ChangeLog

config.h.in, configure, configure.ac:
Sudo assumes that a uid_t can be cast to unsigned int without problems.

Add a configure check and error out if sizeof(uid_t) > 4. [4b7657e4ce3d]

include/sudo_util.h, lib/eventlog/eventlog.c, lib/iolog/iolog_timing.c, lib/util/json.c, lib/util/lbuf.c, lib/util/sudo_debug.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/display.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/logging.c, src/exec_preload.c, src/limits.c:
Add macros to determine the length of an integer type in string form.

Adapted from answer #6 in:
https://stackoverflow.com/questions/10536207/ansi-c-maximum-number- of-characters-printing-a-decimal-int [e62734abe89c]

plugins/sudoers/visudo.c:
visudo: use verbose and strict in parser_conf

Where the sudoers_context is available we can use the values of verbose and strict instead of passing around quiet and strict flags. [bc7a60ce0e36]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/check_aliases.c, plugins/sudoers/defaults.c, plugins/sudoers/parse.h, plugins/sudoers/parser_warnx.c:
Add parser_warnx() and parser_vwarnx() that displays file:line:col

Used by defaults.c and check_aliases.c. [1b4eff914e92]

plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
Promote strict field in sudoers_parser_config from bool to int.

This will be used by visudo to indicate when “visudo -s” is run. [d0f6c8c37e4a]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/find_path.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/resolve_cmnd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add resolve_cmnd(), a wrapper around find_path().

This is a convenience function that sets PERM_RUNAS and calls find_path(). If the command is not found it will retry with PERM_USER instead. [c7831c462fb9]

src/exec_monitor.c:
Wait on a socketpair for the parent to grant child the controlling tty.

This upgrades the error pipe to a bi-directional socketpair that the parent will write to after it has granted the child process the controlling terminal. That fixes an issue where the child could end up in a tight CPU loop waiting on the parent which may not be scheduled immediately. [36e87999dae1]

plugins/sudoers/sudoers.h:
Undefine AUTH_{SUCCESS,FAILURE,ERROR} before defining them.

Quiets a warning on AIX where usersec.h defines AUTH_SUCCESS and AUTH_FAILURE. We avoided this problem in the past because the old values for AUTH_SUCCESS and AUTH_FAILURE match what AIX defines. [c37c51f861f1]

config.h.in, configure, configure.ac, lib/util/term.c, m4/sudo.m4, src/exec_pty.c:
Only cast TIOCSWINSZ to int on systems that might require it (AIX).

Otherwise we end up with a -Wconversion warning on systems where the ioctl() request argument is unsigned long. [a467e228981f]

plugins/sudoers/display.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Promote verbose flag to int for display_privs and display_cmnd.

A negative verbosity will prevent non-error output from being displayed. [c7646497b580]

plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c:
Remove pivot_get_root() and pivot_get_cwd().

They are unnecessary since struct sudoers_pivot is not opaque. The implementation details are private to match_command.c. [ca522bffdf37]

plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h:
Make flag in union sudo_defs_val bool to match how it is used.

Adjust find_path()’s ignore_dot function argument to match. [52d5311ca360]

plugins/sudoers/audit.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
Parse euid and egid from sudo front-end.

These are needed by bsm_audit.c. [ca240f519b46]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
Parse pid and ppid from sudo front-end.

We can now use the stored ppid in ts_init_key(). [4955c478f849]

plugins/sudoers/match_command.c, plugins/sudoers/pivot.c, plugins/sudoers/pivot.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Use struct sudoers_pivot instead of defining sudoers_pivot_t.

We want to pass around a pointer, not the struct itself. [8c6806cee428]

src/exec_ptrace.c:
Only call ptrace_verify_post_exec() for intercept, not log_subcmds.

This fixes a logic goof introduced in sudo 1.9.14. [49df34bb0494]

docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestamp.h:
Use the user-ID instead of user-name for the timestamp and lecture file.

This avoids problems if the user name itself contains a path separator. [c93459e59f30]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h:
Wrap valid_shell and add to sudo_pwutil_set_backend().

This will make it possible to support a different getusershell() implementation for testsudoers in the future. [03da23d61efe]

plugins/sudoers/check_util.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Move check_user_shell() to pwutil.c as user_shell_valid()

This will make it possible to support a different backend which may be used by testsudoers in the future. [44a7540fb761]

plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/timestamp.h:
Merge check_user() and check_user_interactive(), move getpass callbacks.

The getpass callbacks are now defined in sudo_auth.c, which implements auth_getpass(). As a result, struct getpass_closure is now public and defined in timestamp.h. [1babbb56de42]

plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/parse.h:
Try to make sudo less vulnerable to ROWHAMMER attacks.

We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545 [df81a335db65]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/policy.c, plugins/sudoers/sethost.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
sudoers_sethost: refactor code to set host names in sudoers_context.

The sudoers_sethost() function can be shared by the sudoers plugin, visudo, cvtsudoers and testsudoers. [6cece4f67add]

plugins/sudoers/sudoers.c:
Only print “no valid sudoers sources found, quitting” for multiple sources.

If there is only a single source (usually the sudoers file), the open function provide enough of an error message. Printing two error messages is just confusing. [99a282277084]

plugins/sudoers/pwutil.c:
user_in_group: the user’s group vector already includes the primary group.

There’s no need to look up the name of user’s primary group (pw_gid), we always include the primary group ID in the group vector. [53f36984ebc8]

plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h:
Restore AUTH_INTR support, it is still needed.

We still need AUTH_INTR to know when to break out of the password prompt loop. [618807782033]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add ignore_perms plugin argument to skip the sudoers file security checks.

This is not intended to be used in a production environment. [92ae0335ee5b]

configure, m4/sudo.m4:
Fix test for unsetenv() returning void with clang 16.

Clang has dropped support for K&R function definitions so rewrite the test to require a unsetenv() prototype in stdlib.h. Fixes GitHub issue #302. [1a0ce3a79ee2]

plugins/sudoers/defaults.c:
Disable fast_glob and fdexec if SUDOERS_NAME_MATCH is defined.

We use SUDOERS_NAME_MATCH for fuzzing when we want to avoid searching the file system for commands. [2e6bc1f8fb22]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/match.c:
Do not rely on the definition of ALLOW/DENY being true/false.

We now explicitly check for ALLOW and DENY when checking return values and negating values. [1e4420b64b5d]

plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h:
Replace AUTH_INTR return with AUTH_FAILURE.

The two were treated identically by the caller. [e54b06561de1]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Move tty_present() into policy.c as sudoers_tty_present().

