This patch will upgrade Sudo version 1.6.9 patchlevel 21 to Sudo version 1.6.9 patchlevel 22. To apply: $ cd sudo-1.6.9p21 $ patch -p1 < sudo-1.6.9p22.patch diff -urNa sudo-1.6.9p21/CHANGES sudo-1.6.9p22/CHANGES --- sudo-1.6.9p21/CHANGES Mon Feb 22 19:51:36 2010 +++ sudo-1.6.9p22/CHANGES Fri Apr 9 06:39:48 2010 @@ -2174,3 +2174,14 @@ 685) Users with permission to run sudoedit could run arbitrary commands. Sudo 1.6.9p21 released. + +686) When doing a glob match, short circuit if gl.gl_pathc is 0. + From Mark Kettenis + +687) Documented the security implications of the fast_glob sudoers option. + +688) Sudo will now add the path component to the command even if it simply + "./". This removes an ambiguity between real commands and + possible pseudo-commands in command matching + +Sudo 1.6.9p22 released. diff -urNa sudo-1.6.9p21/Makefile.in sudo-1.6.9p22/Makefile.in --- sudo-1.6.9p21/Makefile.in Tue Feb 23 07:17:53 2010 +++ sudo-1.6.9p22/Makefile.in Fri Apr 9 17:18:05 2010 @@ -20,8 +20,6 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.246.2.39 2009/02/23 14:19:25 millert Exp $ -# #### Start of system configuration section. #### @@ -134,7 +132,7 @@ LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.9p21 +VERSION = 1.6.9p22 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP \ @@ -364,11 +362,9 @@ cleandir: realclean dist: - rm -f ../sudo-$(VERSION).tar.gz - ( cd .. ; TF="/tmp/sudo.dist$$$$" ; rm -f $$TF ; for i in $(DISTFILES) ; \ - do echo sudo-$(VERSION)/$$i >> $$TF ; done ; \ - tar Ocf sudo-$(VERSION).tar \ - `cat $$TF` && gzip --best sudo-$(VERSION).tar && rm -f $$TF) + pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \ + $(DISTFILES) + gzip -9f ../sudo-$(VERSION).tar ls -l ../sudo-$(VERSION).tar.gz bindist: diff -urNa sudo-1.6.9p21/alloc.c sudo-1.6.9p22/alloc.c --- sudo-1.6.9p21/alloc.c Tue Sep 11 08:20:15 2007 +++ sudo-1.6.9p22/alloc.c Wed Apr 7 06:33:56 2010 @@ -52,10 +52,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: alloc.c,v 1.23.2.4 2007/09/11 12:20:15 millert Exp $"; -#endif /* lint */ - /* * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t * could be signed (as it is on SunOS 4.x). This just means that diff -urNa sudo-1.6.9p21/auth/afs.c sudo-1.6.9p22/auth/afs.c --- sudo-1.6.9p21/auth/afs.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/afs.c Wed Apr 7 06:30:06 2010 @@ -50,10 +50,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: afs.c,v 1.10.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int afs_verify(pw, pass, auth) struct passwd *pw; diff -urNa sudo-1.6.9p21/auth/aix_auth.c sudo-1.6.9p22/auth/aix_auth.c --- sudo-1.6.9p21/auth/aix_auth.c Wed Jan 28 11:15:18 2009 +++ sudo-1.6.9p22/auth/aix_auth.c Wed Apr 7 06:29:30 2010 @@ -46,10 +46,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.18.2.7 2009/01/28 16:15:18 millert Exp $"; -#endif /* lint */ - /* * For a description of the AIX authentication API, see * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm diff -urNa sudo-1.6.9p21/auth/bsdauth.c sudo-1.6.9p22/auth/bsdauth.c --- sudo-1.6.9p21/auth/bsdauth.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/bsdauth.c Wed Apr 7 06:29:35 2010 @@ -51,10 +51,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: bsdauth.c,v 1.16.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - extern char *login_style; /* from sudo.c */ int diff -urNa sudo-1.6.9p21/auth/dce.c sudo-1.6.9p22/auth/dce.c --- sudo-1.6.9p21/auth/dce.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/dce.c Wed Apr 7 06:29:38 2010 @@ -64,10 +64,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: dce.c,v 1.11.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - static int check_dce_status __P((error_status_t, char *)); int diff -urNa sudo-1.6.9p21/auth/fwtk.c sudo-1.6.9p22/auth/fwtk.c --- sudo-1.6.9p21/auth/fwtk.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/fwtk.c Wed Apr 7 06:29:41 2010 @@ -54,10 +54,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: fwtk.c,v 1.23.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int fwtk_init(pw, promptp, auth) struct passwd *pw; diff -urNa sudo-1.6.9p21/auth/kerb4.c sudo-1.6.9p22/auth/kerb4.c --- sudo-1.6.9p21/auth/kerb4.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/kerb4.c Wed Apr 7 06:29:43 2010 @@ -47,10 +47,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: kerb4.c,v 1.11.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int kerb4_init(pw, promptp, auth) struct passwd *pw; diff -urNa sudo-1.6.9p21/auth/kerb5.c sudo-1.6.9p22/auth/kerb5.c --- sudo-1.6.9p21/auth/kerb5.c Thu Oct 23 12:24:27 2008 +++ sudo-1.6.9p22/auth/kerb5.c Wed Apr 7 06:29:45 2010 @@ -53,10 +53,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.9 2008/10/23 16:24:27 millert Exp $"; -#endif /* lint */ - #ifdef HAVE_HEIMDAL # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) # define krb5_free_data_contents(c, d) krb5_data_free(d) diff -urNa sudo-1.6.9p21/auth/pam.c sudo-1.6.9p22/auth/pam.c --- sudo-1.6.9p21/auth/pam.c Wed Feb 25 07:21:20 2009 +++ sudo-1.6.9p22/auth/pam.c Wed Apr 7 06:29:47 2010 @@ -71,10 +71,6 @@ # define PAM_CONST #endif -#ifndef lint -__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.12 2009/02/25 12:21:20 millert Exp $"; -#endif /* lint */ - static int sudo_conv __P((int, PAM_CONST struct pam_message **, struct pam_response **, VOID *)); static char *def_prompt = "Password:"; diff -urNa sudo-1.6.9p21/auth/passwd.c sudo-1.6.9p22/auth/passwd.c --- sudo-1.6.9p21/auth/passwd.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/passwd.c Wed Apr 7 06:29:50 2010 @@ -46,10 +46,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: passwd.c,v 1.14.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - #define DESLEN 13 #define HAS_AGEINFO(p, l) (l == 18 && p[DESLEN] == ',') diff -urNa sudo-1.6.9p21/auth/rfc1938.c sudo-1.6.9p22/auth/rfc1938.c --- sudo-1.6.9p21/auth/rfc1938.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/rfc1938.c Wed Apr 7 06:29:52 2010 @@ -68,10 +68,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: rfc1938.c,v 1.16.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int rfc1938_setup(pw, promptp, auth) struct passwd *pw; diff -urNa sudo-1.6.9p21/auth/secureware.c sudo-1.6.9p22/auth/secureware.c --- sudo-1.6.9p21/auth/secureware.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/secureware.c Wed Apr 7 06:29:54 2010 @@ -53,10 +53,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: secureware.c,v 1.10.