* NEWS, configure, configure.in:

2012-09-17 Todd C. Miller <Todd.Miller@courtesan.com>

Don't use embedded newline when matching, use \n. This got expanded
at some point. Bug #573

* plugins/sudoers/sudoreplay.c:
Fall back on lstat(2) if d_type in struct dirent is DT_UNKNOWN. Not
all file systems support d_type. Bug #572

* plugins/sudoers/sudoreplay.c:
Avoid calling fclose(NULL) in the error path when we cannot open an

2012-09-16 Todd C. Miller <Todd.Miller@courtesan.com>

* NEWS, configure, configure.in:

When setting the signal handler for SIGTSTP to the default value in
non-I/O log mode, store the old handler value for when we restore it

2012-09-12 Todd C. Miller <Todd.Miller@courtesan.com>

Mention support for SUCCESS=return in /etc/nsswitch.conf

* NEWS, configure, configure.in:

2012-09-11 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/env.c:
Avoid setting LOGNAME, USER and USERNAME variables twice when
set_logname is enabled.

* plugins/sudoers/env.c:
Fix duplicate detection in sudo_putenv(), do not prune out the
variable we just set when overwriting an existing instance. Fixes

* plugins/sudoers/env.c:

2012-09-04 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/sudo_nss.c:
Disable word wrap in list mode when stdout is a pipe to make "sudo
-l | grep ..." more useful. Adapted from a diff by Daniel Kopecek.

Print a trailing newline in lbuf_print() when there is not enough
space to do word wrapping and the lbuf does not end with a newline.

* plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c:
Add support for [SUCCESS=return] in nsswitch.conf; from Daniel

2012-09-01 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/po/da.mo, plugins/sudoers/po/fi.mo,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/sl.mo,
plugins/sudoers/po/uk.mo, src/po/fi.mo, src/po/hr.mo, src/po/it.mo,
src/po/ru.mo, src/po/sl.mo, src/po/uk.mo, src/po/vi.mo:

* MANIFEST, plugins/sudoers/po/vi.mo:
Add Vietnamese sudoers translation from translationproject.org

* MANIFEST, plugins/sudoers/po/vi.po:
Add Vietnamese sudoers translation from translationproject.org

2012-08-29 Todd C. Miller <Todd.Miller@courtesan.com>

* Makefile.in, compat/Makefile.in, mkdep.pl:
Add missing signame dependency

* src/exec.c, src/ttyname.c:
Silence compiler warnings.

* MANIFEST, compat/Makefile.in, compat/sig2str.c, compat/strsigname.c,
config.h.in, configure, configure.in, include/missing.h, mkdep.pl,
src/exec.c, src/exec_pty.c:
Replace strsigname() with sig2str(), emulating it as needed.

* config.h.in, configure, configure.in, src/utmp.c:
Use fseeko() for legacy utmp handling if available.

2012-08-28 Todd C. Miller <Todd.Miller@courtesan.com>

* compat/strsigname.c, config.h.in, configure, configure.in:
Detect sys_sigabbrev[] and use it in place of sys_signame[] if
present. For some reason glibc does not declare sys_sigabbrev so we
must add an extern definition of our own.

* compat/strsignal.c, compat/strsigname.c:
Handle NULL entries in sys_siglist and sys_signame.

* compat/mksiglist.c, compat/mksiglist.h, compat/mksigname.c,
compat/mksigname.h, compat/strsignal.c, compat/strsigname.c:
Convert my_sys_sig{list,name} -> sudo_sys_sig{list,name}

2012-08-27 Todd C. Miller <Todd.Miller@courtesan.com>

Pass on SIGTSTP to the command if it was sent by a user process (not
the kernel or the terminal) when we are not I/O logging and set the
default SIGTSTP handler when we re-send the signal to ourself,
restoring our handler after we resume.

Shells typically change their process group when they start up so
that they can implement job control. Most well-behaved shells
change the pgrp back to its original value before suspending so we
must not try to restore in that case, lest we race with the child
upon resume, potentially stopping sudo with SIGTTOU while the
command continues to run. Some shells, such as pdksh, just suspend
the shell by sending SIGSTOP to themselves without restoring the
pgrp. In this case we need to change the pgrp back for them. Should

2012-08-26 Todd C. Miller <Todd.Miller@courtesan.com>

* MANIFEST, compat/Makefile.in, compat/mksigname.c,
compat/mksigname.h, compat/strsignal.c, compat/strsigname.c,
config.h.in, configure, configure.in, include/missing.h, mkdep.pl,
src/exec.c, src/exec_pty.c:
Use strsigname() to print signal names in the debug output. If the
system has no strsigname(), use our own.