This function is policy-dependent. For the modern sudo front-end it will simply check tcpgid and/or ttypath. [36a5ece4027a]

plugins/sudoers/defaults.c:
Don’t set defaults values for features that are not present.

This means that lecture_status_dir and timestampdir are only set if _PATH_SUDO_LECTURE_DIR and _PATH_SUDO_TIMEDIR respectively are set. Also, the log server defaults are only set when SUDOERS_LOG_CLIENT is defined. [bb328fffe142]

plugins/sudoers/audit.c:
Call log_allowed() even when “log_allowed” is disabled.

Otherwise, sudo will not send mail if “mail_always” or “mail_all_cmnds” is set. [71d3f06fbee5]

plugins/sudoers/set_perms.c:
Quiet a PVS-Studio false positive about possible NULL dereference.

set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [0ec4b81df902]

plugins/sudoers/audit.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c:
Move a few fields from sudoers_user_contect to sudoers_context.

They are not really specific to the user or user-specified. [0e166cff8c3b]

plugins/sudoers/policy.c:
Remove dead code dealing with unknown user and MODE_INVALIDATE.

The timestamp unlink code does not need the user’s struct passwd pointer, just the user name (which we already have). Found by PVS- Studio. [dd41395692e5]

plugins/sudoers/set_perms.c:
Quiet a PVS-Studio false positive about possible NULL dereference.

set_perms() is only called with a NULL ctx for PERM_ROOT, PERM_SUDOERS and PERM_TIMESTAMP. [a6f38a82c80c]

plugins/sample/sample_plugin.c, plugins/sudoers/editor.c, plugins/sudoers/group_plugin.c, plugins/sudoers/policy.c, plugins/sudoers/sudoreplay.c, src/exec_ptrace.c:
Cast int to size_t before adding instead of casting the result.

Quiets PVS-Studio warning V1028. [39b9d54ae277]

src/exec_pty.c:
Use a global static struct exec_closure for the cleanup hook.

This is safer than storing a pointer to a stack variable in the cleanup function since we don’t need to worry about it ever going out of scope. Quiets a clang 15 analyzer warning. [bfb06721d43f]

plugins/sudoers/logging.c:
Plug memory leak if journal_parse_error() fails.

Found by the clang 15 analyzer. [0d7e0567187e]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
Add struct sudoers_conf to struct sudoers_plugin_context.

There’s now no need to pass this directly to init_parser() since we already pass in a pointer to a sudoers_context struct. [4a60e7b19a1a]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/sudo_ldap_conf.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
Store policy paths in struct sudoers_context.

This removes the need for the getters in policy.c. [8ff3016dc8ad]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_ctx_free.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
Add sudoers_ctx_free() and use it for freeing struct sudoers context.

This replaces sudoers_user_ctx_free() and sudoers_runas_ctx_free(). [ba25344753c3]

plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/display.c, plugins/sudoers/env.c, plugins/sudoers/file.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil.h, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sssd.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.h, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
Make struct sudoers_context private to sudoers.c.

We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary. [534d55781084]

plugins/sudoers/parse_ldif.c:
sudoers_parse_ldif: do not free parse_tree before using

The user is expected to pass in an initialized and empty parse_tree so there is no need to free it first. [4d6371e98087]

plugins/sudoers/pwutil_impl.c:
We still need to clamp ngids if getgrouplist2() returns -1.

Otherwise, we end up with ngids set to the number of gids the user belongs to which may be larger than what the front-end specified. Fixes a regression introduced in the last commit here. [4a2aeaf67236]

plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/sudoers.h:
Move max_groups out of sudoers_user_context and into pwutil.c.

It is only used by the local password pwutil implementation. [c33497cc3291]

plugins/sudoers/check_util.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Pass in directory to check_user_runchroot() and check_user_runcwd().

This way we do not rely on the runas_ctx global. [f70888bdedf6]

plugins/sudoers/audit.c, plugins/sudoers/callbacks.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/display.c, plugins/sudoers/logging.c, plugins/sudoers/lookup.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c:
Rename struct sudo_user -> struct sudo_user_context.

Also rename the sudo_user global to user_ctx. [d4b68657a430]

src/exec.c:
fd_matches_tty: only zero out fd_sb if fstat(2) fails.

We need to preserve the contents of the struct stat if the fd is some other type so the check for piped output works correctly. Bug #1057 [ac80d75699d1]

plugins/sudoers/callbacks.c:
Leave the I/O log callbacks in iolog.c

Otherwise, check_iolog_plugin will not link. [4e2304f22e89]

include/sudo_event.h, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/util.exp.in:
Use int, not short for events in the event API.

This fixes some -Wconversion warnings and fixes an inconsistency between the libsudo_util event API and the plugin event API. The actual struct internals still use shorts to avoid changing the ABI. [2d7fcd66f7e7]

plugins/sudoers/display.c, plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Add verbose version of “sudo -l command” by using an extra -l.

The output of “sudo -ll command” consists of the matching sudoers rule (in long form) with the addition of a “Matched” entry that shows the fully-qualfied path along with any arguments. [038d8555e50c]

lib/ssl_compat/ssl_compat.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
Fix checking of SSL_{read,write}_ex() return value.

These have a boolean-style return value. However, our emulated versions can return -1 on error, which we need to preserve for older versions of SSL_get_error() which expect it. [4e812f2456f1]

plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Store the source of the matching rule and store in the event log.

The JSON logs will store the matching rule source. [c7ee4ab87610]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/eventlog/regress/eventlog_store/test1.json.in, lib/eventlog/regress/eventlog_store/test1.json.out.ok, lib/eventlog/regress/eventlog_store/test2.json.in, lib/eventlog/regress/eventlog_store/test2.json.out.ok, lib/eventlog/regress/eventlog_store/test3.json.in, lib/eventlog/regress/eventlog_store/test3.json.out.ok, lib/eventlog/regress/eventlog_store/test4.json.in, lib/eventlog/regress/eventlog_store/test4.json.out.ok, logsrvd/iolog_writer.c, logsrvd/sendlog.c:
Log source in JSON logs

This makes it possible to tell which rule resulted in a match. [a2573ce8ce3f]

plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Use a single callback for sudoers_lookup() and add a closure pointer.

