ChangeLog

2023-02-05 Todd C. Miller

configure, configure.ac:
Use AS_IF instead of if; then where possible. [56946f4ac23a] [tip]

2023-02-03 Todd C. Miller

NEWS:
Mention the fix for GitHub #237. [70aafdaced09]

src/exec_pty.c, src/tgetpass.c:
Display error in error message if we can’t restore the terminal. [aa2c60802b33]

2023-02-02 Todd C. Miller

src/exec_pty.c, src/tgetpass.c:
Display an error message if unable to restore terminal settings. [a1efb1dca169]

Makefile.in, etc/sudo.pp, plugins/sudoers/Makefile.in:
Get rid of sudoersdir and just use sysconfdir. There is no need for sudoersdir when it is always just set to sysconfdir. [690b44edcec2]

src/exec_pty.c:
pty_finish: only restore the terminal if sudo is the foreground process [357d90f11750]

src/exec_pty.c:
Better background job detection when running a command in a pty. If sudo is not the process group leader and stdin is not a tty, we may be running as a background job via a shell script. Start the command in the background to avoid changing the terminal mode from a background process. GitHub issue #237 [6c74910ea869]

src/exec_pty.c:
suspend_sudo_pty: stop the process group even if sudo is not the leader. When sudo is not the process group leader, we still need to stop sudo’s process group and not just the sudo process itself. If we only send the signal to sudo itself, the shell will not notice if it is not in monitor mode. This can happen when sudo is run from a shell script, for example. In this case we need to signal the shell itself. If the process group leader is no longer present, we must kill the command since there will be no one to resume us. [44bb3267a55e]

lib/util/term.c:
Add debug tracing to tcsetattr_nobg(). [b7a17174f1cf]

2023-01-31 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Avoid compilation errors if getaddrinfo() or freeaddrinfo() are macros. If this is the case we probably can’t stub out the functions but at least the fuzzer will compile. [2482db79d3b9]

src/net_ifs.c:
Initialize the integer result parameter passed to SIOCGIFANUM. It appears that passing in a non-zero value causes the ioctl() to fail. From Tim Rice. [071633f9929c]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, plugins/sudoers/log_client.c:
Protect use of AF_INET6 with HAVE_STRUCT_IN6_ADDR guards. From Tim Rice. [661c26064544]

config.h.in, configure, configure.ac, include/sudo_compat.h:
Add configure test for NSIG, _NSIG or __NSIG. This is better than just defining NSIG in sudo_compat.h if it is not defined since signal.h may not have been included. [f1c94c5f825b]

logsrvd/logsrvd_conf.c:
Avoid DNS lookups when fuzzing. [384ffdead655]

2023-01-30 Todd C. Miller

etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp:
No longer need to treat Rocky or Alma Linux specially. We now treat them the same as RHEL. [190afa102ca6]

2023-01-29 Todd C. Miller

Merge pull request #230 from trackers-lover/main

Return value does not match [1dc4317beaf7]

2023-01-29 bianguangze@…

lib/util/sudo_conf.c:
Modify return value parameter [eb1e78bb2f91]

2023-01-27 Todd C. Miller

scripts/build_pkgs:
Store conf hash in vm_servers instead of vmid. Add a shutdown command fallback to the conf file. [2f7eeb5c3f04]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/ru.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.po, po/zh_TW.po:
Updated translations from translationproject.org [fa9569203e16]

configure, m4/hardening.m4:
Fix a typo. [ebf4c16e0079]

config.h.in, configure, scripts/config.guess, scripts/config.sub:
Regen with latest autoconf git. [9a0bbbb682fc]

etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg, scripts/pp:
Recognize Alma Linux and Rocky Linux (Open Source RHEL clones) [b1dbb7b75824]

NEWS:
Mention the recent intercept/log_subcmds fix. [cbd60701de52]

scripts/mkpkg:
Fix determination of the number of CPU cores on Linux. [6ac6a9b074bf]

2023-01-26 Todd C. Miller

MANIFEST, plugins/sudoers/po/ka.po:
New Georgian translation from translationproject.org [17681b870666]

Merge pull request #235 from kernelmethod/apparmor_dependencies

Replace the Debian libselinux1 dependency with libapparmor1 [ca29638c5c34]

2023-01-26 kernelmethod

etc/sudo.pp:
Replace the Debian libselinux1 dependency with libapparmor1

Debian >= 10 uses AppArmor by default instead of SELinux, so SELinux-related sudo features are typically going to be unusable in Debian installs. This changes the dependency on libselinux1 to be a dependency on libapparmor1 for .deb packages built with make package. [5779ce23a161]

2023-01-25 Todd C. Miller

src/exec_ptrace.c:
get_execve_info: defer setting pathname until argbuf is finalized If we reallocate the buffer (via growbuf()) in ptrace_read_vec(), the address of argbuf may change. If so, the value stored in pathname will no longer be valid. GitHub issue #194. [f75aa1eb5d95]

src/exec_intercept.c, src/exec_ptrace.c:
Correct error message when command doesn’t exist in intercept mode. Previously, we would always use EACCES, even when ENOENT was appropriate. This also affected log_subcmds. [5bc0ecd5d4e6]

2023-01-24 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.13 [c6a247e05a91]

2023-01-23 Todd C. Miller

NEWS:
Update for 1.9.13. [c9c5b6af5ea5]

src/exec_ptrace.h:
Include elf.h, not linux/elf.h but define NT_ARM_SYSTEM_CALL if missing. Older kernel headers are missing the definition of EM_ARM in linux/elf.h. GitHub issue #232 [8bed5e7f8857]

lib/util/regress/regex/regex_test.c:
Add tests for escaped digits. [7e5b7e5e2409]

lib/util/regex.c:
check_pattern: handle escaped digits since GNU libc accepts them. [a20d5a047963]

2023-01-22 Todd C. Miller

include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/sudoreplay.c:
Add eventlog_store_sudo() and use it in sudoreplay. This replaces the custom log formatting used by “sudoreplay -l”. [26dd2367fbdd]

2023-01-21 Todd C. Miller

scripts/build_pkgs, scripts/mkpkg:
Add –build-only flag to skip building packages. [46c0213b2668]

2023-01-20 Todd C. Miller

scripts/mkpkg, scripts/pp:
Suport building packages on DragonFly BSD. [65920923add2]

configure, configure.ac, m4/visibility.m4:
Try to link a simple shared object with -Wl,–no-undefined. This only works for gcc-style compilers, which should not be a problem. The source uses environ (FreeBSD) and errno (OpenBSD). [1c2d9f90bc6d]

scripts/build_pkgs:
Pass the name to the config.cache file to the build script. If –cache-file is not specified, no config.cache file will be used. Add an “omit_artifacts” setting for platforms where we don’t publish artifacts. [c87221f36bf4]

2023-01-19 Todd C. Miller

lib/util/regex.c:
check_pattern: accept a backslash before the numeric bound like glibc. This helps avoid out-of-memory conditions when fuzzing on Linux. [07f14dba22ed]

configure, configure.ac:
Don’t use -Wl,–no-undefined with the sanitizers/fuzzers. It breaks linking when using -fsanitize with clang at least. [a6331135bd73]

docs/SECURITY.md:
Add a link to the sudo security advisories archive. [7137d1d214e5]

config.h.in, configure, configure.ac:
Eliminate usage of obsolete 2-argument AC_CHECK_TYPE macro. [96b37c574fc2]

config.h.in, configure, configure.ac, plugins/sudoers/starttime.c, src/regress/ttyname/check_ttyname.c, src/ttyname.c:
Add support for the struct kinfo_proc on Dragonfly BSD. [4c1a7d223d66]

configure, configure.ac:
Need to link sudo and sudoers with -lutil on Dragonfly BSD. It is safer to just search for setusercontext() in libc and libutil instead of matching on the operating system. [b91a288c9968]

configure, configure.ac:
Elminate the $OS variable, we can just use $host_os instead. [0293bf9d4dd4]

plugins/sudoers/editor.c:
Restore the line that set errno to ENOENT when find_path() fails. This was inadvertently removed when the “goto bad” was added. [b957909a1a75]

configure, configure.ac, m4/ldap.m4:
Add -Wl,–no-undefined to LDFLAGS if it is supported. This will find missing symbols at build-time instead of run-time. Don’t use it on FreeBSD where environ is filled in by the dynamic loader. We also need to pull in -llber with -lldap where possible (instead of relying on DT_NEEDED) to avoid undefined symbol errors when building with LDAP support. [c88bd9fd05c9]

plugins/sample/README:
The sample plugin is now built by default to avoid bit rot. GitHub issue #234. [aac2a29136e1]

plugins/sample/sample_plugin.c:
The change from sudo_printf -> sudo_plugin_printf was incomplete. Fixes GitHub issue #234. [4f8333e3f7b8]

2023-01-18 Todd C. Miller

configure, m4/pie.m4:
Solaris: use lt_prog_compiler_pic instead of assuming -KPIC [36b94699ad63]

configure, m4/hardening.m4, m4/pie.m4:
Solaris: the aslr, nxheap and nxstack link options are only for executables. Move them back to PIE_LDFLAGS, which is only used when linking a binary. [970d533cd9b2]

configure, m4/hardening.m4, m4/pie.m4:
Solaris: move aslr linker option to hardening and try to build real PIEs These flags are specific to the Solaris linker. [c5439fec5cb3]

configure, m4/hardening.m4, m4/pie.m4:
Enable non-executable heap and stack options for Solaris ld. [5be638b9bd79]

configure, configure.ac, m4/hardening.m4:
Limit some of the hardening tests to compilers that define GNUC. This should avoid false positives on other compilers. [1b3b36a2ff2b]

plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout:
Update expected plugin version. [19b2963008a2]

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c, src/sudo.h, src/sudo_edit.c:
Pass back the number of files to edit when using sudoedit. The sudo front-end can use this to determine where the list of files to edit begins. [c9c1e6e81438]

docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, include/sudo_lbuf.h, lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c, lib/util/util.exp.in, plugins/sudoers/sudoreplay.c:
Escape control characters in log messages and “sudoreplay -l” output. The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped.

Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces.

Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com). [1cd37144190c]

NEWS:
Merge in sudo 1.9.12p2 changes. [d5a2cd780f27]

2023-01-17 Todd C. Miller

configure, m4/hardening.m4:
Add back the linker check for -fstack-clash-protection. This is expected to fix GitHub issue #231. [c08c0a7c8613]

2023-01-17 trackers-love

lib/util/sudo_conf.c:
Return value does not match [2c7c350c3d97]

2023-01-16 Todd C. Miller

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Stop using 8n width in tagged lists. Use either 4n, when the body is expected to wrap or the width of the longest tag when no wrapping is expected. [2b1bc5d31250]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Use -width Ds for the options list, not -width Fl. [598dbf3d2fea]

docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
Reduce the offset of bullet lists to 1n. [893b6fd25564]

INSTALL.md:
Shorten –with-passprompt and –with-mailsubject arguments to a single word. The script that generates the web version of this file doesn’t expect options to include whitespace. [063dc2c168aa]

2023-01-15 Todd C. Miller

INSTALL.md:
Shorten –with-badpass-message argument to a single word. The fix_install script can’t deal with whitespace in options. [17761c19a4b8]

LICENSE.md:
Make numbered lists more markdown-friendly. Also add line breaks when there are multiple authors. [d22146e06e27]

INSTALL.md:
Make lists of directories more markdown-friendly. [b3295e422b33]

2023-01-12 Todd C. Miller

lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
Check for errors when removing the temp directory. If we cannot remove the directory tree that may indicate a file or directory mode problem. [4a162644b61f]

lib/iolog/iolog_mkdtemp.c:
iolog_mkdtemp: fix pasto in last commit Set mode to iolog_dirmode, not iolog_filemode [713773e23472]

plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c:
sudoedit: do not permit editor arguments to include “–” (CVE-2023-22809) We use “–” to separate the editor and arguments from the files to edit. If the editor arguments include “–”, sudo can be tricked into allowing the user to edit a file not permitted by the security policy. Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) for finding this bug. [2ca90805f471]

2023-01-09 Todd C. Miller

lib/util/sha2.c:
In SHA256Pad and SHA512Pad use 511 and 1023 respectively for bitwise AND. Previously we were using 504 and 1016 which still produces the correct result since padding is done in 8-bit bytes. However, using size-1 for the bitwise AND makes the intent clearer and likely would have prevented the previous bug in SHA512Pad. From Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) [4b6a50800ecd]

plugins/sudoers/env.c:
env_file_next_local: change the order of the val_len check. It makes more sense to verify that val_len > 1 before using it. This is not a problem in practice because val[val_len - 1] is guaranteed not to underflow but it can confuse reviewers and static analyzers. [9d6bed4e3fd0]

plugins/sudoers/env.c:
Fix typo in check for environment variables that start with ‘=’. [6dc466c8bf82]

lib/util/lbuf.c:
sudo_lbuf_print: no longer need to check for lbuf->len > 0. Now that lbuf length is unsigned the earlier check for len == 0 is sufficient. [bdfc863f5b5c]

lib/util/lbuf.c:
Increase minimum allocation size from 256 to 1024 bytes. [0f49c8728151]

plugins/sudoers/sudoreplay.c:
Fix IS_IDLOG macro, it was testing the wrong byte for the NUL. This causes the macro to evaluate to false even for valid TSIDs. [77686e4508d3]

2023-01-04 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
sudoers_trace_print: this is a no-op if not debugging [df34de2e60f4]

lib/util/lbuf.c:
sudo_lbuf_expand: don’t allocate less than 256 bytes at a time. [a747682156e6]

2023-01-03 Todd C. Miller

lib/util/lbuf.c:
sudo_lbuf_expand: round nearest power of two instead of multiple of 256. [840855b501de]

LICENSE.md:
Update copyright year. [5ff97b5e6bcd]

include/sudo_lbuf.h, lib/util/lbuf.c:
sudo_lbuf_expand: check for possible integer overflow The numeric fields in struct sudo_lbuf are now unsigned so that wraparound is defined, this make the overflow checks simpler. Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer. [6dc670d15276]

MANIFEST, lib/iolog/iolog_json.c, lib/iolog/regress/iolog_json/test3.in, lib/iolog/regress/iolog_json/test3.out.ok:
Decode \u00XX in a JSON string now that we escape control chars. We don’t write Unicode to the log.json file, only 8-bit ASCII. [83dcacb35309]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/hexchar.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/toke_util.c:
Move hexchar() from the sudoers plugin to lib/util. [4a6c57c1b66a]

lib/util/mkdir_parents.c:
sudo_open_parent_dir: adjust loop terminating condition Checking for ep < pathend should be a bit clearer than ep != ‘\0’ and has the advantage of working when pathend doesn’t point to a NUL byte. No intended change in behavior. [cee4e0c71070]

lib/iolog/iolog_mkdtemp.c:
iolog_mkdtemp: fix failure when the specified path contains subdirectories. This fixes a bug introduced in sudo 1.9.12. [3a1d5b01b446]

lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
check_iolog_mkpath: fix exit value [9ac13d6657f6]

2023-01-02 Todd C. Miller

Merge pull request #227 from sohomdatta1/integer_underflow

Prevent integer underflow due to environment variable [c6c716352077]

2023-01-02 Sohom

plugins/sudoers/env.c:
Prevent integer underflow due to environment variable

Gaurd against replacing quotes when the environment variable val_len is 1. [1b926824dcf8]

2023-01-01 Todd C. Miller

lib/util/regex.c:
glibc allows the ‘,’ in {low,high} to be escaped with a backslash. Adjust bound parsing to match this. [b2bbac2bab6a]

2022-12-31 Todd C. Miller

configure, configure.ac:
Fix logic goof in 05781ba6f1f3, disable replacements when fuzzing. Not the other way around. [abcf2deb9d0e]

2022-12-30 Todd C. Miller

configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in:
Substitute python plugin file name in sudo_plugin_python documentation. Also use prefix for group plugin fallback path section in sudoers manual. [e245808fbe74]

lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
Use correct dictionary file format. Also use the new dictionaries in the Makefile fuzz target. [c39e699cb9b6]

MANIFEST, lib/iolog/regress/corpus/seed/log_legacy/less.log, lib/iolog/regress/corpus/seed/log_legacy/smtpctl.log, lib/iolog/regress/corpus/seed/log_legacy/vi.log, lib/iolog/regress/corpus/seed/timing/timing.5, lib/iolog/regress/corpus/seed/timing/timing.6, lib/iolog/regress/corpus/seed/timing/timing.7, lib/iolog/regress/corpus/seed/timing/timing.8, lib/iolog/regress/corpus/seed/timing/timing.9:
Add some addition entries for the I/O log fuzzer seed corpus. [51d4bf5f014c]

MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict, lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
Add dictionaries for fuzz_iolog_legacy and fuzz_iolog_timing. [84d1e53ea8eb]

include/sudo_fatal.h:
Don’t send warn/fatal output to the debug file when fuzzing. [968fedf79f23]

lib/util/getentropy.c:
Back out the genentropy.c portion of c648cfe9ff0f We don’t need to special-case FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION now that we use the glibc arc4random() where available. [7d69e44e3e9b]

2022-12-29 Todd C. Miller

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Use initprogname(), not setprogname() in the fuzzers. This results in better coverage for progname.c. [dede53f4b0db]

lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok:
Add probe_interfaces and intercept_path. [f00ecf67a5e1]

lib/util/regress/fuzz/fuzz_sudo_conf.c:
Exercise getter functions. [3208a9508724]

configure, configure.ac:
Avoid using our function replacements when fuzzing (where possible). We don’t want to fuzz the function replacements themselves as this can skew the coverage reports. [05781ba6f1f3]

plugins/python/regress/check_python_examples.c:
Disable sudo_debug tests when fuzzing. The debug code is disable when fuzzing is enabled to avoid coverage issues. [2c90549a0918]

lib/util/fatal.c, lib/util/getentropy.c, lib/util/sudo_conf.c:
Avoid compiling some code paths that are unreachable when fuzzing. [c648cfe9ff0f]

plugins/sudoers/regress/serialize_list/check_serialize_list.c:
Plug memory leak. [6189ff1db193]

