[sudo-workers] [PATCH] Do not use undocumented Autoconf variables in the AC_SEARCH_LIBS macro

Winchenbach, Samuel Samuel-Winchenbach at idexx.com
Fri Jan 25 08:12:01 MST 2019


Hi,

We are using autoconf caching and we noticed that lcrypt is not being
linked when sudo is being configured from the cache.

We discovered $ac_lib is not set when autoconf is cached which prevents needed libraries from being linked in.

Steps to reproduce issue:
$ ./configure --config-cache --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc --localstatedir=/var \
 --program-prefix=""  --disable-nls --disable-static --enable-shared  --without-lecture \
 --without-sendmail --without-umask --with-logging=syslog --without-interfaces --with-env-editor \
 --without-pam --enable-zlib --without-ldap
$ make | grep lcrypt
    /bin/sh ../../libtool  --tag=disable-static --mode=link gcc -Wl,-z,relro  -o sudoers.la sudo_auth.lo getspwuid.lo passwd.lo boottime.lo check.lo editor.lo env.lo env_pattern.lo file.lo find_path.lo fmtsudoers.lo gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo iolog_path.lo locale.lo logging.lo logwrap.lo mkdir_parents.lo parse.lo policy.lo prompt.lo set_perms.lo starttime.lo sudo_nss.lo sudoers.lo timestamp.lo  libparsesudoers.la -lcrypt   ../../lib/util/libsudo_util.la  -lz -module;; \
    /bin/sh ../../libtool  --tag=disable-static --mode=link gcc -Wl,-z,relro  -Wc,-fstack-protector-strong  -o sudoers.la sudo_auth.lo getspwuid.lo passwd.lo boottime.lo check.lo editor.lo env.lo env_pattern.lo file.lo find_path.lo fmtsudoers.lo gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo iolog_path.lo locale.lo logging.lo logwrap.lo mkdir_parents.lo parse.lo policy.lo prompt.lo set_perms.lo starttime.lo sudo_nss.lo sudoers.lo timestamp.lo  libparsesudoers.la -lcrypt   ../../lib/util/libsudo_util.la  -lz -module -avoid-version -rpath /usr/libexec/sudo -shrext .so;; \
libtool: link: gcc -shared  -fPIC -DPIC  .libs/sudo_auth.o .libs/getspwuid.o .libs/passwd.o .libs/boottime.o .libs/check.o .libs/editor.o .libs/env.o .libs/env_pattern.o .libs/file.o .libs/find_path.o .libs/fmtsudoers.o .libs/gc.o .libs/goodpath.o .libs/group_plugin.o .libs/interfaces.o .libs/iolog.o .libs/iolog_path.o .libs/locale.o .libs/logging.o .libs/logwrap.o .libs/mkdir_parents.o .libs/parse.o .libs/policy.o .libs/prompt.o .libs/set_perms.o .libs/starttime.o .libs/sudo_nss.o .libs/sudoers.o .libs/timestamp.o  -Wl,--whole-archive ./.libs/libparsesudoers.a -Wl,--no-whole-archive  -Wl,-rpath -Wl,/home/swinchen/projects/repos/sudo/lib/util/.libs -Wl,-rpath -Wl,/usr/libexec/sudo -lcrypt ../../lib/util/.libs/libsudo_util.so -lpthread -ldl -lz  -Wl,-z -Wl,relro -fstack-protector-strong   -Wl,-soname -Wl,sudoers.so -o .libs/sudoers.so

$ make clean
$ ./configure --config-cache --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc --localstatedir=/var \
 --program-prefix=""  --disable-nls --disable-static --enable-shared  --without-lecture \
 --without-sendmail --without-umask --with-logging=syslog --without-interfaces --with-env-editor \
 --without-pam --enable-zlib --without-ldap
$ make | grep lcrypt
$

Notice that there are no lines indicating that lcrypt is being linked in on the second build.

Below is an output of the autogenerated configure file with annotations
explaining the issue:

	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypt" >&5
$as_echo_n "checking for library containing crypt... " >&6; }
if ${ac_cv_search_crypt+:} false; then :
  $as_echo_n "(cached) " >&6
else
=========================NOT RUN WHEN CACHED=========================
|  ac_func_search_save_LIBS=$LIBS
|cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|/* end confdefs.h.  */
|
|/* Override any GCC internal prototype to avoid an error.
|   Use char because int might match the return type of a GCC
|   builtin and then its argument prototype would still apply.  */
|#ifdef __cplusplus
|extern "C"
|#endif
|char crypt ();
|int
|main ()
|{
|return crypt ();
|  ;
|  return 0;
|}
|_ACEOF
|for ac_lib in '' crypt crypt_d ufc; do    <------ $ac_lib set here
|  if test -z "$ac_lib"; then
|    ac_res="none required"
|  else
|    ac_res=-l$ac_lib
|    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
|  fi
|  if ac_fn_c_try_link "$LINENO"; then :
|  ac_cv_search_crypt=$ac_res
|fi
|rm -f core conftest.err conftest.$ac_objext \
|    conftest$ac_exeext
|  if ${ac_cv_search_crypt+:} false; then :
|  break
|fi
|done
|if ${ac_cv_search_crypt+:} false; then :
|
|else
|  ac_cv_search_crypt=no
|fi
|rm conftest.$ac_ext
|LIBS=$ac_func_search_save_LIBS
|fi
=====================================================================
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypt" >&5
$as_echo "$ac_cv_search_crypt" >&6; }
ac_res=$ac_cv_search_crypt
if test "$ac_res" != no; then :
  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
  test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"
fi
           ^^^^^^ $ac_lib has not been set when there is a cache hit

Signed-off-by: Samuel A. Winchenbach <samuel-winchenbach at idexx.com>
Signed-off-by: Adam Labbe <adam-labbe at idexx.com>
---
diff -r ecb89088a884 -r f9759fc9eeee configure.ac
--- a/configure.ac	Tue Jan 22 06:41:16 2019 -0700
+++ b/configure.ac	Thu Jan 24 13:11:08 2019 -0500
@@ -3755,7 +3755,9 @@
     dnl
     if test -z "$LIB_CRYPT"; then
 	_LIBS="$LIBS"
-	AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"])
+	AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc],
+                   [test "${ac_cv_search_crypt}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_crypt}"],
+                   [AC_MSG_FAILURE([crypt was not found on your system])])
 	LIBS="$_LIBS"
     fi
 
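Review bot: The new fourth argument `[AC_MSG_FAILURE([crypt was not found on your system])]` turns a failed library search into a hard configure abort, which the old call did not do and the commit message does not mention. The same argument is added to the getspnam and getprpwnam calls in the next hunk, where it does more harm: both calls are guarded by `if test "$CHECKSHADOW" = "true"`, so aborting when getspnam is missing means the getprpwnam probe can never run as a fallback, and a host with neither function can no longer be configured. The cache fix only needs the action-if-found change, so I would drop the fourth argument from all three calls and end each at the found-action, e.g. `... shadow_libs="${shadow_libs} ${ac_cv_search_crypt}"])`. If a missing crypt() should be fatal, that belongs in a separate change that also checks the enclosing condition, which starts outside this hunk.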
@@ -3775,10 +3777,16 @@
 	LIBS="$_LIBS"
     fi
     if test "$CHECKSHADOW" = "true"; then
-	AC_SEARCH_LIBS([getspnam], [gen shadow], [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false; test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"])
+	AC_SEARCH_LIBS([getspnam], [gen shadow],
+                   [AC_DEFINE(HAVE_GETSPNAM)] [CHECKSHADOW=false]
+                   [test "${ac_cv_search_getspnam}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_getspnam}"],
+                   [AC_MSG_FAILURE([getspnam was not found on your system])])
     fi
     if test "$CHECKSHADOW" = "true"; then
-	AC_SEARCH_LIBS([getprpwnam], [sec security prot], [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1; test -n "$ac_lib" && shadow_libs="${shadow_libs} $ac_res"])
+	AC_SEARCH_LIBS([getprpwnam], [sec security prot],
+                   [AC_DEFINE(HAVE_GETPRPWNAM)] [CHECKSHADOW=false; SECUREWARE=1]
+                   [test "${ac_cv_search_getprpwnam}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_getprpwnam}"],
+                   [AC_MSG_FAILURE([getprpwnam was not found on your system])])
     fi
     if test -n "$shadow_libs"; then
 	# sudoers needs to link with shadow libs for password auth
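Review bot: In the getspnam and getprpwnam calls the found-action is assembled from three adjacent quoted groups, and the only thing separating `CHECKSHADOW=false` (or `SECUREWARE=1`) from the following `test` is the line break between the groups. As far as I can tell m4 keeps that newline, so this works as written, but if the groups are ever joined onto one line the shell would read `CHECKSHADOW=false test ...` as a one-command environment assignment and CHECKSHADOW would silently stay `true`. The removed lines used an explicit `;`, and keeping it is more robust: `[CHECKSHADOW=false; test "${ac_cv_search_getspnam}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_getspnam}"]`, and likewise after `SECUREWARE=1` in the getprpwnam call.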

