This patch will upgrade Sudo version 1.8.21 to Sudo version 1.8.21 patchlevel 1. To apply: $ cd sudo-1.8.21 $ patch -p1 < sudo-1.8.21p1.patch
diff -urNa sudo-1.8.21/ChangeLog sudo-1.8.21p1/ChangeLog
--- sudo-1.8.21/ChangeLog Wed Aug 23 12:14:13 2017
+++ sudo-1.8.21p1/ChangeLog Fri Sep 1 14:15:24 2017
@@ -1,3 +1,65 @@
+2017-09-01 Todd C. Miller
+
+ * NEWS, configure, configure.ac:
+ Sudo 1.8.21p1
+ [7e6bf56cb06c]
+
+ * mkpkg:
+ The Fedora sudo package uses /etc/ldap.conf not /etc/sudo-ldap.conf.
+ [7b4e6f50e138]
+
+ * plugins/sudoers/ldap.c, plugins/sudoers/sssd.c:
+ The fix for matching when no sudoRunAsUser is present in a sudoRole
+ was incomplete. If no -g option was specified on the command line
+ but sudoRunAsGroup is present in a sudoRole, we need to treat the
+ group match as failed instead of missing.
+ [3aaeeebd924c]
+
+ * plugins/sudoers/check.c, plugins/sudoers/defaults.c:
+ Sprinkle a few more debugging printfs.
+ [f7a40f9985cf]
+
+ * plugins/sudoers/sudoreplay.c:
+ Fix replaying sessions that contain input logs. When the inter-
+ record timeout expires we need to read the next record if there is
+ nothing to output.
+ [443b329ddc60]
+
+ * doc/visudo.cat:
+ regen
+ [7ace4ac32116]
+
+ * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in:
+ Fix typo (Auguest vs. August). From David Pocock.
+ [98a792ff1c90]
+
+2017-08-31 Todd C. Miller
+
+ * plugins/sudoers/sudo_nss.c:
+ Go back to returning true from display_privs() on non-error. This
+ results in "sudo -U otheruser -l" exiting with a status of 0 even
+ when otheruser is not allowed to run commands. This is appropriate
+ since the "sudo -l" command was successful. This does not change the
+ exit value when otheruser runs "sudo -l" themselves, the exit status
+ will be 1 since that user is not allowed to run commands. Requested
+ by Radovan Sroka.
+ [055b78015fcb]
+
+ * plugins/sudoers/ldap.c:
+ Fix the pass2 ldap query string when no search filter is defined.
+ Due to the addition of "(sudoUser=*)" to the query we always need
+ the AND operator, even if no search filter is present.
+ [631243487d27]
+
+2017-08-29 Todd C. Miller
+
+ * src/exec_nopty.c:
+ Don't forward SIGINFO to the child when it is send by the kernel
+ (not another user process). 
This is consistent with the handling of
+ other keyboard-generated signals such as SIGINT, SIGQUIT and
+ SIGTSTP. Bug #796
+ [29603b0a4315]
+
 2017-08-23 Todd C. Miller
 * sudo.pp:
diff -urNa sudo-1.8.21/NEWS sudo-1.8.21p1/NEWS
--- sudo-1.8.21/NEWS Wed Aug 23 12:08:27 2017
+++ sudo-1.8.21p1/NEWS Fri Sep 1 14:13:13 2017
@@ -1,3 +1,30 @@
+What's new in Sudo 1.8.21p1
+
+ * On systems that support both PAM and SIGINFO, the main sudo
+ process will no longer forward SIGINFO to the command if the
+ signal was generated from the keyboard. The command will have
+ already received SIGINFO since it is part of the same process
+ group so there's no need for sudo to forward it. This is
+ consistent with the handling of SIGINT, SIGQUIT and SIGTSTP.
+ Bug #796
+
+ * If SUDOERS_SEARCH_FILTER in ldap.conf does not specify a value,
+ the LDAP search expression used when looking up netgroups and
+ non-Unix groups had a syntax error if a group plugin was not
+ specified.
+
+ * "sudo -U otheruser -l" will now have an exit value of 0 even
+ if "otheruser" has no sudo privileges. The exit value when a
+ user attempts to lists their own privileges or when a command
+ is specified is unchanged.
+
+ * Fixed a regression introduced in sudo 1.8.21 where sudoreplay
+ playback would hang for I/O logs that contain terminal input.
+
+ * Sudo 1.8.18 contained an incomplete fix for the matching of
+ entries in the LDAP and SSSD backends when a sudoRunAsGroup is
+ specified but no sudoRunAsUser is present in the sudoRole.
+
 What's new in Sudo 1.8.21
 * The path that sudo uses to search for terminal devices can now
diff -urNa sudo-1.8.21/configure sudo-1.8.21p1/configure
--- sudo-1.8.21/configure Wed Aug 23 12:10:32 2017
+++ sudo-1.8.21p1/configure Fri Sep 1 14:13:13 2017
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sudo 1.8.21.
+# Generated by GNU Autoconf 2.69 for sudo 1.8.21p1.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.8.21'
-PACKAGE_STRING='sudo 1.8.21'
+PACKAGE_VERSION='1.8.21p1'
+PACKAGE_STRING='sudo 1.8.21p1'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
@@ -1538,7 +1538,7 @@
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures sudo 1.8.21 to adapt to many kinds of systems.
+\`configure' configures sudo 1.8.21p1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1603,7 +1603,7 @@
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.8.21:";;
+ short | recursive ) echo "Configuration of sudo 1.8.21p1:";;
 esac
 cat <<\_ACEOF
@@ -1861,7 +1861,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-sudo configure 1.8.21
+sudo configure 1.8.21p1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2570,7 +2570,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.8.21, which was
+It was created by sudo $as_me 1.8.21p1, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 $ $0 $@
@@ -27005,7 +27005,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.8.21, which was
+This file was extended by sudo $as_me 1.8.21p1, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -27071,7 +27071,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.8.21
+sudo config.status 1.8.21p1
 configured by $0, generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff -urNa sudo-1.8.21/configure.ac sudo-1.8.21p1/configure.ac
--- sudo-1.8.21/configure.ac Wed Aug 23 12:08:34 2017
+++ sudo-1.8.21p1/configure.ac Fri Sep 1 14:13:13 2017
@@ -4,7 +4,7 @@
 dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller
 dnl
 AC_PREREQ([2.59])
-AC_INIT([sudo], [1.8.21], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.8.21p1], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADER([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 dnl
diff -urNa sudo-1.8.21/doc/sudo.cat sudo-1.8.21p1/doc/sudo.cat
--- sudo-1.8.21/doc/sudo.cat Wed Aug 23 12:07:29 2017
+++ sudo-1.8.21p1/doc/sudo.cat Fri Sep 1 14:13:13 2017
@@ -638,4 +638,4 @@
 file distributed with ssuuddoo or https://www.sudo.ws/license.html
 for complete details.
-Sudo 1.8.21 Auguest 2, 2017 Sudo 1.8.21
+Sudo 1.8.21 August 2, 2017 Sudo 1.8.21
diff -urNa sudo-1.8.21/doc/sudo.man.in sudo-1.8.21p1/doc/sudo.man.in
--- sudo-1.8.21/doc/sudo.man.in Wed Aug 23 12:07:29 2017
+++ sudo-1.8.21p1/doc/sudo.man.in Fri Sep 1 14:13:13 2017
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDO" "8" "Auguest 2, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "8" "August 2, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
diff -urNa sudo-1.8.21/doc/sudo.mdoc.in sudo-1.8.21p1/doc/sudo.mdoc.in
--- sudo-1.8.21/doc/sudo.mdoc.in Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p1/doc/sudo.mdoc.in Fri Sep 1 14:13:13 2017
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd Auguest 2, 2017
+.Dd August 2, 2017
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
diff -urNa sudo-1.8.21/doc/visudo.cat sudo-1.8.21p1/doc/visudo.cat
--- sudo-1.8.21/doc/visudo.cat Thu Jul 20 16:35:08 2017
+++ sudo-1.8.21p1/doc/visudo.cat Fri Sep 1 14:13:13 2017
@@ -212,4 +212,4 @@
 file distributed with ssuuddoo or https://www.sudo.ws/license.html
 for complete details.
-Sudo 1.8.20 February 22, 2017 Sudo 1.8.20
+Sudo 1.8.21 February 22, 2017 Sudo 1.8.21
diff -urNa sudo-1.8.21/mkpkg sudo-1.8.21p1/mkpkg
--- sudo-1.8.21/mkpkg Wed Aug 23 12:07:29 2017
+++ sudo-1.8.21p1/mkpkg Fri Sep 1 14:13:13 2017
@@ -169,7 +169,6 @@
 with_linux_audit=true
 with_pam_login=true
 with_sssd=true
- with_sudo_ldap_conf=true
 ;;
 esac
diff -urNa sudo-1.8.21/plugins/sudoers/check.c sudo-1.8.21p1/plugins/sudoers/check.c
--- sudo-1.8.21/plugins/sudoers/check.c Fri Jan 13 21:30:18 2017
+++ sudo-1.8.21p1/plugins/sudoers/check.c Fri Sep 1 14:13:13 2017
@@ -127,6 +127,8 @@
 ret = true;
 break;
 }
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: check user flag overrides time stamp", __func__);
 /* FALLTHROUGH */
 default:
@@ -192,6 +194,9 @@
 * If the user is not changing uid/gid, no need for a password.
 */
 if (!def_authenticate || user_is_exempt()) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
+ !def_authenticate ? "authentication disabled" :
+ "user exempt from authentication");
 ret = true;
 goto done;
 }
@@ -204,6 +209,8 @@
 if (runas_privs == NULL && runas_limitprivs == NULL)
 #endif
 {
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: user running command as self", __func__);
 ret = true;
 goto done;
 }
diff -urNa sudo-1.8.21/plugins/sudoers/defaults.c sudo-1.8.21p1/plugins/sudoers/defaults.c
--- sudo-1.8.21/plugins/sudoers/defaults.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p1/plugins/sudoers/defaults.c Fri Sep 1 14:13:13 2017
@@ -238,6 +238,9 @@
 int rc;
 debug_decl(parse_default_entry, SUDOERS_DEBUG_DEFAULTS)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s:%d %s=%s op=%d",
+ __func__, file, lineno, def->name, val ? val : "", op);
+
 /*
 * If no value specified, the boolean flag must be set for non-flags.
 * Only flags and tuples support boolean "true".
diff -urNa sudo-1.8.21/plugins/sudoers/ldap.c sudo-1.8.21p1/plugins/sudoers/ldap.c
--- sudo-1.8.21/plugins/sudoers/ldap.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p1/plugins/sudoers/ldap.c Fri Sep 1 14:13:13 2017
@@ -781,7 +781,7 @@
 }
 static int
-sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
+sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
 {
 struct berval **bv, **p;
 char *val;
@@ -793,9 +793,18 @@
 if (bv == NULL)
 bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
 if (bv == NULL) {
+ DPRINTF2("sudoRunAsUser: no result.");
+ if (*group_matched == UNSPEC) {
+ /* We haven't check for sudoRunAsGroup yet, check now. */
+ bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
+ if (bv != NULL) {
+ *group_matched = false;
+ ldap_value_free_len(bv);
+ }
+ }
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
 debug_return_int(UNSPEC);
- switch (group_matched) {
+ switch (*group_matched) {
 case UNSPEC:
 /*
 * No runas user or group entries. Match runas_default
@@ -875,6 +884,7 @@
 /* get the values from the entry */
 bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
 if (bv == NULL) {
+ DPRINTF2("sudoRunAsGroup: no result.");
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)) {
 if (runas_pw->pw_gid == runas_gr->gr_gid)
 ret = true; /* runas group matches passwd db */
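Review bot: The sudo_debug_printf() added to parse_default_entry guards `val` against NULL but hands `file` and `def->name` to `%s` unguarded; if any caller can pass a NULL file name (the parameter list is outside this hunk, so that cannot be confirmed here) the call is undefined behaviour. Guarding it the same way is free: `__func__, file ? file : "", lineno, def->name, val ? val : "", op);`. The `%d` for `lineno` assumes it is an int, which is also worth checking against the declaration.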
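Review bot: In sudo_ldap_check_runas_user (hunk @@ -793) the new sudoRunAsGroup lookup reuses `bv` and then frees it, so for the rest of the `bv == NULL` block `bv` is a dangling pointer rather than NULL; from the visible lines every path in that block appears to return, but a later edit that falls out of it would reach the function's normal `ldap_value_free_len(bv)` on freed memory. A separate local, or resetting after the free (`ldap_value_free_len(bv); bv = NULL;`), keeps the block's `bv == NULL` invariant honest. The same pattern with `val_array` appears in the sssd.c hunk at @@ -603. The added comment also has a typo; suggested wording: `/* We haven't checked for sudoRunAsGroup yet, check now. */`. The enclosing function continues past the hunk.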
@@ -912,7 +922,7 @@
 if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_ldap_check_runas_group(ld, entry);
- user_matched = sudo_ldap_check_runas_user(ld, entry, group_matched);
+ user_matched = sudo_ldap_check_runas_user(ld, entry, &group_matched);
 debug_return_bool(group_matched != false && user_matched != false);
 }
@@ -1847,12 +1857,10 @@
 ldap_conf.timed ? timebuffer : "",
 (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
 } else {
- len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
- (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
+ len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
 ldap_conf.search_filter ? ldap_conf.search_filter : "",
 query_netgroups ? "+" : "%:",
- ldap_conf.timed ? timebuffer : "",
- (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+ ldap_conf.timed ? timebuffer : "");
 }
 if (len == -1)
 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
diff -urNa sudo-1.8.21/plugins/sudoers/sssd.c sudo-1.8.21p1/plugins/sudoers/sssd.c
--- sudo-1.8.21/plugins/sudoers/sssd.c Wed May 10 09:38:43 2017
+++ sudo-1.8.21p1/plugins/sudoers/sssd.c Fri Sep 1 14:13:13 2017
@@ -583,7 +583,7 @@
 }
 static int
-sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
+sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int *group_matched)
 {
 const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
 const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
@@ -603,9 +603,17 @@
 break;
 case ENOENT:
 sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsUser: no result.");
+ if (*group_matched == UNSPEC) {
+ /* We haven't check for sudoRunAsGroup yet, check now. */
+ i = handle->fn_get_values(sss_rule, "sudoRunAsGroup", &val_array);
+ if (i == 0) {
+ *group_matched = false;
+ handle->fn_free_values(val_array);
+ }
+ }
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
 debug_return_int(UNSPEC);
- switch (group_matched) {
+ switch (*group_matched) {
 case UNSPEC:
 /*
 * No runas user or group entries. Match runas_default
@@ -755,7 +763,7 @@
 if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_sss_check_runas_group(handle, rule);
- user_matched = sudo_sss_check_runas_user(handle, rule, group_matched);
+ user_matched = sudo_sss_check_runas_user(handle, rule, &group_matched);
 debug_return_bool(group_matched != false && user_matched != false);
 }
diff -urNa sudo-1.8.21/plugins/sudoers/sudo_nss.c sudo-1.8.21p1/plugins/sudoers/sudo_nss.c
--- sudo-1.8.21/plugins/sudoers/sudo_nss.c Fri Jan 13 21:30:15 2017
+++ sudo-1.8.21p1/plugins/sudoers/sudo_nss.c Fri Sep 1 14:13:13 2017
@@ -268,8 +268,7 @@
 /*
 * Print out privileges for the specified user.
- * Returns true if the user is allowed to run commands, false if not
- * or -1 on error.
+ * Returns true on success or -1 on error.
 */
 int
 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
@@ -348,7 +347,7 @@
 sudo_lbuf_destroy(&defs);
 sudo_lbuf_destroy(&privs);
- debug_return_int(count > 0);
+ debug_return_int(true);
 bad:
 sudo_lbuf_destroy(&defs);
 sudo_lbuf_destroy(&privs);
diff -urNa sudo-1.8.21/plugins/sudoers/sudoreplay.c sudo-1.8.21p1/plugins/sudoers/sudoreplay.c
--- sudo-1.8.21/plugins/sudoers/sudoreplay.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p1/plugins/sudoers/sudoreplay.c Fri Sep 1 14:13:13 2017
@@ -806,6 +806,31 @@
 debug_return_int(0);
 }
+/*
+ * Read next timing record.
+ * Exits the event loop on EOF, breaks out on error.
+ */
+static void
+next_timing_record(struct replay_closure *closure)
+{
+ debug_decl(next_timing_record, SUDO_DEBUG_UTIL)
+
+ switch (read_timing_record(closure)) {
+ case 0:
+ /* success */
+ break;
+ case 1:
+ /* EOF */
+ sudo_ev_loopexit(closure->evbase);
+ break;
+ default:
+ /* error */
+ sudo_ev_loopbreak(closure->evbase);
+ break;
+ }
+ debug_return;
+}
+
 static bool
 fill_iobuf(struct replay_closure *closure)
 {
@@ -851,30 +876,20 @@
 const struct timing_closure *timing = &closure->timing;
 debug_decl(delay_cb, SUDO_DEBUG_UTIL)
- /* Delay done, read I/O log record or change window size. */
+ /* Check for window change event and resize as needed. */
 if (timing->idx == IOFD_TIMING) {
 resize_terminal(timing->u.winsize.rows, timing->u.winsize.cols);
- switch (read_timing_record(closure)) {
- case 0:
- /* success */
- break;
- case 1:
- /* EOF */
- sudo_ev_loopexit(closure->evbase);
- break;
- default:
- /* error */
- sudo_ev_loopbreak(closure->evbase);
- break;
- }
+ next_timing_record(closure);
 debug_return;
 }
- /* Even if we are not replaying, we still have to delay. */
- if (timing->idx >= IOFD_MAX || io_log_files[timing->idx].fd.v == NULL)
+ /* If we are not replaying this stream, just read the next record. */
+ if (timing->idx >= IOFD_MAX || !io_log_files[timing->idx].enabled) {
+ next_timing_record(closure);
 debug_return;
+ }
- /* Enable write event. */
+ /* We are replaying this strean, enable write event. */
 if (sudo_ev_add(closure->evbase, closure->output_ev, NULL, false) == -1)
 sudo_fatal(U_("unable to add event to queue"));
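Review bot: In delay_cb (hunk @@ -851) the new `!io_log_files[timing->idx].enabled` test replaces the `fd.v == NULL` check, so correctness now depends on `enabled` starting out true for every stream and being cleared whenever a stream is not open; this patch only clears it on open failure (hunk @@ -1046) and where it is initialised is not visible here, so a stream whose flag is stale would fall through to the sudo_ev_add() path below without an open fd. Worth confirming the initialisation, or keeping the fd check alongside the flag. The new comment also has a typo; suggested wording: `/* We are replaying this stream, enable write event. */`.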
@@ -1046,7 +1061,11 @@
 #else
 iol->fd.f = fopen(path, "r");
 #endif
- debug_return_int(iol->fd.v ? 0 : -1);
+ if (iol->fd.v == NULL) {
+ iol->enabled = false;
+ debug_return_int(-1);
+ }
+ debug_return_int(0);
 }
 /*
diff -urNa sudo-1.8.21/src/exec_nopty.c sudo-1.8.21p1/src/exec_nopty.c
--- sudo-1.8.21/src/exec_nopty.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p1/src/exec_nopty.c Fri Sep 1 14:13:13 2017
@@ -134,6 +134,9 @@
 sudo_ev_loopexit(ec->evbase);
 }
 debug_return;
+#ifdef SIGINFO
+ case SIGINFO:
+#endif
 case SIGINT:
 case SIGQUIT:
 case SIGTSTP:
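Review bot: The SIGINFO case added in exec_nopty.c (hunk @@ -134) joins the SIGINT/SIGQUIT/SIGTSTP group without a comment saying why, and the switch body that decides whether to forward the signal lies outside the hunk, so a reader of the switch has no local explanation. A comment above the `#ifdef SIGINFO`, for example `/* Keyboard-generated signals already reach the command's process group; only forward those sent by another process (Bug #796). */`, would tie the case to the NEWS entry. The NEWS text describes the behaviour for systems with both PAM and SIGINFO while the ChangeLog lists only src/exec_nopty.c, so it may be worth confirming the pty path needs no matching case or aligning the NEWS wording with the code.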