2022-12-28 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_policy.dict:
Update fuzz_policy keywords to match current policy settings. [0db960f83cf1]

plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
Add example users and groups to the dictionary. [6fd8ad758aed]

plugins/sudoers/env.c, plugins/sudoers/sudoers.c, src/parse_args.c:
parse_args: an environment variable may not start with ‘=’. Also check VAR=val format in validate_env_vars() and add an error message if insert_env_vars() fails. [b9b9acae1671]

plugins/sudoers/env.c:
rebuild_env: avoid a potential NULL dereference in fuzz_policy [90f5d579dd69]

plugins/sudoers/sudoers.c:
sudoers_policy_main: plug memory leak of iolog_path on error. [99cbe3d513e6]

plugins/sudoers/env.c:
rebuild_env: avoid a potential NULL dereference in fuzz_policy [de05b4f00f35]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
The contents of the env_add array should not include the leading “env=” prefix. The previous fix for this was incomplete. [849fee26133a]

plugins/sudoers/env.c:
validate_env_vars: more efficient errbuf handling Also avoid appending to errbuf if it is already full. [1ffd174fa0ea]

2022-12-27 Todd C. Miller

docs/sudo.man.in, docs/sudo.mdoc.in:
Document that -k does not interfere with sudo on other terminals. This should help clarify the difference between “sudo -k” and “sudo -K”. [589d750faf30]

lib/util/regex.c, lib/util/regress/regex/regex_test.c:
Check for bound values larger than 255 and reject them. This is to prevent the fuzzers from running out of memory. [f172a6d64a34]

scripts/pp:
Use the POSIX shell “command -v” instead of “which” to find programs. Fix false detection of init.d/service status. [aee53eddfc18]

etc/sudo.pp:
Fix example dir mode on RedHat/Fedora. [f5fd86f35bc5]

etc/sudo.pp:
Use sed instead of ed to modify the packaged sudoers file. Some Linux distros do not include /bin/ed by default. [217ef1afaacb]

2022-12-26 Todd C. Miller

docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in:
Use @intercept_file@ and @noexec_file@ like the example file. [726e060da20e]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
There is a @pam_login_service@ substitution but no @pam_service@. Just use sudo instead of @pam_service@. [b16f28ccc847]

examples/sudo.conf.in:
Use @sudoers_plugin@ instead of @sudoers_module@. [4c92b9ef93b5]

docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Use @sudoers_plugin@ instead of @sudoers_module@. [3c50a97c1bbd]

INSTALL.md, NEWS, config.h.in, configure, configure.ac, docs/UPGRADE.md, scripts/config.guess, scripts/config.sub:
sudo 1.9.13 Document the changes to AIX plugins in docs/UPGRADE.md and regenerate configure using the latest autoconf from git. [b897ca965a0f]

scripts/build_pkgs:
Remove anything after whitespace in MANIFEST when building tarball. This is consistent with how sudo’s Makefile builds the tarball. [db48ecf91964]

MANIFEST:
Zap trailing whitespace. [7be2d953e0ca]

configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, pathnames.h.in, src/load_plugins.c, src/preload.c:
Use AIX-style shared libraries on AIX by default instead of SVR4-style. This removes the need to use the -brtl linker flag which can cause problems when there are both a .so and .a version of the same library but with different versions. This was particularly problematic when using the AIX freeware version of OpenSSL. The –with-aix-soname=svr4 option can be used to build SVR4-style shared libs instead. [268bd3bc7717]

lib/util/sudo_dso.c, src/load_plugins.c:
sudo_dso_load: add AIX fallback path from shlib.so to shlib.a(shlib.so). If the .so file is missing but the .a file exists, try to dlopen() the AIX .a file using the .so name as the member. We need to avoid breaking existing configurations if the type of AIX shared library changes when sudo is upgraded. [f64cf05bb2c2]

plugins/sudoers/group_plugin.c, src/load_plugins.c:
Remove the owner and mode checks when loading a sudo plugin. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. The checks complicate loading of shared objects since we need to perform fallback processing twice. [60a811d58138]

MANIFEST, plugins/python/Makefile.in, plugins/python/python_importblocker.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/testdata/sudo.conf.developer_mode, plugins/python/regress/testdata/sudo.conf.normal_mode, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_module.h:
Remove the Python plugin import blocker code. The sudo.conf file is considered a trusted source of information and these checks suffer from TOCTOU issues anyway. [1d261d802b82]

MANIFEST, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, examples/sudo.conf.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.dict, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok, lib/util/regress/sudo_conf/test8.err.ok, lib/util/regress/sudo_conf/test8.in, lib/util/regress/sudo_conf/test8.out.ok, lib/util/sudo_conf.c:
Remove developer mode from sudo.conf, it is no longer used. [2b350bfe4d7c]

plugins/sudoers/sudoers_version.h:
Bump SUDOERS_GRAMMAR_VERSION to 50 for the new list pseudo-command. [60e6e3b59b1e]

2022-12-25 Todd C. Miller

docs/Makefile.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in:
Use “.Sy root” instead of “.Em root” when talking about the root user. Replace MANDOCPROG with “mandoc” now that MANDOCPROG has been removed. [a0b80a88eb7c]

2022-12-22 Todd C. Miller

Merge pull request #226 from rtczza/main

debug_return_int use error [7743f67838ae]

2022-12-23 wanglujun

src/exec_pty.c:
debug_return_int use error [b69796b9b10b]

2022-12-22 Todd C. Miller

lib/util/sudo_dso.c, src/load_plugins.c:
Fix support for AIX-style path(module) syntax in sudo.conf Plugin lines. [b8666283d2f2]

2022-12-20 Todd C. Miller

docs/sudo.man.in, docs/sudo.mdoc.in:
Mention the “list” privilege in the description of the -U option. [f5416004ef2e]

docs/sudo.man.in, docs/sudo.mdoc.in, src/parse_args.c, src/sudo_usage.h.in:
Add [arg …] after command in SYNOPSIS and usage output. Use Ar markup when referring to the command and args. [40fca0824680]

2022-12-17 Todd C. Miller

src/exec_preload.c:
fmtstr: call va_arg() for %c when computing length. Even though we don’t need to read the actual char to know its length, we do need to consume it to get the correct value for the next format. [fadd0047868b]

configure, m4/sanitizer.m4:
SUDO_CHECK_SANITIZER: quote “$3” in awk script so m4 doesn’t eat it. [fcf1661bfebd]

lib/util/regress/json/json_test.c:
Add missing sudo_json_free(). [fa5e5af55927]

MANIFEST, lib/util/Makefile.in, lib/util/regex.c, lib/util/regress/regex/regex_test.c:
check_pattern: check bounds as a repetition operator too. Add regess to verify check_pattern() via sudo_regex_compile(). [48cbddf476a5]

lib/util/regex.c:
Instead of collapsing duplicate repetition characters, reject them. This is implementation-specific behavior–some regcomp(3) will reject duplicate repetition characters (BSD), others will try to support them (Glibc) but may allocate excessive amounts of memory. [a0cb75d9b5e5]

MANIFEST, docs/CONTRIBUTORS.md, po/sq.mo, po/sq.po:
New Albanian translation from translationproject.org [4a8dedc6500d]

2022-12-15 Todd C. Miller

MANIFEST, include/sudo_json.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/Makefile.in, lib/util/json.c, lib/util/regress/json/json_test.c, lib/util/util.exp.in, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c:
Add basic regress for JSON functions. Fix a bug in escaped control character handling. Roll back changes to buffer if sudo_json_add_value() fails. [8b61266511fe]

plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c:
Add missing memory allocation failure checks. Inspired by GitHub PR #221 [9f09479191e9]

2022-12-14 Todd C. Miller

lib/util/json.c:
Escape control characters in strings. [9668cd68daee]

2022-12-12 Todd C. Miller

docs/sudo.man.in, docs/sudo.mdoc.in:
Mention the audit plugin in the “Process model” section. Remove extraneous information describing how sudo may exec the command directly, this is already included in the non-pty section. [9d01a9682ed2]

2022-12-11 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
Plug a memory leak of list_cmnd in the fuzzers. [b413becfb8db]

plugins/sudoers/cvtsudoers.c:
Suppress PVS Studio watning about reassigning a variable the same value. Working around the warning would result in more fragile code. [b4227e531fb7]

lib/util/regress/multiarch/multiarch_test.c:
Fix memory leak in multiarch_test to quiet leak sanitizer. [1491ce67725c]

plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
Fix some dead stores noted by PVS Studio. Since rc is initialized to SUDO_RC_ERROR there is no need to set it to SUDO_RC_ERROR again on failure if rc has not been changed since initialization. [f6c075dedfe3]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/logging.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add “list” pseudo-command to allow a user to list another user’s privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For “sudo -l [-U otheruser] command”, NewArgv[0] is now set to “list” (just like “sudo -l”) and the actual command to be checked starts with NewArgv[1]. [225eac96d11f]

2022-12-09 Todd C. Miller

etc/codespell.exclude:
Adjust a line to quiet codespell warning. [f920076a902d]

2022-12-08 Todd C. Miller

Makefile.in:
Only build ChangeLog from a repo checkout, not a release tarball. The CODEOWNERS file is not present in the release tarball so we can use that when determining what is (or is not) a repo checkout. [290ce43f0f66]

docs/CODEOWNERS:
Add CODEOWNERS file, currently all owned by @millert. [3becb02b5cd6]

.gitignore, .hgignore, Makefile.in:
Only regenerate ChangeLog if there have been changes. Also check that “hg –version” or “git –version” works before using hg or git. Bug #1043. [d9a28bb02621]

2022-12-07 Todd C. Miller

plugins/sudoers/parse.c:
Fix potential crash introduced in the fix for GitHub issue #134. If a user’s sudoers entry did not have any RunAs user’s set, running “sudo -U otheruser -l” would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219. [3d12dfeef26b]

scripts/build_pkgs:
Defer installing the SIGCHLD handler until after non-job commands run. Lock the socket dir to avoid races in open_persistent_connection(). Also avoid using “ssh -f” since that may return before the socket is created. Strip carriage returns from log when running in a pty. [d0da1a261fbc]

2022-12-06 Todd C. Miller

configure, m4/sudo.m4:
Fix a typo in SUDO_CHECK_NET_FUNC. [08cb2ba84897]

lib/util/inet_ntop.c:
Fix -Wsign-compare warning. [45e2716ece56]

configure, m4/sudo.m4:
Initialize “found” in SUDO_CHECK_NET_FUNC. [a5daeb77e6bb]

configure, m4/sudo.m4:
Fix pasto introduced in last commit. [7e1b09977be3]

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
Fix failure in check targets when there is no UTF-8 C locale. [721c8bdff28f]

configure, configure.ac, m4/sudo.m4:
Add SUDO_CHECK_NET_FUNC to check functions in the network libraries. If a function is not found, check again with “-lsocket”, “-linet”, “-lsocket -lnsl”, or “-lresolv”. Also display network libs in final summary as well as the different linker flags. [a0ce3347cd8d]

configure, m4/sudo.m4:
Make sure HAVE_MAILLOCK_H is defined on Solaris 10. [bb9f3a1beff5]

configure, configure.ac:
Remove extraneous “(cached)” line when the -C option is used. We do not need to call AC_CACHE_VAL() to ensure that a variable is cached, its name just needs to match the pattern cv. [b8ffa09d0cd7]

configure, m4/sudo.m4:
Make path checks in sudo.m4 cachable. [0bcfa73702d3]

configure, configure.ac:
Use AC_PATH_PROGS_FEATURE_CHECK to find mandoc/nroff. We don’t use the NROFFPROG or MANDOCPROG any longer so no need to set those. [7d96680046a6]

configure, configure.ac:
Don’t check for _sys_siglist if sys_siglist is found. [2c70aba3935c]

configure, configure.ac:
Fix check for sys_sigabbrev. [b8537a76815f]

2022-12-05 Todd C. Miller

configure, configure.ac:
Skip test for func on C99 and above, avoid extra _sys_signame test. [71f3497a6a3a]

MANIFEST, aclocal.m4, configure, configure.ac, m4/gettext.m4:
Move gettext checks to m4/gettext.m4 [693029542e06]

MANIFEST, aclocal.m4, configure, configure.ac, m4/ldap.m4:
Move LDAP library checks to m4/ldap.m4 and make more tests cacheable. [85fa1f49298a]

MANIFEST, aclocal.m4, configure, configure.ac, m4/openssl.m4:
Move OpenSSL/wolfSSL checks to m4/openssl.m4 [08b90f3cef52]

MANIFEST, aclocal.m4, configure, configure.ac, m4/pie.m4:
Move PIE executable checks to m4/pie.m4 [6b5cac6cecd5]

MANIFEST, aclocal.m4, configure, configure.ac, m4/sanitizer.m4:
Move address sanitizer and fuzzer checks to m4/sanitizer.m4 [a6372917d53b]

MANIFEST, aclocal.m4, configure, configure.ac, m4/visibility.m4:
Move symbol visibility checks to m4/visibility.m4 [4684049c2d2c]

MANIFEST, aclocal.m4, configure, configure.ac, m4/hardening.m4:
Move hardening checks to m4/hardening.m4 [c03abb3c9f55]

configure, configure.ac, m4/sudo.m4:
Make cpp variadic arguments check into a macro and move to sudo.m4. Also move the PVS-Studio.cfg generation to sudo.m4. [c1a8d3b46be1]

2022-12-03 Todd C. Miller

lib/util/snprintf.c:
Sync with OpenBSD. [157439118867]

Merge pull request #218 from sohomdatta1/snprintf

[snprintf] Check for ‘\0’ to prevent undef memory read [050882923c98]

2022-12-03 Sohom

lib/util/snprintf.c:
[snprintf] Check for ‘\0’ to prevent undef memory read [aff60c479c10]

2022-12-01 Todd C. Miller

lib/eventlog/eventlog.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c:
Place C23 attributes before keywords in function declarations. In practice this means we must use “sudo_noreturn static foo(void)” instead of “static sudo_noreturn foo(void)”. [6c1836dcb2d6]

2022-11-30 Todd C. Miller

scripts/build_pkgs:
Convert from using IPC::Open3 to IPC::Run. Run tests in a pty so check_ttyname works as expected. Explicitly set short command line options letters in GetOptions(). Add a debug flag to help see what is going on internally. Add hook for die() to kill running jobs when we are dying. SSH_AGENT_PID will not be present if the agent is forwarded. In close_persistent_connections() only close active connections. [d49e1ac7e2f2]

2022-11-29 Todd C. Miller

config.h.in, configure.ac, include/sudo_compat.h:
Use C23 [[fallthrough]] and [[noreturn]] attributes if supported. If the C23 attributes are not supported, use gcc-style attributes where possible. [57676068e9a9]

configure, configure.ac:
Move the check for the fallthrough attribute outside the warnings block. Use AX_APPEND_FLAG instead of addind to CFLAGS directly. [dc22d8238827]

2022-11-28 Todd C. Miller

scripts/build_pkgs:
The distributed package build script I use to build all sudo packages. This is not included in the release tarball because it is of limited use to other people. [94c58cc272c8]

2022-11-25 Todd C. Miller

Makefile.in:
Pass the list of files to include in the tarball on stdin. This avoids any limit on the size of argv. [0af8578c89fe]

2022-11-23 Todd C. Miller

Merge pull request #214 from BornThisWay/1124_repeated_invocation

check_syntax(): Remove duplicate calls to init_defaults() [3383fb0a6f5f]

2022-11-24 modric

plugins/sudoers/visudo.c:
check_syntax(): Remove duplicate calls to init_defaults() [048ccd968df9]

2022-11-22 Todd C. Miller

plugins/sample/sample_plugin.c:
build_command_info: free command_info on failure. Once upon a time, command_info was a stack variable, now it is dynamically allocated. Coverity CID 299987. [a80110e49952]

plugins/sample/sample_plugin.c:
Better handling of out-of-memory conditions. [ee3e47c4d272]

plugins/group_file/group_file.c:
Keep group file open until the call to myendgrent(). This restores the previous behavior. [79751f7308d7]

lib/util/json.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/match_command.c, plugins/sudoers/strvec_join.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, src/sudo.c:
Eliminate a few harmless dead stores. Quiets warnings from Infer. [8bed7579b75d]

plugins/sudoers/ldap_util.c:
sudo_ldap_parse_option: add explicit NULL check for strchr(). This should not be needed since we only use the returned pointer if it is larger than the string passed to strchr(). Quiets a warning from Infer. [852aec3e0450]

logsrvd/logsrvd_journal.c:
journal_fdopen: free journal_path and close journal before setting Fixes a potential resource leak that currently cannot happen. Quiets a warning from Infer. [bfe41e247c35]

plugins/sudoers/ldap.c:
sudo_ldap_result_add_entry: check sudo_ldap_get_values_len() return value. Previously, we just compared the error code with LDAP_NO_MEMORY when checking for sudoOrder since this is the only error we care about. We now return NULL for LDAP_NO_MEMORY and ignore other errors. Quiets a warning from Infer. [6e5a490b735c]

plugins/group_file/getgrent.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h:
Refactor code to open passwd/group file and add setpassent/setgroupent. This makes the “stayopen” semantics match the system passwd/group functions. The getpwent/getgrent functions now open the database if it is not already open. [27bfa97ad47c]

plugins/sudoers/Makefile.in, plugins/sudoers/gram.h:
gram.h: #line directives should reference gram.h not y.tab.h. [7a2d4a24d839]

scripts/mkpkg:
Use clang, not /usr/bin/cc on FreeBSD and macOS. While /usr/bin/cc is clang on those platforms, some static analyzers get confused if we don’t run it as clang. [d0c1f5940789]

2022-11-21 Todd C. Miller

Merge pull request #212 from BornThisWay/1122_null_deref

sudo_rcstr_dup: Fix potential NULL pointer deref [58fcefa888fa]

2022-11-22 modric

lib/util/rcstr.c:
sudo_rcstr_dup: Fix potential NULL pointer deref [f45acaded1e5]

2022-11-21 Todd C. Miller

plugins/sudoers/check.c:
Add a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. [7bc25043c760]

Merge pull request #210 from BornThisWay/1121_typo

Fix some typos [9d1e9278effb]

2022-11-21 modric

plugins/python/regress/testhelpers.h, plugins/sudoers/parse.c:
Fix some typos [d7d1c3ade748]

2022-11-20 Todd C. Miller

Merge pull request #208 from BornThisWay/1121_return

intercept_read: Print and then return. [615c2d5fca36]

2022-11-21 modric

src/exec_intercept.c:
intercept_read: Print and then return. [049547eb7ac0]

2022-11-20 Todd C. Miller

Merge pull request #205 from BornThisWay/1119_access_null_pointer

sudo_mmap_strdup_v1: Fix potential NULL pointer deref [bad55afc72bb]