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int secureware_init(pw, promptp, auth) struct passwd *pw; diff -urNa sudo-1.6.9p21/auth/securid.c sudo-1.6.9p22/auth/securid.c --- sudo-1.6.9p21/auth/securid.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/securid.c Wed Apr 7 06:29:57 2010 @@ -58,10 +58,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: securid.c,v 1.12.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - union config_record configure; int diff -urNa sudo-1.6.9p21/auth/securid5.c sudo-1.6.9p22/auth/securid5.c --- sudo-1.6.9p21/auth/securid5.c Mon Jun 11 20:56:44 2007 +++ sudo-1.6.9p22/auth/securid5.c Wed Apr 7 06:29:59 2010 @@ -60,10 +60,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: securid5.c,v 1.6.2.2 2007/06/12 00:56:44 millert Exp $"; -#endif /* lint */ - /* * securid_init - Initialises communications with ACE server * Arguments in: diff -urNa sudo-1.6.9p21/auth/sia.c sudo-1.6.9p22/auth/sia.c --- sudo-1.6.9p21/auth/sia.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/sia.c Wed Apr 7 06:30:02 2010 @@ -49,10 +49,6 @@ #include "sudo.h" #include "sudo_auth.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sia.c,v 1.14.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - static int sudo_collect __P((int, int, uchar_t *, int, prompt_t *)); static char *def_prompt; diff -urNa sudo-1.6.9p21/auth/sudo_auth.c sudo-1.6.9p22/auth/sudo_auth.c --- sudo-1.6.9p21/auth/sudo_auth.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/auth/sudo_auth.c Wed Apr 7 06:30:04 2010 @@ -52,10 +52,6 @@ #include "sudo_auth.h" #include "insults.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.33.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - sudo_auth auth_switch[] = { #ifdef AUTH_STANDALONE AUTH_STANDALONE diff -urNa sudo-1.6.9p21/auth/sudo_auth.h sudo-1.6.9p22/auth/sudo_auth.h --- sudo-1.6.9p21/auth/sudo_auth.h Tue Dec 2 12:31:16 2008 +++ sudo-1.6.9p22/auth/sudo_auth.h Wed Apr 7 06:29:26 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: sudo_auth.h,v 1.20.2.5 2008/12/02 17:31:16 millert Exp $ */ #ifndef SUDO_AUTH_H diff -urNa sudo-1.6.9p21/check.c sudo-1.6.9p22/check.c --- sudo-1.6.9p21/check.c Wed Feb 25 06:07:43 2009 +++ sudo-1.6.9p22/check.c Wed Apr 7 06:34:46 2010 @@ -62,10 +62,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: check.c,v 1.223.2.11 2009/02/25 11:07:43 millert Exp $"; -#endif /* lint */ - /* Status codes for timestamp_status() */ #define TS_CURRENT 0 #define TS_OLD 1 diff -urNa sudo-1.6.9p21/closefrom.c sudo-1.6.9p22/closefrom.c --- sudo-1.6.9p21/closefrom.c Wed Jun 20 07:06:50 2007 +++ sudo-1.6.9p22/closefrom.c Wed Apr 7 06:32:14 2010 @@ -48,10 +48,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.6.2.3 2007/06/20 11:06:50 millert Exp $"; -#endif /* lint */ - #ifndef HAVE_FCNTL_CLOSEM # ifndef HAVE_DIRFD # define closefrom_fallback closefrom diff -urNa sudo-1.6.9p21/compat.h sudo-1.6.9p22/compat.h --- sudo-1.6.9p21/compat.h Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/compat.h Wed Apr 7 06:32:18 2010 @@ -16,8 +16,6 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: compat.h,v 1.76.2.4 2007/06/12 01:28:41 millert Exp $ */ #ifndef _SUDO_COMPAT_H diff -urNa sudo-1.6.9p21/configure.in sudo-1.6.9p22/configure.in --- sudo-1.6.9p21/configure.in Mon Feb 23 09:21:31 2009 +++ sudo-1.6.9p22/configure.in Wed Apr 7 06:32:21 2010 @@ -1,6 +1,5 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.58 2009/02/23 14:21:31 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller dnl diff -urNa sudo-1.6.9p21/defaults.c sudo-1.6.9p22/defaults.c --- sudo-1.6.9p21/defaults.c Mon Jun 18 11:51:35 2007 +++ sudo-1.6.9p22/defaults.c Wed Apr 7 06:32:23 2010 @@ -51,10 +51,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: defaults.c,v 1.48.2.5 2007/06/18 15:51:35 millert Exp $"; -#endif /* lint */ - /* * For converting between syslog numbers and strings. */ diff -urNa sudo-1.6.9p21/defaults.h sudo-1.6.9p22/defaults.h --- sudo-1.6.9p21/defaults.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.9p22/defaults.h Wed Apr 7 06:34:51 2010 @@ -16,8 +16,6 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: defaults.h,v 1.28 2004/02/13 21:36:43 millert Exp $ */ #ifndef _SUDO_DEFAULTS_H diff -urNa sudo-1.6.9p21/emul/search.h sudo-1.6.9p22/emul/search.h --- sudo-1.6.9p21/emul/search.h Fri Feb 13 16:36:49 2004 +++ sudo-1.6.9p22/emul/search.h Wed Apr 7 06:29:23 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: search.h,v 1.9 2004/02/13 21:36:49 millert Exp $ */ #ifndef _SEARCH_H diff -urNa sudo-1.6.9p21/emul/timespec.h sudo-1.6.9p22/emul/timespec.h --- sudo-1.6.9p21/emul/timespec.h Mon Jun 11 07:27:37 2007 +++ sudo-1.6.9p22/emul/timespec.h Wed Apr 7 06:29:19 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: timespec.h,v 1.1.2.1 2007/06/11 11:27:37 millert Exp $ */ #ifndef _SUDO_TIMESPEC_H diff -urNa sudo-1.6.9p21/env.c sudo-1.6.9p22/env.c --- sudo-1.6.9p21/env.c Wed Nov 5 19:08:36 2008 +++ sudo-1.6.9p22/env.c Wed Apr 7 06:32:26 2010 @@ -51,10 +51,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.21 2008/11/06 00:08:36 millert Exp $"; -#endif /* lint */ - /* * Flags used in rebuild_env() */ diff -urNa sudo-1.6.9p21/err.c sudo-1.6.9p22/err.c --- sudo-1.6.9p21/err.c Mon Jun 11 20:56:42 2007 +++ sudo-1.6.9p22/err.c Wed Apr 7 06:30:09 2010 @@ -42,10 +42,6 @@ #include #include "emul/err.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: err.c,v 1.2.2.1 2007/06/12 00:56:42 millert Exp $"; -#endif /* lint */ - void #ifdef __STDC__ err(int eval, const char *fmt, ...) diff -urNa sudo-1.6.9p21/fileops.c sudo-1.6.9p22/fileops.c --- sudo-1.6.9p21/fileops.c Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/fileops.c Wed Apr 7 06:32:28 2010 @@ -40,10 +40,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: fileops.c,v 1.5.2.5 2007/06/12 01:28:41 millert Exp $"; -#endif /* lint */ - /* * Update the access and modify times on an fd or file. */ diff -urNa sudo-1.6.9p21/find_path.c sudo-1.6.9p22/find_path.c --- sudo-1.6.9p21/find_path.c Mon Jun 11 21:43:01 2007 +++ sudo-1.6.9p22/find_path.c Fri Apr 9 06:12:55 2010 @@ -50,10 +50,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: find_path.c,v 1.108.2.4 2007/06/12 01:43:01 millert Exp $"; -#endif /* lint */ - /* * This function finds the full pathname for a command and * stores it in a statically allocated array, filling in a pointer @@ -133,7 +129,10 @@ * Check current dir if dot was in the PATH */ if (!result && checkdot) { - result = sudo_goodpath(infile, sbp); + len = snprintf(command, sizeof(command), "./%s", infile); + if (len <= 0 || len >= sizeof(command)) + errorx(1, "%s: File name too long", infile); + result = sudo_goodpath(command, sbp); if (result && def_ignore_dot) return(NOT_FOUND_DOT); } diff -urNa sudo-1.6.9p21/getcwd.c sudo-1.6.9p22/getcwd.c --- sudo-1.6.9p21/getcwd.c Mon Jun 11 20:56:42 2007 +++ sudo-1.6.9p22/getcwd.c Wed Apr 7 06:32:33 2010 @@ -78,10 +78,6 @@ (dp->d_name[0] == '.' && (dp->d_name[1] == '\0' || \ (dp->d_name[1] == '.' && dp->d_name[2] == '\0'))) -#ifndef lint -__unused static const char rcsid[] = "$Sudo: getcwd.c,v 1.25.2.1 2007/06/12 00:56:42 millert Exp $"; -#endif /* lint */ - char * getcwd(pt, size) char *pt; diff -urNa sudo-1.6.9p21/getprogname.c sudo-1.6.9p22/getprogname.c --- sudo-1.6.9p21/getprogname.c Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/getprogname.c Wed Apr 7 06:32:36 2010 @@ -24,10 +24,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: getprogname.c,v 1.4.2.2 2007/06/12 01:28:41 millert Exp $"; -#endif /* lint */ - const char * getprogname() { diff -urNa sudo-1.6.9p21/getspwuid.c sudo-1.6.9p22/getspwuid.c --- sudo-1.6.9p21/getspwuid.c Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/getspwuid.c Wed Apr 7 06:30:11 2010 @@ -69,10 +69,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: getspwuid.c,v 1.65.2.2 2007/06/12 01:28:41 millert Exp $"; -#endif /* lint */ - /* * Global variables (yuck) */ diff -urNa sudo-1.6.9p21/gettime.c sudo-1.6.9p22/gettime.c --- sudo-1.6.9p21/gettime.c Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/gettime.c Wed Apr 7 06:30:14 2010 @@ -28,10 +28,6 @@ #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: gettime.c,v 1.6.2.5 2007/06/12 01:28:41 millert Exp $"; -#endif /* lint */ - /* * Get the current time via gettimeofday() for systems with * timespecs in struct stat or, otherwise, using time(). diff -urNa sudo-1.6.9p21/goodpath.c sudo-1.6.9p22/goodpath.c --- sudo-1.6.9p21/goodpath.c Mon Jun 11 21:28:41 2007 +++ sudo-1.6.9p22/goodpath.c Wed Apr 7 06:34:49 2010 @@ -38,10 +38,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: goodpath.c,v 1.40.2.3 2007/06/12 01:28:41 millert Exp $"; -#endif /* lint */ - /* * Verify that path is a normal file and executable by root. */ diff -urNa sudo-1.6.9p21/ins_2001.h sudo-1.6.9p22/ins_2001.h --- sudo-1.6.9p21/ins_2001.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.9p22/ins_2001.h Wed Apr 7 06:34:53 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: ins_2001.h,v 1.29 2004/02/13 21:36:43 millert Exp $ */ #ifndef _SUDO_INS_2001_H diff -urNa sudo-1.6.9p21/ins_classic.h sudo-1.6.9p22/ins_classic.h --- sudo-1.6.9p21/ins_classic.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.9p22/ins_classic.h Wed Apr 7 06:34:55 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: ins_classic.h,v 1.30 2004/02/13 21:36:43 millert Exp $ */ #ifndef _SUDO_INS_CLASSIC_H diff -urNa sudo-1.6.9p21/ins_csops.h sudo-1.6.9p22/ins_csops.h --- sudo-1.6.9p21/ins_csops.h Sun Jun 10 12:57:35 2007 +++ sudo-1.6.9p22/ins_csops.h Wed Apr 7 06:30:18 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: ins_csops.h,v 1.28.2.1 2007/06/10 16:57:35 millert Exp $ */ #ifndef _SUDO_INS_CSOPS_H diff -urNa sudo-1.6.9p21/ins_goons.h sudo-1.6.9p22/ins_goons.h --- sudo-1.6.9p21/ins_goons.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.9p22/ins_goons.h Wed Apr 7 06:34:57 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: ins_goons.h,v 1.29 2004/02/13 21:36:43 millert Exp $ */ #ifndef _SUDO_INS_GOONS_H diff -urNa sudo-1.6.9p21/install-sh sudo-1.6.9p22/install-sh --- sudo-1.6.9p21/install-sh Sun Mar 23 10:20:55 2008 +++ sudo-1.6.9p22/install-sh Wed Apr 7 06:23:08 2010 @@ -1,7 +1,7 @@ #! /bin/sh ## (From INN-1.4, written by Rich Salz) -## $Revision: 1.9.4.1 $ +## $Revision$ ## A script to install files and directories. PROGNAME=`basename $0` diff -urNa sudo-1.6.9p21/insults.h sudo-1.6.9p22/insults.h --- sudo-1.6.9p21/insults.h Fri Feb 13 16:36:43 2004 +++ sudo-1.6.9p22/insults.h Wed Apr 7 06:34:59 2010 @@ -12,8 +12,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: insults.h,v 1.46 2004/02/13 21:36:43 millert Exp $ */ #ifndef _SUDO_INSULTS_H diff -urNa sudo-1.6.9p21/interfaces.c sudo-1.6.9p22/interfaces.c --- sudo-1.6.9p21/interfaces.c Sun Nov 2 09:53:47 2008 +++ sudo-1.6.9p22/interfaces.c Wed Apr 7 06:30:22 2010 @@ -88,11 +88,6 @@ #include "sudo.h" #include "interfaces.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: interfaces.c,v 1.72.2.9 2008/11/02 14:53:47 millert Exp $"; -#endif /* lint */ - - #ifdef HAVE_GETIFADDRS /* diff -urNa sudo-1.6.9p21/interfaces.h sudo-1.6.9p22/interfaces.h --- sudo-1.6.9p21/interfaces.h Wed Oct 24 12:43:27 2007 +++ sudo-1.6.9p22/interfaces.h Wed Apr 7 06:30:25 2010 @@ -16,8 +16,6 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: interfaces.h,v 1.8.2.3 2007/10/24 16:43:27 millert Exp $ */ #ifndef _SUDO_INTERFACES_H diff -urNa sudo-1.6.9p21/ldap.c sudo-1.6.9p22/ldap.c --- sudo-1.6.9p21/ldap.c Fri Apr 11 10:03:51 2008 +++ sudo-1.6.9p22/ldap.c Wed Apr 7 06:30:28 2010 @@ -70,10 +70,6 @@ #include "sudo.h" #include "parse.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.38 2008/04/11 14:03:51 millert Exp $"; -#endif /* lint */ - #ifndef LINE_MAX # define LINE_MAX 2048 #endif diff -urNa sudo-1.6.9p21/lex.yy.c sudo-1.6.9p22/lex.yy.c --- sudo-1.6.9p21/lex.yy.c Thu Jun 26 07:54:11 2008 +++ sudo-1.6.9p22/lex.yy.c Wed Apr 7 06:30:30 2010 @@ -3,7 +3,7 @@ /* A lexical scanner generated by flex */ /* Scanner skeleton version: - * $Header: /home/cvs/courtesan/sudo/Attic/lex.yy.c,v 1.46.2.11 2008/06/26 11:53:49 millert Exp $ + * $Header$ */ #define FLEX_SCANNER @@ -1478,10 +1478,6 @@ #include "sudo.h" #include "parse.h" #include - -#ifndef lint -__unused static const char rcsid[] = "$Sudo: lex.yy.c,v 1.46.2.11 2008/06/26 11:53:49 millert Exp $"; -#endif /* lint */ #undef yywrap /* guard against a yywrap macro */ diff -urNa sudo-1.6.9p21/logging.c sudo-1.6.9p22/logging.c --- sudo-1.6.9p21/logging.c Wed Dec 9 11:21:32 2009 +++ sudo-1.6.9p22/logging.c Wed Apr 7 06:30:32 2010 @@ -61,10 +61,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.18 2009/12/09 16:21:32 millert Exp $"; -#endif /* lint */ - static void do_syslog __P((int, char *)); static void do_logfile __P((char *)); static void send_mail __P((char *)); diff -urNa sudo-1.6.9p21/lsearch.c sudo-1.6.9p22/lsearch.c --- sudo-1.6.9p21/lsearch.c Mon Jun 11 20:56:42 2007 +++ sudo-1.6.9p22/lsearch.c Wed Apr 7 