The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output. [547d0256f22a]

include/sudo_digest.h, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/getentropy.c, lib/util/regress/digest/digest_test.c, lib/util/util.exp.in, plugins/sudoers/filedigest.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
sudo_digest_getlen: return size_t, and 0 on error instead of -1

This is an API change, sudo_digest_getlen_v1 remains for binary compatibility. [5866df2f4aab]

etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Don’t use sudo when building AIX packages

PolyPkg uses “sudo installp -l” to list the built package by default but we may not have sudo privileges on the build host. [e8ed6064193d]

scripts/mkpkg:
Add –configure-only option to quit after the configure run.

This will be used to avoid building the entire package when we just want the 32 or 64 bit sudo_intercept.so and sudo_noexec.so. [22c7cec5a6a1]

scripts/mkpkg:
Parse –disable-python in mkpkg and don’t override -m32 for Solaris.

We want to be able to build without python and to specify the memory model when building 32-bit .so’s for Solaris. [bf21f6e67ff5]

INSTALL.md, Makefile.in, configure, configure.ac:
Add –enable-postinstall, an optional phase when building packages.

This makes it possible to run an arbitrary script between “make install” and the polypkg run. This will be used to copy different word size versions of sudo_intercept.so and sudo_noexec.so. [d4e84fa16ccf]

INSTALL.md, config.h.in, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, src/exec_preload.c:
Add basic support for 32-bit and 64-bit LD_PRELOAD equivalents.

The noexec and intercept DSO settings may now include both a 32-bit DSO and a 64-bit DSO specified by a colon. For example: /usr/libexe c/sudo/sudo_intercept.so:/usr/libexec/sudo/sudo_intercept_64.so. [9489d8625acb]

docs/visudo.man.in, docs/visudo.mdoc.in:
visudo: document that a new file is only created if the editor writes it.

If visudo is used to create a new file, the file will only be created if the user writes to the file via the editor. Simply running visudo and exiting the editor will no longer cause the file to be created. There is an exception for file created due to the addition of a @include directive, which need to be present for the sudoers file to parse properly. GitHub issue #294. [21e4d5cc5f43]

plugins/sudoers/visudo.c:
visudo: do not create a new file if the user made no changes

This prevents visudo from creating a new zero-length sudoers file if the user exited the editor without making any changes. Files created via a @include directive are preserved, even if empty, to avoid a parse error. GitHub issue #294. [4f086bb7ecdd]

README.md, docs/CONTRIBUTING.md:
Make the sections on bug reporting consistent with each other.

GitHub issue #292 [d02253b4533d]

src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
Don’t assume that if std{in,out,err} is a tty, it is the user’s tty.

Previously, sudo only checked that the fd was a terminal, not that it matched sudo’s idea of the user’s terminal. This matters when input or output is redirected to a different terminal. In that case we want to interpose the fd with a pipe even if it refers to a terminal. Bug #1056. [42838100b526]

plugins/sudoers/testsudoers.c:
testsudoers: add -L, -l and -v options.

This makes it possible to test “sudo -l” and “sudo -v” using testsudoers. [871563fd71f0]

plugins/sudoers/lookup.c:
sudoers_lookup_pseudo: sync with sudoers_lookup_check

This makes sudoers_lookup_pseudo(), which is used for pseudo-command like “list” and “validate” a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the “pwcheck == all” case. [534b5e02dc34]

plugins/sudoers/logging.c:
Fix user warning message for “sudo -l command” when not allowed. Reported by the sudo-rs project.

There was a missing space between “list” and the actual command. This also changes the output to include the command as specified by the user, not the path found in the path. Previously, if the command did not exist it would not be included in the message. [f509188ce041]

plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
Add free function for sudo Python module.

This reduces the amount of memory leaked on unload. [71e459d071be]

plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
Merge sudo_module_register_loghandler and sudo_module_set_default_loghandler.

We now create the LogHandler class for each interpreter in python_plugin_init() instead of just once in sudo_module_init(). This fixes the crash seen in Py_EndInterpreter() with Python 3.12 and significantly reduces the number of leaked objects tracked by MemorySanitizer. [d257e01240c1]

plugins/python/python_loghandler.c:
Work around a crash with Python 3.12.

In sudo_module_set_default_loghandler() if we don’t leak the reference to py_loghandler we get a crash in Py_EndInterpreter() with Python 3.12. This probably indicates a reference counting bug elsewhere. [89fb0311367c]

plugins/python/python_convmessage.c, plugins/python/python_loghandler.c, plugins/python/sudo_python_module.h:
Make sudo_type_ConvMessage and sudo_type_LogHandler static.

They are not used outside their respective compilation units. [9ec37d3a2f64]

plugins/python/python_plugin_common.c:
_python_plugin_new_interpreter switches to the new interpreter

No need to do PyThreadState_Swap in the caller. [c848e20f3e93]

plugins/python/python_plugin_common.c:
Call PyImport_AppendInittab after pre-initialization.

Also remove redundant PyConfig settings. [e4f463e1094a]

plugins/python/python_plugin_common.c:
Use Py_InitializeFromConfig() not Py_InitializeEx() for Python >= 3.8.

Avoids deprecation warnings on Python 3.12. [56e4c7111744]

NEWS:
The sudoers option is “use_pty”, not “log_pty”

GitHub issue #291 [31cf599c73d5]

plugins/sudoers/sudoers.c:
sudoers_check_common: MODE_PRESERVE_ENV is not valid with MODE_CHECK.

We should only check for MODE_PRESERVE_ENV when running a command. [8fc6f392cc43]

MANIFEST, plugins/sudoers/match.c, plugins/sudoers/regress/testsudoers/test28.out.ok, plugins/sudoers/regress/testsudoers/test28.sh:
runas_userlist_matches: fix matching a Runas_Spec with an empty runas user.

We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290 [ba9da369370e]

src/exec_pty.c:
Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped.

This fixes a problem with “stair-stepped” output when the sudo-run command’s output is piped to another program and the command reads input from the terminal. [faa06b1e8913]

src/exec_monitor.c, src/exec_pty.c:
Simplify the exec_monitor() foreground flag.

Add cmnd_foreground flag that is only true if sudo is the foreground process and the CD_EXEC_BG flag is not set and pass it to exec_monitor(). This means exec_monitor() no longer needs to check for CD_EXEC_BG. [65ac52524254]

include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c:
sudo_term_raw: change the isig argument into a flags field

There are current two flags: SUDO_TERM_ISIG (enable terminal signals) and SUDO_TERM_OFLAG (preserve output flags). [09eced2fb202]

src/exec_ptrace.c:
Fix a crash in intercept mode running a command with NULL argv[0].

Newer Linux kernels replace a NULL argv[0] with the empty string, we should as well. [d1cb1882d7e8]

src/conversation.c:
sudo_conversation: zero out reply even if no password is requested.