2022-11-19 modric

lib/util/mmap_alloc.c:
sudo_mmap_strdup_v1: Fix potential NULL pointer deref [f8da23aff2ec]

2022-11-18 Todd C. Miller

src/sudo_intercept.c:
copy_vector: plug memory leak in error path Only the array was being freed, not the contents. GitHub issue #202. [cd1407dbe65f]

2022-11-17 Todd C. Miller

scripts/mkpkg:
Better matching of macOS version to SDK path. [db7f2cbdb023]

Merge pull request #200 from BornThisWay/fix_mem_leak_converse

Fix memory leak of pass in converse(). [b411801abdf7]

plugins/sudoers/auth/passwd.c:
sudo_passwd_cleanup: Set auth->data to NULL after freeing. GitHub issue #201 [e558188bd99d]

2022-11-17 modric

plugins/sudoers/auth/pam.c:
Fix memory leak of pass in converse(). [052c99eaad8f]

2022-11-16 Todd C. Miller

config.h.in, configure, configure.ac:
Use AC_SYS_YEAR2038 instead of setting _TIME_BITS by hand. [049113d798e9]

configure, m4/ax_append_flag.m4, m4/ax_check_compile_flag.m4, m4/ax_func_snprintf.m4, m4/ax_prog_cc_for_build.m4:
Update macros from autoconf-archive. [48b960c883df]

plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/visudo/test3.sh:
Fix typo; excerise -> exercise [42cdb396b72b]

config.h.in, configure, scripts/config.guess, scripts/config.sub:
Regenerate with the autoconf 2.72a pre-release. [51d043878181]

configure.ac:
Fix insufficient quoting in AC_CHECK_LIB() calls. [78d37b60a912]

autogen.sh:
If AUTOCONF_VERSION is unset, use version 2.71 not 2.69. [108faf700aa7]

configure.ac, m4/ax_func_getaddrinfo.m4, m4/sudo.m4:
Replace foo in descriptions with ‘foo’ [ba63cef7bbe8]

2022-11-15 Todd C. Miller

configure, configure.ac:
Add -Wvla and -Walloca to –enable-warnings [7b9b59e35905]

2022-11-11 Todd C. Miller

plugins/sudoers/pwutil.c:
sudo_debug_group_list: short-circuit if groups is NULL [0f8f11ef82b6]

configure, configure.ac:
configure: only check for getauxval() if getentropy() is missing. [c056c2fc3898]

config.h.in, configure, configure.ac:
Remove checks for random() and lrand48(), they are no longer used. Also remove duplicate checks for arc4random() and getentropy(). [e3433874211d]

configure, configure.ac:
Skip check for cpp variadic macro support if the compiler supports C99. [42efc9934ef5]

configure, configure.ac:
HI-UX/MPP is based on OSF-1, not HP-UX Completely untested. [c55ba59cd24d]

configure, configure.ac:
Only check for utmps.h on HP-UX. [682bb16545cf]

configure, configure.ac:
Only check for sys/syscall.h on Linux. We only use it in the Linux- specific getentropy() emulation code. [eac313bfc142]

config.h.in, configure, configure.ac:
configure: avoid running unnecessary tests on modern systems. Remove AC_SYS_POSIX_TERMIOS, AC_TYPE_MODE_T, AC_TYPE_UID_T. Add missing checks for int16_t, uint16_t, int32_t, and int64_t. Only check for intmax_t, uintmax_t and bit-width types if missing both inttypes.h and stdint.h. Remove unused clockid_t replacement. [9f1f9d365f60]

MANIFEST, plugins/sudoers/regress/cvtsudoers/test40.out.ok, plugins/sudoers/regress/cvtsudoers/test40.sh:
Add a regress check for the cvtsudoers filter crash. GitHub issue #198. [f0abea1f10d0]

Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
The name of the C locale w/ UTF-8 support is not always C.UTF-8. Use a pattern to find it (if present) and use that value instead of hard-coding C.UTF-8. This works around a leak sanitizer crash on certain inputs. [99aeb5a875f7]

2022-11-10 Todd C. Miller

plugins/sudoers/parse_ldif.c:
Fix a potential use-after-free bug with cvtsudoers filtering. In role_to_sudoers() when merging a privilege to the previous one where the runas lists are the same we need to re-use the runas lists of the last command in the previous privilege, not the first. Otherwise, the check in free_cmndspec() will not notice the re-used runas lists. Reported/analyzed by Sohom Datta. GitHub issue #198. [29d1380d2fe0]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/seed/ldif/invalid_b64.ldif, plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif, plugins/sudoers/regress/corpus/seed/ldif/sample.ldif, plugins/sudoers/regress/corpus/seed/ldif/valid_b64.ldif, plugins/sudoers/regress/cvtsudoers/test39.sh:
Copy some LDIF test data from the cvtsudoers tests to the seed corpus. This includes a test to exercise the fix in PR #196. [f74d65cf34d1]

plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Set LDAP base for sudoers_parse_ldif(). Without this set the fuzzer will not exercise the dn parsing. [c154b1a5d287]

src/exec_ptrace.h:
Include linux/elf.h, not elf.h to make sure we get NT_ARM_SYSTEM_CALL. The NT_PRSTATUS define is present in both files. [4a4e3142381a]

2022-11-09 Todd C. Miller

include/sudo_compat.h:
Remove CMSG_* compatibility macros, they are no longer used. [5914434ecb5c]

lib/util/multiarch.c, lib/util/sudo_dso.c:
Add missing include of sys/stat.h [d3b0f701c75f]

include/sudo_util.h:
Move forward declaration of struct stat before its first use. [f3cc645d197c]

plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test39.sh:
Use a consistent base when testing cvtsudoers conversion from ldif. [a22cb486b2a3]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test39.out.ok, plugins/sudoers/regress/cvtsudoers/test39.sh, plugins/sudoers/regress/harness.in:
Test parsing LDIF when a backslash is the last char of the file. If run with address sanitizer, this test will crash when the fix in ceaf706ab74b is reverted. [f50c78b7ed32]

Merge pull request #196 from sohomdatta1/main

Prevent cvtsudoers from reading into undefined memory [f21c417bbbb3]

2022-11-09 Sohom

plugins/sudoers/parse_ldif.c:
[cvtsudoers]: Prevent sudo from reading into undefined memory [ceaf706ab74b]

2022-11-08 Todd C. Miller

plugins/sudoers/auth/passwd.c:
sudo_passwd_verify: zero out des_pass before returning. [c809232fdb7d]

2022-11-07 Todd C. Miller

src/exec_pty.c:
Don’t kill the parent process group on suspend if it is not sudo’s pid. If sudo is not the process group leader we must only send the suspend signal to sudo itself. When sudo is run via a shell script, it usually has the same process group as the shell script interpreter. We do not want to suspend the script itself when the command run by sudo is suspended. [e6715ec62335]

src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
Pass sudo’s process ID to suspend_sudo_nopty() since we already know it. Saves an unnecessary getpid(2) call. [1e12d9b0ce53]

src/exec_nopty.c:
Call terminate_command() with use_pgrp = false when not running in a pty. When sudo runs a command in the user’s existing terminal the command is run in the same process group as sudo itself. The proper way to terminate it is to use kill(2), not killpg(3) [3d9862963e92]

src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
Fix handling of signal forwarding when running commands in a script. We need to forward signals from a process in the same pgrp if the pgrp leader is not either sudo or the command itself. [d1bf60eac57f]

src/regress/intercept/test_ptrace.c:
Make test_ptrace compile again after recent changes. [e766db5aa9d4]

src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c:
Update the cwd for log_subcmds too. Fixes a problem for intercept_method=trace when running a relative command from a different directory than what sudo ws started from. GitHub issue #194 [b831f2397d9f]

2022-11-04 Todd C. Miller

NEWS, aclocal.m4, configure, configure.ac:
sudo 1.9.12p1 [6268fbabdb16]

2022-11-03 Todd C. Miller

lib/iolog/host_port.c:
Include time.h for struct timespec used by sudo_iolog.h. [369c8e799652]

src/sudo.c:
Display sudo_mode in hex in debug log. This makes it easier to match against the MODE_ defines. [971e8f88bc12]

2022-11-01 Todd C. Miller

plugins/sudoers/auth/bsdauth.c:
bsdauth_verify: do not write to prompt, it is now const [1969a562cf14]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Store raw sudoers lines in the debug log. Also add a “sudoerslex” prefix to the token debug info in sudoers_trace_print(). [be03aef496cb]

2022-10-31 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
The line numbers in sudoers_trace_print() were off by one. The line counter is incremented when a newline is seen so the output actually refers to the previous line. [a97182a63419]

plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.h:
Make the second arg to the sudo auth verify function const. This may be either a plaintext password or a password prompt. Either way it should not be modified by the verify function. [11aefc2bc3da]

2022-10-29 Todd C. Miller

plugins/sudoers/match.c:
Move debugging info from hostname_matches() to host_matches(). [2a53d2dcd1f5]

2022-10-28 Todd C. Miller

plugins/sudoers/pwutil.c:
Add debugging to sudo_set_grlist() and sudo_set_gidlist(). [620d6f7fb4f8]

plugins/sudoers/auth/passwd.c:
Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with sudo 1.8.0 the plaintext password buffer is dynamically sized so it is not safe to assume that it is at least 9 bytes in size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. [a6229aa26fbf]

2022-10-27 Todd C. Miller

configure, configure.ac:
configure: better test for -fstack-clash-protection The gcc front- end may accept -fstack-clash-protection even if the machine-specific code does not support it. We use a test program with a large stack allocation to try to cause the compiler to insert the stack clash protection code, or fail if not supported. GitHub issue #191 [bbfbe758258c]

configure, configure.ac:
Check that compiler accepts -fstack-clash-protection and -fcf- protection. Previously, we only checked that linker accepted them. GitHub issue #191 [7d36b89b6e4d]

2022-10-26 Todd C. Miller

src/exec_ptrace.c:
Fix compilation error on Linux/mips. [ae4c28d8a050]

2022-10-21 Todd C. Miller

src/Makefile.in:
Regenerate dependencies for src/sesh.c. [ada8f04afc6d]

plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in:
Sync clean target with other Makefile.in files. [8048628a554e]

Makefile.in, plugins/sample/Makefile.in:
Build the sample plugin but do not install it by default. We no longer install the sample approval plugin. [a8644924b6a1]

plugins/sample/sample_plugin.c:
Adapt to current plugin API and fix warnings. [d822f1a10361]

2022-10-20 Todd C. Miller

plugins/sudoers/sudoers.c:
Disable admin_flag by setting to NULL, not false. Found by cppcheck. [6e32481e0555]

NEWS:
Bug #1042. [85d508b6d5e5]

include/sudo_util.h, lib/util/fatal.c, lib/util/term.c, lib/util/util.exp.in, src/conversation.c:
Only add trailing carriage return to messages if output is a raw tty. If output is being written to a terminal in “raw” mode, we need to add a carriage return after the newline to avoid “stair-step” output. However, we should not write the carriage return if the terminal is in “cooked” mode, output to a pipe, or output redirected to a file. Bug #1042. [14f5bf04245f]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Make it clear that runas_default sets the default user for Runas_Spec. Also use mention runas_default in other parts of the manual, use @runas_default@ instead of root and add markup around user names. GitHub issue #186. [73f0b82a2b22]

lib/util/multiarch.c, lib/util/sudo_dso.c:
Fix a typo, muti-arch -> multi-arch GitHub issue #185 [d88270b9e98f]

2022-10-19 Todd C. Miller

NEWS:
Mention log_servers eventlog fix. [484b76589309]

plugins/sudoers/policy.c:
Don’t NULL out the plugin close function when logging to a log server. If sudo calls execve(2) directly the accept info will not be sent. We also need the sudo front-end to wait until the command finishes to send the exit status. [11976aa84040]

2022-10-17 Todd C. Miller

INSTALL.md:
Fix numbering in “Simple sudo installation” [695bec2a6223]

2022-10-14 Todd C. Miller

NEWS:
zlib 1.2.13 update [2119981787f0]

plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/fr.mo, po/fr.po, po/ja.mo, po/ja.po, po/ka.mo, po/ka.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po, po/uk.mo, po/uk.po:
Updated translations from translationproject.org [b1f28405c58d]

lib/zlib/zconf.h.in:
Don’t define _LARGEFILE64_SOURCE or _LFS64_LARGEFILE. We don’t need them and the missing prototype for crc32_combine_gen64() issue has been fixed upstream. [39eb41f1dba4]

2022-10-13 Todd C. Miller

lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inflate.c, lib/zlib/inftrees.c, lib/zlib/inftrees.h, lib/zlib/trees.c, lib/zlib/uncompr.c, lib/zlib/zconf.h.in, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
Update embedded copy of zlib to version 1.2.13. Fixes CVE-2022-37434. [737d6de5253c]

lib/util/fchownat.c:
Add fchownat() for systems without it. [7c4aeda51522]

2022-10-10 Todd C. Miller

NEWS:
Update NEWS for 1.9.12. [a4b090f3f6c8]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.12 [179fba83936d]

src/selinux.c, src/sesh.c, src/sudo_edit.c:
Use getopt() and getopt_long() for sesh command line options. [fbaa6c75e2ef]

plugins/sudoers/def_data.c, plugins/sudoers/def_data.in:
Update the description of intercept_verify [63f80a7cd4a6]

2022-10-07 Todd C. Miller

src/load_plugins.c:
Silence a warning from the Solaris Studio compiler. [49a3c72cb539]

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_eventlog.h, include/sudo_json.h, include/sudo_plugin.h, lib/eventlog/eventlog.c, lib/iolog/iolog_loginfo.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/util/json.c, logsrvd/logsrvd_local.c, plugins/audit_json/audit_json.c, plugins/sudoers/sudoers.h, src/env_hooks.c, src/exec_intercept.c, src/net_ifs.c, src/sudo_intercept_common.c, src/sudo_plugin_int.h:
Avoid a -Wshadow warning on Solaris 9. [e6bc419fa976]

lib/util/mmap_alloc.c:
Fix a build error on Solaris 9. [679b60caf5a3]

2022-10-06 Todd C. Miller

plugins/sudoers/parse.c:
Fix display of command tags and options in “sudo -l” when RunAs changes. A new line is started when RunAs changes which means we need to display the command tags and options again. GitHub issue #184 [3180777986de]

plugins/sudoers/fmtsudoers.c:
Fix printing of MYSELF when listing another user’s privileges. We need to use list_pw if it is set instead of user_name. GitHub issue #183 [268044635b44]

NEWS:
Update NEWS file with recent changes. [200ac32d330b]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/multiarch.c, lib/util/regress/multiarch/multiarch_test.c, lib/util/sudo_dso.c, lib/util/util.exp.in, src/load_plugins.c:
Apply multiarch rules when loading plugins too. [f53fe06fce06]

2022-10-05 Todd C. Miller

lib/util/sudo_dso.c:
sudo_dso_load: try multi-arch on Linux if we can’t load the path. For example, if loading /usr/lib/libsss_sudo.so fails, try again with /usr/lib/x86_64-linux-gnu/libsss_sudo.so. [4eabffa486b5]

MANIFEST, lib/util/Makefile.in, lib/util/regress/open_parent_dir/open_parent_dir_test.c:
Add test for sudo open_parent_dir() [2d6b1be616c9]

MANIFEST, plugins/sudoers/regress/testsudoers/test19.out.ok, plugins/sudoers/regress/testsudoers/test19.sh:
Add test for matching a literal "" command line argument as "" in sudoers. GitHub issue #182. [ccb5dc8b23ee]

2022-10-04 Todd C. Miller

docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/visudo.c:
Add -I flag to disable editing include files unless there is an error. This can be used when you only want to edit a single sudoers file unless there is a pre-existing syntax error. [18fbf720fdbf]

plugins/sudoers/match_command.c:
Do not match a literal "" command line argument as "" in sudoers. If the empty string is specified in sudoers, no user args are allowed. GitHub issue #182. [5de0370eddcb]

lib/util/sudo_conf.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c:
sudo_secure_open_{file,dir}: always check thatreturn value is not -1. Avoids false positives from static analyzers that can’t figure out that the fd is always valid when error is SUDO_PATH_SECURE. [f0ebb2b836b9]

lib/iolog/iolog_mkdtemp.c:
Correct return value when mkdtempat() fails. [5a491fac8f49]

lib/util/mkdir_parents.c:
sudo_open_parent_dir: stop before creating the last path component Fix a regression introduced in sudo 1.9.9 where the entire directory path was created instead of just the parent directory. [fdaa5aeb744b]

2022-10-01 Todd C. Miller

Makefile.in, scripts/log2cl.pl:
Use “hg log –template” instead of “hg log –style”. [63f020404fbb]

2022-09-29 Todd C. Miller

plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, src/parse_args.c:
Mark code that escapes/unescapes “sudo -s cmd args…” for removal. A future version of the plugin API will defer any such escaping to the policy plugin so it can be configurable. [658d1bba4319]

NEWS:
Update with recent changes. [4a739e30c77f]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
Improve the description of JSON output. [258b57ce22ab]

2022-09-28 Todd C. Miller

INSTALL.md, etc/codespell.ignore, lib/eventlog/eventlog.c, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h, src/exec_nopty.c:
Fix typos found by codespell 2.2.1. [3beaf856c861]

logsrvd/iolog_writer.c:
Change max user-ID and group-ID from INT_MAX to UINT_MAX. [0971e5f9f398]

logsrvd/logsrvd_local.c:
Add support for NumberList stored in an InfoMessage. [a762fe45e5cc]

logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c, plugins/sudoers/log_client.c:
Add missing NULL checks for mandatory fields in protobuf messages. Also no longer reject an InfoMessage with an unknown value_case, just log and ignore it. [41c38e7f075b]

2022-09-27 Todd C. Miller

plugins/sudoers/log_client.c:
Don’t send ttyname to log server if it is NULL. Otherwise the log server will reject the AcceptMessage because a NULL string is not allowed. [df7fea4bef26]

src/exec_nopty.c:
HP-UX has struct winsize in termios.h. [5827a1f234fe]

plugins/python/Makefile.in, src/Makefile.in:
Regen dependencies [817623addc62]

docs/sudoers.man.in, docs/sudoers.mdoc.in, src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
Add support for logging stdin/stdout/stderr in the non-pty exec path. If we are logging I/O but not terminal input/output (either because no terminal is present or because that is what the plugin requested), the non-pty exec path is now taken. [205c68d452df]