06:30:44 2010 @@ -44,9 +44,6 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)lsearch.c 8.1 (Berkeley) 6/4/93"; #endif /* LIBC_SCCS and not lint */ -#ifndef lint -__unused static const char rcsid[] = "$Sudo: lsearch.c,v 1.18.4.1 2007/06/12 00:56:42 millert Exp $"; -#endif /* lint */ typedef int (*cmp_fn_t) __P((const VOID *, const VOID *)); static VOID *linear_base __P((const VOID *, const VOID *, size_t *, size_t, diff -urNa sudo-1.6.9p21/memrchr.c sudo-1.6.9p22/memrchr.c --- sudo-1.6.9p21/memrchr.c Tue Nov 27 12:06:54 2007 +++ sudo-1.6.9p22/memrchr.c Wed Apr 7 06:32:04 2010 @@ -18,13 +18,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: memrchr.c,v 1.1.2.3 2007/11/27 17:06:54 millert Exp $"; -#endif /* lint */ - -#include -#include - /* * Reverse memchr() * Find the last occurrence of 'c' in the buffer 's' of size 'n'. diff -urNa sudo-1.6.9p21/mkinstalldirs sudo-1.6.9p22/mkinstalldirs --- sudo-1.6.9p21/mkinstalldirs Thu Apr 3 10:16:22 2003 +++ sudo-1.6.9p22/mkinstalldirs Wed Apr 7 06:35:05 2010 @@ -4,8 +4,6 @@ # Created: 1993-05-16 # Public domain -# $Sudo: mkinstalldirs,v 1.5 2003/04/03 15:16:22 millert Exp $ - umask 022 errstatus=0 dirmode="" diff -urNa sudo-1.6.9p21/mkstemp.c sudo-1.6.9p22/mkstemp.c --- sudo-1.6.9p21/mkstemp.c Tue Jun 12 13:06:20 2007 +++ sudo-1.6.9p22/mkstemp.c Wed Apr 7 06:32:10 2010 @@ -50,10 +50,6 @@ #include "sudo.h" -#ifndef lint -static const char rcsid[] = "$Sudo: mkstemp.c,v 1.1.2.1 2007/06/12 17:06:20 millert Exp $"; -#endif /* not lint */ - static unsigned int get_random __P((void)); static void seed_random __P((void)); diff -urNa sudo-1.6.9p21/parse.c sudo-1.6.9p22/parse.c --- sudo-1.6.9p21/parse.c Mon Feb 22 19:52:01 2010 +++ sudo-1.6.9p22/parse.c Wed Apr 7 06:32:40 2010 @@ -89,10 +89,6 @@ # include "emul/glob.h" #endif /* HAVE_EXTENDED_GLOB */ -#ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.24 2009/02/10 19:04:51 millert Exp $"; -#endif /* lint */ - static int command_matches_dir __P((char *, size_t)); static int command_matches_glob __P((char *, char *)); static int command_matches_fnmatch __P((char *, char *)); @@ -348,7 +344,7 @@ * else return false. */ #define GLOB_FLAGS (GLOB_NOSORT | GLOB_MARK | GLOB_BRACE | GLOB_TILDE) - if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0) { + if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0 || gl.gl_pathc == 0) { globfree(&gl); return(FALSE); } diff -urNa sudo-1.6.9p21/parse.h sudo-1.6.9p22/parse.h --- sudo-1.6.9p21/parse.h Sat Feb 9 09:44:48 2008 +++ sudo-1.6.9p22/parse.h Wed Apr 7 06:32:43 2010 @@ -13,8 +13,6 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $Sudo: parse.h,v 1.14.2.2 2008/02/09 14:44:48 millert Exp $ */ #ifndef _SUDO_PARSE_H diff -urNa sudo-1.6.9p21/parse.lex sudo-1.6.9p22/parse.lex --- sudo-1.6.9p21/parse.lex Thu Jun 26 07:54:11 2008 +++ sudo-1.6.9p22/parse.lex Wed Apr 7 06:32:46 2010 @@ -54,10 +54,6 @@ #include "parse.h" #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.10 2008/06/26 11:53:50 millert Exp $"; -#endif /* lint */ - #undef yywrap /* guard against a yywrap macro */ extern YYSTYPE yylval; diff -urNa sudo-1.6.9p21/parse.yacc sudo-1.6.9p22/parse.yacc --- sudo-1.6.9p21/parse.yacc Thu Oct 30 10:40:41 2008 +++ sudo-1.6.9p22/parse.yacc Wed Apr 7 06:32:52 2010 @@ -69,10 +69,6 @@ #include "emul/search.h" #endif /* HAVE_LSEARCH */ -#ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.14 2008/10/30 14:40:04 millert Exp $"; -#endif /* lint */ - /* * We must define SIZE_MAX for yacc's skeleton.c. * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t diff -urNa sudo-1.6.9p21/pathnames.h.in sudo-1.6.9p22/pathnames.h.in --- sudo-1.6.9p21/pathnames.h.in Mon Nov 10 08:07:50 2008 +++ sudo-1.6.9p22/pathnames.h.in Wed Apr 7 06:32:55 2010 @@ -17,8 +17,6 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: pathnames.h.in,v 1.51.2.5 2008/11/10 13:07:50 millert Exp $ */ /* diff -urNa sudo-1.6.9p21/selinux.c sudo-1.6.9p22/selinux.c --- sudo-1.6.9p21/selinux.c Fri Feb 22 15:33:10 2008 +++ sudo-1.6.9p22/selinux.c Wed Apr 7 06:33:53 2010 @@ -49,10 +49,6 @@ #include "sudo.h" #include "pathnames.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.2.2.4 2008/02/22 20:33:10 millert Exp $"; -#endif /* lint */ - /* * This function attempts to revert the relabeling done to the tty. * fd - referencing the opened ttyn diff -urNa sudo-1.6.9p21/sesh.c sudo-1.6.9p22/sesh.c --- sudo-1.6.9p21/sesh.c Sat Feb 9 09:44:49 2008 +++ sudo-1.6.9p22/sesh.c Wed Apr 7 06:32:58 2010 @@ -29,10 +29,6 @@ #include "compat.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sesh.c,v 1.1.2.1 2008/02/09 14:44:49 millert Exp $"; -#endif /* lint */ - int main (int argc, char **argv) { diff -urNa sudo-1.6.9p21/set_perms.c sudo-1.6.9p22/set_perms.c --- sudo-1.6.9p21/set_perms.c Sat Apr 25 10:12:55 2009 +++ sudo-1.6.9p22/set_perms.c Wed Apr 7 06:33:58 2010 @@ -56,10 +56,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: set_perms.c,v 1.30.2.8 2009/04/25 14:12:55 millert Exp $"; -#endif /* lint */ - #ifdef __TANDEM # define ROOT_UID 65535 #else diff -urNa sudo-1.6.9p21/sigaction.c sudo-1.6.9p22/sigaction.c --- sudo-1.6.9p21/sigaction.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/sigaction.c Wed Apr 7 06:34:02 2010 @@ -23,10 +23,6 @@ #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sigaction.c,v 1.5.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - int sigaction(signo, sa, osa) int signo; diff -urNa sudo-1.6.9p21/snprintf.c sudo-1.6.9p22/snprintf.c --- sudo-1.6.9p21/snprintf.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/snprintf.c Wed Apr 7 06:34:04 2010 @@ -75,10 +75,6 @@ #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: snprintf.c,v 1.14.4.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - static int xxxprintf __P((char **, size_t, int, const char *, va_list)); /* diff -urNa sudo-1.6.9p21/strcasecmp.c sudo-1.6.9p22/strcasecmp.c --- sudo-1.6.9p21/strcasecmp.c Tue Jun 12 12:19:15 2007 +++ sudo-1.6.9p22/strcasecmp.c Wed Apr 7 06:34:07 2010 @@ -18,10 +18,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: strcasecmp.c,v 1.3.4.2 2007/06/12 16:19:15 millert Exp $"; -#endif /* lint */ - /* * Case insensitive string compare routines, same semantics as str[n]cmp() * (assumes ASCII..). diff -urNa sudo-1.6.9p21/strerror.c sudo-1.6.9p22/strerror.c --- sudo-1.6.9p21/strerror.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/strerror.c Wed Apr 7 06:34:10 2010 @@ -24,10 +24,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: strerror.c,v 1.8.