[sudo-users] sudo update for older OS X versions available
Kyle J. McKay
mackyle at gmail.com
Thu Nov 21 18:20:18 MST 2013
On Nov 21, 2013, at 13:31, Todd C. Miller wrote:
> While this may be useful for folks who don't want to upgrade to
> sudo 1.8.x, there really shouldn't be any problem building and running
> current sudo releases on older versions of Mac OS X. If there are,
> that's something I'd like to address.

You might want to look at patches 0001, 0009 and 0012 in the patches

The other goal of the update is to match as closely as possible the
included-with-os-x-sudo configure options. At least with sudo
1.7.10p7 the default configure options when building on OS X do not
match Apple's choices. Installing an sudo built like that will result
in some different and possibly surprising behavior. The update
avoids that. Some of the necessary configure options are OS X version
dependent (for example, older versions of OS X expect sudo to log to
local2 not authpriv so that option has to be provided when building
for an older system which the build script does).

I have not compared the latest sudo 1.8.x release to the list of
patches to see if those changes have been picked up or now have
options available to select them. All the patches are summarized in
the README_PATCHES.txt file (with extended descriptions at the top
of each individual patch file) except for one in the build script
which is that HAVE_TCSETPGRP is never set when --without-iologdir is
used, but it is tested for and different code is generated even under
--without-iologdir, so the build script sets HAVE_TCSETPGRP manually.

While I'm sure the out-of-the-box sudo (both 1.7.10p7 and the latest
1.8.x) will likely build and install and probably work with the
default configure options, some of the behavior will be a surprise
compared to the Apple-provided sudo and the goal was to provide an
easy sudo update path for older OS X versions that does not result in
unexpected sudo behavior changes.

Since Apple is shipping 1.7.10p7 (including some Apple tweaks) with OS
X 10.9.0 instead of the latest 1.8.x it seems safest to stay with that
version on OS X unless there's a special need to do otherwise.

TL;DR: The update provides a means to get the CVE-2013-1775 fix
for older OS X versions while matching as closely as possible the as-
shipped-with-os-x sudo version, patches, behavior and configure
options. Installing the latest sudo 1.8.x will not do that.