This patch will upgrade Sudo version 1.9.3 to Sudo version 1.9.3 patchlevel 1. To apply: $ cd sudo-1.9.3 $ patch -p1 < sudo-1.9.3p1.patch diff -urNa sudo-1.9.3/ChangeLog sudo-1.9.3p1/ChangeLog --- sudo-1.9.3/ChangeLog Mon Sep 21 08:20:32 2020 +++ sudo-1.9.3p1/ChangeLog Wed Sep 23 12:47:13 2020 @@ -1,8 +1,49 @@ +2020-09-23 Todd C. Miller + + * .hgtags: + Added tag SUDO_1_9_3p1 for changeset 02c47b39359e + [23bf4d95356d] [tip] <1.9> + + * merge sudo 1.9.3p1 from tip + [02c47b39359e] [SUDO_1_9_3p1] <1.9> + + * plugins/sudoers/sudoers.c: + Fix potential NULL deref in debug code. + [c6b8910ac7dc] + + * plugins/sudoers/getspwuid.c: + Close the passwd db before calling getpwnam_shadow(3). Otherwise, we + will get the non-shadow passwd entry ("*") since we called + setpassent(3) earlier to keep the passwd db open. + [71ee5e16e4c5] + + * configure, configure.ac: + Fix configure test for crypt(3) when it is present in libc. Fixes a + regression introduced in sudo 1.9.3. + [0d77733de667] + + * plugins/sudoers/audit.c, plugins/sudoers/logging.c, + plugins/sudoers/logging.h, plugins/sudoers/sudoers.c: + Add SLOG_AUDIT flag for log_warningx() to also audit the message. + This lets us combine audit_failure() and log_warningx() calls with + the same message. + [23a8a5eab2ff] + + * plugins/sudoers/sudoers.c: + Log when user-specified command line options are rejected by + sudoers. We already audit those but in some cases they were not + logged as well. + [30d991993763] + + * NEWS, configure, configure.ac: + Update for sudo 1.9.3p1 + [0cbbb7608c3f] + 2020-09-21 Todd C. Miller * .hgtags: Added tag SUDO_1_9_3 for changeset bdd40c087bec - [eca7e986d20f] [tip] <1.9> + [eca7e986d20f] <1.9> * merge sudo 1.9.3 from tip [bdd40c087bec] [SUDO_1_9_3] <1.9> diff -urNa sudo-1.9.3/NEWS sudo-1.9.3p1/NEWS --- sudo-1.9.3/NEWS Mon Sep 21 06:36:57 2020 +++ sudo-1.9.3p1/NEWS Wed Sep 23 12:45:22 2020 @@ -1,3 +1,19 @@ +What's new in Sudo 1.9.3p1 + + * Fixed a regression introduced in sudo 1.9.3 where the configure + script would not detect the crypt(3) function if it was present + in the C library, not an additional library. + + * Fixed a regression introduced in sudo 1.8.23 with shadow passwd + file authentication on OpenBSD. BSD authentication was not + affected. + + * Sudo now logs when a user-specified command-line option is + rejected by a sudoers rule. Previously, these conditions were + written to the audit log, but the default sudo log file. Affected + command line arguments include -C (--close-from), -D (--chdir), + -R (--chroot), -g (--group) and -u (--user). + What's new in Sudo 1.9.3 * sudoedit will now prompt the user before overwriting an existing @@ -7,7 +23,7 @@ doesn't support symbol hiding. * Sudo now uses a linker script to hide symbols even when the - compiler has native symbol hiding support. This should make is + compiler has native symbol hiding support. This should make it easier to detect omissions in the symbol exports file, regardless of the platform. diff -urNa sudo-1.9.3/configure sudo-1.9.3p1/configure --- sudo-1.9.3/configure Mon Sep 21 06:36:58 2020 +++ sudo-1.9.3p1/configure Wed Sep 23 12:45:22 2020 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.9.3. +# Generated by GNU Autoconf 2.69 for sudo 1.9.3p1. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.9.3' -PACKAGE_STRING='sudo 1.9.3' +PACKAGE_VERSION='1.9.3p1' +PACKAGE_STRING='sudo 1.9.3p1' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1584,7 +1584,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.9.3 to adapt to many kinds of systems. +\`configure' configures sudo 1.9.3p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1650,7 +1650,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.9.3:";; + short | recursive ) echo "Configuration of sudo 1.9.3p1:";; esac cat <<\_ACEOF @@ -1924,7 +1924,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.9.3 +sudo configure 1.9.3p1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2633,7 +2633,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.9.3, which was +It was created by sudo $as_me 1.9.3p1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -25531,11 +25531,13 @@ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" test "${ac_cv_search_crypt}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_crypt}" - $as_echo "#define HAVE_CRYPT 1" >>confdefs.h - fi + if test "${ac_cv_search_crypt}" != "no"; then + $as_echo "#define HAVE_CRYPT 1" >>confdefs.h + + fi