This patch will upgrade Sudo version 1.8.6 to Sudo version 1.8.6 patchlevel 1. To apply: $ cd sudo-1.8.6 $ patch -p1 < sudo-1.8.6p1.patch diff -urNa sudo-1.8.6/ChangeLog sudo-1.8.6p1/ChangeLog --- sudo-1.8.6/ChangeLog Tue Sep 4 09:13:26 2012 +++ sudo-1.8.6p1/ChangeLog Wed Sep 12 15:34:42 2012 @@ -1,4 +1,46 @@ +2012-09-12 Todd C. Miller + + * NEWS: + Mention support for SUCCESS=return in /etc/nsswitch.conf + [ef1f35aa0863] + + * NEWS, configure, configure.in: + sudo 1.8.6p1 + [73a5e1f004b3] + +2012-09-11 Todd C. Miller + + * plugins/sudoers/env.c: + Avoid setting LOGNAME, USER and USERNAME variables twice when + set_logname is enabled. + [0de4f5fbd1d4] + + * plugins/sudoers/env.c: + Fix duplicate detection in sudo_putenv(), do not prune out the + variable we just set when overwriting an existing instance. Fixes + bug #570 + [854ee714c831] + + * plugins/sudoers/env.c: + Add some debuggging + [a25cd3305823] + 2012-09-04 Todd C. Miller + + * plugins/sudoers/sudo_nss.c: + Disable word wrap in list mode when stdout is a pipe to make "sudo + -l | grep ..." more useful. Adapted from a diff by Daniel Kopecek. + [65ade04511fd] + + * common/lbuf.c: + Print a trailing newline in lbuf_print() when there is not enough + space to do word wrapping and the lbuf does not end with a newline. + [c0200e19cd09] + + * plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c: + Add support for [SUCCESS=return] in nsswitch.conf; from Daniel + Kopecek + [5c480316e3ce] * MANIFEST: Add sssd.c diff -urNa sudo-1.8.6/NEWS sudo-1.8.6p1/NEWS --- sudo-1.8.6/NEWS Tue Sep 4 09:11:23 2012 +++ sudo-1.8.6p1/NEWS Wed Sep 12 15:14:27 2012 
@@ -1,3 +1,11 @@ +What's new in Sudo 1.8.6p1? + + * Fixed the setting of LOGNAME, USER and USERNAME variables in the + command's environment when env_reset is enabled (the default). + This was a regression introduced in version 1.8.6. + + * Sudo now honors SUCCESS=return in /etc/nsswitch.conf. + What's new in Sudo 1.8.6? * Sudo is now built with the -fstack-protector flag if the the diff -urNa sudo-1.8.6/common/lbuf.c sudo-1.8.6p1/common/lbuf.c --- sudo-1.8.6/common/lbuf.c Mon Mar 12 14:02:02 2012 +++ sudo-1.8.6p1/common/lbuf.c Wed Sep 12 14:38:22 2012 @@ -247,8 +247,12 @@ /* For very small widths just give up... */ len = lbuf->continuation ? strlen(lbuf->continuation) : 0; if (lbuf->cols <= lbuf->indent + len + 20) { - lbuf->buf[lbuf->len] = '\0'; - lbuf->output(lbuf->buf); + if (lbuf->len > 0) { + lbuf->buf[lbuf->len] = '\0'; + lbuf->output(lbuf->buf); + if (lbuf->buf[lbuf->len - 1] != '\n') + lbuf->output("\n"); + } goto done; } diff -urNa sudo-1.8.6/configure sudo-1.8.6p1/configure --- sudo-1.8.6/configure Tue Sep 4 09:11:23 2012 +++ sudo-1.8.6p1/configure Wed Sep 12 14:39:40 2012 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.8.6. +# Generated by GNU Autoconf 2.68 for sudo 1.8.6p1. # # Report bugs to . # @@ -570,8 +570,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.6' -PACKAGE_STRING='sudo 1.8.6' +PACKAGE_VERSION='1.8.6p1' +PACKAGE_STRING='sudo 1.8.6p1' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1468,7 +1468,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.6 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.6p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1533,7 +1533,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.6:";; + short | recursive ) echo "Configuration of sudo 1.8.6p1:";; esac cat <<\_ACEOF @@ -1759,7 +1759,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.6 +sudo configure 1.8.6p1 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2463,7 +2463,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.6, which was +It was created by sudo $as_me 1.8.6p1, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -21495,7 +21495,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.6, which was +This file was extended by sudo $as_me 1.8.6p1, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21561,7 +21561,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.6 +sudo config.status 1.8.6p1 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.6/configure.in sudo-1.8.6p1/configure.in --- sudo-1.8.6/configure.in Tue Sep 4 09:11:23 2012 +++ sudo-1.8.6p1/configure.in Wed Sep 12 14:38:22 2012 
@@ -3,7 +3,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller dnl -AC_INIT([sudo], [1.8.6], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.6p1], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) dnl dnl Note: this must come after AC_INIT diff -urNa sudo-1.8.6/plugins/sudoers/env.c sudo-1.8.6p1/plugins/sudoers/env.c --- sudo-1.8.6/plugins/sudoers/env.c Tue Sep 4 09:10:41 2012 +++ sudo-1.8.6p1/plugins/sudoers/env.c Wed Sep 12 14:38:22 2012 @@ -324,15 +324,14 @@ break; } } - /* Prune out duplicate variables. */ + /* Prune out extra instances of the variable we just overwrote. */ if (found && overwrite) { - while (*ep != NULL) { + while (*++ep != NULL) { if (strncmp(str, *ep, len) == 0) { char **cur = ep; while ((*cur = *(cur + 1)) != NULL) cur++; - } else { - ep++; + ep--; } } env.env_len = ep - env.envp; @@ -360,6 +359,8 @@ int rval; debug_decl(sudo_putenv, SUDO_DEBUG_ENV) + sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_putenv: %s", str); + rval = sudo_putenv_nodebug(str, dupcheck, overwrite); if (rval == -1) { #ifdef ENV_DEBUG @@ -489,6 +490,8 @@ int rval; debug_decl(sudo_unsetenv, SUDO_DEBUG_ENV) + sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_unsetenv: %s", name); + rval = sudo_unsetenv_nodebug(name); debug_return_int(rval); @@ -527,6 +530,8 @@ char *val; debug_decl(sudo_getenv, SUDO_DEBUG_ENV) + sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_getenv: %s", name); + val = sudo_getenv_nodebug(name); debug_return_str(val); @@ -658,6 +663,9 @@ delete_it = matches_env_delete(var); if (!delete_it) delete_it = matches_env_check(var) == false; + + sudo_debug_printf(SUDO_DEBUG_INFO, "delete %s: %s", + var, delete_it ? "YES" : "NO"); debug_return_bool(delete_it); } @@ -675,6 +683,8 @@ if (keepit == -1) keepit = matches_env_keep(var); + sudo_debug_printf(SUDO_DEBUG_INFO, "keep %s: %s", + var, keepit ? "YES" : "NO"); debug_return_bool(keepit == true); } 
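Review bot: In the `found && overwrite` block of the first env.c hunk, the `ep--` after the inner shift loop is correct only because the loop condition `*++ep` then lands back on the slot that just received the shifted-down entry, and nothing in the code says so. This loop is what leaves a single instance of the variable in the command's environment, which matters because consumers differ on whether they honor the first or the last duplicate. The invariant deserves a comment before `ep--;`, for example `/* Stay on this slot: ++ep above re-tests the entry just shifted into it. */`. A regression test with two adjacent extra copies of the same name would pin the case this line handles. The enclosing function begins and ends outside the hunk.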
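Review bot: `sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_putenv: %s", str)` logs the whole string, and `str` looks like a full `NAME=value` entry (the same pointer goes to sudo_putenv_nodebug(), where the earlier hunk compares it against envp entries), so variable values, which often hold tokens or passwords, would be written to the debug log. The `delete %s` and `keep %s` messages in the two later env.c hunks print `var` the same way and presumably have the same exposure; the sudo_unsetenv and sudo_getenv messages take only a name. Logging just the name keeps the trace useful: `sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_putenv: %.*s", (int)strcspn(str, "="), str);`. All five functions start outside their hunks.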
@@ -825,12 +835,15 @@ } else { if (!ISSET(didvar, DID_SHELL)) sudo_setenv2("SHELL", sudo_user.pw->pw_shell, false, true); - if (!ISSET(didvar, DID_LOGNAME)) - sudo_setenv2("LOGNAME", user_name, false, true); - if (!ISSET(didvar, DID_USER)) - sudo_setenv2("USER", user_name, false, true); - if (!ISSET(didvar, DID_USERNAME)) - sudo_setenv2("USERNAME", user_name, false, true); + /* We will set LOGNAME later in the !def_set_logname case. */ + if (!def_set_logname) { + if (!ISSET(didvar, DID_LOGNAME)) + sudo_setenv2("LOGNAME", user_name, false, true); + if (!ISSET(didvar, DID_USER)) + sudo_setenv2("USER", user_name, false, true); + if (!ISSET(didvar, DID_USERNAME)) + sudo_setenv2("USERNAME", user_name, false, true); + } } /* If we didn't keep HOME, reset it based on target user. */ @@ -882,8 +895,8 @@ /* * Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is not * disabled. We skip this if we are running a login shell (because - * they have already been set them) or sudoedit (because we want the - * editor to find the user's startup files). + * they have already been set) or sudoedit (because we want the editor + * to find the invoking user's startup files). */ if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL|MODE_EDIT)) { if (!ISSET(didvar, KEPT_LOGNAME)) diff -urNa sudo-1.8.6/plugins/sudoers/sudo_nss.c sudo-1.8.6p1/plugins/sudoers/sudo_nss.c --- sudo-1.8.6/plugins/sudoers/sudo_nss.c Tue Sep 4 09:10:41 2012 +++ sudo-1.8.6p1/plugins/sudoers/sudo_nss.c Wed Sep 12 14:38:23 2012 @@ -18,6 +18,8 @@ #include #include +#include + #include #ifdef STDC_HEADERS # include @@ -99,6 +101,10 @@ /* NOTFOUND affects the most recent entry */ tq_last(&snl)->ret_if_notfound = true; got_match = false; + } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) { + /* SUCCESS affects the most recent entry */ + tq_last(&snl)->ret_if_found = true; + got_match = false; } else got_match = false; } 
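Review bot: The new comment `/* We will set LOGNAME later in the !def_set_logname case. */` states the opposite of what the code does: the block it introduces runs when `!def_set_logname`, and the later block (next hunk) runs when `def_set_logname` is set, so it should read `/* We will set LOGNAME later in the def_set_logname case. */`. That later block is also skipped when `sudo_mode` has MODE_LOGIN_SHELL or MODE_EDIT; from these two hunks alone, a run with set_logname enabled and MODE_EDIT set appears to reach neither assignment, leaving LOGNAME, USER and USERNAME to whatever was kept from the invoking environment. If that is not intended, the guard could be `if (!def_set_logname || ISSET(sudo_mode, MODE_EDIT)) {`. The function body extends beyond both hunks, so this needs checking against the full environment-rebuild path.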
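Review bot: In the sudo_nss.c parsing hunk, a token that is not spelled exactly `[SUCCESS=return]`, or that arrives when `got_match` is false, falls through to the final `else got_match = false;` with no diagnostic, as far as this hunk shows. nsswitch.conf decides which sudoers source is consulted and where the lookup stops, so a silently ignored action (a spacing variant, or an unsupported status or action) leaves the lookup order different from what the administrator wrote. Consider emitting a warning for an unrecognized token that starts with `[`, and add a comment next to this branch stating that only the NOTFOUND and SUCCESS return actions are honored. The parsing loop begins outside the hunk.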
@@ -257,11 +263,15 @@ { struct sudo_nss *nss; struct lbuf defs, privs; - int count, olen; + struct stat sb; + int cols, count, olen; debug_decl(display_privs, SUDO_DEBUG_NSS) - lbuf_init(&defs, output, 4, NULL, sudo_user.cols); - lbuf_init(&privs, output, 4, NULL, sudo_user.cols); + cols = sudo_user.cols; + if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) + cols = 0; + lbuf_init(&defs, output, 4, NULL, cols); + lbuf_init(&privs, output, 4, NULL, cols); /* Display defaults from all sources. */ lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), diff -urNa sudo-1.8.6/plugins/sudoers/sudoers.c sudo-1.8.6p1/plugins/sudoers/sudoers.c --- sudo-1.8.6/plugins/sudoers/sudoers.c Tue Sep 4 09:10:41 2012 +++ sudo-1.8.6p1/plugins/sudoers/sudoers.c Wed Sep 12 14:38:23 2012 @@ -393,7 +393,7 @@ validated = nss->lookup(nss, validated, pwflag); if (ISSET(validated, VALIDATE_OK)) { - /* Handle "= auth" in netsvc.conf */ + /* Handle [SUCCESS=return] */ if (nss->ret_if_found) break; } else {
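Review bot: `cols = 0` in display_privs() is a magic value: nothing at this site says that a zero width is what sends lbuf_print() down its no-wrap path (the `lbuf->cols <= lbuf->indent + len + 20` test touched by the common/lbuf.c hunk of this patch). A comment would tie the two together, for example `/* cols == 0 makes lbuf_print() give up on wrapping; used when stdout is a pipe. */`. The check also covers only FIFOs, so output redirected to a regular file still wraps at `sudo_user.cols`; if that is not intended, testing `!isatty(STDOUT_FILENO)` would cover both cases. display_privs() continues past the end of the hunk.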