[sudo-users] sudo update for older OS X versions available

Kyle J. McKay mackyle at gmail.com
Thu Nov 21 18:20:18 MST 2013


On Nov 21, 2013, at 13:31, Todd C. Miller wrote:
> While this may be useful for folks who don't want to upgrade to
> sudo 1.8.x, there really shouldn't be any problem building and running
> current sudo releases on older versions of Mac OS X.  If there are,
> that's something I'd like to address.

You might want to look at patches 0001, 0009 and 0012 in the patches
directory [2].

The other goal of the update is to match as closely as possible the
included-with-OS-X-sudo configure options.  At least with sudo
1.7.10p7 the default configure options when building on OS X do not
match Apple's choices.  Installing a sudo built like that will result
in some different and possibly surprising behavior.  The update [1]
avoids that.  Some of the necessary configure options are OS X version
dependent (for example, older versions of OS X expect sudo to log to
local2 not authpriv, so that option has to be provided when building
for an older system, which the build script does).

I have not compared the latest sudo 1.8.x release to the list of
patches [2] to see if those changes have been picked up or now have
options available to select them.  All the patches are summarized in
the README_PATCHES.txt [3] file (with extended descriptions at the top
of each individual patch file) except for one in the build script,
which is that HAVE_TCSETPGRP is never set when --without-iologdir is
used, but it is tested for and different code is generated even under
--without-iologdir, so the build script sets HAVE_TCSETPGRP manually.

While I'm sure the out-of-the-box sudo (both 1.7.10p7 and the latest
1.8.x) will likely build and install and probably work with the
default configure options, some of the behavior will be a surprise
compared to the Apple-provided sudo, and the goal was to provide an
easy sudo update path for older OS X versions that does not result in
unexpected sudo behavior changes.

Since Apple is shipping 1.7.10p7 (including some Apple tweaks) with OS
X 10.9.0 instead of the latest 1.8.x, it seems safest to stay with that
version on OS X unless there's a special need to do otherwise.

TL;DR: The update [1] provides a means to get the CVE-2013-1775 fix
for older OS X versions while matching as closely as possible the
as-shipped-with-OS-X sudo version, patches, behavior and configure
options.  Installing the latest sudo 1.8.x will not do that.

Kyle

[1] http://repo.or.cz/w/sudo-osx-update.git
[2] http://repo.or.cz/w/sudo-osx-update.git/tree/HEAD:/patches
[3] http://repo.or.cz/w/sudo-osx-update.git/blob/HEAD:/patches/README_PATCHES.txt