2012-08-23 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/regress/testsudoers/test5.inc,
plugins/sudoers/regress/testsudoers/test5.sh:
Remove generated file and change path for temporary include file.

* plugins/sudoers/Makefile.in:
When running regress tests, list pass/fail rate for each dir
(testsudoers and visudo) instead of the total. Also prevent the
result files from clobbering each other by keeping them in the
relevant directories.

* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Don't print an error message in yyerror() if open_sudoers() fails,
we've already printed an error message. Also restore the check for
sudoers_warnings in yyerror().

* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/toke.c, plugins/sudoers/toke.h,
plugins/sudoers/toke.l:
Avoid printing the >>> parse error <<< message for testsudoers when
the -t flag is specified.

2012-08-22 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/parse.c:
Fix NULL deref when an entry has no Runas_Entry

* plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
src/po/ja.mo, src/po/ja.po, src/po/pl.mo, src/po/pl.po,
src/po/zh_CN.mo, src/po/zh_CN.po:
sync with translationproject.org

* plugins/sudoers/check.c:
Correct the check_user() comment header.

* plugins/sudoers/auth/sudo_auth.c:
Change a log_fatal() into log_error() when no auth methods are
configured. The caller already checks the return value.

* plugins/sudoers/logging.c:
Add missing debug_return

2012-08-21 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
doc/sudo_plugin.cat, doc/sudo_plugin.man.in,
doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in,
doc/sudoers.man.in, doc/sudoers.mdoc.in:
Make the capitalization consistent for .Ss and .Sx

* doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.cat,
doc/sudo.man.in, doc/sudo.mdoc.in:
Add COMMAND EXECUTION section that describes how sudo runs the
command, the extra sudo processes and signal handling.

2012-08-18 Todd C. Miller <Todd.Miller@courtesan.com>

2012-08-17 Todd C. Miller <Todd.Miller@courtesan.com>

* compat/Makefile.in:
Don't echo the awk command when building siglist.in

* doc/fixman.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:

The HISTORY, LICENSE and CONTRIBUTORS files are no longer

* MANIFEST, plugins/sudoers/po/da.po, plugins/sudoers/po/fi.po,
plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo,
plugins/sudoers/po/it.po, plugins/sudoers/po/sl.po,
plugins/sudoers/po/uk.po, src/po/de.mo, src/po/de.po, src/po/fi.po,
src/po/hr.po, src/po/it.po, src/po/ru.po, src/po/sl.po,
src/po/uk.po, src/po/vi.po:
Sync with translationproject.org and add Italian sudoers

2012-08-16 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Expand description of fqdn to talk about systems where the hosts
file is searched before DNS.

2012-08-15 Todd C. Miller <Todd.Miller@courtesan.com>

For cat pages there is nothing to make unless DEVEL is set.

* configure, configure.in, doc/Makefile.in:
Always use mandoc to format cat pages and remove now-extraneous
nroff configure tests.

sync polypkg from git

* plugins/sudoers/sudoers.c:
Use AI_FQDN instead of AI_CANONNAME if available since "canonical"
is not always the same as "fully qualified".

2012-08-14 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudoers.mdoc.in:
Fix some typos. Describe error messages not related to policy

* plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
plugins/sudoers/visudo.c:
Add new check_defaults() function to check (but not update) the
Defaults entries. Visudo can now use this instead of
update_defaults to check all the defaults regardless instead of just
the global Defaults entries.

2012-08-13 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document sudoers log format.

Update for sudo 1.8.5p3

* src/load_plugins.c:
Add missing check for I/O plugin API version when checking for the
presence of I/O plugin hooks.

Can't call debug code in the process_hooks_xxx functions() since
ctime() may look up the timezone via the TZ environment variable.

2012-08-10 Todd C. Miller <Todd.Miller@courtesan.com>

* src/exec_common.c, src/sesh.c, src/utmp.c:
Include signal.h before sudo_exec.h since it uses sigset_t * in the

* doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoreplay.cat,
doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat,
doc/visudo.man.in, doc/visudo.mdoc.in:
Remove OPTIONS section; options now go inside DESCRIPTION

* plugins/sudoers/po/sudoers.pot, src/po/sudo.pot:

* MANIFEST, NEWS, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po,
plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po,
plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po,
plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po,
plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
src/po/da.mo, src/po/da.po, src/po/hr.mo, src/po/hr.po,
src/po/sl.mo, src/po/sl.po, src/po/vi.mo, src/po/vi.po:
Sync with translationproject.org and add new Slovenian translation.

