.st_uid != timestamp_uid) { log_error(NO_EXIT, - "%s owned by uid %ud, should be uid %lu", + "%s owned by uid %lu, should be uid %lu", timestampfile, (unsigned long) sb.st_uid, (unsigned long) timestamp_uid); (void) unlink(timestampfile); @@ -497,6 +496,7 @@ if (def_timestamp_timeout < 0 && sb.st_mtime != 0) status = TS_CURRENT; else { + /* XXX - should use timespec here */ now = time(NULL); if (def_timestamp_timeout && now - sb.st_mtime < 60 * def_timestamp_timeout) { 
@@ -531,15 +531,14 @@ remove_timestamp(remove) int remove; { - char *timestampdir; - char *timestampfile; - char *ts; + struct timespec ts; + char *timestampdir, *timestampfile, *path; int status; build_timestamp(×tampdir, ×tampfile); status = timestamp_status(timestampdir, timestampfile, user_name, FALSE); if (status == TS_OLD || status == TS_CURRENT) { - ts = timestampfile ? timestampfile : timestampdir; + path = timestampfile ? timestampfile : timestampdir; if (remove) { if (timestampfile) status = unlink(timestampfile); @@ -547,12 +546,14 @@ status = rmdir(timestampdir); if (status == -1 && errno != ENOENT) { log_error(NO_EXIT, "can't remove %s (%s), will reset to Epoch", - ts, strerror(errno)); + path, strerror(errno)); remove = FALSE; } + } else { + timespecclear(&ts); + if (touch(-1, path, &ts) == -1) + err(1, "can't reset %s to Epoch", path); } - if (!remove && touch(ts, 0) == -1) - err(1, "can't reset %s to Epoch", ts); } free(timestampdir); diff -urN sudo-1.6.8/compat.h sudo-1.6.8p12/compat.h --- sudo-1.6.8/compat.h Sun Jun 6 19:58:10 2004 +++ sudo-1.6.8p12/compat.h Fri Sep 10 12:31:15 2004 @@ -17,7 +17,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: compat.h,v 1.76 2004/06/06 23:58:10 millert Exp $ + * $Sudo: compat.h,v 1.80 2004/09/10 16:31:15 millert Exp $ */ #ifndef _SUDO_COMPAT_H @@ -212,6 +212,14 @@ #endif /* + * Define futimes() in terms of futimesat() if needed. + */ +#if !defined(HAVE_FUTIMES) && defined(HAVE_FUTIMESAT) +# define futimes(_f, _tv) futimesat(_f, NULL, _tv) +# define HAVE_FUTIMES +#endif + +/* * If we lack getprogname(), emulate with __progname if possible. * Otherwise, add a prototype for use with our own getprogname.c. */ 
@@ -223,5 +231,30 @@ const char *getprogname __P((void)); #endif /* HAVE___PROGNAME */ #endif /* !HAVE_GETPROGNAME */ + +#ifndef HAVE_TIMESPEC +struct timespec { + time_t tv_sec; + long tv_nsec; +}; +#endif /* !HAVE_TIMESPEC */ + +#ifndef timespecclear +# define timespecclear(ts) (ts)->tv_sec = (ts)->tv_nsec = 0 +#endif +#ifndef timespecisset +# define timespecisset(ts) ((ts)->tv_sec || (ts)->tv_nsec) +#endif +#ifndef timespecsub +# define timespecsub(minuend, subrahend, difference) \ + do { \ + (difference)->tv_sec = (minuend)->tv_sec - (subrahend)->tv_sec; \ + (difference)->tv_nsec = (minuend)->tv_nsec - (subrahend)->tv_nsec; \ + if ((difference)->tv_nsec < 0) { \ + (difference)->tv_nsec += 1000000000L; \ + (difference)->tv_sec--; \ + } \ + } while (0) +#endif #endif /* _SUDO_COMPAT_H */ diff -urN sudo-1.6.8/config.guess sudo-1.6.8p12/config.guess --- sudo-1.6.8/config.guess Mon Aug 9 19:04:35 2004 +++ sudo-1.6.8p12/config.guess Tue May 31 17:11:19 2005 
@@ -197,35 +197,9 @@ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit 0 ;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - macppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvmeppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mips64-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sun3:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit 0 ;; alpha:OSF1:*:*) if test $UNAME_RELEASE = "V4.0"; then diff -urN sudo-1.6.8/config.h.in sudo-1.6.8p12/config.h.in --- sudo-1.6.8/config.h.in Tue Jun 1 16:43:43 2004 +++ sudo-1.6.8p12/config.h.in Thu Nov 25 12:31:54 2004 @@ -3,11 +3,11 @@ #ifndef _SUDO_CONFIG_H #define _SUDO_CONFIG_H -/* Define if the `syslog' function returns a non-zero int to denote failure. - */ +/* Define to 1 if the `syslog' function returns a non-zero int to denote + failure. */ #undef BROKEN_SYSLOG -/* Define if you want the insults from the "classic" version sudo. */ +/* Define to 1 if you want the insults from the "classic" version sudo. */ #undef CLASSIC_INSULTS /* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP 
@@ -15,35 +15,36 @@ */ #undef CRAY_STACKSEG_END -/* Define if you want insults culled from the twisted minds of CSOps. */ +/* Define to 1 if you want insults culled from the twisted minds of CSOps. */ #undef CSOPS_INSULTS /* Define to 1 if using `alloca.c'. */ #undef C_ALLOCA -/* Define if you want sudo to display "command not allowed" instead of +/* Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found. */ #undef DONT_LEAK_PATH_INFO /* A colon-separated list of pathnames to be used as the editor for visudo. */ #undef EDITOR -/* Define if you want visudo to honor the EDITOR and VISUAL env variables. */ +/* Define to 1 if you want visudo to honor the EDITOR and VISUAL env + variables. */ #undef ENV_EDITOR /* If defined, users in this group need not enter a passwd (ie "sudo"). */ #undef EXEMPTGROUP -/* Define if you want to require fully qualified hosts in sudoers. */ +/* Define to 1 if you want to require fully qualified hosts in sudoers. */ #undef FQDN -/* Define if you want insults from the "Goon Show". */ +/* Define to 1 if you want insults from the "Goon Show". */ #undef GOONS_INSULTS -/* Define if you want 2001-like insults. */ +/* Define to 1 if you want 2001-like insults. */ #undef HAL_INSULTS -/* Define if you use AFS. */ +/* Define to 1 if you use AFS. */ #undef HAVE_AFS /* Define to 1 if you have `alloca', as a function or macro. */ 
@@ -56,44 +57,41 @@ /* Define to 1 if you have the `asprintf' function. */ #undef HAVE_ASPRINTF -/* Define if you use AIX general authentication. */ +/* Define to 1 if you use AIX general authentication. */ #undef HAVE_AUTHENTICATE /* Define to 1 if you have the `bigcrypt' function. */ #undef HAVE_BIGCRYPT -/* Define if you use BSD authentication. */ +/* Define to 1 if you use BSD authentication. */ #undef HAVE_BSD_AUTH_H /* Define to 1 if you have the `closefrom' function. */ #undef HAVE_CLOSEFROM -/* Define if you use OSF DCE. */ +/* Define to 1 if you use OSF DCE. */ #undef HAVE_DCE +/* Define to 1 if your `DIR' contains dd_fd. */ +#undef HAVE_DD_FD + /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_DIRENT_H -/* Define to 1 if you have the `dirfd' function (not macro). */ +/* Define to 1 if you have the `dirfd' function or macro. */ #undef HAVE_DIRFD -/* Define to 1 if your `DIR' contains dd_fd. */ -#undef HAVE_DD_FD - /* Define to 1 if you have the `dispcrypt' function. */ #undef HAVE_DISPCRYPT /* Define to 1 if you have the header file. */ #undef HAVE_ERR_H -/* Define to 1 if you have the `fchown' function. */ -#undef HAVE_FCHOWN - /* Define to 1 if you have the `flock' function. */ #undef HAVE_FLOCK -/* Define if you have the `fnmatch' function. */ +/* Define to 1 if you have the `fnmatch' function. */ #undef HAVE_FNMATCH /* Define to 1 if you have the `freeifaddrs' function. */ 
@@ -102,11 +100,20 @@ /* Define to 1 if you have the `fstat' function. */ #undef HAVE_FSTAT -/* Define if you use the FWTK authsrv daemon. */ +/* Define to 1 if you have the `futime' function. */ +#undef HAVE_FUTIME + +/* Define to 1 if you have the `futimes' function. */ +#undef HAVE_FUTIMES + +/* Define to 1 if you have the `futimesat' function. */ +#undef HAVE_FUTIMESAT + +/* Define to 1 if you use the FWTK authsrv daemon. */ #undef HAVE_FWTK -/* Define if you have the `getauthuid' function. (ULTRIX 4.x shadow passwords) - */ +/* Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x shadow + passwords) */ #undef HAVE_GETAUTHUID /* Define to 1 if you have the `getcwd' function. */ @@ -121,22 +128,26 @@ /* Define to 1 if you have the `getprogname' function. */ #undef HAVE_GETPROGNAME -/* Define if you have the `getprpwnam' function. (SecureWare-style shadow +/* Define to 1 if you have the `getprpwnam' function. (SecureWare-style shadow passwords) */ #undef HAVE_GETPRPWNAM -/* Define if you have the `getpwanam' function. (SunOS 4.x shadow passwords) - */ +/* Define to 1 if you have the `getpwanam' function. (SunOS 4.x shadow + passwords) */ #undef HAVE_GETPWANAM -/* Define if you have the `getspnam' function (SVR4-style shadow passwords) */ +/* Define to 1 if you have the `getspnam' function (SVR4-style shadow + passwords) */ #undef HAVE_GETSPNAM -/* Define if you have the `getspwuid' function. (HP-UX <= 9.X shadow +/* Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords) */ #undef HAVE_GETSPWUID -/* Define if your Kerberos is Heimdal. */ +/* Define to 1 if you have the `gettimeofday' function. */ +#undef HAVE_GETTIMEOFDAY + +/* Define to 1 if your Kerberos is Heimdal. */ #undef HAVE_HEIMDAL /* Define to 1 if you have the `initgroups' function. */ 
@@ -154,30 +165,30 @@ /* Define if you have isblank(3). */ #undef HAVE_ISBLANK -/* Define if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow - enabled) */ +/* Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for + shadow enabled) */ #undef HAVE_ISCOMSEC -/* Define if you have the `issecure' function. (SunOS 4.x check for shadow - enabled) */ +/* Define to 1 if you have the `issecure' function. (SunOS 4.x check for + shadow enabled) */ #undef HAVE_ISSECURE -/* Define if you use Kerberos IV. */ +/* Define to 1 if you use Kerberos IV. */ #undef HAVE_KERB4 -/* Define if you use Kerberos V. */ +/* Define to 1 if you use Kerberos V. */ #undef HAVE_KERB5 -/* Define if you use LDAP. */ -#undef HAVE_LDAP - -/* Define if your LDAP needs . (OpenLDAP does not) */ +/* Define to 1 if your LDAP needs . (OpenLDAP does not) */ #undef HAVE_LBER_H -/* Define if your LDAP Supports URLs. (OpenLDAP does) */ +/* Define to 1 if you use LDAP for sudoers. */ +#undef HAVE_LDAP + +/* Define to 1 if you have the `ldap_initialize' function. */ #undef HAVE_LDAP_INITIALIZE -/* Define if your LDAP Supports start_tls_s. (OpenLDAP does) */ +/* Define to 1 if you have the `ldap_start_tls_s' function. */ #undef HAVE_LDAP_START_TLS_S /* Define to 1 if you have the `lockf' function. */ @@ -213,10 +224,10 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NETGROUP_H -/* Define if you use NRL OPIE. */ +/* Define to 1 if you use NRL OPIE. */ #undef HAVE_OPIE -/* Define if you use PAM. */ +/* Define to 1 if you use PAM authentication. */ #undef HAVE_PAM /* Define to 1 if you have the header file. */ @@ -228,7 +239,7 @@ /* Define if your struct sockadr has an sa_len field. */ #undef HAVE_SA_LEN -/* Define if you use SecurID. */ +/* Define to 1 if you use SecurID for authentication. */ #undef HAVE_SECURID /* Define to 1 if you have the `seteuid' function. */ 
@@ -246,22 +257,22 @@ /* Define to 1 if you have the `set_auth_parameters' function. */ #undef HAVE_SET_AUTH_PARAMETERS -/* Define if you use SIA. */ +/* Define to 1 if you use SIA authentication. */ #undef HAVE_SIA /* Define to 1 if you have the `sigaction' function. */ #undef HAVE_SIGACTION -/* Define if has the sigaction_t typedef. */ +/* Define to 1 if has the sigaction_t typedef. */ #undef HAVE_SIGACTION_T /* Define to 1 if the system has the type `sig_atomic_t'. */ #undef HAVE_SIG_ATOMIC_T -/* Define if you use S/Key. */ +/* Define to 1 if you use S/Key. */ #undef HAVE_SKEY -/* Define if your S/Key library has skeyaccess(). */ +/* Define to 1 if your S/Key library has skeyaccess(). */ #undef HAVE_SKEYACCESS /* Define to 1 if you have the `snprintf' function. */ @@ -300,6 +311,12 @@ /* Define to 1 if you have the `strrchr' function. */ #undef HAVE_STRRCHR +/* Define to 1 if your struct stat has an st_mtim member */ +#undef HAVE_ST_MTIM + +/* Define to 1 if your struct stat has an st_mtimespec member */ +#undef HAVE_ST_MTIMESPEC + /* Define to 1 if you have the `sysconf' function. */ #undef HAVE_SYSCONF 
@@ -326,28 +343,32 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H -/* Define if you have the header file and the `tcgetattr' +/* Define to 1 if you have the header file and the `tcgetattr' function. */ #undef HAVE_TERMIOS_H /* Define to 1 if you have the header file. */ #undef HAVE_TERMIO_H +/* Define to 1 if you have struct timespec in sys/time.h */ +#undef HAVE_TIMESPEC + +/* Define to 1 if you have a timespecsub macro or function that takes + two arguments (not three) */ +#undef HAVE_TIMESPECSUB2 + /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H -/* Define to 1 if you have the `utime' function. */ -#undef HAVE_UTIME +/* Define to 1 if you have the `utimes' function. */ +#undef HAVE_UTIMES /* Define to 1 if you have the header file. */ #undef HAVE_UTIME_H -/* Define if you have a POSIX utime() (uses struct utimbuf). */ -#undef HAVE_UTIME_POSIX - /* Define to 1 if you have the `vasprintf' function. */ #undef HAVE_VASPRINTF @@ -363,13 +384,13 @@ /* Define to 1 if you have the `_innetgr' function. */ #undef HAVE__INNETGR -/* Define if your crt0.o defines the __progname symbol for you. */ +/* Define to 1 if your crt0.o defines the __progname symbol for you. */ #undef HAVE___PROGNAME -/* Define if you want the hostname to be entered into the log file. */ +/* Define to 1 if you want the hostname to be entered into the log file. */ #undef HOST_IN_LOG -/* Define if you want to ignore '.' and empty $PATH elements */ +/* Define to 1 if you want to ignore '.' and empty PATH elements */ #undef IGNORE_DOT_PATH /* The message given when a bad password is entered. */ 
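Review bot: The HAVE_TIMESPECSUB2 comment in the first hunk says "macro or function", but the fallback added to compat.h earlier in this patch is guarded only by "#ifndef timespecsub", which cannot see a function. On a platform that ships a two-argument timespecsub() as a function, the three-argument macro would still be defined on top of it; make the compat.h fallback conditional on HAVE_TIMESPECSUB2 as well, or document in this comment how callers are expected to choose between the two forms. The same hunk drops HAVE_UTIME and HAVE_UTIME_POSIX in favour of HAVE_UTIMES, so please confirm that no remaining code path still tests the removed macros.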
@@ -384,7 +405,7 @@ /* Define if sizeof(long) == sizeof(long long). */ #undef LONG_IS_QUAD -/* Define if you want a two line OTP (S/Key or OPIE) prompt. */ +/* Define to 1 if you want a two line OTP (S/Key or OPIE) prompt. */ #undef LONG_OTP_PROMPT /* The subject of the mail sent by sudo to the MAILTO user/address. */ @@ -400,17 +421,17 @@ */ #undef MAX_UID_T_LEN -/* Define if you don't want sudo to prompt for a password by default. */ +/* Define to 1 if you don't want sudo to prompt for a password by default. */ #undef NO_AUTHENTICATION -/* Define if you don't want users to get the lecture the first they user sudo. - */ +/* Define to 1 if you don't want users to get the lecture the first they user + sudo. */ #undef NO_LECTURE /* Define to avoid runing the mailer as root. */ #undef NO_ROOT_MAILER -/* Define if root should not be allowed to use sudo. */ +/* Define to 1 if root should not be allowed to use sudo. */ #undef NO_ROOT_SUDO /* Define to avoid using POSIX saved ids. */ @@ -422,7 +443,8 @@ /* The passwd prompt timeout (in minutes). */ #undef PASSWORD_TIMEOUT -/* Define to replace politically incorrect insults with less offensive ones. */ +/* Define to 1 to replace politically incorrect insults with less offensive + ones. */ #undef PC_INSULTS /* The syslog priority sudo will use for unsuccessful attempts/errors. */ 
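Review bot: The rewrapped NO_LECTURE comment in the second hunk still reads "the first they user sudo"; since the lines are being rewritten anyway, correct it to "the first time they use sudo". The NO_ROOT_MAILER comment shown as context in the same hunk has "runing" and could be fixed in the same pass.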
@@ -437,23 +459,23 @@ /* The user sudo should run commands as by default. */ #undef RUNAS_DEFAULT -/* Define to override the user's path with a built-in one. */ +/* Define to 1 to override the user's path with a built-in one. */ #undef SECURE_PATH -/* Define to send mail when the user is not allowed to run a command. */ +/* Define to 1 to send mail when the user is not allowed to run a command. */ #undef SEND_MAIL_WHEN_NOT_OK -/* Define to send mail when the user is not allowed to run sudo on this host. - */ +/* Define to 1 to send mail when the user is not allowed to run sudo on this + host. */ #undef SEND_MAIL_WHEN_NO_HOST -/* Define to send mail when the user is not in the sudoers file. */ +/* Define to 1 to send mail when the user is not in the sudoers file. */ #undef SEND_MAIL_WHEN_NO_USER -/* Define if you want sudo to start a shell if given no arguments. */ +/* Define to 1 if you want sudo to start a shell if given no arguments. */ #undef SHELL_IF_NO_ARGS -/* Define if you want sudo to set $HOME in shell mode. */ +/* Define to 1 if you want sudo to set $HOME in shell mode. */ #undef SHELL_SETS_HOME /* If using the C implementation of alloca, define if you know the @@ -467,7 +489,7 @@ /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS -/* Define if the code in interfaces.c does not compile for you. */ +/* Define to 1 if the code in interfaces.c does not compile for you. */ #undef STUB_LOAD_INTERFACES /* The umask that the root-run prog should use. */ 
@@ -479,18 +501,18 @@ /* The number of tries a user gets to enter their password. */ #undef TRIES_FOR_PASSWORD -/* Define if you wish to use execv() instead of execvp() when running +/* Define to 1 if you wish to use execv() instead of execvp() when running programs. */ #undef USE_EXECV -/* Define if you want to insult the user for entering an incorrect password. - */ +/* Define to 1 if you want to insult the user for entering an incorrect + password. */ #undef USE_INSULTS -/* Define if you use stow packaging. */ +/* Define to 1 if you use GNU stow packaging. */ #undef USE_STOW -/* Define if you want a different ticket file for each tty. */ +/* Define to 1 if you want a different ticket file for each tty. */ #undef USE_TTY_TICKETS /* Define to "void" if your compiler supports void pointers, else use "char". @@ -545,6 +567,22 @@ /* Define to empty if the keyword `volatile' does not work. Warning: valid code using `volatile' can become incorrect without. Disable with care. */ #undef volatile + +/* + * Macros to pull sec and nsec parts of mtime from struct stat. + */ +#ifdef HAVE_ST_MTIM +# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) +# define mtim_getnsec(_x) ((_x).st_mtim.tv_nsec) +#else +# ifdef HAVE_ST_MTIMESPEC +# define mtim_getsec(_x) ((_x).st_mtimespec.tv_sec) +# define mtim_getnsec(_x) ((_x).st_mtimespec.tv_nsec) +# else +# define mtim_getsec(_x) ((_x).st_mtime) +# define mtim_getnsec(_x) (0) +# endif /* HAVE_ST_MTIMESPEC */ +#endif /* HAVE_ST_MTIM */ /* * Emulate a subset of waitpid() if we don't have it. diff -urN sudo-1.6.8/config.sub sudo-1.6.8p12/config.sub --- sudo-1.6.8/config.sub Mon Jan 20 16:07:51 2003 +++ sudo-1.6.8p12/config.sub Tue May 31 17:11:38 2005 
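Review bot: In the last config.h.in hunk (@@ -545,6 +567,22 @@), the final fallback defines mtim_getnsec(_x) as (0), so on systems with neither st_mtim nor st_mtimespec two modifications made within the same second produce identical (sec, nsec) pairs. Any caller that compares these values to decide whether a file changed, which the CHANGES entry about sudoedit's unchanged-file detection suggests exists, has only one-second resolution on that path and should not treat equal timestamps as proof of no change. Extend the block comment to say that the fallback has one-second resolution and that the macros take a struct stat, not a pointer to one.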
@@ -369,6 +369,12 @@ basic_machine=a29k-none os=-bsd ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; amdahl) basic_machine=580-amdahl os=-sysv diff -urN sudo-1.6.8/configure sudo-1.6.8p12/configure --- sudo-1.6.8/configure Thu Jun 3 12:34:54 2004 +++ sudo-1.6.8p12/configure Thu Oct 27 20:48:25 2005 @@ -1105,6 +1105,7 @@ --with-hal-insults include 2001-like insults --with-goons-insults include the insults from the "Goon Show" --with-ldap[=DIR] enable LDAP support + --with-ldap-conf-file path to LDAP configuration file --with-pc-insults replace politically incorrect insults with less offensive ones --with-secure-path override the user's path with a built-in one --without-interfaces don't try to read the ip addr of ether interfaces @@ -1114,7 +1115,7 @@ both] --with-tags[=TAGS] include additional configurations [automatic] - --with-noexec fully qualified pathname of sudo_noexec.so + --with-noexec=PATH fully qualified pathname of sudo_noexec.so Some influential environment variables: CC C compiler command @@ -1630,8 +1631,7 @@ withval="$with_otp_only" case $with_otp_only in yes) with_passwd=no - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define WITHOUT_PASSWD 1 _ACEOF @@ -1852,8 +1852,7 @@ echo "$as_me: error: \"cannot use both S/Key and OPIE\"" >&2;} { (exit 1); exit 1; }; } fi - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_SKEY 1 _ACEOF @@ -1877,8 +1876,7 @@ echo "$as_me: error: \"cannot use both S/Key and OPIE\"" >&2;} { (exit 1); exit 1; }; } fi - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_OPIE 1 _ACEOF @@ -1896,8 +1894,7 @@ if test "${with_long_otp_prompt+set}" = set; then withval="$with_long_otp_prompt" case $with_long_otp_prompt in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define LONG_OTP_PROMPT 1 _ACEOF 
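Review bot: In the configure help-text hunk (@@ -1105,6 +1105,7 @@), --with-ldap-conf-file is listed without a value placeholder, while the next hunk changes --with-noexec to --with-noexec=PATH. Write it as --with-ldap-conf-file=PATH for consistency, since the option has no meaning without a path.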
@@ -1922,8 +1919,7 @@ withval="$with_SecurID" case $with_SecurID in no) with_SecurID="";; - *) -cat >>confdefs.h <<\_ACEOF + *) cat >>confdefs.h <<\_ACEOF #define HAVE_SECURID 1 _ACEOF @@ -1942,8 +1938,7 @@ withval="$with_fwtk" case $with_fwtk in no) with_fwtk="";; - *) -cat >>confdefs.h <<\_ACEOF + *) cat >>confdefs.h <<\_ACEOF #define HAVE_FWTK 1 _ACEOF @@ -1990,8 +1985,7 @@ if test "${with_authenticate+set}" = set; then withval="$with_authenticate" case $with_authenticate in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define HAVE_AUTHENTICATE 1 _ACEOF @@ -2015,8 +2009,7 @@ if test "${with_pam+set}" = set; then withval="$with_pam" case $with_pam in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define HAVE_PAM 1 _ACEOF @@ -2040,8 +2033,7 @@ if test "${with_AFS+set}" = set; then withval="$with_AFS" case $with_AFS in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define HAVE_AFS 1 _ACEOF @@ -2064,8 +2056,7 @@ if test "${with_DCE+set}" = set; then withval="$with_DCE" case $with_DCE in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define HAVE_DCE 1 _ACEOF @@ -2132,8 +2123,7 @@ echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 else - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define NO_LECTURE 1 _ACEOF @@ -2156,8 +2146,7 @@ echo "$as_me: error: \"--without-logging not supported.\"" >&2;} { (exit 1); exit 1; }; } ;; - syslog) -cat >>confdefs.h <<\_ACEOF + syslog) cat >>confdefs.h <<\_ACEOF #define LOGGING SLOG_SYSLOG _ACEOF @@ -2351,8 +2340,7 @@ esac fi; if test "$ignore_dot" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define IGNORE_DOT_PATH 1 _ACEOF @@ -2381,8 +2369,7 @@ esac fi; if test "$mail_no_user" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define SEND_MAIL_WHEN_NO_USER 1 _ACEOF 
@@ -2411,8 +2398,7 @@ esac fi; if test "$mail_no_host" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define SEND_MAIL_WHEN_NO_HOST 1 _ACEOF @@ -2441,8 +2427,7 @@ esac fi; if test "$mail_noperms" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define SEND_MAIL_WHEN_NOT_OK 1 _ACEOF @@ -2575,8 +2560,7 @@ esac fi; if test "$fqdn" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define FQDN 1 _ACEOF @@ -2824,8 +2808,7 @@ esac fi; if test "$env_editor" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define ENV_EDITOR 1 _ACEOF @@ -2925,8 +2908,7 @@ echo $ECHO_N "checking whether to use execvp or execv... $ECHO_C" >&6 echo "$as_me:$LINENO: result: execv" >&5 echo "${ECHO_T}execv" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define USE_EXECV 1 _ACEOF @@ -2957,8 +2939,7 @@ esac fi; if test "$tty_tickets" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define USE_TTY_TICKETS 1 _ACEOF @@ -2989,8 +2970,7 @@ esac fi; if test "$insults" = "on"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define USE_INSULTS 1 _ACEOF @@ -3024,8 +3004,7 @@ if test "${with_classic_insults+set}" = set; then withval="$with_classic_insults" case $with_classic_insults in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define CLASSIC_INSULTS 1 _ACEOF @@ -3043,8 +3022,7 @@ if test "${with_csops_insults+set}" = set; then withval="$with_csops_insults" case $with_csops_insults in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define CSOPS_INSULTS 1 _ACEOF @@ -3062,8 +3040,7 @@ if test "${with_hal_insults+set}" = set; then withval="$with_hal_insults" case $with_hal_insults in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define HAL_INSULTS 1 _ACEOF 
@@ -3081,8 +3058,7 @@ if test "${with_goons_insults+set}" = set; then withval="$with_goons_insults" case $with_goons_insults in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define GOONS_INSULTS 1 _ACEOF @@ -3101,8 +3077,7 @@ withval="$with_ldap" case $with_ldap in no) with_ldap="";; - *) -cat >>confdefs.h <<\_ACEOF + *) cat >>confdefs.h <<\_ACEOF #define HAVE_LDAP 1 _ACEOF @@ -3114,13 +3089,22 @@ esac fi; +# Check whether --with-ldap-conf-file or --without-ldap-conf-file was given. +if test "${with_ldap_conf_file+set}" = set; then + withval="$with_ldap_conf_file" +cat >>confdefs.h <<_ACEOF +#define _PATH_LDAP_CONF "$with_ldap_conf_file" +_ACEOF + +fi; + + # Check whether --with-pc-insults or --without-pc-insults was given. if test "${with_pc_insults+set}" = set; then withval="$with_pc_insults" case $with_pc_insults in - yes) -cat >>confdefs.h <<\_ACEOF + yes) cat >>confdefs.h <<\_ACEOF #define PC_INSULTS 1 _ACEOF @@ -3152,8 +3136,7 @@ if test "${with_secure_path+set}" = set; then withval="$with_secure_path" case $with_secure_path in - yes) -cat >>confdefs.h <<_ACEOF + yes) cat >>confdefs.h <<_ACEOF #define SECURE_PATH "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" _ACEOF @@ -3186,8 +3169,7 @@ yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 ;; - no) -cat >>confdefs.h <<\_ACEOF + no) cat >>confdefs.h <<\_ACEOF #define STUB_LOAD_INTERFACES 1 _ACEOF @@ -3213,8 +3195,7 @@ case $with_stow in yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define USE_STOW 1 _ACEOF @@ -3244,8 +3225,7 @@ ;; no) echo "$as_me:$LINENO: result: no" >&5 echo "${ECHO_T}no" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define NO_AUTHENTICATION 1 _ACEOF @@ -3273,8 +3253,7 @@ ;; no) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define NO_ROOT_MAILER 1 _ACEOF 
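Review bot: The new --with-ldap-conf-file block (@@ -3114,13 +3089,22 @@) writes $with_ldap_conf_file straight into _PATH_LDAP_CONF without the "case ... in yes) ... no)" handling that the neighbouring options use, so --with-ldap-conf-file given without an argument defines the path as "yes" and --without-ldap-conf-file defines it as "no". Reject those two values with an error, and preferably require an absolute path, because a wrong value here changes which LDAP configuration file sudo reads without any warning at build time. As configure is generated output, the check belongs in the autoconf source and the script should then be regenerated.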
@@ -3324,8 +3303,7 @@ ;; no) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define NO_SAVED_IDS 1 _ACEOF @@ -3376,8 +3354,7 @@ yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 ;; - no) -cat >>confdefs.h <<\_ACEOF + no) cat >>confdefs.h <<\_ACEOF #define NO_ROOT_SUDO 1 _ACEOF @@ -3404,8 +3381,7 @@ case "$enableval" in yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HOST_IN_LOG 1 _ACEOF @@ -3433,8 +3409,7 @@ case "$enableval" in yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define SHELL_IF_NO_ARGS 1 _ACEOF @@ -3462,8 +3437,7 @@ case "$enableval" in yes) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define SHELL_SETS_HOME 1 _ACEOF @@ -3494,8 +3468,7 @@ ;; no) echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define DONT_LEAK_PATH_INFO 1 _ACEOF @@ -5446,7 +5419,7 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5449 "configure"' > conftest.$ac_ext + echo '#line 5422 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6607,7 +6580,7 @@ # Provide some information about the compiler. -echo "$as_me:6610:" \ +echo "$as_me:6583:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 
@@ -7616,11 +7589,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7619: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7592: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7623: \$? = $ac_status" >&5 + echo "$as_me:7596: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -7848,11 +7821,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7851: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7824: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7855: \$? = $ac_status" >&5 + echo "$as_me:7828: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -7915,11 +7888,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7918: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7891: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7922: \$? = $ac_status" >&5 + echo "$as_me:7895: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -9895,7 +9868,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:12105: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:12136: \$? = $ac_status" >&5 + echo "$as_me:12109: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -12196,11 +12169,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:12199: $lt_compile\"" >&5) + (eval echo "\"\$as_me:12172: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:12203: \$? = $ac_status" >&5 + echo "$as_me:12176: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13400,7 +13373,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:14296: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:14327: \$? = $ac_status" >&5 + echo "$as_me:14300: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -14387,11 +14360,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:14390: $lt_compile\"" >&5) + (eval echo "\"\$as_me:14363: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:14394: \$? = $ac_status" >&5 + echo "$as_me:14367: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16299,11 +16272,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16302: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16275: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16306: \$? = $ac_status" >&5 + echo "$as_me:16279: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16531,11 +16504,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16534: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16507: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16538: \$? = $ac_status" >&5 + echo "$as_me:16511: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -16598,11 +16571,11 @@ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16601: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16574: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16605: \$? = $ac_status" >&5 + echo "$as_me:16578: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -18578,7 +18551,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define BROKEN_SYSLOG 1 _ACEOF @@ -20262,8 +20230,6 @@ fi done - - CHECKSHADOW="false" fi @@ -20390,8 +20356,7 @@ echo "$as_me:$LINENO: result: $ac_cv_lib_sec_iscomsec" >&5 echo "${ECHO_T}$ac_cv_lib_sec_iscomsec" >&6 if test $ac_cv_lib_sec_iscomsec = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_ISCOMSEC 1 _ACEOF @@ -20575,8 +20540,7 @@ echo "$as_me:$LINENO: result: $ac_cv_func_sia_ses_init" >&5 echo "${ECHO_T}$ac_cv_func_sia_ses_init" >&6 if test $ac_cv_func_sia_ses_init = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_SIA 1 _ACEOF @@ -20651,8 +20615,7 @@ fi if test -n "$SECUREWARE"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_GETPRPWNAM 1 _ACEOF @@ -21395,8 +21358,7 @@ echo "$as_me:$LINENO: result: $ac_cv_lib_auth_getauthuid" >&5 echo "${ECHO_T}$ac_cv_lib_auth_getauthuid" >&6 if test $ac_cv_lib_auth_getauthuid = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_GETAUTHUID 1 _ACEOF SUDO_LIBS="${SUDO_LIBS} -lauth"; LIBS="${LIBS} -lauth" 
@@ -22004,8 +21966,7 @@ echo "$as_me:$LINENO: result: $ac_cv_lib_gen_getspnam" >&5 echo "${ECHO_T}$ac_cv_lib_gen_getspnam" >&6 if test $ac_cv_lib_gen_getspnam = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_GETSPNAM 1 _ACEOF SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen" @@ -23503,8 +23464,7 @@ echo "${ECHO_T}$ac_cv_sys_posix_termios" >&6 if test "$ac_cv_sys_posix_termios" = "yes"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_TERMIOS_H 1 _ACEOF @@ -23928,8 +23888,7 @@ fi if test $ac_cv_header_bsd_auth_h = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_BSD_AUTH_H 1 _ACEOF with_passwd=no; AUTH_OBJS=bsdauth.o @@ -24092,8 +24051,7 @@ else - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define sig_atomic_t int _ACEOF 
@@ -24154,13 +24112,69 @@ #define HAVE_SIGACTION_T 1 _ACEOF - cat >>confdefs.h <<\_ACEOF #define HAVE_SIGACTION_T 1 _ACEOF fi +echo "$as_me:$LINENO: checking for struct timespec" >&5 +echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6 +if test "${ac_cv_type_struct_timespec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#include + +int +main () +{ +if ((struct timespec *) 0) + return 0; +if (sizeof (struct timespec)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_type_struct_timespec=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_type_struct_timespec=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_type_struct_timespec" >&5 +echo "${ECHO_T}$ac_cv_type_struct_timespec" >&6 +if test $ac_cv_type_struct_timespec = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_TIMESPEC 1 +_ACEOF + +fi + echo "$as_me:$LINENO: checking for size_t" >&5 echo $ECHO_N "checking for size_t... $ECHO_C" >&6 if test "${sudo_cv_type_size_t+set}" = set; then @@ -24663,7 +24677,7 @@ for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \ - strftime setrlimit initgroups fstat fchown + strftime setrlimit initgroups fstat gettimeofday do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -25888,7 +25902,7 @@ done -for ac_func in utime +for ac_func in utimes do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -25967,15 +25981,16 @@ cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF - echo "$as_me:$LINENO: checking for POSIX utime" >&5 -echo $ECHO_N "checking for POSIX utime... $ECHO_C" >&6 -if test "${sudo_cv_func_utime_posix+set}" = set; then + + +for ac_func in futimes futimesat +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - rm -f conftestdata; > conftestdata -if test "$cross_compiling" = yes; then - sudo_cv_func_utime_posix=no -else cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */ 
@@ -25983,54 +25998,161 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include -#include -#include -main() { -struct utimbuf ut; -ut.actime = ut.modtime = time(0); -utime("conftestdata", &ut); -exit(0); +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ +#ifdef __STDC__ +# include +#else +# include +#endif +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +char (*f) () = $ac_func; +#endif +#ifdef __cplusplus } +#endif + +int +main () +{ +return f != $ac_func; + ; + return 0; +} _ACEOF -rm -f conftest$ac_exeext +rm -f conftest.$ac_objext conftest$ac_exeext if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 (exit $ac_status); }; }; then - sudo_cv_func_utime_posix=yes + eval "$as_ac_var=yes" else - echo "$as_me: program exited with status $ac_status" >&5 -echo "$as_me: failed program was:" >&5 + echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -( exit $ac_status ) -sudo_cv_func_utime_posix=no +eval "$as_ac_var=no" fi -rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -rm -f core core.* *.core +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + break fi -echo "$as_me:$LINENO: result: $sudo_cv_func_utime_posix" >&5 -echo "${ECHO_T}$sudo_cv_func_utime_posix" >&6 -if test $sudo_cv_func_utime_posix = yes; then +done -cat >>confdefs.h <<\_ACEOF -#define HAVE_UTIME_POSIX 1 +else + +for ac_func in futime +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ _ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ +#ifdef __STDC__ +# include +#else +# include +#endif +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +char (*f) () = $ac_func; +#endif +#ifdef __cplusplus +} +#endif +int +main () +{ +return f != $ac_func; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +eval "$as_ac_var=no" fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF -else - LIBOBJS="$LIBOBJS utime.$ac_objext" fi done + LIBOBJS="$LIBOBJS utimes.$ac_objext" +fi +done echo "$as_me:$LINENO: checking for working fnmatch with FNM_CASEFOLD" >&5 echo $ECHO_N "checking for working fnmatch with FNM_CASEFOLD... $ECHO_C" >&6 @@ -26079,8 +26201,7 @@ echo "$as_me:$LINENO: result: $sudo_cv_func_fnmatch" >&5 echo "${ECHO_T}$sudo_cv_func_fnmatch" >&6 if test $sudo_cv_func_fnmatch = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_FNMATCH 1 _ACEOF 
@@ -26322,6 +26443,47 @@ fi done +if test X"$ac_cv_type_struct_timespec" != X"no"; then + echo "$as_me:$LINENO: checking for struct stat.st_mtim" >&5 +echo $ECHO_N "checking for struct stat.st_mtim... $ECHO_C" >&6 +if test "${ac_cv_member_struct_stat_st_mtim+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (ac_aggr.st_mtim) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_struct_stat_st_mtim=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */ 
@@ -26329,7 +26491,199 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (sizeof ac_aggr.st_mtim) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_struct_stat_st_mtim=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_member_struct_stat_st_mtim=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_member_struct_stat_st_mtim" >&5 +echo "${ECHO_T}$ac_cv_member_struct_stat_st_mtim" >&6 +if test $ac_cv_member_struct_stat_st_mtim = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_ST_MTIM 1 +_ACEOF + +else + echo "$as_me:$LINENO: checking for struct stat.st_mtimespec" >&5 +echo $ECHO_N "checking for struct stat.st_mtimespec... $ECHO_C" >&6 +if test "${ac_cv_member_struct_stat_st_mtimespec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (ac_aggr.st_mtimespec) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_struct_stat_st_mtimespec=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +static struct stat ac_aggr; +if (sizeof ac_aggr.st_mtimespec) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_member_struct_stat_st_mtimespec=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_member_struct_stat_st_mtimespec=no +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: $ac_cv_member_struct_stat_st_mtimespec" >&5 +echo "${ECHO_T}$ac_cv_member_struct_stat_st_mtimespec" >&6 +if test $ac_cv_member_struct_stat_st_mtimespec = yes; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_ST_MTIMESPEC 1 +_ACEOF + +fi + +fi + + echo "$as_me:$LINENO: checking for two-parameter timespecsub" >&5 +echo $ECHO_N "checking for two-parameter timespecsub... $ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ #include +#include +int +main () +{ +struct timespec ts1, ts2; +ts1.tv_sec = 1; ts1.tv_nsec = 0; ts2.tv_sec = 0; ts2.tv_nsec = 0; +#ifndef timespecsub +#error missing timespecsub +#endif +timespecsub(&ts1, &ts2); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + cat >>confdefs.h <<\_ACEOF +#define HAVE_TIMESPECSUB2 1 +_ACEOF + + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi +rm -f conftest.$ac_objext conftest.$ac_ext +fi +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include #include <$ac_header_dirent> int main () @@ -26351,8 +26705,7 @@ ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_DIRFD 1 _ACEOF @@ -26389,8 +26742,7 @@ ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_DD_FD 1 _ACEOF @@ -26405,7 +26757,7 @@ if test -n "$NEED_SNPRINTF"; then LIBOBJS="$LIBOBJS snprintf.$ac_objext" fi -if test -z "$LIB_CRYPT"; then +if test -z "$LIB_CRYPT" -a "$with_pam" != "yes"; then echo "$as_me:$LINENO: checking for crypt" >&5 echo $ECHO_N "checking for crypt... $ECHO_C" >&6 if test "${ac_cv_func_crypt+set}" = set; then 
@@ -27953,8 +28305,7 @@ fi if test "$sudo_cv___progname" = "yes"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE___PROGNAME 1 _ACEOF @@ -27968,8 +28319,7 @@ done if test -n "$with_kerb4"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_KERB4 1 _ACEOF @@ -28549,8 +28899,7 @@ fi if test -n "$KRB5CONFIG"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_KERB5 1 _ACEOF @@ -28590,8 +28939,7 @@ echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_HEIMDAL 1 _ACEOF @@ -28606,8 +28954,7 @@ fi fi if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_KERB5 1 _ACEOF @@ -28697,8 +29044,7 @@ echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_HEIMDAL 1 _ACEOF @@ -29254,8 +29600,7 @@ echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5 echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6 if test $ac_cv_lib_skey_skeyaccess = yes; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define HAVE_SKEYACCESS 1 _ACEOF @@ -29869,8 +30214,7 @@ if test "$with_passwd" = "no"; then - -cat >>confdefs.h <<\_ACEOF + cat >>confdefs.h <<\_ACEOF #define WITHOUT_PASSWD 1 _ACEOF @@ -31088,6 +31432,137 @@ ;; esac fi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -urN sudo-1.6.8/configure.in sudo-1.6.8p12/configure.in --- sudo-1.6.8/configure.in Thu Jun 3 12:37:32 2004 +++ sudo-1.6.8p12/configure.in Thu Nov 25 12:31:20 2004 
@@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413 2004/06/03 16:37:32 millert Exp $ +dnl $Sudo: configure.in,v 1.420 2004/09/08 15:49:25 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2004 Todd C. Miller dnl @@ -127,7 +127,7 @@ AC_ARG_WITH(otp-only, [ --with-otp-only deprecated], [case $with_otp_only in yes) with_passwd=no - AC_DEFINE(WITHOUT_PASSWD, 1, [Define to avoid using the passwd/shadow file for authentication.]) + AC_DEFINE(WITHOUT_PASSWD) AC_MSG_NOTICE([--with-otp-only option deprecated, treating as --without-passwd]) ;; esac]) @@ -170,7 +170,7 @@ esac]) AC_ARG_WITH(incpath, [ --with-incpath additional places to look for include files], -[case $with_incpath in +[case $with_incpath in yes) AC_MSG_ERROR(["must give --with-incpath an argument."]) ;; no) AC_MSG_ERROR(["--without-incpath not supported."]) @@ -183,7 +183,7 @@ esac]) AC_ARG_WITH(libpath, [ --with-libpath additional places to look for libraries], -[case $with_libpath in +[case $with_libpath in yes) AC_MSG_ERROR(["must give --with-libpath an argument."]) ;; no) AC_MSG_ERROR(["--without-libpath not supported."]) @@ -193,7 +193,7 @@ esac]) AC_ARG_WITH(libraries, [ --with-libraries additional libraries to link with], -[case $with_libraries in +[case $with_libraries in yes) AC_MSG_ERROR(["must give --with-libraries an argument."]) ;; no) AC_MSG_ERROR(["--without-libraries not supported."]) @@ -203,7 +203,7 @@ esac]) AC_ARG_WITH(devel, [ --with-devel add development options], -[case $with_devel in +[case $with_devel in yes) AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc]) PROGS="${PROGS} testsudoers" OSDEFS="${OSDEFS} -DSUDO_DEVEL" 
@@ -215,7 +215,7 @@ esac]) AC_ARG_WITH(efence, [ --with-efence link with -lefence for malloc() debugging], -[case $with_efence in +[case $with_efence in yes) AC_MSG_NOTICE([Sudo will link with -lefence (Electric Fence)]) LIBS="${LIBS} -lefence" if test -f /usr/local/lib/libefence.a; then @@ -228,7 +228,7 @@ esac]) AC_ARG_WITH(csops, [ --with-csops add CSOps standard options], -[case $with_csops in +[case $with_csops in yes) AC_MSG_NOTICE([Adding CSOps standard options]) CHECKSIA=false with_ignore_dot=yes @@ -261,7 +261,7 @@ *) if test -n "$with_opie"; then AC_MSG_ERROR(["cannot use both S/Key and OPIE"]) fi - AC_DEFINE(HAVE_SKEY, 1, [Define if you use S/Key.]) + AC_DEFINE(HAVE_SKEY) AC_MSG_CHECKING(whether to try S/Key authentication) AC_MSG_RESULT(yes) AUTH_OBJS="${AUTH_OBJS} rfc1938.o" @@ -274,7 +274,7 @@ *) if test -n "$with_skey"; then AC_MSG_ERROR(["cannot use both S/Key and OPIE"]) fi - AC_DEFINE(HAVE_OPIE, 1, [Define if you use NRL OPIE.]) + AC_DEFINE(HAVE_OPIE) AC_MSG_CHECKING(whether to try NRL OPIE authentication) AC_MSG_RESULT(yes) AUTH_OBJS="${AUTH_OBJS} rfc1938.o" @@ -283,7 +283,7 @@ AC_ARG_WITH(long-otp-prompt, [ --with-long-otp-prompt use a two line OTP (skey/opie) prompt], [case $with_long_otp_prompt in - yes) AC_DEFINE(LONG_OTP_PROMPT, 1, [Define if you want a two line OTP (S/Key or OPIE) prompt.]) + yes) AC_DEFINE(LONG_OTP_PROMPT) AC_MSG_CHECKING(whether to use a two line prompt for OTP authentication) AC_MSG_RESULT(yes) long_otp_prompt=on @@ -297,7 +297,7 @@ AC_ARG_WITH(SecurID, [ --with-SecurID[[=DIR]] enable SecurID support], [case $with_SecurID in no) with_SecurID="";; - *) AC_DEFINE(HAVE_SECURID, 1, [Define if you use SecurID.]) + *) AC_DEFINE(HAVE_SECURID) AC_MSG_CHECKING(whether to use SecurID for authentication) AC_MSG_RESULT(yes) with_passwd=no 
@@ -307,7 +307,7 @@ AC_ARG_WITH(fwtk, [ --with-fwtk[[=DIR]] enable FWTK AuthSRV support], [case $with_fwtk in no) with_fwtk="";; - *) AC_DEFINE(HAVE_FWTK, 1, [Define if you use the FWTK authsrv daemon.]) + *) AC_DEFINE(HAVE_FWTK) AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication) AC_MSG_RESULT(yes) with_passwd=no @@ -333,7 +333,7 @@ AC_ARG_WITH(authenticate, [ --with-authenticate enable AIX general authentication support], [case $with_authenticate in - yes) AC_DEFINE(HAVE_AUTHENTICATE, 1, [Define if you use AIX general authentication.]) + yes) AC_DEFINE(HAVE_AUTHENTICATE) AC_MSG_CHECKING(whether to use AIX general authentication) AC_MSG_RESULT(yes) with_passwd=no @@ -346,7 +346,7 @@ AC_ARG_WITH(pam, [ --with-pam enable PAM support], [case $with_pam in - yes) AC_DEFINE(HAVE_PAM, 1, [Define if you use PAM.]) + yes) AC_DEFINE(HAVE_PAM) AC_MSG_CHECKING(whether to use PAM authentication) AC_MSG_RESULT(yes) with_passwd=no @@ -359,7 +359,7 @@ AC_ARG_WITH(AFS, [ --with-AFS enable AFS support], [case $with_AFS in - yes) AC_DEFINE(HAVE_AFS, 1, [Define if you use AFS.]) + yes) AC_DEFINE(HAVE_AFS) AC_MSG_CHECKING(whether to try AFS (kerberos) authentication) AC_MSG_RESULT(yes) AUTH_OBJS="${AUTH_OBJS} afs.o" @@ -371,7 +371,7 @@ AC_ARG_WITH(DCE, [ --with-DCE enable DCE support], [case $with_DCE in - yes) AC_DEFINE(HAVE_DCE, 1, [Define if you use OSF DCE.]) + yes) AC_DEFINE(HAVE_DCE) AC_MSG_CHECKING(whether to try DCE (kerberos) authentication) AC_MSG_RESULT(yes) AUTH_OBJS="${AUTH_OBJS} dce.o" @@ -399,7 +399,7 @@ AC_MSG_CHECKING(whether to lecture users the first time they run sudo) AC_ARG_WITH(lecture, [ --without-lecture don't print lecture for first-time sudoer], -[case $with_lecture in +[case $with_lecture in yes|short|always) lecture=once ;; no|none|never) lecture=never 
@@ -410,18 +410,18 @@ if test "$lecture" = "once"; then AC_MSG_RESULT(yes) else - AC_DEFINE(NO_LECTURE, 1, [Define if you don't want users to get the lecture the first they user sudo.]) + AC_DEFINE(NO_LECTURE) AC_MSG_RESULT(no) fi AC_MSG_CHECKING(whether sudo should log via syslog or to a file by default) AC_ARG_WITH(logging, [ --with-logging log via syslog, file, or both], -[case $with_logging in +[case $with_logging in yes) AC_MSG_ERROR(["must give --with-logging an argument."]) ;; no) AC_MSG_ERROR(["--without-logging not supported."]) ;; - syslog) AC_DEFINE(LOGGING, SLOG_SYSLOG, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.]) + syslog) AC_DEFINE(LOGGING, SLOG_SYSLOG) AC_MSG_RESULT(syslog) ;; file) AC_DEFINE(LOGGING, SLOG_FILE) @@ -436,7 +436,7 @@ AC_MSG_CHECKING(which syslog facility sudo should log with) AC_ARG_WITH(logfac, [ --with-logfac syslog facility to log with (default is "local2")], -[case $with_logfac in +[case $with_logfac in yes) AC_MSG_ERROR(["must give --with-logfac an argument."]) ;; no) AC_MSG_ERROR(["--without-logfac not supported."]) @@ -451,7 +451,7 @@ AC_MSG_CHECKING(at which syslog priority to log commands) AC_ARG_WITH(goodpri, [ --with-goodpri syslog priority for commands (def is "notice")], -[case $with_goodpri in +[case $with_goodpri in yes) AC_MSG_ERROR(["must give --with-goodpri an argument."]) ;; no) AC_MSG_ERROR(["--without-goodpri not supported."]) @@ -467,7 +467,7 @@ AC_MSG_CHECKING(at which syslog priority to log failures) AC_ARG_WITH(badpri, [ --with-badpri syslog priority for failures (def is "alert")], -[case $with_badpri in +[case $with_badpri in yes) AC_MSG_ERROR(["must give --with-badpri an argument."]) ;; no) AC_MSG_ERROR(["--without-badpri not supported."]) 
@@ -482,7 +482,7 @@ AC_MSG_RESULT($badpri) AC_ARG_WITH(logpath, [ --with-logpath path to the sudo log file], -[case $with_logpath in +[case $with_logpath in yes) AC_MSG_ERROR(["must give --with-logpath an argument."]) ;; no) AC_MSG_ERROR(["--without-logpath not supported."]) @@ -491,7 +491,7 @@ AC_MSG_CHECKING(how long a line in the log file should be) AC_ARG_WITH(loglen, [ --with-loglen maximum length of a log file line (default is 80)], -[case $with_loglen in +[case $with_loglen in yes) AC_MSG_ERROR(["must give --with-loglen an argument."]) ;; no) AC_MSG_ERROR(["--without-loglen not supported."]) @@ -506,7 +506,7 @@ AC_MSG_CHECKING(whether sudo should ignore '.' or '' in \$PATH) AC_ARG_WITH(ignore-dot, [ --with-ignore-dot ignore '.' in the PATH], -[case $with_ignore_dot in +[case $with_ignore_dot in yes) ignore_dot=on ;; no) ignore_dot=off @@ -515,7 +515,7 @@ ;; esac]) if test "$ignore_dot" = "on"; then - AC_DEFINE(IGNORE_DOT_PATH, 1, [Define if you want to ignore '.' and empty \$PATH elements]) + AC_DEFINE(IGNORE_DOT_PATH) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -523,7 +523,7 @@ AC_MSG_CHECKING(whether to send mail when a user is not in sudoers) AC_ARG_WITH(mail-if-no-user, [ --without-mail-if-no-user do not send mail if user not in sudoers], -[case $with_mail_if_no_user in +[case $with_mail_if_no_user in yes) mail_no_user=on ;; no) mail_no_user=off @@ -532,7 +532,7 @@ ;; esac]) if test "$mail_no_user" = "on"; then - AC_DEFINE(SEND_MAIL_WHEN_NO_USER, 1, [Define to send mail when the user is not in the sudoers file.]) + AC_DEFINE(SEND_MAIL_WHEN_NO_USER) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -540,7 +540,7 @@ AC_MSG_CHECKING(whether to send mail when user listed but not for this host) AC_ARG_WITH(mail-if-no-host, [ --with-mail-if-no-host send mail if user in sudoers but not for this host], -[case $with_mail_if_no_host in +[case $with_mail_if_no_host in yes) mail_no_host=on ;; no) mail_no_host=off 
@@ -549,7 +549,7 @@ ;; esac]) if test "$mail_no_host" = "on"; then - AC_DEFINE(SEND_MAIL_WHEN_NO_HOST, 1, [Define to send mail when the user is not allowed to run sudo on this host.]) + AC_DEFINE(SEND_MAIL_WHEN_NO_HOST) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -557,7 +557,7 @@ AC_MSG_CHECKING(whether to send mail when a user tries a disallowed command) AC_ARG_WITH(mail-if-noperms, [ --with-mail-if-noperms send mail if user not allowed to run command], -[case $with_mail_if_noperms in +[case $with_mail_if_noperms in yes) mail_noperms=on ;; no) mail_noperms=off @@ -566,7 +566,7 @@ ;; esac]) if test "$mail_noperms" = "on"; then - AC_DEFINE(SEND_MAIL_WHEN_NOT_OK, 1, [Define to send mail when the user is not allowed to run a command.]) + AC_DEFINE(SEND_MAIL_WHEN_NOT_OK) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -574,7 +574,7 @@ AC_MSG_CHECKING(who should get the mail that sudo sends) AC_ARG_WITH(mailto, [ --with-mailto who should get sudo mail (default is "root")], -[case $with_mailto in +[case $with_mailto in yes) AC_MSG_ERROR(["must give --with-mailto an argument."]) ;; no) AC_MSG_ERROR(["--without-mailto not supported."]) @@ -586,7 +586,7 @@ AC_MSG_RESULT([$mailto]) AC_ARG_WITH(mailsubject, [ --with-mailsubject subject of sudo mail], -[case $with_mailsubject in +[case $with_mailsubject in yes) AC_MSG_ERROR(["must give --with-mailsubject an argument."]) ;; no) AC_MSG_WARN([Sorry, --without-mailsubject not supported.]) @@ -600,7 +600,7 @@ AC_MSG_CHECKING(for bad password prompt) AC_ARG_WITH(passprompt, [ --with-passprompt default password prompt], -[case $with_passprompt in +[case $with_passprompt in yes) AC_MSG_ERROR(["must give --with-passprompt an argument."]) ;; no) AC_MSG_WARN([Sorry, --without-passprompt not supported.]) 
@@ -612,7 +612,7 @@ AC_MSG_CHECKING(for bad password message) AC_ARG_WITH(badpass-message, [ --with-badpass-message message the user sees when the password is wrong], -[case $with_badpass_message in +[case $with_badpass_message in yes) AC_MSG_ERROR(["Must give --with-badpass-message an argument."]) ;; no) AC_MSG_WARN([Sorry, --without-badpass-message not supported.]) @@ -625,7 +625,7 @@ AC_MSG_CHECKING(whether to expect fully qualified hosts in sudoers) AC_ARG_WITH(fqdn, [ --with-fqdn expect fully qualified hosts in sudoers], -[case $with_fqdn in +[case $with_fqdn in yes) fqdn=on ;; no) fqdn=off @@ -634,14 +634,14 @@ ;; esac]) if test "$fqdn" = "on"; then - AC_DEFINE(FQDN, 1, [Define if you want to require fully qualified hosts in sudoers.]) + AC_DEFINE(FQDN) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) fi AC_ARG_WITH(timedir, [ --with-timedir path to the sudo timestamp dir], -[case $with_timedir in +[case $with_timedir in yes) AC_MSG_ERROR(["must give --with-timedir an argument."]) ;; no) AC_MSG_ERROR(["--without-timedir not supported."]) @@ -650,7 +650,7 @@ AC_ARG_WITH(sendmail, [ --with-sendmail=path set path to sendmail --without-sendmail do not send mail at all], -[case $with_sendmail in +[case $with_sendmail in yes) with_sendmail="" ;; no) ;; @@ -659,7 +659,7 @@ esac]) AC_ARG_WITH(sudoers-mode, [ --with-sudoers-mode mode of sudoers file (defaults to 0440)], -[case $with_sudoers_mode in +[case $with_sudoers_mode in yes) AC_MSG_ERROR(["must give --with-sudoers-mode an argument."]) ;; no) AC_MSG_ERROR(["--without-sudoers-mode not supported."]) @@ -673,7 +673,7 @@ esac]) AC_ARG_WITH(sudoers-uid, [ --with-sudoers-uid uid that owns sudoers file (defaults to 0)], -[case $with_sudoers_uid in +[case $with_sudoers_uid in yes) AC_MSG_ERROR(["must give --with-sudoers-uid an argument."]) ;; no) AC_MSG_ERROR(["--without-sudoers-uid not supported."]) 
@@ -685,7 +685,7 @@ esac]) AC_ARG_WITH(sudoers-gid, [ --with-sudoers-gid gid that owns sudoers file (defaults to 0)], -[case $with_sudoers_gid in +[case $with_sudoers_gid in yes) AC_MSG_ERROR(["must give --with-sudoers-gid an argument."]) ;; no) AC_MSG_ERROR(["--without-sudoers-gid not supported."]) @@ -699,7 +699,7 @@ AC_MSG_CHECKING(for umask programs should be run with) AC_ARG_WITH(umask, [ --with-umask umask with which the prog should run (default is 022) --without-umask Preserves the umask of the user invoking sudo.], -[case $with_umask in +[case $with_umask in yes) AC_MSG_ERROR(["must give --with-umask an argument."]) ;; no) sudo_umask=0777 @@ -718,7 +718,7 @@ AC_MSG_CHECKING(for default user to run commands as) AC_ARG_WITH(runas-default, [ --with-runas-default User to run commands as (default is "root")], -[case $with_runas_default in +[case $with_runas_default in yes) AC_MSG_ERROR(["must give --with-runas-default an argument."]) ;; no) AC_MSG_ERROR(["--without-runas-default not supported."]) @@ -730,7 +730,7 @@ AC_MSG_RESULT([$runas_default]) AC_ARG_WITH(exempt, [ --with-exempt=group no passwd needed for users in this group], -[case $with_exempt in +[case $with_exempt in yes) AC_MSG_ERROR(["must give --with-exempt an argument."]) ;; no) AC_MSG_ERROR(["--without-exempt not supported."]) @@ -743,7 +743,7 @@ AC_MSG_CHECKING(for editor that visudo should use) AC_ARG_WITH(editor, [ --with-editor=path Default editor for visudo (defaults to vi)], -[case $with_editor in +[case $with_editor in yes) AC_MSG_ERROR(["must give --with-editor an argument."]) ;; no) AC_MSG_ERROR(["--without-editor not supported."]) @@ -755,7 +755,7 @@ AC_MSG_CHECKING(whether to obey EDITOR and VISUAL environment variables) AC_ARG_WITH(env-editor, [ --with-env-editor Use the environment variable EDITOR for visudo], -[case $with_env_editor in +[case $with_env_editor in yes) env_editor=on ;; no) env_editor=off 
@@ -764,7 +764,7 @@ ;; esac]) if test "$env_editor" = "on"; then - AC_DEFINE(ENV_EDITOR, 1, [Define if you want visudo to honor the EDITOR and VISUAL env variables.]) + AC_DEFINE(ENV_EDITOR) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -772,7 +772,7 @@ AC_MSG_CHECKING(number of tries a user gets to enter their password) AC_ARG_WITH(passwd-tries, [ --with-passwd-tries number of tries to enter password (default is 3)], -[case $with_passwd_tries in +[case $with_passwd_tries in yes) ;; no) AC_MSG_ERROR(["--without-editor not supported."]) ;; @@ -786,7 +786,7 @@ AC_MSG_CHECKING(time in minutes after which sudo will ask for a password again) AC_ARG_WITH(timeout, [ --with-timeout minutes before sudo asks for passwd again (def is 5 minutes)], -[case $with_timeout in +[case $with_timeout in yes) ;; no) timeout=0 ;; @@ -800,7 +800,7 @@ AC_MSG_CHECKING(time in minutes after the password prompt will time out) AC_ARG_WITH(password-timeout, [ --with-password-timeout passwd prompt timeout in minutes (default is 5 minutes)], -[case $with_password_timeout in +[case $with_password_timeout in yes) ;; no) password_timeout=0 ;; @@ -813,10 +813,10 @@ AC_MSG_RESULT($password_timeout) AC_ARG_WITH(execv, [ --with-execv use execv() instead of execvp()], -[case $with_execv in +[case $with_execv in yes) AC_MSG_CHECKING(whether to use execvp or execv) AC_MSG_RESULT(execv) - AC_DEFINE(USE_EXECV, 1, [Define if you wish to use execv() instead of execvp() when running programs.]) + AC_DEFINE(USE_EXECV) ;; no) ;; *) AC_MSG_ERROR(["--with-execv does not take an argument."]) @@ -825,7 +825,7 @@ AC_MSG_CHECKING(whether to use per-tty ticket files) AC_ARG_WITH(tty-tickets, [ --with-tty-tickets use a different ticket file for each tty], -[case $with_tty_tickets in +[case $with_tty_tickets in yes) tty_tickets=on ;; no) tty_tickets=off 
@@ -834,7 +834,7 @@ ;; esac]) if test "$tty_tickets" = "on"; then - AC_DEFINE(USE_TTY_TICKETS, 1, [Define if you want a different ticket file for each tty.]) + AC_DEFINE(USE_TTY_TICKETS) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) @@ -842,7 +842,7 @@ AC_MSG_CHECKING(whether to include insults) AC_ARG_WITH(insults, [ --with-insults insult the user for entering an incorrect password], -[case $with_insults in +[case $with_insults in yes) insults=on with_classic_insults=yes with_csops_insults=yes @@ -853,14 +853,14 @@ ;; esac]) if test "$insults" = "on"; then - AC_DEFINE(USE_INSULTS, 1, [Define if you want to insult the user for entering an incorrect password.]) + AC_DEFINE(USE_INSULTS) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) fi AC_ARG_WITH(all-insults, [ --with-all-insults include all the sudo insult sets], -[case $with_all_insults in +[case $with_all_insults in yes) with_classic_insults=yes with_csops_insults=yes with_hal_insults=yes @@ -872,8 +872,8 @@ esac]) AC_ARG_WITH(classic-insults, [ --with-classic-insults include the insults from the "classic" sudo], -[case $with_classic_insults in - yes) AC_DEFINE(CLASSIC_INSULTS, 1, [Define if you want the insults from the "classic" version sudo.]) +[case $with_classic_insults in + yes) AC_DEFINE(CLASSIC_INSULTS) ;; no) ;; *) AC_MSG_ERROR(["--with-classic-insults does not take an argument."]) @@ -881,8 +881,8 @@ esac]) AC_ARG_WITH(csops-insults, [ --with-csops-insults include CSOps insults], -[case $with_csops_insults in - yes) AC_DEFINE(CSOPS_INSULTS, 1, [Define if you want insults culled from the twisted minds of CSOps.]) +[case $with_csops_insults in + yes) AC_DEFINE(CSOPS_INSULTS) ;; no) ;; *) AC_MSG_ERROR(["--with-csops-insults does not take an argument."]) 
@@ -890,8 +890,8 @@ esac]) AC_ARG_WITH(hal-insults, [ --with-hal-insults include 2001-like insults], -[case $with_hal_insults in - yes) AC_DEFINE(HAL_INSULTS, 1, [Define if you want 2001-like insults.]) +[case $with_hal_insults in + yes) AC_DEFINE(HAL_INSULTS) ;; no) ;; *) AC_MSG_ERROR(["--with-hal-insults does not take an argument."]) @@ -899,8 +899,8 @@ esac]) AC_ARG_WITH(goons-insults, [ --with-goons-insults include the insults from the "Goon Show"], -[case $with_goons_insults in - yes) AC_DEFINE(GOONS_INSULTS, 1, [Define if you want insults from the "Goon Show".]) +[case $with_goons_insults in + yes) AC_DEFINE(GOONS_INSULTS) ;; no) ;; *) AC_MSG_ERROR(["--with-goons-insults does not take an argument."]) @@ -910,15 +910,17 @@ AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support], [case $with_ldap in no) with_ldap="";; - *) AC_DEFINE(HAVE_LDAP, 1, [Define if you use LDAP.]) + *) AC_DEFINE(HAVE_LDAP) AC_MSG_CHECKING(whether to use sudoers from LDAP) AC_MSG_RESULT(yes) ;; esac]) +AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file], +[AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])]) AC_ARG_WITH(pc-insults, [ --with-pc-insults replace politically incorrect insults with less offensive ones], -[case $with_pc_insults in - yes) AC_DEFINE(PC_INSULTS, 1, [Define to replace politically incorrect insults with less offensive ones.]) +[case $with_pc_insults in + yes) AC_DEFINE(PC_INSULTS) ;; no) ;; *) AC_MSG_ERROR(["--with-pc-insults does not take an argument."]) 
@@ -938,8 +940,8 @@ AC_MSG_CHECKING(whether to override the user's path) AC_ARG_WITH(secure-path, [ --with-secure-path override the user's path with a built-in one], -[case $with_secure_path in - yes) AC_DEFINE_UNQUOTED(SECURE_PATH, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc", [Define to override the user's path with a built-in one.]) +[case $with_secure_path in + yes) AC_DEFINE_UNQUOTED(SECURE_PATH, "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc") AC_MSG_RESULT([:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc]) ;; no) AC_MSG_RESULT(no) @@ -951,10 +953,10 @@ AC_MSG_CHECKING(whether to get ip addresses from the network interfaces) AC_ARG_WITH(interfaces, [ --without-interfaces don't try to read the ip addr of ether interfaces], -[case $with_interfaces in +[case $with_interfaces in yes) AC_MSG_RESULT(yes) ;; - no) AC_DEFINE(STUB_LOAD_INTERFACES, 1, [Define if the code in interfaces.c does not compile for you.]) + no) AC_DEFINE(STUB_LOAD_INTERFACES) AC_MSG_RESULT(no) ;; *) AC_MSG_ERROR(["--with-interfaces does not take an argument."]) @@ -965,7 +967,7 @@ AC_ARG_WITH(stow, [ --with-stow properly handle GNU stow packaging], [case $with_stow in yes) AC_MSG_RESULT(yes) - AC_DEFINE(USE_STOW, 1, [Define if you use stow packaging.]) + AC_DEFINE(USE_STOW) ;; no) AC_MSG_RESULT(no) ;; @@ -985,7 +987,7 @@ yes) AC_MSG_RESULT(yes) ;; no) AC_MSG_RESULT(no) - AC_DEFINE(NO_AUTHENTICATION, 1, [Define if you don't want sudo to prompt for a password by default.]) + AC_DEFINE(NO_AUTHENTICATION) ;; *) AC_MSG_RESULT(no) AC_MSG_WARN([Ignoring unknown argument to --enable-authentication: $enableval]) @@ -1000,7 +1002,7 @@ yes) AC_MSG_RESULT(no) ;; no) AC_MSG_RESULT(yes) - AC_DEFINE(NO_ROOT_MAILER, 1, [Define to avoid runing the mailer as root.]) + AC_DEFINE(NO_ROOT_MAILER) ;; *) AC_MSG_RESULT(no) AC_MSG_WARN([Ignoring unknown argument to --enable-root-mailer: $enableval]) 
@@ -1033,7 +1035,7 @@ yes) AC_MSG_RESULT(no) ;; no) AC_MSG_RESULT(yes) - AC_DEFINE(NO_SAVED_IDS, 1, [Define to avoid using POSIX saved ids.]) + AC_DEFINE(NO_SAVED_IDS) ;; *) AC_MSG_RESULT(no) AC_MSG_WARN([Ignoring unknown argument to --enable-saved-ids: $enableval]) @@ -1059,10 +1061,10 @@ AC_MSG_CHECKING(whether root should be allowed to use sudo) AC_ARG_ENABLE(root-sudo, [ --disable-root-sudo Don't allow root to run sudo], -[ case "$enableval" in +[ case "$enableval" in yes) AC_MSG_RESULT(yes) ;; - no) AC_DEFINE(NO_ROOT_SUDO, 1, [Define if root should not be allowed to use sudo.]) + no) AC_DEFINE(NO_ROOT_SUDO) AC_MSG_RESULT(no) root_sudo=off ;; @@ -1076,7 +1078,7 @@ [ --enable-log-host Log the hostname in the log file], [ case "$enableval" in yes) AC_MSG_RESULT(yes) - AC_DEFINE(HOST_IN_LOG, 1, [Define if you want the hostname to be entered into the log file.]) + AC_DEFINE(HOST_IN_LOG) ;; no) AC_MSG_RESULT(no) ;; @@ -1091,7 +1093,7 @@ [ --enable-noargs-shell If sudo is given no arguments run a shell], [ case "$enableval" in yes) AC_MSG_RESULT(yes) - AC_DEFINE(SHELL_IF_NO_ARGS, 1, [Define if you want sudo to start a shell if given no arguments.]) + AC_DEFINE(SHELL_IF_NO_ARGS) ;; no) AC_MSG_RESULT(no) ;; @@ -1107,7 +1109,7 @@ set $HOME to target user in shell mode], [ case "$enableval" in yes) AC_MSG_RESULT(yes) - AC_DEFINE(SHELL_SETS_HOME, 1, [Define if you want sudo to set $HOME in shell mode.]) + AC_DEFINE(SHELL_SETS_HOME) ;; no) AC_MSG_RESULT(no) ;; @@ -1124,7 +1126,7 @@ yes) AC_MSG_RESULT(no) ;; no) AC_MSG_RESULT(yes) - AC_DEFINE(DONT_LEAK_PATH_INFO, 1, [Define if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.]) + AC_DEFINE(DONT_LEAK_PATH_INFO) ;; *) AC_MSG_RESULT(no) AC_MSG_WARN([Ignoring unknown argument to --enable-path-info: $enableval]) 
@@ -1172,8 +1174,8 @@ eval _shrext="$shrext" fi AC_MSG_CHECKING(path to sudo_noexec.so) -AC_ARG_WITH(noexec, [ --with-noexec fully qualified pathname of sudo_noexec.so], -[case $with_noexec in +AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sudo_noexec.so], +[case $with_noexec in yes) with_noexec="$libexecdir/sudo_noexec$_shrext" ;; no) ;; @@ -1241,8 +1243,6 @@ # check for password adjunct functions (shadow passwords) if test "$CHECKSHADOW" = "true"; then AC_CHECK_FUNCS(getpwanam issecure, , [break]) - AH_TEMPLATE([HAVE_GETPWANAM], [Define if you have the `getpwanam' function. (SunOS 4.x shadow passwords)]) - AH_TEMPLATE([HAVE_ISSECURE], [Define if you have the `issecure' function. (SunOS 4.x check for shadow enabled)]) CHECKSHADOW="false" fi ;; @@ -1307,11 +1307,10 @@ fi ;; *-*-hpux9.*) - AC_DEFINE(BROKEN_SYSLOG, 1, [Define if the `syslog' function returns a non-zero int to denote failure.]) + AC_DEFINE(BROKEN_SYSLOG) if test "$CHECKSHADOW" = "true"; then AC_CHECK_FUNCS(getspwuid) - AH_TEMPLATE([HAVE_GETSPWUID], [Define if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)]) CHECKSHADOW="false" fi @@ -1325,7 +1324,7 @@ ;; *-*-hpux10.*) if test "$CHECKSHADOW" = "true"; then - AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) AC_CHECK_LIB(sec, iscomsec, AC_DEFINE(HAVE_ISCOMSEC, 1, [Define if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)])) [SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"; SECUREWARE=1]) + AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) AC_CHECK_LIB(sec, iscomsec, AC_DEFINE(HAVE_ISCOMSEC)) [SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"; SECUREWARE=1]) CHECKSHADOW="false" fi ;; 
@@ -1359,7 +1358,7 @@ # use SIA by default, if we have it, else SecureWare # unless overridden on the command line if test "$CHECKSIA" = "true"; then - AC_CHECK_FUNC(sia_ses_init, [AC_DEFINE(HAVE_SIA, 1, [Define if you use SIA.])] [ + AC_CHECK_FUNC(sia_ses_init, [AC_DEFINE(HAVE_SIA)] [ if test -n "$with_skey" -o -n "$with_opie" -o -n "$with_otp_only" -o -n "$with_long_otp_prompt" -o -n "$with_SecurID" -o -n "$with_fwtk" -o -n "$with_kerb4" -o -n "$with_kerb5" -o -n "$with_pam" -o -n "$with_AFS" -o -n "$with_DCE"; then AC_MSG_ERROR(["you cannot mix SIA and other authentication schemes. You can turn off SIA support via the --disable-sia option"]) fi]; CHECKSHADOW=false) @@ -1370,7 +1369,7 @@ fi if test -n "$SECUREWARE"; then - AC_DEFINE(HAVE_GETPRPWNAM, 1, [Define if you have the `getprpwnam' function. (SecureWare-style shadow passwords)]) + AC_DEFINE(HAVE_GETPRPWNAM) # -ldb includes bogus versions of snprintf/vsnprintf AC_CHECK_FUNCS(snprintf, , [NEED_SNPRINTF=1]) AC_CHECK_FUNCS(vsnprintf, , [NEED_SNPRINTF=1]) @@ -1441,7 +1440,7 @@ *-*-ultrix*) OS="ultrix" if test "$CHECKSHADOW" = "true"; then - AC_CHECK_LIB(auth, getauthuid, AC_DEFINE(HAVE_GETAUTHUID, 1, [Define if you have the `getauthuid' function. (ULTRIX 4.x shadow passwords)]) [SUDO_LIBS="${SUDO_LIBS} -lauth"; LIBS="${LIBS} -lauth"]) + AC_CHECK_LIB(auth, getauthuid, AC_DEFINE(HAVE_GETAUTHUID) [SUDO_LIBS="${SUDO_LIBS} -lauth"; LIBS="${LIBS} -lauth"]) CHECKSHADOW="false" fi ;; 
@@ -1607,7 +1606,7 @@ dnl We check for SVR4-style first and then SecureWare-style. dnl if test "$CHECKSHADOW" = "true"; then - AC_CHECK_FUNCS(getspnam, [CHECKSHADOW="false"], [AC_CHECK_LIB(gen, getspnam, AC_DEFINE(HAVE_GETSPNAM, 1, [Define if you have the `getspnam' function (SVR4-style shadow passwords)]) [SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen"])]) + AC_CHECK_FUNCS(getspnam, [CHECKSHADOW="false"], [AC_CHECK_LIB(gen, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen"])]) fi if test "$CHECKSHADOW" = "true"; then AC_CHECK_FUNC(getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1], AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"], AC_CHECK_LIB(security, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lprot"; LIBS="${LIBS} -lprot"])))]) @@ -1642,7 +1641,7 @@ if test "$OS" != "ultrix"; then AC_SYS_POSIX_TERMIOS if test "$ac_cv_sys_posix_termios" = "yes"; then - AC_DEFINE(HAVE_TERMIOS_H, 1, [Define if you have the header file and the `tcgetattr' function.]) + AC_DEFINE(HAVE_TERMIOS_H) else AC_CHECK_HEADERS(termio.h) fi 
@@ -1651,17 +1650,20 @@ AC_CHECK_HEADERS(login_cap.h) fi if test "$with_bsdauth" = "yes"; then - AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H, 1, [Define if you use BSD authentication.]) [with_passwd=no; AUTH_OBJS=bsdauth.o], -) + AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H) [with_passwd=no; AUTH_OBJS=bsdauth.o], -) fi dnl dnl typedef checks dnl AC_TYPE_MODE_T AC_TYPE_UID_T -AC_CHECK_TYPES([sig_atomic_t], , [AC_DEFINE(sig_atomic_t, int, [Define to `int' if does not define.])], [#include +AC_CHECK_TYPES([sig_atomic_t], , [AC_DEFINE(sig_atomic_t, int)], [#include #include ]) -AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T, 1, [Define if has the sigaction_t typedef.])], ,[#include +AC_CHECK_TYPES([sigaction_t], [AC_DEFINE(HAVE_SIGACTION_T)], ,[#include #include ]) +AC_CHECK_TYPE([struct timespec], [AC_DEFINE(HAVE_TIMESPEC)], , [#include +#include +#include ]) SUDO_TYPE_SIZE_T SUDO_TYPE_SSIZE_T SUDO_TYPE_DEV_T @@ -1681,7 +1683,7 @@ dnl Function checks dnl AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ - strftime setrlimit initgroups fstat fchown) + strftime setrlimit initgroups fstat gettimeofday) AC_CHECK_FUNCS(seteuid, , [AC_DEFINE(NO_SAVED_IDS)]) if test -z "$SKIP_SETRESUID"; then AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes]) 
@@ -1702,18 +1704,30 @@ AC_CHECK_FUNCS(waitpid wait3, [break]) AC_CHECK_FUNCS(innetgr _innetgr, [AC_CHECK_FUNCS(getdomainname) [break]]) AC_CHECK_FUNCS(lsearch, , [AC_CHECK_LIB(compat, lsearch, AC_CHECK_HEADER(search.h, AC_DEFINE(HAVE_LSEARCH) [LIBS="${LIBS} -lcompat"], AC_LIBOBJ(lsearch), -), AC_LIBOBJ(lsearch))]) -AC_CHECK_FUNCS(utime, [SUDO_FUNC_UTIME_POSIX], [AC_LIBOBJ(utime)]) -SUDO_FUNC_FNMATCH(AC_DEFINE(HAVE_FNMATCH, 1, [Define if you have the `fnmatch' function.]), AC_LIBOBJ(fnmatch)) +AC_CHECK_FUNCS(utimes, [AC_CHECK_FUNCS(futimes futimesat, [break])], [AC_CHECK_FUNCS(futime) AC_LIBOBJ(utimes)]) +SUDO_FUNC_FNMATCH(AC_DEFINE(HAVE_FNMATCH), AC_LIBOBJ(fnmatch)) SUDO_FUNC_ISBLANK AC_REPLACE_FUNCS(strerror strcasecmp sigaction strlcpy strlcat closefrom) AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf, , [NEED_SNPRINTF=1]) +if test X"$ac_cv_type_struct_timespec" != X"no"; then + AC_CHECK_MEMBER([struct stat.st_mtim], AC_DEFINE(HAVE_ST_MTIM), [AC_CHECK_MEMBER([struct stat.st_mtimespec], AC_DEFINE([HAVE_ST_MTIMESPEC]))]) + AC_MSG_CHECKING([for two-parameter timespecsub]) + AC_TRY_COMPILE([#include +#include ], [struct timespec ts1, ts2; +ts1.tv_sec = 1; ts1.tv_nsec = 0; ts2.tv_sec = 0; ts2.tv_nsec = 0; +#ifndef timespecsub +#error missing timespecsub +#endif +timespecsub(&ts1, &ts2);], + [AC_DEFINE(HAVE_TIMESPECSUB2) + AC_MSG_RESULT(yes)], [AC_MSG_RESULT(no)]) +fi dnl dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR. 
dnl AC_TRY_LINK([#include -#include <$ac_header_dirent>], [DIR d; (void)dirfd(&d);], [AC_DEFINE(HAVE_DIRFD, 1, [Define if you have the `fnmatch' function or macro.])], [AC_TRY_LINK([#include -#include <$ac_header_dirent>], [DIR d; (void)&d.dd_fd;], [AC_DEFINE(HAVE_DD_FD, - 1, [Define to 1 if your `DIR' contains dd_fd.])], [])]) +#include <$ac_header_dirent>], [DIR d; (void)dirfd(&d);], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include +#include <$ac_header_dirent>], [DIR d; (void)&d.dd_fd;], [AC_DEFINE(HAVE_DD_FD)], [])]) dnl dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS dnl (it contains snprintf, vsnprintf, asprintf, and vasprintf) @@ -1724,7 +1738,7 @@ dnl dnl if crypt(3) not in libc, look elsewhere dnl -if test -z "$LIB_CRYPT"; then +if test -z "$LIB_CRYPT" -a "$with_pam" != "yes"; then AC_CHECK_FUNC(crypt, , [AC_CHECK_LIB(crypt, crypt, [SUDO_LIBS="${SUDO_LIBS} -lcrypt"; LIBS="${LIBS} -lcrypt"], AC_CHECK_LIB(crypt_d, crypt, [SUDO_LIBS="${SUDO_LIBS} -lcrypt_d"; LIBS="${LIBS} -lcrypt_d"], AC_CHECK_LIB(ufc, crypt, [SUDO_LIBS="${SUDO_LIBS} -lufc"; LIBS="${LIBS} -lufc"])))]) fi dnl @@ -1760,7 +1774,7 @@ AC_TRY_LINK(, [extern char *__progname; (void)puts(__progname);], [sudo_cv___progname=yes], [sudo_cv___progname=no])]) if test "$sudo_cv___progname" = "yes"; then - AC_DEFINE(HAVE___PROGNAME, 1, [Define if your crt0.o defines the __progname symbol for you.]) + AC_DEFINE(HAVE___PROGNAME) else AC_LIBOBJ(getprogname) fi @@ -1770,7 +1784,7 @@ dnl Kerberos IV dnl if test -n "$with_kerb4"; then - AC_DEFINE(HAVE_KERB4, 1, [Define if you use Kerberos IV.]) + AC_DEFINE(HAVE_KERB4) dnl dnl Use the specified directory, if any, else search for correct inc dir dnl 
@@ -1833,7 +1847,7 @@ if test "$with_kerb5" = "yes"; then AC_CHECK_PROG(KRB5CONFIG, krb5-config, yes, "") if test -n "$KRB5CONFIG"; then - AC_DEFINE(HAVE_KERB5, 1, [Define if you use Kerberos V.]) + AC_DEFINE(HAVE_KERB5) AUTH_OBJS="${AUTH_OBJS} kerb5.o" CPPFLAGS="$CPPFLAGS `krb5-config --cflags`" SUDO_LIBS="$SUDO_LIBS `krb5-config --libs`" @@ -1844,13 +1858,13 @@ AC_TRY_COMPILE([#include ], [const char *tmp = heimdal_version;], [ AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_HEIMDAL, 1, [Define if your Kerberos is Heimdal.]) + AC_DEFINE(HAVE_HEIMDAL) ] ) fi fi if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then - AC_DEFINE(HAVE_KERB5, 1, [Define if you use Kerberos V.]) + AC_DEFINE(HAVE_KERB5) dnl dnl Use the specified directory, if any, else search for correct inc dir dnl @@ -1878,7 +1892,7 @@ AC_TRY_COMPILE([#include ], [const char *tmp = heimdal_version;], [ AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_HEIMDAL, 1, [Define if your Kerberos is Heimdal.]) + AC_DEFINE(HAVE_HEIMDAL) SUDO_LIBS="${SUDO_LIBS} -lkrb5 -ldes -lcom_err -lasn1" AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"]) ], [ @@ -1986,7 +2000,7 @@ AC_MSG_WARN([Unable to locate skey.h, you will have to edit the Makefile and add -I/path/to/skey/includes to CPPFLAGS]) fi AC_CHECK_LIB(skey, main, [found=yes], [AC_MSG_WARN([Unable to locate libskey.a, you will have to edit the Makefile and add -L/path/to/skey/lib to SUDO_LDFLAGS])]) - AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS, 1, [Define if your S/Key library has skeyaccess().])) + AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS)) LDFLAGS="$O_LDFLAGS" SUDO_LIBS="${SUDO_LIBS} -lskey" fi @@ -2144,7 +2158,7 @@ dnl Use passwd (and secureware) auth modules? dnl if test "$with_passwd" = "no"; then - AC_DEFINE(WITHOUT_PASSWD, 1, [Define to avoid using the passwd/shadow file for authentication.]) + AC_DEFINE(WITHOUT_PASSWD) if test -z "$AUTH_OBJS"; then AC_MSG_ERROR([no authentication methods defined.]) fi 
@@ -2180,7 +2194,7 @@ dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set dnl XXX - this is gross! dnl -if test "$with_noexec" != "no"; then +if test "$with_noexec" != "no"; then PROGS="${PROGS} sudo_noexec.la" INSTALL_NOEXEC="install-noexec" 
@@ -2214,8 +2228,77 @@ fi dnl -dnl Special bits for autoheader +dnl Autoheader templates dnl +AH_TEMPLATE(BROKEN_SYSLOG, [Define to 1 if the `syslog' function returns a non-zero int to denote failure.]) +AH_TEMPLATE(CLASSIC_INSULTS, [Define to 1 if you want the insults from the "classic" version sudo.]) +AH_TEMPLATE(CSOPS_INSULTS, [Define to 1 if you want insults culled from the twisted minds of CSOps.]) +AH_TEMPLATE(DONT_LEAK_PATH_INFO, [Define to 1 if you want sudo to display "command not allowed" instead of "command not found" when a command cannot be found.]) +AH_TEMPLATE(ENV_EDITOR, [Define to 1 if you want visudo to honor the EDITOR and VISUAL env variables.]) +AH_TEMPLATE(FQDN, [Define to 1 if you want to require fully qualified hosts in sudoers.]) +AH_TEMPLATE(GOONS_INSULTS, [Define to 1 if you want insults from the "Goon Show".]) +AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.]) +AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.]) +AH_TEMPLATE(HAVE_AUTHENTICATE, [Define to 1 if you use AIX general authentication.]) +AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.]) +AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.]) +AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.]) +AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.]) +AH_TEMPLATE(HAVE_FNMATCH, [Define to 1 if you have the `fnmatch' function.]) +AH_TEMPLATE(HAVE_FWTK, [Define to 1 if you use the FWTK authsrv daemon.]) +AH_TEMPLATE(HAVE_GETAUTHUID, [Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x shadow passwords)]) +AH_TEMPLATE(HAVE_GETPRPWNAM, [Define to 1 if you have the `getprpwnam' function. (SecureWare-style shadow passwords)]) +AH_TEMPLATE(HAVE_GETPWANAM, [Define to 1 if you have the `getpwanam' function. 
(SunOS 4.x shadow passwords)]) +AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR4-style shadow passwords)]) +AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords)]) +AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.]) +AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled)]) +AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled)]) +AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.]) +AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.]) +AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs . (OpenLDAP does not)]) +AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.]) +AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.]) +AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) +AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) +AH_TEMPLATE(HAVE_SIA, [Define to 1 if you use SIA authentication.]) +AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if has the sigaction_t typedef.]) +AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) +AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) +AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member]) +AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member]) +AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the header file and the `tcgetattr' function.]) +AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h]) +AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)]) +AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.]) +AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to 
be entered into the log file.]) +AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements]) +AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.]) +AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.]) +AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.]) +AH_TEMPLATE(NO_LECTURE, [Define to 1 if you don't want users to get the lecture the first they user sudo.]) +AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid runing the mailer as root.]) +AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.]) +AH_TEMPLATE(NO_SAVED_IDS, [Define to avoid using POSIX saved ids.]) +AH_TEMPLATE(PC_INSULTS, [Define to 1 to replace politically incorrect insults with less offensive ones.]) +AH_TEMPLATE(SECURE_PATH, [Define to 1 to override the user's path with a built-in one.]) +AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.]) +AH_TEMPLATE(SEND_MAIL_WHEN_NO_HOST, [Define to 1 to send mail when the user is not allowed to run sudo on this host.]) +AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is not in the sudoers file.]) +AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.]) +AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.]) +AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.]) +AH_TEMPLATE(USE_EXECV, [Define to 1 if you wish to use execv() instead of execvp() when running programs.]) +AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.]) +AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.]) +AH_TEMPLATE(USE_TTY_TICKETS, [Define to 1 if you want a different ticket file for each tty.]) +AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid 
using the passwd/shadow file for authentication.]) +AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.]) +AH_TEMPLATE(sig_atomic_t, [Define to `int' if does not define.]) + +dnl +dnl Bits to copy verbatim into config.h.in +dnl AH_VERBATIM([_GNU_SOURCE], [/* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE @@ -2238,6 +2321,22 @@ #define _SUDO_CONFIG_H]) AH_BOTTOM([/* + * Macros to pull sec and nsec parts of mtime from struct stat. + */ +#ifdef HAVE_ST_MTIM +# define mtim_getsec(_x) ((_x).st_mtim.tv_sec) +# define mtim_getnsec(_x) ((_x).st_mtim.tv_nsec) +#else +# ifdef HAVE_ST_MTIMESPEC +# define mtim_getsec(_x) ((_x).st_mtimespec.tv_sec) +# define mtim_getnsec(_x) ((_x).st_mtimespec.tv_nsec) +# else +# define mtim_getsec(_x) ((_x).st_mtime) +# define mtim_getnsec(_x) (0) +# endif /* HAVE_ST_MTIMESPEC */ +#endif /* HAVE_ST_MTIM */ + +/* * Emulate a subset of waitpid() if we don't have it. */ #ifdef HAVE_WAITPID diff -urN sudo-1.6.8/def_data.c sudo-1.6.8p12/def_data.c --- sudo-1.6.8/def_data.c Fri Feb 13 15:59:38 2004 +++ sudo-1.6.8p12/def_data.c Mon Nov 29 12:32:44 2004 @@ -15,8 +15,8 @@ static struct def_values def_data_verifypw[] = { { "never", never }, - { "any", any }, { "all", all }, + { "any", any }, { "always", always }, { NULL, 0 }, }; diff -urN sudo-1.6.8/def_data.h sudo-1.6.8p12/def_data.h --- sudo-1.6.8/def_data.h Fri Feb 13 15:59:38 2004 +++ sudo-1.6.8p12/def_data.h Mon Nov 29 12:32:44 2004 @@ -120,5 +120,5 @@ once, always, any, - all, + all }; diff -urN sudo-1.6.8/def_data.in sudo-1.6.8p12/def_data.in --- sudo-1.6.8/def_data.in Fri Feb 13 15:59:38 2004 +++ sudo-1.6.8p12/def_data.in Sun Nov 28 16:05:13 2004 
@@ -166,7 +166,7 @@ verifypw T_TUPLE|T_BOOL "When to require a password for 'verify' pseudocommand: %s" - never any all always + never all any always noexec T_FLAG "Preload the dummy exec functions contained in 'noexec_file'" diff -urN sudo-1.6.8/defaults.c sudo-1.6.8p12/defaults.c --- sudo-1.6.8/defaults.c Sun Jun 6 19:58:10 2004 +++ sudo-1.6.8p12/defaults.c Fri Nov 26 14:22:43 2004 @@ -345,13 +345,10 @@ } break; case T_TUPLE: - if (!val) { - /* Check for bogus boolean usage or lack of a value. */ - if (!ISSET(cur->type, T_BOOL) || op != FALSE) { - warnx("no value specified for `%s' on line %d", - var, sudolineno); - return(FALSE); - } + if (!val && !ISSET(cur->type, T_BOOL)) { + warnx("no value specified for `%s' on line %d", + var, sudolineno); + return(FALSE); } if (!store_tuple(val, cur, op)) { warnx("value `%s' is invalid for option `%s'", val, var); @@ -564,16 +561,16 @@ * This does assume that the first entry in the tuple enum will * be the equivalent to a boolean "false". */ - if (op == FALSE) { - def->sd_un.ival = 0; + if (!val) { + def->sd_un.ival = (op == FALSE) ? 0 : 1; } else { - for (v = def->values; v != NULL; v++) { + for (v = def->values; v->sval != NULL; v++) { if (strcmp(v->sval, val) == 0) { def->sd_un.ival = v->ival; break; } } - if (v == NULL) + if (v->sval == NULL) return(FALSE); } if (def->callback) diff -urN sudo-1.6.8/emul/utime.h sudo-1.6.8p12/emul/utime.h --- sudo-1.6.8/emul/utime.h Fri Feb 13 16:25:52 2004 +++ sudo-1.6.8p12/emul/utime.h Sat Sep 11 12:25:27 2004 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1998, 1999 Todd C. Miller + * Copyright (c) 1996,1998,1999,2004 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -22,6 +22,10 @@ time_t modtime; /* mod time */ }; -int utime __P((const char *, const struct utimbuf *)); +#ifdef __STDC__ +int utime(const char *, const struct utimbuf *); +#else +int utime(); +#endif #endif /* _UTIME_H */ diff -urN sudo-1.6.8/env.c sudo-1.6.8p12/env.c --- sudo-1.6.8/env.c Sun Jun 6 19:58:10 2004 +++ sudo-1.6.8p12/env.c Tue Nov 8 13:21:33 2005 @@ -52,7 +52,7 @@ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: env.c,v 1.39 2004/06/06 23:58:10 millert Exp $"; +static const char rcsid[] = "$Sudo: env.c,v 1.42 2004/09/08 15:57:49 millert Exp $"; #endif /* lint */ /* @@ -69,7 +69,7 @@ #undef DID_LOGNAME #define DID_LOGNAME 0x10 #undef DID_USER -#define DID_USER 0x12 +#define DID_USER 0x20 #undef VNULL #define VNULL (VOID *)NULL @@ -88,6 +88,7 @@ */ static const char *initial_badenv_table[] = { "IFS", + "CDPATH", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @@ -123,6 +124,12 @@ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PS4", + "SHELLOPTS", + "JAVA_TOOL_OPTIONS", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", NULL }; @@ -141,7 +148,7 @@ static size_t env_len; /* number of slots used, not counting NULL */ /* - * Zero out environment and replace with a minimal set of + * Zero out environment and replace with a minimal set of KRB5CCNAME * USER, LOGNAME, HOME, TZ, PATH (XXX - should just set path to default) * May set user_path, user_shell, and/or user_prompt as side effects. */ @@ -149,8 +156,9 @@ zero_env(envp) char **envp; { - char **ep, **nep; - static char *newenv[7]; + static char *newenv[9]; + char **ep, **nep = newenv; + char **ne_last = &newenv[(sizeof(newenv) / sizeof(newenv[0])) - 1]; extern char *prev_user; for (ep = envp; *ep; ep++) { @@ -159,6 +167,10 @@ if (strncmp("HOME=", *ep, 5) == 0) break; continue; + case 'K': + if (strncmp("KRB5CCNAME=", *ep, 11) == 0) + break; + continue; case 'L': if (strncmp("LOGNAME=", *ep, 8) == 0) break; 
@@ -195,9 +207,26 @@ if (**nep == **ep) break; } - if (*nep == NULL) - *nep++ = *ep; + if (*nep == NULL) { + if (nep < ne_last) + *nep++ = *ep; + else + errx(1, "internal error, attempt to write outside newenv"); + } } + +#ifdef HAVE_LDAP + /* + * Prevent OpenLDAP from reading any user dotfiles + * or files in the current directory. + * + */ + if (nep < ne_last) + *nep++ = "LDAPNOINIT=1"; + else + errx(1, "internal error, attempt to write outside newenv"); +#endif + return(&newenv[0]); } @@ -313,6 +342,13 @@ /* Pull in vars we want to keep from the old environment. */ for (ep = envp; *ep; ep++) { keepit = 0; + + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } + for (cur = def_env_keep; cur; cur = cur->next) { len = strlen(cur->value); /* Deal with '*' wildcard */ @@ -395,6 +431,12 @@ for (ep = envp; *ep; ep++) { okvar = 1; + /* Skip variables with values beginning with () (bash functions) */ + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; + } + /* Skip anything listed in env_delete. */ for (cur = def_env_delete; cur && okvar; cur = cur->next) { len = strlen(cur->value); @@ -463,7 +505,7 @@ * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html * XXX - should prepend to original value, if any */ - if (noexec && def_noexec_file != NULL) + if (noexec && def_noexec_file != NULL) { #if defined(__darwin__) || defined(__APPLE__) insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1); insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1); @@ -474,6 +516,7 @@ insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1); # endif #endif + } /* Set PS1 if SUDO_PS1 is set. */ if (ps1) diff -urN sudo-1.6.8/fileops.c sudo-1.6.8p12/fileops.c --- sudo-1.6.8/fileops.c Mon May 31 21:16:49 2004 +++ sudo-1.6.8p12/fileops.c Wed Sep 8 11:48:23 2004 
@@ -22,6 +22,7 @@ #include #include +#include #ifdef HAVE_FLOCK # include #endif /* HAVE_FLOCK */ @@ -31,41 +32,38 @@ #endif /* HAVE_UNISTD_H */ #include #include -#ifdef HAVE_UTIME -# ifdef HAVE_UTIME_H -# include -# endif /* HAVE_UTIME_H */ -#else -# include "emul/utime.h" -#endif /* HAVE_UTIME */ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: fileops.c,v 1.5 2004/02/13 21:36:43 millert Exp $"; +static const char rcsid[] = "$Sudo: fileops.c,v 1.9 2004/09/08 15:48:23 millert Exp $"; #endif /* lint */ /* - * Update the access and modify times on a file. + * Update the access and modify times on an fd or file. */ int -touch(path, when) +touch(fd, path, tsp) + int fd; char *path; - time_t when; + struct timespec *tsp; { -#ifdef HAVE_UTIME_POSIX - struct utimbuf ut, *utp; + struct timeval times[2]; - ut.actime = ut.modtime = when; - utp = &ut; -#else - /* BSD <= 4.3 has no struct utimbuf */ - time_t utp[2]; + if (tsp != NULL) { + times[0].tv_sec = times[1].tv_sec = tsp->tv_sec; + times[0].tv_usec = times[1].tv_usec = tsp->tv_nsec / 1000; + } - utp[0] = utp[1] = when; -#endif /* HAVE_UTIME_POSIX */ - - return(utime(path, utp)); +#if defined(HAVE_FUTIME) || defined(HAVE_FUTIMES) + if (fd != -1) + return(futimes(fd, tsp ? times : NULL)); + else +#endif + if (path != NULL) + return(utimes(path, tsp ? times : NULL)); + else + return(-1); } /* diff -urN sudo-1.6.8/find_path.c sudo-1.6.8p12/find_path.c --- sudo-1.6.8/find_path.c Mon Aug 2 14:16:25 2004 +++ sudo-1.6.8p12/find_path.c Tue Aug 24 14:01:12 2004 @@ -51,7 +51,7 @@ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: find_path.c,v 1.108 2004/06/07 00:02:56 millert Exp $"; +static const char rcsid[] = "$Sudo: find_path.c,v 1.109 2004/08/24 18:01:12 millert Exp $"; #endif /* lint */ /* 
@@ -62,9 +62,10 @@ * but it is in '.' and IGNORE_DOT is set. */ int -find_path(infile, outfile, path) +find_path(infile, outfile, sbp, path) char *infile; /* file to find */ char **outfile; /* result parameter */ + struct stat *sbp; /* stat result parameter */ char *path; /* path to search */ { static char command[PATH_MAX]; /* qualified filename */ @@ -83,7 +84,7 @@ */ if (strchr(infile, '/')) { strlcpy(command, infile, sizeof(command)); /* paranoia */ - if (sudo_goodpath(command)) { + if (sudo_goodpath(command, sbp)) { *outfile = command; return(FOUND); } else @@ -120,7 +121,7 @@ len = snprintf(command, sizeof(command), "%s/%s", path, infile); if (len <= 0 || len >= sizeof(command)) errx(1, "%s: File name too long", infile); - if ((result = sudo_goodpath(command))) + if ((result = sudo_goodpath(command, sbp))) break; path = n + 1; @@ -132,7 +133,7 @@ * Check current dir if dot was in the PATH */ if (!result && checkdot) { - result = sudo_goodpath(infile); + result = sudo_goodpath(infile, sbp); if (result && def_ignore_dot) return(NOT_FOUND_DOT); } diff -urN sudo-1.6.8/gettime.c sudo-1.6.8p12/gettime.c --- sudo-1.6.8/gettime.c Wed Dec 31 19:00:00 1969 +++ sudo-1.6.8p12/gettime.c Wed Sep 8 11:47:09 2004 
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2004 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include "config.h" +#include + +#ifndef lint +static const char rcsid[] = "$Sudo: gettime.c,v 1.1 2004/09/08 15:47:09 millert Exp $"; +#endif /* lint */ + +/* + * Get the current time via gettimeofday() for systems with + * timespecs in struct stat or, otherwise, using time(). + * XXX - configure check for gettimeofday() - XXX + */ +int +gettime(ts) + struct timespec *ts; +{ + int rval; +#if defined(HAVE_GETTIMEOFDAY) && (defined(HAVE_ST_MTIM) || defined(HAVE_ST_MTIMESPEC)) + struct timeval tv; + + rval = gettimeofday(&tv, NULL); + ts->tv_sec = tv.tv_sec; + ts->tv_nsec = tv.tv_usec * 1000; +#else + rval = (int)time(&ts->tv_sec); + ts->tv_nsec = 0; +#endif + return (rval); +} diff -urN sudo-1.6.8/goodpath.c sudo-1.6.8p12/goodpath.c --- sudo-1.6.8/goodpath.c Wed Jul 21 14:57:26 2004 +++ sudo-1.6.8p12/goodpath.c Tue Aug 24 14:01:13 2004 
@@ -40,15 +40,16 @@ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: goodpath.c,v 1.40 2004/02/13 21:36:43 millert Exp $"; +static const char rcsid[] = "$Sudo: goodpath.c,v 1.41 2004/08/24 18:01:13 millert Exp $"; #endif /* lint */ /* * Verify that path is a normal file and executable by root. */ char * -sudo_goodpath(path) +sudo_goodpath(path, sbp) const char *path; + struct stat *sbp; { struct stat sb; @@ -65,5 +66,7 @@ return(NULL); } + if (sbp != NULL) + (void) memcpy(sbp, &sb, sizeof(struct stat)); return((char *)path); } diff -urN sudo-1.6.8/ins_csops.h sudo-1.6.8p12/ins_csops.h --- sudo-1.6.8/ins_csops.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.8p12/ins_csops.h Tue Sep 14 17:43:31 2004 @@ -13,7 +13,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: ins_csops.h,v 1.28 2004/02/13 21:36:43 millert Exp $ + * $Sudo: ins_csops.h,v 1.29 2004/09/14 21:43:31 millert Exp $ */ #ifndef _SUDO_INS_CSOPS_H @@ -28,7 +28,11 @@ "stty: unknown mode: doofus", "I can't hear you -- I'm using the scrambler.", "The more you drive -- the dumber you get.", +#ifdef PC_INSULTS + "Listen, broccoli brains, I don't have time to listen to this trash.", +#else "Listen, burrito brains, I don't have time to listen to this trash.", +#endif "I've seen penguins that can type better than that.", "Have you considered trying to match wits with a rutabaga?", "You speak an infinite deal of nothing", diff -urN sudo-1.6.8/ldap.c sudo-1.6.8p12/ldap.c --- sudo-1.6.8/ldap.c Thu Aug 5 21:13:04 2004 +++ sudo-1.6.8p12/ldap.c Sun Jun 19 17:31:51 2005 
@@ -57,19 +57,19 @@ #include "parse.h" #ifndef lint -static const char rcsid[] = "$Sudo: ldap.c,v 1.11 2004/08/03 02:34:20 aaron Exp $"; +static const char rcsid[] = "$Sudo: ldap.c,v 1.14 2004/09/02 04:03:25 aaron Exp $"; #endif /* lint */ /* LDAP code below */ -#ifndef LDAP_CONFIG -#define LDAP_CONFIG "/etc/ldap.conf" -#endif - #ifndef BUF_SIZ #define BUF_SIZ 1024 #endif +#ifndef LDAP_OPT_SUCCESS +#define LDAP_OPT_SUCCESS LDAP_SUCCESS +#endif + extern int printmatches; /* ldap configuration structure */ @@ -82,6 +82,13 @@ char *bindpw; char *base; char *ssl; + int tls_checkpeer; + char *tls_cacertfile; + char *tls_cacertdir; + char *tls_random_file; + char *tls_cipher_suite; + char *tls_certfile; + char *tls_keyfile; int debug; } ldap_conf; @@ -271,8 +278,6 @@ /* Match against ALL ? */ if (!strcasecmp(*p,"ALL")) { ret=1; - if (safe_cmnd) free (safe_cmnd); - safe_cmnd=estrdup(user_cmnd); if (ldap_conf.debug>1) printf(" MATCH!\n"); continue; } @@ -464,6 +469,19 @@ return b ; } +/* + * Map yes/true/on to 1, no/false/off to 0, else -1 + */ +int +_atobool(s) + char *s; +{ + if (!strcasecmp(s,"yes") || !strcasecmp(s,"true") || !strcasecmp(s,"on")) + return 1; + if (!strcasecmp(s,"no") || !strcasecmp(s,"false") || !strcasecmp(s,"off")) + return 0; + return -1; +} int sudo_ldap_read_config() @@ -474,7 +492,9 @@ char *keyword; char *value; - f=fopen(LDAP_CONFIG,"r"); + ldap_conf.tls_checkpeer=-1; /* default */ + + f=fopen(_PATH_LDAP_CONF,"r"); if (!f) return 0; while (f && fgets(buf,sizeof(buf)-1,f)){ c=buf; @@ -506,6 +526,7 @@ #define MATCH_S(x,y) if (!strcasecmp(keyword,x)) \ { if (y) free(y); y=estrdup(value); } #define MATCH_I(x,y) if (!strcasecmp(keyword,x)) { y=atoi(value); } +#define MATCH_B(x,y) if (!strcasecmp(keyword,x)) { y=_atobool(value); } 
@@ -514,6 +535,13 @@ MATCH_S("host", ldap_conf.host) else MATCH_I("port", ldap_conf.port) else MATCH_S("ssl", ldap_conf.ssl) + else MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer) + else MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile) + else MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir) + else MATCH_S("tls_randfile", ldap_conf.tls_random_file) + else MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite) + else MATCH_S("tls_cert", ldap_conf.tls_certfile) + else MATCH_S("tls_key", ldap_conf.tls_keyfile) else MATCH_I("ldap_version", ldap_conf.version) else MATCH_S("uri", ldap_conf.uri) else MATCH_S("binddn", ldap_conf.binddn) @@ -541,13 +569,18 @@ if (ldap_conf.debug>1) { printf("LDAP Config Summary\n"); printf("===================\n"); +#ifdef HAVE_LDAP_INITIALIZE + if (ldap_conf.uri){ + printf("uri %s\n", ldap_conf.uri); + } else +#endif + { printf("host %s\n", ldap_conf.host ? ldap_conf.host : "(NONE)"); printf("port %d\n", ldap_conf.port); + } printf("ldap_version %d\n", ldap_conf.version); - printf("uri %s\n", ldap_conf.uri ? - ldap_conf.uri : "(NONE)"); printf("sudoers_base %s\n", ldap_conf.base ? ldap_conf.base : "(NONE) <---Sudo will ignore ldap)"); printf("binddn %s\n", ldap_conf.binddn ? @@ -555,7 +588,7 @@ printf("bindpw %s\n", ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)"); #ifdef HAVE_LDAP_START_TLS_S - printf("ssl %s\n", ldap_conf.ssl ? + printf("ssl %s\n", ldap_conf.ssl ? ldap_conf.ssl : "(no)"); #endif printf("===================\n"); 
@@ -681,7 +714,62 @@ if (!sudo_ldap_read_config()) return VALIDATE_ERROR; + /* macro to set option, error on failure plus consistent debugging */ +#define SET_OPT(opt,optname,val) \ + if (ldap_conf.val!=NULL) { \ + if (ldap_conf.debug>1) fprintf(stderr, \ + "ldap_set_option(LDAP_OPT_%s,\"%s\")\n",optname,ldap_conf.val); \ + rc=ldap_set_option(ld,opt,ldap_conf.val); \ + if(rc != LDAP_OPT_SUCCESS){ \ + fprintf(stderr,"ldap_set_option(LDAP_OPT_%s,\"%s\")=%d: %s\n", \ + optname, ldap_conf.val, rc, ldap_err2string(rc)); \ + return VALIDATE_ERROR ; \ + } \ + } \ + /* like above, but assumes val is in int */ +#define SET_OPTI(opt,optname,val) \ + if (ldap_conf.debug>1) fprintf(stderr, \ + "ldap_set_option(LDAP_OPT_%s,0x%02x)\n",optname,ldap_conf.val); \ + rc=ldap_set_option(ld,opt,&ldap_conf.val); \ + if(rc != LDAP_OPT_SUCCESS){ \ + fprintf(stderr,"ldap_set_option(LDAP_OPT_%s,0x%02x)=%d: %s\n", \ + optname, ldap_conf.val, rc, ldap_err2string(rc)); \ + return VALIDATE_ERROR ; \ + } \ + + /* attempt to setup ssl options */ +#ifdef LDAP_OPT_X_TLS_CACERTFILE + SET_OPT(LDAP_OPT_X_TLS_CACERTFILE, "X_TLS_CACERTFILE", tls_cacertfile); +#endif /* LDAP_OPT_X_TLS_CACERTFILE */ + +#ifdef LDAP_OPT_X_TLS_CACERTDIR + SET_OPT(LDAP_OPT_X_TLS_CACERTDIR, "X_TLS_CACERTDIR", tls_cacertdir); +#endif /* LDAP_OPT_X_TLS_CACERTDIR */ + +#ifdef LDAP_OPT_X_TLS_CERTFILE + SET_OPT(LDAP_OPT_X_TLS_CERTFILE, "X_TLS_CERTFILE", tls_certfile); +#endif /* LDAP_OPT_X_TLS_CERTFILE */ + +#ifdef LDAP_OPT_X_TLS_KEYFILE + SET_OPT(LDAP_OPT_X_TLS_KEYFILE, "X_TLS_KEYFILE", tls_keyfile); +#endif /* LDAP_OPT_X_TLS_KEYFILE */ + +#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + SET_OPT(LDAP_OPT_X_TLS_CIPHER_SUITE, "X_TLS_CIPHER_SUITE", tls_cipher_suite); +#endif /* LDAP_OPT_X_TLS_CIPHER_SUITE */ + +#ifdef LDAP_OPT_X_TLS_RANDOM_FILE + SET_OPT(LDAP_OPT_X_TLS_RANDOM_FILE, "X_TLS_RANDOM_FILE", tls_random_file); +#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */ + +#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + /* check the server certificate? 
*/ + if (ldap_conf.tls_checkpeer!=-1){ + SET_OPTI(LDAP_OPT_X_TLS_REQUIRE_CERT,"X_TLS_REQUIRE_CERT",tls_checkpeer); + } +#endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */ + /* attempt connect */ #ifdef HAVE_LDAP_INITIALIZE if (ldap_conf.uri) { @@ -713,13 +801,7 @@ #ifdef LDAP_OPT_PROTOCOL_VERSION /* Set the LDAP Protocol version */ - - rc=ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,&ldap_conf.version); - if(rc){ - fprintf(stderr,"ldap_set_option(protocol=%d)=%d : %s\n", - ldap_conf.version, rc, ldap_err2string(rc)); - return VALIDATE_ERROR ; - } + SET_OPTI(LDAP_OPT_PROTOCOL_VERSION,"PROTOCOL_VERSION", version); #endif /* LDAP_OPT_PROTOCOL_VERSION */ diff -urN sudo-1.6.8/mkdefaults sudo-1.6.8p12/mkdefaults --- sudo-1.6.8/mkdefaults Fri Jan 16 17:10:55 2004 +++ sudo-1.6.8p12/mkdefaults Mon Nov 29 12:32:29 2004 @@ -109,8 +109,9 @@ # Print out def_tuple if (@tuple_values) { print HEADER "\nenum def_tupple {\n"; - foreach (@tuple_values) { - print HEADER "\t$_,\n"; + for ($i = 0; $i <= $#tuple_values; $i++) { + printf HEADER "\t%s%s\n", $tuple_values[$i], + $i != $#tuple_values ? "," : ""; } print HEADER "};\n"; } diff -urN sudo-1.6.8/parse.c sudo-1.6.8p12/parse.c --- sudo-1.6.8/parse.c Thu Aug 5 18:30:23 2004 +++ sudo-1.6.8p12/parse.c Sun Jun 19 16:03:24 2005 @@ -82,7 +82,7 @@ #endif /* HAVE_FNMATCH */ #ifndef lint -static const char rcsid[] = "$Sudo: parse.c,v 1.160 2004/08/02 18:44:58 millert Exp $"; +static const char rcsid[] = "$Sudo: parse.c,v 1.161 2004/08/24 18:01:13 millert Exp $"; #endif /* lint */ /* 
@@ -230,27 +230,25 @@ * otherwise, return TRUE if user_cmnd names one of the inodes in path. */ int -command_matches(path, sudoers_args) - char *path; +command_matches(sudoers_cmnd, sudoers_args) + char *sudoers_cmnd; char *sudoers_args; { - int plen; - static struct stat cst; - struct stat pst; - DIR *dirp; + struct stat sudoers_stat; struct dirent *dent; char buf[PATH_MAX]; - static char *cmnd_base; + DIR *dirp; /* Check for pseudo-commands */ if (strchr(user_cmnd, '/') == NULL) { /* - * Return true if both path and user_cmnd are "sudoedit" AND + * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND * a) there are no args in sudoers OR * b) there are no args on command line and none req by sudoers OR * c) there are args in sudoers and on command line and they match */ - if (strcmp(path, "sudoedit") != 0 || strcmp(user_cmnd, "sudoedit") != 0) + if (strcmp(sudoers_cmnd, "sudoedit") != 0 || + strcmp(user_cmnd, "sudoedit") != 0) return(FALSE); if (!sudoers_args || (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) || @@ -258,29 +256,17 @@ fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0)) { if (safe_cmnd) free(safe_cmnd); - safe_cmnd = estrdup(path); + safe_cmnd = estrdup(sudoers_cmnd); return(TRUE); } else return(FALSE); } - plen = strlen(path); - - /* Only need to stat user_cmnd and set base once since it never changes */ - if (cmnd_base == NULL) { - if (stat(user_cmnd, &cst) == -1) - return(FALSE); - if ((cmnd_base = strrchr(user_cmnd, '/')) == NULL) - cmnd_base = user_cmnd; - else - cmnd_base++; - } - /* - * If the pathname has meta characters in it use fnmatch(3) - * to do the matching + * If sudoers_cmnd has meta characters in it, use fnmatch(3) + * to do the matching. */ - if (has_meta(path)) { + if (has_meta(sudoers_cmnd)) { /* * Return true if fnmatch(3) succeeds AND * a) there are no args in sudoers OR 
@@ -288,7 +274,7 @@ * c) there are args in sudoers and on command line and they match * else return false. */ - if (fnmatch(path, user_cmnd, FNM_PATHNAME) != 0) + if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) return(FALSE); if (!sudoers_args || (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) || @@ -301,19 +287,22 @@ } else return(FALSE); } else { + size_t dlen = strlen(sudoers_cmnd); + /* * No meta characters * Check to make sure this is not a directory spec (doesn't end in '/') */ - if (path[plen - 1] != '/') { - char *p; + if (sudoers_cmnd[dlen - 1] != '/') { + char *base; - /* Only proceed if cmnd_base and basename(path) are the same */ - if ((p = strrchr(path, '/')) == NULL) - p = path; + /* Only proceed if user_base and basename(sudoers_cmnd) match */ + if ((base = strrchr(sudoers_cmnd, '/')) == NULL) + base = sudoers_cmnd; else - p++; - if (strcmp(cmnd_base, p) != 0 || stat(path, &pst) == -1) + base++; + if (strcmp(user_base, base) != 0 || + stat(sudoers_cmnd, &sudoers_stat) == -1) return(FALSE); /* @@ -322,7 +311,8 @@ * b) there are no args on command line and none req by sudoers OR * c) there are args in sudoers and on command line and they match */ - if (cst.st_dev != pst.st_dev || cst.st_ino != pst.st_ino) + if (user_stat->st_dev != sudoers_stat.st_dev || + user_stat->st_ino != sudoers_stat.st_ino) return(FALSE); if (!sudoers_args || (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) || 
@@ -330,31 +320,33 @@ fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0)) { if (safe_cmnd) free(safe_cmnd); - safe_cmnd = estrdup(path); + safe_cmnd = estrdup(sudoers_cmnd); return(TRUE); } else return(FALSE); } /* - * Grot through path's directory entries, looking for cmnd_base. + * Grot through sudoers_cmnd's directory entries, looking for user_base. */ - dirp = opendir(path); + dirp = opendir(sudoers_cmnd); if (dirp == NULL) return(FALSE); - if (strlcpy(buf, path, sizeof(buf)) >= sizeof(buf)) + if (strlcpy(buf, sudoers_cmnd, sizeof(buf)) >= sizeof(buf)) return(FALSE); while ((dent = readdir(dirp)) != NULL) { /* ignore paths > PATH_MAX (XXX - log) */ - buf[plen] = '\0'; + buf[dlen] = '\0'; if (strlcat(buf, dent->d_name, sizeof(buf)) >= sizeof(buf)) continue; /* only stat if basenames are the same */ - if (strcmp(cmnd_base, dent->d_name) != 0 || stat(buf, &pst) == -1) + if (strcmp(user_base, dent->d_name) != 0 || + stat(buf, &sudoers_stat) == -1) continue; - if (cst.st_dev == pst.st_dev && cst.st_ino == pst.st_ino) { + if (user_stat->st_dev == sudoers_stat.st_dev && + user_stat->st_ino == sudoers_stat.st_ino) { if (safe_cmnd) free(safe_cmnd); safe_cmnd = estrdup(buf); diff -urN sudo-1.6.8/parse.yacc sudo-1.6.8p12/parse.yacc --- sudo-1.6.8/parse.yacc Wed Aug 11 14:29:10 2004 +++ sudo-1.6.8p12/parse.yacc Sun Jun 19 14:24:32 2005 @@ -676,10 +676,6 @@ } $$ = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } | ALIAS { aliasinfo *aip; diff -urN sudo-1.6.8/pathnames.h.in sudo-1.6.8p12/pathnames.h.in --- sudo-1.6.8/pathnames.h.in Mon May 17 16:28:54 2004 +++ sudo-1.6.8p12/pathnames.h.in Thu Aug 26 23:44:35 2004 @@ -18,7 +18,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: pathnames.h.in,v 1.51 2004/05/17 20:28:54 millert Exp $ + * $Sudo: pathnames.h.in,v 1.52 2004/08/27 03:44:35 aaron Exp $ */ /* 
@@ -108,3 +108,7 @@ #ifndef _PATH_USRTMP #define _PATH_USRTMP "/usr/tmp/" #endif /* _PATH_USRTMP */ + +#ifndef _PATH_LDAP_CONF +#define _PATH_LDAP_CONF "/etc/ldap.conf" +#endif /* _PATH_LDAP_CONF */ diff -urN sudo-1.6.8/sample.pam sudo-1.6.8p12/sample.pam --- sudo-1.6.8/sample.pam Sat Dec 18 16:24:13 1999 +++ sudo-1.6.8p12/sample.pam Mon Sep 6 12:10:42 2004 
@@ -1,8 +1,30 @@ #%PAM-1.0 -# Sample /etc/pam.d/sudo file for RedHat Linux 5.0 and above. -# This is where you configure your authorization method. The uncommented -# line below does 'normal' (/etc/passwd) authentication. The commented line -# just above is what I use on my system, which allows my users to validate -# against our Windows NT domain. - GJC -#auth required /lib/security/pam_smb_auth.so -auth required /lib/security/pam_pwdb.so shadow nullok +# Sample /etc/pam.d/sudo file for RedHat 9 / Fedora Core. +# For other Linux distributions you may want to +# use /etc/pam.d/sshd or /etc/pam.d/su as a guide. +# +# There are two basic ways to configure PAM, either via pam_stack +# or by explicitly specifying the various methods to use. +# +# Here we use pam_stack +auth required pam_stack.so service=system-auth +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth +# +# Alternately, you can specify the authentication method directly. +# Here we use pam_unix for normal password authentication. +#auth required pam_env.so +#auth sufficient pam_unix.so +#account required pam_unix.so +#password required pam_cracklib.so retry=3 type= +#password required pam_unix.so nullok use_authtok md5 shadow +#session required pam_limits.so +#session required pam_unix.so +# +# Another option is to use SMB for authentication. +#auth required pam_env.so +#auth sufficient pam_smb_auth.so +#account required pam_smb_auth.so +#password required pam_smb_auth.so +#session required pam_limits.so diff -urN sudo-1.6.8/sudo.c sudo-1.6.8p12/sudo.c --- sudo-1.6.8/sudo.c Fri Aug 6 19:42:52 2004 +++ sudo-1.6.8p12/sudo.c Sun Jun 19 16:35:46 2005 @@ -93,7 +93,7 @@ #include "version.h" #ifndef lint -static const char rcsid[] = "$Sudo: sudo.c,v 1.369 2004/08/06 23:42:52 millert Exp $"; +static const char rcsid[] = "$Sudo: sudo.c,v 1.370 2004/08/24 18:01:13 millert Exp $"; #endif /* lint */ /* 
@@ -275,6 +275,8 @@ /* Validate the user but don't search for pseudo-commands. */ validated = sudoers_lookup(pwflag); } + if (safe_cmnd == NULL) + safe_cmnd = user_cmnd; /* * If we are using set_perms_posix() and the stay_setuid flag was not set, @@ -391,14 +393,6 @@ exit(0); } - /* This *must* have been set if we got a match but... */ - if (safe_cmnd == NULL) { - log_error(MSG_ONLY, - "internal error, safe_cmnd never got set for %s; %s", - user_cmnd, - "please report this error at http://courtesan.com/sudo/bugs/"); - } - /* Override user's umask if configured to do so. */ if (def_umask != 0777) (void) umask(def_umask); @@ -622,16 +616,17 @@ /* Resolve the path and return. */ rval = FOUND; + user_stat = emalloc(sizeof(struct stat)); if (sudo_mode & (MODE_RUN | MODE_EDIT)) { if (ISSET(sudo_mode, MODE_RUN)) { /* XXX - default_runas may be modified during parsing of sudoers */ set_perms(PERM_RUNAS); - rval = find_path(NewArgv[0], &user_cmnd, user_path); + rval = find_path(NewArgv[0], &user_cmnd, user_stat, user_path); set_perms(PERM_ROOT); if (rval != FOUND) { /* Failed as root, try as invoking user. */ set_perms(PERM_USER); - rval = find_path(NewArgv[0], &user_cmnd, user_path); + rval = find_path(NewArgv[0], &user_cmnd, user_stat, user_path); set_perms(PERM_ROOT); } } @@ -662,6 +657,10 @@ *--to = '\0'; } } + if ((user_base = strrchr(user_cmnd, '/')) != NULL) + user_base++; + else + user_base = user_cmnd; return(rval); } @@ -832,6 +831,12 @@ NewArgv++; } + if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) { + if (excl != '\0') + warnx("the `-u' and '-%c' options may not be used together", excl); + usage(1); + } + if ((NewArgc == 0 && (rval & MODE_EDIT)) || (NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT)))) usage(1); 
@@ -890,10 +895,10 @@ (statbuf.st_mode & 07777), SUDOERS_MODE); else if (statbuf.st_uid != SUDOERS_UID) log_error(0, "%s is owned by uid %lu, should be %lu", _PATH_SUDOERS, - (unsigned long) statbuf.st_uid, SUDOERS_UID); + (unsigned long) statbuf.st_uid, (unsigned long) SUDOERS_UID); else if (statbuf.st_gid != SUDOERS_GID) log_error(0, "%s is owned by gid %lu, should be %lu", _PATH_SUDOERS, - (unsigned long) statbuf.st_gid, SUDOERS_GID); + (unsigned long) statbuf.st_gid, (unsigned long) SUDOERS_GID); else { /* Solaris sometimes returns EAGAIN so try 10 times */ for (i = 0; i < 10 ; i++) { @@ -1075,7 +1080,7 @@ } else if (def_targetpw) { if (runas_pw->pw_name == NULL) log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %lu!", - runas_pw->pw_uid); + (unsigned long) runas_pw->pw_uid); pw = runas_pw; } else pw = sudo_user.pw; Binary files sudo-1.6.8/sudo.cat and sudo-1.6.8p12/sudo.cat differ diff -urN sudo-1.6.8/sudo.h sudo-1.6.8p12/sudo.h --- sudo-1.6.8/sudo.h Wed Jul 21 14:57:26 2004 +++ sudo-1.6.8p12/sudo.h Wed Mar 23 18:44:46 2005 @@ -17,7 +17,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: sudo.h,v 1.209 2004/06/05 17:42:04 millert Exp $ + * $Sudo: sudo.h,v 1.213 2004/09/08 15:48:23 millert Exp $ */ #ifndef _SUDO_SUDO_H @@ -35,6 +35,7 @@ struct sudo_user { struct passwd *pw; struct passwd *_runas_pw; + struct stat *cmnd_stat; char *path; char *shell; char *tty; @@ -43,9 +44,10 @@ char *shost; char **runas; char *prompt; - char *cmnd_safe; char *cmnd; char *cmnd_args; + char *cmnd_base; + char *cmnd_safe; char *class_name; }; @@ -128,6 +130,8 @@ #define user_runas (sudo_user.runas) #define user_cmnd (sudo_user.cmnd) #define user_args (sudo_user.cmnd_args) +#define user_base (sudo_user.cmnd_base) +#define user_stat (sudo_user.cmnd_stat) #define user_path (sudo_user.path) #define user_prompt (sudo_user.prompt) #define user_host (sudo_user.host) 
@@ -157,6 +161,10 @@ #define TGP_ECHO 0x01 /* leave echo on when reading passwd */ #define TGP_STDIN 0x02 /* read from stdin, not /dev/tty */ +struct passwd; +struct timespec; +struct timeval; + /* * Function prototypes */ @@ -168,6 +176,12 @@ #ifndef HAVE_GETCWD char *getcwd __P((char *, size_t size)); #endif +#ifndef HAVE_UTIMES +int utimes __P((const char *, const struct timeval *)); +#endif +#ifdef HAVE_FUTIME +int futimes __P((int, const struct timeval *)); +#endif #ifndef HAVE_SNPRINTF int snprintf __P((char *, size_t, const char *, ...)); #endif @@ -189,9 +203,9 @@ #ifndef HAVE_STRLCPY size_t strlcpy __P((char *, const char *, size_t)); #endif -char *sudo_goodpath __P((const char *)); +char *sudo_goodpath __P((const char *, struct stat *)); char *tgetpass __P((const char *, int, int)); -int find_path __P((char *, char **, char *)); +int find_path __P((char *, char **, struct stat *, char *)); void check_user __P((int)); void verify_user __P((struct passwd *, char *)); int sudoers_lookup __P((int)); @@ -219,13 +233,14 @@ void dump_auth_methods __P((void)); void init_envtables __P((void)); int lock_file __P((int, int)); -int touch __P((char *, time_t)); +int touch __P((int, char *, struct timespec *)); int user_is_exempt __P((void)); void set_fqdn __P((void)); int set_runaspw __P((char *)); char *sudo_getepw __P((const struct passwd *)); int pam_prep_user __P((struct passwd *)); void zero_bytes __P((volatile VOID *, size_t)); +int gettime __P((struct timespec *)); YY_DECL; /* Only provide extern declarations outside of sudo.c. */ diff -urN sudo-1.6.8/sudo.man.in sudo-1.6.8p12/sudo.man.in --- sudo-1.6.8/sudo.man.in Tue Aug 17 14:53:39 2004 +++ sudo-1.6.8p12/sudo.man.in Tue Nov 8 13:22:15 2005 
@@ -17,7 +17,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudo.man.in,v 1.29 2004/08/17 18:53:31 millert Exp $ +.\" $Sudo: sudo.pod,v 1.73 2004/09/08 18:34:38 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "August 17, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" 
@@ -406,13 +406,15 @@ \&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 only) environment variables are removed from the environment passed on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, -\&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, +\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, \&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, \&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and \&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the \&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the -\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been +\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables +with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could +be interpreted as \fBbash\fR functions. If \fBsudo\fR has been compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and \&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment variables that \fBsudo\fR clears is contained in the output of 
@@ -460,42 +462,6 @@ of this, care must be taken when giving users access to commands via \fBsudo\fR to verify that the command does not inadvertently give the user an effective root shell. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: the following examples assume suitable sudoers(@mansectform@) entries. -.PP -To get a file listing of an unreadable directory: -.PP -.Vb 1 -\& $ sudo ls /usr/local/protected -.Ve -.PP -To list the home directory of user yazza on a machine where the -file system holding ~yazza is not exported as root: -.PP -.Vb 1 -\& $ sudo -u yazza ls ~yazza -.Ve -.PP -To edit the \fIindex.html\fR file as user www: -.PP -.Vb 1 -\& $ sudo -u www vi ~www/htdocs/index.html -.Ve -.PP -To shutdown a machine: -.PP -.Vb 1 -\& $ sudo shutdown -r +15 "quick reboot" -.Ve -.PP -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. -.PP -.Vb 1 -\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" -.Ve .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" \&\fBsudo\fR utilizes the following environment variables: 
@@ -558,6 +524,46 @@ \& @sysconfdir@/sudoers List of who can run what \& @timedir@ Directory containing timestamps .Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: the following examples assume suitable sudoers(@mansectform@) entries. +.PP +To get a file listing of an unreadable directory: +.PP +.Vb 1 +\& $ sudo ls /usr/local/protected +.Ve +.PP +To list the home directory of user yazza on a machine where the +file system holding ~yazza is not exported as root: +.PP +.Vb 1 +\& $ sudo -u yazza ls ~yazza +.Ve +.PP +To edit the \fIindex.html\fR file as user www: +.PP +.Vb 1 +\& $ sudo -u www vi ~www/htdocs/index.html +.Ve +.PP +To shutdown a machine: +.PP +.Vb 1 +\& $ sudo shutdown -r +15 "quick reboot" +.Ve +.PP +To make a usage listing of the directories in the /home +partition. Note that this runs the commands in a sub-shell +to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. +.PP +.Vb 1 +\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), +passwd(@mansectform@), visudo(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this @@ -571,16 +577,6 @@ See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit http://www.sudo.ws/sudo/history.html for a short history of \fBsudo\fR. -.SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in sudo, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ -.SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. .SH "CAVEATS" .IX Header "CAVEATS" There is no easy way to prevent a user from gaining a root shell 
@@ -604,11 +600,25 @@ creating their own program that gives them a root shell regardless of any '!' elements in the user specification. .PP -Running shell scripts via \fBsudo\fR can expose the same kernel bugs -that make setuid shell scripts unsafe on some operating systems -(if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts -are generally safe). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), -passwd(@mansectform@), visudo(@mansectsu@) +Running shell scripts via \fBsudo\fR can expose the same kernel bugs that +make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 +has a /dev/fd/ directory, setuid shell scripts are generally safe). +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff -urN sudo-1.6.8/sudo.pod sudo-1.6.8p12/sudo.pod --- sudo-1.6.8/sudo.pod Tue Aug 17 14:53:16 2004 +++ sudo-1.6.8p12/sudo.pod Thu Nov 11 16:30:04 2004 
@@ -18,7 +18,7 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.70 2004/08/17 18:53:16 millert Exp $ +$Sudo: sudo.pod,v 1.73 2004/09/08 18:34:38 millert Exp $ =pod =head1 NAME @@ -313,13 +313,15 @@ C, C<_RLD_*>, C (HP-UX only), and C (AIX only) environment variables are removed from the environment passed on to all commands executed. B will also remove the C, -C, C, C, C, C, +C, C, C, C, C, C, C, C, C, C, C, C, C, C and C variables as they too can pose a threat. If the C variable is set and is a pathname, it too is ignored. Additionally, if the C or C variables contain the -C or C<%> characters, they are ignored. If B has been +C or C<%> characters, they are ignored. Environment variables +with a value beginning with C<()> are also removed as they could +be interpreted as B functions. If B has been compiled with SecurID support, the C, C and C variables are cleared as well. The list of environment variables that B clears is contained in the output of @@ -368,33 +370,6 @@ via B to verify that the command does not inadvertently give the user an effective root shell. -=head1 EXAMPLES - -Note: the following examples assume suitable L entries. - -To get a file listing of an unreadable directory: - - $ sudo ls /usr/local/protected - -To list the home directory of user yazza on a machine where the -file system holding ~yazza is not exported as root: - - $ sudo -u yazza ls ~yazza - -To edit the F file as user www: - - $ sudo -u www vi ~www/htdocs/index.html - -To shutdown a machine: - - $ sudo shutdown -r +15 "quick reboot" - -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the C and file redirection work. - - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" - =head1 ENVIRONMENT B utilizes the following environment variables: 
@@ -433,6 +408,38 @@ @sysconfdir@/sudoers List of who can run what @timedir@ Directory containing timestamps +=head1 EXAMPLES + +Note: the following examples assume suitable L entries. + +To get a file listing of an unreadable directory: + + $ sudo ls /usr/local/protected + +To list the home directory of user yazza on a machine where the +file system holding ~yazza is not exported as root: + + $ sudo -u yazza ls ~yazza + +To edit the F file as user www: + + $ sudo -u www vi ~www/htdocs/index.html + +To shutdown a machine: + + $ sudo shutdown -r +15 "quick reboot" + +To make a usage listing of the directories in the /home +partition. Note that this runs the commands in a sub-shell +to make the C and file redirection work. + + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + +=head1 SEE ALSO + +L, L, L, L, L, +L, L + =head1 AUTHORS Many people have worked on B over the years; this @@ -445,18 +452,6 @@ http://www.sudo.ws/sudo/history.html for a short history of B. -=head1 BUGS - -If you feel you have found a bug in sudo, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the LICENSE file distributed with B for complete details. - =head1 CAVEATS There is no easy way to prevent a user from gaining a root shell 
@@ -478,12 +473,28 @@ creating their own program that gives them a root shell regardless of any '!' elements in the user specification. -Running shell scripts via B can expose the same kernel bugs -that make setuid shell scripts unsafe on some operating systems -(if your OS supports the /dev/fd/ directory, setuid shell scripts -are generally safe). +Running shell scripts via B can expose the same kernel bugs that +make setuid shell scripts unsafe on some operating systems (if your OS +has a /dev/fd/ directory, setuid shell scripts are generally safe). -=head1 SEE ALSO +=head1 BUGS -L, L, L, L, L, -L, L +If you feel you have found a bug in B, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ + +=head1 SUPPORT + +Commercial support is available for B, see +http://www.sudo.ws/sudo/support.html for details. + +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. + +=head1 DISCLAIMER + +B is provided ``AS IS'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the LICENSE +file distributed with B or http://www.sudo.ws/sudo/license.html +for complete details. diff -urN sudo-1.6.8/sudo.tab.c sudo-1.6.8p12/sudo.tab.c --- sudo-1.6.8/sudo.tab.c Wed Aug 11 14:29:36 2004 +++ sudo-1.6.8p12/sudo.tab.c Sun Jun 19 16:07:26 2005 @@ -4,7 +4,7 @@ #if __GNUC__ >= 2 __attribute__ ((unused)) #endif /* __GNUC__ >= 2 */ - = "$OpenBSD: skeleton.c,v 1.23 2004/03/12 13:39:50 henning Exp $"; + = "$OpenBSD: skeleton.c,v 1.24 2005/06/10 16:40:45 pvalchev Exp $"; #endif #include #define YYBYACC 1 @@ -89,7 +89,7 @@ #endif /* HAVE_LSEARCH */ #ifndef lint -static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76 2004/08/11 18:29:36 millert Exp $"; +static const char rcsid[] = "$Sudo: parse.yacc,v 1.204 2004/08/11 18:29:10 millert Exp $"; #endif /* lint */ /* 
@@ -674,7 +674,7 @@ short *yysslim; YYSTYPE *yyvs; int yystacksize; -#line 890 "parse.yacc" +#line 886 "parse.yacc" #define MOREALIASES (32) aliasinfo *aliases = NULL; @@ -1740,14 +1740,10 @@ } yyval.BOOLEAN = TRUE; - - if (safe_cmnd) - free(safe_cmnd); - safe_cmnd = estrdup(user_cmnd); } break; case 61: -#line 684 "parse.yacc" +#line 680 "parse.yacc" { aliasinfo *aip; @@ -1779,7 +1775,7 @@ } break; case 62: -#line 713 "parse.yacc" +#line 709 "parse.yacc" { if (printmatches == TRUE) { if (in_alias == TRUE) { @@ -1807,11 +1803,11 @@ } break; case 65: -#line 744 "parse.yacc" +#line 740 "parse.yacc" { push; } break; case 66: -#line 744 "parse.yacc" +#line 740 "parse.yacc" { if ((MATCHED(host_matches) || pedantic) && !add_alias(yyvsp[-3].string, HOST_ALIAS, host_matches)) { @@ -1822,7 +1818,7 @@ } break; case 71: -#line 762 "parse.yacc" +#line 758 "parse.yacc" { push; if (printmatches == TRUE) { @@ -1835,7 +1831,7 @@ } break; case 72: -#line 771 "parse.yacc" +#line 767 "parse.yacc" { if ((MATCHED(cmnd_matches) || pedantic) && !add_alias(yyvsp[-3].string, CMND_ALIAS, cmnd_matches)) { @@ -1850,11 +1846,11 @@ } break; case 73: -#line 785 "parse.yacc" +#line 781 "parse.yacc" { ; } break; case 77: -#line 793 "parse.yacc" +#line 789 "parse.yacc" { if (printmatches == TRUE) { in_alias = TRUE; @@ -1866,7 +1862,7 @@ } break; case 78: -#line 801 "parse.yacc" +#line 797 "parse.yacc" { if ((yyvsp[0].BOOLEAN != NOMATCH || pedantic) && !add_alias(yyvsp[-3].string, RUNAS_ALIAS, yyvsp[0].BOOLEAN)) { @@ -1880,11 +1876,11 @@ } break; case 81: -#line 818 "parse.yacc" +#line 814 "parse.yacc" { push; } break; case 82: -#line 818 "parse.yacc" +#line 814 "parse.yacc" { if ((MATCHED(user_matches) || pedantic) && !add_alias(yyvsp[-3].string, USER_ALIAS, user_matches)) { 
@@ -1896,19 +1892,19 @@ } break; case 85: -#line 833 "parse.yacc" +#line 829 "parse.yacc" { SETMATCH(user_matches, yyvsp[0].BOOLEAN); } break; case 86: -#line 836 "parse.yacc" +#line 832 "parse.yacc" { SETNMATCH(user_matches, yyvsp[0].BOOLEAN); } break; case 87: -#line 841 "parse.yacc" +#line 837 "parse.yacc" { if (userpw_matches(yyvsp[0].string, user_name, sudo_user.pw)) yyval.BOOLEAN = TRUE; @@ -1918,7 +1914,7 @@ } break; case 88: -#line 848 "parse.yacc" +#line 844 "parse.yacc" { if (usergr_matches(yyvsp[0].string, user_name, sudo_user.pw)) yyval.BOOLEAN = TRUE; @@ -1928,7 +1924,7 @@ } break; case 89: -#line 855 "parse.yacc" +#line 851 "parse.yacc" { if (netgr_matches(yyvsp[0].string, NULL, NULL, user_name)) yyval.BOOLEAN = TRUE; @@ -1938,7 +1934,7 @@ } break; case 90: -#line 862 "parse.yacc" +#line 858 "parse.yacc" { aliasinfo *aip = find_alias(yyvsp[0].string, USER_ALIAS); @@ -1963,12 +1959,12 @@ } break; case 91: -#line 884 "parse.yacc" +#line 880 "parse.yacc" { yyval.BOOLEAN = TRUE; } break; -#line 1920 "sudo.tab.c" +#line 1916 "sudo.tab.c" } yyssp -= yym; yystate = *yyssp; diff -urN sudo-1.6.8/sudo_edit.c sudo-1.6.8p12/sudo_edit.c --- sudo-1.6.8/sudo_edit.c Tue Aug 17 15:11:47 2004 +++ sudo-1.6.8p12/sudo_edit.c Thu Nov 25 12:32:34 2004 @@ -17,7 +17,9 @@ #include "config.h" #include +#include #include +#include #include #include #include @@ -49,11 +51,12 @@ #include #include #include +#include #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6 2004/08/17 19:11:47 millert Exp $"; +static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.16 2004/09/15 16:16:20 millert Exp $"; #endif /* lint */ extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; 
@@ -70,13 +73,14 @@ const char *tmpdir; char **nargv, **ap, *editor, *cp; char buf[BUFSIZ]; - int i, ac, ofd, tfd, nargc, rval; + int i, ac, ofd, tfd, nargc, rval, tmplen; sigaction_t sa; struct stat sb; + struct timespec ts1, ts2; struct tempfile { char *tfile; char *ofile; - time_t omtime; /* XXX - use st_mtimespec / st_mtim? */ + struct timespec omtim; off_t osize; } *tf; @@ -91,15 +95,15 @@ #endif else tmpdir = _PATH_TMP; + tmplen = strlen(tmpdir); + while (tmplen > 0 && tmpdir[tmplen - 1] == '/') + tmplen--; /* - * For each file specified, by the user, make a tempoary version - * and copy the contents of the original to it. We make these files - * as root so the user can't steal them out from under us until we are - * done writing (and at that point the user will be able to edit the - * file anyway). + * For each file specified by the user, make a temporary version + * and copy the contents of the original to it. * XXX - It would be nice to lock the original files but that means - * keeping an fd open for each file. + * keeping an extra fd open for each file. */ tf = emalloc2(argc - 1, sizeof(*tf)); memset(tf, 0, (argc - 1) * sizeof(*tf)); @@ -112,7 +116,7 @@ #else if (stat(tf[i].ofile, &sb) != 0) { #endif - close(ofd); + close(ofd); /* XXX - could reset errno */ ofd = -1; } } 
@@ -124,18 +128,27 @@ i--; continue; } - sb.st_mtime = 0; - sb.st_size = 0; + memset(&sb, 0, sizeof(sb)); + } else if (!S_ISREG(sb.st_mode)) { + warnx("%s: not a regular file", *ap); + close(ofd); + argc--; + i--; + continue; } tf[i].ofile = *ap; - tf[i].omtime = sb.st_mtime; + tf[i].omtim.tv_sec = mtim_getsec(sb); + tf[i].omtim.tv_nsec = mtim_getnsec(sb); tf[i].osize = sb.st_size; if ((cp = strrchr(tf[i].ofile, '/')) != NULL) cp++; else cp = tf[i].ofile; - easprintf(&tf[i].tfile, "%s%s.XXXXXXXX", tmpdir, cp); - if ((tfd = mkstemp(tf[i].tfile)) == -1) { + easprintf(&tf[i].tfile, "%.*s/%s.XXXXXXXX", tmplen, tmpdir, cp); + set_perms(PERM_USER); + tfd = mkstemp(tf[i].tfile); + set_perms(PERM_ROOT); + if (tfd == -1) { warn("mkstemp"); goto cleanup; } @@ -149,16 +162,24 @@ goto cleanup; } } + close(ofd); } -#ifdef HAVE_FCHOWN - fchown(tfd, user_uid, user_gid); -#else - chown(tf[i].tfile, user_uid, user_gid); +#ifdef HAVE_FSTAT + /* + * If we are unable to set the mtime on the temp file to the value + * of the original file just make the stashed mtime match the temp + * file's mtime. It is better than nothing and we only use the info + * to determine whether or not a file has been modified. + */ + if (touch(tfd, NULL, &tf[i].omtim) == -1) { + if (fstat(tfd, &sb) == 0) { + tf[i].omtim.tv_sec = mtim_getsec(sb); + tf[i].omtim.tv_nsec = mtim_getnsec(sb); + } + /* XXX - else error? */ + } #endif - if (ofd != -1) - close(ofd); close(tfd); - touch(tf[i].tfile, tf[i].omtime); } if (argc == 1) return(1); /* no files readable, you lose */ @@ -203,8 +224,10 @@ (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); /* - * Fork and exec the editor as with the invoking user's creds. + * Fork and exec the editor with the invoking user's creds, + * keeping track of the time spent in the editor. */ + gettime(&ts1); kidpid = fork(); if (kidpid == -1) { warn("fork"); 
@@ -240,6 +263,7 @@ break; } } while (pid != -1 || errno == EINTR); + gettime(&ts2); if (pid == -1 || !WIFEXITED(i)) rval = 1; else @@ -247,24 +271,42 @@ /* Copy contents of temp files to real ones */ for (i = 0; i < argc - 1; i++) { - /* XXX - open file with PERM_USER for nfs? */ - if ((tfd = open(tf[i].tfile, O_RDONLY, 0644)) == -1) { - warn("unable to read edited file %s, cannot update %s", - tf[i].tfile, tf[i].ofile); + set_perms(PERM_USER); + tfd = open(tf[i].tfile, O_RDONLY, 0644); + set_perms(PERM_ROOT); + if (tfd < 0) { + warn("unable to read %s", tf[i].tfile); + warnx("%s left unmodified", tf[i].ofile); continue; } #ifdef HAVE_FSTAT if (fstat(tfd, &sb) == 0) { + if (!S_ISREG(sb.st_mode)) { + warnx("%s: not a regular file", tf[i].tfile); + warnx("%s left unmodified", tf[i].ofile); + continue; + } + if (tf[i].osize == sb.st_size && + tf[i].omtim.tv_sec == mtim_getsec(sb) && + tf[i].omtim.tv_nsec == mtim_getnsec(sb)) { + /* + * If mtime and size match but the user spent no measurable + * time in the editor we can't tell if the file was changed. + */ +#ifdef HAVE_TIMESPECSUB2 + timespecsub(&ts1, &ts2); #else - if (stat(tf[i].tfile, &sb) == 0) { + timespecsub(&ts1, &ts2, &ts2); #endif - if (tf[i].osize == sb.st_size && tf[i].omtime == sb.st_mtime) { - warnx("%s unchanged", tf[i].ofile); - unlink(tf[i].tfile); - close(tfd); - continue; + if (timespecisset(&ts2)) { + warnx("%s unchanged", tf[i].ofile); + unlink(tf[i].tfile); + close(tfd); + continue; + } } } +#endif set_perms(PERM_RUNAS); ofd = open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644); set_perms(PERM_ROOT); @@ -274,7 +316,7 @@ close(tfd); continue; } - while ((nread = read(tfd, buf, sizeof(buf))) != 0) { + while ((nread = read(tfd, buf, sizeof(buf))) > 0) { if ((nwritten = write(ofd, buf, nread)) != nread) { if (nwritten == -1) warn("%s", tf[i].ofile); 
@@ -283,14 +325,17 @@ break; } } - if (nread == 0) + if (nread == 0) { + /* success, got EOF */ unlink(tf[i].tfile); - else { + } else if (nread < 0) { + warn("unable to read temporary file"); + warnx("contents of edit session left in %s", tf[i].tfile); + } else { warn("unable to write to %s", tf[i].ofile); warnx("contents of edit session left in %s", tf[i].tfile); } close(ofd); - close(tfd); } return(rval); diff -urN sudo-1.6.8/sudo_noexec.c sudo-1.6.8p12/sudo_noexec.c --- sudo-1.6.8/sudo_noexec.c Fri Feb 13 16:36:43 2004 +++ sudo-1.6.8p12/sudo_noexec.c Sat Mar 12 18:41:55 2005 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004 Todd C. Miller + * Copyright (c) 2004-2005 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -17,9 +17,14 @@ #include "config.h" #include +#ifdef __STDC__ +# include +#else +# include +#endif #ifndef lint -static const char rcsid[] = "$Sudo: sudo_noexec.c,v 1.5 2004/02/13 21:36:43 millert Exp $"; +static const char rcsid[] = "$Sudo: sudo_noexec.c,v 1.11 2005/03/10 15:09:28 millert Exp $"; #endif /* lint */ /* 
@@ -34,24 +39,72 @@ extern int errno; #endif -#define DUMMY(fn, args, atypes) \ -int \ -fn args \ - atypes \ -{ \ - errno = EACCES; \ - return(-1); \ +#define DUMMY_BODY \ +{ \ + errno = EACCES; \ + return(-1); \ } -DUMMY(execve, (path, argv, envp), - const char *path; char *const argv[]; char *const envp[];) -DUMMY(_execve, (path, argv, envp), - const char *path; char *const argv[]; char *const envp[];) -DUMMY(execv, (path, argv, envp), - const char *path; char *const argv[];) -DUMMY(_execv, (path, argv, envp), - const char *path; char *const argv[];) -DUMMY(fexecve, (fd, argv, envp), - int fd; char *const argv[]; char *const envp[];) -DUMMY(_fexecve, (fd, argv, envp), - int fd; char *const argv[]; char *const envp[];) +#ifdef __STDC__ + +#define DUMMY2(fn, t1, t2) \ +int \ +fn(t1 a1, t2 a2) \ +DUMMY_BODY + +#define DUMMY3(fn, t1, t2, t3) \ +int \ +fn(t1 a1, t2 a2, t3 a3) \ +DUMMY_BODY + +#define DUMMY_VA(fn, t1, t2) \ +int \ +fn(t1 a1, t2 a2, ...) \ +DUMMY_BODY + +#else /* !__STDC__ */ + +#define DUMMY2(fn, t1, t2) \ +int \ +fn(a1, a2) \ +t1 a1; t2 a2; \ +DUMMY_BODY + +#define DUMMY3(fn, t1, t2, t3) \ +int \ +fn(a1, a2, a3) \ +t1 a1; t2 a2; t3 a3; \ +DUMMY_BODY + +#define DUMMY_VA(fn, t1, t2) \ +int \ +fn(a1, a2, va_alist) \ +t1 a1; t2 a2; va_dcl \ +DUMMY_BODY + +#endif /* !__STDC__ */ + +DUMMY_VA(execl, const char *, const char *) +DUMMY_VA(_execl, const char *, const char *) +DUMMY_VA(__execl, const char *, const char *) +DUMMY_VA(execle, const char *, const char *) +DUMMY_VA(_execle, const char *, const char *) +DUMMY_VA(__execle, const char *, const char *) +DUMMY_VA(execlp, const char *, const char *) +DUMMY_VA(_execlp, const char *, const char *) +DUMMY_VA(__execlp, const char *, const char *) +DUMMY2(execv, const char *, char * const *) +DUMMY2(_execv, const char *, char * const *) +DUMMY2(__execv, const char *, char * const *) +DUMMY2(execvp, const char *, char * const *) +DUMMY2(_execvp, const char *, char * const *) +DUMMY2(__execvp, const char *, char 
* const *) +DUMMY3(execvP, const char *, const char *, char * const *) +DUMMY3(_execvP, const char *, const char *, char * const *) +DUMMY3(__execvP, const char *, const char *, char * const *) +DUMMY3(execve, const char *, char * const *, char * const *) +DUMMY3(_execve, const char *, char * const *, char * const *) +DUMMY3(__execve, const char *, char * const *, char * const *) +DUMMY3(fexecve, int , char * const *, char * const *) +DUMMY3(_fexecve, int , char * const *, char * const *) +DUMMY3(__fexecve, int , char * const *, char * const *) Binary files sudo-1.6.8/sudoers.cat and sudo-1.6.8p12/sudoers.cat differ diff -urN sudo-1.6.8/sudoers.man.in sudo-1.6.8p12/sudoers.man.in --- sudo-1.6.8/sudoers.man.in Fri Aug 6 19:32:37 2004 +++ sudo-1.6.8p12/sudoers.man.in Tue Nov 8 13:22:19 2005 @@ -17,7 +17,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudoers.man.in,v 1.45 2004/08/06 23:32:31 millert Exp $ +.\" $Sudo: sudoers.pod,v 1.96 2004/09/06 20:45:27 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "August 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -728,6 +728,8 @@ .RE .RS 12 .Sp +If no value is specified, a value of \fIonce\fR is implied. +Negating the option results in a value of \fInever\fR being used. The default value is \fI@lecture@\fR. .RE .IP "lecture_file" 12 
@@ -780,7 +782,9 @@ .RE .RS 12 .Sp -The default value is `all'. +If no value is specified, a value of \fIall\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIall\fR. .RE .IP "listpw" 12 .IX Item "listpw" @@ -804,7 +808,9 @@ .RE .RS 12 .Sp -The default value is `any'. +If no value is specified, a value of \fIany\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIany\fR. .RE .PP \&\fBLists that can be used in a boolean context\fR: @@ -1069,6 +1075,13 @@ The following characters must be escaped with a backslash ('\e') when used as part of a word (e.g. a username or hostname): \&'@', '!', '=', ':', ',', '(', ')', '\e'. +.SH "FILES" +.IX Header "FILES" +.Vb 3 +\& @sysconfdir@/sudoers List of who can run what +\& /etc/group Local groups file +\& /etc/netgroup List of network groups +.Ve .SH "EXAMPLES" .IX Header "EXAMPLES" Since the \fIsudoers\fR file is parsed in a single pass, order is @@ -1366,6 +1379,9 @@ (such as changing or overwriting files) that could lead to unintended privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run \fBsudoedit\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) .SH "CAVEATS" .IX Header "CAVEATS" The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR 
@@ -1378,13 +1394,22 @@ case), you either need to have the machine's hostname be fully qualified as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in \&\fIsudoers\fR. -.SH "FILES" -.IX Header "FILES" -.Vb 3 -\& @sysconfdir@/sudoers List of who can run what -\& /etc/group Local groups file -\& /etc/netgroup List of network groups -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff -urN sudo-1.6.8/sudoers.pod sudo-1.6.8p12/sudoers.pod --- sudo-1.6.8/sudoers.pod Fri Aug 6 19:57:27 2004 +++ sudo-1.6.8p12/sudoers.pod Sun Nov 28 16:08:40 2004 @@ -18,7 +18,7 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95 2004/08/06 23:56:15 millert Exp $ +$Sudo: sudoers.pod,v 1.96 2004/09/06 20:45:27 millert Exp $ =pod =head1 NAME @@ -633,6 +633,8 @@ =back +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. The default value is I<@lecture@>. =item lecture_file 
@@ -697,7 +699,9 @@ =back -The default value is `all'. +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. +The default value is I. =item listpw @@ -726,7 +730,9 @@ =back -The default value is `any'. +If no value is specified, a value of I is implied. +Negating the option results in a value of I being used. +The default value is I. =back @@ -982,6 +988,12 @@ used as part of a word (e.g. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. +=head1 FILES + + @sysconfdir@/sudoers List of who can run what + /etc/group Local groups file + /etc/netgroup List of network groups + =head1 EXAMPLES Since the I file is parsed in a single pass, order is @@ -1226,6 +1238,10 @@ privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run B. +=head1 SEE ALSO + +L, L, L, L, L + =head1 CAVEATS The I file should B be edited by the B 
@@ -1239,12 +1255,24 @@ as returned by the C command or use the I option in I. -=head1 FILES +=head1 BUGS - @sysconfdir@/sudoers List of who can run what - /etc/group Local groups file - /etc/netgroup List of network groups +If you feel you have found a bug in B, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ -=head1 SEE ALSO +=head1 SUPPORT -L, L, L, L, L +Commercial support is available for B, see +http://www.sudo.ws/sudo/support.html for details. + +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. + +=head1 DISCLAIMER + +B is provided ``AS IS'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the LICENSE +file distributed with B or http://www.sudo.ws/sudo/license.html +for complete details. diff -urN sudo-1.6.8/utime.c sudo-1.6.8p12/utime.c --- sudo-1.6.8/utime.c Fri Feb 13 16:36:43 2004 +++ sudo-1.6.8p12/utime.c Wed Dec 31 19:00:00 1969 
@@ -1,61 +0,0 @@ -/* - * Copyright (c) 1996, 1998, 1999, 2001 - * Todd C. Miller . - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * Sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F39502-99-1-0512. - */ - -#include "config.h" - -#include -#include -#include -#ifdef HAVE_UNISTD_H -# include -#endif /* HAVE_UNISTD_H */ - -#include "compat.h" -#include "emul/utime.h" - -#ifndef lint -static const char rcsid[] = "$Sudo: utime.c,v 1.37 2004/02/13 21:36:43 millert Exp $"; -#endif /* lint */ - - -/* - * Emulate utime(3) via utimes(2). - * utime(3) sets the access and mod times of the named file. - */ -int -utime(file, tvp) - const char *file; - const struct utimbuf *utp; -{ - if (upt) { - struct timeval tv[2]; - - tv[0].tv_sec = ut.actime; - tv[0].tv_usec = 0; - - tv[1].tv_sec = ut.modtime; - tv[1].tv_usec = 0; - - return(utimes(file, tv); - } else { - return(utimes(file, NULL); - } -} diff -urN sudo-1.6.8/utimes.c sudo-1.6.8p12/utimes.c --- sudo-1.6.8/utimes.c Wed Dec 31 19:00:00 1969 +++ sudo-1.6.8p12/utimes.c Sat Sep 11 12:24:28 2004 
@@ -0,0 +1,72 @@ +/* + * Copyright (c) 2004 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include "config.h" + +#ifdef HAVE_UTIME_H +# include +#else +# include +#endif + +#ifndef lint +static const char rcsid[] = "$Sudo: utimes.c,v 1.3 2004/09/11 16:24:28 millert Exp $"; +#endif /* lint */ + +#ifndef HAVE_UTIMES +/* + * Emulate utimes() via utime() + */ +int +utimes(file, times) + const char *file; + const struct timeval *times; +{ + if (times != NULL) { + struct utimbuf utb; + + utb.actime = (time_t)times[0].tv_sec; + utb.modtime = (time_t)times[1].tv_sec; + return(utime(file, &utb)); + } else + return(utime(file, NULL)); +} +#endif /* !HAVE_UTIMES */ + +#ifdef HAVE_FUTIME +/* + * Emulate futimes() via futime() + */ +int +futimes(fd, times) + int fd; + const struct timeval *times; +{ + if (times != NULL) { + struct utimbuf utb; + + utb.actime = (time_t)times[0].tv_sec; + utb.modtime = (time_t)times[1].tv_sec; + return(futime(fd, &utb)); + } else + return(futime(fd, NULL)); +} +#endif /* HAVE_FUTIME */ diff -urN sudo-1.6.8/version.h sudo-1.6.8p12/version.h --- sudo-1.6.8/version.h Fri May 28 16:28:01 2004 +++ sudo-1.6.8p12/version.h Tue Nov 8 13:22:02 2005 
@@ -17,12 +17,12 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: version.h,v 1.66 2004/02/13 21:36:43 millert Exp $ + * $Sudo: version.h,v 1.67 2004/09/15 19:18:38 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.8"; +static const char version[] = "1.6.8p12"; #endif /* _SUDO_VERSION_H */ diff -urN sudo-1.6.8/visudo.c sudo-1.6.8p12/visudo.c --- sudo-1.6.8/visudo.c Mon Aug 2 14:44:58 2004 +++ sudo-1.6.8p12/visudo.c Thu Nov 25 12:32:40 2004 @@ -33,6 +33,7 @@ #include #include #include +#include #ifndef __TANDEM # include #endif @@ -72,7 +73,7 @@ #include "version.h" #ifndef lint -static const char rcsid[] = "$Sudo: visudo.c,v 1.166 2004/08/02 18:44:58 millert Exp $"; +static const char rcsid[] = "$Sudo: visudo.c,v 1.170 2004/09/08 15:48:23 millert Exp $"; #endif /* lint */ /* @@ -130,8 +131,10 @@ int stmp_fd; /* stmp file descriptor */ int n; /* length parameter */ int ch; /* getopt char */ - time_t now; /* time now */ - struct stat stmp_sb, sudoers_sb; /* to check for changes */ + struct timespec ts1, ts2; /* time before and after edit */ + struct timespec sudoers_mtim; /* starting mtime of sudoers file */ + off_t sudoers_size; /* starting size of sudoers file */ + struct stat sb; /* stat buffer */ /* Warn about aliases that are used before being defined. */ pedantic = 1; @@ -192,11 +195,14 @@ if (!lock_file(sudoers_fd, SUDO_TLOCK)) errx(1, "sudoers file busy, try again later"); #ifdef HAVE_FSTAT - if (fstat(sudoers_fd, &sudoers_sb) == -1) + if (fstat(sudoers_fd, &sb) == -1) #else - if (stat(sudoers, &sudoers_sb) == -1) + if (stat(sudoers, &sb) == -1) #endif err(1, "can't stat %s", sudoers); + sudoers_size = sb.st_size; + sudoers_mtim.tv_sec = mtim_getsec(sb); + sudoers_mtim.tv_nsec = mtim_getnsec(sb); /* * Open sudoers temp file. 
@@ -209,7 +215,7 @@ setup_signals(); /* Copy sudoers -> stmp and reset the mtime */ - if (sudoers_sb.st_size) { + if (sudoers_size) { while ((n = read(sudoers_fd, buf, sizeof(buf))) > 0) if (write(stmp_fd, buf, n) != n) err(1, "write error"); @@ -220,8 +226,8 @@ write(stmp_fd, buf, 1); } + (void) touch(stmp_fd, stmp, &sudoers_mtim); (void) close(stmp_fd); - (void) touch(stmp, sudoers_sb.st_mtime); /* Parse sudoers to pull in editor and env_editor conf values. */ if ((yyin = fopen(stmp, "r"))) { @@ -248,7 +254,7 @@ if (UserEditor && *UserEditor == '\0') UserEditor = NULL; else if (UserEditor) { - if (find_path(UserEditor, &Editor, getenv("PATH")) == FOUND) { + if (find_path(UserEditor, &Editor, NULL, getenv("PATH")) == FOUND) { UserEditor = Editor; } else { if (def_env_editor) { @@ -318,7 +324,7 @@ EditorPath = estrdup(def_editor); Editor = strtok(EditorPath, ":"); do { - if (sudo_goodpath(Editor)) + if (sudo_goodpath(Editor, NULL)) break; } while ((Editor = strtok(NULL, ":"))); @@ -354,17 +360,18 @@ * XPG4 specifies that vi's exit value is a function of the * number of errors during editing (?!?!). */ - now = time(NULL); + gettime(&ts1); if (run_command(Editor, av) != -1) { + gettime(&ts2); /* * Sanity checks. */ - if (stat(stmp, &stmp_sb) < 0) { + if (stat(stmp, &sb) < 0) { warnx("cannot stat temporary file (%s), %s unchanged", stmp, sudoers); Exit(-1); } - if (stmp_sb.st_size == 0) { + if (sb.st_size == 0) { warnx("zero length temporary file (%s), %s unchanged", stmp, sudoers); Exit(-1); @@ -412,7 +419,7 @@ switch (whatnow()) { case 'Q' : parse_error = FALSE; /* ignore parse error */ break; - case 'x' : if (sudoers_sb.st_size == 0) + case 'x' : if (sudoers_size == 0) unlink(sudoers); Exit(0); break; 
@@ -423,10 +430,22 @@ /* * If the user didn't change the temp file, just unlink it. */ - if (sudoers_sb.st_mtime != now && sudoers_sb.st_mtime == stmp_sb.st_mtime && - sudoers_sb.st_size == stmp_sb.st_size) { - warnx("sudoers file unchanged"); - Exit(0); + if (sudoers_size == sb.st_size && + sudoers_mtim.tv_sec == mtim_getsec(sb) && + sudoers_mtim.tv_nsec == mtim_getnsec(sb)) { + /* + * If mtime and size match but the user spent no measurable + * time in the editor we can't tell if the file was changed. + */ +#ifdef HAVE_TIMESPECSUB2 + timespecsub(&ts1, &ts2); +#else + timespecsub(&ts1, &ts2, &ts2); +#endif + if (timespecisset(&ts2)) { + warnx("sudoers file unchanged"); + Exit(0); + } } /* Binary files sudo-1.6.8/visudo.cat and sudo-1.6.8p12/visudo.cat differ diff -urN sudo-1.6.8/visudo.man.in sudo-1.6.8p12/visudo.man.in --- sudo-1.6.8/visudo.man.in Fri Aug 6 14:18:31 2004 +++ sudo-1.6.8p12/visudo.man.in Tue Nov 8 13:22:22 2005 @@ -17,7 +17,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: visudo.man.in,v 1.20 2004/06/08 19:58:05 millert Exp $ +.\" $Sudo: visudo.pod,v 1.39 2004/09/06 20:45:27 millert Exp $ .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "June 8, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS" 
@@ -221,8 +221,23 @@ .IX Item "-V" The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number and exit. -.SH "ERRORS" -.IX Header "ERRORS" +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +The following environment variables are used only if \fBvisudo\fR +was configured with the \fI\-\-with\-env\-editor\fR option: +.PP +.Vb 2 +\& VISUAL Invoked by visudo as the editor to use +\& EDITOR Used by visudo if VISUAL is not set +.Ve +.SH "FILES" +.IX Header "FILES" +.Vb 2 +\& @sysconfdir@/sudoers List of who can run what +\& @sysconfdir@/sudoers.tmp Lock file for visudo +.Ve +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" .IP "sudoers file busy, try again later." 4 .IX Item "sudoers file busy, try again later." Someone else is currently editing the \fIsudoers\fR file. @@ -251,21 +266,9 @@ setting should be placed before any \f(CW\*(C`Runas_Alias\*(C'\fR or User specifications. In \fB\-s\fR (strict) mode this is an error, not a warning. -.SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -The following environment variables are used only if \fBvisudo\fR -was configured with the \fI\-\-with\-env\-editor\fR option: -.PP -.Vb 2 -\& VISUAL Invoked by visudo as the editor to use -\& EDITOR Used by visudo if VISUAL is not set -.Ve -.SH "FILES" -.IX Header "FILES" -.Vb 2 -\& @sysconfdir@/sudoers List of who can run what -\& @sysconfdir@/sudoers.tmp Lock file for visudo -.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) .SH "AUTHOR" .IX Header "AUTHOR" Many people have worked on \fIsudo\fR over the years; this version of 
@@ -277,20 +280,26 @@ .PP See the \s-1HISTORY\s0 file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. +.SH "CAVEATS" +.IX Header "CAVEATS" +There is no easy way to prevent a user from gaining a root shell if +the editor used by \fBvisudo\fR allows shell escapes. .SH "BUGS" .IX Header "BUGS" -If you feel you have found a bug in sudo, please submit a bug report +If you feel you have found a bug in \fBvisudo\fR, please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" \&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. -.SH "CAVEATS" -.IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -the editor used by \fBvisudo\fR allows shell escapes. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff -urN sudo-1.6.8/visudo.pod sudo-1.6.8p12/visudo.pod --- sudo-1.6.8/visudo.pod Tue Jun 8 15:55:53 2004 +++ sudo-1.6.8p12/visudo.pod Mon Sep 6 16:45:27 2004 
@@ -18,7 +18,7 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: visudo.pod,v 1.38 2004/06/08 19:55:53 millert Exp $ +$Sudo: visudo.pod,v 1.39 2004/09/06 20:45:27 millert Exp $ =pod =head1 NAME @@ -106,8 +106,21 @@ =back -=head1 ERRORS +=head1 ENVIRONMENT +The following environment variables are used only if B +was configured with the I<--with-env-editor> option: + + VISUAL Invoked by visudo as the editor to use + EDITOR Used by visudo if VISUAL is not set + +=head1 FILES + + @sysconfdir@/sudoers List of who can run what + @sysconfdir@/sudoers.tmp Lock file for visudo + +=head1 DIAGNOSTICS + =over 4 =item sudoers file busy, try again later. @@ -145,19 +158,10 @@ =back -=head1 ENVIRONMENT +=head1 SEE ALSO -The following environment variables are used only if B -was configured with the I<--with-env-editor> option: +L, L, L, L - VISUAL Invoked by visudo as the editor to use - EDITOR Used by visudo if VISUAL is not set - -=head1 FILES - - @sysconfdir@/sudoers List of who can run what - @sysconfdir@/sudoers.tmp Lock file for visudo - =head1 AUTHOR Many people have worked on I over the years; this version of 
@@ -168,23 +172,29 @@ See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. +=head1 CAVEATS + +There is no easy way to prevent a user from gaining a root shell if +the editor used by B allows shell escapes. + =head1 BUGS -If you feel you have found a bug in sudo, please submit a bug report +If you feel you have found a bug in B, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -=head1 DISCLAIMER +=head1 SUPPORT -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the LICENSE file distributed with B for complete details. +Commercial support is available for B, see +http://www.sudo.ws/sudo/support.html for details. -=head1 CAVEATS +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. -There is no easy way to prevent a user from gaining a root shell if -the editor used by B allows shell escapes. +=head1 DISCLAIMER -=head1 SEE ALSO - -L, L, L, L +B is provided ``AS IS'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the LICENSE +file distributed with B or http://www.sudo.ws/sudo/license.html +for complete details.
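Review bot: In the visudo.c hunk at @@ -423,10 +430,22 @@, the two branches of the HAVE_TIMESPECSUB2 conditional must leave the difference in the same variable, because the test that follows is `timespecisset(&ts2)`. The three-argument call `timespecsub(&ts1, &ts2, &ts2)` visibly stores its result in ts2. The two-argument call `timespecsub(&ts1, &ts2)` only matches that if the platform's macro writes into its second operand. If it writes into the first, ts2 still holds an untouched timestamp and is always set, so the "sudoers file unchanged" exit is taken even when no measurable time elapsed. That is exactly the case the new comment says cannot be decided, and a same-size edit made within the timestamp granularity would then be dropped. Please confirm the operand order on the two-argument platforms, or test whichever variable receives the result in each branch. A one-line comment saying what ts1 and ts2 hold would also help, since neither assignment is visible in this hunk.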
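Review bot: In the visudo.pod hunk at @@ -106,8 +106,21 @@ (mirrored in the generated visudo.man.in hunk at @@ -221,8 +221,23 @@), the relocated ENVIRONMENT section lacks a pointer to CAVEATS. ENVIRONMENT says that with --with-env-editor the editor is taken from VISUAL or EDITOR, and CAVEATS, which now sits several sections further down, says there is no easy way to prevent a root shell if the editor allows shell escapes. Suggest adding one sentence to ENVIRONMENT that refers the reader to CAVEATS, so an administrator weighing that configure option reads both statements together. Make the change in visudo.pod and regenerate visudo.man.in rather than editing both by hand.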