This patch will upgrade Sudo version 1.8.11 to Sudo version 1.8.11 patchlevel 1. To apply: $ cd sudo-1.8.11 $ patch -p1 < sudo-1.8.11p1.patch diff -urNa sudo-1.8.11/ChangeLog sudo-1.8.11p1/ChangeLog --- sudo-1.8.11/ChangeLog Tue Sep 23 11:03:13 2014 +++ sudo-1.8.11p1/ChangeLog Tue Oct 7 20:29:28 2014 
@@ -1,3 +1,179 @@ +2014-10-07 Todd C. Miller + + * NEWS: + Remove change that is part of 1.8.12 not 1.8.11p1 + [8fdad4c4f314] + + * NEWS, configure, configure.ac: + Update for sudo 1.8.11p1 + [80e9898f7c04] + + * src/regress/ttyname/check_ttyname.c: + Only check stdin for the tty and avoid the check entirely if we + don't have a way to get the tty from the kernel. Bug #643 + [deb799e16416] + + * lib/util/sudo_debug.c: + Make a copy of ap in sudo_debug_vprintf2() in case the static buffer + is not big enough and we need to call vasprintf(). + [a5d32b9d63be] + + * src/sudo.c: + Avoid comparing new cwd with old one if getcwd() failed. Bug #670 + [e99093578ca7] + + * plugins/sudoers/env.c: + Fix debugging printout output for env_should_keep() + [a9e7ea4b6751] + +2014-10-06 Todd C. Miller + + * Makefile.in, include/Makefile.in: + Use INSTALL_OWNER instead of -O/-G flags so we can work with the + autotools install-sh too. Bug #669 + [a5f87f6a52b7] + + * plugins/sudoers/policy.c, plugins/sudoers/sudoers.c: + Move sudo_printf to policy.c to match sudo_conv. + [f2d6065c3daf] + +2014-10-05 Todd C. Miller + + * MANIFEST, include/sudo_fatal.h, lib/util/Makefile.in, + lib/util/fatal.c, lib/util/sudo_printf.c, lib/util/util.exp.in, + plugins/sudoers/Makefile.in, plugins/sudoers/sudo_printf.c, + plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, + src/conversation.c, src/sudo.c, src/sudo_plugin_int.h: + Add sudo_warn_set_conversation() to specify a conversation function + to use for warn/fatal. If no conversation function is specified, the + standard error will be used. We now only need sudo_printf() for + things that use the parser. + [d6049e53e3e3] + +2014-10-03 Todd C. Miller + + * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in: + Use correct names when referring to subsections in the sudoers + manual. + [7a016916f0ab] + +2014-10-02 Todd C. 
Miller + + * MANIFEST, config.h.in, configure, configure.ac, + lib/util/inet_ntop.c, src/net_ifs.c: + Use inet_ntop() instead of inet_ntoa() and include a version for + systems that are missing it. + [1a1a70dba9c0] + +2014-10-01 Todd C. Miller + + * configure, configure.ac: + Fix detection of functions in network libs like -lsocket, -lnsl and + -linet when we have already added those libs to NET_LIBS. Fixes a + problem where inet_pton() was not detected on Solaris. + [27e10183649e] + + * NEWS: + Mention --disable-shared-libutil fix. + [7efe70688237] + + * src/Makefile.in: + Always use --tag=disable-static to avoid installing a static + sudo_noexec. + [5d7d58879f99] + + * configure, configure.ac, lib/util/Makefile.in, + plugins/sudoers/Makefile.in: + Instead of building libutil statically for --disable-shared-libutil, + just treat it as a convenience library. Do the same with sudoers for + --enable-static-sudoers. Fixes link errors on Solaris among others + when --disable-shared-libutil is used. + [c5357fe78ab7] + + * configure, configure.ac, lib/util/Makefile.in, + plugins/group_file/Makefile.in, plugins/sample/Makefile.in, + plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in: + Remove LT_LDMAP and LT_LDOPT and just use LT_LDEXPORTS for the + compiler-specific option to restrict symbol exporting. + [09e8dab6f528] + + * src/preload.c: + Include sys/types.h to get gid_t, etc used in sudo_compat.h. Fixes a + build issue on Solaris. + [b8917967df41] + +2014-09-29 Todd C. Miller + + * src/regress/ttyname/check_ttyname.c: + Fix cust & pasto in error message when there is a mismatch between + the sudo and libc ttys. From Diego Elio Petteno'. Bug #643 + [87d5f1a49535] + +2014-09-27 Todd C. Miller + + * plugins/sudoers/env.c: + Add BASH_FUNC_* to environment blacklist for newer-style bash + functions. + [b6e66c4a782e] + + * Makefile.in: + Pull additional password prompts out of mkpkg instead of hard-coding + them. 
+ [d2a6da883b34] + + * NEWS: + Add post-1.8.11 changes + [11169ace8fa4] + + * Makefile.in, configure.ac, plugins/sudoers/auth/pam.c, + plugins/sudoers/auth/sia.c, plugins/sudoers/po/sudoers.pot: + Add a space after "Password:" in default password prompt so it is + easier to read when pwfeedback is enabled. + [a7750d845b5b] + + * plugins/sudoers/auth/sudo_auth.c: + Simplify how we count the password tries + [71b9f2021561] + + * plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c: + Block SIGINT and SIGQUIT while verifying passwords so that + authentication modules that use sleep() are not interrupted. If the + user interrupted authentication, exit the loop. + [1cfafd7fcb13] + + * configure, configure.ac: + Remove Convex support; it is not modern enough to run sudo 1.8. + [c3bdfbb2ee11] + + * configure, configure.ac: + Only check for -lshadow if we haven't already found getspnam() in + libc. Rather than treat this specially, just add -lshadow as another + place to search in addition to -lgen. + [fdf06757f25d] + +2014-09-26 Todd C. Miller + + * plugins/sudoers/auth/sudo_auth.c: + If all authentication methods fail init/setup, fail with an error. + [4cd0481bf05e] + + * plugins/sudoers/auth/sudo_auth.c: + Move pass_warn() so that it is defined before it is called(). + [6ea697e89fef] + +2014-09-24 Todd C. Miller + + * pp: + Remove duplicate Requires: line in generated rpm spec file. + [335703b110c7] + + * pp: + In pp_files_expand() set _target to be empty. Fixes a problem with + Solaris sh where simply using typeset doesn't causes the variable to + be treated as local so we can inadvertantly inherit a value from a + previous call. + [f3cecca3c7b0] + 2014-09-23 Todd C. Miller * configure, configure.ac: diff -urNa sudo-1.8.11/Makefile.in sudo-1.8.11p1/Makefile.in --- sudo-1.8.11/Makefile.in Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/Makefile.in Tue Oct 7 14:26:20 2014 
@@ -265,7 +265,7 @@ ln -s $$lang $(DESTDIR)$(localedir)/$$lang$(LOCALEDIR_SUFFIX); \ fi; \ fi; \ - $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $$podir/$$lang.mo $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$$domain.mo; \ + $(INSTALL) $(INSTALL_OWNER) -m 0644 $$podir/$$lang.mo $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$$domain.mo; \ done; \ echo ""; \ done; \ diff -urNa sudo-1.8.11/NEWS sudo-1.8.11p1/NEWS --- sudo-1.8.11/NEWS Tue Sep 23 10:55:17 2014 +++ sudo-1.8.11p1/NEWS Tue Oct 7 20:29:03 2014 @@ -1,3 +1,30 @@ +What's new in Sudo 1.8.11p1 + + * Fixed a compilation problem on some systems when the + --disable-shared-libutil configure option was specified. + + * The user can no longer interrupt the sleep after an incorrect + password on PAM systems using pam_unix. + Bug #666 + + * Fixed a compilation problem on Linux systems that do not use PAM. + Bug #667 + + * "make install" will now work with the stock GNU autotools + install-sh script. Bug #669 + + * Fixed a crash with "sudo -i" when the current working directory + does not exist. Bug #670 + + * Fixed a potential crash in the debug subsystem when logging a message + larger that 1024 bytes. + + * Fixed a "make check" failure for ttyname when stdin is closed and + stdout and stderr are redirected to a different tty. Bug #643 + + * Added BASH_FUNC_* to environment blacklist to match newer-style + bash functions. + What's new in Sudo 1.8.11 * The sudoers plugin no longer uses setjmp/longjmp to recover diff -urNa sudo-1.8.11/configure sudo-1.8.11p1/configure --- sudo-1.8.11/configure Tue Sep 23 11:01:12 2014 +++ sudo-1.8.11p1/configure Tue Oct 7 14:26:20 2014 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.11. +# Generated by GNU Autoconf 2.69 for sudo 1.8.11p1. # # Report bugs to . # 
@@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.11' -PACKAGE_STRING='sudo 1.8.11' +PACKAGE_VERSION='1.8.11p1' +PACKAGE_STRING='sudo 1.8.11p1' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -781,13 +781,11 @@ SUDOERS_OBJS COMMON_OBJS LT_DEP_LIBS -LT_STATIC_LIBUTIL LT_STATIC LT_LDEXPORTS LT_LDDEP -LT_LDOPT -LT_LDMAP LT_LDFLAGS +LIBUTIL_LDFLAGS SUDOERS_LDFLAGS LDFLAGS CPPFLAGS @@ -1509,7 +1507,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.11 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.11p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1574,7 +1572,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.11:";; + short | recursive ) echo "Configuration of sudo 1.8.11p1:";; esac cat <<\_ACEOF @@ -1809,7 +1807,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.11 +sudo configure 1.8.11p1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2518,7 +2516,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.11, which was +It was created by sudo $as_me 1.8.11p1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2983,8 +2981,6 @@ - - # # Begin initial values for man page substitution # @@ -3067,10 +3063,8 @@ RC_LINK= COMPAT_EXP= CHECKSHADOW=true -shadow_defs= shadow_funcs= shadow_libs= -shadow_libs_optional= CONFIGURE_ARGS="$@" RTLD_PRELOAD_VAR="LD_PRELOAD" 
@@ -14733,9 +14727,7 @@ ;; *-*-linux*|*-*-k*bsd*-gnu) OSDEFS="${OSDEFS} -D_GNU_SOURCE" - # Some Linux versions need to link with -lshadow shadow_funcs="getspnam" - shadow_libs_optional="-lshadow" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; *-*-gnu*) @@ -14744,16 +14736,6 @@ ac_cv_func_lockf=no ac_cv_func_flock=yes ;; - *-convex-bsd*) - OSDEFS="${OSDEFS} -D_CONVEX_SOURCE" - if test -z "$GCC"; then - CFLAGS="${CFLAGS} -D__STDC__" - fi - - shadow_defs="-D_AUDIT -D_ACL -DSecureWare" - shadow_funcs="getprpwnam" - shadow_libs="-lprot" - ;; *-*-ultrix*) OS="ultrix" shadow_funcs="getauthuid" @@ -19075,6 +19057,8 @@ fi +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket" if test "x$ac_cv_func_socket" = xyes; then : @@ -19146,6 +19130,9 @@ fi +LIBS="$OLIBS" +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" ac_fn_c_check_func "$LINENO" "inet_ntoa" "ac_cv_func_inet_ntoa" if test "x$ac_cv_func_inet_ntoa" = xyes; then : $as_echo "#define HAVE_INET_NTOA 1" >>confdefs.h @@ -19223,6 +19210,9 @@ fi +LIBS="$OLIBS" +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" found=false INET_PTON_LIBS= ac_fn_c_check_func "$LINENO" "inet_pton" "ac_cv_func_inet_pton" @@ -19307,6 +19297,7 @@ fi +LIBS="$OLIBS" if test X"$found" != X"true"; then case " $LIBOBJS " in *" inet_pton.$ac_objext "* ) ;; @@ -19321,6 +19312,8 @@ done fi +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" ac_fn_c_check_func "$LINENO" "syslog" "ac_cv_func_syslog" if test "x$ac_cv_func_syslog" = xyes; then : @@ -19392,11 +19385,13 @@ fi +LIBS="$OLIBS" # # Check for getaddrinfo and add any required libs to NET_LIBS. # If it was added to LIBOBJS we need to export the symbols. # OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for getaddrinfo" >&5 $as_echo_n "checking for getaddrinfo... " >&6; } if ${ax_cv_func_getaddrinfo+:} false; then : 
@@ -19577,7 +19572,7 @@ ;; *) for lib in $LIBS; do - case "$OLIBS" in + case "$NET_LIBS" in *"$lib"*) ;; *) NET_LIBS="${NET_LIBS} $lib";; esac @@ -21323,29 +21318,10 @@ fi done - if test "$found" = "yes" -a -n "$shadow_libs_optional"; then - LIBS="$LIBS $shadow_libs_optional" - for ac_func in $shadow_funcs -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - found=yes -fi -done - - if test "$found" = "yes"; then - shadow_libs="$shadow_libs $shadow_libs_optional" - fi - fi if test "$found" = "yes"; then case "$shadow_funcs" in *getprpwnam*) SECUREWARE=1;; esac - test -n "$shadow_defs" && OSDEFS="${OSDEFS} $shadow_defs" else shadow_libs= fi @@ -21377,7 +21353,7 @@ return 0; } _ACEOF -for ac_lib in '' gen; do +for ac_lib in '' gen shadow; do if test -z "$ac_lib"; then ac_res="none required" else @@ -22077,11 +22053,10 @@ if test X"$STATIC_SUDOERS" = X""; then as_fn_error $? "\"--disable-shared-libutil may only be specified with --enable-static-sudoers or when dynamic linking is disabled.\"" "$LINENO" 5 else - # Disable use shared version of libsudo_util. - LT_STATIC_LIBUTIL="--tag=disable-shared" + # Do not install sudoers or libsudo_util. + SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS}${SUDOERS_LDFLAGS+ }-no-install" + LIBUTIL_LDFLAGS="${LIBUTIL_LDFLAGS}${LIBUTIL_LDFLAGS+ }-no-install" fi -else - LT_STATIC_LIBUTIL="$LT_STATIC" fi # On HP-UX, you cannot dlopen() a shared object that uses pthreads unless 
@@ -22462,7 +22437,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_gnu_ld_anon_map" >&5 $as_echo "$sudo_cv_var_gnu_ld_anon_map" >&6; } if test "$sudo_cv_var_gnu_ld_anon_map" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,--version-script,\$(shlib_map)" + LT_LDDEP="\$(shlib_map)"; LT_LDEXPORTS="-Wl,--version-script,\$(shlib_map)" fi else case "$host_os" in @@ -22508,7 +22483,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_solaris_ld_anon_map" >&5 $as_echo "$sudo_cv_var_solaris_ld_anon_map" >&6; } if test "$sudo_cv_var_solaris_ld_anon_map" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,-M,\$(shlib_map)" + LT_LDDEP="\$(shlib_map)"; LT_LDEXPORTS="-Wl,-M,\$(shlib_map)" fi ;; hpux*) @@ -22553,7 +22528,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_hpux_ld_symbol_export" >&5 $as_echo "$sudo_cv_var_hpux_ld_symbol_export" >&6; } if test "$sudo_cv_var_hpux_ld_symbol_export" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_opt)"; LT_LDOPT="-Wl,-c,\$(shlib_opt)" + LT_LDDEP="\$(shlib_opt)"; LT_LDEXPORTS="-Wl,-c,\$(shlib_opt)" fi ;; esac @@ -23718,7 +23693,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.11, which was +This file was extended by sudo $as_me 1.8.11p1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23784,7 +23759,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.11 +sudo config.status 1.8.11p1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.11/configure.ac sudo-1.8.11p1/configure.ac --- sudo-1.8.11/configure.ac Tue Sep 23 11:01:12 2014 +++ sudo-1.8.11p1/configure.ac Tue Oct 7 14:26:20 2014 
@@ -4,7 +4,7 @@ dnl Copyright (c) 1994-1996,1998-2014 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.11], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.11p1], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl @@ -21,13 +21,11 @@ AC_SUBST([CPPFLAGS]) AC_SUBST([LDFLAGS]) AC_SUBST([SUDOERS_LDFLAGS]) +AC_SUBST([LIBUTIL_LDFLAGS]) AC_SUBST([LT_LDFLAGS]) -AC_SUBST([LT_LDMAP]) -AC_SUBST([LT_LDOPT]) AC_SUBST([LT_LDDEP]) AC_SUBST([LT_LDEXPORTS]) AC_SUBST([LT_STATIC]) -AC_SUBST([LT_STATIC_LIBUTIL]) AC_SUBST([LT_DEP_LIBS]) AC_SUBST([COMMON_OBJS]) AC_SUBST([SUDOERS_OBJS]) @@ -223,10 +221,8 @@ dnl Other vaiables dnl CHECKSHADOW=true -shadow_defs= shadow_funcs= shadow_libs= -shadow_libs_optional= CONFIGURE_ARGS="$@" dnl @@ -1908,9 +1904,7 @@ ;; *-*-linux*|*-*-k*bsd*-gnu) OSDEFS="${OSDEFS} -D_GNU_SOURCE" - # Some Linux versions need to link with -lshadow shadow_funcs="getspnam" - shadow_libs_optional="-lshadow" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; *-*-gnu*) @@ -1919,16 +1913,6 @@ ac_cv_func_lockf=no ac_cv_func_flock=yes ;; - *-convex-bsd*) - OSDEFS="${OSDEFS} -D_CONVEX_SOURCE" - if test -z "$GCC"; then - CFLAGS="${CFLAGS} -D__STDC__" - fi - - shadow_defs="-D_AUDIT -D_ACL -DSecureWare" - shadow_funcs="getprpwnam" - shadow_libs="-lprot" - ;; *-*-ultrix*) OS="ultrix" shadow_funcs="getauthuid" @@ -2650,6 +2634,8 @@ dnl If socket(2) not in libc, check -lsocket and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" AC_CHECK_FUNC(socket, [], [ for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do _libs= 
@@ -2666,11 +2652,14 @@ SUDO_CHECK_LIB($lib, socket, [NET_LIBS="${NET_LIBS} $libs"; break], [], [$extralibs]) done ]) +LIBS="$OLIBS" dnl dnl If inet_ntoa(3) not in libc, check -lnsl and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl Some systems may have inet_ntoa() in libresolv. dnl +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" AC_CHECK_FUNC(inet_ntoa, [AC_DEFINE(HAVE_INET_NTOA)], [ for libs in "-lsocket" "-linet" "-lsocket -lnsl" "-lresolv"; do _libs= @@ -2691,11 +2680,14 @@ ], [], [$extralibs]) done ]) +LIBS="$OLIBS" dnl dnl If inet_pton(3) not in libc, check -lnsl and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl Some systems may have inet_pton() in libresolv. dnl +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" found=false INET_PTON_LIBS= AC_CHECK_FUNC(inet_pton, [ @@ -2723,6 +2715,7 @@ ], [], [$extralibs]) done ]) +LIBS="$OLIBS" if test X"$found" != X"true"; then AC_LIBOBJ(inet_pton) SUDO_APPEND_COMPAT_EXP(sudo_inet_pton) @@ -2730,6 +2723,8 @@ dnl dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet dnl +OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" AC_CHECK_FUNC(syslog, [], [ for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do _libs= @@ -2746,11 +2741,13 @@ SUDO_CHECK_LIB($lib, syslog, [NET_LIBS="${NET_LIBS} $libs"; break], [], [$extralibs]) done ]) +LIBS="$OLIBS" # # Check for getaddrinfo and add any required libs to NET_LIBS. # If it was added to LIBOBJS we need to export the symbols. # OLIBS="$LIBS" +LIBS="${LIBS} ${NET_LIBS}" AX_FUNC_GETADDRINFO case " $LIBOBJS " in *" getaddrinfo.$ac_objext "* ) @@ -2780,7 +2777,7 @@ ;; *) for lib in $LIBS; do - case "$OLIBS" in + case "$NET_LIBS" in *"$lib"*) ;; *) NET_LIBS="${NET_LIBS} $lib";; esac 
@@ -3430,18 +3427,10 @@ LIBS="$LIBS $shadow_libs" found=no AC_CHECK_FUNCS($shadow_funcs, [found=yes]) - if test "$found" = "yes" -a -n "$shadow_libs_optional"; then - LIBS="$LIBS $shadow_libs_optional" - AC_CHECK_FUNCS($shadow_funcs, [found=yes]) - if test "$found" = "yes"; then - shadow_libs="$shadow_libs $shadow_libs_optional" - fi - fi if test "$found" = "yes"; then case "$shadow_funcs" in *getprpwnam*) SECUREWARE=1;; esac - test -n "$shadow_defs" && OSDEFS="${OSDEFS} $shadow_defs" else shadow_libs= fi @@ -3449,7 +3438,7 @@ LIBS="$_LIBS" fi if test "$CHECKSHADOW" = "true"; then - AC_SEARCH_LIBS([getspnam], [gen], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"]) + AC_SEARCH_LIBS([getspnam], [gen shadow], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"]) fi if test "$CHECKSHADOW" = "true"; then AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"]) @@ -3632,11 +3621,10 @@ if test X"$STATIC_SUDOERS" = X""; then AC_MSG_ERROR(["--disable-shared-libutil may only be specified with --enable-static-sudoers or when dynamic linking is disabled."]) else - # Disable use shared version of libsudo_util. - LT_STATIC_LIBUTIL="--tag=disable-shared" + # Do not install sudoers or libsudo_util. + SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS}${SUDOERS_LDFLAGS+ }-no-install" + LIBUTIL_LDFLAGS="${LIBUTIL_LDFLAGS}${LIBUTIL_LDFLAGS+ }-no-install" fi -else - LT_STATIC_LIBUTIL="$LT_STATIC" fi # On HP-UX, you cannot dlopen() a shared object that uses pthreads unless @@ -3739,7 +3727,7 @@ ] ) if test "$sudo_cv_var_gnu_ld_anon_map" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,--version-script,\$(shlib_map)" + LT_LDDEP="\$(shlib_map)"; LT_LDEXPORTS="-Wl,--version-script,\$(shlib_map)" fi else case "$host_os" in 
@@ -3765,7 +3753,7 @@ ] ) if test "$sudo_cv_var_solaris_ld_anon_map" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,-M,\$(shlib_map)" + LT_LDDEP="\$(shlib_map)"; LT_LDEXPORTS="-Wl,-M,\$(shlib_map)" fi ;; hpux*) @@ -3790,7 +3778,7 @@ ] ) if test "$sudo_cv_var_hpux_ld_symbol_export" = "yes"; then - LT_LDEXPORTS=; LT_LDDEP="\$(shlib_opt)"; LT_LDOPT="-Wl,-c,\$(shlib_opt)" + LT_LDDEP="\$(shlib_opt)"; LT_LDEXPORTS="-Wl,-c,\$(shlib_opt)" fi ;; esac diff -urNa sudo-1.8.11/doc/sudo.cat sudo-1.8.11p1/doc/sudo.cat --- sudo-1.8.11/doc/sudo.cat Tue Sep 23 10:40:16 2014 +++ sudo-1.8.11p1/doc/sudo.cat Tue Oct 7 14:26:20 2014 @@ -167,7 +167,7 @@ attempts to change to that user's home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in. The - _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the sudoers(4) manual + _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t section in the sudoers(4) manual documents how the --ii option affects the environment in which a command is run when the _s_u_d_o_e_r_s policy is in use. @@ -435,7 +435,7 @@ those commands. Because of this, care must be taken when giving users access to commands via ssuuddoo to verify that the command does not inadvertently give the user an effective root shell. For more - information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in + information, please see the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section in sudoers(4). To prevent the disclosure of potentially sensitive information, ssuuddoo diff -urNa sudo-1.8.11/doc/sudo.man.in sudo-1.8.11p1/doc/sudo.man.in --- sudo-1.8.11/doc/sudo.man.in Fri Mar 7 14:51:21 2014 +++ sudo-1.8.11p1/doc/sudo.man.in Tue Oct 7 14:26:20 2014 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "@mansectsu@" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "8" "February 15, 2014" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -367,7 +367,7 @@ The command is run with an environment similar to the one a user would receive at log in. The -\fICommand Environment\fR +\fICommand environment\fR section in the sudoers(@mansectform@) manual documents how the @@ -879,7 +879,7 @@ to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the -\fIPREVENTING SHELL ESCAPES\fR +\fIPreventing shell escapes\fR section in sudoers(@mansectform@). .PP diff -urNa sudo-1.8.11/doc/sudo.mdoc.in sudo-1.8.11p1/doc/sudo.mdoc.in --- sudo-1.8.11/doc/sudo.mdoc.in Fri Mar 7 14:51:19 2014 +++ sudo-1.8.11p1/doc/sudo.mdoc.in Tue Oct 7 14:26:20 2014 @@ -334,7 +334,7 @@ The command is run with an environment similar to the one a user would receive at log in. The -.Em Command Environment +.Em Command environment section in the .Xr sudoers @mansectform@ manual documents how the @@ -814,7 +814,7 @@ to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the -.Em PREVENTING SHELL ESCAPES +.Em Preventing shell escapes section in .Xr sudoers @mansectform@ . .Pp diff -urNa sudo-1.8.11/include/Makefile.in sudo-1.8.11p1/include/Makefile.in --- sudo-1.8.11/include/Makefile.in Fri Mar 7 14:51:19 2014 +++ sudo-1.8.11p1/include/Makefile.in Tue Oct 7 14:26:20 2014 @@ -27,6 +27,7 @@ # Our install program supports extra flags... INSTALL = $(SHELL) $(top_srcdir)/install-sh -c +INSTALL_OWNER = -o $(install_uid) -g $(install_gid) # Where to install things... prefix = @prefix@ 
@@ -65,7 +66,7 @@ install-doc: install-includes: install-dirs - $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $(srcdir)/sudo_plugin.h $(DESTDIR)$(includedir) + $(INSTALL) $(INSTALL_OWNER) -m 0644 $(srcdir)/sudo_plugin.h $(DESTDIR)$(includedir) install-plugin: diff -urNa sudo-1.8.11/lib/util/Makefile.in sudo-1.8.11p1/lib/util/Makefile.in --- sudo-1.8.11/lib/util/Makefile.in Tue Sep 23 10:40:16 2014 +++ sudo-1.8.11p1/lib/util/Makefile.in Tue Oct 7 14:26:20 2014 @@ -45,7 +45,7 @@ # Compiler & tools to use CC = @CC@ -LIBTOOL = @LIBTOOL@ @LT_STATIC_LIBUTIL@ +LIBTOOL = @LIBTOOL@ @LT_STATIC@ SED = @SED@ # Our install program supports extra flags... @@ -60,7 +60,7 @@ # Flags to pass to the link stage LDFLAGS = @LDFLAGS@ -LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@ +LT_LDFLAGS = @LIBUTIL_LDFLAGS@ @LT_LDFLAGS@ @LT_LDEXPORTS@ # PIE flags PIE_CFLAGS = @PIE_CFLAGS@ @@ -134,7 +134,12 @@ @$(SED) 's/^/+e /' $(shlib_exp) > $@ libsudo_util.la: $(LTOBJS) @LT_LDDEP@ - $(LIBTOOL) --mode=link $(CC) -o $@ $(LDFLAGS) $(LT_LDFLAGS) $(LTOBJS) -version-info $(SHLIB_VERSION) -rpath $(libexecdir)/sudo @LT_DEP_LIBS@ @LIBDL@ + case "$(LT_LDFLAGS)" in \ + *-no-install*) \ + $(LIBTOOL) --mode=link $(CC) -o $@ $(LDFLAGS) $(LT_LDFLAGS) $(LTOBJS);; \ + *) \ + $(LIBTOOL) --mode=link $(CC) -o $@ $(LDFLAGS) $(LT_LDFLAGS) $(LTOBJS) -version-info $(SHLIB_VERSION) -rpath $(libexecdir)/sudo @LT_DEP_LIBS@ @LIBDL@;; \ + esac siglist.c: mksiglist ./mksiglist > $@ 
@@ -182,8 +187,8 @@ pre-install: install: install-dirs - case "$(LIBTOOL)" in \ - *disable-shared*) ;; \ + case "$(LT_LDFLAGS)" in \ + *-no-install*) ;; \ *) if [ X"$(shlib_enable)" = X"yes" ]; then \ INSTALL_BACKUP='~' $(LIBTOOL) --quiet --mode=install $(INSTALL) $(INSTALL_OWNER) libsudo_util.la $(DESTDIR)$(libexecdir)/sudo; \ fi;; \ diff -urNa sudo-1.8.11/lib/util/sudo_debug.c sudo-1.8.11p1/lib/util/sudo_debug.c --- sudo-1.8.11/lib/util/sudo_debug.c Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/lib/util/sudo_debug.c Tue Oct 7 14:26:20 2014 @@ -370,8 +370,7 @@ sudo_debug_vprintf2(const char *func, const char *file, int lineno, int level, const char *fmt, va_list ap) { - int buflen, pri, subsys, saved_errno = errno; - char static_buf[1024], *buf = static_buf; + int pri, subsys; if (!sudo_debug_initialized) return; @@ -382,10 +381,15 @@ /* Make sure we want debug info at this level. */ if (subsys < num_subsystems && sudo_debug_settings[subsys] >= pri) { + char static_buf[1024], *buf = static_buf; + int buflen, saved_errno = errno; + va_list ap2; + + va_copy(ap2, ap); buflen = fmt ? vsnprintf(static_buf, sizeof(static_buf), fmt, ap) : 0; if (buflen >= (int)sizeof(static_buf)) { /* Not enough room in static buf, allocate dynamically. */ - buflen = vasprintf(&buf, fmt, ap); + buflen = vasprintf(&buf, fmt, ap2); } if (buflen != -1) { int errcode = ISSET(level, SUDO_DEBUG_ERRNO) ? saved_errno : 0; @@ -396,9 +400,9 @@ if (buf != static_buf) free(buf); } + va_end(ap2); + errno = saved_errno; } - - errno = saved_errno; } #ifdef NO_VARIADIC_MACROS diff -urNa sudo-1.8.11/plugins/group_file/Makefile.in sudo-1.8.11p1/plugins/group_file/Makefile.in --- sudo-1.8.11/plugins/group_file/Makefile.in Tue Sep 23 10:40:17 2014 +++ sudo-1.8.11p1/plugins/group_file/Makefile.in Tue Oct 7 14:26:20 2014 
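Review bot: The `va_copy(ap2, ap)` added to sudo_debug_vprintf2() in lib/util/sudo_debug.c (hunk @@ -382,10 +381,15 @@) has no comment explaining why the copy exists, although it is the whole fix. Once vsnprintf() has consumed `ap` its value is indeterminate, so the vasprintf() retry for messages that do not fit the 1024-byte `static_buf` must walk its own copy. I would put `/* vsnprintf() consumes ap; the vasprintf() fallback needs its own copy. */` above the va_copy, so that it and the matching `va_end(ap2)` are not later removed as redundant. The function starts and ends outside these hunks.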
@@ -47,7 +47,7 @@ # Flags to pass to the link stage LDFLAGS = @LDFLAGS@ -LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@ +LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDEXPORTS@ # PIE flags PIE_CFLAGS = @PIE_CFLAGS@ diff -urNa sudo-1.8.11/plugins/sample/Makefile.in sudo-1.8.11p1/plugins/sample/Makefile.in --- sudo-1.8.11/plugins/sample/Makefile.in Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/plugins/sample/Makefile.in Tue Oct 7 14:26:20 2014 @@ -46,7 +46,7 @@ # Flags to pass to the link stage LDFLAGS = @LDFLAGS@ -LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@ +LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDEXPORTS@ # PIE flags PIE_CFLAGS = @PIE_CFLAGS@ diff -urNa sudo-1.8.11/plugins/sudoers/Makefile.in sudo-1.8.11p1/plugins/sudoers/Makefile.in --- sudo-1.8.11/plugins/sudoers/Makefile.in Tue Sep 23 10:40:17 2014 +++ sudo-1.8.11p1/plugins/sudoers/Makefile.in Tue Oct 7 14:26:20 2014 @@ -65,7 +65,7 @@ # Flags to pass to the link stage LDFLAGS = @LDFLAGS@ -LT_LDFLAGS = @SUDOERS_LDFLAGS@ @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@ +LT_LDFLAGS = @SUDOERS_LDFLAGS@ @LT_LDFLAGS@ @LT_LDEXPORTS@ # PIE flags PIE_CFLAGS = @PIE_CFLAGS@ 
@@ -201,7 +201,12 @@ $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@ - $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -avoid-version -rpath $(plugindir) -shrext .so + case "$(LT_LDFLAGS)" in \ + *-no-install*) \ + $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module;; \ + *) \ + $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -avoid-version -rpath $(plugindir) -shrext .so;; \ + esac visudo: libparsesudoers.la $(VISUDO_OBJS) $(LT_LIBS) $(LIBTOOL) --mode=link $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(LIBS) $(VISUDO_LIBS) @@ -309,9 +314,12 @@ @LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0755 $(srcdir)/sudoers2ldif $(DESTDIR)$(docdir) install-plugin: sudoers.la install-dirs - if [ X"$(shlib_enable)" = X"yes" ]; then \ - INSTALL_BACKUP='~' $(LIBTOOL) --mode=install $(INSTALL) $(INSTALL_OWNER) -m $(shlib_mode) sudoers.la $(DESTDIR)$(plugindir); \ - fi + case "$(LT_LDFLAGS)" in \ + *-no-install*) ;; \ + *) if [ X"$(shlib_enable)" = X"yes" ]; then \ + INSTALL_BACKUP='~' $(LIBTOOL) --mode=install $(INSTALL) $(INSTALL_OWNER) -m $(shlib_mode) sudoers.la $(DESTDIR)$(plugindir); \ + fi;; \ + esac install-sudoers: install-dirs $(INSTALL) -d $(INSTALL_OWNER) -m 0750 $(DESTDIR)$(sudoersdir)/sudoers.d diff -urNa sudo-1.8.11/plugins/sudoers/auth/sia.c sudo-1.8.11p1/plugins/sudoers/auth/sia.c --- sudo-1.8.11/plugins/sudoers/auth/sia.c Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/plugins/sudoers/auth/sia.c Tue Oct 7 14:26:20 2014 @@ -43,6 +43,7 @@ # include #endif /* HAVE_UNISTD_H */ #include +#include #include #include "sudoers.h" 
@@ -62,6 +63,8 @@ sudo_collect(int timeout, int rendition, uchar_t *title, int nprompts, prompt_t *prompts) { + int rval; + sigset_t mask, omask; debug_decl(sudo_collect, SUDO_DEBUG_AUTH) switch (rendition) { @@ -82,7 +85,18 @@ break; } - debug_return_int(sia_collect_trm(timeout, rendition, title, nprompts, prompts)); + /* Unblock SIGINT and SIGQUIT during password entry. */ + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + sigprocmask(SIG_UNBLOCK, &mask, &omask); + + rval = sia_collect_trm(timeout, rendition, title, nprompts, prompts); + + /* Restore previous signal mask. */ + sigprocmask(SIG_SETMASK, &omask, NULL); + + debug_return_int(rval); } int @@ -118,7 +132,7 @@ def_prompt = prompt; /* for sudo_collect */ - /* XXX - need a way to detect user hitting return or EOF at prompt */ + /* XXX - need a way to detect user hitting ^C or EOF at prompt */ if (sia_ses_reauthent(sudo_collect, siah) == SIASUCCESS) debug_return_int(AUTH_SUCCESS); else diff -urNa sudo-1.8.11/plugins/sudoers/auth/sudo_auth.c sudo-1.8.11p1/plugins/sudoers/auth/sudo_auth.c --- sudo-1.8.11/plugins/sudoers/auth/sudo_auth.c Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/plugins/sudoers/auth/sudo_auth.c Tue Oct 7 14:26:20 2014 @@ -95,8 +95,6 @@ static int standalone; -static void pass_warn(void); - /* * Initialize sudoers authentication method(s). * Returns 0 on success and -1 on error. @@ -161,6 +159,30 @@ debug_return_int(status == AUTH_FATAL ? -1 : 0); } +static void +pass_warn(void) +{ + const char *warning = def_badpass_message; + debug_decl(pass_warn, SUDO_DEBUG_AUTH) + +#ifdef INSULT + if (def_insults) + warning = INSULT; +#endif + sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", warning); + + debug_return; +} + +static bool +user_interrupted(void) +{ + sigset_t mask; + + return (sigpending(&mask) == 0 && + (sigismember(&mask, SIGINT) || sigismember(&mask, SIGQUIT))); +} + /* * Verify the specified user. * Returns true if verified, false if not or -1 on error. 
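Review bot: In sudo_collect() in plugins/sudoers/auth/sia.c (hunk @@ -82,7 +85,18 @@) neither sigprocmask() result is checked, and `omask` is only filled in when the first call succeeds. If the unblock ever failed, the later `sigprocmask(SIG_SETMASK, &omask, NULL)` would install an uninitialised mask. Failure is unlikely with a constant `how`, but this mask decides whether SIGINT/SIGQUIT can interrupt authentication, so I would restore only on success: `int restore = sigprocmask(SIG_UNBLOCK, &mask, &omask) == 0;` and then `if (restore) (void) sigprocmask(SIG_SETMASK, &omask, NULL);`. The `(void)` cast would also match how verify_user() in sudo_auth.c writes the same calls.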
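Review bot: user_interrupted() in plugins/sudoers/auth/sudo_auth.c (hunk @@ -161,6 +159,30 @@) only gives a meaningful answer while SIGINT and SIGQUIT are blocked, because sigpending() reports signals that are blocked and pending, and nothing on the function says so. A caller that used it outside the critical section set up in verify_user() would always get false. I would add `/* Returns true if SIGINT or SIGQUIT is pending; only meaningful while the caller has both signals blocked. */` above it. As a style point, it is the only helper in this hunk without `debug_decl`/`debug_return`, unlike pass_warn() directly above.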
@@ -168,22 +190,15 @@ int verify_user(struct passwd *pw, char *prompt, int validated) { - unsigned int counter = def_passwd_tries + 1; - int success = AUTH_FAILURE; - int status, rval; + unsigned int ntries; + int rval, status, success = AUTH_FAILURE; char *p; sudo_auth *auth; - sigaction_t sa, osa; + sigset_t mask, omask; + sigaction_t sa, saved_sigtstp; debug_decl(verify_user, SUDO_DEBUG_AUTH) - /* Enable suspend during password entry. */ - sigemptyset(&sa.sa_mask); - sa.sa_flags = SA_RESTART; - sa.sa_handler = SIG_DFL; - (void) sigaction(SIGTSTP, &sa, &osa); - /* Make sure we have at least one auth method. */ - /* XXX - check FLAG_DISABLED too */ if (auth_switch[0].name == NULL) { audit_failure(NewArgc, NewArgv, N_("no authentication methods")); log_warningx(SLOG_SEND_MAIL, 
@@ -193,17 +208,52 @@ debug_return_int(-1); } - while (--counter) { + /* Enable suspend during password entry. */ + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sa.sa_handler = SIG_DFL; + (void) sigaction(SIGTSTP, &sa, &saved_sigtstp); + + /* + * We treat authentication as a critical section and block + * keyboard-generated signals such as SIGINT and SIGQUIT + * which might otherwise interrupt a sleep(3). + * They are temporarily unblocked by auth_getpass(). + */ + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + (void) sigprocmask(SIG_BLOCK, &mask, &omask); + + for (ntries = 0; ntries < def_passwd_tries; ntries++) { + int num_methods = 0; + + /* If user attempted to interrupt password verify, quit now. */ + if (user_interrupted()) + goto done; + + if (ntries != 0) + pass_warn(); + /* Do any per-method setup and unconfigure the method if needed */ for (auth = auth_switch; auth->name; auth++) { - if (auth->setup && !IS_DISABLED(auth)) { + if (IS_DISABLED(auth)) + continue; + num_methods++; + if (auth->setup != NULL) { status = (auth->setup)(pw, &prompt, auth); if (status == AUTH_FAILURE) SET(auth->flags, FLAG_DISABLED); - else if (status == AUTH_FATAL) + else if (status == AUTH_FATAL || user_interrupted()) goto done; /* assume error msg already printed */ } } + if (num_methods == 0) { + audit_failure(NewArgc, NewArgv, N_("no authentication methods")); + log_warningx(SLOG_SEND_MAIL, + N_("Unable to initialize authentication methods.")); + debug_return_int(-1); + } /* Get the password unless the auth function will do it for us */ if (standalone) { 
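Review bot: The new `if (num_methods == 0)` branch in `verify_user()` (`@@ -193,17 +208,52 @@`) leaves through `debug_return_int(-1)` after SIGTSTP has been set to SIG_DFL and SIGINT/SIGQUIT have been blocked, so it skips the restore that the `goto done` exits reach. A caller that keeps running after the -1 would do so with keyboard interrupts still blocked and the SIGTSTP disposition changed. Restoring before the return fixes it: `(void) sigaction(SIGTSTP, &saved_sigtstp, NULL);` and `(void) sigprocmask(SIG_SETMASK, &omask, NULL);`. The `done:` label and the remainder of the function are in the following hunk.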
@@ -221,25 +271,30 @@ continue; success = auth->status = (auth->verify)(pw, p, auth); - if (auth->status != AUTH_FAILURE) - goto done; + if (success != AUTH_FAILURE) + break; } if (!standalone) memset_s(p, SUDO_CONV_REPL_MAX, 0, strlen(p)); - pass_warn(); + + if (success != AUTH_FAILURE) + goto done; } done: + /* Restore signal handlers and signal mask. */ + (void) sigaction(SIGTSTP, &saved_sigtstp, NULL); + (void) sigprocmask(SIG_SETMASK, &omask, NULL); + switch (success) { case AUTH_SUCCESS: - (void) sigaction(SIGTSTP, &osa, NULL); rval = true; break; case AUTH_INTR: case AUTH_FAILURE: - if (counter != def_passwd_tries) + if (ntries != 0) validated |= FLAG_BAD_PASSWORD; - log_auth_failure(validated, def_passwd_tries - counter); + log_auth_failure(validated, ntries); rval = false; break; case AUTH_FATAL: @@ -310,26 +365,12 @@ debug_return_int(status == AUTH_FATAL ? -1 : 1); } -static void -pass_warn(void) -{ - const char *warning = def_badpass_message; - debug_decl(pass_warn, SUDO_DEBUG_AUTH) - -#ifdef INSULT - if (def_insults) - warning = INSULT; -#endif - sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", warning); - - debug_return; -} - char * auth_getpass(const char *prompt, int timeout, int type) { struct sudo_conv_message msg; struct sudo_conv_reply repl; + sigset_t mask, omask; debug_decl(auth_getpass, SUDO_DEBUG_AUTH) /* Mask user input if pwfeedback set and echo is off. */ @@ -340,7 +381,14 @@ if (def_visiblepw) type |= SUDO_CONV_PROMPT_ECHO_OK; - /* Call conversation function */ + /* Unblock SIGINT and SIGQUIT during password entry. */ + /* XXX - do in tgetpass() itself instead? */ + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + (void) sigprocmask(SIG_UNBLOCK, &mask, &omask); + + /* Call conversation function. */ memset(&msg, 0, sizeof(msg)); msg.msg_type = type; msg.timeout = def_passwd_timeout * 60; 
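Review bot: In the `@@ -221,25 +271,30 @@` hunk of `verify_user()`, replacing `goto done` with `break` inside the method loop is what lets `memset_s(p, ...)` run on the success and interrupt paths as well as on failure, but the code does not say so. A one-line comment at the `break` would keep a later cleanup from turning it back into a jump that skips the wipe: `/* break rather than goto done so the password buffer is cleared below */`. The loop header and the code that obtains `p` are outside the hunk.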
@@ -348,6 +396,10 @@ memset(&repl, 0, sizeof(repl)); sudo_conv(1, &msg, &repl); /* XXX - check for ENOTTY? */ + + /* Restore previous signal mask. */ + (void) sigprocmask(SIG_SETMASK, &omask, NULL); + debug_return_str_masked(repl.reply); } diff -urNa sudo-1.8.11/plugins/sudoers/env.c sudo-1.8.11p1/plugins/sudoers/env.c --- sudo-1.8.11/plugins/sudoers/env.c Tue Sep 23 10:40:17 2014 +++ sudo-1.8.11p1/plugins/sudoers/env.c Tue Oct 7 14:26:20 2014 @@ -170,6 +170,7 @@ "PYTHONUSERBASE", /* python, per user site-packages directory */ "RUBYLIB", /* ruby, library load path */ "RUBYOPT", /* ruby, extra command line options */ + "BASH_FUNC_*", /* new-style bash functions */ NULL }; @@ -676,7 +677,7 @@ } } sudo_debug_printf(SUDO_DEBUG_INFO, "keep %s: %s", - var, keepit ? "YES" : "NO"); + var, keepit == true ? "YES" : "NO"); debug_return_bool(keepit == true); } diff -urNa sudo-1.8.11/plugins/system_group/Makefile.in sudo-1.8.11p1/plugins/system_group/Makefile.in --- sudo-1.8.11/plugins/system_group/Makefile.in Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/plugins/system_group/Makefile.in Tue Oct 7 14:26:20 2014 @@ -47,7 +47,7 @@ # Flags to pass to the link stage LDFLAGS = @LDFLAGS@ -LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@ +LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDEXPORTS@ # PIE flags PIE_CFLAGS = @PIE_CFLAGS@ diff -urNa sudo-1.8.11/pp sudo-1.8.11p1/pp --- sudo-1.8.11/pp Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/pp Tue Oct 7 14:26:20 2014 @@ -1,6 +1,6 @@ #!/bin/sh # Copyright 2014 Quest Software, Inc. ALL RIGHTS RESERVED -pp_revision="20140711" +pp_revision="20140924" # Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED. # # Redistribution and use in source and binary forms, with or without @@ -1285,6 +1285,7 @@ #-- process the flags argument _flags= + _target= _optional=false _has_target=false _ignore=false 
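Review bot: The comment on the new `"BASH_FUNC_*"` entry in env.c (`@@ -170,6 +170,7 @@`) says only "new-style bash functions", which does not tell a maintainer why the pattern belongs in this list. Something like `/* bash exported functions, encoded as BASH_FUNC_name%% (or BASH_FUNC_name()) by patched bash */` would record the reason. The table's name and opening line are outside the hunk. From the neighbouring entries (`PYTHONUSERBASE`, `RUBYLIB`, `RUBYOPT`) it appears to be a list of variables treated as unsafe, which should be confirmed against the full file.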
@@ -5664,7 +5665,6 @@ pp_rpm_label "Vendor" "${pp_rpm_vendor:-$vendor}" >>$specfile pp_rpm_label "Packager" "$pp_rpm_packager" >>$specfile pp_rpm_label "Provides" "$pp_rpm_provides" >>$specfile - pp_rpm_label "Requires" "$pp_rpm_requires" >>$specfile test -n "$pp_rpm_serial" && pp_warn "pp_rpm_serial deprecated" if test -n "$pp_rpm_epoch"; then diff -urNa sudo-1.8.11/src/Makefile.in sudo-1.8.11p1/src/Makefile.in --- sudo-1.8.11/src/Makefile.in Tue Sep 23 10:40:17 2014 +++ sudo-1.8.11p1/src/Makefile.in Tue Oct 7 14:26:20 2014 @@ -28,7 +28,7 @@ # Compiler & tools to use CC = @CC@ -LIBTOOL = @LIBTOOL@ @LT_STATIC@ +LIBTOOL = @LIBTOOL@ --tag=disable-static SED = @SED@ # Our install program supports extra flags... diff -urNa sudo-1.8.11/src/preload.c sudo-1.8.11p1/src/preload.c --- sudo-1.8.11/src/preload.c Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/src/preload.c Tue Oct 7 14:26:20 2014 @@ -16,6 +16,7 @@ #include +#include #ifdef HAVE_GSS_KRB5_CCACHE_NAME # if defined(HAVE_GSSAPI_GSSAPI_KRB5_H) # include diff -urNa sudo-1.8.11/src/regress/ttyname/check_ttyname.c sudo-1.8.11p1/src/regress/ttyname/check_ttyname.c --- sudo-1.8.11/src/regress/ttyname/check_ttyname.c Tue Sep 23 10:40:15 2014 +++ sudo-1.8.11p1/src/regress/ttyname/check_ttyname.c Tue Oct 7 14:26:20 2014 
@@ -50,31 +50,32 @@ int main(int argc, char *argv[]) { - char *cp, *tty_libc = NULL, *tty_sudo; - int fd, rval = 1; + char *tty_libc = NULL, *tty_sudo; + int rval = 1; initprogname(argc > 0 ? argv[0] : "check_ttyname"); - /* Lookup tty name via sudo (using kernel info if possible). */ - if ((tty_sudo = get_process_ttyname()) == NULL) - tty_sudo = sudo_estrdup("none"); + /* Lookup tty name using kernel info if possible. */ + tty_sudo = get_process_ttyname(); - /* Lookup tty name via libc and compare to kernel tty. */ - for (fd = STDERR_FILENO; fd >= STDIN_FILENO; fd--) { - cp = ttyname(fd); - if (cp != NULL) { - if (tty_libc == NULL || strcmp(cp, tty_libc) != 0) { - sudo_efree(tty_libc); - tty_libc = sudo_estrdup(cp); - } - if (tty_sudo != NULL && strcmp(tty_libc, tty_sudo) == 0) { - rval = 0; - break; - } - } - } - if (tty_libc == NULL && tty_sudo == NULL) +#if defined(HAVE_STRUCT_KINFO_PROC2_P_TDEV) || \ + defined(HAVE_STRUCT_KINFO_PROC_P_TDEV) || \ + defined(HAVE_STRUCT_KINFO_PROC_KI_TDEV) || \ + defined(HAVE_STRUCT_KINFO_PROC_KP_EPROC_E_TDEV) || \ + defined(HAVE__TTYNAME_DEV) || defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || \ + defined(HAVE_PSTAT_GETPROC) || defined(__linux__) + + /* Lookup tty name attached to stdin via libc. */ + tty_libc = ttyname(STDIN_FILENO); +#endif + + /* Compare libc and kernel ttys. */ + if (tty_libc != NULL && tty_sudo != NULL) { + if (strcmp(tty_libc, tty_sudo) == 0) + rval = 0; + } else if (tty_libc == NULL && tty_sudo == NULL) { rval = 0; + } if (rval == 0) { printf("%s: OK (%s)\n", getprogname(), tty_sudo ? tty_sudo : "none"); 
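Review bot: The `#if defined(HAVE_STRUCT_KINFO_PROC2_P_TDEV) || ...` block added to `main()` in check_ttyname.c (`@@ -50,31 +50,32 @@`) has no comment saying what the listed feature macros have in common. A line such as `/* Only compare against libc when get_process_ttyname() can query the kernel for the tty. */` above the `#if` would explain why the libc lookup is skipped elsewhere. The list presumably has to track the conditionals in the implementation of `get_process_ttyname()`, which is not part of this hunk. Naming that file in the comment would help keep the two in sync.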
@@ -83,10 +84,9 @@ rval = 0; } else { printf("%s: FAIL %s (sudo) vs. %s (libc)\n", getprogname(), - tty_sudo ? tty_sudo : "none", tty_libc ? tty_sudo : "none"); + tty_sudo ? tty_sudo : "none", tty_libc ? tty_libc : "none"); } - sudo_efree(tty_libc); sudo_efree(tty_sudo); exit(rval); } diff -urNa sudo-1.8.11/src/sudo.c sudo-1.8.11p1/src/sudo.c --- sudo-1.8.11/src/sudo.c Tue Sep 23 10:40:17 2014 +++ sudo-1.8.11p1/src/sudo.c Tue Oct 7 14:26:20 2014 @@ -1000,8 +1000,9 @@ * Only change cwd if we have chroot()ed or the policy modules * specifies a different cwd. Must be done after uid change. */ - if (details->cwd) { - if (details->chroot || strcmp(details->cwd, user_details.cwd) != 0) { + if (details->cwd != NULL) { + if (details->chroot || user_details.cwd == NULL || + strcmp(details->cwd, user_details.cwd) != 0) { /* Note: cwd is relative to the new root, if any. */ if (chdir(details->cwd) != 0) { sudo_warn(U_("unable to change directory to %s"), details->cwd);
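Review bot: The block comment above the changed condition in sudo.c (`@@ -1000,8 +1000,9 @@`) still says the cwd is changed only after a chroot or when the policy specifies a different cwd, but the new `user_details.cwd == NULL` test adds a third case. I would extend it with a line like ` * or when the original cwd could not be determined (getcwd() failed).` so the comment matches the condition. The enclosing function begins and ends outside the hunk.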