* common/alloc.c, plugins/sudoers/check.c, plugins/sudoers/env.c,
plugins/sudoers/linux_audit.c, plugins/sudoers/sudoers.c,
plugins/sudoers/testsudoers.c:
Reduce the number of "internal error, foo overflow" messages that
need to be translated.

Mention HP-UX reboot fix.

* INSTALL, NEWS, common/sudo_debug.c, configure, configure.in,
doc/CONTRIBUTORS, include/sudo_debug.h, mkdep.pl, pathnames.h.in,
plugins/sudoers/Makefile.in, plugins/sudoers/sssd.c,
plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c:
Support for using SSSD (http://fedorahosted.org/sssd/) as a sudoers
data source. From Daniel Kopecek and Pavel Brezina.

2012-08-09 Todd C. Miller <Todd.Miller@courtesan.com>

* common/sudo_conf.c, src/load_plugins.c:
If sudo.conf contains an I/O plugin but no policy plugin, use
sudoers for the policy plugin. If a policy plugin is specified
without an I/O plugin, only the policy plugin will be loaded.

* doc/Makefile.in, doc/sudoers.man.in:
Do not modify the .Os section when building the .man.in file from

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Add a note about wildcards matching multiple words and include an
example. Also mention that for sudoedit, a wildcard in command line
args does not match a slash.

2012-08-07 Todd C. Miller <Todd.Miller@courtesan.com>

* src/exec_pty.c, src/sudo_exec.h:
Fix a comment, update a variable name in a prototype; all cosmetic.

* plugins/sudoers/iolog.c:
Cast 2nd argument of lseek() to off_t if it is a constant for
systems with 64-bit off_t but without a proper lseek() prototype.

* compat/getline.c, plugins/sudoers/check.c, plugins/sudoers/env.c,
plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/visudo.c:
Fix some warnings from clang checker-267

* plugins/sample/sample_plugin.c:
Fix memory leak found by clang checker-267

2012-08-06 Todd C. Miller <Todd.Miller@courtesan.com>

* src/exec.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h:
If we receive a signal from the command we executed, do not forward
it back to the command. This fixes a problem with BSD-derived
versions of the reboot command which send SIGTERM to all other
processes, including the sudo process. Sudo would then deliver
SIGTERM to reboot which would die before calling the reboot() system
call, effectively leaving the system in single user mode.

2012-08-03 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/fixman.sh, doc/fixmdoc.sh:
Remove section about Solaris 10 on other systems. Add missing
sudoers.man.in bit to fixman.sh.

2012-08-02 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Expand section on Solaris privileges.

Expand a bit on the Solaris priv set changes.

* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
plugins/sudoers/parse.c, plugins/sudoers/parse.h,
plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
The second argument to init_parser() is now bool.

* plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Fix printing of parse error message to stderr.

* plugins/sudoers/check.c, plugins/sudoers/defaults.c,
plugins/sudoers/match.c, plugins/sudoers/parse.c,
plugins/sudoers/parse.h, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
If a command matches using an empty Runas_List (i.e. Runas_List is
present but empty) and the -u option was not specified, set runas_pw
to user_pw instead of using runas_default. This is intended to be
used in conjunction with the Solaris Privilege Set support for rules
that grant privileges without changing the user.

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in,
plugins/sudoers/gram.c, plugins/sudoers/gram.h,
plugins/sudoers/gram.y, plugins/sudoers/match.c,
plugins/sudoers/parse.c, plugins/sudoers/sudoers_version.h:
Add support for parsing an empty Runas_List, which only allows the
command to be run as the invoking user. This can be used in
conjunction with the Solaris Privilege Set support to grant
privileges without changing the user.

2012-08-01 Todd C. Miller <Todd.Miller@courtesan.com>

Fix HP-UX, just use ".TH name section" like the vendor manuals.

* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Fix compilation on Solaris

* .hgignore, MANIFEST, doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh,
doc/sudo.man.sh, doc/sudo.mdoc.sh, doc/sudoers.man.sh,
Generate a sed script file when munging *.mdoc or *.man instead of
passing sed expressions on the command line. Older seds do not
support \n in a replacement so generate and run a sed script

* doc/Makefile.in, doc/sudo.man.in, doc/sudo_plugin.man.in,
doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.man.in,
Use "Sudo VERSION" as the 4th arg to .TH instead of just "VERSION"

2012-07-31 Todd C. Miller <Todd.Miller@courtesan.com>

When checking whether a signal is user-generated, compare si_code
against SI_USER instead of <= 0 since on HP-UX, terminal-related
signals get a code of 0.

SuSE Enterprise Linux uses RLIMIT_NPROC and _SC_CHILD_MAX
interchangeably. This causes problems when setting RLIMIT_NPROC to
RLIM_INFINITY due to a bug in bash where bash tries to honor the
value of _SC_CHILD_MAX but treats a value of -1 as an error, and
uses a default value of 32 instead.

Previously, we just checked RLIMIT_NPROC and, if it was unlimited,
restored the previous value of RLIMIT_NPROC. However, that makes it
impossible to set nproc to unlimited. We now only restore the nproc
resource limit if sysconf(_SC_CHILD_MAX) is negative. In most
cases, pam_limits will set RLIMIT_NPROC for us.

2012-07-30 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/ldap.c:
Active Directory apparently requires that tenths of a second be
present in a date so append .0 to the "now" value in the time
filter. Also remove space for the global AND from TIMEFILTER_LENGTH
since it was not being used consistently. Buffers of
TIMEFILTER_LENGTH now need to account for the terminating NUL byte.

* plugins/sudoers/toke.c, plugins/sudoers/toke.l:

2012-07-29 Todd C. Miller <Todd.Miller@courtesan.com>

Remove pod versions of HISTORY, CONTRIBUTORS and LICENSE as they
were not being kept in sync.

* doc/HISTORY, doc/Makefile.in, doc/contributors.pod, doc/history.pod,
Remove pod versions of HISTORY, CONTRIBUTORS and LICENSE as they
were not being kept in sync.

2012-07-27 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/logging.c:
Fix printing of the permission denied message to standard error when
a user is not allowed to run a command. This got broken by the
recent logging changes.

* plugins/sudoers/sudoers_version.h:
Bump grammar version for Solaris privs.

* doc/schema.ActiveDirectory:
Fix errors introduced when sudoNotBefore, sudoNotAfter and sudoOrder
were added. From David Hicks.

2012-07-26 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/Makefile.in:
Remove lex.yy.c when building toke.c

Fix building docs in a build dir.

* doc/sudo.man.pl, doc/sudo.pod, doc/sudo_plugin.pod,
doc/sudoers.ldap.pod, doc/sudoers.man.pl, doc/sudoers.pod,
doc/sudoreplay.pod, doc/visudo.pod:
Remove pod versions of the manual; we now use mdoc.

* MANIFEST, doc/Makefile.in, doc/sudo.man.sh, doc/sudo.mdoc.sh,
doc/sudoers.man.sh, doc/sudoers.mdoc.sh:
Add post-processing scripts to strip out login class, BSD auth,
SELinux and privilege set bits when they are not supported.

* NEWS, configure.in, doc/CONTRIBUTORS, doc/Makefile.in,
doc/contributors.pod, doc/sudoers.cat, doc/sudoers.man.in,
doc/sudoers.man.pl, doc/sudoers.mdoc.in, doc/sudoers.pod,
plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
plugins/sudoers/def_data.in, plugins/sudoers/gram.c,
plugins/sudoers/gram.h, plugins/sudoers/gram.y,
plugins/sudoers/parse.c, plugins/sudoers/parse.h,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c,
plugins/sudoers/toke.l, src/sudo.c, src/sudo.h:
Merge in Solaris privilege support by Darren Moffat and John

2012-07-25 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/contributors.pod:
Sync with CONTRIBUTORS file

* doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in,
doc/sudoers.man.in, doc/sudoreplay.man.in:
Regen .man.in files with my private mandoc.

2012-07-20 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in,
doc/sudoers.man.in, doc/sudoreplay.man.in, doc/visudo.man.in:
Regen .man.in files with hacked mandoc to avoid issues with historic

2012-07-19 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.mdoc.in, doc/sudoers.mdoc.in:

Fix dependencies for .man.in files.