This avoids a potential invalid free in the err label and provides more predictable behavior when mixing message types in a conversation. [79cc9efe3dbf]

plugins/sudoers/log_client.c:
fmt_info_messages: don’t include ttyname if it is NULL

The NULL check was commented out for testing but should have been restored. Fixes a potential protocol error message from sudo_logsrvd. [c983428b3ad8]

logsrvd/iolog_writer.c:
evlog_new: store a new copy of peeraddr, not a pointer to a buffer.

Starting in sudo 1.9.14, eventlog_free() will free the peeraddr member too so it needs to be dynamically allocated. [846cf82b8eab]

config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/realpath.c:
realpath.c: include limits.h and use sysconf(_SC_SYMLOOP_MAX)

This is more portable and eliminates the need to check for SYMLOOP_MAX (and provide it if missing) in configure. Also quiet some -Wconversion warnings. [beabc1e73e11]

plugins/sudoers/ldap_conf.c:
sudo_krb5_ccname_path: avoid gcc false positive for ccname being NULL

The callers all verify that they don’t pass a NULL ccname so I’m not sure how the compiler is getting confused (and why now?). [93043879e7f2]

plugins/sudoers/check_util.c, plugins/sudoers/regress/testsudoers/test25.out.ok, plugins/sudoers/regress/testsudoers/test25.sh, plugins/sudoers/regress/testsudoers/test26.out.ok, plugins/sudoers/regress/testsudoers/test26.sh:
Only allow the user to specify -D or -R for the special “*” value.

The sudoers file must now explicitly allow the user to specify a directory (sudo -D) or chroot (sudo -R) by setting cwd or chroot to “*”. If a specific cwd or chroot value is set in sudoers, the user may not use the -D or -R options, even if they match the value in sudoers. [790d60c6ed4b]

include/sudo_debug.h, lib/util/sudo_debug.c:
Convert sudo_debug_enter and sudo_debug_exit into macros.

In most cases, these simply expand to a call to sudo_debug_printf2(). We need to keep the function versions around in libsudo_util for backwards compatibility. [b76b35e12afa]

plugins/sudoers/timeout.c:
parse_timeout: move overflow check to the correct location

It was not covering all cases in its original location. Fixes oss- fuzz issue 60454 with fuzz_sudoers. [e40119f18e83]

Merge pull request #287 from AtariDreams/restrict

Give every printf-like function restrict qualifiers [4945ab27d6c4]

src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
struct exec_closure: make rows and cols int, not short

There’s no real space saved by using short and using int avoids a few casts. [8385add04ed2]

include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_plugin.h, include/sudo_util.h, lib/eventlog/logwrap.c, lib/util/fatal.c, lib/util/inet_ntop.c, lib/util/lbuf.c, lib/util/snprintf.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/audit_json/audit_json.c, plugins/group_file/plugin_test.c, plugins/python/pyhelpers.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_printf.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_preload.c, src/parse_args.c, src/sudo_plugin_int.h:
Give every printf-like function restrict qualifiers

The format value has to be a string literal, every time.

Otherwise, you are not using these functions correctly. To reinforce this fact, I putrestrict over every non-contrib example of this I could find. [e0f8bc0d596a]

plugins/sudoers/iolog_path_escapes.c:
Copy, don’t append group ID in fill_group() and fill_runas_group()

This only affects the case where a group ID cannot be resolved. [74cc29b9f7f0]

lib/util/roundup.c:
sudo_pow2_roundup: fix 64-bit version when shifting 31 or more places

Shift 1UL instead of 1 to avoid overflowing an int. [4d45af829af0]

Merge pull request #286 from AtariDreams/one-more

Optimize sudo_pow2_roundup_v1 [5cff0594a45c]

lib/util/roundup.c:
Optimize sudo_pow2_roundup_v1

No need to call sudo_pow2_roundup_v2. [0bcd411174c0]

lib/util/roundup.c:
Merge pull request #285 from AtariDreams/bug

Remove comment about algorithm being from bit-twiddling hacks [869552550451]

lib/util/roundup.c:
Remove comment about algorithm being from bit-twiddling hacks

Said comment no longer applies. [e2fc0106c79f]

Merge pull request #284 from AtariDreams/fix

Fix fuzzing errors [4abff6645036]

Merge pull request #283 from AtariDreams/bug

Fixed even more signedness and conversion issues [bbf1887a5132]

lib/util/parseln.c, lib/util/roundup.c, logsrvd/logsrvd_journal.c:
Fix fuzzing errors

We should be checking for integer overflow, rather than checking if size is 0.

Additionally, we should set errno to ENOMEM when this overflow happens.

Finally, the most efficient implementation of the round-up-to-2 algorithm involves the clz intrinsic. [db08a808004d]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/timestamp.c, plugins/sudoers/tsgetgrpw.c, src/sudo.c:
Fixed even more signedness and conversion issues

This should be the last of them. [ccd65d72c6ac]

include/sudo_debug.h, lib/util/sudo_debug.c, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_loghandler.c, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h:
Make the debug subsystem unsigned.

It was already unsigned in sudoers but not in the front-end or the python plugin. Making this consistent resolves a lot of -Wconversion warnings. Also clean up some other -Wconversion warnings in sudo_debug.c. [c6d20404141c]

Merge pull request #280 from AtariDreams/bug

Mark functions not returning as sudo_noreturn [eaa69a6d85c6]

lib/eventlog/eventlog.c, lib/eventlog/regress/eventlog_store/store_json_test.c, lib/eventlog/regress/eventlog_store/store_sudo_test.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/parse_json/check_parse_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, logsrvd/logsrvd.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sesh.c, src/sudo.c:
Mark functions not returning as sudo_noreturn

We also put NOTREACHED where it applies. [d688d55f3c4c]

Merge pull request #279 from AtariDreams/bison

Regenerate toke.c using updated flex [3fc1517ec05d]

plugins/sudoers/testsudoers.c:
testsudoers: make lbuf private to dump_sudoers()

It is no longer used directly in main. [c2c5e7b3db6b]

plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/testsudoers.c:
testsudoers: display “Parse error” if there was a parse error.

Previously, we just printed “Command unmatched” which makes it harder to see that an error occurred. [099360b56cc6]

plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test21.out.ok, plugins/sudoers/regress/testsudoers/test22.out.ok, plugins/sudoers/regress/testsudoers/test23.out.ok, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/testsudoers.c:
testsudoers: use allowed/denied/unmatched instead of just matched/unmatched

This makes it possible to tell whether an entry was rejected due to a negative match (explicitly denied) as opposed to a non-match. Also fixes a bug where the runas status was only printed for positive matches. [3e9fc5fd7bb9]

plugins/sudoers/lookup.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
Add callbacks to sudoers_lookup() so we can use it in testsudoers.

