[sudo-users] sudo update for older OS X versions available

Kyle J. McKay mackyle at gmail.com
Fri Nov 22 17:17:57 MST 2013


On Nov 22, 2013, at 12:59, Todd C. Miller wrote:
> It's unfortunate that Apple chooses not to update to sudo 1.8.x.
> They are the only vendor still shipping 1.7.x for new releases as
> far as I know.  I don't know why they choose to not ship sudoedit
> and sudoreplay--that seems short-sighted.  I suppose they assume
> people only use sudo as a way to have unlimited root access.

I agree with you.  But the mind of Apple is somewhat inscrutable at
the best of times.

> Thanks for breaking down the various patches.  It's unfortunate
> that Apple doesn't bother to send potential fixes upstream.  In
> case you are curious:
>
> 0009-Do-not-close-fds-on-OS-X.patch.txt
>
>    This is due to libdispatch having file descriptors open even
>    when grand central dispatch is not in use.  Closing the libdispatch
>    descriptors will cause a crash when executing the command.  A
>    similar Apple-specific change is already in sudo 1.8.x.

Thanks for the info.  I presume that's rdar 6497333 based on the patch
I culled from opensource.apple.com, but that is, of course, unhelpful
to those of us outside Apple without rdar access (and it doesn't seem
to be posted to openradar).

> 0010-Handle-EINTR-when-calling-tcsetattr.patch.txt
>
>    This may be due to a bug in xnu, the Mac OS X kernel that I
>    reported in May of 2010.  Apple's bug database is not public
>    but I made a copy of the report here:
> 	http://openradar.appspot.com/radar?id=6402578615107584

Interesting.  But that behavior doesn't seem to violate the spec. for  
read [1].  Although if SA_RESTART is set for the signal it would  
likely violate the spec. for sigaction [2].  Since the current cat.c  
source [3] does not appear to use SA_RESTART, the example that  
produces "cat: stdin: Interrupted system call" does not, strictly  
speaking, look to me like a bug according to the applicable  
standards.  But, as you point out, that may be surprising compared to  
other systems.

>    This patch is dangerous because it could lead to an infinite
>    loop if sudo is not the foreground process.

Hmmm.  On OS X the default action for SIGTTOU (presumably that's the  
signal in question here [4]) is to stop the process and that seems to  
be consistent with the standard [5].  So I think the process would  
just suspend until it was brought back to the foreground, wouldn't it?

I wonder if the bash sequence: 'sudo -k; sudo pwd& fg %1' fails to  
prompt correctly without this fix.  (Here 'pwd' is standing in for  
some command where this is a "doh, I meant to use sudo -b instead of  
&" moment.)

> You might want to take a look at the mkpkg script included with sudo.
> It will build .pkg files installable on a Mac.  By default it builds
> newer style flat packages but the pp script also supports older
> style package bundles if you need it to.

Thanks for the pointer.  I was thinking there was unlikely to be much  
interest in this update and considering the potential for malware  
abuse an installer package that replaces sudo could do, I thought it  
was best left as a fetch-the-source, build and sudo-make-install  
exercise for those that feel they really need it.  So, in the absence  
of a crowd of clamoring supplicants :), I don't have any plans to post  
an installer (especially since
different-binary-based-on-destination-os-x-version installers like I
did for fakeroot [6] are a real PITA to set up initially).

[1] http://pubs.opengroup.org/onlinepubs/000095399/functions/read.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/functions/sigaction.html
[3] http://www.opensource.apple.com/source/text_cmds/text_cmds-87/cat/cat.c
[4] http://pubs.opengroup.org/onlinepubs/009695299/functions/tcsetattr.html
[5] http://pubs.opengroup.org/onlinepubs/009696799/xrat/xsh_chap02.html#tag_03_02_04_04
[6] http://mackyle.github.io/fakeroot/

Kyle
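
The two outcomes discussed in this message depend on the SIGTTOU disposition: with the default action a background tcsetattr() stops the process, while a caught SIGTTOU makes the call fail with EINTR, so an unconditional retry keeps spinning. The following is an added example, not code from sudo or from Apple's patch (`tcsetattr_retry` and `on_sigttou` are hypothetical names), of an EINTR retry that gives up when the interruption was SIGTTOU:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

static volatile sig_atomic_t got_sigttou;

/* Hypothetical handler: only records that SIGTTOU arrived. */
static void on_sigttou(int signo) { (void)signo; got_sigttou = 1; }

/*
 * Retry tcsetattr() on EINTR, but stop if the interruption was SIGTTOU,
 * which means the caller is in a background process group and every
 * further attempt would be interrupted the same way.
 * Returns 0 on success, -1 with errno set on failure; errno == EINTR
 * with got_sigttou set means "not the foreground process".
 */
int tcsetattr_retry(int fd, int flags, const struct termios *tp)
{
    struct sigaction sa, osa;
    int rc, saved_errno;

    memset(&sa, 0, sizeof(sa));
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_sigttou;      /* no SA_RESTART: EINTR must be visible */
    if (sigaction(SIGTTOU, &sa, &osa) == -1)
        return -1;

    got_sigttou = 0;
    do {
        rc = tcsetattr(fd, flags, tp);
    } while (rc == -1 && errno == EINTR && !got_sigttou);

    saved_errno = errno;
    sigaction(SIGTTOU, &osa, NULL);  /* restore the caller's disposition */
    errno = saved_errno;
    return rc;
}

int main(void)
{
    struct termios t;
    if (tcgetattr(STDIN_FILENO, &t) == -1)
        return 1;                    /* stdin is not a terminal */
    return tcsetattr_retry(STDIN_FILENO, TCSADRAIN, &t) == 0 ? 0 : 2;
}
```

Dropping the `!got_sigttou` condition gives the unconditional retry that never terminates in the background once SIGTTOU is caught rather than left at its default action.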