MANIFEST, src/Makefile.in, src/exec.c, src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/regress/noexec/check_noexec.c, src/sudo_exec.h, src/sudo_intercept_common.c:
Move exec code to call into I/O log plugin to exec_iolog.c. This will be shared with exec_nopty.c in the future to log stdin/stdout/stderr without running the command in a pty. Both exec_pty.c and exec_nopty.c now use the same closure. [45a19e8e3721]

plugins/python/python_importblocker.c:
Implement find_spec, not the deprecated find_module. Fixes a test failure due to find_module having removed from setuptools. [cc1e68c0ee1e]

2022-09-23 Todd C. Miller

plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
copy_arg: fix copying an escaped backslash GitHub issue #179 [d21d95ec5cb0]

2022-09-22 Todd C. Miller

config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c:
Use mkdtempat_np() and mkostempsat_np() on macOS [ad0cd430347e]

2022-09-21 Todd C. Miller

include/sudo_iolog.h, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/util/mkdir_parents.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c:
Convert remaining uses of sudo_mkdir_parents() to sudo_open_parent_dir(). [62fd9644a605]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl:
Add fchownat() systems without it. [d51316f1026d]

config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/mktemp.c, plugins/python/regress/iohelpers.h:
Add mkdtempat() and mkostempsat() for systems without them. [099468742d16]

docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/util/secure_path.c, lib/util/sudo_conf.c, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timestamp.c:
Use sudo_secure_open_file() instead of sudo_secure_file() where possible. Both sudo_secure_open_file() and sudo_secure_open_dir() are now passed a struct stat pointer like sudo_secure_file() and sudo_secure_dir(). [c4e4c3f74ea4]

include/sudo_util.h, lib/util/mkdir_parents.c, lib/util/secure_path.c, lib/util/util.exp.in, plugins/sudoers/timestamp.c:
Fix potential TOCTOU when creating time stamp directory and file. [d36591f966c5]

lib/util/mkdir_parents.c:
sudo_mkdir_parents: just use memcpy() to copy the path component. Using snprintf() for this is overkill, we need to do the same length check either way. [8ea754871a54]

lib/util/Makefile.in:
regen [ab40def3376c]

2022-09-20 Todd C. Miller

lib/util/digest_gcrypt.c:
Quiet libgcrypt run-time warning about not being initialized. Fixes Debian bug #1019428 and Ubuntu bug #1397663. [ebf9a6477d5d]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/audit.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.h, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Split log_{input,output} into log_{stdin,ttyin} and log_{ttyout,stdout,stderr} If log_input is set, log_{stdin,ttyin} will be set as well. If log_output is set, log_{stdout,stderr,ttyout} will be set as well. This provides more fine-grained control over I/O logging and makes it possible to disable logging piped or redirected intput or output. [5b7ea42ac63b]

LICENSE.md, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c:
Update to protobuf-c 1.4.1 We already had all the relevant fixes so this is just cosmetic. [aa51e48afe49]

src/load_plugins.c:
new_container: no need to initialize container pointer in declaration. From Li zeming. [729a8a417d88]

2022-09-15 Todd C. Miller

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Use tcpgid if passed from sudo front-end and use it in tty_present(). This can be used as another indicator that a terminal is present without having to open /dev/tty. [b804b8b7fc03]

2022-09-13 Todd C. Miller

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Remove most uses of the deprecated Li macro which has no effect. Also fix some other incorrect markup. [8f94cc555092]

2022-09-12 Todd C. Miller

Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
Use $(GREP) and $(EGREP) variables in Makefile.in files. [cf8d7fb45169]

Merge pull request #177 from a1346054/fixes

Makefile.in: replace egrep and fix target name [751aa03eb470]

2022-09-12 a1346054

Makefile.in:
Fix incorrect makefile target name [318288fb712f]

Makefile.in:
Use grep -E instead of egrep [4a2d9543643c]

2022-09-11 Todd C. Miller

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
Document apparmor_profile, intercept_verify, and update_ticket. [d55caa1af788]

docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
Fix some of the markup to be more consistent with sudo_plugin.mdoc.in. Also reword a few awkward phrases. [8682c067c38b]

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
Use correct markup of function arguments and struct members. Also remove most uses of the deprecated Li macro which has no effect. [59b01b9ff183]

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in:
Move the init_session() errstr description to where it belongs. [8c1e7cb23d1f]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Fix a typo [591b75013070]

2022-09-07 Todd C. Miller

plugins/sudoers/logging.c:
log_parse_error: make errstr const to quiet a -Wwrite-strings warning [9827a2a01316]

config.h.in, configure.ac, include/sudo_compat.h, include/sudo_debug.h, include/sudo_fatal.h, include/sudo_lbuf.h, include/sudo_util.h, lib/eventlog/eventlog.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/defaults.c, plugins/sudoers/logging.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.h, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/sudo.h:
Move gcc-style attribute macros to config.h.in Renamed __malloc -> sudo_malloclike, __printflike -> sudo_printflike, __printf0like -> sudo_printf0like. Add sudo_noreturn instead of attribute((noreturn)). We do not use stdnoreturn.h since it has been deprecated in C23 in favor of the [[noreturn]] attribute. [ad3c04a1bbb0]

plugins/sudoers/visudo.c:
Add __printf0like to visudo_track_error(). [7a118c40d360]

2022-09-06 Todd C. Miller

plugins/sudoers/gram.y:
Back out unintended change in last commit. [5d52c966212d]

plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
It is possibble for sudoerserrorf() to be called with a NULL format. So log_parse_error() needs to check fmt for NULL before using it. [5b779a6888c9]

2022-09-03 Todd C. Miller

docs/UPGRADE.md:
Mention how to restore the historic core resource limit behavior. [bfd792bd9d07]

plugins/sudoers/audit.c:
Set MODE_POLICY_INTERCEPTED for log_subcmds too. This fixes a problem where sub-commands were not being logged to the remote log server, if configured. Since we don’t go through sudoers_policy_main() again for log_subcmds, we set the flag in sudoers_audit_accept() instead. The reason this is complicated is that when I/O logging is enabled the initial accept message gets sent as part of the remote logging handshake. GitHub issue #174 [297fa6bbd769]

2022-09-02 Todd C. Miller

NEWS:
Update with latest changes. [d7ca5db7adc7]

docs/cvtsudoers.mdoc.in:
Fix typo. [7629516758e2]

plugins/sudoers/sudoers.c:
Only check the admin flag file once in intercept mode. [c439914e08e1]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
Document cvtsudoers CSV output format [c5164466cae2]

2022-08-31 Todd C. Miller

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
Document cvtsudoers JSON output format [9fce227c2c61]

2022-08-30 Todd C. Miller

src/exec_ptrace.c:
Zero out register struct before calling ptrace_getregs(). Quiets a spurious valgrind warning. [32f19e2e508f]

2022-08-29 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in:
intercept_verify is fast, but the policy check is (relatively) slow. [0a120a78bd37]

src/exec_ptrace.c:
Realloc the buffer used to store argv and envp as needed. We now store the vector immediately after the string table. It is possible for argv and its contents to be invalidated by realloc() when reading envp so we store the pointers as offsets until we are done allocating. [7620f3dceac4]

2022-08-28 Todd C. Miller

src/exec_ptrace.c, src/exec_ptrace.h:
ptrace_verify_post_exec: use /proc/PID/cmdline and /proc/PID/environ There is no reason to read these directly from the tracee when we rely on /proc being mounted to access /proc/PID/exe. [5da938210647]

src/exec_ptrace.c:
Protect ptrace_readv_string() with #ifdef HAVE_PROCESS_VM_READV [cc8e71c4c529]

2022-08-25 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Rework the intercept section in “Preventing shell escapes”. [5e5b1ea90ce1]

.github/workflows/codeql-analysis.yml:
Update CodeQL Action to v2 using current example config. [d0aa8b4dda28]

lib/util/arc4random.c:
Suppress PVS-Studio false positive. [32fd02734378]

src/exec_intercept.c:
intercept_check_policy_req: an empty argv[] is now supported [a668708cc0a9]

config.h.in, configure, configure.ac, src/exec_ptrace.c:
Use process_vm_readv(2) and process_vm_writev(2) if available. This is faster than reading/writing from/to the remote process one word at a time using PTRACE_PEEKDATA and PTRACE_POKEDATA. [d0c5ed82738c]

plugins/sudoers/check.c:
Skip all of check_user() for intercept unless intercept_authenticate set. Previously we were calling the PAM approval modules even in intercept mode which can take a lot of time. We may wish to make PAM approval configurable in intercept mode in the future. [e06fbc7e4ca6]

plugins/sudoers/sudoers.c:
Only set MODE_POLICY_INTERCEPTED on subsequent policy checks. This fixes a bug where MODE_POLICY_INTERCEPTED was set too early if the intercept option was set globally in sudoers. It should only be set after the original command has executed. [8f5d47c2635a]

2022-08-23 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in:
intercept_verify also compares the environment. Also mention the overhead involved in checking things. [44da04558285]

2022-08-22 Todd C. Miller

src/exec_ptrace.c:
ptrace_getregs: make compat check more generic No need to use different checks for mips and non-mips, the compiler will optimize away the superfluous check. [0f2ff0f3f388]

src/preload.c:
Correct type of sudoers_audit. GitHub issue #61 [17a7806ad3ba]

2022-08-20 Todd C. Miller

src/sesh.c:
Fix shadowed variable warning. [e200b6b5b4fd]

2022-08-19 Todd C. Miller

src/exec_ptrace.h:
Fix shadowed variable warning on aarch64. [84169692bd1c]

src/regress/intercept/test_ptrace.c:
Quiet another -Wwrite-strings warning. [ff2860056976]

src/exec_ptrace.c:
ptrace_getregs: try to determine compat mode if caller doesn’t know. In ptrace_verify_post_exec(), we don’t know whether the executable that is now running is a native or compat binary. In most cases ptrace_getregs() will be able to figure it out for us. [fb0fa29ff554]

src/exec_ptrace.c:
ptrace_intercept_execve: fail syscall rather than killing process on error. If the execve(2) args are bogus pointers, we should just return an error instead of killing the process. For consistency with the kernel, convert EIO from ptrace(2) to EFAULT. Also convert some ptrace(2) warnings to debug printfs so sudo is less chatty. [3d30c6d28005]

2022-08-18 Todd C. Miller

src/exec_ptrace.c:
Treat argv and closure->run_argv of different sizes as a mismatch. If argv and closure->run_argv match up to the point where we hit a NULL but one of them has additional entries, we still need to rewrite argv. [91d522d9c3b6]

src/exec_ptrace.c:
Handle the case where argc is 0 when allocating space for argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [953f92c9e7a5]

src/sudo_intercept.c:
copy_vector: treat a NULL pointer as an empty vector. Linux execve(2) allows argv to be NULL so we must allocate an empty vector in this case and not return an error. [cf30608ed6cb]

src/exec_preload.c:
Update debug_decl name for sudo_preload_dso -> sudo_preload_dso_alloc change. [b0db53a62c7a]

src/exec_intercept.c:
Handle the case where argc is 0 when rebuilding argv. We need to pass the pathname to the policy plugin in argv[0] so we must be sure to allocate space for it even if argc is 0. [10358fc408a1]

src/exec_ptrace.c:
Handle sysconf(_SC_ARG_MAX) failure, Coverity CID 276504. [ddb88da56bd7]

plugins/sudoers/match_digest.c:
Avoid a Coverity false positive. [dd9fd747bd7f]

plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Remove cast from time_t to int to avoid a Coverity false positive. The cast should not be required. [a305b10eb17e]

2022-08-11 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/group_plugin.c:
Use multilib rules to look for a 64-bit group plugin on failure. If sudo_dso_load() fails on a 64-bit system, try to load a 64-bit native version of the file using system-dependent multilib rules. If we don’t support multilib on the platform, check for a version of the file that ends in “64” before the .so suffix. [d36bcc89ee34]

docs/sudo_plugin.man.in:
regen [c14c0882a07d]

2022-08-08 Todd C. Miller

plugins/sudoers/env.c, src/env_hooks.c:
In putenv(3) replacement reject a string with no ‘=’ or that starts with one. [59c6e6e5232b]

2022-08-05 Todd C. Miller

LICENSE.md:
Update copyright year for embedded zlib. [2c52d016e583]

2022-08-04 Todd C. Miller

configure, configure.ac:
Use our own arc4random() in preference to the glibc version. The glibc arc4random() may fail in chroot on older kernels and exit. [9b4a62c9f468]

lib/util/sudo_dso.c:
sudo_dso_load: restore original error for AIX on failure. For AIX, if dlopen() fails we try again with RTLD_MEMBER set and a default member (shr.o or shr_64.o). However, if that also fails, the user will receive a useless error message that doesn’t correspond to the actual problem. We now retry the original dlopen() if the fallback to RTLD_MEMBER fails, which has the effect of restoring the original error message. [ec539996a4aa]

2022-08-02 Todd C. Miller

Merge pull request #165 from bdrung/xdg-current-desktop

Add XDG_CURRENT_DESKTOP to initial_keepenv_table [3d2e82e32ea8]

NEWS, configure, configure.ac:
Sudo 1.9.12. [08c096ada8b2]

docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regr ess/testdata/check_multiple_approval_plugin_and_arguments.stdout, src/exec.c:
Bump the sudo plugin minor version. The “update_ticket” entry was added to the settings list and the “intercept_verify” entry was added to the command_info list. [3259f3199798]

docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_usage.h.in:
Add a way to run a command without updating the cached credentials. This can also be used to test for whether or not the user’s credentials are currently cached. [f5825a6f881b]

Merge pull request #168 from likunyur/lky

Remove unnecessary initialization and casts. [fcb251c895ce]

Merge pull request #169 from kempstonjoystick/main

Fix incorrect SHA384/512 digest calculation. [f016c3a37255]

2022-08-02 Tim Shearer

lib/util/sha2.c:
Fix incorrect SHA384/512 digest calculation.

Resolves an issue where certain message sizes result in an incorrect checksum. Specifically, when: (n*8) mod 1024 == 896 where n is the file size in bytes. [e9f235a8d432]

2022-08-01 Todd C. Miller

src/exec.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h:
Defer chdir(2) until sesh when running with SELinux. We need to be running with the correct security context or the chdir(2) may fail. GitHub issue #160. [a8713dd21be9]

2022-08-01 Li zeming

lib/util/arc4random.c:
util/arc4random: (void*) type pointer passing address could remove cast

Signed-off-by: Li zeming <zeming@…> [aa4e8c73f131]

lib/iolog/hostcheck.c:
iolog/hostcheck: These two parameters do not need to be initialized and assigned, the following code is directly assigned

Signed-off-by: Li zeming <zeming@…> [dd657435f277]

2022-07-31 Todd C. Miller

Merge pull request #166 from c4rlo/patch-1

visudo.c: add nvim (Neovim) to lineno_editor list [97e0a7b00daa]

2022-07-31 Carlo Teubner

plugins/sudoers/visudo.c:
visudo.c: add nvim (Neovim) to lineno_editor list

Neovim supports it: https://neovim.io/doc/user/starting.html#-+ [020b59cf0f6b]

2022-07-29 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Document the TOCTOU issue with intercept mode. Describe how intercept_verify attempts to reduce the risk. [b118de8d4c66]

etc/codespell.exclude, etc/codespell.ignore:
Update a codespell exclude pattern. [3193ffb4c938]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, src/exec_ptrace.c, src/sudo.c, src/sudo.h:
Add intercept_verify sudoers option to control execve(2) argument checking. [79131cfb0125]

src/exec_ptrace.c:
Use PTRACE_EVENT_EXEC to stop execution before return from execve(2). We can now verify that the arguments match what we accepted before the command actually runs. If there is a mismatch, the process is killed. Shell scripts must be handled specially since the path executed will be the interpreter, not the script name. Linux allows interpreters to be nested up to 4 deep. [5e7b1828dbb0]

plugins/sudoers/sudoers.c:
Only set MODE_POLICY_INTERCEPTED if we are running a command. Fixes an error with “sudo -l” when intercept is enabled globally. [7a1d0ff5a498]

2022-07-29 Benjamin Drung

plugins/sudoers/env.c:
Add XDG_CURRENT_DESKTOP to initial_keepenv_table

Qt needs XDG_CURRENT_DESKTOP to be set to determine the correct theme.

Since DISPLAY and XAUTHORITY are already in the default table of variables to preserve in the environment, just add XDG_CURRENT_DESKTOP to it.

Bug: https://launchpad.net/bugs/1958055 Signed-off-by: Benjamin Drung <bdrung@…> [aa5132684c89]

2022-07-27 Todd C. Miller

src/exec_ptrace.c:
The length returned by ptrace_read_string() include the NUL. We were wasting a extra byte in the string table for each entry. [b1220aae7141]

2022-07-26 Todd C. Miller

include/sudo_compat.h, include/sudo_util.h:
Use gcc’s malloc attribute for malloc-like allocation functions. [bff3b0ab89c5]

lib/util/mmap_alloc.c:
Avoid a Coverity positive. [81f526688296]

src/exec_preload.c:
fmtstr: add missing va_end() for the overflow case Coverity CID 275335 [42a4f4467ca5]

lib/util/sudo_debug.c:
Fix potential NULL pointer deference found by clang-analyzer. [5b0a9c0f2e71]

src/sudo.c, src/sudo_intercept_common.c:
Quiet some harmless PVS-Studio warnings. [9b9cc92f0585]

src/exec_intercept.c:
Reject relative command paths if runcwd is not set. This is now treated as a policy rejection. [bf35a6818c77]

src/exec_intercept.c:
intercept_check_policy: close saved_dir before returning [04adba5e85fa]

src/exec_intercept.c:
Change to runcwd during the policy check where possible. Otherwise, attempts to run “./command” from a shell with intercept set will fail if the current working directory is different from the main sudo process. [cd218f081cf2]

2022-07-25 Todd C. Miller

include/sudo_util.h, lib/util/mmap_alloc.c, lib/util/util.exp.in, src/sudo_intercept.c:
For preload DSO make copies of cmnd, argv, envp and map them read- only. [56a160c55e4c]

src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
Use sudo_mmap_alloc functions in DSO-based intercept code. [806dacd141ad]

lib/util/snprintf.c:
Use sudo_mmap_alloc functions instead of private versions. We no longer need to keep track of the allocation size. [6f375ed7a927]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/mmap_alloc.c, lib/util/util.exp.in:
Add sudo_mmap_{alloc,allocarrary,strdup,free} functions. These allocate memory via mmap anonymous regions and store the mapped size immediately before the returned pointer as an unsigned long. They are intended to be used in cases where malloc(3) and free(3) are unsuitable due to concerns about corrupting global state in multi- threaded programs or signal handlers. [803b4a82bedd]

docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
Sync with schema.OpenLDAP for user/group utf8 support. [14705b52a4f9]

Merge pull request #163 from Firstyear/20220725-sudo-ldap-schema

Update sudoUser to be utf8 in ldap schemas [91354fc2ed23]

src/sudo_intercept.c:
resolve_path: skip non-regular files [2ed5efdb48ea]

2022-07-25 William Brown

docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo:
Update sudoUser to be utf8 in ldap schemas

In most unix-style LDAP servers, uid is a utf8 string defined by OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant that sudoUser could only represent a subset of possible values.