LIBS="$_LIBS" if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then @@ -27917,7 +27919,7 @@ case "$with_passwd" in yes|maybe) AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo" - if test test "${ac_cv_search_crypt}" = "no"; then + if test "${ac_cv_search_crypt}" = "no"; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No crypt function found, assuming plaintext passwords" >&5 $as_echo "$as_me: WARNING: No crypt function found, assuming plaintext passwords" >&2;} fi @@ -28626,7 +28628,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.9.3, which was +This file was extended by sudo $as_me 1.9.3p1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -28692,7 +28694,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.9.3 +sudo config.status 1.9.3p1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.9.3/configure.ac sudo-1.9.3p1/configure.ac --- sudo-1.9.3/configure.ac Mon Sep 21 06:36:58 2020 +++ sudo-1.9.3p1/configure.ac Wed Sep 23 12:45:22 2020 @@ -18,7 +18,7 @@ dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.9.3], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.9.3p1], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADERS([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl @@ -4011,8 +4011,10 @@ _LIBS="$LIBS" AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [ test "${ac_cv_search_crypt}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_crypt}" - AC_DEFINE(HAVE_CRYPT) ]) + if test "${ac_cv_search_crypt}" != "no"; then + AC_DEFINE(HAVE_CRYPT) + fi LIBS="$_LIBS" if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then @@ -4612,7 +4614,7 @@ case "$with_passwd" in yes|maybe) AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo" - if test test "${ac_cv_search_crypt}" = "no"; then + if test "${ac_cv_search_crypt}" = "no"; then AC_MSG_WARN([No crypt function found, assuming plaintext passwords]) fi ;; diff -urNa sudo-1.9.3/plugins/sudoers/audit.c sudo-1.9.3p1/plugins/sudoers/audit.c --- sudo-1.9.3/plugins/sudoers/audit.c Mon Sep 21 06:36:58 2020 +++ sudo-1.9.3p1/plugins/sudoers/audit.c Wed Sep 23 12:45:22 2020 @@ -93,20 +93,17 @@ } int -audit_failure(char *const argv[], char const *const fmt, ...) +vaudit_failure(char *const argv[], char const *const fmt, va_list ap) { int oldlocale, ret; char *message; - va_list ap; - debug_decl(audit_failure, SUDOERS_DEBUG_AUDIT); + debug_decl(vaudit_failure, SUDOERS_DEBUG_AUDIT); /* Audit messages should be in the sudoers locale. */ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); - va_start(ap, fmt); if ((ret = vasprintf(&message, _(fmt), ap)) == -1) sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - va_end(ap); if (ret != -1) { /* Set audit_msg for audit plugins. */ @@ -117,6 +114,20 @@ } sudoers_setlocale(oldlocale, NULL); + + debug_return_int(ret); +} + +int +audit_failure(char *const argv[], char const *const fmt, ...) +{ + va_list ap; + int ret; + debug_decl(audit_failure, SUDOERS_DEBUG_AUDIT); + + va_start(ap, fmt); + ret = vaudit_failure(argv, fmt, ap); + va_end(ap); debug_return_int(ret); } diff -urNa sudo-1.9.3/plugins/sudoers/getspwuid.c sudo-1.9.3p1/plugins/sudoers/getspwuid.c --- sudo-1.9.3/plugins/sudoers/getspwuid.c Wed Jul 15 11:26:06 2020 +++ sudo-1.9.3p1/plugins/sudoers/getspwuid.c Wed Sep 23 12:45:22 2020 @@ -75,8 +75,11 @@ { struct passwd *spw; + /* On OpenBSD we need to closed the non-shadow passwd db first. */ + endpwent(); if ((spw = getpwnam_shadow(pw->pw_name)) != NULL) epw = spw->pw_passwd; + setpassent(1); } #endif /* HAVE_GETPWNAM_SHADOW */ #ifdef HAVE_GETPRPWNAM diff -urNa sudo-1.9.3/plugins/sudoers/logging.c sudo-1.9.3p1/plugins/sudoers/logging.c --- sudo-1.9.3/plugins/sudoers/logging.c Mon Sep 21 06:36:58 2020 +++ sudo-1.9.3p1/plugins/sudoers/logging.c Wed Sep 23 12:45:22 2020 @@ -502,6 +502,13 @@ int len; debug_decl(vlog_warning, SUDOERS_DEBUG_LOGGING); + /* Do auditing first (audit_failure() handles the locale itself). */ + if (ISSET(flags, SLOG_AUDIT)) { + va_copy(ap2, ap); + vaudit_failure(NewArgv, fmt, ap2); + va_end(ap2); + } + /* Need extra copy of ap for sudo_vwarn()/sudo_vwarnx() below. */ va_copy(ap2, ap); diff -urNa sudo-1.9.3/plugins/sudoers/logging.h sudo-1.9.3p1/plugins/sudoers/logging.h --- sudo-1.9.3/plugins/sudoers/logging.h Wed Jul 15 11:26:06 2020 +++ sudo-1.9.3p1/plugins/sudoers/logging.h Wed Sep 23 12:45:22 2020 @@ -44,6 +44,7 @@ #define SLOG_SEND_MAIL 0x08 /* log via mail */ #define SLOG_NO_STDERR 0x10 /* do not log via stderr */ #define