Also pass in the time to be used for NOTBEFORE/NOTAFTER checks. [bcd59528055a]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Regenerate toke.c using updated flex

Use the current version of flex to generate toke.c [118d001d189c]

plugins/sudoers/testsudoers.c:
Merge pull request #278 from AtariDreams/types

Avoid compiler casting warnings Part 2 [894767f88afa]

plugins/sudoers/sudoers.c:
check_user_runcwd: only allow sudo’s -D option if sudoers specifies a runcwd.

Previously, the user could specify the runas user’s home dir for “sudo -i” or the user’s existing cwd when -i is not specified. This behavior was never documented and is inconsistent with how the -R option is handled. [e79eddc35325]

MANIFEST, plugins/sudoers/regress/testsudoers/test24.out.ok, plugins/sudoers/regress/testsudoers/test24.sh, plugins/sudoers/testsudoers.c:
testsudoers: add support for NOTBEFORE and NOTAFTER

Also adds -T option to set the value of “now”. [b2d95b4a131d]

logsrvd/logsrvd.c:
Merge pull request #265 from AtariDreams/types

Avoid compiler casting warnings by assigning to variables of the same type where possible [16d8e7383e3e]

Merge pull request #277 from AtariDreams/debug_return_int(1);

We should be returning 0, not 1, when logservd finishes without errors [19289d607981]

logsrvd/logsrvd.c:
We should be returning 0, not 1, when logservd finishes without errors

1 is for failure, 0 is for no failure, and this does not look like a failure. [7a0d2f4bf5d3]

config.h.in, configure, configure.ac, src/sudo_intercept.c, src/sudo_intercept_common.c:
Fix undefined symbol on macOS for intercept mode and log_subcmds.

macOS does not support direct access to the environ pointer from a shared object. We need to redirect through _NSGetEnviron() instead. Fixes GitHub issue #276. [2cbebcb8082c]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
check_user_runcwd: allow -D option if it matches the cwd in sudoers

Previously, check_user_runcwd() would return true if the runcwd matched the user’s cwd, even if sudoers specified a different one. The user-specified runcwd was ignored but it is better to error out in this case. It is now also possible to use “sudo -D” with the directory specified in sudoers. [d32e07966e0e]

Merge pull request #275 from AtariDreams/emergency

Set command_info to NULL once it is freed [6d1e55f4e7b9]

plugins/sudoers/policy.c:
Set command_info to NULL once it is freed

The lack of setting to NULL is a holdover from when command_info was a local variable and not a global one. However, we given how other global variables are set to NULL, it is best that we do the same here to avoid potential issues should sudoers_policy_store_result be called again after the first time failed, otherwise we could get a double-free. [a1a462a52a98]

Merge pull request #274 from bin-ly/main

Modify the is_script function for match_command.c [05675d16bd52]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Reference SETENV-related settings in the command environment section.

Based on GitHub PR #273 from Ilya Kulakov. [f8b5ef533800]

Merge pull request #266 from AtariDreams/c99

Do variable length arrays the C99 way [690561b17683]

Merge pull request #269 from trackers-lover/main

correct the return value type of function alias_find_used [30dc3eb4a59a]

plugins/sudoers/match.c:
runaslist_matches: split out user_list and group_list matching.

This makes it possible to call the appropriate runas user or group list match function when resolving aliases instead of calling runaslist_matches() itself. Fixes a bug that prevented the group specified via “sudo -g” from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec. [3e0885e96418]

plugins/sudoers/match.c:
runaslist_matches: remove special case to handle “sudo -g group”

Now that we are guaranteed to have a runas user list for all sudoers rules that contain a runas list, we can remove support for the special case where user_matched is set in the runas group matching conditional. This fixes a bug where “sudo -u myuser -g mygroup” was permitted by a rule like “myuser ALL = (root) ALL”. [d80e907efe77]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.out.ok:
Populate runasusers even when only a grouplist is specified.

When a sudoers rule permits the user to run commands as a group, not a user, we should set the runasusers to single member with the special MYSELF token. This guarantees that the only time runasusers will be NULL is when no runaslist is present. [25c293ae5053]

plugins/sudoers/match.c:
runaslist_matches: fix bug when no runas list is specified in sudoers.

If a sudoers rule has no runas list, a user-specified runas group should only be allowed if it matches a group that the default runas user belongs to. Instead, a missing group check allowed the user run commands as the default runas user with an arbitrary group.

This means that a rule like “somebody host = ALL”, which should be equivalent to “somebody host = (root) ALL”, had the same effect as “somebody host = (root:ALL) ALL”. [eeb075b3b79c]

Merge pull request #272 from millert/main

Avoid use of variable length arrays and add ctype(3) casts. [806b2266f6ab]

Merge pull request #270 from moehanabi/main

Add %n$s support for sudo_lbuf_append_v1 [53ad2cdaaabe]

include/sudo_event.h, lib/util/event.c, lib/util/rcstr.c, plugins/sudoers/canon_path.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
Do variable length arrays the C99 way

Variable length arrays are supported by C99, but having it denoted as “1” confused the compiler and is not defined.

Note that because we don’t get the inferred NULL terminator, we have to increase the malloc size by one. [4e33419e940e]

lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c, lib/iolog/hostcheck.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/event.c, lib/util/explicit_bzero.c, lib/util/fatal.c, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/hexchar.c, lib/util/inet_ntop.c, lib/util/json.c, lib/util/lbuf.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/multiarch.c, lib/util/progname.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/term.c, lib/util/uuid.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/editor.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/iolog.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestr.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_monitor.c, src/limits.c, src/parse_args.c, src/sesh.c, src/sudo.c, src/sudo.h:
Avoid compiler casting warnings by assigning to the same type where possible

This saves instructions that are related to casting as well as compiler warnings. [d47033551fca]

lib/util/mktemp.c, lib/util/regress/tailq/hltq_test.c, lib/util/sudo_debug.c, lib/util/ttyname_dev.c, plugins/group_file/plugin_test.c, plugins/sudoers/editor.c, plugins/sudoers/filedigest.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_digest.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec_monitor.c, src/limits.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c:
Avoid compiler casting warnings Part 2

This saves instructions that are related to casting as well as compiler warnings. [685a954b019f]

plugins/sudoers/visudo.c:
Work around a macOS a kernel bug where tcsetpgrp() does not restart.