In some cases when using sudoers.ldap, the uid from the machine which was utf8 was fed back into sudo which would then issue a search for sudoUsers. If this uid contained utf8 characters, the ldap server would refuse to match into sudoUsers because these were limited to IA5.

This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning that this change will not impact existing deployments and their rules. [7a47e711ca88]

2022-07-14 Todd C. Miller

src/exec_intercept.c, src/sudo.c:
Make sure the plugin provides a command, argv and envp. [7e4e93118622]

lib/util/sudo_debug.c, src/exec_intercept.c, src/exec_preload.c, src/exec_ptrace.c, src/sudo_intercept.c, src/sudo_intercept_common.c:
Linux execve(2) allows argv or envp to be NULL. Add checks to make sure we don’t deference a NULL pointer. [be380b71df62]

2022-07-13 Todd C. Miller

src/exec_intercept.c:
intercept_check_policy: add oom label and fix approval failure case. If the approval plugin fails we need to set the state to POLICY_REJECT just like we do if the policy rejected the command. [e7ba37e32af7]

2022-07-09 Todd C. Miller

plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.in, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, src/apparmor.c:
Fix a few whitespace issues. [deb6391a3ba0]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Increase the realloc increment from 128 to 1024. The contents of the env_add array should not include the leading “env=” prefix. [d8c0067fc3fd]

plugins/sudoers/env.c:
sudo_putenv_nodebug: require that the environment string include a ‘=’ [fb200f301070]

2022-07-08 Todd C. Miller

plugins/sudoers/visudo.c:
If update_defaults() fails, treat it as a parse error. [d9860eb2257a]

plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add additional PVS-studio suppression comments for generated code. [dfb89944dcce]

2022-07-07 Todd C. Miller

plugins/sudoers/match_command.c:
Fix compilation error when SUDOERS_NAME_MATCH is defined. [3b76707bc5fa]

plugins/sudoers/match_command.c:
Fix a NOPASSWD issue with a non-existent command when fdexec=always In command_matches_all(), if the command is fully-qualified and open_cmnd() return false, only treat it as an error if we are able to stat(2) the command. For “sudo ALL” a non-existent command is not an error. [e2d756137ce9]

plugins/sudoers/regress/testsudoers/test18.sh:
Quote ^foo$ on command line to protect it from the shell. [0f1274e0be93]

2022-07-05 Todd C. Miller

lib/eventlog/regress/logwrap/check_wrap.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, plugins/python/regress/check_python_examples.c, src/exec_ptrace.c:
Add explicit include of unistd.h for getopt(3) and related variables. [e1c369cd5ae8]

2022-07-04 Todd C. Miller

plugins/sudoers/cvtsudoers.c, src/sudo_intercept_common.c:
Merge pull request #161 from likunyur/lky

sudoers/cvtsudoers: Remove the repeated ‘;’ from code [9b961a3b9c86]

2022-07-04 Li kunyu

src/sudo_intercept_common.c:
src/send: Remove the repeated ‘;’ from code

Signed-off-by: Li kunyu <kunyu@…> [6fc809eac0b1]

plugins/sudoers/cvtsudoers.c:
sudoers/cvtsudoers: Remove the repeated ‘;’ from code

Signed-off-by: Li kunyu <kunyu@…> [75582c880c30]

2022-07-01 Todd C. Miller

lib/util/timegm.c:
In timegm() initialize tm_isdst to 0 like tzcode does. [d3f2d10c3559]

2022-06-30 Todd C. Miller

include/intercept.pb-c.h, include/sudo_event.h, src/exec_intercept.c, src/exec_intercept.h, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
Stop sending an InterceptResponse to a PolicyCheckRequest for log_subcmds. There’s no real reason for the command to wait for sudo send back a response that will always be a PolicyAcceptMessage. [d2fe28a652d0]

plugins/sudoers/sudoers.c:
sudoers_main: defer setting return value until the end when running a command Otherwise, we could return success when there was an error from a system call or memory allocation failure. [bd993a2948ce]

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Save the initial command run via sudo and use it when logging exit status. Otherwise, if we are in intercept mode or logging sub- commands the exit status will be logged with the wrong command. [54e3494473ac]

2022-06-29 Todd C. Miller

lib/zlib/zconf.h.in:
Define _LARGEFILE64_SOURCE if _FILE_OFFSET_BITS == 64. Fixes a -Wwrite-strings warning on 32-bit systems. [61eff691496f]

lib/util/strsignal.c:
Quiet another -Wwrite-strings warning. [a03bb85d581d]

lib/protobuf-c/protobuf-c.c:
Fix a clang analyzer 14 warning about a possible NULL deref. [4c0db4ac3e1d]

lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
Regenerate dependencies [ff7de2b59097]

scripts/mkdep.pl:
Do not check files generated by protbuf-c with PVS-Studio [86f56c21339f]

logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c, logsrvd/sendlog.c, logsrvd/tls_client.c, plugins/sudoers/log_client.c, src/sudo_intercept_common.c:
Quiet some harmless PVS Studio warnings. [476fbef7a0c4]

logsrvd/logsrvd_conf.c, logsrvd/sendlog.c:
Use “unable to allocate memory” warning on malloc failure. This is consistent with the rest of the sudo source code. [5954fc067647]

lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/iolog/host_port.c, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/util/getentropy.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c, src/Makefile.in, src/apparmor.c:
Add missing PVS Studio Open Source comments. Also avoid checking protobuf-c source and protobuf-c generated files. [e1277c1f6585]

lib/iolog/host_port.c, lib/iolog/hostcheck.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/python/pyhelpers.h, plugins/python/regress/iohelpers.h, plugins/sudoers/log_client.c:
Use #include <config.h> not #include “config.h” for consistency. Otherwise, some compilers may do the wrong thing in a build dir if there is a config.h file in the source dir too. [79aaab18dc6d]

2022-06-28 Todd C. Miller

plugins/sudoers/group_plugin.c:
Update group_plugin_load() stub to match its prototype. [9ea7126e6d5c]

configure, configure.ac, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/iolog/host_port.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/util/aix.c, lib/util/getgrouplist.c, lib/util/getopt_long.c, lib/util/lbuf.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/regress/progname/progname_test.c, lib/util/snprintf.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/exptilde.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/insults.h, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/log_client.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/edit_open.c, src/exec_common.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/selinux.c, src/sudo.c, src/sudo_edit.c, src/sudo_intercept.c:
Make sudo pass -Wwrite-strings [7ac3dd7b1634]

configure, configure.ac:
A typo prevented -Wno-deprecated-declarations from being used on macOS. [4d6d4b9e7191]

2022-06-27 Todd C. Miller

src/preload.c:
Fix missing prototype warning. [66e460d3c1d2]

lib/zlib/zconf.h.in:
Define _LFS64_LARGEFILE, _LARGEFILE64_SOURCE if 64-bit or _LARGE_FILES set. autoconf does not define _LARGEFILE64_SOURCE by default but zlib expects it (its own configure script will define it). Fixes a missing prototype for crc32_combine_gen64() on AIX and HP-UX. [c5b314bebbcb]

configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/host_port.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, plugins/python/pyhelpers.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_common.c, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc, plugins/python/python_plugin_policy.c, plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c, plugins/sudoers/audit.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/stubs.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/tsgetgrpw.h, plugins/sudoers/unesc_str.c, src/copy_file.c, src/exec_ptrace.c, src/load_plugins.c, src/net_ifs.c, src/sudo.h, src/sudo_intercept.c, src/sudo_intercept_common.c, src/sudo_noexec.c:
Make sudo pass -Wmissing-prototypes [195b024b9f54]

src/exec_ptrace.c:
Include inttypes.h if stdint.h is not present. Bug #1035 [da6185c4c418]

2022-06-21 Todd C. Miller

src/exec_ptrace.c:
readlink(2) does NUL-terminate the buffer, do it manually. Fixes a bug where the current working directory could include garbage in intercept mode using ptrace(2). [dc7c547f518f]

src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept_common.c:
sudo_preload_dso: make the envp function argument const This lets us fix an inappropriate cast in sudo_intercept_common.c. [c2fa860b684e]

src/exec_intercept.c:
intercept_write: remove unused CD_USE_PTRACE code. It is not possible to end up in intercept_write when CD_USE_PTRACE is set. [f8bdc5e37294]

2022-06-20 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.11p3 [c96ded63ae46]

src/exec_intercept.c, src/sudo_intercept_common.c:
Set TCP_NODELAY on the socket used for intercept IPC to reduce latency. On some systems, Nagle’s algorithm was delaying receipt of the data, causing commands with intercept or log_subcmds to run slowly. Related to Bug #1034. [11b129850ac1]

src/sudo_intercept_common.c:
Use blocking I/O when talking to the sudo process. Also check for EAGAIN/EINTR when reading the message size. Fixes a problem seen on AIX where recv_intercept_response() could fail unexpectedly. Bug #1034. [8554618665a2]

src/exec_intercept.c:
Add debug printfs when send/recv return EAGAIN or EINTR. These are not actually errors but can help gain insight into what is going on and, in the case of EAGAIN, whether or not there may be a kernel resource starvation problem. [fd2dee906d2f]

2022-06-14 Todd C. Miller

plugins/sudoers/logging.c:
log_exit_status: make local variables match struct evlog members. [f93d5141e818]

2022-06-13 Todd C. Miller

lib/util/getgrouplist.c:
Quiet a compiler warning on macOS. The getgrouplist() groups array on macOS is int * instead of gid_t *. [c64bf72a1416]

2022-06-12 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.11p2 [9505276e5c97]

2022-06-11 Todd C. Miller

src/exec_ptrace.h:
Fix compilation on Linux/x32; GitHub issue #158 [8cebfdd49205]

2022-06-10 Todd C. Miller

plugins/sudoers/policy.c:
Fix pasto in comment after HAVE_PRIV_SET #endif [2275ab3b016d]

include/sudo_compat.h:
Fix typo, we should define SSIZE_MAX if it is not defined. [51c68f801479]

2022-06-09 Todd C. Miller

plugins/sudoers/env.c:
Change black list -> blocklist This was missed in the previous conversion. [da610ebb5cb1]

plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.h:
Save a pointer to the event_alloc parameter in the plugin open function. That way we don’t need to pass event_alloc around to the log client functions. [a8a47f3770b3]

lib/protobuf-c/protobuf-c.c:
Fix regression with zero-length messages introduced in protobuf-c PR 500. [42062b9f75d5]

2022-06-08 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.11p1 [7fcfdaacb15e]

2022-06-07 Todd C. Miller

src/exec_pty.c:
Make read and write events persistent and disable as needed. For the read callback, disable reader when the buffer is full. For the write callback, disable writer when the buffer is consumed. [2b6953dc4224]

config.h.in, configure, configure.ac, src/sudo_exec.h, src/sudo_noexec.c:
Check for SECCOMP_MODE_FILTER not SECCOMP_SET_MODE_FILTER. This matches the actual prctl() call we use. [4222768293d1]

Merge pull request #157 from 0x2b3bfa0/improve-tag-spec-ebnf-docs

Improve Tag_Spec EBNF documentation [f528335aded5]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
Treat EINTR in a callback like we do EAGAIN. We shouldn’t get EINTR in practice since we set SA_RESTART when registering signal handlers but it doesn’t hurt to be consistent. [acf3394e2df2]

Merge pull request #156 from delroth/aarch64-build

exec_ptrace: fix missing sudo_pt_regs on aarch64 [a7062c609a96]

2022-06-07 Pierre Bourdon

src/exec_ptrace.h:
exec_ptrace: fix missing sudo_pt_regs on aarch64

AArch64 already had an existing “user_pt_regs” struct and didn’t need a struct alias before the renaming to “sudo_pt_regs”. Make the code build again by adding the now missing alias.

Fixes: 2eb8ff17 [3b55f40e9b83]

2022-06-07 Helio Machado

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Improve Tag_Spec EBNF documentation [7e23ec31d124]

2022-06-07 Todd C. Miller

Merge pull request #154 from 0x2b3bfa0/fix-tag-spec-docs

Add missing colon in Tag_Spec documentation [ec8f4610b677]

Merge pull request #152 from particleflux/fix-sudoers-typo

Fix typo in sudoers comment [bbbcff4c14ba]

2022-06-07 Helio Machado

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add missing colon in Tag_Spec documentation [e6f4c612e22a]

2022-06-07 Stefan Linke

plugins/sudoers/sudoers.in:
Fix typo in sudoers comment

Fix a typo in the sudoers comment about maxseq param.

Introduced by 906eb19ece47023c659b4b3db2e7a6bb57dff0d9 in 1.9.11. [b38fae41b3eb]

2022-06-06 Todd C. Miller

lib/protobuf-c/protobuf-c.c:
Only shift unsigned values to avoid implementation-specific behavior. This converts the arithmetic shifts to logical shifts. [e25aa8e9891a]

lib/protobuf-c/protobuf-c.c:
Fix issue protobuf-c#499: unsigned integer overflow Signed-off-by:
10054172 <hui.zhang@…> [f3637be4df4f]

include/sudo_event.h, lib/util/event_select.c:
Fix building with select (not poll) when fd_set is not defined in sys/types.h. We can use a void * for the fd_set arrays and just add a cast when using the FD_SET macros. [5c636cbc11f0]

src/exec_pty.c:
Reinstall the event handler if we get EAGAIN from read/write callback. The read and write events do not set SUDO_EV_PERSIST so we need to explicitly re-enable the event if there is still data to be read. Bug #963. [0006cb6531f4]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c:
If write(2) returns EAGAIN just re-enter the event loop. This is consistent with how we handle EAGAIN for read(2). [e6478d917a0f]

docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
Document how setting ModulePath affects the Python search path. Also advise the user to use a unique prefix to avoid name space collisions with installed Python modules. Bug #1031. [68a9d50d7806]

configure, configure.ac, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
Add EXAMPLES variables for use in the man pages for the examples directory. [148272d9a6d3]

2022-06-04 Todd C. Miller

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po:
Updated translations from translationproject.org [985902730e5b]

plugins/sudoers/po/hr.mo, po/hr.mo:
Rebuild Croatian message catalog. [438136f65c13]

2022-06-03 Todd C. Miller

.gitignore, .hgignore:
Add new test binaries to the ignore files. [ea9de2ded48d]

po/cs.mo, po/cs.po:
Updated translations from translationproject.org [eac0aba546ed]

lib/protobuf-c/protobuf-c.c:
Define WORDS_BIGENDIAN on big endian systems. Instead of a configure check, we use endian.h (or a fallback). [4d5603a9528c]

include/intercept.pb-c.h, include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/protobuf-c/protobuf-c.c, scripts/unanon:
Update to protobuf-c 1.4.0 [47ff9b8bab21]

logsrvd/logsrvd.c, plugins/sudoers/cvtsudoers_csv.c:
Quiet two clang analyzer false positives. [2c878f7853cc]

src/exec_intercept.c:
Move a comment to the correct location. [caacb3fae078]

logsrvd/logsrvd.c:
union sockaddr_union: pass in sockaddr_union * instead of sockaddr *. This eliminates the need for a few casts and is consistent with how create_listener() is written. [4def05f8d895]

src/exec_ptrace.c:
Eliminate some dead stores that clang-analyzer complains about. [3aac29fe0101]

src/exec_ptrace.c:
ptrace_read_vec: don’t try to free memory on the error path This is leftover from when ptrace_read_string() allocated its own memory. [7f5b5d21bce9]

config.h.in, configure, configure.ac, src/sudo_intercept.c:
Avoid using vfork(2) in the DSO system(3) wrapper. Traditional vfork(2) semantics make it unsafe for use for more than just vfork(2) + execve(2). [9a8ce7aef55d]

2022-06-02 Todd C. Miller

po/vi.mo, po/vi.po:
Updated translations from translationproject.org [e3197ef8a98d]

NEWS:
Mention sudo_logsrvd.conf “log_server” parsing fix. [575a31b83bfd]

MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/tls/sudo_logsrvd.conf.2.in:
For logsrvd_conf_test include both tls and non-tls configs. [ec1815793aab]

MANIFEST, logsrvd/Makefile.in, logsrvd/regress/logsrvd_conf/cacert.pem, logsrvd/regress/logsrvd_conf/logsrvd_cert.pem, logsrvd/regress/logsrvd_conf/logsrvd_conf_test.c, logsrvd/regress/logsrvd_conf/logsrvd_dhparams.pem, logsrvd/regress/logsrvd_conf/logsrvd_key.pem, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.1.in, logsrvd/regress/logsrvd_conf/sudo_logsrvd.conf.2.in:
Add a simple regression test for logsrvd.conf parser. Unlike the parser fuzzer, this includes sample certs and keys. This test would have detected the BIO_new_file() bug in set_dhparams(). [7ddabb9d022f]

logsrvd/logsrvd_conf.c:
Fix inverted logic when setting server_log. A value that starts with a ‘/’ should be treated as a path. [8941fd924fbf]

plugins/audit_json/Makefile.in, plugins/sample_approval/Makefile.in:
Use abs_top_builddir instead of pwd/$(top_builddir). [0f4e20a7aeed]

2022-06-01 Todd C. Miller

lib/util/regress/parse_gids/parse_gids_test.c:
Plug a memory leak. [8a9eb498ed55]

plugins/sudoers/parse_ldif.c:
Fix bug in last commit, need to reinitialize role to NULL. [1e454b967993]

plugins/sudoers/parse_ldif.c:
Simplify the check for when we can reuse the previous user and host specs. This makes the code easier to read and quiets a cppcheck false positive. [037c4943f1ac]

docs/Makefile.in:
Install the plugin man pages in section 5 (or 4 for System V). The manual had the correct section in the text but was installed in the wrong directory. [5df7d3f9a010]

plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/uk.mo, po/uk.po:
Updated translations from translationproject.org [9ac84e5c9250]