SLOG_NO_LOG 0x20 /* do not log via file or syslog */ +#define SLOG_AUDIT 0x40 /* send message to audit as well */ /* * Maximum number of characters to log per entry. The syslogger @@ -74,6 +75,7 @@ bool sudoers_setlocale(int newlocale, int *prevlocale); int sudoers_getlocale(void); int audit_failure(char *const argv[], char const *const fmt, ...) __printflike(2, 3); +int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0); bool log_allowed(int status); bool log_auth_failure(int status, unsigned int tries); bool log_denial(int status, bool inform_user); diff -urNa sudo-1.9.3/plugins/sudoers/sudoers.c sudo-1.9.3p1/plugins/sudoers/sudoers.c --- sudo-1.9.3/plugins/sudoers/sudoers.c Mon Sep 21 06:36:58 2020 +++ sudo-1.9.3p1/plugins/sudoers/sudoers.c Wed Sep 23 12:45:22 2020 @@ -287,11 +287,12 @@ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "def_runchroot %s, user_runchroot %s", - def_runchroot ? def_runchroot : "NULL", user_runchroot); + def_runchroot ? def_runchroot : "none", + user_runchroot ? user_runchroot : "none"); if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 && strcmp(def_runchroot, user_runchroot) != 0)) { - audit_failure(NewArgv, + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("user not allowed to change root directory to %s"), user_runchroot); sudo_warnx(U_("you are not permitted to use the -R option with %s"), @@ -313,11 +314,12 @@ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "def_runcwd %s, user_runcwd %s, user_cwd %s", - def_runcwd, user_runcwd, user_cwd); + def_runcwd ? def_runcwd : "none", user_runcwd ? user_runcwd : "none", + user_cwd ? user_cwd : "none"); if (strcmp(user_cwd, user_runcwd) != 0) { if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) { - audit_failure(NewArgv, + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("user not allowed to change directory to %s"), user_runcwd); sudo_warnx(U_("you are not permitted to use the -D option with %s"), user_cmnd); @@ -409,7 +411,7 @@ /* Check for -C overriding def_closefrom. */ if (user_closefrom >= 0 && user_closefrom != def_closefrom) { if (!def_closefrom_override) { - audit_failure(NewArgv, + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("user not allowed to override closefrom limit")); sudo_warnx("%s", U_("you are not permitted to use the -C option")); goto bad; @@ -439,14 +441,13 @@ /* Defer uid/gid checks until after defaults have been updated. */ if (unknown_runas_uid && !def_runas_allow_unknown_id) { - audit_failure(NewArgv, N_("unknown user: %s"), runas_pw->pw_name); - sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name); + log_warningx(SLOG_AUDIT, N_("unknown user: %s"), runas_pw->pw_name); goto done; } if (runas_gr != NULL) { if (unknown_runas_gid && !def_runas_allow_unknown_id) { - audit_failure(NewArgv, N_("unknown group: %s"), runas_gr->gr_name); - sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name); + log_warningx(SLOG_AUDIT, N_("unknown group: %s"), + runas_gr->gr_name); goto done; } } @@ -487,17 +488,16 @@ /* Bail if a tty is required and we don't have one. */ if (def_requiretty && !tty_present()) { - audit_failure(NewArgv, N_("no tty")); + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("no tty")); sudo_warnx("%s", U_("sorry, you must have a tty to run sudo")); goto bad; } /* Check runas user's shell. */ if (!check_user_shell(runas_pw)) { - audit_failure(NewArgv, N_("invalid shell for user %s: %s"), + log_warningx(SLOG_RAW_MSG|SLOG_AUDIT, + N_("invalid shell for user %s: %s"), runas_pw->pw_name, runas_pw->pw_shell); - log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"), - runas_pw->pw_name, runas_pw->pw_shell); goto bad; } @@ -597,7 +597,8 @@ /* If user specified a timeout make sure sudoers allows it. */ if (!def_user_command_timeouts && user_timeout > 0) { - audit_failure(NewArgv, N_("user not allowed to set a command timeout")); + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, + N_("user not allowed to set a command timeout")); sudo_warnx("%s", U_("sorry, you are not allowed set a command timeout")); goto bad; @@ -606,7 +607,7 @@ /* If user specified env vars make sure sudoers allows it. */ if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) { if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { - audit_failure(NewArgv, + log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("user not allowed to preserve the environment")); sudo_warnx("%s", U_("sorry, you are not allowed to preserve the environment"));