I reported this bug to Apple over 12 years ago. [77871464e563]

plugins/sudoers/visudo.c:
run_command: run editor in foreground if visudo is the foreground process

The command is now always run in its own process group. If visudo is run in the foreground, the command is run in the foreground too. Otherwise, run the command in the background. There is a race between the tcsetpgrp() call in the parent and the execve() in the child. If we lose the race and the command needs the controlling terminal, it will be stopped with SIGTTOU or SIGTTIN, which the waitpid() loop will handle. [e8e14e0024da]

plugins/sudoers/visudo.c:
Accept carriage return for EOL in addition to newline.

Since visudo doesn’t alter the terminal settings it is possible for the terminal to have the ONLCR bit set in the output control flags. In that case, we will get a CR, not a NL when the user presses enter/return. One way this can happen is if visudo is run in the background from a shell that supports line editing and the editor restores the (cbreak-style) terminal mode when it finishes. [14538e74fd02]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
Move sudoers search path to struct sudoers_parser_config.

That way we can avoid passing it to init_parser() directly. We still need sudoers_search_path to be shared between the lexer and the parser. [5e6c6a08aded]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c:
Add struct sudoers_parser_config and pass it to init_parser().

This struct contains parser configuration such as the sudoers file uid/gid/mode and parse flags such as verbose, strict and recovery. [ed8042e7a49a]

include/sudo_iolog.h, lib/iolog/iolog_gets.c:
iolog_gets: change size parameter to int to match fgets/gzgets

Return an error, setting errno to EINVAL, for negative sizes. [27534bcb58a7]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Rename force_umask to override_umask and make it private to sudoers.c.

Add getter for policy.c. [1c8a56c767f3]

plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
Make timestamp_uid and timestamp_gid private to timestamp.c.

Add getter (for set_perms.c) and setter (for sudoers.c). [ad49d0ee7e6f]

plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.h:
Make login_style private to bsdauth.c

Add a setter for policy.c to handle auth_type from the front-end. [962af1d3d0fd]

Merge pull request #260 from AtariDreams/size_t

Prefer size_t over int, as casting can take extra instructions [c0fd1027e105]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
Rename init_parser_ext() to init_parser() and remove old wrapper.

There was only one consumer of the init_parser() wrapper now that reset_parser() has been introduced. [4be1b8965ce6]

plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
Make path_ldap_conf and path_ldap_secret private to policy.c.

Add getters for both so the ldap code can access them. [90a2107d6ec7]

plugins/sudoers/file.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
Make sudoers_file private to policy.c and visudo.c.

We just need a way for the policy (and visudo) to override the default sudoers path. This adds a getter to be used in file.c when sudoers is first opened. [657aa80f3af8]

plugins/sudoers/visudo.c:
Track the destination sudoers path for each parsed file.

When adminconfdir is enabled, the destination pathh may be different from the path we opened. We always store an edited file in the adminconfdir (if enabled). This makes it possible to use visudo when /etc/sudoers is located on a read-only file system. [de896a012d81]

logsrvd/logsrvd_conf.c:
No longer need to set AI_NUMERICSERV while fuzzing.

Now that getaddrinfo() is stubbed out while fuzzing we can remove the hack that set AI_NUMERICSERV. [8e3deb584c1c]

src/exec_pty.c:
Better support for “sudo -b” when running the command in a pty.

When a command is run via “sudo -b” it has no access to terminal input. In non-pty mode, the command runs in an orphaned process group and reads from the controlling terminal fail with EIO. We cannot do the same while running in a pty but if we set stdin to a half-closed pipe, reads from it will get EOF. That is close enough. [a284611a18fd]

src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.h, src/ttyname.c:
Avoid calling isatty()/ttyname() on std{in,out,err} if not a char dev.

The user controls these fds so we should avoid calling ioctl(2) on them unless they correspond to actual character device files. [745430b563db]

src/parse_args.c, src/sudo_usage.h.in:
Hard-code usage() and help() for an 80-column terminal.

Trying to tailor the help and usage output to the terminal width is simply not worth it and could be abused to mark a socket as “trusted” on Linux if there are additional kernel bugs like CVE-2023-2002. [d06fa6322ffb]

include/sudo_util.h, lib/util/ttysize.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c, src/parse_args.c, src/sudo.c:
Add an fd argument to sudo_get_ttysize() instead of always using stderr.

For sudoreplay we open /dev/tty, so use that instead of stderr when determining the terminal size. [4afc292d3cf4]

configure, configure.ac:
Use -no-undefined on macOS to avoid “-undefined dynamic_lookup” warnings.

Starting with macOS 13, the linker warns when “-undefined dynamic_lookup” is used. This is added by libtool by default on macOS but we can suppress it by passing -no-undefined to libtool. [afeb9acd894c]

docs/UPGRADE.md, docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c:
Enable the use_pty option by default for sudo 1.9.14.

GitHub issue #258 [86a1a6da1878]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Split up the monolithic sudoers_policy_main() function.

This splits the code to find the command, perform a sudoers lookup, ask for a password as needed, and perform post-lokup checks out into sudoers_check_common(). The old sudoers_policy_main() has been replaced by sudoers_check_cmnd() (called by sudoers_policy_check()), sudoers_validate_user() (called by sudoers_policy_validate()) and sudoers_list() (called by sudoers_policy_list()). The list_user lookup is now performed in sudoers_list(). [59e0b245c776]

plugins/sudoers/sudoers.c:
Move the root_sudo check until after we apply per-command Defaults.

It is possible, though unlikely, for “root_sudo” to be used in a per-command Defaults statement. [ca1903576e0d]

plugins/sudoers/sudoers.c:
sudoers_policy_main: restore locale if sudoers_lookup() fails.

Previously, if sudoers_lookup() set VALIDATE_ERROR, the sudoers locale would still be in effect instead of the original locale. [24df4eebbfc8]

plugins/sudoers/parse.c:
sudoers_lookup_pseudo: remove validated function argument

This was always set to FLAG_NO_USER|FLAG_NO_HOST which are cleared at the top of the fuction. Make validated a local variables, initialized to 0, instead. No change in behavior. [72e6207850fc]

src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
Replace tty_mode global with term_raw flag in struct exec_closure.

The pty_cleanup hook needs access to the closure so add pty_cleanup_init() to store a pointer to the closure for use by pty_cleanup_hook(). [cc01f0da46d9]

src/exec_pty.c:
On resume, always sync the pty terminal settings with /dev/tty.