NEWS:
Sudo now supports intercepting system(3). [a46db96a3b03]

2022-05-31 Todd C. Miller

plugins/sudoers/log_client.c:
Only display “unable to connect to log server” warning once. Previously, in intercept mode, if the log server is unreachable the message would be printed for each sub-command. [df4c53518bb7]

src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/sudo_exec.h:
When using ptrace(2), push the point where we suspend into exec_cmnd(). This should reduce the amount of time the child has to wait for the parent to use PTRACE_SEIZE to seize control and then PTRACE_CONT to continue the child. [f9caab4bf18b]

config.h.in, configure, configure.ac, src/sudo_intercept.c:
Add configure check for vfork(2) and fall back to fork(2) if missing. [ddfaba8d2a09]

docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, src/intercept.exp.in, src/sudo_intercept.c:
Add support for intercepting the system(3) function. This also means we can log system(3) with log_subcmds. [aca241d96c0b]

include/compat/endian.h:
Newer compilers define BYTE_ORDER and ORDER{BIG,LITTLE}ENDIAN Also add riscv the little endian list. [55731e5517fc]

2022-05-29 Todd C. Miller

configure, configure.ac:
On AIX, fmemopen(3) has a bug where feof() returns false at EOF. See https://www.ibm.com/support/pages/apar/IJ11845 [a703278bceed]

2022-05-27 Todd C. Miller

plugins/sudoers/defaults.c:
Fix potential signed integer overflow on 32-bit CPUs. Converting fractional minutes to nanoseconds could overflow a 32-bit integer, use long long instead. [b1d2afc0cc4d]

plugins/sudoers/Makefile.in:
Fix path to example sudoers file, it is now in the build dir. [899850a04adf]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
init_options: initialize apparmor_profile to NULL [ad0de9e0474f]

NEWS:
Update with latest 1.9.11 changes. [12650d2b6184]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Fix typo [ce83f628330c]

docs/CONTRIBUTORS.md:
Update contributors. [5b69f27ea398]

logsrvd/tls_init.c:
Fix uninitialized use of ca_store when building with wolfSSL. [e7cc6d8d9f7e]

docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Newer Debian/Ubuntu uses libsepol-dev not libsepol1-dev. [b2c1326bfb0d]

configure, configure.ac, plugins/sudoers/def_data.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/toke.c, src/Makefile.in:
Regenerate files after merging AppArmor integration. [d24fcec2cb87]

Merge pull request #148 from kernelmethod/apparmor_support

Add AppArmor support to sudo [fcbfb2410afd]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo.c, src/sudo.h:
Merge branch ‘main’ into apparmor_support [7832ecc5eb7f]

2022-05-26 Todd C. Miller

src/sudo_intercept.c:
Pass envp, not environ, to real execve() from exec_wrapper() if possible. The replacement execve() function was passing the global environ to exec_wrapper() instead of the envp parameter. This caused the command to be run with the wrong environment on AIX systems, and possibly others, when intercept or log_subcmds was enabled. Bug #1030. [dc0187c68c1b]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.11 [b4c8ec57842f]

src/exec_ptrace.c:
Consolidate some translatable strings. [05dae7c3c8da]

logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c, src/exec_intercept.c:
Standardize protobuf “unable to unpack” warning messages. [6f4e026c7a02]

docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c:
Bump plugin minor version and document new intercept-related settings. There should have been a minor version bump for sudo 1.9.8 when intercept was originally implemented. [2b7591704df4]

2022-05-25 Todd C. Miller

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Reset intercept_allow_setid if intercept_type changes from trace to dso. But only reset intercept_allow_setid if the user didn’t explicitly set it. [e398111d824e]

2022-05-24 Todd C. Miller

etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
CentOS Stream only uses a major version number, no minor version. This prevents the packages from being created as foo.el.arch.rpm since we were assuming that the version number was two digits. [a3caed91ea8c]

src/exec_ptrace.c, src/exec_ptrace.h:
Add support for running o32 and n32 binaries on mips64. [887ab363f2a4]

src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
Enable ptrace support for MIPS but only for log_subcmds. It is not possible to change the syscall return value on MIPS so we cannot support full intercept mode. Another complication on MIPS is that if a system call is invoked via syscall(_NR###), v0 holds __NR_O32_Linux and the real syscall is in the first arg (a0) and other args are shifted by one. [0345a4137047]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_ptrace.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
Add intercept_type sudoers option to set intercept/log_subcmds mechanism. [b97e461f7da1]

2022-05-23 kernelmethod

MANIFEST, include/sudo_debug.h, src/Makefile.in, src/apparmor.c, src/parse_args.c, src/sudo.c, src/sudo.h:
Add an apparmor_profile sudo setting

Define a new sudo setting, apparmor_profile, that can be used to pass in an AppArmor profile that should be used to confine commands. If apparmor_profile is specified, sudo will execute the command using the new apparmor_execve function, which confines the command under the provided profile before exec’ing it. [a54897efe031]

plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.l:
Add an APPARMOR_PROFILE user spec option to sudoers

sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g.

alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL

The line above says “user alice can run any command as any user/group, under confinement by the AppArmor profile ‘foo’.” Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration

alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL

allows alice to run any command unconfined (i.e., without an AppArmor profile), while

alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL

tells sudoers that alice can run any command under the stacked AppArmor profiles ‘foo’ and ‘bar’.

The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying ‘APPARMOR_PROFILE=unconfined’ for a privileged subset of users. [2afe8c910959]

config.h.in, configure.ac, scripts/mkdep.pl, scripts/mkpkg:
Add a –with-apparmor build flag

Add a new build flag, –with-apparmor, that builds sudo with AppArmor support. Modify the build script for Debian and Ubuntu to enable this flag by default. [596b4e6dce4d]

INSTALL.md, docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add documentation for AppArmor support
- Document the AppArmor userspec option in the sudoers man pages.
- Add information about the –with-apparmor build configuration option to INSTALL.md. [524dde965b94]

2022-05-22 kernelmethod

docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add libapparmor-dev to the Debian and Ubuntu Dockerfiles

Install libapparmor-dev on Debian- and Ubuntu-based Docker images so that they can build sudo with AppArmor support. [8491c8b6d240]

2022-05-19 Todd C. Miller

src/exec_nopty.c, src/exec_pty.c:
Pass the WUNTRACED flag to waitpid() even if __WALL is present. Otherwise, we won’t get the wait status of a suspended command that is not being traced. [7c2b46ec73be]

configure, configure.ac, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
Use explicit library dependencies instead of implicit. We now include all the dependent libraries when linking. Fixes a linking problem on CentOS Stream 9. [6f06cdbb1552]

plugins/sudoers/logging.c:
mail_parse_errors: allocate the correct amount of space for mail body. Use strlen(), not sizeof(), on “problem parsing sudoers” since it is a tranlated string and not a constant. This was caught by the existing overflow checks. [5aa53136cd9d]

2022-05-18 Todd C. Miller

MANIFEST, src/Makefile.in, src/exec_nopty.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h, src/suspend_nopty.c:
Move code to suspend sudo when no pty is in use to separate file. Use this in test_ptrace.c to be able to suspend just like sudo does. [ddef421918b7]

2022-05-17 Todd C. Miller

src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
Fix suspending a sudo-run shell in ptrace intercept mode with no pty. When ptracing a process, we receive the signal-delivery-stop signal before the group-stop signal. If sudo is running the command in the same terminal, we need to wait until the stop signal is actually delivered to the command before we can suspend sudo itself. If we suspend sudo before receiving the group-stop, the command will be restarted with PTRACE_LISTEN too late and will miss the SIGCONT from sudo. [bf9a482ecddd]

docs/TROUBLESHOOTING.md, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in:
OpenSSL 3.x requires the key usage extension be present in CA and certs. Certificates generated with a CA that doesn’t set the key usage extension will fail to validate if “tls_verify” is enabled. [3ae4ef1ecf57]

logsrvd/tls_init.c:
Include the cert or ca file in error messages where applicable. [3e0558886a3d]

logsrvd/tls_init.c:
Add missing include of string.h for strerror(3). [253a5634d441]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c:
If ERR_reason_error_string() returns NULL, fall back on strerror(errno). That way we get reasonable error messages for missing files, etc. [d2423ef0e284]

logsrvd/tls_init.c:
set_dhparams: pass BIO_new_file() “r” for the file mode, not O_RDONLY. Unlike BIO_new_fp(), BIO_new_file() takes an fopen-style mode string. [7a67aec88cb4]

src/exec_ptrace.c:
The set_sc_arg3, get_sc_arg3 and set_sc_arg4 functions are not used. Use ifdef notyet to disable for now since they may be used in the future. [99d2f2a42da5]

2022-05-16 Todd C. Miller

src/exec_ptrace.h, src/sudo_exec.h:
Use x86_64 preprocessor symbol, not amd64 Also clarify a comment about MIPS ptrace. [b02ad513eb64]

src/exec_ptrace.h, src/sudo_exec.h:
ptrace support has been tested on Debian/s390x. It should also work on s390 but this has not been tested. I have not added a compat mode to trace 31-bit binaries on s390x due to the lack of a test system. [3176433e7456]

src/exec_ptrace.h:
Define sudo_pt_regs instead of user_pt_regs and include the struct keyword. On s390, the struct is typedef’d without a name. [b2b74f378eef]

src/exec_ptrace.h, src/sudo_exec.h:
ptrace support has been tested on Debian/riscv64. [e1011074d984]

2022-05-15 Todd C. Miller

plugins/sudoers/sudoers.in:
Add maxseq setting to log_output example. This should make it more obvious that you need to adjust maxseq unless you have (virtually) unlimited disk space. [5203240a248b]

scripts/mkpkg:
Fix dependency check for libssl on Debian/Ubuntu with OpenSSL 3. Also add check for python 3.10 and 3.11 and remove versions < 3.4. Fixes building on Ubuntu 22.04. [c9114582911c]

2022-05-14 Todd C. Miller

src/exec_ptrace.h:
Tracing 32-bit arm binaries from a 64-bit sudo works. [c1e1602874ed]

src/exec_ptrace.c:
ptrace_write_string: the terminating NUL fix was reverted by mistake. [587dd11b2783]

src/exec_ptrace.h, src/sudo_exec.h:
ptrace-based intercept has now been tested on 32-bit arm [493b17a89e63]

2022-05-13 Todd C. Miller

src/exec_ptrace.h:
Don’t use PTRACE_SET_SYSCALL for 32-bit arm binaries running on aarch64. Use PTRACE_SETREGSET with NT_ARM_SYSTEM_CALL instead just like we would for a 64-bit binary. Newer Linux headers don’t define PTRACE_SET_SYSCALL for aarch64. [5930846e9c9e]

src/regress/intercept/test_ptrace.c:
Replace verbose flag with debug flag. This is more accurate since it actually uses the debug subsystem. [dda8b8af8bd2]

src/exec_ptrace.h:
Initial cut at MIPS support, untested. Mips is a bit different in that most Linux distros appear to use the n32 ABI on 64-bit CPUs. We don’t currently support tracing a 64-bit binary from a 32-bit sudo. We could suport tracing o32 ABI binaries in compat mode, though. [05e5e246463a]

2022-05-12 Todd C. Miller

src/regress/intercept/test_ptrace.c:
Add have_seccomp_action(“trap”) call to check for SECCOMP_MODE_FILTER. [250c6b72c4f4]

src/exec_ptrace.c, src/exec_ptrace.h:
Add arm-specific code to set the system call number. Fixes rejection of commands due to policy on arm when in intercept mode. [74c5bd26713b]

scripts/mkpkg:
Fix OS major version detection on CentOS Stream [cd4d5aaf59a7]

src/exec_ptrace.c:
Repair ptrace_write_vec() for compat binaries. [77ee302b0631]

src/regress/intercept/test_ptrace.c:
Fix a crash when not run in verbose mode. [adf481623228]

src/exec_ptrace.c:
ptrace_intercept_execve: read back the updated syscall args in test mode. This makes it easier to detect problems with the syscall rewrite code when testing with test_ptrace. [4eb9e09d90d9]

2022-05-11 Todd C. Miller

src/exec_ptrace.c, src/exec_ptrace.h, src/sudo_exec.h:
Enable ptrace intercept on powerpc. Tested on ppc64 and ppc64le. [fbd12baa1a02]

src/exec_ptrace.c:
Fix tracing compat binaries on big endian systems. We need to swap the order of the two 32-bit addresses for big-endian. [375004a3ef09]

src/exec_ptrace.c:
Move code to write a string vector to ptrace_write_vec(). [8401e0397f11]

src/exec_ptrace.c:
Fix compilation error on systems with no compat arch. Currently only affects i386. [b95c707298c5]

MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/regress/intercept/test_ptrace.c, src/sudo_exec.h:
Add test_ptrace program to test ptrace-based intercept support. [5f7162bcdbfd]

src/exec_ptrace.c:
Use unsigned long for addresses so we don’t have to worry about sign extension. [7a0d4ea2fa70]

2022-05-10 Todd C. Miller

src/exec_ptrace.c:
ptrace_write_string: make sure we always write the terminating NUL. We can’t check *str for NUL since it may not have been written yet. [9d95217981ac]

src/exec_ptrace.c:
Fix compilation error when SECCOMP_AUDIT_ARCH_COMPAT is not defined. [3162054bac24]

2022-05-09 Todd C. Miller

src/exec_ptrace.c, src/exec_ptrace.h:
It is now safe to make WORDALIGN use compat (not native) aligment. We allocate space for an extra pointer between argv and the string table for compat binaries so there is no need to align address to sizeof(long). [898626f1cdf6]

src/exec_ptrace.c, src/exec_ptrace.h:
Use the entire word in ptrace_get_vec_len() and ptrace_read_vec(). For compat binaries, use the upper 32-bits as the next word instead of calling ptrace(2) to get it. This reduces the number of ptrace(2) calls when reading argv and envp for compat binaries. [cf5d1ae47dbe]

2022-05-07 Todd C. Miller

src/exec_ptrace.c:
We don’t need to align strings in the string table. We align the start of the string table to a word boundary to help prevent overlap when writing the pointers. However, the actual strings themselves don’t need to be aligned. [219a1a07fc2e]

2022-05-06 Todd C. Miller

src/exec_ptrace.c:
Avoid potentially overwriting string table when writing argv. In compat mode, if argc is odd, writing the last pointer of argv will overlap with the address of argv[0], so leave an extra word in between. Also remove incorrect comments about PTRACE_PEEKDATA unaligned access. [13f7e63a31bd]

src/exec_ptrace.c, src/exec_ptrace.h:
Use native word size for padding and when reading/writing strings. If we try to use the compat word size we can end up in a situation where a subsequent PTRACE_POKEDATA overwrites part of what we’ve already written since it always writes in sizeof(long) units. [e0d7fdc3f8e2]

2022-05-05 Todd C. Miller

src/exec_ptrace.c:
ptrace_intercept_execve: rewrite path to exec if changed by the policy [089f0e32cf2a]

src/exec_ptrace.c:
ptrace_intercept_execve: plug memory leak of get_execve_info() buffer [5ce2cf252c80]

MANIFEST, src/Makefile.in, src/exec_intercept.h, src/exec_ptrace.c, src/exec_ptrace.h:
Move register definitions to exec_ptrace.h [59cc9bec6925]

src/exec_ptrace.c:
Add support for intercepting 32-bit binaries on 64-bit systems. We need to define the ptrace register struct ourselves for the 32-bit system since there is no good way to get it from the system headers. Currently only implemented for x86_64 and aarch64. [a0407bb1fee0]

src/exec_ptrace.c:
Add setters and getters for ptrace(2) register access. This will be used when running 32-bit binaries from a 64-bit sudo. [f7da9453d9fa]

src/exec_ptrace.c:
exec_ptrace_handled: don’t return early if ptrace_intercept_execve() fails. We need to continue the traced process even if there is a fatal error. Otherwise, sudo will appear to hang as the running process is left in PTRACE_EVENT stop. [5b3bd75c4486]

src/exec_ptrace.c:
Don’t use PTRACE_GETREGS, it is too complicated when runing compat binaries. Unlike PTRACE_GETREGSET, PTRACE_GETREGS requires that we manually map registers from 64-bit to 32-bit layouts when running, e.g. a 32-bit binary from a 64-bit sudo process. [bb3476230373]

2022-05-04 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
Initialize intercept_allow_setid to true if we use ptrace(2) and seccomp(2). [57e58c0ada44]

2022-05-03 Todd C. Miller

src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h:
If the process is already being traced, just resume it and clear flags. This makes it possible to run sudo in ptrace intercept mode from within a shell (or other process) that is already being traced by sudo. [db4d7cd5f673]

src/exec_ptrace.c:
exec_ptrace_handled: fix delivery of non-stop signals. We need to deliver signals to the tracee as long as it is not a group stop. Fixes a hang while tracing another sudo process. [4ede8b4cfbd9]

src/exec_nopty.c:
Make SIGCHLD handler more consistent with the pty version. No real change other than a few debug statements. [bd52284b1e2a]

plugins/sudoers/parse.c:
sudoers_lookup_check: preserve intercepted flag when reinitializing cmnd_info Otherwise we may not reject an attempt to run a set-user- ID command. [43d72d1537b2]

src/exec_nopty.c, src/exec_pty.c:
Kill the command if intercept_setup() or ptrace_seize() fail. [1037f81b327b]

2022-05-02 Todd C. Miller

plugins/sudoers/match_command.c:
Move intercept setid check out of do_stat() and into its own function. For command_matches_all() we should only perform the setid check if the file exists and intercept is enabled. Otherwise, we can end up returning an error if the fully-qualified command does not exist. Fixes a regression introduced in sudo 1.9.0 with the support for digests in conjunction with “sudo ALL”. [1b5f9ed2160a]

src/exec_ptrace.c:
Add support for intercepting x32 binaries on Linux x64_64. [c5fc89f38c43]

2022-04-29 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.11 [d3e832f94348]

plugins/sudoers/auth/kerb5.c, src/exec_ptrace.c:
Fix typos [8ef3e84fc62e]

