This patch will upgrade Sudo version 1.8.3 to Sudo version 1.8.3 patchlevel 1. To apply: $ cd sudo-1.8.3 $ patch -p1 < sudo-1.8.3p1.patch diff -urNa sudo-1.8.3/ChangeLog sudo-1.8.3p1/ChangeLog --- sudo-1.8.3/ChangeLog Fri Oct 21 09:21:35 2011 +++ sudo-1.8.3p1/ChangeLog Tue Oct 25 15:15:38 2011 @@ -1,8 +1,25 @@ +2011-10-25 Todd C. Miller + + * plugins/sudoers/Makefile.in: + check_addr needs to link with the network libraries on Solaris + [322bd70e316e] + + * plugins/sudoers/match.c: + When matching a RunasAlias for a runas group, pass the alias in as + the group_list, not the user_list. From Daniel Kopecek. + [766545edf141] + + * plugins/sudoers/check.c, plugins/sudoers/sudoers.c: + We need to init the auth system regardless of whether we need a + password since we will be closing the PAM session in the monitor + process. Fixes a crash in the monitor on Solaris; bugzilla #518 + [e82809f86fb3] + 2011-10-21 Todd C. Miller * .hgtags: Added tag SUDO_1_8_3 for changeset 82bec4d3a203 - [6c953ef6f577] [tip] <1.8> + [6c953ef6f577] <1.8> * Update Japanese sudoers translation from translationproject.org [82bec4d3a203] [SUDO_1_8_3] <1.8> diff -urNa sudo-1.8.3/NEWS sudo-1.8.3p1/NEWS --- sudo-1.8.3/NEWS Fri Oct 21 09:01:41 2011 +++ sudo-1.8.3p1/NEWS Tue Oct 25 14:58:26 2011 @@ -1,3 +1,11 @@ +What's new in Sudo 1.8.3p1? + + * Fixed a crash in the monitor process on Solaris when NOPASSWD + was specified or when authentication was disabled. + + * Fixed matching of a Runas_Alias in the group section of a + Runas_Spec. + What's new in Sudo 1.8.3? * Fixed expansion of strftime() escape sequences in the "log_dir" diff -urNa sudo-1.8.3/configure sudo-1.8.3p1/configure --- sudo-1.8.3/configure Fri Oct 21 09:01:41 2011 +++ sudo-1.8.3p1/configure Tue Oct 25 10:11:54 2011 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.8.3. +# Generated by GNU Autoconf 2.68 for sudo 1.8.3p1. # # Report bugs to . # 
@@ -570,8 +570,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.3' -PACKAGE_STRING='sudo 1.8.3' +PACKAGE_VERSION='1.8.3p1' +PACKAGE_STRING='sudo 1.8.3p1' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1446,7 +1446,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.3 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.3p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1511,7 +1511,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.3:";; + short | recursive ) echo "Configuration of sudo 1.8.3p1:";; esac cat <<\_ACEOF @@ -1728,7 +1728,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.3 +sudo configure 1.8.3p1 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2432,7 +2432,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.3, which was +It was created by sudo $as_me 1.8.3p1, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -20615,7 +20615,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.3, which was +This file was extended by sudo $as_me 1.8.3p1, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -20681,7 +20681,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.3 +sudo config.status 1.8.3p1 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.3/configure.in sudo-1.8.3p1/configure.in --- sudo-1.8.3/configure.in Fri Oct 21 09:01:41 2011 +++ sudo-1.8.3p1/configure.in Tue Oct 25 10:11:40 2011 @@ -3,7 +3,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller dnl -AC_INIT([sudo], [1.8.3], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.3p1], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) dnl dnl Note: this must come after AC_INIT diff -urNa sudo-1.8.3/plugins/sudoers/Makefile.in sudo-1.8.3p1/plugins/sudoers/Makefile.in --- sudo-1.8.3/plugins/sudoers/Makefile.in Fri Oct 21 09:01:25 2011 +++ sudo-1.8.3p1/plugins/sudoers/Makefile.in Tue Oct 25 14:55:00 2011 @@ -174,7 +174,7 @@ $(LIBTOOL) --mode=link $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS) @LIBDL@ check_addr: $(CHECK_ADDR_OBJS) $(LT_LIBS) - $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(LIBS) + $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS) check_iolog_path: $(CHECK_IOLOG_PATH_OBJS) $(LT_LIBS) $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(LIBS) diff -urNa sudo-1.8.3/plugins/sudoers/check.c sudo-1.8.3p1/plugins/sudoers/check.c --- sudo-1.8.3/plugins/sudoers/check.c Fri Oct 21 09:01:25 2011 +++ sudo-1.8.3p1/plugins/sudoers/check.c Tue Oct 25 10:08:12 2011 
@@ -104,7 +104,36 @@ char *prompt; struct stat sb; int status, rval = TRUE; + int need_pass = def_authenticate; + /* + * Init authentication system regardless of whether we need a password. + * Required for proper PAM session support. + */ + auth_pw = get_authpw(); + if (sudo_auth_init(auth_pw) == -1) { + rval = -1; + goto done; + } + + if (need_pass) { + /* Always need a password when -k was specified with the command. */ + if (ISSET(mode, MODE_IGNORE_TICKET)) { + SET(validated, FLAG_CHECK_USER); + } else { + /* + * Don't prompt for the root passwd or if the user is exempt. + * If the user is not changing uid/gid, no need for a password. + */ + if (user_uid == 0 || (user_uid == runas_pw->pw_uid && + (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) + || user_is_exempt()) + need_pass = FALSE; + } + } + if (!need_pass) + goto done; + /* Stash the tty's ctime for tty ticket comparison. */ if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) { tty_info.dev = sb.st_dev; 
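Review bot: The `sudo_auth_init()` failure path (`rval = -1; goto done;`) now sits ahead of the `need_pass` decision, and with the sudoers.c change in this patch check_user() is also entered when `def_authenticate` is off, so a failing auth backend now rejects commands that need no password at all. That is a reasonable fail-closed choice, but the new comment mentions only PAM session support; I would extend it with something like `/* An init failure is fatal even when no password is required. */`. `int need_pass = def_authenticate;` is also now the only place where the "authentication disabled" setting is honoured, which deserves a one-line comment on that declaration. The function starts and ends outside this hunk, so what the `done` label cleans up after a failed init cannot be checked from here.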
@@ -112,27 +141,6 @@ tty_info.rdev = sb.st_rdev; if (tty_is_devpts(user_ttypath)) ctim_get(&sb, &tty_info.ctime); - } - - /* Init authentication system regardless of whether we need a password. */ - auth_pw = get_authpw(); - if (sudo_auth_init(auth_pw) == -1) { - rval = -1; - goto done; - } - - /* Always prompt for a password when -k was specified with the command. */ - if (ISSET(mode, MODE_IGNORE_TICKET)) { - SET(validated, FLAG_CHECK_USER); - } else { - /* - * Don't prompt for the root passwd or if the user is exempt. - * If the user is not changing uid/gid, no need for a password. - */ - if (user_uid == 0 || (user_uid == runas_pw->pw_uid && - (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || - user_is_exempt()) - goto done; } if (build_timestamp(×tampdir, ×tampfile) == -1) { diff -urNa sudo-1.8.3/plugins/sudoers/match.c sudo-1.8.3p1/plugins/sudoers/match.c --- sudo-1.8.3/plugins/sudoers/match.c Fri Oct 21 09:01:25 2011 +++ sudo-1.8.3p1/plugins/sudoers/match.c Tue Oct 25 11:10:17 2011 @@ -209,7 +209,7 @@ break; case ALIAS: if ((a = alias_find(m->name, RUNASALIAS)) != NULL) { - rval = _runaslist_matches(&a->members, &empty); + rval = _runaslist_matches(&empty, &a->members); if (rval != UNSPEC) group_matched = m->negated ? !rval : rval; break; diff -urNa sudo-1.8.3/plugins/sudoers/sudoers.c sudo-1.8.3p1/plugins/sudoers/sudoers.c --- sudo-1.8.3/plugins/sudoers/sudoers.c Fri Oct 21 09:01:26 2011 +++ sudo-1.8.3p1/plugins/sudoers/sudoers.c Tue Oct 25 10:08:12 2011 @@ -433,13 +433,9 @@ rebuild_env(); /* Require a password if sudoers says so. */ - if (def_authenticate) { - int rc = check_user(validated, sudo_mode); - if (rc != TRUE) { - rval = rc; - goto done; - } - } + rval = check_user(validated, sudo_mode); + if (rval != TRUE) + goto done; /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ /* XXX - causes confusion when root is not listed in sudoers */
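Review bot: Nothing at the `_runaslist_matches(&empty, &a->members)` call site says which argument is the user list and which is the group list, and since the swapped order compiled before this fix, the compiler evidently cannot tell the two apart. The old order evaluated a group-section Runas_Alias against the user list, which changes who may run commands as which group, so a comment such as `/* group alias: user_list stays empty, members are the group_list */` above the call is worth adding. A sudoers regression case with a Runas_Alias in the group part of a Runas_Spec would keep this from coming back; none is visible in this patch. The surrounding switch begins and ends outside the hunk.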
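Review bot: `rval = check_user(validated, sudo_mode);` now overwrites `rval` with TRUE on success, where the old code kept the result in a local `rc` and touched `rval` only on failure. If `rval` is initialised to a failure value and any later path reaches `done` without assigning it, that path would now report success; the declaration and the rest of the function are outside this hunk, so this needs checking against the full file. The comment above the call is also stale, because the call no longer depends on `def_authenticate`; something like `/* Always call check_user(): it initialises the auth system and decides itself whether a password is required. */` matches the new behaviour.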