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - /* * Map errno -> error string. */ diff -urNa sudo-1.6.9p21/strlcat.c sudo-1.6.9p22/strlcat.c --- sudo-1.6.9p21/strlcat.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/strlcat.c Wed Apr 7 06:34:16 2010 @@ -22,11 +22,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: strlcat.c,v 1.4.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - - /* * Appends src to string dst of size siz (unlike strncat, siz is the * full size of dst, not space left). At most siz-1 characters diff -urNa sudo-1.6.9p21/strlcpy.c sudo-1.6.9p22/strlcpy.c --- sudo-1.6.9p21/strlcpy.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/strlcpy.c Wed Apr 7 06:34:21 2010 @@ -21,10 +21,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: strlcpy.c,v 1.4.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - /* * Copy src to string dst of size siz. At most siz-1 characters * will be copied. Always NUL terminates (unless siz == 0). diff -urNa sudo-1.6.9p21/sudo.c sudo-1.6.9p22/sudo.c --- sudo-1.6.9p21/sudo.c Wed Dec 9 11:18:09 2009 +++ sudo-1.6.9p22/sudo.c Wed Apr 7 06:34:24 2010 @@ -104,10 +104,6 @@ #include "interfaces.h" #include "version.h" -#ifndef lint -__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.54 2009/12/09 16:18:09 millert Exp $"; -#endif /* lint */ - /* * Prototypes */ diff -urNa sudo-1.6.9p21/sudo.h sudo-1.6.9p22/sudo.h --- sudo-1.6.9p21/sudo.h Wed Feb 25 06:07:43 2009 +++ sudo-1.6.9p22/sudo.h Wed Apr 7 06:34:27 2010 @@ -16,8 +16,6 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: sudo.h,v 1.209.2.15 2009/02/25 11:07:43 millert Exp $ */ #ifndef _SUDO_SUDO_H diff -urNa sudo-1.6.9p21/sudo.man.in sudo-1.6.9p22/sudo.man.in --- sudo-1.6.9p21/sudo.man.in Tue Feb 23 07:20:23 2010 +++ sudo-1.6.9p22/sudo.man.in Wed Apr 7 06:34:30 2010 @@ -18,7 +18,6 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudo.man.in,v 1.29.2.32 2009/02/25 11:08:39 millert Exp $ .\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) .\" .\" Standard preamble: diff -urNa sudo-1.6.9p21/sudo.pod sudo-1.6.9p22/sudo.pod --- sudo-1.6.9p21/sudo.pod Wed Feb 25 06:07:43 2009 +++ sudo-1.6.9p22/sudo.pod Wed Apr 7 06:34:32 2010 @@ -18,7 +18,6 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.70.2.26 2009/02/25 11:07:43 millert Exp $ =pod =head1 NAME diff -urNa sudo-1.6.9p21/sudo.tab.c sudo-1.6.9p22/sudo.tab.c --- sudo-1.6.9p21/sudo.tab.c Thu Oct 30 10:40:42 2008 +++ sudo-1.6.9p22/sudo.tab.c Wed Apr 7 06:33:01 2010 @@ -88,10 +88,6 @@ #include "emul/search.h" #endif /* HAVE_LSEARCH */ -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76.2.16 2008/10/30 14:40:28 millert Exp $"; -#endif /* lint */ - /* * We must define SIZE_MAX for yacc's skeleton.c. * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t diff -urNa sudo-1.6.9p21/sudo_edit.c sudo-1.6.9p22/sudo_edit.c --- sudo-1.6.9p21/sudo_edit.c Sun Nov 2 09:53:47 2008 +++ sudo-1.6.9p22/sudo_edit.c Wed Apr 7 06:34:36 2010 @@ -61,10 +61,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.11 2008/11/02 14:53:47 millert Exp $"; -#endif /* lint */ - extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; extern char **environ; diff -urNa sudo-1.6.9p21/sudo_noexec.c sudo-1.6.9p22/sudo_noexec.c --- sudo-1.6.9p21/sudo_noexec.c Mon Jun 11 20:56:43 2007 +++ sudo-1.6.9p22/sudo_noexec.c Wed Apr 7 06:34:40 2010 @@ -28,10 +28,6 @@ #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_noexec.c,v 1.5.2.2 2007/06/12 00:56:43 millert Exp $"; -#endif /* lint */ - /* * Dummy versions of the execve() family of syscalls. We don't need * to stub out all of them, just the ones that correspond to actual diff -urNa sudo-1.6.9p21/sudoers.cat sudo-1.6.9p22/sudoers.cat --- sudo-1.6.9p21/sudoers.cat Tue Feb 23 07:20:48 2010 +++ sudo-1.6.9p22/sudoers.cat Wed Apr 7 09:45:30 2010 @@ -22,8 +22,7 @@ what EBNF is; it is fairly simple, and the definitions below are annotated. - QQuuiicckk gguuiiddee ttoo EEBBNNFF - + QQuuiicckk gguuiiddee ttoo EEBBNNFF EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., @@ -51,29 +50,26 @@ is a verbatim character string (as opposed to a symbol name). - AAlliiaasseess - + AAlliiaasseess There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* +1.6.9p21 April 7, 2010 1 -1.6.9p21 February 23, 2010 1 - - SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List @@ -125,20 +121,21 @@ '!'* +netgroup | '!'* Runas_Alias + A Runas_List is similar to a User_List except that it can + also contain uids (prefixed with '#') and instead of + User_Aliases it can contain Runas_Aliases. Note that -1.6.9p21 February 23, 2010 2 +1.6.9p21 April 7, 2010 2 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - A Runas_List is similar to a User_List except that it can - also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. Note that usernames and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to match all @@ -190,10 +187,13 @@ he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run + wwiitthhoouutt command line arguments. A directory is a fully + qualified pathname ending in a '/'. When you specify a + directory in a Cmnd_List, the user will be able to run any -1.6.9p21 February 23, 2010 3 +1.6.9p21 April 7, 2010 3 @@ -202,9 +202,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wwiitthhoouutt command line arguments. A directory is a fully - qualified pathname ending in a '/'. When you specify a - directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -218,8 +215,7 @@ --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. - DDeeffaauullttss - + DDeeffaauullttss Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users @@ -257,22 +253,22 @@ See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + UUsseerr SSppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* -1.6.9p21 February 23, 2010 4 +1.6.9p21 April 7, 2010 4 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* - Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List @@ -290,8 +286,7 @@ Let's break that down into its constituent parts: - RRuunnaass__SSppeecc - + RRuunnaass__SSppeecc A Runas_Spec is simply a Runas_List (as defined above) enclosed in a set of parentheses. If you do not specify a Runas_Spec in the user specification, a default Runas_Spec @@ -314,8 +309,7 @@ Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - TTaagg__SSppeecc - + TTaagg__SSppeecc A command may have zero or more tags associated with it. There are six possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a @@ -323,22 +317,23 @@ tag unless it is overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + By default, ssuuddoo requires that a user authenticate him or + herself before running a command. This behavior can be + modified via the NOPASSWD tag. Like a Runas_Spec, the -1.6.9p21 February 23, 2010 5 +1.6.9p21 April 7, 2010 5 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - By default, ssuuddoo requires that a user authenticate him or - herself before running a command. This behavior can be - modified via the NOPASSWD tag. Like a Runas_Spec, the + NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example: @@ -388,24 +383,23 @@ _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables in this manner. If the command matched is AALLLL, the SETENV tag is implied + for that command; this default may be overridden by use of + the UNSETENV tag. + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob -1.6.9p21 February 23, 2010 6 +1.6.9p21 April 7, 2010 6 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - for that command; this default may be overridden by use of - the UNSETENV tag. - - WWiillddccaarrddss - - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in hostnames, pathnames and command line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3) routines. Note @@ -432,8 +426,7 @@ match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: "" If the empty string "" is the only command line @@ -441,8 +434,7 @@ command is not allowed to be run with aannyy arguments. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more @@ -454,26 +446,26 @@ causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define your own + _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be + dangerous since in a command context, it allows the user + to run aannyy command on the system. + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that -1.6.9p21 February 23, 2010 7 +1.6.9p21 April 7, 2010 7 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be - dangerous since in a command context, it allows the user - to run aannyy command on the system. - - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). @@ -520,26 +512,26 @@ a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a + value specified in editor. This flag is + _o_f_f by default. + env_reset If set, ssuuddoo will reset the environment to + only contain the LOGNAME, SHELL, USER, + USERNAME and the SUDO_* variables. Any + variables in the caller's environment that + match the env_keep and env_check lists are -1.6.9p21 February 23, 2010 8 +1.6.9p21 April 7, 2010 8 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - value specified in editor. This flag is - _o_f_f by default. - - env_reset If set, ssuuddoo will reset the environment to - only contain the LOGNAME, SHELL, USER, - USERNAME and the SUDO_* variables. Any - variables in the caller's environment that - match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when ssuuddoo is run by root with the _-_V @@ -586,26 +578,26 @@ is used. This thwarts the efforts of rogue operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option + is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even + need to exist. Since this option tells + ssuuddoo how to behave when no specific LDAP + entries have been matched, this sudoOption + is only meaningful for the cn=defaults + section. This flag is _o_f_f by default. + insults If set, ssuuddoo will insult users when they -1.6.9p21 February 23, 2010 9 +1.6.9p21 April 7, 2010 9 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even - need to exist. Since this option tells - ssuuddoo how to behave when no specific LDAP - entries have been matched, this sudoOption - is only meaningful for the cn=defaults - section. This flag is _o_f_f by default. - - insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. @@ -652,26 +644,26 @@ noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, + unless overridden by a EXEC tag. See the + description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" + section at the end of this manual. This + flag is _o_f_f by default. + path_info Normally, ssuuddoo will tell the user when a + command could not be found in their PATH -1.6.9p21 February 23, 2010 10 +1.6.9p21 April 7, 2010 10 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - unless overridden by a EXEC tag. See the - description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" - section at the end of this manual. This - flag is _o_f_f by default. - - path_info Normally, ssuuddoo will tell the user when a - command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of @@ -718,26 +710,26 @@ running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. + This flag is _o_n by default. + rootpw If set, ssuuddoo will prompt for the root + password instead of the password of the + invoking user. This flag is _o_f_f by + default. + runaspw If set, ssuuddoo will prompt for the password -1.6.9p21 February 23, 2010 11 +1.6.9p21 April 7, 2010 11 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - This flag is _o_n by default. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - rootpw If set, ssuuddoo will prompt for the root - password instead of the password of the - invoking user. This flag is _o_f_f by - default. - runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of the invoking user. This flag @@ -785,32 +777,40 @@ user's /etc/passwd entry if not). This flag is _o_f_f by default. + fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function + to do shell-style globbing when matching + pathnames. However, since it accesses the + file system, _g_l_o_b(3) can take a long time + to complete for some patterns, especially + when the pattern references a network file + system that is mounted on demand -1.6.9p21 February 23, 2010 12 +1.6.9p21 April 7, 2010 12 + SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function - to do shell-style globbing when matching - pathnames. However, since it accesses the - file system, _g_l_o_b(3) can take a long time - to complete for some patterns, especially - when the pattern references a network file - system that is mounted on demand (automounted). The _f_a_s_t___g_l_o_b option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative pathnames such as - _._/_l_s or _._._/_b_i_n_/_l_s. This flag is _o_f_f by - default. + _._/_l_s or _._._/_b_i_n_/_l_s. This has security + implications when path names that include + globbing characters are used