Add doc/*.mdoc to ignore file

* INSTALL, MANIFEST, NEWS, configure, configure.in, doc/Makefile.in,
doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
doc/sudo_plugin.cat, doc/sudo_plugin.man.in,
doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in,
doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat,
doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat,
doc/visudo.man.in, doc/visudo.mdoc.in:
Build .man.in and .cat files from .mdoc.in files. Add new --with-man
and --with-mdoc configure options.

2012-07-18 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.mdoc.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.mdoc.in,
doc/sudoers.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in:
Sudo manuals formatted in mdoc, to replace the pod versions.

* doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod,
doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in,
doc/sudoers.ldap.pod, doc/sudoers.man.in, doc/sudoers.pod,
doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod,
doc/visudo.cat, doc/visudo.man.in, doc/visudo.pod:
More minor cosmetic fixes.

2012-07-12 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod:
Minor cosmetic fixes.

2012-07-11 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/logging.c, plugins/sudoers/po/sudoers.pot:
Use "a password is required" instead of "password required" when the
-n flag is used and we need to read a password.

2012-07-10 Todd C. Miller <Todd.Miller@courtesan.com>

Mention logging changes.

* plugins/sudoers/po/sudoers.pot:

* doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod:
Document that other mail_* flags have precedence over mail_badpass.

* plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c,
plugins/sudoers/logging.c, plugins/sudoers/logging.h,
plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Move log_denial() calls and logic to log_failure(). Move
authentication failure logging to log_auth_failure(). Both of these
call audit_failure() for us.

This subtly changes logging for commands that are denied by sudoers
but where the user failed to enter the correct password.
Previously, these would be logged as "N incorrect password attempts"
but now are logged as "command not allowed". Fixes bug #563

2012-07-06 Todd C. Miller <Todd.Miller@courtesan.com>

Do not set a resource limit to zero when we are unable to fetch a
value from /etc/security/limits.

2012-07-05 Todd C. Miller <Todd.Miller@courtesan.com>

Add "Provides: sudo" to debian sudo-ldap package

2012-07-02 Todd C. Miller <Todd.Miller@courtesan.com>

* configure, configure.in, zlib/Makefile.in:
Define NO_VIZ for zlib when gcc doesn't support symbol visibility

* configure, configure.in:
Use the autoconf cache when checking for symbol export control

* INSTALL, common/Makefile.in, compat/Makefile.in, configure,
configure.in, mkpkg, plugins/sample/Makefile.in,
plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in:
Add configure check for building PIE executables instead of doing it

MacOS pp backend doesn't like modes longer than 4 characters.

2012-07-01 Todd C. Miller <Todd.Miller@courtesan.com>

* configure, configure.in:
Add -Wc,-fstack-protector to LT_LDFLAGS instead of adding
-fstack-protector to LDFLAGS so it doesn't get stripped out. Libtool
will strip -fstack-protector from the linker flags and we always

2012-06-29 Todd C. Miller <Todd.Miller@courtesan.com>

* doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat,
doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat,
doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in:

* NEWS, doc/sudoers.ldap.pod:
Document improved Tivoli Directory Server support.

* config.h.in, configure, configure.in, plugins/sudoers/ldap.c:
Add support for ldaps using Tivoli LDAP libraries. Add ldap.conf
option to specify Tivoli key db password. Allow TLS ciphers to be
configured for Tivoli.

2012-06-28 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/ldap.c:
Tivoli Directory Server 6.3 libs always return a (bogus) error when
setting LDAP_OPT_CONNECT_TIMEOUT.

* plugins/sudoers/ldap.c:
Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the
same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH). Don't make failure to
set an ldap option fatal.

2012-06-27 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/sudoers.c:
Zero pointers in sudo_user struct after freeing, just in case.

* plugins/sudoers/sudoers.c:
Free user_gids in close function if it has not already been freed.

* plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h:
Defer group ID to name resolution until we actually need it.

It is safe to read in sudo.conf before calling user_info().

* plugins/sudoers/env.c, plugins/sudoers/ldap.c:
Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to
prevent potential truncation. Bug #562.

2012-06-25 Todd C. Miller <Todd.Miller@courtesan.com>

If installing with installp, error out if there is already an
instance of the rpm package installed.

Add --disable-nls for AIX

2012-06-22 Todd C. Miller <Todd.Miller@courtesan.com>

Debian sudo-ldap packages should now depend on libldap-2.4-2, not

2012-06-21 Todd C. Miller <Todd.Miller@courtesan.com>

Add Homepage and Bugs to debian control file.