Changes made to the terminal settings while the command is suspended are now reflected in the pty when the command is resumed. This is more consistent with the non-pty behavior and allows for the removal of the “tty_initialized” global. One downside to this change is that if a terminal-based program using the pty is stopped with SIGSTOP it may have the wrong terminal settings on resume. However, this is no different from the non-pty case. [3e59765dea31]

Merge pull request #252 from bin-ly/main

fix typo in uninstall target [4a1d3542345c]

Merge pull request #244 from ffontaine/main

configure.ac: fix openssl static build [af40f67e9771]

m4/openssl.m4:
configure.ac: fix openssl static build

Do not use AX_APPEND_FLAG as it will break static builds by removing duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto. This will fix the following build failure with sparc which needs -latomic:

Checking for X509_STORE_CTX_get0_cert configure:21215:
/home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot- linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DZLIB_CONST -static conftest.c -L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic -lcrypto >&5 /home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc- buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux- uclibc/bin/ld:
/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc- buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in function X509_CRL_up_ref': x509cset.c:(.text+0x108): undefined reference to __atomic_fetch_add_4’

[…]

In file included from ./hostcheck.c:38:
../../include/sudo_compat.h:342:41: error: conflicting types for ‘ASN1_STRING_data’ 342 | # define ASN1_STRING_get0_data(x) ASN1_STRING_data(x) | ^~~~~~~~~~~~~~~~

Fixes:

• http://autobuild.buildroot.org/results/8be59dd94e4916f9457cb435104e3 6e62a28373b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@…> [487cfc17c742]

Merge pull request #240 from thesamesam/c23

sudo_fatal: Fix build where compiler recognises [[noreturn]] attribut… [22ae0d4402ac]

include/sudo_fatal.h:
sudo_fatal: Fix build where compiler recognises [[noreturn]] attribute (C23)

If the compiler supports [[noreturn]] as a attribute as in C23, then we define sudo_noreturn to be it. When that’s the case, we must place it at the beginning of the declaration, before any other extension attributes (__attribute(…)).

A bug has been filed with GCC regarding rejecting/accepting mixed attribute styles.

sudo_dso_public is always an extension attribute, while sudo_noreturn only might be, so put it first.

This only shows up with GCC 13 so far (see the linked GCC bug for a bit more exploration). Clang 16 does support the attribute but doesn’t let you use it for earlier language versions (need to pass explicit -std=c2x, unlike with GCC here).

This is essentially a followup to e707ffe58b3ccfe5c72f54c38eac1d7069d5021e.

Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211, Clang 16.0.0_rc2, and Clang 15.0.7.

Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796 Closes:
https://github.com/sudo-project/sudo/issues/239 Fixes:
e707ffe58b3ccfe5c72f54c38eac1d7069d5021e Fixes:
16ae61dcd7d3cd8bf6eb10a22fa742d4505da4e9 [806b5f3a6485]

Merge pull request #230 from trackers-lover/main

Return value does not match [1dc4317beaf7]

Merge pull request #235 from kernelmethod/apparmor_dependencies

Replace the Debian libselinux1 dependency with libapparmor1 [ca29638c5c34]

etc/sudo.pp:
Replace the Debian libselinux1 dependency with libapparmor1

Debian >= 10 uses AppArmor by default instead of SELinux, so SELinux-related sudo features are typically going to be unusable in Debian installs. This changes the dependency on libselinux1 to be a dependency on libapparmor1 for .deb packages built with make package. [5779ce23a161]

docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, include/sudo_lbuf.h, lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c:
Escape control characters in log messages and “sudoreplay -l” output. The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped.

Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces.

Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com). [1cd37144190c]

Merge pull request #227 from sohomdatta1/integer_underflow

Prevent integer underflow due to environment variable [c6c716352077]

plugins/sudoers/env.c:
Prevent integer underflow due to environment variable

Gaurd against replacing quotes when the environment variable val_len is 1. [1b926824dcf8]

Merge pull request #226 from rtczza/main

debug_return_int use error [7743f67838ae]

Merge pull request #218 from sohomdatta1/snprintf

[snprintf] Check for ‘\0’ to prevent undef memory read [050882923c98]

Merge pull request #214 from BornThisWay/1124_repeated_invocation

check_syntax(): Remove duplicate calls to init_defaults() [3383fb0a6f5f]

Merge pull request #212 from BornThisWay/1122_null_deref

sudo_rcstr_dup: Fix potential NULL pointer deref [58fcefa888fa]

Merge pull request #210 from BornThisWay/1121_typo

Fix some typos [9d1e9278effb]

Merge pull request #208 from BornThisWay/1121_return

intercept_read: Print and then return. [615c2d5fca36]

Merge pull request #205 from BornThisWay/1119_access_null_pointer

sudo_mmap_strdup_v1: Fix potential NULL pointer deref [bad55afc72bb]

Merge pull request #200 from BornThisWay/fix_mem_leak_converse

Fix memory leak of pass in converse(). [b411801abdf7]

Merge pull request #196 from sohomdatta1/main

Prevent cvtsudoers from reading into undefined memory [f21c417bbbb3]

Merge pull request #177 from a1346054/fixes

Makefile.in: replace egrep and fix target name [751aa03eb470]

Merge pull request #165 from bdrung/xdg-current-desktop

Add XDG_CURRENT_DESKTOP to initial_keepenv_table [3d2e82e32ea8]

Merge pull request #168 from likunyur/lky

Remove unnecessary initialization and casts. [fcb251c895ce]

Merge pull request #169 from kempstonjoystick/main

Fix incorrect SHA384/512 digest calculation. [f016c3a37255]

lib/util/sha2.c:
Fix incorrect SHA384/512 digest calculation.

Resolves an issue where certain message sizes result in an incorrect checksum. Specifically, when: (n*8) mod 1024 == 896 where n is the file size in bytes. [e9f235a8d432]

lib/util/arc4random.c:
util/arc4random: (void*) type pointer passing address could remove cast

Signed-off-by: Li zeming <zeming@…> [aa4e8c73f131]

lib/iolog/hostcheck.c:
iolog/hostcheck: These two parameters do not need to be initialized and assigned, the following code is directly assigned

Signed-off-by: Li zeming <zeming@…> [dd657435f277]

Merge pull request #166 from c4rlo/patch-1

visudo.c: add nvim (Neovim) to lineno_editor list [97e0a7b00daa]

plugins/sudoers/visudo.c:
visudo.c: add nvim (Neovim) to lineno_editor list

Neovim supports it: https://neovim.io/doc/user/starting.html#-+ [020b59cf0f6b]

plugins/sudoers/env.c:
Add XDG_CURRENT_DESKTOP to initial_keepenv_table

Qt needs XDG_CURRENT_DESKTOP to be set to determine the correct theme.

