From: millert
Date: Thu, 31 Jul 2008 16:44:03 +0000 (+0000)
Subject: Update to sudo 1.6.9p17
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=8c9a63b7ad7479c3a474f9302883486596b46bcd;p=openbsd

Update to sudo 1.6.9p17
---

diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES
index fcb8d5596b7..c3124ca8f2e 100644
--- a/usr.bin/sudo/CHANGES
+++ b/usr.bin/sudo/CHANGES
@@ -2045,3 +2045,73 @@ Sudo 1.6.9p11 released.
 to the screen if there was a read timeout.
 
 Sudo 1.6.9p12 released.
+
+646) Sudo will now set the nproc resource limit to unlimited on Linux
+ systems to work around Linux's setuid() resource limit semantics.
+ On PAM systems the resource limits will be reset by pam_limits.so
+ before the command is executed.
+
+647) SELinux support that can be used to implement role based access
+ control (RBAC). A role and (optional) type may be specified
+ in sudoers or on the command line. These are then used in the
+ security context that the command is run as.
+
+648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
+
+Sudo 1.6.9p13 released.
+
+649) Fixed an invalid assumption in the PAM conversation function
+ introduced in version 1.6.9p9. The conversation function may
+ be called for non-password reading purposes as well.
+
+650) Fixed freeing an uninitialized pointer in -l mode, introduced in
+ version 1.6.9p13.
+
+651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
+ This allows Defaults options in /etc/sudoers to take effect.
+
+652) Add missing checks for enforcing mode in SELinux RBAC mode.
+
+Sudo 1.6.9p14 released.
+
+653) Fixed installation of sudo_noexec.so on AIX.
+
+654) Updated libtool to version 1.5.26.
+
+655) Fixed printing of default SELinux role and type in -V mode.
+
+656) The HOME environment variable is once again preserved by default,
+ as per the documentation.
+
+Sudo 1.6.9p15 released.
+
+657) There was a missing space before the ldap libraries in the Makefile
+ for some configurations.
+
+658) LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
+
+659) If the LDAP server could not be contacted and the user was not present
+ in sudoers, a syntax error in sudoers was incorrectly reported.
+
+Sudo 1.6.9p16 released.
+
+660) The -i flag should imply resetting the environment, as it did in
+ sudo version prior to 1.6.9. Also, the -i and -E flags are
+ mutually exclusive.
+
+661) Fixed the configure test for dirfd() under Linux.
+
+662) Fixed test for whether -lintl is required to link.
+
+663) Changed how sudo handles the child process when sending mail.
+ This fixes a problem on Linux with the mail_always option.
+
+664) Fixed a problem with line continuation characters inside of
+ quoted strings.
+
+Sudo 1.6.9p17 released.
+
+665) Fixed a crash when the -i flag was used with a uid not in the password
+ database.
+
+666) Regenerated parser to pull in a yacc skeleton fix.
diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL
index b03d9e8ef39..1692887912e 100644
--- a/usr.bin/sudo/INSTALL
+++ b/usr.bin/sudo/INSTALL
@@ -320,6 +320,10 @@ Special features/options:
 physically live in ${prefix}/etc and /etc/sudoers will be
 a symbolic link.
 
+ --with-selinux
+ Enable support for role based access control (RBAC) on
+ systems that support SELinux.
+
 The following options are also configurable at runtime:
 
 --with-long-otp-prompt
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index 1ed0b8b4931..1650803fe2a 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -20,7 +20,7 @@
 #
 # @configure_input@
 #
-# $Sudo: Makefile.in,v 1.246.2.23 2008/01/14 12:22:57 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.32 2008/06/22 20:29:03 millert Exp $
 #
 
 #### Start of system configuration section. ####
@@ -62,7 +62,9 @@ bindir = @bindir@
 sbindir = @sbindir@
 sysconfdir = @sysconfdir@
 mandir = @mandir@
+noexecfile = @NOEXECFILE@
 noexecdir = @NOEXECDIR@
+libexecdir = @libexecdir@
 datarootdir = @datarootdir@
 
 # Directory in which to install sudo.
@@ -105,7 +107,7 @@ SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c err.c \
 logging.c memrchr.c mkstemp.c parse.c parse.lex parse.yacc set_perms.c \
 sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c \
 sudo.c sudo_noexec.c sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c \
- utimes.c visudo.c zero_bytes.c $(AUTH_SRCS)
+ utimes.c visudo.c zero_bytes.c selinux.c sesh.c $(AUTH_SRCS)
 
 AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
 auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@@ -131,7 +133,7 @@ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
 
 LIBOBJS = @LIBOBJS@ @ALLOCA@
 
-VERSION = 1.6.9p12
+VERSION = 1.6.9p17
 
 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
 LICENSE Makefile.in PORTING README README.LDAP \
@@ -233,6 +235,7 @@ glob.o: glob.c config.h compat.h emul/glob.h
 lsearch.o: lsearch.c config.h compat.h emul/search.h
 memrchr.o: memrchr.c config.h compat.h
 mkstemp.o: mkstemp.c config.h compat.h
+selinux.o: selinux.c $(SUDODEP)
 snprintf.o: snprintf.c config.h compat.h
 strcasecmp.o: strcasecmp.c config.h
 strlcat.o: strlcat.c config.h
@@ -276,7 +279,7 @@ sia.o: $(authdir)/sia.c $(AUTHDEP) sudo.man.in: $(srcdir)/sudo.pod @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) sudo.man: sudo.man.in CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status @@ -285,7 +288,7 @@ sudo.cat: sudo.man visudo.man.in: $(srcdir)/visudo.pod @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) visudo.man: visudo.man.in CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status 
@@ -294,7 +297,7 @@ visudo.cat: visudo.man sudoers.man.in: $(srcdir)/sudoers.pod @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudoers.man.pl >> $@ ) sudoers.man:: sudoers.man.in CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status @@ -313,14 +316,11 @@ install-binaries: $(PROGS) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo rm -f $(DESTDIR)$(sudodir)/sudoedit ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo +@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh install-noexec: sudo_noexec.la - $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir) - -bininst-noexec: sudo_noexec.la - $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir) + test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir) install-sudoers: test -f $(DESTDIR)$(sudoersdir)/sudoers || \ diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c index 763ce851b0d..89d43a7dd85 100644 --- a/usr.bin/sudo/auth/kerb5.c +++ b/usr.bin/sudo/auth/kerb5.c 
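Review bot: As rendered, the install-binaries hunk removes the `$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo` line and adds only the `@SELINUX@`-guarded sesh line, so visudo would no longer be installed; if that line is really unchanged context in the actual patch this is a rendering artefact, otherwise it must stay next to the sesh line. In install-noexec, `test -f .libs/$(noexecfile) && $(INSTALL) ...` leaves the recipe with a non-zero status when the file is absent, so make aborts the target instead of skipping it; if the test is meant as an opt-out for builds that produced no shared sudo_noexec, write it as `if test -f .libs/$(noexecfile); then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir); fi`. Whether anything still invokes the removed bininst-noexec target cannot be checked from this hunk.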
@@ -54,7 +54,7 @@
 #include "sudo_auth.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.7 2008/01/13 14:54:40 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.8 2008/02/13 22:17:41 millert Exp $";
 #endif /* lint */
 
 #ifdef HAVE_HEIMDAL
@@ -185,8 +185,10 @@ kerb5_verify(pw, pass, auth)
 error_message(error));
 goto done;
 }
+#ifdef HAVE_HEIMDAL
 krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
 krb5_principal_get_realm(sudo_context, princ), opts);
+#endif
 
 /* Note that we always obtain a new TGT to verify the user */
 if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
@@ -217,8 +219,13 @@ kerb5_verify(pw, pass, auth)
 }
 
 done:
- if (opts)
+ if (opts) {
+#ifdef HAVE_HEIMDAL
 krb5_get_init_creds_opt_free(opts);
+#else
+ krb5_get_init_creds_opt_free(sudo_context, opts);
+#endif
+ }
 if (creds)
 krb5_free_cred_contents(sudo_context, creds);
 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c
index f6024785bd8..b2fe41a7456 100644
--- a/usr.bin/sudo/auth/pam.c
+++ b/usr.bin/sudo/auth/pam.c
@@ -72,7 +72,7 @@
 #endif
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.9 2007/12/02 17:13:52 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.10 2008/02/22 20:19:45 millert Exp $";
 #endif /* lint */
 
 static int sudo_conv __P((int, PAM_CONST struct pam_message **,
@@ -257,11 +257,6 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
 return(PAM_CONV_ERR);
 zero_bytes(*response, num_msg * sizeof(struct pam_response));
 
- /* Is the sudo prompt standard? (If so, we'l just use PAM's) */
- std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
- (def_prompt[9] == '\0' ||
- (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
-
 for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
 flags = tgetpass_flags;
 switch (pm->msg_style) {
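Review bot: The new `#ifdef HAVE_HEIMDAL` around krb5_get_init_creds_opt_set_default_flags carries no comment, so a reader cannot tell whether the MIT build deliberately skips applying realm defaults to opts or whether the call simply does not exist there; add `/* Heimdal-only API: apply the realm's krb5.conf defaults to opts. */` above the `#ifdef`. The same Heimdal/MIT split recurs in the `done:` hunk for krb5_get_init_creds_opt_free, whose MIT form takes the context first; defining the arity difference once near the top of the file, `#define sudo_krb5_opt_free(c, o) krb5_get_init_creds_opt_free(o)` under HAVE_HEIMDAL and `#define sudo_krb5_opt_free(c, o) krb5_get_init_creds_opt_free(c, o)` otherwise, would keep the cleanup path free of preprocessor branches. kerb5_verify starts before the first hunk and its closing brace follows the second, so how opts and creds are initialised is not visible here.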
@@ -269,6 +264,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
 SET(flags, TGP_ECHO);
 case PAM_PROMPT_ECHO_OFF:
 prompt = def_prompt;
+
+ /* Is the sudo prompt standard? (If so, we'l just use PAM's) */
+ std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
+ (def_prompt[9] == '\0' ||
+ (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
+
 /* Only override PAM prompt if it matches /^Password: ?/ */
 #if defined(PAM_TEXT_DOMAIN) && defined(HAVE_DGETTEXT)
 if (!def_passprompt_override && (std_prompt ||
diff --git a/usr.bin/sudo/config.guess b/usr.bin/sudo/config.guess
index eeb9aef181b..f32079abda6 100644
--- a/usr.bin/sudo/config.guess
+++ b/usr.bin/sudo/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
-# Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Free Software Foundation, Inc.
 
-timestamp='2006-11-15'
+timestamp='2008-01-23'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -56,8 +56,8 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions. There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
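Review bot: The relocated comment still carries the typo `we'l`; while moving it, make it `/* Is the sudo prompt standard? (If so, we'll just use PAM's) */`. Nothing in the hunk records why the std_prompt test moved from before the loop into the PAM_PROMPT_ECHO_OFF case; as far as this hunk shows, def_prompt is now only dereferenced while a password-style prompt is being handled, which presumably is the fix for conversations invoked for non-password purposes, and a one-line comment such as `/* Only evaluate def_prompt for password prompts; other message styles never use it. */` would keep that reason with the code. The literal `9` in `strncmp(def_prompt, "Password:", 9)` and the `[9]`/`[10]` indexes duplicate the length of the string; `sizeof("Password:") - 1` keeps them in step if the prefix ever changes. sudo_conv begins before this hunk and continues after it on both sides.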
@@ -330,7 +330,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; - i86pc:SunOS:5.*:*) + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) @@ -532,7 +532,7 @@ EOF echo rs6000-ibm-aix3.2 fi exit ;; - *:AIX:*:[45]) + *:AIX:*:[456]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 @@ -781,7 +781,7 @@ EOF i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; - i*:MINGW*:*) + *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; i*:windows32*:*) @@ -791,12 +791,18 @@ EOF i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; - x86:Interix*:[3456]*) - echo i586-pc-interix${UNAME_RELEASE} - exit ;; - EM64T:Interix*:[3456]* | authenticamd:Interix*:[3456]*) - echo x86_64-unknown-interix${UNAME_RELEASE} - exit ;; + *:Interix*:[3456]*) + case ${UNAME_MACHINE} in + x86) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + EM64T | authenticamd) + echo x86_64-unknown-interix${UNAME_RELEASE} + exit ;; + IA64) + echo ia64-unknown-interix${UNAME_RELEASE} + exit ;; + esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; @@ -830,7 +836,14 @@ EOF echo ${UNAME_MACHINE}-pc-minix exit ;; arm*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + eval $set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + echo ${UNAME_MACHINE}-unknown-linux-gnu + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu 
@@ -951,6 +964,9 @@ EOF x86_64:Linux:*:*) echo x86_64-unknown-linux-gnu exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; i*86:Linux:*:*) # The BFD linker knows what the default object file format is, so # first see if it will tell us. cd to the root directory to prevent @@ -1209,9 +1225,15 @@ EOF SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; + SX-7:SUPER-UX:*:*) + echo sx7-nec-superux${UNAME_RELEASE} + exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; + SX-8R:SUPER-UX:*:*) + echo sx8r-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; @@ -1462,9 +1484,9 @@ This script, last modified $timestamp, has failed to recognize the operating system you are using. It is advised that you download the most up to date version of the config scripts from - http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess + http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD and - http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub + http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD If the version you run ($0) is already up to date, please send the following data and any information you think might be diff --git a/usr.bin/sudo/config.h b/usr.bin/sudo/config.h index 55ecc94cb35..4a90f38ec68 100644 --- a/usr.bin/sudo/config.h +++ b/usr.bin/sudo/config.h @@ -1,4 +1,4 @@ -/* $OpenBSD: config.h,v 1.8 2007/12/03 15:09:47 millert Exp $ */ +/* $OpenBSD: config.h,v 1.9 2008/07/31 16:44:03 millert Exp $ */ #ifndef _SUDO_CONFIG_H #define _SUDO_CONFIG_H @@ -49,6 +49,7 @@ #define HAVE_SETLOCALE 1 #define HAVE_SETRESUID 1 #define HAVE_SETRLIMIT 1 +#define HAVE_SETSID 1 #define HAVE_SIGACTION 1 #define HAVE_SIG_ATOMIC_T 1 #define HAVE_SNPRINTF 1 diff --git a/usr.bin/sudo/config.h.in b/usr.bin/sudo/config.h.in index 2ce67d7af9d..a009a090ae5 100644 
--- a/usr.bin/sudo/config.h.in +++ b/usr.bin/sudo/config.h.in @@ -305,6 +305,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SECURITY_PAM_APPL_H +/* Define to 1 to enable SELinux RBAC support. */ +#undef HAVE_SELINUX + /* Define to 1 if you have the `seteuid' function. */ #undef HAVE_SETEUID @@ -320,6 +323,9 @@ /* Define to 1 if you have the `setrlimit' function. */ #undef HAVE_SETRLIMIT +/* Define to 1 if you have the `setsid' function. */ +#undef HAVE_SETSID + /* Define to 1 if you have the `set_auth_parameters' function. */ #undef HAVE_SET_AUTH_PARAMETERS diff --git a/usr.bin/sudo/config.sub b/usr.bin/sudo/config.sub index 92a51de71f4..922d3b5d0bf 100644 --- a/usr.bin/sudo/config.sub +++ b/usr.bin/sudo/config.sub @@ -1,10 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, -# Inc. +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# Free Software Foundation, Inc. -timestamp='2006-11-07' +timestamp='2008-01-16' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -72,8 +72,8 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 -Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -245,12 +245,12 @@ case $basic_machine in | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ - | fr30 | frv \ + | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore \ + | maxq | mb | microblaze | mcore | mep \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -324,7 +324,7 @@ case $basic_machine in | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ - | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ @@ -369,10 +369,14 @@ case $basic_machine in | v850-* | v850e-* | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ - | xstormy16-* | xtensa-* \ + | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-*) ;; + # Recognize the basic CPU types without company name, with glob match. + xtensa*) + basic_machine=$basic_machine-unknown + ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) @@ -443,6 +447,14 @@ case $basic_machine in basic_machine=ns32k-sequent os=-dynix ;; + blackfin) + basic_machine=bfin-unknown + os=-linux + ;; + blackfin-*) + basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; c90) basic_machine=c90-cray os=-unicos @@ -475,8 +487,8 @@ case $basic_machine in basic_machine=craynv-cray os=-unicosmp ;; - cr16c) - basic_machine=cr16c-unknown + cr16) + basic_machine=cr16-unknown os=-elf ;; crds | unos) 
@@ -672,6 +684,14 @@ case $basic_machine in basic_machine=m68k-isi os=-sysv ;; + m68knommu) + basic_machine=m68k-unknown + os=-linux + ;; + m68knommu-*) + basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; m88k-omron*) basic_machine=m88k-omron ;; @@ -687,6 +707,10 @@ case $basic_machine in basic_machine=i386-pc os=-mingw32 ;; + mingw32ce) + basic_machine=arm-unknown + os=-mingw32ce + ;; miniframe) basic_machine=m68000-convergent ;; @@ -813,6 +837,14 @@ case $basic_machine in basic_machine=i860-intel os=-osf ;; + parisc) + basic_machine=hppa-unknown + os=-linux + ;; + parisc-*) + basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; pbd) basic_machine=sparc-tti ;; @@ -1021,6 +1053,10 @@ case $basic_machine in basic_machine=tic6x-unknown os=-coff ;; + tile*) + basic_machine=tile-unknown + os=-linux-gnu + ;; tx39) basic_machine=mipstx39-unknown ;; @@ -1226,7 +1262,7 @@ case $os in | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1421,6 +1457,9 @@ case $basic_machine in m68*-cisco) os=-aout ;; + mep-*) + os=-elf + ;; mips*-cisco) os=-elf ;; diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure index 38fe5c15e28..c2fd1925a17 100644 --- a/usr.bin/sudo/configure +++ b/usr.bin/sudo/configure @@ -818,9 +818,14 @@ SUDOERS_MODE SUDOERS_UID SUDOERS_GID DEV +SELINUX +BAMAN +LCMAN +SEMAN mansectsu mansectform mansrcdir +NOEXECFILE NOEXECDIR noexec_file INSTALL_NOEXEC @@ -877,6 +882,8 @@ ECHO AR RANLIB STRIP +DSYMUTIL +NMEDIT UNAMEPROG TRPROG NROFFPROG 
@@ -1567,6 +1574,7 @@ Optional Packages: --with-secure-path override the user's path with a built-in one --without-interfaces don't try to read the ip addr of ether interfaces --with-stow properly handle GNU stow packaging + --with-selinux enable SELinux support --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-pic try to use only PIC/non-PIC objects [default=use both] @@ -2067,6 +2075,11 @@ echo "$as_me: Configuring Sudo version 1.6.9" >&6;} + + + + + @@ -2106,6 +2119,10 @@ PROGS="sudo visudo" : ${SUDOERS_UID='0'} : ${SUDOERS_GID='0'} DEV="#" +SELINUX="#" +BAMAN='.\" ' +LCMAN='.\" ' +SEMAN='.\" ' AUTH_OBJS= AUTH_REG= AUTH_EXCL= @@ -2118,7 +2135,11 @@ shadow_funcs= shadow_libs= shadow_libs_optional= -test "$mandir" = '${prefix}/man' && mandir='$(prefix)/man' +if test X"$prefix" = X"NONE"; then + test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man' +else + test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man' +fi test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin' test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin' test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' @@ -3922,6 +3943,29 @@ echo "${ECHO_T}no" >&6; } fi + +# Check whether --with-selinux was given. +if test "${with_selinux+set}" = set; then + withval=$with_selinux; case $with_selinux in + yes) cat >>confdefs.h <<\_ACEOF +#define HAVE_SELINUX 1 +_ACEOF + + SUDO_LIBS="${SUDO_LIBS} -lselinux" + SUDO_OBJS="${SUDO_OBJS} selinux.o" + PROGS="${PROGS} sesh" + SELINUX="" + SEMAN="" + ;; + no) ;; + *) { { echo "$as_me:$LINENO: error: \"--with-selinux does not take an argument.\"" >&5 +echo "$as_me: error: \"--with-selinux does not take an argument.\"" >&2;} + { (exit 1); exit 1; }; } + ;; +esac +fi + + # Extract the first word of "egrep", so it can be a program name with args. set dummy egrep; ac_word=$2 { echo "$as_me:$LINENO: checking for $ac_word" >&5 
@@ -5870,7 +5914,7 @@ lt_cv_deplibs_check_method='unknown' # whether `pass_all' will *always* work, you probably want this one. case $host_os in -aix4* | aix5*) +aix[4-9]*) lt_cv_deplibs_check_method=pass_all ;; @@ -6085,7 +6129,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6088 "configure"' > conftest.$ac_ext + echo '#line 6132 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6257,7 +6301,11 @@ sparc*-*solaris*) *64-bit*) case $lt_cv_prog_gnu_ld in yes*) LD="${LD-ld} -m elf64_sparc" ;; - *) LD="${LD-ld} -64" ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; esac ;; esac @@ -6657,7 +6705,6 @@ done # Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers! - # find the maximum length of command line arguments { echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5 echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; } @@ -6972,7 +7019,7 @@ EOF echo "$progname: failed program was:" >&5 cat conftest.$ac_ext >&5 fi - rm -f conftest* conftst* + rm -rf conftest* conftst* # Do not use the global_symbol_pipe unless it works. if test "$pipe_works" = yes; then 
@@ -7532,6 +7579,318 @@ fi ;; esac + + case $host_os in + rhapsody* | darwin*) + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. +set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +if test "${ac_cv_prog_DSYMUTIL+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$DSYMUTIL"; then + ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +DSYMUTIL=$ac_cv_prog_DSYMUTIL +if test -n "$DSYMUTIL"; then + { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5 +echo "${ECHO_T}$DSYMUTIL" >&6; } +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_DSYMUTIL"; then + ac_ct_DSYMUTIL=$DSYMUTIL + # Extract the first word of "dsymutil", so it can be a program name with args. +set dummy dsymutil; ac_word=$2 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$ac_ct_DSYMUTIL"; then + ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL +if test -n "$ac_ct_DSYMUTIL"; then + { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5 +echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; } +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + if test "x$ac_ct_DSYMUTIL" = x; then + DSYMUTIL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + DSYMUTIL=$ac_ct_DSYMUTIL + fi +else + DSYMUTIL="$ac_cv_prog_DSYMUTIL" +fi + + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. +set dummy ${ac_tool_prefix}nmedit; ac_word=$2 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +if test "${ac_cv_prog_NMEDIT+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$NMEDIT"; then + ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +NMEDIT=$ac_cv_prog_NMEDIT +if test -n "$NMEDIT"; then + { echo "$as_me:$LINENO: result: $NMEDIT" >&5 +echo "${ECHO_T}$NMEDIT" >&6; } +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_NMEDIT"; then + ac_ct_NMEDIT=$NMEDIT + # Extract the first word of "nmedit", so it can be a program name with args. +set dummy nmedit; ac_word=$2 +{ echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; } +if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + if test -n "$ac_ct_NMEDIT"; then + ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_NMEDIT="nmedit" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT +if test -n "$ac_ct_NMEDIT"; then + { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5 +echo "${ECHO_T}$ac_ct_NMEDIT" >&6; } +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + if test "x$ac_ct_NMEDIT" = x; then + NMEDIT=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. 
If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + NMEDIT=$ac_ct_NMEDIT + fi +else + NMEDIT="$ac_cv_prog_NMEDIT" +fi + + + { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5 +echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; } +if test "${lt_cv_apple_cc_single_mod+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + lt_cv_apple_cc_single_mod=no + if test -z "${LT_MULTI_MODULE}"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. + echo "int foo(void){return 1;}" > conftest.c + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib ${wl}-single_module conftest.c + if test -f libconftest.dylib; then + lt_cv_apple_cc_single_mod=yes + rm -rf libconftest.dylib* + fi + rm conftest.c + fi +fi +{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5 +echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; } + { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5 +echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; } +if test "${lt_cv_ld_exported_symbols_list+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + lt_cv_ld_exported_symbols_list=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + lt_cv_ld_exported_symbols_list=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$save_LDFLAGS" + +fi +{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5 +echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; } + case $host_os in + rhapsody* | darwin1.[0123]) + _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + darwin*) + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? 
+ case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[91]*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + 10.[012]*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test "$lt_cv_apple_cc_single_mod" = "yes"; then + _lt_dar_single_mod='$single_module' + fi + if test "$lt_cv_ld_exported_symbols_list" = "yes"; then + _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' + else + _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}" + fi + if test "$DSYMUTIL" != ":"; then + _lt_dsymutil="~$DSYMUTIL \$lib || :" + else + _lt_dsymutil= + fi + ;; + esac + + enable_dlopen=no enable_win32_dll=no @@ -7597,7 +7956,7 @@ ac_outfile=conftest.$ac_objext echo "$lt_simple_link_test_code" >conftest.$ac_ext eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err _lt_linker_boilerplate=`cat conftest.err` -$rm conftest* +$rm -r conftest* ## CAVEAT EMPTOR: @@ -7629,11 +7988,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7632: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7991: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7636: \$? = $ac_status" >&5 + echo "$as_me:7995: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -7903,10 +8262,10 @@ if test -n "$lt_prog_compiler_pic"; then { echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_pic_works+set}" = set; then +if test "${lt_cv_prog_compiler_pic_works+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - lt_prog_compiler_pic_works=no + lt_cv_prog_compiler_pic_works=no ac_outfile=conftest.$ac_objext echo "$lt_simple_compile_test_code" > conftest.$ac_ext lt_compiler_flag="$lt_prog_compiler_pic -DPIC" @@ -7919,27 +8278,27 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7922: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8281: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7926: \$? = $ac_status" >&5 + echo "$as_me:8285: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_pic_works=yes + lt_cv_prog_compiler_pic_works=yes fi fi $rm conftest* fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5 -echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6; } +{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5 +echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; } -if test x"$lt_prog_compiler_pic_works" = xyes; then +if test x"$lt_cv_prog_compiler_pic_works" = xyes; then case $lt_prog_compiler_pic in "" | " "*) ;; *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;; 
@@ -7966,10 +8325,10 @@ esac wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" { echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; } -if test "${lt_prog_compiler_static_works+set}" = set; then +if test "${lt_cv_prog_compiler_static_works+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else - lt_prog_compiler_static_works=no + lt_cv_prog_compiler_static_works=no save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $lt_tmp_static_flag" echo "$lt_simple_link_test_code" > conftest.$ac_ext @@ -7982,20 +8341,20 @@ else $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if diff conftest.exp conftest.er2 >/dev/null; then - lt_prog_compiler_static_works=yes + lt_cv_prog_compiler_static_works=yes fi else - lt_prog_compiler_static_works=yes + lt_cv_prog_compiler_static_works=yes fi fi - $rm conftest* + $rm -r conftest* LDFLAGS="$save_LDFLAGS" fi -{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5 -echo "${ECHO_T}$lt_prog_compiler_static_works" >&6; } +{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5 +echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; } -if test x"$lt_prog_compiler_static_works" = xyes; then +if test x"$lt_cv_prog_compiler_static_works" = xyes; then : else lt_prog_compiler_static= 
@@ -8023,11 +8382,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8026: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8385: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8030: \$? = $ac_status" >&5 + echo "$as_me:8389: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8107,12 +8466,13 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar # it will be wrapped by ` (' and `)$', so one must not match beginning or # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', # as well as any symbol that contains `d'. - exclude_expsyms="_GLOBAL_OFFSET_TABLE_" + exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*' # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out # platforms (ab)use it in PIC code, but their linkers get confused if # the symbol is explicitly referenced. Since portable code cannot # rely on this symbol name, it's probably fine to never include it in # preloaded symbol tables. + # Exclude shared library initialization/finalization symbols. extract_expsyms_cmds= # Just being paranoid about ensuring that cc_basename is set. for cc_temp in $compiler""; do @@ -8171,7 +8531,7 @@ cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` # See if GNU ld supports shared libraries. case $host_os in - aix3* | aix4* | aix5*) + aix[3-9]*) # On AIX/PPC, the GNU linker is very broken if test "$host_cpu" != ia64; then ld_shlibs=no @@ -8390,7 +8750,7 @@ _LT_EOF fi ;; - aix4* | aix5*) + aix[4-9]*) if test "$host_cpu" = ia64; then # On IA64, the linker does run time linking by default, so we don't # have to do anything special. 
@@ -8410,7 +8770,7 @@ _LT_EOF # Test if we are trying to use run time linking or normal # AIX style linking. If -brtl is somewhere in LDFLAGS, we # need to do runtime linking. - case $host_os in aix4.[23]|aix4.[23].*|aix5*) + case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) for ld_flag in $LDFLAGS; do if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then aix_use_runtimelinking=yes 
@@ -8682,11 +9042,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi link_all_deplibs=yes if test "$GCC" = yes ; then output_verbose_link_cmd='echo' - archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring' - module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags' - # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds - archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' - module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}' + archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" + module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" + archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" + module_expsym_cmds="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" else case $cc_basename in xlc*) 
@@ -9206,7 +9565,7 @@ aix3*) soname_spec='${libname}${release}${shared_ext}$major' ;; -aix4* | aix5*) +aix[4-9]*) version_type=linux need_lib_prefix=no need_version=no @@ -9724,6 +10083,21 @@ esac echo "${ECHO_T}$dynamic_linker" >&6; } test "$dynamic_linker" = no && can_build_shared=no +if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec" +fi + +sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" +if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec" +fi + +sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" + variables_saved_for_relink="PATH $shlibpath_var $runpath_var" if test "$GCC" = yes; then variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" @@ -10043,7 +10417,7 @@ fi { echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5 echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; } if test $ac_cv_lib_dld_shl_load = yes; then - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld" + lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" else { echo "$as_me:$LINENO: checking for dlopen" >&5 echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; } @@ -10319,7 +10693,7 @@ fi { echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5 echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; } if test $ac_cv_lib_dld_dld_link = yes; then - lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld" + lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" fi 
@@ -10368,7 +10742,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&6;} # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) # NOTE: Changes made to this file will be lost: look at ltmain.sh. # -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 # Free Software Foundation, Inc. # # This file is part of GNU Libtool: @@ -10947,6 +11322,10 @@ predeps=$lt_predeps # shared library. postdeps=$lt_postdeps +# The directories searched by this compiler when creating a shared +# library +compiler_lib_search_dirs=$lt_compiler_lib_search_dirs + # The library search path used internally by the compiler when linking # a shared library. compiler_lib_search_path=$lt_compiler_lib_search_path @@ -11142,6 +11521,7 @@ fi { echo "$as_me:$LINENO: result: $with_noexec" >&5 echo "${ECHO_T}$with_noexec" >&6; } +NOEXECFILE="sudo_noexec$_shrext" NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[^/]*:\1:'`" if test "$with_devel" = "yes" -a -n "$GCC"; then @@ -11734,7 +12114,7 @@ fi : ${mansectsu='1m'} : ${mansectform='4'} ;; - *-*-linux*) + *-*-linux*|*-*-k*bsd*-gnu) OSDEFS="${OSDEFS} -D_GNU_SOURCE" # Some Linux versions need to link with -lshadow shadow_funcs="getspnam" @@ -13675,7 +14055,7 @@ if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <<_ACEOF #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF - + LCMAN="" case "$OS" in freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; @@ -15151,9 +15531,10 @@ LIBS=$ac_save_LIBS + for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \ strftime setrlimit initgroups getgroups fstat gettimeofday \ - setlocale getaddrinfo + setlocale getaddrinfo setsid do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 
@@ -17930,7 +18311,7 @@ cat >>conftest.$ac_ext <<_ACEOF int main () { -DIR d; (void)dirfd(&d); +DIR *d; (void)dirfd(d); ; return 0; } @@ -19736,56 +20117,20 @@ fi case $host in *-*-linux*|*-*-solaris*) - -for ac_func in dgettext -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF + # dgettext() may be defined to dgettext_libintl in the + # header file, so first check that it links w/ additional + # libs, then try with -lintl + cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case declares $ac_func. - For example, HP-UX 11i declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $ac_func - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif - +#include int main () { -return $ac_func (); +(void)dgettext((char *)0, (char *)0); ; return 0; } 
@@ -19808,27 +20153,15 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 test ! -s conftest.err } && test -s conftest$ac_exeext && $as_test_x conftest$ac_exeext; then - eval "$as_ac_var=yes" + cat >>confdefs.h <<\_ACEOF +#define HAVE_DGETTEXT 1 +_ACEOF + else echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - eval "$as_ac_var=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -ac_res=`eval echo '${'$as_ac_var'}'` - { echo "$as_me:$LINENO: result: $ac_res" >&5 -echo "${ECHO_T}$ac_res" >&6; } -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -else - { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5 + { echo "$as_me:$LINENO: checking for dgettext in -lintl" >&5 echo $ECHO_N "checking for dgettext in -lintl... $ECHO_C" >&6; } if test "${ac_cv_lib_intl_dgettext+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -19898,8 +20231,9 @@ _ACEOF fi fi -done +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext ;; esac fi @@ -20051,8 +20385,7 @@ if test $ac_cv_header_bsd_auth_h = yes; then _ACEOF AUTH_OBJS="$AUTH_OBJS bsdauth.o" - BSDAUTH_USAGE='[-a auth_type] ' - AUTH_EXCL=BSD_AUTH + AUTH_EXCL=BSD_AUTH; BAMAN="" else { { echo "$as_me:$LINENO: error: BSD authentication was specified but bsd_auth.h could not be found" >&5 echo "$as_me: error: BSD authentication was specified but bsd_auth.h could not be found" >&2;} @@ -22781,7 +23114,7 @@ fi done - SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" + SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}" LIBS="$_LIBS" LDFLAGS="$_LDFLAGS" # XXX - OpenLDAP has deprecated ldap_get_values() 
@@ -22903,10 +23236,7 @@ fi test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)' -if test "$with_noexec" != "no"; then - PROGS="${PROGS} sudo_noexec.la" - INSTALL_NOEXEC="install-noexec" - +if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then oexec_prefix="$exec_prefix" if test "$exec_prefix" = '$(prefix)'; then if test "$prefix" = "NONE"; then @@ -22915,12 +23245,25 @@ if test "$with_noexec" != "no"; then exec_prefix="$prefix" fi fi - eval noexec_file="$with_noexec" + if test X"$with_noexec" != X"no"; then + PROGS="${PROGS} sudo_noexec.la" + INSTALL_NOEXEC="install-noexec" + + eval noexec_file="$with_noexec" cat >>confdefs.h <<_ACEOF #define _PATH_SUDO_NOEXEC "$noexec_file" _ACEOF + fi + if test X"$with_selinux" != X"no"; then + eval sesh_file="$libexecdir/sesh" + +cat >>confdefs.h <<_ACEOF +#define _PATH_SUDO_SESH "$sesh_file" +_ACEOF + + fi exec_prefix="$oexec_prefix" fi @@ -23601,9 +23944,14 @@ SUDOERS_MODE!$SUDOERS_MODE$ac_delim SUDOERS_UID!$SUDOERS_UID$ac_delim SUDOERS_GID!$SUDOERS_GID$ac_delim DEV!$DEV$ac_delim +SELINUX!$SELINUX$ac_delim +BAMAN!$BAMAN$ac_delim +LCMAN!$LCMAN$ac_delim +SEMAN!$SEMAN$ac_delim mansectsu!$mansectsu$ac_delim mansectform!$mansectform$ac_delim mansrcdir!$mansrcdir$ac_delim +NOEXECFILE!$NOEXECFILE$ac_delim NOEXECDIR!$NOEXECDIR$ac_delim noexec_file!$noexec_file$ac_delim INSTALL_NOEXEC!$INSTALL_NOEXEC$ac_delim @@ -23637,11 +23985,6 @@ path_info!$path_info$ac_delim EGREPPROG!$EGREPPROG$ac_delim CC!$CC$ac_delim ac_ct_CC!$ac_ct_CC$ac_delim -EXEEXT!$EXEEXT$ac_delim -OBJEXT!$OBJEXT$ac_delim -CPP!$CPP$ac_delim -build!$build$ac_delim -build_cpu!$build_cpu$ac_delim _ACEOF if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then 
@@ -23683,6 +24026,11 @@ _ACEOF ac_delim='%!_!# ' for ac_last_try in false false false false false :; do cat >conf$$subs.sed <<_ACEOF +EXEEXT!$EXEEXT$ac_delim +OBJEXT!$OBJEXT$ac_delim +CPP!$CPP$ac_delim +build!$build$ac_delim +build_cpu!$build_cpu$ac_delim build_vendor!$build_vendor$ac_delim build_os!$build_os$ac_delim host!$host$ac_delim @@ -23701,6 +24049,8 @@ ECHO!$ECHO$ac_delim AR!$AR$ac_delim RANLIB!$RANLIB$ac_delim STRIP!$STRIP$ac_delim +DSYMUTIL!$DSYMUTIL$ac_delim +NMEDIT!$NMEDIT$ac_delim UNAMEPROG!$UNAMEPROG$ac_delim TRPROG!$TRPROG$ac_delim NROFFPROG!$NROFFPROG$ac_delim @@ -23712,7 +24062,7 @@ KRB5CONFIG!$KRB5CONFIG$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 27; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 34; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 @@ -24102,21 +24452,22 @@ echo "$as_me: $ac_file is unchanged" >&6;} fi rm -f "$tmp/out12" # Compute $ac_file's index in $config_headers. +_am_arg=$ac_file _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $ac_file | $ac_file:* ) + $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $ac_file" >`$as_dirname -- $ac_file || -$as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X$ac_file : 'X\(//\)[^/]' \| \ - X$ac_file : 'X\(//\)$' \| \ - X$ac_file : 'X\(/\)' \| . 2>/dev/null || -echo X$ac_file | +echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || +$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$_am_arg" : 'X\(//\)[^/]' \| \ + X"$_am_arg" : 'X\(//\)$' \| \ + X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || +echo X"$_am_arg" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q @@ -24320,6 +24671,8 @@ fi + + diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in index 32994e9a7b2..109fc9a721f 100644 --- a/usr.bin/sudo/configure.in 
+++ b/usr.bin/sudo/configure.in @@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.413.2.43 2008/01/21 16:46:50 millert Exp $ +dnl $Sudo: configure.in,v 1.413.2.53 2008/06/22 20:23:56 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller dnl @@ -33,9 +33,14 @@ AC_SUBST(SUDOERS_MODE) AC_SUBST(SUDOERS_UID) AC_SUBST(SUDOERS_GID) AC_SUBST(DEV) +AC_SUBST(SELINUX) +AC_SUBST(BAMAN) +AC_SUBST(LCMAN) +AC_SUBST(SEMAN) AC_SUBST(mansectsu) AC_SUBST(mansectform) AC_SUBST(mansrcdir) +AC_SUBST(NOEXECFILE) AC_SUBST(NOEXECDIR) AC_SUBST(noexec_file) AC_SUBST(INSTALL_NOEXEC) @@ -109,6 +114,10 @@ PROGS="sudo visudo" : ${SUDOERS_UID='0'} : ${SUDOERS_GID='0'} DEV="#" +SELINUX="#" +BAMAN='.\" ' +LCMAN='.\" ' +SEMAN='.\" ' AUTH_OBJS= AUTH_REG= AUTH_EXCL= @@ -127,7 +136,11 @@ shadow_libs_optional= dnl dnl Override default configure dirs... dnl -test "$mandir" = '${prefix}/man' && mandir='$(prefix)/man' +if test X"$prefix" = X"NONE"; then + test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man' +else + test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man' +fi test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin' test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin' test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' @@ -1114,6 +1127,20 @@ AC_ARG_ENABLE(path_info, esac ], AC_MSG_RESULT(no)) +AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support], +[case $with_selinux in + yes) AC_DEFINE(HAVE_SELINUX) + SUDO_LIBS="${SUDO_LIBS} -lselinux" + SUDO_OBJS="${SUDO_OBJS} selinux.o" + PROGS="${PROGS} sesh" + SELINUX="" + SEMAN="" + ;; + no) ;; + *) AC_MSG_ERROR(["--with-selinux does not take an argument."]) + ;; +esac]) + dnl dnl If we don't have egrep we can't do anything... dnl 
@@ -1160,6 +1187,7 @@ AC_ARG_WITH(noexec, [ --with-noexec[=PATH] fully qualified pathname of sud *) ;; esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"]) AC_MSG_RESULT($with_noexec) +NOEXECFILE="sudo_noexec$_shrext" NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`" dnl @@ -1382,7 +1410,7 @@ case "$host" in : ${mansectsu='1m'} : ${mansectform='4'} ;; - *-*-linux*) + *-*-linux*|*-*-k*bsd*-gnu) OSDEFS="${OSDEFS} -D_GNU_SOURCE" # Some Linux versions need to link with -lshadow shadow_funcs="getspnam" @@ -1633,7 +1661,7 @@ if test "$OS" != "ultrix"; then fi fi if test ${with_logincap-'no'} != "no"; then - AC_CHECK_HEADERS(login_cap.h, [ + AC_CHECK_HEADERS(login_cap.h, [LCMAN="" case "$OS" in freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; @@ -1681,7 +1709,7 @@ dnl AC_FUNC_GETGROUPS AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ strftime setrlimit initgroups getgroups fstat gettimeofday \ - setlocale getaddrinfo) + setlocale getaddrinfo setsid) if test -z "$SKIP_SETRESUID"; then AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes]) fi @@ -1736,7 +1764,7 @@ dnl dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR. dnl AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include -#include <$ac_header_dirent>]], [[DIR d; (void)dirfd(&d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include +#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include #include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])]) dnl dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS 
@@ -1839,8 +1867,13 @@ if test ${with_pam-"no"} != "no"; then esac], AC_MSG_RESULT(yes)) case $host in *-*-linux*|*-*-solaris*) - AC_CHECK_FUNCS(dgettext, [], - [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"] + # dgettext() may be defined to dgettext_libintl in the + # header file, so first check that it links w/ additional + # libs, then try with -lintl + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[#include ]], [(void)dgettext((char *)0, (char *)0);])], + [AC_DEFINE(HAVE_DGETTEXT)], + [AC_CHECK_LIB(intl, dgettext, [LIBS="${LIBS} -lintl"] [AC_DEFINE(HAVE_DGETTEXT)])]) ;; esac @@ -1868,8 +1901,7 @@ dnl if test ${with_bsdauth-'no'} != "no"; then AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H) [AUTH_OBJS="$AUTH_OBJS bsdauth.o"] - [BSDAUTH_USAGE='[[-a auth_type]] '] - [AUTH_EXCL=BSD_AUTH], + [AUTH_EXCL=BSD_AUTH; BAMAN=""], [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])]) fi @@ -2296,7 +2328,7 @@ if test ${with_ldap-'no'} != "no"; then AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength) AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include ]) - SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" + SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}" LIBS="$_LIBS" LDFLAGS="$_LDFLAGS" # XXX - OpenLDAP has deprecated ldap_get_values() @@ -2360,13 +2392,11 @@ dnl test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)' dnl -dnl Defer setting _PATH_SUDO_NOEXEC until after exec_prefix is set +dnl Defer setting _PATH_SUDO_NOEXEC and _PATH_SUDO_SESH +dnl until after exec_prefix is set dnl XXX - this is gross! dnl -if test "$with_noexec" != "no"; then - PROGS="${PROGS} sudo_noexec.la" - INSTALL_NOEXEC="install-noexec" - +if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then oexec_prefix="$exec_prefix" if test "$exec_prefix" = '$(prefix)'; then if test "$prefix" = "NONE"; then 
@@ -2375,8 +2405,17 @@ if test "$with_noexec" != "no"; then exec_prefix="$prefix" fi fi - eval noexec_file="$with_noexec" - AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so]) + if test X"$with_noexec" != X"no"; then + PROGS="${PROGS} sudo_noexec.la" + INSTALL_NOEXEC="install-noexec" + + eval noexec_file="$with_noexec" + AC_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so]) + fi + if test X"$with_selinux" != X"no"; then + eval sesh_file="$libexecdir/sesh" + AC_DEFINE_UNQUOTED(_PATH_SUDO_SESH, "$sesh_file", [The fully qualified pathname of sesh]) + fi exec_prefix="$oexec_prefix" fi @@ -2437,6 +2476,7 @@ AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.]) AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file.]) AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) +AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.]) AH_TEMPLATE(HAVE_SIA, [Define to 1 if you use SIA authentication.]) AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if has the sigaction_t typedef.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) diff --git a/usr.bin/sudo/def_data.c b/usr.bin/sudo/def_data.c index 944a55c2355..ff9ebc654c9 100644 --- a/usr.bin/sudo/def_data.c +++ b/usr.bin/sudo/def_data.c @@ -263,6 +263,14 @@ struct sudo_defs_types sudo_defs_table[] = { "env_keep", T_LIST|T_BOOL, "Environment variables to preserve:", NULL, + }, { + "role", T_STR, + "SELinux role to use in the new security context: %s", + NULL, + }, { + "type", T_STR, + "SELinux type to use in the new security context: %s", + NULL, }, { NULL, 0, NULL } diff --git a/usr.bin/sudo/def_data.h b/usr.bin/sudo/def_data.h index 13d81bf7089..bbbd2ab0a5f 100644 --- a/usr.bin/sudo/def_data.h +++ b/usr.bin/sudo/def_data.h 
@@ -118,6 +118,10 @@ #define I_ENV_DELETE 58 #define def_env_keep (sudo_defs_table[59].sd_un.list) #define I_ENV_KEEP 59 +#define def_role (sudo_defs_table[60].sd_un.str) +#define I_ROLE 60 +#define def_type (sudo_defs_table[61].sd_un.str) +#define I_TYPE 61 enum def_tupple { never, diff --git a/usr.bin/sudo/def_data.in b/usr.bin/sudo/def_data.in index 47370b83ecf..afc4e4cfc68 100644 --- a/usr.bin/sudo/def_data.in +++ b/usr.bin/sudo/def_data.in @@ -191,3 +191,9 @@ env_delete env_keep T_LIST|T_BOOL "Environment variables to preserve:" +role + T_STR + "SELinux role to use in the new security context: %s" +type + T_STR + "SELinux type to use in the new security context: %s" diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c index 6cb26d38095..dba49551150 100644 --- a/usr.bin/sudo/env.c +++ b/usr.bin/sudo/env.c @@ -52,7 +52,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.17 2007/07/31 18:04:31 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.19 2008/06/21 19:04:07 millert Exp $"; #endif /* lint */ /* @@ -198,6 +198,7 @@ static const char *initial_checkenv_table[] = { static const char *initial_keepenv_table[] = { "COLORS", "DISPLAY", + "HOME", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", @@ -405,7 +406,7 @@ rebuild_env(envp, sudo_mode, noexec) ps1 = NULL; didvar = 0; memset(&env, 0, sizeof(env)); - if (def_env_reset) { + if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) { /* Pull in vars we want to keep from the old environment. */ for (ep = envp; *ep; ep++) { int keepit; @@ -536,6 +537,7 @@ rebuild_env(envp, sudo_mode, noexec) #endif /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ + /* XXX - not needed for MODE_LOGIN_SHELL */ if (def_set_logname && runas_pw->pw_name) { if (!ISSET(didvar, KEPT_LOGNAME)) insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), &env, 1); 
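Review bot: Adding `"HOME"` to initial_keepenv_table means that even with env_reset on, the command runs with $HOME still pointing at the invoking user's directory, so anything it resolves relative to $HOME (shell rc files, editor and tool configuration) is read from a caller-writable location while running as the target user. The CHANGES entry says this restores the documented default, but the trade-off is not recorded at the table entry; a short comment such as `"HOME",		/* kept by default per the docs; -H/always_set_home re-set it later in rebuild_env */` keeps the next reader from treating it as an oversight. The -H handling it refers to appears to be the "Set $HOME for sudo -H" block further down rebuild_env, outside this hunk, so confirm that path still runs after the keep-list pull.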
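Review bot: The new condition `if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL))` silently overrides a sudoers `Defaults !env_reset` whenever a login shell is requested, and nothing in the hunk says why; the existing comment only describes pulling the keep-list variables. A one-line comment ahead of it, `/* A login shell (-i) always gets a reset environment, even when env_reset is off. */`, records the intent; the changelog also says -i and -E are now mutually exclusive, but that is enforced elsewhere and is not visible here, so cite it only after confirming. rebuild_env's body continues on both sides of this hunk.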
@@ -546,6 +548,7 @@ rebuild_env(envp, sudo_mode, noexec) } /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */ + /* XXX - not needed for MODE_LOGIN_SHELL */ if (runas_pw->pw_dir) { if (ISSET(sudo_mode, MODE_RESET_HOME) || (ISSET(sudo_mode, MODE_RUN) && (def_always_set_home || diff --git a/usr.bin/sudo/install-sh b/usr.bin/sudo/install-sh index 124c991e959..3b069404e5a 100644 --- a/usr.bin/sudo/install-sh +++ b/usr.bin/sudo/install-sh @@ -1,7 +1,7 @@ #! /bin/sh ## (From INN-1.4, written by Rich Salz) -## $Revision: 1.8 $ +## $Revision: 1.9 $ ## A script to install files and directories. PROGNAME=`basename $0` @@ -182,7 +182,7 @@ fi ## Get the destination and a temp file in the destination diretory. if [ -d "$2" ] ; then - DEST="$2/$1" + DEST="$2/`basename $1`" TEMP="$2/$$.tmp" else DEST="$2" diff --git a/usr.bin/sudo/ldap.c b/usr.bin/sudo/ldap.c index 9097310cbf9..8ee0ba73d9c 100644 --- a/usr.bin/sudo/ldap.c +++ b/usr.bin/sudo/ldap.c @@ -71,7 +71,7 @@ #include "parse.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08:26 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.38 2008/04/11 14:03:51 millert Exp $"; #endif /* lint */ #ifndef LINE_MAX @@ -82,6 +82,10 @@ __unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.36 2008/01/21 16:08 # define LDAP_OPT_SUCCESS LDAP_SUCCESS #endif +#ifndef LDAPS_PORT +# define LDAPS_PORT 636 +#endif + #define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args #define CONF_BOOL 0 @@ -1189,6 +1193,13 @@ sudo_ldap_check(pwflag) if (setenv_implied) def_setenv = TRUE; sudo_ldap_parse_options(ld, entry); +#ifdef HAVE_SELINUX + /* Set role and type if not specified on command line. */ + if (user_role == NULL) + user_role = def_role; + if (user_type == NULL) + user_type = def_type; +#endif /* HAVE_SELINUX */ /* make sure we don't reenter loop */ ret = VALIDATE_OK; /* break from inside for loop */ 
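Review bot: `DEST="$2/`basename $1`"` leaves `$1` unquoted inside the command substitution, so a source path containing whitespace or glob characters is word-split and glob-expanded by the shell before basename ever sees it; `DEST="$2/`basename "$1"`"` keeps the fix and is safe for such names. The surrounding lines already quote `$2` (`[ -d "$2" ]`, `TEMP="$2/$$.tmp"`), so quoting `$1` here is consistent with them. The if/else this line sits in is fully visible in the hunk.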
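Review bot: The SELinux fallback `user_role = def_role;` / `user_type = def_type;` copies the Defaults pointers at the moment the matching LDAP entry is processed, but the changelog says /etc/sudoers is still consulted after an LDAP match so that its Defaults take effect, which means a `Defaults role=` or `Defaults type=` set only in sudoers cannot reach user_role/user_type through this path. Unlike the sudoers lookup, which has a per-entry role and type to consult, this hunk has no per-entry source at all, so every LDAP-granted command gets the global Defaults context; if that is intentional it deserves a comment, e.g. `/* LDAP entries carry no per-command role/type; only the Defaults apply here. */`. Whether sudoers Defaults are applied before or after this point is not visible in the hunk, so confirm the ordering before relying on it. sudo_ldap_check begins and ends outside this hunk.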
diff --git a/usr.bin/sudo/logging.c b/usr.bin/sudo/logging.c index b03a4020098..80d0f5a37d1 100644 --- a/usr.bin/sudo/logging.c +++ b/usr.bin/sudo/logging.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #ifdef STDC_HEADERS @@ -56,11 +57,12 @@ #include #include #include +#include #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.13 2007/11/25 13:07:38 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: logging.c,v 1.168.2.16 2008/06/22 20:23:57 millert Exp $"; #endif /* lint */ static void do_syslog __P((int, char *)); @@ -458,9 +460,9 @@ send_mail(line) { FILE *mail; char *p; - int pfd[2]; - pid_t pid; - sigset_t set, oset; + int fd, pfd[2], status; + pid_t pid, rv; + sigaction_t sa; #ifndef NO_ROOT_MAILER static char *root_envp[] = { "HOME=/", 
@@ -476,17 +478,79 @@ send_mail(line) if (!def_mailerpath || !def_mailto) return; - (void) sigemptyset(&set); - (void) sigaddset(&set, SIGCHLD); - (void) sigprocmask(SIG_BLOCK, &set, &oset); + /* Fork and return, child will daemonize. */ + switch (pid = fork()) { + case -1: + /* Error */ + err(1, "cannot fork"); + break; + case 0: + /* Child */ + switch (pid = fork()) { + case -1: + /* Error. */ + mysyslog(LOG_ERR, "cannot fork: %m"); + _exit(1); + case 0: + /* Grandchild continues below. */ + break; + default: + /* Parent will wait for us. */ + _exit(0); + } + break; + default: + /* Parent */ + do { +#ifdef HAVE_WAITPID + rv = waitpid(pid, &status, 0); +#else + rv = wait(&status); +#endif + } while (rv == -1 && errno == EINTR); + return; + } + + /* Daemonize - disassociate from session/tty. */ +#ifdef HAVE_SETSID + if (setsid() == -1) + warn("setsid"); +#else + setpgrp(0, 0); +# ifdef TIOCNOTTY + if ((fd = open(_PATH_TTY, O_RDWR, 0644)) != -1) { + ioctl(fd, TIOCNOTTY, NULL); + close(fd); + } +# endif +#endif + chdir("/"); + if ((fd = open(_PATH_DEVNULL, O_RDWR, 0644)) != -1) { + (void) dup2(fd, STDIN_FILENO); + (void) dup2(fd, STDOUT_FILENO); + (void) dup2(fd, STDERR_FILENO); + } - if (pipe(pfd) == -1) - err(1, "cannot open pipe"); + /* Close password and other fds so we don't leak. */ + endpwent(); + closefrom(STDERR_FILENO + 1); + + /* Ignore SIGPIPE in case mailer exits prematurely (or is missing). */ + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = SIG_IGN; + (void) sigaction(SIGPIPE, &sa, NULL); + + if (pipe(pfd) == -1) { + mysyslog(LOG_ERR, "cannot open pipe: %m"); + _exit(1); + } switch (pid = fork()) { case -1: /* Error. */ - err(1, "cannot fork"); + mysyslog(LOG_ERR, "cannot fork: %m"); + _exit(1); break; case 0: { 
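Review bot: In the daemonized grandchild a failed `open(_PATH_DEVNULL, O_RDWR, 0644)` is silently ignored, so the three dup2 calls are skipped and the detached process, and the mailer it later execs (as root unless NO_ROOT_MAILER is defined), keeps the invoking user's stdin, stdout and stderr. Adding `else { mysyslog(LOG_ERR, "cannot open %s: %m", _PATH_DEVNULL); _exit(1); }` after the dup2 block closes that gap, and the unchecked `chdir("/")` on the line above deserves at least a `(void)` cast or the same treatment. The `%m` conversions in the new mysyslog calls rely on the syslog(3) extension; if mysyslog pre-formats with vsnprintf on some platforms, `%m` will not be expanded there, which is worth checking in its implementation outside this hunk. send_mail continues past the end of this hunk.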
@@ -517,9 +581,6 @@ send_mail(line) } argv[i] = NULL; - /* Close password file so we don't leak the fd. */ - endpwent(); - /* * Depending on the config, either run the mailer as root * (so user cannot kill it) or as the user (for the paranoid). @@ -531,6 +592,7 @@ send_mail(line) set_perms(PERM_FULL_USER); execv(mpath, argv); #endif /* NO_ROOT_MAILER */ + mysyslog(LOG_ERR, "cannot execute %s: %m", mpath); _exit(127); } break; @@ -562,10 +624,14 @@ send_mail(line) (void) fprintf(mail, "\n\n%s : %s : %s : %s\n\n", user_host, get_timestr(), user_name, line); fclose(mail); - - (void) sigprocmask(SIG_SETMASK, &oset, NULL); - /* If mailer is done, wait for it now. If not, we'll get it later. */ - reapchild(SIGCHLD); + do { +#ifdef HAVE_WAITPID + rv = waitpid(pid, &status, 0); +#else + rv = wait(&status); +#endif + } while (rv == -1 && errno == EINTR); + _exit(0); } /* @@ -596,26 +662,6 @@ mail_auth(status, line) send_mail(line); } -/* - * SIGCHLD sig handler--wait for children as they die. - */ -RETSIGTYPE -reapchild(sig) - int sig; -{ - int status, serrno = errno; -#ifdef sudo_waitpid - pid_t pid; - - do { - pid = sudo_waitpid(-1, &status, WNOHANG); - } while (pid != 0 && (pid != -1 || errno == EINTR)); -#else - (void) wait(&status); -#endif - errno = serrno; -} - /* * Return an ascii string with the current date + time * Uses strftime() if available, else falls back to ctime(). diff --git a/usr.bin/sudo/parse.c b/usr.bin/sudo/parse.c index ce943f64eff..8c4a1e5bb59 100644 --- a/usr.bin/sudo/parse.c +++ b/usr.bin/sudo/parse.c @@ -90,7 +90,7 @@ #endif /* HAVE_EXTENDED_GLOB */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.16 2008/02/09 14:44:48 millert Exp $"; #endif /* lint */ /* 
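Review bot: The grandchild now waits for the mailer but never looks at `status`, so a mailer that exits non-zero or is killed by a signal leaves no record, while the exec-failure case just above does get a `mysyslog`. After the wait loop, `if (rv != -1 && (!WIFEXITED(status) || WEXITSTATUS(status) != 0)) mysyslog(LOG_ERR, "mailer exited abnormally");` would close that gap (the visudo.c hunk in this same commit already relies on WIFEXITED/WEXITSTATUS). The `fclose(mail)` return value is also still unchecked, so a short write to the mailer pipe goes unnoticed. send_mail starts before this hunk.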
@@ -198,6 +198,21 @@ sudoers_lookup(pwflag) /* * User was granted access to cmnd on host as user. */ +#ifdef HAVE_SELINUX + /* Set role and type if not specified on command line. */ + if (user_role == NULL) { + if (match[top-1].role != NULL) + user_role = match[top-1].role; + else + user_role = def_role; + } + if (user_type == NULL) { + if (match[top-1].type != NULL) + user_type = match[top-1].type; + else + user_type = def_type; + } +#endif set_perms(PERM_ROOT); return(VALIDATE_OK | (no_passwd == TRUE ? FLAG_NOPASS : 0) | diff --git a/usr.bin/sudo/parse.h b/usr.bin/sudo/parse.h index 9ad008a3ae9..a9bbc8e0e7a 100644 --- a/usr.bin/sudo/parse.h +++ b/usr.bin/sudo/parse.h @@ -14,7 +14,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: parse.h,v 1.14.2.1 2007/06/23 21:36:48 millert Exp $ + * $Sudo: parse.h,v 1.14.2.2 2008/02/09 14:44:48 millert Exp $ */ #ifndef _SUDO_PARSE_H @@ -35,6 +35,8 @@ struct matchstack { int nopass; int noexec; int setenv; + char *role; + char *type; }; /* @@ -46,6 +48,15 @@ struct sudo_command { char *args; }; +/* + * SELinux-specific container struct. + * Currently just contains a role and type. + */ +struct selinux_info { + char *role; + char *type; +}; + #define user_matches (match[top-1].user) #define cmnd_matches (match[top-1].cmnd) #define host_matches (match[top-1].host) @@ -64,6 +75,12 @@ struct command_match { char *cmnd; size_t cmnd_len; size_t cmnd_size; + char *role; + size_t role_len; + size_t role_size; + char *type; + size_t type_len; + size_t type_size; int nopasswd; int noexecve; int setenv; diff --git a/usr.bin/sudo/parse.lex b/usr.bin/sudo/parse.lex index 1c4bbc79b9a..41eba105d28 100644 --- a/usr.bin/sudo/parse.lex +++ b/usr.bin/sudo/parse.lex 
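Review bot: `user_role = match[top-1].role` stores a pointer into the parser's match stack rather than a copy, and the parse.yacc changes in this commit free `match[top-1].role`/`.type` both in popcp and in the privilege action; if that stack entry is ever popped or re-initialised after sudoers_lookup returns (for instance when the parser runs again), user_role and user_type dangle. Whether that can happen depends on parser state outside this hunk, so please confirm; `user_role = estrdup(match[top-1].role);` would decouple the lifetime from the stack, and the same applies to the `user_type` assignment a few lines below. The enclosing sudoers_lookup starts before this hunk.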
@@ -55,7 +55,7 @@ #include #ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.7 2007/08/25 02:48:01 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: parse.lex,v 1.132.2.10 2008/06/26 11:53:50 millert Exp $"; #endif /* lint */ #undef yywrap /* guard against a yywrap macro */ @@ -151,7 +151,7 @@ DEFVAR [a-z_]+ } { - \\\n[[:blank:]]* { + \\[[:blank:]]*\n[[:blank:]]* { /* Line continuation char followed by newline. */ ++sudolineno; LEXTRACE("\n"); @@ -163,12 +163,13 @@ DEFVAR [a-z_]+ return(WORD); } - ([^\"\n]|\\\")+ { + \\ { + LEXTRACE("BACKSLASH "); + append(yytext, yyleng); + } + + ([^\"\n\\]|\\\")+ { LEXTRACE("STRBODY "); - /* Push back line continuation char if present */ - if (yyleng > 2 && yytext[yyleng - 1] == '\\' && - isspace((unsigned char)yytext[yyleng - 2])) - yyless(yyleng - 1); append(yytext, yyleng); } } @@ -326,11 +327,21 @@ NOSETENV[[:blank:]]*: { if (strcmp(yytext, "ALL") == 0) { LEXTRACE("ALL "); return(ALL); - } else { - fill(yytext, yyleng); - LEXTRACE("ALIAS "); - return(ALIAS); } +#ifdef HAVE_SELINUX + /* XXX - restrict type/role to initial state */ + if (strcmp(yytext, "TYPE") == 0) { + LEXTRACE("TYPE "); + return(TYPE); + } + if (strcmp(yytext, "ROLE") == 0) { + LEXTRACE("ROLE "); + return(ROLE); + } +#endif /* HAVE_SELINUX */ + fill(yytext, yyleng); + LEXTRACE("ALIAS "); + return(ALIAS); } (#[0-9-]+|{WORD}) { diff --git a/usr.bin/sudo/parse.yacc b/usr.bin/sudo/parse.yacc index 5b1c856bb16..93871b23892 100644 --- a/usr.bin/sudo/parse.yacc +++ b/usr.bin/sudo/parse.yacc @@ -70,7 +70,7 @@ #endif /* HAVE_LSEARCH */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.13 2008/02/27 20:34:42 millert Exp $"; #endif /* lint */ /* 
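Review bot: The `XXX - restrict type/role to initial state` comment in the keyword rule should spell out the user-visible consequence: with HAVE_SELINUX the words `TYPE` and `ROLE` are now reserved wherever this rule matches, so an existing sudoers that defines an alias named TYPE or ROLE stops parsing. A fuller comment, e.g. `/* XXX - TYPE/ROLE are reserved words in every state under HAVE_SELINUX; an alias so named is now a syntax error. Restrict to the cmndspec context. */`, plus a sentence in sudoers.pod, would make the compatibility break discoverable. A dedicated start condition would avoid reserving them globally, but that is a larger change than this commit attempts.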
@@ -140,6 +140,8 @@ int top = 0, stacksize = 0; match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ match[top].noexec = def_noexec ? TRUE : UNSPEC; \ match[top].setenv = def_setenv ? TRUE : UNSPEC; \ + match[top].role = NULL; \ + match[top].type = NULL; \ top++; \ } while (0) @@ -156,6 +158,8 @@ int top = 0, stacksize = 0; match[top].nopass = match[top-1].nopass; \ match[top].noexec = match[top-1].noexec; \ match[top].setenv = match[top-1].setenv; \ + match[top].role = estrdup(match[top-1].role); \ + match[top].type = estrdup(match[top-1].type); \ top++; \ } while (0) @@ -163,8 +167,11 @@ int top = 0, stacksize = 0; do { \ if (top == 0) \ yyerror("matching stack underflow"); \ - else \ + else { \ + efree(match[top-1].role); \ + efree(match[top-1].type); \ top--; \ + } \ } while (0) @@ -182,6 +189,12 @@ int top = 0, stacksize = 0; #define append_runas(s, p) append(s, &cm_list[cm_list_len].runas, \ &cm_list[cm_list_len].runas_len, &cm_list[cm_list_len].runas_size, p) +#define append_role(s, p) append(s, &cm_list[cm_list_len].role, \ + &cm_list[cm_list_len].role_len, &cm_list[cm_list_len].role_size, p) + +#define append_type(s, p) append(s, &cm_list[cm_list_len].type, \ + &cm_list[cm_list_len].type_len, &cm_list[cm_list_len].type_size, p) + #define append_entries(s, p) append(s, &ga_list[ga_list_len-1].entries, \ &ga_list[ga_list_len-1].entries_len, \ &ga_list[ga_list_len-1].entries_size, p) @@ -240,6 +253,7 @@ yyerror(s) int BOOLEAN; struct sudo_command command; int tok; + struct selinux_info seinfo; } %start file /* special start symbol */ @@ -269,6 +283,8 @@ yyerror(s) %token RUNASALIAS /* Runas_Alias keyword */ %token ':' '=' ',' '!' '+' '-' /* union member tokens */ %token ERROR +%token TYPE /* SELinux type */ +%token ROLE /* SELinux role */ /* * NOTE: these are not true booleans as there are actually 4 possible values: @@ -283,6 +299,9 @@ yyerror(s) %type oprunasuser %type runaslist %type user +%type selinux +%type rolespec +%type typespec %% 
@@ -394,6 +413,12 @@ privilege : hostlist '=' cmndspeclist { no_passwd = def_authenticate ? UNSPEC : TRUE; no_execve = def_noexec ? TRUE : UNSPEC; setenv_ok = def_setenv ? TRUE : UNSPEC; +#ifdef HAVE_SELINUX + efree(match[top-1].role); + match[top-1].role = NULL; + efree(match[top-1].type); + match[top-1].type = NULL; +#endif } ; @@ -457,7 +482,18 @@ cmndspeclist : cmndspec | cmndspeclist ',' cmndspec ; -cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd { +cmndspec : { SETENV_RESET; } runasspec selinux cmndtag opcmnd { +#ifdef HAVE_SELINUX + /* Replace inherited role/type as needed. */ + if ($3.role != NULL) { + efree(match[top-1].role); + match[top-1].role = $3.role; + } + if ($3.type != NULL) { + efree(match[top-1].type); + match[top-1].type = $3.type; + } +#endif /* * Push the entry onto the stack if it is worth * saving and reset cmnd_matches for next cmnd. @@ -482,6 +518,7 @@ cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd { pushcp; else if (user_matches == TRUE && keepall) pushcp; + cmnd_matches = UNSPEC; } ; 
@@ -502,6 +539,97 @@ opcmnd : cmnd { } ; +rolespec : ROLE '=' WORD { +#ifdef HAVE_SELINUX + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE && runas_matches == TRUE) + append_role($3, NULL); + $$ = $3; +#else + free($3); + $$ = NULL; +#endif /* HAVE_SELINUX */ + } + ; + +typespec : TYPE '=' WORD { +#ifdef HAVE_SELINUX + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE && runas_matches == TRUE) + append_type($3, NULL); + $$ = $3; +#else + free($3); + $$ = NULL; +#endif /* HAVE_SELINUX */ + } + ; + +selinux : /* empty */ { +#ifdef HAVE_SELINUX + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE && runas_matches == TRUE) { + /* Inherit role. */ + cm_list[cm_list_len].role = + estrdup(cm_list[cm_list_len-1].role); + cm_list[cm_list_len].role_len = + cm_list[cm_list_len-1].role_len; + cm_list[cm_list_len].role_size = + cm_list[cm_list_len-1].role_len + 1; + /* Inherit type. */ + cm_list[cm_list_len].type = + estrdup(cm_list[cm_list_len-1].type); + cm_list[cm_list_len].type_len = + cm_list[cm_list_len-1].type_len; + cm_list[cm_list_len].type_size = + cm_list[cm_list_len-1].type_len + 1; + } +#endif /* HAVE_SELINUX */ + $$.role = NULL; + $$.type = NULL; + } + | rolespec { +#ifdef HAVE_SELINUX + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE && runas_matches == TRUE) { + /* Inherit type. */ + cm_list[cm_list_len].type = + estrdup(cm_list[cm_list_len-1].type); + cm_list[cm_list_len].type_len = + cm_list[cm_list_len-1].type_len; + cm_list[cm_list_len].type_size = + cm_list[cm_list_len-1].type_len + 1; + } +#endif /* HAVE_SELINUX */ + $$.role = $1; + $$.type = NULL; + } + | typespec { +#ifdef HAVE_SELINUX + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE && runas_matches == TRUE) { + /* Inherit role. 
*/ + cm_list[cm_list_len].role = + estrdup(cm_list[cm_list_len-1].role); + cm_list[cm_list_len].role_len = + cm_list[cm_list_len-1].role_len; + cm_list[cm_list_len].role_size = + cm_list[cm_list_len-1].role_len + 1; + } +#endif /* HAVE_SELINUX */ + $$.type = $1; + $$.role = NULL; + } + | rolespec typespec { + $$.role = $1; + $$.type = $2; + } + | typespec rolespec { + $$.type = $1; + $$.role = $2; + } + ; + runasspec : /* empty */ { if (printmatches == TRUE && host_matches == TRUE && user_matches == TRUE) { @@ -514,7 +642,7 @@ runasspec : /* empty */ { cm_list[cm_list_len].runas_len = cm_list[cm_list_len-1].runas_len; cm_list[cm_list_len].runas_size = - cm_list[cm_list_len-1].runas_size; + cm_list[cm_list_len-1].runas_len + 1; } } /* @@ -1102,6 +1230,14 @@ list_matches() (void) printf("(%s) ", def_runas_default); } +#ifdef HAVE_SELINUX + /* SELinux role and type */ + if (cm_list[count].role != NULL) + (void) printf("ROLE=%s ", cm_list[count].role); + if (cm_list[count].type != NULL) + (void) printf("TYPE=%s ", cm_list[count].type); +#endif + /* Is execve(2) disabled? */ if (cm_list[count].noexecve == TRUE && !def_noexec) (void) fputs("NOEXEC: ", stdout); @@ -1141,6 +1277,8 @@ list_matches() for (count = 0; count < cm_list_len; count++) { efree(cm_list[count].runas); efree(cm_list[count].cmnd); + efree(cm_list[count].role); + efree(cm_list[count].type); } efree(cm_list); cm_list = NULL; @@ -1245,6 +1383,7 @@ expand_match_list() } cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL; + cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL; cm_list[cm_list_len].nopasswd = FALSE; cm_list[cm_list_len].noexecve = FALSE; cm_list[cm_list_len].setenv = FALSE; diff --git a/usr.bin/sudo/pathnames.h b/usr.bin/sudo/pathnames.h index 67b0a8bb543..2cde4325c9d 100644 --- a/usr.bin/sudo/pathnames.h +++ b/usr.bin/sudo/pathnames.h 
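Review bot: The role/type inheritance block is pasted three times across the `selinux` alternatives (empty, rolespec, typespec) with only the field name changed; a pair of macros beside `append_role`/`append_type`, say `inherit_role()` and `inherit_type()`, would keep the six assignments in one place and make the `_len + 1` size computation (which this commit also corrects for runas in the hunk below) harder to get wrong. The copies read `cm_list[cm_list_len-1]`, which mirrors the existing `runasspec` rule but is an out-of-bounds read if the first printed entry can reach here with `cm_list_len == 0`; I assume expand_match_list guarantees a predecessor, please confirm. Note also that `estrdup` is handed a possibly NULL inherited role or type, so this relies on sudo's estrdup returning NULL for NULL rather than dereferencing it.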
@@ -1,4 +1,4 @@ -/* pathnames.h. Generated by configure. */ +/* pathnames.h. Generated from pathnames.h.in by configure. */ /* * Copyright (c) 1996, 1998, 1999, 2001, 2004 * Todd C. Miller . @@ -19,7 +19,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $ + * $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $ */ /* @@ -87,7 +87,7 @@ #endif /* _PATH_SUDO_SENDMAIL */ #ifndef _PATH_SUDO_NOEXEC -#define _PATH_SUDO_NOEXEC "/usr/libexec/sudo_noexec" +#define _PATH_SUDO_NOEXEC "/usr/local/libexec/sudo_noexec.so" #endif /* _PATH_SUDO_NOEXEC */ #ifndef _PATH_VI @@ -102,6 +102,10 @@ #define _PATH_BSHELL "/bin/sh" #endif /* _PATH_BSHELL */ +#ifndef _PATH_SUDO_SESH +#define _PATH_SUDO_SESH "/usr/local/libexec/sesh" +#endif /* _PATH_SUDO_SESH */ + #ifndef _PATH_TMP #define _PATH_TMP "/tmp/" #endif /* _PATH_TMP */ diff --git a/usr.bin/sudo/pathnames.h.in b/usr.bin/sudo/pathnames.h.in index cef07932eb6..3fc32495cf1 100644 --- a/usr.bin/sudo/pathnames.h.in +++ b/usr.bin/sudo/pathnames.h.in @@ -18,7 +18,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: pathnames.h.in,v 1.51.2.3 2007/06/19 21:25:48 millert Exp $ + * $Sudo: pathnames.h.in,v 1.51.2.4 2008/02/09 14:44:48 millert Exp $ */ /* @@ -101,6 +101,10 @@ #undef _PATH_BSHELL #endif /* _PATH_BSHELL */ +#ifndef _PATH_SUDO_SESH +#undef _PATH_SUDO_SESH +#endif /* _PATH_SUDO_SESH */ + #ifndef _PATH_TMP #define _PATH_TMP "/tmp/" #endif /* _PATH_TMP */ diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c index 021e0e560b7..3405e1f5def 100644 --- a/usr.bin/sudo/sudo.c +++ b/usr.bin/sudo/sudo.c 
@@ -96,13 +96,16 @@ # include # include #endif +#ifdef HAVE_SELINUX +# include +#endif #include "sudo.h" #include "interfaces.h" #include "version.h" #ifndef lint -__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.34 2007/12/13 14:12:49 millert Exp $"; +__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.43 2008/07/02 10:28:43 millert Exp $"; #endif /* lint */ /* @@ -152,7 +155,7 @@ login_cap_t *lc; #ifdef HAVE_BSD_AUTH_H char *login_style; #endif /* HAVE_BSD_AUTH_H */ -sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; +sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; int @@ -201,8 +204,6 @@ main(argc, argv, envp) (void) sigaction(SIGINT, &sa, &saved_sa_int); (void) sigaction(SIGQUIT, &sa, &saved_sa_quit); (void) sigaction(SIGTSTP, &sa, &saved_sa_tstp); - sa.sa_handler = reapchild; - (void) sigaction(SIGCHLD, &sa, &saved_sa_chld); /* * Turn off core dumps and close open files. 
@@ -270,25 +271,22 @@ main(argc, argv, envp) validated = sudo_ldap_check(pwflag); /* Skip reading /etc/sudoers if LDAP told us to */ - if (def_ignore_local_sudoers); /* skips */ - else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */ - else if (ISSET(validated, VALIDATE_OK) && printmatches) - { - check_sudoers(); /* check mode/owner on _PATH_SUDOERS */ + if (!def_ignore_local_sudoers) { + int v; - /* User is found in LDAP and we want a list of all sudo commands the - * user can do, so consult sudoers but throw away result. - */ - sudoers_lookup(pwflag); - } - else -#endif - { check_sudoers(); /* check mode/owner on _PATH_SUDOERS */ - /* Validate the user but don't search for pseudo-commands. */ - validated = sudoers_lookup(pwflag); + /* Local sudoers file overrides LDAP if we have a match. */ + v = sudoers_lookup(pwflag); + if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK)) + validated = v; } +#else + check_sudoers(); /* check mode/owner on _PATH_SUDOERS */ + + /* Validate the user but don't search for pseudo-commands. */ + validated = sudoers_lookup(pwflag); +#endif if (safe_cmnd == NULL) safe_cmnd = estrdup(user_cmnd); @@ -437,13 +435,18 @@ main(argc, argv, envp) (void) sigaction(SIGINT, &saved_sa_int, NULL); (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); - (void) sigaction(SIGCHLD, &saved_sa_chld, NULL); #ifndef PROFILING if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) exit(0); - else + else { +#ifdef HAVE_SELINUX + if (is_selinux_enabled() > 0 && user_role != NULL) + selinux_exec(user_role, user_type, NewArgv, environ, + ISSET(sudo_mode, MODE_LOGIN_SHELL)); +#endif execve(safe_cmnd, NewArgv, environ); + } #else exit(0); #endif /* PROFILING */ 
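Review bot: The merge `if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK)) validated = v;` only lets the local file win when it grants, so a local sudoers entry cannot revoke an LDAP grant: if LDAP returned VALIDATE_OK and sudoers_lookup returns a denial, the LDAP result stands. That is consistent with the comment `Local sudoers file overrides LDAP if we have a match`, but "match" hides that negative matches do not count; suggest `/* Local sudoers overrides LDAP only when it grants; a local deny cannot revoke an LDAP grant. */`. Conversely, a local grant replaces LDAP's flags wholesale, so an LDAP FLAG_NOPASS is dropped when the local file matches — probably intended, but worth stating next to it. The `#ifdef HAVE_LDAP` that opens this block starts before the hunk.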
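Review bot: If `selinux_exec` can return on failure, control falls through to `execve(safe_cmnd, NewArgv, environ)` and the command runs without the requested role, so the RBAC restriction silently degrades to an ordinary sudo exec; its prototype in sudo.h is `void`, so please confirm it exits on every error path and record that here, e.g. `/* selinux_exec() does not return; it exits on any failure. */`. The guard is also `user_role != NULL` only, so a `-t type` given without a role (and with no role from sudoers or def_role) is dropped without any message; a `warnx("type specified without a role; ignoring")` before the execve, or a usage() error in parse_args, would make that visible. The enclosing main() starts before this hunk.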
@@ -610,8 +613,10 @@ init_vars(sudo_mode, envp) log_error(USE_ERRNO|MSG_ONLY, "can't get hostname"); set_runaspw(*user_runas); /* may call log_error() */ - if (*user_runas[0] == '#' && runas_pw->pw_name && runas_pw->pw_name[0]) - *user_runas = estrdup(runas_pw->pw_name); + if (*user_runas[0] == '#') { + if (runas_pw->pw_name != *user_runas && runas_pw->pw_name[0]) + *user_runas = estrdup(runas_pw->pw_name); + } /* * Get current working directory. Try as user, fall back to root. @@ -858,6 +863,28 @@ parse_args(argc, argv) case 'E': SET(rval, MODE_PRESERVE_ENV); break; +#ifdef HAVE_SELINUX + case 'r': + /* Must have an associated SELinux role. */ + if (NewArgv[1] == NULL) + usage(1); + + user_role = NewArgv[1]; + + NewArgc--; + NewArgv++; + break; + case 't': + /* Must have an associated SELinux type. */ + if (NewArgv[1] == NULL) + usage(1); + + user_type = NewArgv[1]; + + NewArgc--; + NewArgv++; + break; +#endif case '-': NewArgc--; NewArgv++; @@ -893,7 +920,10 @@ args_done: warnx("you may not specify environment variables in edit mode"); usage(1); } - + if (ISSET(rval, MODE_PRESERVE_ENV) && ISSET(rval, MODE_LOGIN_SHELL)) { + warnx("you may not specify both the `-i' and `-E' options"); + usage(1); + } if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) { if (excl != '\0') warnx("the `-u' and '-%c' options may not be used together", excl); 
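Review bot: The new test `runas_pw->pw_name != *user_runas` is a pointer-identity check against the entry set_runaspw now synthesizes for an unknown `#uid` (the set_runaspw hunk sets `runas_pw->pw_name = user`), and that is not obvious from this hunk alone; a comment such as `/* set_runaspw() points pw_name at the "#uid" string itself when the uid has no passwd entry; only substitute a real name. */` would save the next reader a trip to set_runaspw. The old `runas_pw->pw_name &&` NULL guard was dropped, which is safe only if every set_runaspw path fills pw_name — please confirm the sudo_getpwnam path cannot leave it NULL. init_vars starts before this hunk.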
@@ -992,9 +1022,25 @@ static void initial_setup() { int miss[3], devnull = -1; -#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL) +#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)) struct rlimit rl; +#endif +#if defined(__linux__) + /* + * Unlimit the number of processes since Linux's setuid() will + * apply resource limits when changing uid and return EAGAIN if + * nproc would be violated by the uid switch. + */ + rl.rlim_cur = rl.rlim_max = RLIM_INFINITY; + if (setrlimit(RLIMIT_NPROC, &rl)) { + if (getrlimit(RLIMIT_NPROC, &rl) == 0) { + rl.rlim_cur = rl.rlim_max; + (void)setrlimit(RLIMIT_NPROC, &rl); + } + } +#endif /* __linux__ */ +#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL) /* * Turn off core dumps. */ @@ -1194,6 +1240,11 @@ set_runaspw(user) runas_pw = emalloc(sizeof(struct passwd)); (void) memset((VOID *)runas_pw, 0, sizeof(struct passwd)); runas_pw->pw_uid = atoi(user + 1); + runas_pw->pw_name = user; + runas_pw->pw_passwd = "*"; + runas_pw->pw_gecos = user; + runas_pw->pw_dir = "/"; + runas_pw->pw_shell = estrdup(_PATH_BSHELL); } } else { runas_pw = sudo_getpwnam(user); @@ -1272,8 +1323,14 @@ usage(exit_val) #endif #ifdef HAVE_LOGIN_CAP_H " [-c class|-]", +#endif +#ifdef HAVE_SELINUX + " [-r role]", #endif " [-p prompt]", +#ifdef HAVE_SELINUX + " [-t type]", +#endif " [-u username|#uid]", " [VAR=value]", " {-i | -s | }", diff --git a/usr.bin/sudo/sudo.h b/usr.bin/sudo/sudo.h index 665deb639f4..889cd4abc83 100644 --- a/usr.bin/sudo/sudo.h +++ b/usr.bin/sudo/sudo.h @@ -17,7 +17,7 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: sudo.h,v 1.209.2.13 2007/11/27 23:41:23 millert Exp $ + * $Sudo: sudo.h,v 1.209.2.14 2008/02/09 14:44:48 millert Exp $ */ #ifndef _SUDO_SUDO_H @@ -53,6 +53,10 @@ struct sudo_user { int ngroups; GETGROUPS_T *groups; struct list_member *env_vars; +#ifdef HAVE_SELINUX + char *role; + char *type; +#endif }; /* 
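Review bot: Raising RLIMIT_NPROC to unlimited in initial_setup changes the limit for the whole sudo process, and the comment only explains the setuid() EAGAIN motivation; unless something later restores it, the executed command inherits an unlimited nproc, which on a non-PAM Linux build means the per-user process cap is lost for every command run through sudo. CHANGES item 646 says pam_limits resets it on PAM systems; the comment here should say the same and name the non-PAM caveat, e.g. `/* NOTE: this lifts nproc for the command too unless pam_limits (or a later setrlimit) restores it. */`. The fallback to `rl.rlim_max` after a failed setrlimit is sensible; its `(void)` cast is the right call since there is nothing further to try.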
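Review bot: The synthesized passwd entry for an unknown `#uid` still leaves `pw_gid` at 0 from the `memset` on the context line above, so if the run-as group is ever taken from `runas_pw->pw_gid` the command would get gid 0 for any uid without a passwd entry; this hunk fills name, passwd, gecos, dir and shell but not gid, so either set it deliberately to whatever set_perms expects or document why 0 is acceptable. `atoi(user + 1)` is also pre-existing but worth fixing while touching the block: it maps `#abc` to uid 0 and silently overflows on long digit strings, whereas `strtol` with an endptr and ERANGE check rejects both. set_runaspw starts before this hunk.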
@@ -149,6 +153,8 @@ struct sudo_user { #define safe_cmnd (sudo_user.cmnd_safe) #define login_class (sudo_user.class_name) #define runas_pw (sudo_user._runas_pw) +#define user_role (sudo_user.role) +#define user_type (sudo_user.type) /* * We used to use the system definition of PASS_MAX or _PASSWD_LEN, @@ -262,6 +268,9 @@ char *sudo_getepw __P((const struct passwd *)); int pam_prep_user __P((struct passwd *)); void zero_bytes __P((volatile VOID *, size_t)); int gettime __P((struct timespec *)); +#ifdef HAVE_SELINUX +void selinux_exec __P((char *, char *, char **, char **, int)); +#endif YY_DECL; /* Only provide extern declarations outside of sudo.c. */ diff --git a/usr.bin/sudo/sudo.pod b/usr.bin/sudo/sudo.pod index b6562b08ac3..f88c68f04b9 100644 --- a/usr.bin/sudo/sudo.pod +++ b/usr.bin/sudo/sudo.pod @@ -1,4 +1,3 @@ -=cut Copyright (c) 1994-1996, 1998-2005, 2007 Todd C. Miller @@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudo.pod,v 1.70.2.20 2008/01/05 23:59:42 millert Exp $ +$Sudo: sudo.pod,v 1.70.2.24 2008/02/19 18:22:11 millert Exp $ =pod =head1 NAME @@ -30,11 +29,16 @@ sudo, sudoedit - execute a command as another user B B<-h> | B<-K> | B<-k> | B<-L> | B<-l> | B<-V> | B<-v> -B [B<-bEHPS>] S<[B<-a> I]> -S<[B<-c> I|I<->]> S<[B<-p> I]> S<[B<-u> I|I<#uid>]> +B [B<-bEHPS>] +S<[B<-a> I]> +S<[B<-c> I|I<->]> +S<[B<-p> I]> +S<[B<-u> I|I<#uid>]> S<[B=I]> S<{B<-i> | B<-s> | I}> -B [B<-S>] S<[B<-a> I]> S<[B<-c> I|I<->]> +B [B<-S>] +S<[B<-a> I]> +S<[B<-c> I|I<->]> S<[B<-p> I]> S<[B<-u> I|I<#uid>]> file ... 
@@ -458,11 +462,15 @@ Default editor to use in B<-e> (sudoedit) mode =head1 FILES -=over 4 +=over 24 + +=item F<@sysconfdir@/sudoers> + +List of who can run what -=item F<@sysconfdir@/sudoers>C< >List of who can run what +=item F<@timedir@> -=item F<@timedir@>C< >Directory containing timestamps +Directory containing timestamps =back @@ -495,8 +503,9 @@ to make the C and file redirection work. =head1 SEE ALSO -L, L, L, L, L, -L, L +L, L, L, +L, +L, L, L =head1 AUTHORS diff --git a/usr.bin/sudo/sudo_edit.c b/usr.bin/sudo/sudo_edit.c index 50759996518..5ed8e66ce92 100644 --- a/usr.bin/sudo/sudo_edit.c +++ b/usr.bin/sudo/sudo_edit.c @@ -62,10 +62,10 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.8 2007/09/03 20:28:31 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.6.2.9 2008/06/21 00:47:52 millert Exp $"; #endif /* lint */ -extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; +extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; extern char **environ; /* @@ -231,11 +231,10 @@ int sudo_edit(argc, argv, envp) nargv[ac++] = tf[i++].tfile; nargv[ac] = NULL; - /* We wait for our own children and can be suspended. */ + /* Allow the editor to be suspended. */ sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; sa.sa_handler = SIG_DFL; - (void) sigaction(SIGCHLD, &sa, NULL); (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); /* @@ -251,7 +250,6 @@ int sudo_edit(argc, argv, envp) /* child */ (void) sigaction(SIGINT, &saved_sa_int, NULL); (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); - (void) sigaction(SIGCHLD, &saved_sa_chld, NULL); set_perms(PERM_FULL_USER); endpwent(); endgrent(); diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod index 91dfd849446..c5ebc61250f 100644 --- a/usr.bin/sudo/sudoers.pod +++ b/usr.bin/sudo/sudoers.pod @@ -1,4 +1,3 @@ -=cut Copyright (c) 1994-1996, 1998-2005, 2007 Todd C. Miller 
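Review bot: With the `sigaction(SIGCHLD, &sa, NULL)` call removed, the three `sa` assignments (`sigemptyset(&sa.sa_mask)`, `sa.sa_flags = SA_RESTART`, `sa.sa_handler = SIG_DFL`) no longer feed any call in this hunk — the SIGTSTP line restores `saved_sa_tstp`, not `sa`. Unless `sa` is used later in sudo_edit, outside the hunk, they are dead and should go with the handler, and the new comment `Allow the editor to be suspended.` then belongs directly above the SIGTSTP line. sudo_edit continues past the end of the hunk.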
@@ -19,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: sudoers.pod,v 1.95.2.23 2008/01/05 23:59:42 millert Exp $ +$Sudo: sudoers.pod,v 1.95.2.27 2008/07/12 12:49:04 millert Exp $ =pod =head1 NAME @@ -299,7 +298,7 @@ For example: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm would allow the user B to run F, F, and -F as root on the machine rushmore as B without +F as B on the machine rushmore without authenticating himself. If we only want B to be able to run F without a password the entry would be: @@ -500,14 +499,14 @@ of B). =item ignore_local_sudoers -If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped. +If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of -rogue operators who would attempt to add roles to @sysconfdir@/sudoers. -When this option is present, @sysconfdir@/sudoers does not even need to exist. -Since this option tells B how to behave when no specific LDAP entries -have been matched, this sudoOption is only meaningful for the cn=defaults -section. This flag is I by default. +rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>. +When this option is present, F<@sysconfdir@/sudoers> does not even need to +exist. Since this option tells B how to behave when no specific LDAP +entries have been matched, this sudoOption is only meaningful for the +C section. This flag is I by default. =item insults @@ -1021,15 +1020,18 @@ B, and B. =head1 FILES -=over 4 +=over 24 + +=item F<@sysconfdir@/sudoers> -=item F<@sysconfdir@/sudoers>C< > List of who can run what -=item FC< > +=item F + Local groups file -=item FC< > +=item F + List of network groups =back 
diff --git a/usr.bin/sudo/testsudoers.c b/usr.bin/sudo/testsudoers.c index 756d331e74e..3b213f36f2b 100644 --- a/usr.bin/sudo/testsudoers.c +++ b/usr.bin/sudo/testsudoers.c @@ -75,7 +75,7 @@ #endif /* HAVE_FNMATCH */ #ifndef lint -__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.6 2007/10/24 16:43:27 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.7 2008/02/09 14:44:49 millert Exp $"; #endif /* lint */ @@ -542,6 +542,10 @@ main(argc, argv) (void) printf("no_passwd : %d\n", no_passwd); (void) printf("runas_match: %d\n", runas_matches); (void) printf("runas : %s\n", *user_runas); + if (match[top-1].role) + (void) printf("role : %s\n", match[top-1].role); + if (match[top-1].type) + (void) printf("type : %s\n", match[top-1].type); top--; } } diff --git a/usr.bin/sudo/tgetpass.c b/usr.bin/sudo/tgetpass.c index 9e22b5d64c2..2c94cdb11a2 100644 --- a/usr.bin/sudo/tgetpass.c +++ b/usr.bin/sudo/tgetpass.c @@ -70,7 +70,7 @@ #include "sudo.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 18:03:24 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.7 2008/06/21 00:27:01 millert Exp $"; #endif /* lint */ #ifndef TCSASOFT @@ -88,14 +88,6 @@ __unused static const char rcsid[] = "$Sudo: tgetpass.c,v 1.111.2.6 2008/01/16 1 # endif #endif -/* - * QNX 6 (at least) has issues with TCSAFLUSH. - */ -#ifdef __QNX__ -#undef TCSAFLUSH -#define TCSAFLUSH TCSADRAIN -#endif - /* * Compat macros for non-termios systems. */ diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h index a51e62a4f0d..c9459cc1957 100644 --- a/usr.bin/sudo/version.h +++ b/usr.bin/sudo/version.h 
@@ -17,12 +17,12 @@ * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. * - * $Sudo: version.h,v 1.66.2.15 2008/01/14 12:22:57 millert Exp $ + * $Sudo: version.h,v 1.66.2.20 2008/06/22 20:29:03 millert Exp $ */ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.9p12"; +static const char version[] = "1.6.9p17"; #endif /* _SUDO_VERSION_H */ diff --git a/usr.bin/sudo/visudo.c b/usr.bin/sudo/visudo.c index 0310d84d4cd..4fdcd8f46a3 100644 --- a/usr.bin/sudo/visudo.c +++ b/usr.bin/sudo/visudo.c @@ -78,7 +78,7 @@ #include "version.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.10 2007/09/01 13:39:13 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: visudo.c,v 1.166.2.11 2008/06/21 00:47:52 millert Exp $"; #endif /* lint */ struct sudoersfile { @@ -590,12 +590,7 @@ run_command(path, argv) char **argv; { int status; - pid_t pid; - sigset_t set, oset; - - (void) sigemptyset(&set); - (void) sigaddset(&set, SIGCHLD); - (void) sigprocmask(SIG_BLOCK, &set, &oset); + pid_t pid, rv; switch (pid = fork()) { case -1: @@ -603,7 +598,6 @@ run_command(path, argv) Exit(-1); break; /* NOTREACHED */ case 0: - (void) sigprocmask(SIG_SETMASK, &oset, NULL); endpwent(); closefrom(STDERR_FILENO + 1); execv(path, argv); @@ -612,15 +606,15 @@ run_command(path, argv) break; /* NOTREACHED */ } + do { #ifdef sudo_waitpid - pid = sudo_waitpid(pid, &status, 0); + rv = sudo_waitpid(pid, &status, 0); #else - pid = wait(&status); + rv = wait(&status); #endif + } while (rv == -1 && errno == EINTR); - (void) sigprocmask(SIG_SETMASK, &oset, NULL); - - if (pid == -1 || !WIFEXITED(status)) + if (rv == -1 || !WIFEXITED(status)) return(-1); return(WEXITSTATUS(status)); } diff --git a/usr.bin/sudo/visudo.pod b/usr.bin/sudo/visudo.pod index 0743b938672..d914fab45e7 100644 --- a/usr.bin/sudo/visudo.pod +++ b/usr.bin/sudo/visudo.pod 
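Review bot: In run_command's `#else` fallback `rv = wait(&status)` can return any child, so `rv == -1 || !WIFEXITED(status)` may judge the wrong process now that nothing restricts which child is reaped; the sudo_waitpid branch is fine. If the fallback is kept, compare the returned pid, `} while ((rv == -1 && errno == EINTR) || (rv != -1 && rv != pid));`, or note in a comment that visudo never has another child outstanding at this point. run_command starts before this hunk.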
@@ -1,4 +1,3 @@ -=cut Copyright (c) 1996,1998-2005, 2007 Todd C. Miller Permission to use, copy, modify, and distribute this software for any @@ -18,7 +17,7 @@ Sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F39502-99-1-0512. -$Sudo: visudo.pod,v 1.38.2.9 2007/08/13 16:23:31 millert Exp $ +$Sudo: visudo.pod,v 1.38.2.10 2008/02/19 15:45:12 millert Exp $ =pod =head1 NAME @@ -125,11 +124,15 @@ Used by visudo if VISUAL is not set =head1 FILES -=over 4 +=over 24 + +=item F<@sysconfdir@/sudoers> + +List of who can run what -=item F<@sysconfdir@/sudoers>C< >List of who can run what +=item F<@sysconfdir@/sudoers.tmp> -=item F<@sysconfdir@/sudoers.tmp>C< >Lock file for visudo +Lock file for visudo =back