2012-06-20 Todd C. Miller <Todd.Miller@courtesan.com>

fix typo when setting aix_freeware

* common/Makefile.in, compat/Makefile.in, configure, configure.in,
doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in,
plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in:
Don't run regress tests or sudoers sanity check (using the
newly-built visudo) when cross compiling. Bug #560

* MANIFEST, configure, configure.in, plugins/sample/Makefile.in,
plugins/sample/sample_plugin.exp, plugins/sample/sample_plugin.map,
plugins/sample/sample_plugin.sym, plugins/sample_group/Makefile.in,
plugins/sample_group/sample_group.exp,
plugins/sample_group/sample_group.map,
plugins/sample_group/sample_group.sym, plugins/sudoers/Makefile.in,
plugins/sudoers/sudoers.exp, plugins/sudoers/sudoers.map,
plugins/sudoers/sudoers.sym, plugins/system_group/Makefile.in,
plugins/system_group/system_group.exp,
plugins/system_group/system_group.map,
plugins/system_group/system_group.sym:
Rename foo.sym -> foo.exp. Remove foo.map from the repo and generate
it on demand. Use a loader option file for HP-UX ld to explicitly

Remove extraneous backslash

* plugins/sudoers/regress/check_symbols/check_symbols.c:
Don't check for errorx as an exported symbol as it is now a macro.
Check for user_in_group() instead.

2012-06-19 Todd C. Miller <Todd.Miller@courtesan.com>

* configure, configure.in:
Adjust ld map file support to use an anonymous scope to match the

2012-06-18 Todd C. Miller <Todd.Miller@courtesan.com>

* config.h.in, configure, configure.in, include/gettext.h:
Older versions of Solaris lack ngettext()

* configure, configure.in:
Move the check for -static-libgcc until after AC_LANG_WERROR has
been called and use AX_CHECK_COMPILE_FLAG().

Sudo defines HAVE_SETLOCALE not HAVE_LOCALE_H

* include/error.h, include/sudo_debug.h:
Fix gcc 2.x variant macro support.

* plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c:
Fix compilation on gcc 2.95 and other compilers that only allow
variable declarations at the beginning of a block.

* configure, configure.in, plugins/sudoers/Makefile.in:
Link check_symbols with SUDO_LIBS to make sure we link with the
requisite libraries to successfully dlopen sudoers.so. This is
needed on HP-UX where a program dlopen()ing a shared object that
uses pthreads must also be linked with pthreads (and HP-UX LDAP uses

* plugins/sudoers/regress/check_symbols/check_symbols.c:
Add check for exported local symbols. This will cause a "make
check" failure on systems where we don't support symbol hiding.

* configure, configure.in:
Additional ${foo} -> $(foo) Makefile tweaks.

* plugins/sample/sample_plugin.map,
plugins/sample_group/sample_group.map, plugins/sudoers/sudoers.map,
plugins/system_group/system_group.map:
No need to provide a name for the scope in the map file since we
don't use it for versioning.

2012-06-17 Todd C. Miller <Todd.Miller@courtesan.com>

* MANIFEST, plugins/sudoers/Makefile.in,
plugins/sudoers/regress/check_symbols/check_symbols.c:
Add regress test for symbol visibility.

2012-06-15 Todd C. Miller <Todd.Miller@courtesan.com>

* NEWS, configure, configure.in:

* configure, configure.in, include/missing.h:
Add support for controlling symbol visibility using the HP and

* plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c,
plugins/sudoers/regress/iolog_path/check_iolog_path.c,
plugins/sudoers/sudoers.h:
Use the expanded io log dir when updating the sequence number.
Includes a workaround for older versions of sudo where the sequence
number was stored in the unexpanded io log dir.

2012-06-14 Todd C. Miller <Todd.Miller@courtesan.com>

Simplify "sudo -s" argv rewriting.

* MANIFEST, configure, configure.in, plugins/sample/Makefile.in,
plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in,
Don't use a map file for sudo_noexec.so since Solaris ld doesn't
allow '*' in the global section. The libtool export flag is now
added to LT_LDFLAGS instead of commenting/uncommenting lines.