with the + negation operator, '!', as such rules can + be trivially bypassed. As such, this + option should not be used when _s_u_d_o_e_r_s + contains rules that contain negated path + names which include globbing characters. + This flag is _o_f_f by default. stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the @@ -853,7 +853,7 @@ -1.6.9p21 February 23, 2010 13 +1.6.9p21 April 7, 2010 13 @@ -919,7 +919,7 @@ -1.6.9p21 February 23, 2010 14 +1.6.9p21 April 7, 2010 14 @@ -985,7 +985,7 @@ -1.6.9p21 February 23, 2010 15 +1.6.9p21 April 7, 2010 15 @@ -1051,7 +1051,7 @@ -1.6.9p21 February 23, 2010 16 +1.6.9p21 April 7, 2010 16 @@ -1117,7 +1117,7 @@ -1.6.9p21 February 23, 2010 17 +1.6.9p21 April 7, 2010 17 @@ -1183,7 +1183,7 @@ -1.6.9p21 February 23, 2010 18 +1.6.9p21 April 7, 2010 18 @@ -1249,7 +1249,7 @@ -1.6.9p21 February 23, 2010 19 +1.6.9p21 April 7, 2010 19 @@ -1315,7 +1315,7 @@ -1.6.9p21 February 23, 2010 20 +1.6.9p21 April 7, 2010 20 @@ -1381,7 +1381,7 @@ -1.6.9p21 February 23, 2010 21 +1.6.9p21 April 7, 2010 21 @@ -1447,7 +1447,7 @@ -1.6.9p21 February 23, 2010 22 +1.6.9p21 April 7, 2010 22 @@ -1462,6 +1462,24 @@ restrictions should be considered advisory at best (and reinforced by policy). + Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not + possible to reliably negate commands where the path name + includes globbing (aka wildcard) characters. This is + because the C library's _f_n_m_a_t_c_h(3) function cannot resolve + relative paths. While this is typically only an + inconvenience for rules that grant privileges, it can + result in a security issue for rules that subtract or + revoke privileges. + + For example, given the following _s_u_d_o_e_r_s entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b + is enabled by changing to _/_u_s_r_/_b_i_n and running ./passwd + root instead. + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This @@ -1492,6 +1510,18 @@ Note, however, that this applies only to native dynamically-linked executables. Statically- linked executables and foreign executables + + + +1.6.9p21 April 7, 2010 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + running under binary emulation are not affected. To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you @@ -1510,18 +1540,6 @@ there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - - - -1.6.9p21 February 23, 2010 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on most operating systems that support @@ -1558,6 +1576,18 @@ CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical + + + +1.6.9p21 April 7, 2010 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + checking. It is imperative that _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a syntactically incorrect _s_u_d_o_e_r_s file. @@ -1576,18 +1606,6 @@ Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to - - - -1.6.9p21 February 23, 2010 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - subscribe or search the archives. DDIISSCCLLAAIIMMEERR @@ -1627,24 +1645,6 @@ - - - - - - - - - - - - - - - - - - -1.6.9p21 February 23, 2010 25 +1.6.9p21 April 7, 2010 25 diff -urNa sudo-1.6.9p21/sudoers.man.in sudo-1.6.9p22/sudoers.man.in --- sudo-1.6.9p21/sudoers.man.in Tue Feb 23 07:20:32 2010 +++ sudo-1.6.9p22/sudoers.man.in Wed Apr 7 09:45:27 2010 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -18,19 +18,10 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: sudoers.man.in,v 1.45.2.34 2009/02/21 22:08:42 millert Exp $ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -74,7 +65,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -153,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "February 23, 2010" "1.6.9p21" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "April 7, 2010" "1.6.9p21" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,7 +164,7 @@ The \fIsudoers\fR grammar will be described below in Extended Backus-Naur Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly simple, and the definitions below are annotated. -.Sh "Quick guide to \s-1EBNF\s0" +.SS "Quick guide to \s-1EBNF\s0" .IX Subsection "Quick guide to EBNF" \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., @@ -206,7 +197,7 @@ Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). -.Sh "Aliases" +.SS "Aliases" .IX Subsection "Aliases" There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR. @@ -340,7 +331,7 @@ is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. -.Sh "Defaults" +.SS "Defaults" .IX Subsection "Defaults" Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These @@ -377,7 +368,7 @@ that does not exist in a list. .PP See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. -.Sh "User Specification" +.SS "User Specification" .IX Subsection "User Specification" .Vb 2 \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e @@ -399,7 +390,7 @@ run as \fBroot\fR, but this can be changed on a per-command basis. .PP Let's break that down into its constituent parts: -.Sh "Runas_Spec" +.SS "Runas_Spec" .IX Subsection "Runas_Spec" A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above) enclosed in a set of parentheses. If you do not specify a @@ -427,7 +418,7 @@ .PP Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. -.Sh "Tag_Spec" +.SS "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are six possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, @@ -498,7 +489,7 @@ variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the \&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag. -.Sh "Wildcards" +.SS "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) to be used in hostnames, pathnames and command line arguments in @@ -537,7 +528,7 @@ .Ve .PP match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. -.Sh "Exceptions to wildcard rules" +.SS "Exceptions to wildcard rules" .IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: .ie n .IP """""" 8 @@ -546,7 +537,7 @@ If the empty string \f(CW""\fR is the only command line argument in the \&\fIsudoers\fR entry it means that command is not allowed to be run with \fBany\fR arguments. -.Sh "Other special characters and reserved words" +.SS "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words" The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of @@ -789,7 +780,12 @@ option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does not access the file system to do its matching. The disadvantage of \fIfast_glob\fR is that it is unable to match relative pathnames -such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. +such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications +when path names that include globbing characters are used with the +negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed. +As such, this option should not be used when \fIsudoers\fR contains rules +that contain negated path names which include globbing characters. +This flag is \fIoff\fR by default. .IP "stay_setuid" 16 .IX Item "stay_setuid" Normally, when \fBsudo\fR executes a command the real and effective @@ -1356,6 +1352,24 @@ different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). +.PP +Furthermore, if the \fIfast_glob\fR option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. +.PP +For example, given the following \fIsudoers\fR entry: +.PP +.Vb 2 +\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*, +\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root +.Ve +.PP +User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is +enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead. .SH "PREVENTING SHELL ESCAPES" .IX Header "PREVENTING SHELL ESCAPES" Once \fBsudo\fR executes a program, that program is free to do whatever diff -urNa sudo-1.6.9p21/sudoers.pod sudo-1.6.9p22/sudoers.pod --- sudo-1.6.9p21/sudoers.pod Sat Feb 21 17:08:43 2009 +++ sudo-1.6.9p22/sudoers.pod Wed Apr 7 09:44:03 2010 @@ -1,4 +1,4 @@ -Copyright (c) 1994-1996, 1998-2005, 2007 +Copyright (c) 1994-1996, 1998-2005, 2007-2010 Todd C. Miller Permission to use, copy, modify, and distribute this software for any @@ -18,7 +18,6 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95.2.34 2009/02/21 22:08:43 millert Exp $ =pod =head1 NAME @@ -670,7 +669,12 @@ option causes B to use the L function, which does not access the file system to do its matching. The disadvantage of I is that it is unable to match relative pathnames -such as F<./ls> or F<../bin/ls>. This flag is I by default. +such as F<./ls> or F<../bin/ls>. This has security implications +when path names that include globbing characters are used with the +negation operator, C<'!'>, as such rules can be trivially bypassed. +As such, this option should not be used when I contains rules +that contain negated path names which include globbing characters. +This flag is I by default. =item stay_setuid @@ -1269,6 +1273,22 @@ different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). + +Furthermore, if the I option is in use, it is not possible +to reliably negate commands where the path name includes globbing +(aka wildcard) characters. This is because the C library's +L function cannot resolve relative paths. While this +is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke +privileges. + +For example, given the following I entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + +User B can still run C if I is +enabled by changing to F and running C<./passwd root> instead. =head1 PREVENTING SHELL ESCAPES diff -urNa sudo-1.6.9p21/sudoers2ldif sudo-1.6.9p22/sudoers2ldif --- sudo-1.6.9p21/sudoers2ldif Thu Jun 28 10:45:19 2007 +++ sudo-1.6.9p22/sudoers2ldif Wed Apr 7 06:33:26 2010 @@ -5,8 +5,6 @@ # Converts a sudoers file to LDIF format in prepration for loading into # the LDAP server. # -# $Sudo: sudoers2ldif,v 1.2.2.1 2007/06/28 14:45:19 millert Exp $ -# # BUGS: # Does not yet handle multiple lines with : in them diff -urNa sudo-1.6.9p21/testsudoers.c sudo-1.6.9p22/testsudoers.c --- sudo-1.6.9p21/testsudoers.c Wed Oct 29 13:56:46 2008 +++ sudo-1.6.9p22/testsudoers.c Wed Apr 7 06:33:31 2010 @@ -74,11 +74,6 @@ # include "emul/fnmatch.h" #endif /* HAVE_FNMATCH */ -#ifndef lint -__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.8 2008/10/29 17:31:58 millert Exp $"; -#endif /* lint */ - - /* * Prototypes */ diff -urNa sudo-1.6.9p21/tgetpass.c sudo-1.6.9p22/tgetpass.c --- sudo-1.6.9p21/tgetpass.c Sun Nov 2 09:53:47 2008 +++ sudo-1.6.9p22/tgetpass.c Wed Apr 7 06:33:34 2010 @@ -69,10 +69,6 @@ #include "sudo.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.9 2008/11/02 14:53:47 millert Exp $"; -#endif /* lint */ - #ifndef TCSASOFT # define TCSASOFT 0 #endif diff -urNa sudo-1.6.9p21/utimes.c sudo-1.6.9p22/utimes.c --- sudo-1.6.9p21/utimes.c Mon Jun 11 20:56:43 2007 +++ sudo-1.6.9p22/utimes.c Wed Apr 7 06:33:37 2010 @@ -31,10 +31,6 @@ #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: utimes.c,v 1.8.2.3 2007/06/12 00:56:43 millert Exp $"; -#endif /* lint */ - #ifndef HAVE_UTIMES /* * Emulate utimes() via utime() diff -urNa sudo-1.6.9p21/version.h sudo-1.6.9p22/version.h --- sudo-1.6.9p21/version.h Tue Feb 10 14:06:18 2009 +++ sudo-1.6.9p22/version.h Fri Apr 9 06:36:45 2010 @@ -16,13 +16,11 @@ * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. - * - * $Sudo: version.h,v 1.66.2.24 2009/02/10 19:06:18 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.9p21"; +static const char version[] = "1.6.9p22"; #endif /* _SUDO_VERSION_H */ diff -urNa sudo-1.6.9p21/visudo.c sudo-1.6.9p22/visudo.c --- sudo-1.6.9p21/visudo.c Sun Nov 2 09:45:50 2008 +++ sudo-1.6.9p22/visudo.c Wed Apr 7 06:33:40 2010 @@ -77,10 +77,6 @@ #include "sudo.h" #include "version.h" -#ifndef lint -__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.12 2008/11/02 14:45:50 millert Exp $"; -#endif /* lint */ - struct sudoersfile { char *path; char *tpath; diff -urNa sudo-1.6.9p21/visudo.man.in sudo-1.6.9p22/visudo.man.in --- sudo-1.6.9p21/visudo.man.in Tue Feb 23 07:20:43 2010 +++ sudo-1.6.9p22/visudo.man.in Wed Apr 7 06:33:44 2010 @@ -17,7 +17,6 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" $Sudo: visudo.man.in,v 1.20.2.26 2009/02/10 19:06:18 millert Exp $ .\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) .\" .\" Standard preamble: diff -urNa sudo-1.6.9p21/visudo.pod sudo-1.6.9p22/visudo.pod --- sudo-1.6.9p21/visudo.pod Tue Feb 10 09:45:03 2009 +++ sudo-1.6.9p22/visudo.pod Wed Apr 7 06:33:46 2010 @@ -17,7 +17,6 @@ Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: visudo.pod,v 1.38.2.11 2008/12/03 17:42:06 millert Exp $ =pod =head1 NAME diff -urNa sudo-1.6.9p21/zero_bytes.c sudo-1.6.9p22/zero_bytes.c --- sudo-1.6.9p21/zero_bytes.c Mon Jun 11 21:28:42 2007 +++ sudo-1.6.9p22/zero_bytes.c Wed Apr 7 06:33:51 2010 @@ -19,10 +19,6 @@ #include #include -#ifndef lint -__unused static const char rcsid[] = "$Sudo: zero_bytes.c,v 1.2.2.2 2007/06/12 01:28:42 millert Exp $"; -#endif /* lint */ - /* * Like bzero(3) but with a volatile pointer. The hope is that * the compiler will not be able to optimize away this function.