Since DISPLAY and XAUTHORITY are already in the default table of variables to preserve in the environment, just add XDG_CURRENT_DESKTOP to it.

Bug: https://launchpad.net/bugs/1958055 Signed-off-by: Benjamin Drung <bdrung@…> [aa5132684c89]

Merge pull request #163 from Firstyear/20220725-sudo-ldap-schema

Update sudoUser to be utf8 in ldap schemas [91354fc2ed23]

docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo:
Update sudoUser to be utf8 in ldap schemas

In most unix-style LDAP servers, uid is a utf8 string defined by OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant that sudoUser could only represent a subset of possible values.

In some cases when using sudoers.ldap, the uid from the machine which was utf8 was fed back into sudo which would then issue a search for sudoUsers. If this uid contained utf8 characters, the ldap server would refuse to match into sudoUsers because these were limited to IA5.

This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning that this change will not impact existing deployments and their rules. [7a47e711ca88]

plugins/sudoers/cvtsudoers.c, src/sudo_intercept_common.c:
Merge pull request #161 from likunyur/lky

sudoers/cvtsudoers: Remove the repeated ‘;’ from code [9b961a3b9c86]

src/sudo_intercept_common.c:
src/send: Remove the repeated ‘;’ from code

Signed-off-by: Li kunyu <kunyu@…> [6fc809eac0b1]

plugins/sudoers/cvtsudoers.c:
sudoers/cvtsudoers: Remove the repeated ‘;’ from code

Signed-off-by: Li kunyu <kunyu@…> [75582c880c30]

Merge pull request #157 from 0x2b3bfa0/improve-tag-spec-ebnf-docs

Improve Tag_Spec EBNF documentation [f528335aded5]

Merge pull request #156 from delroth/aarch64-build

exec_ptrace: fix missing sudo_pt_regs on aarch64 [a7062c609a96]

src/exec_ptrace.h:
exec_ptrace: fix missing sudo_pt_regs on aarch64

AArch64 already had an existing “user_pt_regs” struct and didn’t need a struct alias before the renaming to “sudo_pt_regs”. Make the code build again by adding the now missing alias.

Fixes: 2eb8ff17 [3b55f40e9b83]

Merge pull request #154 from 0x2b3bfa0/fix-tag-spec-docs

Add missing colon in Tag_Spec documentation [ec8f4610b677]

Merge pull request #152 from particleflux/fix-sudoers-typo

Fix typo in sudoers comment [bbbcff4c14ba]

plugins/sudoers/sudoers.in:
Fix typo in sudoers comment

Fix a typo in the sudoers comment about maxseq param.

Introduced by 906eb19ece47023c659b4b3db2e7a6bb57dff0d9 in 1.9.11. [b38fae41b3eb]

Merge pull request #148 from kernelmethod/apparmor_support

Add AppArmor support to sudo [fcbfb2410afd]

MANIFEST, include/sudo_debug.h, src/Makefile.in, src/apparmor.c, src/parse_args.c, src/sudo.c, src/sudo.h:
Add an apparmor_profile sudo setting

Define a new sudo setting, apparmor_profile, that can be used to pass in an AppArmor profile that should be used to confine commands. If apparmor_profile is specified, sudo will execute the command using the new apparmor_execve function, which confines the command under the provided profile before exec’ing it. [a54897efe031]

plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.l:
Add an APPARMOR_PROFILE user spec option to sudoers

sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g.

alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL

The line above says “user alice can run any command as any user/group, under confinement by the AppArmor profile ‘foo’.” Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration

alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL

allows alice to run any command unconfined (i.e., without an AppArmor profile), while

alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL

tells sudoers that alice can run any command under the stacked AppArmor profiles ‘foo’ and ‘bar’.

The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying ‘APPARMOR_PROFILE=unconfined’ for a privileged subset of users. [2afe8c910959]

config.h.in, configure.ac, scripts/mkdep.pl, scripts/mkpkg:
Add a –with-apparmor build flag

Add a new build flag, –with-apparmor, that builds sudo with AppArmor support. Modify the build script for Debian and Ubuntu to enable this flag by default. [596b4e6dce4d]

INSTALL.md, docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add documentation for AppArmor support

• Document the AppArmor userspec option in the sudoers man pages.
• Add information about the –with-apparmor build configuration option to INSTALL.md. [524dde965b94]

docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add libapparmor-dev to the Debian and Ubuntu Dockerfiles

Install libapparmor-dev on Debian- and Ubuntu-based Docker images so that they can build sudo with AppArmor support. [8491c8b6d240]

Merge pull request #138 from dfskoll/main

If we’re using Kerberos, don’t overwrite a custom prompt [266b04c9ee0a]

plugins/sudoers/auth/kerb5.c:
If we’re using Kerberos, don’t overwrite a custom prompt if one was given with -p

Thanks to @thend20 for testing this patch. [e62136f88c3e]

Merge pull request #133 from Dzejrou/main

Do not unset user timeout when no default timeout is set. [58504381014e]

Merge pull request #132 from ninedotnine/patch-1

Sync example sudoers with default sudoers [8c903452e624]

examples/sudoers:
Sync example sudoers with default sudoers

sudoers.in was changed by 1d13533 [f34657ff9345]

plugins/sudoers/defaults.c:
Don’t set/run early Defaults if a custom defaults_list is specified. Defaults settings passed in by the front end are already “early” so there is no need to treat any of them as special.

Otherwise, we end up running the early defaults callbacks before sudoers has been parsed. This means that, for instance, it is not possible to disable the fqdn flag before its callback is run if sudo is build with the –with-fqdn option. Bug #1016. [8c6eaa503793]

Merge pull request #127 from Tyler887/main

Typo [c4780c2a3056]

Merge pull request #124 from juspence/main

Allow sudo -g anyone and sudo -u anyone -g anytwo [1a000f5aaba1]

plugins/sudoers/sudoers.in:
Allow sudo -g anyone and sudo -u anyone -g anytwo

When only the user (ALL) is specified explicitly, and the group is implied, only sudo -u works. Specifying both the user and group, like (ALL:ALL), is required to:

1. Use sudo -g by itself (with no -u user) 2) Use sudo -u and -g together, with a -g group that is different from the -u user’s primary group [ca31aaa0b074]