2012-06-13 Todd C. Miller <Todd.Miller@courtesan.com>

* config.h.in, configure, configure.in, include/missing.h:
The visibility attribute was actually added in gcc 3.3.x, not 4.0.
Just assume that if -fvisibility=hidden works that the attribute is

* plugins/sudoers/check.c, plugins/sudoers/iolog.c,
plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c,
plugins/sudoers/match.c, plugins/sudoers/pwutil.c,
plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.h, plugins/sudoers/sudoers.map,
plugins/sudoers/sudoers.sym, plugins/sudoers/testsudoers.c,
plugins/system_group/system_group.c:
Export group cache from sudoers.so for system_group.so to use.

* MANIFEST, configure, configure.in, include/missing.h,
plugins/sample/Makefile.in, plugins/sample/sample_plugin.map,
plugins/sample_group/Makefile.in,
plugins/sample_group/sample_group.map, plugins/sudoers/Makefile.in,
plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c,
plugins/sudoers/sudoers.map, plugins/system_group/Makefile.in,
plugins/system_group/system_group.map, src/sudo_noexec.c,
src/sudo_noexec.map:
Use gcc's visibility attribute to specify when symbols are visible
or hidden, if available. If not available, use an ELF version
script if it is supported. If all else fails, fall back to using
libtool's -export-symbols.

2012-06-12 Todd C. Miller <Todd.Miller@courtesan.com>

Add mode for installed locale files but leave the directories with
default mode and owner.

2012-06-11 Todd C. Miller <Todd.Miller@courtesan.com>

Install AIX packages under /opt/freeware with links in /usr/bin and
/usr/sbin. This matches the layout of the sudo package from AIX

* Makefile.in, configure, configure.in, plugins/sample/Makefile.in,
plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
plugins/system_group/Makefile.in, src/Makefile.in, sudo.pp:
Install shared objects with mode 0644 except on HP-UX which needs
the executable bit set.

* Makefile.in, doc/Makefile.in, include/Makefile.in,
plugins/sudoers/Makefile.in, src/Makefile.in:
Make installed file modes consistent with the file modes in the sudo

2012-06-08 Todd C. Miller <Todd.Miller@courtesan.com>

Add "%:" prefix when talking about QAS non-Unix group support.

Fix packaging of symbolic links on HP-UX when the link source
already exists in the filesystem.

Only specify prefix if we are overriding the default value. Fixes
the man dir (/usr/local/man vs. /usr/local/share/man).

Fix setting of sudoedit_man variable.

Echo the command when linking the sudoedit manual.

2012-06-07 Todd C. Miller <Todd.Miller@courtesan.com>

Build .deb packages with selinux support.

2012-06-04 Todd C. Miller <Todd.Miller@courtesan.com>

Don't list paths for unstripped binaries in the lintian overrides.

Add support for Installed-Size header in control file, required by
newer debian versions.

Fix extended description in .deb files.

Add Depends, Replaces and Conflicts headers for .deb packages.

2012-06-01 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/sudo_nss.c:
If there are no privs to print, write the message to the lbuf
instead of printing it directly.

2012-05-31 Todd C. Miller <Todd.Miller@courtesan.com>

Set -e in %pos and %preun for debian to quiet a lintian warning.

* doc/Makefile.in, src/Makefile.in, sudo.pp:
Install sudoedit and the sudoedit manual as symbolic links, not hard
links and package them as such.

Make sudo binary permissions 755 instead of 111. Add lintian
overrides file for .deb files.

* configure, configure.in, doc/Makefile.in, mkpkg:
Replace out of date MAN_POSTINSTALL with MANCOMPRESS and
MANCOMPRESSEXT which can be used to compress the installed manual
pages. Compress the man pages for .deb files to appease lintian.

* fix modes to be more in line with what Debian expects
* install LICENSE as copyright and ChangeLog as changelog
* create stub changelog.debian

Fix find command to properly skip files in the DEBIAN dir when

Use a debian-compliant package maintainer field.

2012-05-30 Todd C. Miller <Todd.Miller@courtesan.com>

* plugins/sudoers/sudoreplay.c:
No need to loop over atomic_writev(), it guarantees to write all
data or return an error.

Fix handling of stdout/stderr that contains "\r\n" and handle a
"\r\n" pair that spans a buffer.

2012-05-29 Todd C. Miller <Todd.Miller@courtesan.com>

Update for sudo 1.8.5p2

* plugins/sudoers/sudoreplay.c:
Instead of doing extra write()s when replaying stdout, build up a
vector for writev() instead. This results in far fewer system

2012-05-27 Todd C. Miller <Todd.Miller@courtesan.com>

* src/env_hooks.c, src/sudo.h, src/tgetpass.c: