This patch will upgrade Sudo version 1.8.4 patchlevel 1 to Sudo version 1.8.4 patchlevel 2. To apply: $ cd sudo-1.8.4p1 $ patch -p1 < sudo-1.8.4p2.patch diff -urNa sudo-1.8.4p1/ChangeLog sudo-1.8.4p2/ChangeLog --- sudo-1.8.4p1/ChangeLog Tue Feb 21 05:25:58 2012 +++ sudo-1.8.4p2/ChangeLog Mon Feb 27 14:59:37 2012 @@ -1,8 +1,42 @@ +2012-02-27 Todd C. Miller + + * NEWS, configure, configure.in: + bump version to 1.8.4p2 + [db564e1c02cf] [tip] <1.8> + + * src/exec_pty.c: + Fix typo in safe_close() made while converting to debug framework + that prevented it from actually closing anything. + [833a8ce346d2] <1.8> + + * common/Makefile.in, compat/Makefile.in, doc/Makefile.in, + include/Makefile.in: + We need sysconfdir in compat/Makfile to get the proper sudo.conf + path. Add standard prefix and foodir expansion in all Makefiles to + avoid this problem in the future. + [ce1caa89c24d] <1.8> + +2012-02-24 Todd C. Miller + + * plugins/sudoers/ldap.c: + When adding gids to the LDAP filter, only add the primary gid once. + This is consistent with the space computation/allocation. From Eric + Lakin + [229db740f035] <1.8> + + * doc/TROUBLESHOOTING: + Add entry for AIX enhanced RBAC config. + [24f1e176e398] <1.8> + + * mkpkg: + Target Mac OS X 10.5 when building packages. + [7b296251013d] <1.8> + 2012-02-21 Todd C. Miller * .hgtags: Added tag SUDO_1_8_4p1 for changeset aeb6b9701150 - [26bc7af7c304] [tip] <1.8> + [26bc7af7c304] <1.8> * NEWS: List 1.8.4p1 diff -urNa sudo-1.8.4p1/NEWS sudo-1.8.4p2/NEWS --- sudo-1.8.4p1/NEWS Tue Feb 21 05:25:10 2012 +++ sudo-1.8.4p2/NEWS Mon Feb 27 14:57:34 2012 
@@ -1,3 +1,14 @@ +What's new in Sudo 1.8.4p2? + + * Fixed a bug introduced in Sudo 1.8.4 where insufficient space + was allocated for group IDs in the LDAP filter. + + * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf + was "/sudo.conf" instead of "/etc/sudo.conf". + + * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang + when I/O logging is enabled and input is from a pipe or file. + What's new in Sudo 1.8.4p1? * Fixed a bug introduced in sudo 1.8.4 that broke adding to or diff -urNa sudo-1.8.4p1/common/Makefile.in sudo-1.8.4p2/common/Makefile.in --- sudo-1.8.4p1/common/Makefile.in Mon Feb 6 16:01:58 2012 +++ sudo-1.8.4p2/common/Makefile.in Mon Feb 27 14:45:08 2012 @@ -25,6 +25,16 @@ top_srcdir = @top_srcdir@ incdir = $(top_srcdir)/include +# Where to install things... +prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ +datarootdir = @datarootdir@ +localstatedir = @localstatedir@ + # Compiler & tools to use CC = @CC@ LIBTOOL = @LIBTOOL@ diff -urNa sudo-1.8.4p1/compat/Makefile.in sudo-1.8.4p2/compat/Makefile.in --- sudo-1.8.4p1/compat/Makefile.in Tue Jan 17 10:28:14 2012 +++ sudo-1.8.4p2/compat/Makefile.in Mon Feb 27 14:45:08 2012 @@ -25,6 +25,16 @@ top_srcdir = @top_srcdir@ incdir = $(top_srcdir)/include +# Where to install things... +prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ +datarootdir = @datarootdir@ +localstatedir = @localstatedir@ + # Compiler & tools to use CC = @CC@ LIBTOOL = @LIBTOOL@ diff -urNa sudo-1.8.4p1/configure sudo-1.8.4p2/configure --- sudo-1.8.4p1/configure Tue Feb 21 05:17:59 2012 +++ sudo-1.8.4p2/configure Mon Feb 27 14:46:52 2012 
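Review bot: The install-directory block added after `incdir` in common/Makefile.in is copied by hand into compat/Makefile.in here and extended the same way in doc/ and include/Makefile.in, and nothing guards against one of these variables being missing. make expands an undefined variable to the empty string without complaint, which, going by the ChangeLog and NEWS entries, is how the sudo.conf path became `/sudo.conf`. Because that path decides which configuration file a privileged program reads, a build-time check that the expanded path is not rooted at an empty prefix would be worthwhile. The rule that consumes `$(sysconfdir)` is outside these hunks, so the check belongs there rather than on these lines. A comment above the block such as `# Keep this list identical in every Makefile.in: an unset dir expands to "" and yields paths like /sudo.conf` would record why the duplication exists.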
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.8.4p1. +# Generated by GNU Autoconf 2.68 for sudo 1.8.4p2. # # Report bugs to . # @@ -570,8 +570,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.4p1' -PACKAGE_STRING='sudo 1.8.4p1' +PACKAGE_VERSION='1.8.4p2' +PACKAGE_STRING='sudo 1.8.4p2' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1447,7 +1447,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.4p1 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.4p2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1512,7 +1512,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.4p1:";; + short | recursive ) echo "Configuration of sudo 1.8.4p2:";; esac cat <<\_ACEOF @@ -1730,7 +1730,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.4p1 +sudo configure 1.8.4p2 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2434,7 +2434,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.4p1, which was +It was created by sudo $as_me 1.8.4p2, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -20506,7 +20506,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.4p1, which was +This file was extended by sudo $as_me 1.8.4p2, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -20572,7 +20572,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.4p1 +sudo config.status 1.8.4p2 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.4p1/configure.in sudo-1.8.4p2/configure.in --- sudo-1.8.4p1/configure.in Tue Feb 21 05:17:48 2012 +++ sudo-1.8.4p2/configure.in Mon Feb 27 14:46:46 2012 @@ -3,7 +3,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller dnl -AC_INIT([sudo], [1.8.4p1], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.4p2], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) dnl dnl Note: this must come after AC_INIT diff -urNa sudo-1.8.4p1/doc/Makefile.in sudo-1.8.4p2/doc/Makefile.in --- sudo-1.8.4p1/doc/Makefile.in Thu Feb 9 11:20:22 2012 +++ sudo-1.8.4p2/doc/Makefile.in Mon Feb 27 14:45:08 2012 @@ -32,6 +32,11 @@ # Where to install things... prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ datarootdir = @datarootdir@ localstatedir = @localstatedir@ mandir = @mandir@ diff -urNa sudo-1.8.4p1/doc/TROUBLESHOOTING sudo-1.8.4p2/doc/TROUBLESHOOTING --- sudo-1.8.4p1/doc/TROUBLESHOOTING Wed Jan 4 12:47:41 2012 +++ sudo-1.8.4p2/doc/TROUBLESHOOTING Fri Feb 24 17:31:05 2012 
@@ -202,6 +202,17 @@ Alternately, if you do not mind your password being echoed to the screen, you can use the "visiblepw" sudoers option to allow this. +Q) When I run sudo on AIX I get the following error: + setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted. +A) AIX's Enhanced RBAC is preventing sudo from running. To fix + this, add the following entry to /etc/security/privcmds (adjust + the path to sudo as needed) and run the setkst command as root: + + /usr/local/bin/sudo: + accessauths = ALLOW_ALL + innateprivs = PV_DAC_UID,PV_DAC_GID + secflags = FSF_EPS + Q) How do you pronounce `sudo'? A) The official pronunciation is soo-doo (for su "do"). However, an alternate pronunciation, a homophone of "pseudo", is also common. diff -urNa sudo-1.8.4p1/include/Makefile.in sudo-1.8.4p2/include/Makefile.in --- sudo-1.8.4p1/include/Makefile.in Thu Feb 9 11:20:22 2012 +++ sudo-1.8.4p2/include/Makefile.in Mon Feb 27 14:45:08 2012 @@ -29,6 +29,11 @@ # Where to install things... prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ datarootdir = @datarootdir@ localstatedir = @localstatedir@ diff -urNa sudo-1.8.4p1/mkpkg sudo-1.8.4p2/mkpkg --- sudo-1.8.4p1/mkpkg Tue Feb 7 11:50:46 2012 +++ sudo-1.8.4p2/mkpkg Fri Feb 24 17:30:23 2012 
@@ -227,9 +227,11 @@ $configure_opts" ;; macos*) - # Build universal binaries, curently intel-only - export CFLAGS="-O2 -g -arch i386 -arch x86_64" - export LDFLAGS="-arch i386 -arch x86_64" + # Build universal binaries (intel-only) targetting Mac OS X 10.5 + ARCH_FLAGS="-arch i386 -arch x86_64" + SDK_FLAGS="-isysroot /Developer/SDKs/MacOSX10.5.sdk -mmacosx-version-min=10.5" + export CFLAGS="-O2 -g $ARCH_FLAGS $SDK_FLAGS" + export LDFLAGS="$ARCH_FLAGS $SDK_FLAGS" # Note, must indent with tabs, not spaces due to IFS trickery configure_opts="--prefix=$prefix --with-pam diff -urNa sudo-1.8.4p1/plugins/sudoers/ldap.c sudo-1.8.4p2/plugins/sudoers/ldap.c --- sudo-1.8.4p1/plugins/sudoers/ldap.c Wed Jan 4 12:56:29 2012 +++ sudo-1.8.4p2/plugins/sudoers/ldap.c Fri Feb 24 17:31:12 2012 @@ -1166,6 +1166,8 @@ (void) strlcat(buf, ")", sz); } for (i = 0; i < grlist->ngids; i++) { + if (pw->pw_gid == grlist->gids[i]) + continue; (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)grlist->gids[i]); (void) strlcat(buf, "(sudoUser=%#", sz); diff -urNa sudo-1.8.4p1/src/exec_pty.c sudo-1.8.4p2/src/exec_pty.c --- sudo-1.8.4p1/src/exec_pty.c Wed Jan 25 14:58:28 2012 +++ sudo-1.8.4p2/src/exec_pty.c Mon Feb 27 14:46:29 2012 @@ -1251,5 +1251,5 @@ errno = EINVAL; return -1; } - debug_return_int(fd); + debug_return_int(close(fd)); }
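Review bot: The SDK location in `SDK_FLAGS` is hard-coded to `/Developer/SDKs/MacOSX10.5.sdk` and never checked, so on a build host without that SDK the problem only surfaces later as compiler or linker errors instead of a clear message. A guard before the two exports, `test -d /Developer/SDKs/MacOSX10.5.sdk || { echo "MacOSX10.5 SDK not found" 1>&2; exit 1; }`, would fail early and make it obvious that the release packages depend on that SDK. The new comment also has a typo: `targetting` should be `targeting`. The `macos*)` case continues outside the hunk.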
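Review bot: The `strlcat()` calls in this loop still discard their result (`(void) strlcat(buf, "(sudoUser=%#", sz);`), so if the size computation and the filter construction disagree again, the filter is silently truncated and the LDAP query runs with a filter other than the intended one. The added `pw->pw_gid` skip has to mirror a condition in the sizing code, which is outside this hunk, so the two places can drift apart. Checking the result, e.g. `if (strlcat(buf, "(sudoUser=%#", sz) >= sz)` followed by failing the lookup, would turn a future mismatch into an error rather than a wrong sudoers match. A comment on the skip such as `/* primary gid is handled separately; the space computation skips it too */` would tie the two together. The enclosing function starts and ends outside the hunk.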
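Review bot: `debug_return_int(close(fd));` places the call with the side effect inside a macro argument, so it is correct only if the macro evaluates its argument exactly once and its logging leaves `errno` from a failed `close()` intact; the macro's definition is not visible here. Splitting it into `int rval = close(fd);` followed by `debug_return_int(rval);` makes the single close explicit and would have made the original typo easier to spot. Since the previous version returned without closing anything, descriptors handed to this function stayed open, so it is worth confirming that callers which rely on the close (and on the `-1`/`EINVAL` path just above) behave as expected. The function begins outside the hunk.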