[sudo-users] sudo update for older OS X versions available
Kyle J. McKay
mackyle at gmail.com
Thu Nov 21 18:20:18 MST 2013
On Nov 21, 2013, at 13:31, Todd C. Miller wrote:
> While this may be useful for folks who don't want to upgrade to
> sudo 1.8.x, there really shouldn't be any problem building and running
> current sudo releases on older versions of Mac OS X. If there are,
> that's something I'd like to address.
You might want to look at patches 0001, 0009 and 0012 in the patches
directory [2].
The other goal of the update is to match as closely as possible the
included-with-os-x-sudo configure options. At least with sudo
1.7.10p7 the default configure options when building on OS X do not
match Apple's choices. Installing a sudo built like that will result
in some different and possibly surprising behavior. The update [1]
avoids that. Some of the necessary configure options are OS X
version-dependent (for example, older versions of OS X expect sudo to
log to local2 not authpriv, so that option has to be provided when
building for an older system, which the build script does).
I have not compared the latest sudo 1.8.x release to the list of
patches [2] to see if those changes have been picked up or now have
options available to select them. All the patches are summarized in
the README_PATCHES.txt [3] file (with extended descriptions at the top
of each individual patch file) except for one in the build script
which is that HAVE_TCSETPGRP is never set when --without-iologdir is
used, but it is tested for and different code is generated even under
--without-iologdir, so the build script sets HAVE_TCSETPGRP manually.
While I'm sure the out-of-the-box sudo (both 1.7.10p7 and the latest
1.8.x) will likely build and install and probably work with the
default configure options, some of the behavior will be a surprise
compared to the Apple-provided sudo and the goal was to provide an
easy sudo update path for older OS X versions that does not result in
unexpected sudo behavior changes.
Since Apple is shipping 1.7.10p7 (including some Apple tweaks) with OS
X 10.9.0 instead of the latest 1.8.x it seems safest to stay with that
version on OS X unless there's a special need to do otherwise.
TL;DR: The update [1] provides a means to get the CVE-2013-1775 fix
for older OS X versions while matching as closely as possible the
as-shipped-with-OS-X sudo version, patches, behavior and configure
options. Installing the latest sudo 1.8.x will not do that.
Kyle
[1] http://repo.or.cz/w/sudo-osx-update.git
[2] http://repo.or.cz/w/sudo-osx-update.git/tree/HEAD:/patches
[3] http://repo.or.cz/w/sudo-osx-update.git/blob/HEAD:/patches/README_PATCHES.txt
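The version-dependent configure step described in the message above, as an added example that is not Kyle's build script and not part of the sudo project: a small POSIX sh helper that picks the syslog facility by OS X version (the 10.6 cut-over used here is an assumption, not something the message states; the real cut-over is whatever the target release's syslog.conf expects) and defines HAVE_TCSETPGRP by hand through CPPFLAGS because configure never sets it under --without-iologdir. The --with-logging and --with-logfac flags are sudo's standard configure options.

```shell
#!/bin/sh
# Added example, not Kyle's build script and not from the sudo project:
# pick version-dependent configure flags for building sudo on OS X so the
# result logs where the Apple-shipped sudo logs, and define HAVE_TCSETPGRP
# explicitly because configure never sets it under --without-iologdir.
#
# Assumptions (not stated in the message):
#   - the last 10.x release whose syslog setup expects local2 is taken as
#     10.6 (LOCAL2_MAX_MINOR); adjust to match the target's syslog.conf
#   - --with-logging and --with-logfac are sudo's standard configure options

LOCAL2_MAX_MINOR=6   # assumed cut-over, see above

# Print the configure flags for a given OS X version string (e.g. "10.5.8").
# Fails for anything that is not a "10.<minor>[.<patch>]" version.
sudo_configure_flags() {
    ver=$1
    major=$(printf '%s\n' "$ver" | cut -s -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    if [ "$major" != 10 ] || [ -z "$minor" ]; then
        printf 'unsupported OS X version: %s\n' "$ver" >&2
        return 1
    fi
    flags="--with-logging=syslog --without-iologdir"
    if [ "$minor" -le "$LOCAL2_MAX_MINOR" ]; then
        flags="$flags --with-logfac=local2"    # older OS X: local2
    else
        flags="$flags --with-logfac=authpriv"  # newer OS X: authpriv
    fi
    printf '%s\n' "$flags"
}

# Configure and build an unpacked sudo source tree for the given version
# (defaults to the running system's sw_vers output).
build_sudo() {
    srcdir=$1
    ver=${2:-$(sw_vers -productVersion)}
    flags=$(sudo_configure_flags "$ver") || return 1
    # HAVE_TCSETPGRP is tested in the code even with --without-iologdir,
    # but configure only probes for it when iologdir is enabled, so set it
    # by hand through CPPFLAGS (tcsetpgrp(3) exists on every OS X release).
    (cd "$srcdir" && CPPFLAGS="-DHAVE_TCSETPGRP=1" ./configure $flags && make)
}

# Usage: build_sudo /path/to/sudo-1.7.10p7 [10.5.8]
```

Run `sudo_configure_flags 10.5.8` to see the flags that would be used before committing to a build, and compare them against the options Apple's own sudo reports (`sudo -V` as root lists the configured log facility), since a mismatch there is exactly the kind of surprising behavior change the message warns about.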