MANIFEST, docs/CONTRIBUTORS.md, po/ka.mo, po/ka.po:
New Georgian translation from translationproject.org [f6b9c7d2192c]

src/exec_ptrace.c:
Short-circuit the policy check if the command doesn’t exist. Otherwise, both sudo and the shell will report the error. [f16f1b6705d9]

src/exec_ptrace.c:
Add support for replacing argv in ptrace intecept mode. The new argv is written below the tracee’s stack and the system call argument is replaced with the new argv address. [3974c784be8b]

src/exec_ptrace.c:
Check architecture in the seccomp filter. Currently only supports the native architecture. [13f88e436ae0]

src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_ptrace.c:
Suspend the child process and wait for SIGUSR when using ptrace. This fixes a race condition in ptrace-based intercept mode when running the command in a pty. It was possible for the monitor to receive SIGCHLD when the command sent itself SIGSTOP before the main sudo process did. [cf1f0bea9931]

plugins/sudoers/parse.c, src/exec.c, src/selinux.c, src/sudo.h:
Enable intercept and log_subcmds for SELinux using ptrace and seccomp. [5d7a3df4457e]

src/exec_intercept.c, src/exec_intercept.h, src/exec_ptrace.c, src/sudo.c, src/sudo.h:
For ptrace intercept mode, do not do a policy check for the initial command. We can skip the policy check for the execve(2) of the initial command since it has already been check. Otherwise, we would log the command twice. When using fexecve(2) due to a digest check, there should be no need to skip the initial command since it will be executed via execveat(2) not execve(2). However, on older kernels without execveat(2), glibc will emulate fexecve(2) using /proc which will result in the extra log entry. [e411d6bc3855]

docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in:
Update intercept documentation. [f44f1cb2a5d2]

src/exec_intercept.c, src/exec_ptrace.c:
In ptrace(2) intercept mode, add execveat to the seccomp(2) filter. This allows us to avoid logging the initial command twice regardless of whether the kernel supports execveat(2) or not. [d39bd5adac13]

src/exec_ptrace.c:
Use PTRACE_GETREGS/PTRACE_SETREGS on platforms that support it. This has a better chance of working on things like user-mode Linux. [c53475bd4020]

MANIFEST, src/Makefile.in, src/exec_intercept.c, src/exec_intercept.h, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo_exec.h:
Check the policy for ptrace-based intercept mode. [6eadd667ca6d]

src/exec_ptrace.c:
Add support for getting the execve(2) arguments via ptrace(2). This will be used to perform a policy check in intercept mode. [84b23ae53e2f]

MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/exec_intercept.c, src/exec_nopty.c, src/exec_ptrace.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h:
Add scaffolding for ptrace-based intercept mode. [34a6269ac4eb]

include/sudo_compat.h, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c:
Stop using the WCONTINUED flag with waitpid(2). We don’t use it for anything other than a debug message and it will cause problems when intercept mode starts using ptrace(2). [1f55993d68eb]

src/exec_nopty.c, src/exec_pty.c:
Handle multiple child processes in the SIGCHLD handler. This is required by the uncoming ptrace intercept code. [6dd72fb8f53f]

2022-04-24 Todd C. Miller

logsrvd/iolog_writer.c, logsrvd/logsrvd_journal.c, plugins/sudoers/log_client.c:
sudo_logsrvd: update elapsed time for winsize and suspend in journal mode Fixes a bug in store-first relay mode where the commit point messages sent by the server were incorrect. [5607e8c7b559]

2022-04-23 Todd C. Miller

docs/visudo.man.in, docs/visudo.mdoc.in:
Fix typo; GitHub issue #144 [fb1a539569b4]

2022-04-20 Todd C. Miller

docs/TROUBLESHOOTING.md:
Expand section about expired accounts to include /etc/shadow info. GitHub issue #143 [78368dadddfb]

src/exec_monitor.c:
Add struct command details * to struct monitor_closure. This will be used in the future by the ptrace intercept code. [0603acf1ff96]

src/exec.c:
Translate “unable to set limit privileges” strings. [a8426e224497]

ABOUT-NLS, MANIFEST, docs/CONTRIBUTING.md:
Remove ABOUT-NLS file, it is no longer maintained as part of GNU gettext. Expand the Translations section in CONTRIBUTING.md. [b4f0269a8f13]

src/exec.c, src/exec_intercept.c:
Don’t require a pty for intercept or log_subcmmds. The code to take back control of the tty before a policy check doesn’t appear to be needed. If the command is run in its own pty, sudo has control over the user’s tty. If the command is run in the user’s tty, sudo should be in the foreground process group. [bddcc0d9fee6]

2022-04-19 Todd C. Miller

config.h.in, configure, configure.ac:
Define _TIME_BITS=64 on systems that define __TIMESIZE, like GNU libc. This should be replaced by a specialized autoconf macro when one becomes available. [f63b7f9ea5c2]

2022-04-11 Todd C. Miller

plugins/python/regress/testdata/check_example_group_plugin_is_able_t o_debug.log, plugins/python/regress/testhelpers.c:
clean_output: prune lines that consisting of ‘^’ characters and whitespace. Starting with Python 3.11, backtraces may contain a line with ‘^’ characters to bring attention to the important part of the line. Also replace “REJECT” with “0” in backtrace output for Python 3.11. [f6a5d1c05b2b]

2022-04-04 Todd C. Miller

configure, configure.ac:
Fix check for EVP_MD_CTX_new() when -pthread is in Libs.private. [4f3fd0d1fd34]

2022-04-01 Todd C. Miller

configure, configure.ac, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Rename SSP_(C|LD)FLAGS -> HARDENING_(C|LD)FLAGS [92aa57606481]

INSTALL.md:
Mention other hardening compilation and linker options. [7da9cf428e39]

2022-03-31 Todd C. Miller

configure, configure.ac:
Fix check for EVP_MD_CTX_new using static libcrypto with dependencies. [c02d6b6e474c]

configure, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4, scripts/ltmain.sh:
Update to libtool 2.4.7. [b8824f6b792c]

2022-03-30 Todd C. Miller

configure, configure.ac:
–enable-openssl: don’t add non-existent directories to PKG_CONFIG_LIBDIR [daa9cab172da]

2022-03-29 Todd C. Miller

scripts/mkpkg:
Fix a typo in the AIX section. [4d122a222632]

2022-03-28 Todd C. Miller

lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/zlib.exp, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h:
Update embedded copy of zlib to version 1.2.12. Fixes CVE-2018-25032 [3e2517079d86]

2022-03-16 Todd C. Miller

plugins/sudoers/auth/kerb5.c:
Minor style nit. [9bdde2c81a3d]

Merge pull request #138 from dfskoll/main

If we’re using Kerberos, don’t overwrite a custom prompt [266b04c9ee0a]

2022-03-16 Dianne Skoll

plugins/sudoers/auth/kerb5.c:
If we’re using Kerberos, don’t overwrite a custom prompt if one was given with -p

Thanks to @thend20 for testing this patch. [e62136f88c3e]

2022-03-15 Todd C. Miller

src/conversation.c:
Write the \r\n pair to ttyfp if possible, falling back on fp. This is consistent with the vfprintf() call and fixes a problem introduced by the last commit where the newline could be written before the message instead of after. [3aaebbec4ee5]

include/sudo_util.h, plugins/sudoers/regress/starttime/check_starttime.c:
Adjust starttime test when run under Debian faketime. Bug #1026 [b8ac7dec6e11]

2022-03-14 Todd C. Miller

src/conversation.c:
sudo_conversation_printf: convert trailing nl to cr + nl combo. This fixes output when the terminal is in raw mode and is consistent with how sudo_conversation() behaves. [e377f2a71021]

lib/eventlog/eventlog.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/tgetpass.c:
Block SIGCHLD when forking the mailer. Otherwise, it may be picked up by the signal handler instead of our waitpid(2) call. Don’t warn if waitpid() returns 0 in a SIGCHLD handler. [e34a3f90de5b]

plugins/sudoers/sudoers.c:
Do not warn, log or send mail for errors when reinitializing defaults. If there is a problem, we would have already warned, logged or mailed it. The one exception is the initial defaults, which should never fail. [0d273f4d307d]

plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c:
If there are multiple parse errors, send them in a single mail message. [5de37ad1101f]

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
Unset LANGUAGE when running tests, otherwise it may override LC_ALL. Bug #1025. [87573102f25b]

2022-03-11 Todd C. Miller

plugins/sudoers/visudo.c:
Looser owner/permission checks for an uninstalled sudoers file. We don’t check the owner or permissions on a sudoers file that is specified as an argument to visudo by default. However, the owner and mode of files included via @includedir were still checked. This commit makes the owner and permissions checks for filed included via @includedir follow the same as for the original sudoers file. [db78857306d4]

lib/util/regress/getdelim/getdelim_test.c:
getdelim_test: increase longstr to check end pointer after realloc This would have caught the recent bug in our getdelim replacement when run under address-sanitizer or valgrind. [6559a42a3205]

plugins/sudoers/check_aliases.c:
Add missing va_start/va_end around call to sudoers_error_hook(). Coverity CID 250885 [49d026ba67b2]

lib/util/getdelim.c:
Correctly update the end pointer when we expand the buffer. From Robert Manner. [99617ae8332d]

2022-03-10 Todd C. Miller

lib/util/secure_path.c:
sudo_secure_path: pass the struct stat * argument directly to stat(2) Set the pointer to a struct stat on the stack if st is NULL. Avoids a needless memcpy() at the end. [11636745ce29]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Fix off-by-one when storing line number in userspec. We store the line number after parsing the newline so we need to subtract one. [40d6521a966e]

lib/eventlog/eventlog.c:
For alert messages, the command or runuser may not be set. This fixes the logging of parse errors when JSON logging is enabled. [cfde228ef422]

plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Pass file, line and column to sudoers defaults callbacks. [04a26b1a224c]

plugins/sudoers/audit.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
Add a hook for sudoers parse errors (including defaults and aliases). The hook can be used to log parser errors (sudoers module) or keep track of which files have an error (visudo). Previously, we only kept track of a single parse error. [601915bb6265]

2022-03-09 Todd C. Miller

plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Add a source to struct sudo_nss and use it if getdefs() fails. Also remove useless “Problem with defaults entries” warning in testsudoers. [f9ba65e975a0]

2022-03-08 Todd C. Miller

lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/regress/getgrouplist/getgrouplist_test.c:
Plug a few test memory leaks now that they return from main(). [dc4db97a1d57]

2022-03-06 Todd C. Miller

lib/eventlog/regress/logwrap/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c:
Remove extra newline in sudo_warnx() calls. [3366401671fc]

plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
Preserve the column and error message when there is a syntax error. This information is now included in the error mail sent to root. [a224b006bfb3]

plugins/python/python_plugin_common.c:
Deinit python subinterpreters in reverse order (last to first). This appears to work around a crash on OpenBSD with Python 3.9.10. [ad4d7b33da9b]

2022-03-03 Todd C. Miller

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
For ‘make check-verbose’ run fuzzers with -verbose=1 This is the default for libFuzzer but not for the stub fuzzer lib. [7f2551a87c08]

2022-03-02 Todd C. Miller

INSTALL.md:
INSTALL.md: Mention “make check” and “make check-verbose” [17a30e329ba7]

scripts/generate_test_coverage.sh:
Repair generate_test_coverage.sh after move to scripts directory. [ffef93da0436]

Makefile.in, docs/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/protobuf-c/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add check-verbose Makefile target that runs tests in verbose mode. [929d079dbfc7]

lib/eventlog/regress/logwrap/check_wrap.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/util/regress/closefrom/closefrom_test.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgids.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/uuid/uuid_test.c:
Add -v option parsing to regress tests, currently a no-op. This will be used by a “check-verbose” target in the future. [9cdcc23e6a70]

2022-03-01 Todd C. Miller

plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.h:
Less verbose output unless the -v option is used. Also display a test summary at the end. [b18a8f6526e9]

src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c:
verbose flag is boolean, not int [8663ac48be27]

configure.ac:
Update copyright year. [461698b72a64]

plugins/sudoers/Makefile.in, src/Makefile.in:
Regenerate dependencies. [f007ec225986]

MANIFEST, configure, configure.ac, lib/util/Makefile.in, lib/util/regress/closefrom/closefrom_test.c:
Add sudo_closefrom() regression test. [14f4439a8437]

NEWS, config.h.in, configure, configure.ac, lib/util/closefrom.c:
Use close_range(2) in closefrom() emulation if available. On Linux, prefer our own closefrom() emulation since the glibc version may fail if /proc is not present and close_range() is not supported. On FreeBSD, closefrom(3) will either call the closefrom or close_range system call, depending on which is available. [d84eff07783f]

configure, configure.ac:
Repair –enable-pvs-studio on Linux. [add3c7fff7f5]

configure, configure.ac:
Mention apple radar 3710161 in the comment about broken macOS poll(2). [ffb6c8c070dc]

2022-02-28 Todd C. Miller

src/regress/net_ifs/check_net_ifs.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c:
Only display test totals unless run in verbose mode. [f543b41f226e]

lib/util/regress/harness.in, plugins/sudoers/regress/harness.in:
Allow test harness to be run from any directory. Also add missing copyright notice. [5e60bc5beb52]

lib/util/regress/harness.in:
Adapt test harness for lib/util and move to regress directory. [f415d958bca7]

.gitignore, .hgignore, MANIFEST, configure, configure.ac, lib/util/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in, plugins/sudoers/regress/harness.in:
Adapt test harness for lib/util and move to regress directory. [5f488712f797]

lib/fuzzstub/fuzzstub.c:
Make fuzzer stub main() quiet by default. LLVM LibFuzzer displays the input and running time by default but we don’t care about that for the stub fuzzer library. [728005c2de78]

.gitignore, .hgignore, MANIFEST, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/harness.in:
Move the cvtsudoers/sudoers/testsudoers/visudo tests into a script. It is easier to maintain these tests in script form. The output now more closely matches that of the other tests. The harness script can be invoked directly and supports running specific tests. [fbad6e93201e]

2022-02-27 Todd C. Miller

plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po:
Updated translations from translationproject.org [b2622a56fcbc]

2022-02-25 Todd C. Miller

logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
sudo_regex_compile_v1 stub: set errstr on error [2da61535e60d]

logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
fuzz_logsrvd_conf: add stub version of sudo_regex_compile_v1(). We want to fuzz our parser, not the libc regular expression code. [2662a181acc8]

plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh:
testsudoers/test18: don’t rely on /usr/bin/w being present Fixes a test failure on Alpine Linux. [5b3915cef32b]

2022-02-24 Todd C. Miller

configure, configure.ac:
Add configure check for gzclearerr() when using system zlib. [388dd60cd577]

configure, configure.ac:
Fix PVS-Studio platform check for macOS. [cc46ae5d60a3]

plugins/sudoers/ldap.c:
sudo_ldap_parse_options: fix memory leak of sudoRole cn string. Coverity CID 249976 [bcf86c362e05]

src/sudo_intercept_common.c:
command_allowed: plug memory leak on strdup() failure. Coverity CID 249972 [f15a58ed68d6]

2022-02-23 Todd C. Miller

plugins/sudoers/check.c:
display_lecture: just return if callback is NULL [3e7352fbc28b]

lib/eventlog/eventlog.c:
For alert messages it is possible for evlog to be NULL. Coverity CID 238641 [3e89523699fd]

logsrvd/logsrv_util.c:
iolog_seekto: initialize struct timing_closure before using. Coverity CID 249977 [ea53680a2367]

logsrvd/iolog_writer.c:
iolog_rewrite: initialize struct timing_closure before using. Coverity CID 249971 [d214237f3ce8]

scripts/mkpkg:
Allow ARCH_FLAGS to be overridden and handle macOS 12. [f04f3405fa50]

scripts/mkpkg:
Prefer if [ … ]; then over if test …; then. [4ba3e6ed7280]

.circleci/config.yml:
Do not build with -Werror on macOS. Some macOS warnings are bogus, for instance it has an incorrect getgrouplist(3) definition. [7e5f469cb0ec]

.circleci/config.yml:
Build and test macos with circleci. [fc62dc986646]

2022-02-22 Todd C. Miller

NEWS:
Mention lecture behavior change. [cc034a54eb11]

lib/iolog/regress/iolog_filter/check_iolog_filter.c:
Fix compilation on systems without a real openat(2). [25067ad6772b]

plugins/sudoers/match_digest.c:
Better warning message when the digest in sudoers is the wrong length. [c2043906f356]

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Do not disable fuzzer output if SUDO_FUZZ_VERBOSE env variable is set. [fd3d5706ffda]

2022-02-21 Todd C. Miller

plugins/sudoers/auth/afs.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c, plugins/sudoers/check.h, plugins/sudoers/timestamp.c:
Display the lecture immediately before prompting for a password. This means we no longer display the lecture unless the user is going to enter a password. Authentication methods that don’t interact with the user via the terminal don’t trigger the lecture. [17ef981664c3]

NEWS, plugins/sudoers/logging.c:
Add back warning when a user is not allowed to run a command. Previously, the warning was displayed when a user was not in the sudoers file, or was present but not listed for the local host. The new behavior is to display the warning if a command is denied and mail is sent to the administrator. Whether or not mail is sent is controlled by the “mail_*” flags in sudoers. The warning text is now “This incident has been reported to the administrator.” which is hopefully less confusing. The message will not be printed if either the “mailto” or “mailerpath” sudoers settings are disabled. [dcaeadb7e558]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Document that negating mailto or mailerpath disables sending mail. [02d8aabd9af3]

TODO:
Remove obsolete TODO file. [98e112abab92]

2022-02-20 Todd C. Miller

plugins/sudoers/logging.c:
Don’t try to send mail if mailto not set or the mailer is not present. [37166e692a9c]

2022-02-18 Todd C. Miller

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [194b42011062]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/iolog_filter/check_iolog_filter.c, lib/iolog/regress/iolog_filter/test1/log, lib/iolog/regress/iolog_filter/test1/timing, lib/iolog/regress/iolog_filter/test1/ttyin, lib/iolog/regress/iolog_filter/test1/ttyin.filtered, lib/iolog/regress/iolog_filter/test1/ttyout, lib/iolog/regress/iolog_filter/test2/log, lib/iolog/regress/iolog_filter/test2/timing, lib/iolog/regress/iolog_filter/test2/ttyin, lib/iolog/regress/iolog_filter/test2/ttyin.filtered, lib/iolog/regress/iolog_filter/test2/ttyout, lib/iolog/regress/iolog_filter/test3/log, lib/iolog/regress/iolog_filter/test3/timing, lib/iolog/regress/iolog_filter/test3/ttyin, lib/iolog/regress/iolog_filter/test3/ttyin.filtered, lib/iolog/regress/iolog_filter/test3/ttyout:
Add tests for iolog filtering. This is the functionality used by the log_passwords and passprompt_regex options. [07e587dfd765]

lib/iolog/iolog_filter.c:
iolog_pwfilt_run: apply regex on ttyout even if we disabled filtering. The heuristic used to decide when to disable filtering is when we see another ttyout buffer or find a cr or nl in the ttyin buffer. However, we should also check the buffer that caused us to disable filtering for a matching regex that would re-enable filtering. Programs that prompt for a password twice might otherwise not have the second password filtered. [f34bf167c3b4]

2022-02-16 Todd C. Miller

INSTALL.md, README.LDAP.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo_logsrvd.conf.in:
Avoid using “note that” and “note: " in documentation. [d75995c86fe0]

INSTALL.md, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS.md, docs/SECURITY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Remove “please” from the documentation, it is considered bad style. [9c4a7bc1b48c]

docs/UPGRADE.md:
Mention regular expressions and “sudo -l -U user” behavior change. [9bf947ed3e30]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
Add security notes about regular expressions in sudoers rules. [1748e3a05906]

NEWS:
Update NEWS for GitHub issue #134. [c69636554901]

2022-02-15 Todd C. Miller

lib/eventlog/eventlog.c:
do_logfile_sudo: plug memory leak of full_line Coverity CID 249329 [d1d2bc51077a]

plugins/sudoers/logging.c:
log_server_alert: plug potential memory leak Coverity CID 249328 [4d01a8e7dffb]

plugins/sudoers/logging.c:
fmt_authfail_message: compute the exact amount of space needed. Instead of truncating on overflow, warn and return NULL. [96542ddc9674]

plugins/sudoers/parse.c:
Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326 [23249273cd01]

2022-02-14 Todd C. Miller

docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/parse.c, plugins/sudoers/policy.c:
Restrict “sudo -U other -l” to users with sudo ALL for root or “other”. Having “sudo ALL” permissions in no longer sufficient to be able to list another user’s privileges. The invoking user must now have “sudo ALL” for root or the target user. GitHub issue #134 [e2b4f8400599]

2022-02-13 Todd C. Miller

NEWS:
Reword some of the NEWS items for 1.9.10. [b2d757e7889c]

2022-02-12 Todd C. Miller

docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, lib/util/regex.c, po/sudo.pot:
Limit regular expressions to 1024 characters each. Avoids a problem with the fuzzer creating large regular expressions that blow up the glibc regcomp(). [83b1cac11c79]

2022-02-11 Todd C. Miller

.gitignore, .hgignore, MANIFEST, configure, configure.ac, examples/Makefile.in, examples/sudo.conf.in, examples/syslog.conf, examples/syslog.conf.in:
Substitute values in the example syslog.conf too. Also update ignore files for example changes [b13a7e6a630c]

MANIFEST, configure, configure.ac, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/Makefile.in, examples/sudo_logsrvd.conf, examples/sudo_logsrvd.conf.in, examples/sudoers, examples/sudoers.in:
Substitute paths set by configure in examples. Bug #1023 [f528fe7a8f88]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update Project-Id-Version to 1.9.10. [0ad7934baa9f]

plugins/sudoers/po/sudoers.pot:
Update .pot files for 1.9.10 [c7a477455e2e]

NEWS, configure, configure.ac:
Sudo 1.9.10 [b437c4c37971]

MANIFEST, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, include/sudo_util.h, lib/iolog/iolog_filter.c, lib/util/Makefile.in, lib/util/regex.c, lib/util/util.exp.in, plugins/sudoers/defaults.c, plugins/sudoers/match_command.c, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/sudoreplay.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Add helper function to compile a regex that supports (?i). [d680d423d2df]

2022-02-10 Todd C. Miller

MANIFEST, configure, configure.ac, docs/sudoers.man.in, docs/sudoers.mdoc.in, examples/sudoers, plugins/sudoers/fmtsudoers.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test28.in, plugins/sudoers/regress/sudoers/test28.json.ok, plugins/sudoers/regress/sudoers/test28.ldif.ok, plugins/sudoers/regress/sudoers/test28.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test28.out.ok, plugins/sudoers/regress/sudoers/test28.toke.ok, plugins/sudoers/regress/sudoers/test29.in, plugins/sudoers/regress/sudoers/test29.json.ok, plugins/sudoers/regress/sudoers/test29.ldif.ok, plugins/sudoers/regress/sudoers/test29.out.ok, plugins/sudoers/regress/sudoers/test29.toke.ok, plugins/sudoers/regress/testsudoers/test18.out.ok, plugins/sudoers/regress/testsudoers/test18.sh, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Add support for matching command and args using regular expressions. Either the command, its arguments or both may be (separate) regular expressions. [bef0b1a14771]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Clear sudoers_errstr after it is used. This way we avoid printing the same error message more than once if there are multiple ERROR tokens returned from the lexer. [8a7509cd1c46]

logsrvd/logsrvd_local.c:
store_iobuf_local: fix potential double free on the error path. [f9a0e3cb3c7f]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Update links to sudo web site and reference markdown docs. [da9a9eb04f04]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Use a 4n indent for code blocks instead of the default 6n. [7322dd26a3d4]

plugins/sudoers/testsudoers.c:
testsudoers: disable argument permutation in GNU getopt This makes it easier to test commands with arguments. [fb005b03a75e]

lib/iolog/iolog_filter.c:
iolog_pwfilt_run: fix types in error return [663deea257d0]

lib/iolog/iolog_filter.c, plugins/sudoers/iolog.c:
Free potential leaks of passprompt_regex_handle. Coverity CID 249057 [d562ea42ab66]

2022-02-09 Todd C. Miller

Merge pull request #133 from Dzejrou/main

Do not unset user timeout when no default timeout is set. [58504381014e]

2022-02-09 Jaroslav Jindrak

plugins/sudoers/policy.c:
Do not unset user timeout when no default timeout is set. [25f32be7d18d]

2022-02-08 Todd C. Miller

plugins/sudoers/fmtsudoers.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test2.in, plugins/sudoers/regress/sudoers/test2.json.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test2.toke.ok:
Don’t escape double quotes (”) in a command when printing it. Previously, cvtsudoers and “sudo -l” would escape double quotes in a command or command line argument, which is not valid sudoers syntax. [3bd0505b03e2]

docs/sudoers.man.in, docs/sudoers.mdoc.in:
A few minor (mostly cosmetic) fixes. Add missing ALL to Runas_Member and Host. Replace some tabs with spaces. Fix the syntax of a sudoedit example. [a943116eb35b]

2022-02-04 Todd C. Miller

Merge pull request #132 from ninedotnine/patch-1

Sync example sudoers with default sudoers [8c903452e624]

2022-02-04 dan soucy

examples/sudoers:
Sync example sudoers with default sudoers

sudoers.in was changed by 1d13533 [f34657ff9345]

2022-02-04 Todd C. Miller

ABOUT-NLS, INSTALL.md, NEWS, README.LDAP.md, docs/CONTRIBUTING.md, plugins/sudoers/po/README, po/README:
Upgrade http links to https where possible and fix some broken links. [e33d61fdafdb]

2022-02-03 Todd C. Miller

plugins/sudoers/logging.c:
Remove “This incident will be reported.” from user warnings. This used to indicate that email had been sent to the administrator telling them that someone tried to run sudo. Whether or not sudo sends email is now configurable, so the warning may not be accurate. It is also confusing to the user since they will not know who the incident is being reported to. See also https://xkcd.com/838/ [b2860bb51393]

plugins/sudoers/sssd.c:
Log fn_get_values() return code in the debug log on error. Also move a nested switch() statement out of ‘case 0’ for improved readability. [ad609804a70c]

plugins/sudoers/sssd.c:
Do not return an error if we cannot connect to the SSSD connector. This may simply mean that nsswitch.conf lists sss as a sudoers source but SSSD is not configured for sudo. Otherwise, the user will receive a useless “problem with defaults entries” when the sssd backend tries to fetch the global defaults. Bug #1022. [60bb147ed3e6]

plugins/sudoers/log_client.c, plugins/sudoers/logging.c:
Set client_closure to NULL after freeing it. [20da8f0c9226]

plugins/sudoers/log_client.c:
client_closure_alloc: init write_bufs/free_bufs before other allocations. We must initialize the tail queues before any possible call to client_closure_free(), such as due to malloc() failure. [5dd7d1ba2b76]

logsrvd/logsrvd_journal.c:
Add missing default return in last commit. [e17820ba6ff8]

logsrvd/logsrvd_journal.c:
sudo_logsrvd: make sure journal exists before writing the alert message. Fixes a potential NULL dereference when journaling an alert message. [19d109fb1420]

include/sudo_compat.h:
Fix compilation on Debian kFreeBSD. The configure script correctly detects that utimensat() and futimens() are missing but the headers define stub versions of the functions. Including sys/stat.h pulls in the system definitions so we can override them safely. Bug #1021. [10775e14164a]

2022-02-02 Todd C. Miller

src/ttyname.c:
Add fallback if /proc/self/stat or /proc/pid/psinfo is missing or invalid. If the /proc file indicates no terminal is present there is no fallback. Bug #1020 [c32620c9f115]

2022-02-01 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c:
Add sudoers option to perform authentication even in non-interative mode. If noninteractive_auth is set, authentication methods that do not require input from the user’s terminal may proceed. It is off by default, which restores the pre-1.9.9 behavior of “sudo -n”. [f06dcd0957d0]

MANIFEST, lib/iolog/iolog_filter.c, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.7:
Work around a glibc regcomp() bug with repeated ‘+’ operators. Glibc regcomp() has a bug where it uses excessive memory for repeated ‘+’ ops. Collapse them to avoid running the fuzzer out of memory. [db423326311f]

logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6:
Rebase seed corpus on updated sudo_logsrvd.conf example. [1f30b95c6ce6]

logsrvd/logsrvd_conf.c:
Fix parsing of “retry_interval” in the relay section. The setting was present but the callback was missing so it could not be parsed in the conf file. [09666425a392]

logsrvd/logsrvd_conf.c:
Use TIME_T_MAX as the upper limit when parsing timeouts. [989eaa812d4e]

plugins/sudoers/auth/pam.c:
converse: don’t set response pointer on error Linux pam_conv(3) says not to set the pointer on PAM_CONV_ERR. [79934c8631c0]

2022-01-31 Todd C. Miller

MANIFEST, plugins/sudoers/regress/cvtsudoers/sudoers4:
Add missing sudoers4 test file for new cvtsudoers test. [5b9f3084d9e9]

MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test38.out.ok, plugins/sudoers/regress/cvtsudoers/test38.sh:
defaults_check_conflict: it is only really a conflict if the binding match If the Defaults name matched but the binding does not, we can simply leave it be. Fixes a problem where given two sudoers sources that have a host specified, if they contain conflicting Defaults entries we would drop one of the Defaults instead of keeping both after making them host-specific. [9b8ad3d1e163]

MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh, plugins/sudoers/regress/cvtsudoers/test37.out.ok, plugins/sudoers/regress/cvtsudoers/test37.sh:
Make it possible to merge a host-based Defaults with a global one. We convert the global Defaults to a host-based one with a single “ALL” member. Later, when we simplify the host list, we’ll convert this back to a global Defaults. [152c16a608c1]

2022-01-29 Todd C. Miller

logsrvd/logsrvd_conf.c:
Check for garbage after [section] in sudo_logsrvd.conf. [46a222b60747]

logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
Sync fuzzing dictionary with current configuration keyword list. [9af3929a2f6a]

2022-01-28 Todd C. Miller

docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
Add new log_passwords and passprompt_regex settings. When logging terminal input, if log_passwords is false and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with ‘*’ characters until a newline or carriage return is found in the input or an output character is received. [1d07eaada99c]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/regress/serialize_list/check_serialize_list.c, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/serialize_list.c, plugins/sudoers/sudoers.h, plugins/sudoers/unesc_str.c:
Escape/unescape commas when serializing/deserializing a stringlist. [17c422c0b236]

plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Pass the operator to the Defaults callback too. That way we can tell what to do in callbacks for lists. [d541809b62bf]

MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_filter.c:
lib/iolog: add support for filtering password out of tty input If a password regex is found in the tty output, tty input will be replaced with ‘*’ chars until a newline or another tty output character is received. [19c3a58dfe29]

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Add a new sudoers settings log_passwords and passprompt_regex. When logging terminal input, if log_passwords is disabled and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with ‘*’ characters until a newline or carriage return is found in the input or an output character is received. [5fa969cfdef4]

plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
Add a flag to avoid splitting list entries on white space. [32ac4cd5eae7]

2022-01-27 Todd C. Miller

docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
“plain text” -> “plaintext” for consistency. [6cbefac27286]

2022-01-25 Todd C. Miller

po/ro.mo, po/ro.po:
Updated translations from translationproject.org [c264de490846]

INSTALL.configure:
Sync with autoconf git. [efd6e2df1b4f]

scripts/mkdep.pl:
Fix potential infinite loop when trying to format long lines. [e17a3b7b657b]

2022-01-20 Todd C. Miller

docs/sudo.man.in, docs/sudo.mdoc.in:
Document how commands are passed to the shell for the -i and -s options. The concatenation of command and arguments and escaping of special characters was not documented. Text adapted from GitHub issue #121 from Kris Rinzwind [852f803234af]

docs/TROUBLESHOOTING.md:
Also mention no_new_privs error in the troubleshooting guide. [70cc0679098f]

INSTALL.md, docs/TROUBLESHOOTING.md, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
Replace uid and gid with user-ID and group-ID in more places. [2b6bc95509fd]

2022-01-19 Todd C. Miller

INSTALL.md:
PAM is enabled on NetBSD by default too. [3bc31511f687]

INSTALL.md, README.LDAP.md, docs/HISTORY.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
Use the Oxford comma consistently, it is helpful in technical documents. [3df4b26d035e]

docs/sudo.man.in, docs/sudo.mdoc.in:
Document the error message when no_new_privs is set. [492a154dec10]

docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
Sudo now recovers from sudoers syntax errors. [77d457c4e722]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, examples/sudo.conf.in, examples/sudo_logsrvd.conf:
Use the Oxford comma consistently, it is helpful in technical documents. [e8d29c772963]

INSTALL.md:
Mention docker configuration. [8312350518cb]

plugins/sudoers/ldap_util.c:
Quiet a cppcheck false positive. [023468af3269]

docs/CONTRIBUTING.md:
Mention https://www.sudo.ws/security/fuzzing/ in the fuzzing section. [87767f7b89ad]

plugins/sudoers/sssd.c:
Fix logic inversion when setting negated flag. [3e4051bc9f30]

src/sudo.c:
Quiet a PVS-Studio format string warning. [77e953f3c46f]

2022-01-18 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Regen .pot files. [b999972bc90d]

NEWS:
Bug #1016, #1017 and negated sudoUser in LDAP. [4ec54e728437]

plugins/sudoers/defaults.c:
Don’t set/run early Defaults if a custom defaults_list is specified. Defaults settings passed in by the front end are already “early” so there is no need to treat any of them as special.

Otherwise, we end up running the early defaults callbacks before sudoers has been parsed. This means that, for instance, it is not possible to disable the fqdn flag before its callback is run if sudo is build with the –with-fqdn option. Bug #1016. [8c6eaa503793]

plugins/sudoers/defaults.c, plugins/sudoers/defaults.h:
Mark is_early_default(), run_early_defaults(), set_early_default() static. They are not used outside of defaults.c. [1045e8c7a92e]

plugins/sudoers/sssd.c:
Add support in SSSD for negated users. [bca3d02cdd8b]

docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, plugins/sudoers/ldap.c:
Add support in the LDAP filter for negated users. Based on a diff from Simon Lees [e1d48d44229e]

2022-01-12 Todd C. Miller

lib/util/mkdir_parents.c:
Use PATH_MAX, not NAME_MAX+1 for the directory entry length. On some systems, such as Solaris, the max length of a directory entry is filesystem-dependent. We could use fpathconf() and dynamically allocate the name but it is simpler to just use PATH_MAX here. [d1a097783717]

plugins/python/python_plugin_common.c:
Only emulate Py_FinalizeEx for Python 3.[0-5]. [b314942c0f2f]

lib/util/getcwd.c, lib/util/mkdir_parents.c:
Use POSIX NAME_MAX, not the obsolete MAXNAMLEN define. Fixes compilation with musl libc. [a1609b2d968f]

2022-01-11 Todd C. Miller

src/limits.c:
When applying fallback limits, make sure we don’t reduce rlim_max. Fixes a problem where sudo could reduce the max stack size on some systems if the original limit was higher than the fallback limit, but not unlimited/infinity. [1fef77204f17]

src/limits.c:
Don’t modify the stack limit if it is >= SUDO_STACK_MIN. [b9e473780083]

plugins/sudoers/Makefile.in:
The pre-install target requires visudo, add an explicit dependency. [b5b073d2fc9b]

2022-01-09 Todd C. Miller

src/sudo.c:
If sudo is not set-user-ID root, check for the no_new_privs flag on Linux. This flag disables set-user-ID at execve(2) time and may be set by default for some containers. GitHub issue #129. [462249058274]

2022-01-08 Todd C. Miller

docs/sudoers.man.in, docs/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h, src/parse_args.c:
Add pam_askpass_service sudoers setting for “sudo -A”. This makes it possible to use a different PAM configuration for when “sudo -A” is used. The main use case is to only use PAM modules that can interact with the askpass program. GitHub issue #112. [5f59bc3f9d81]

2022-01-07 Todd C. Miller

lib/iolog/iolog_loginfo.c:
Improve debugging info when fdopen() fails. [0d9711d8564a]

2022-01-06 Todd C. Miller

plugins/sudoers/sssd.c:
sss_sudo_free_values() checks for NULL, no need to do it manually. [ccf012907a01]

plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Quiet a clang analyzer false positive. [90b6791616b0]

2022-01-05 Todd C. Miller

plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Quiet a clang analyzer false positive. [3c66e9be5f24]

plugins/sudoers/auth/sudo_auth.c:
Fix return value for non-interactive mode for non-standalone auth methods. AUTH_NONINTERACTIVE was being stored in the wrong variable. [199a180e7fab]

plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, po/fi.mo, po/fi.po, po/ko.mo, po/ko.po, po/tr.mo, po/tr.po:
Updated translations from translationproject.org [032877650fe6]

plugins/sudoers/cvtsudoers_merge.c:
defaults_var_matches() should return bool, not enum match_result. Remove enum match_result as it is no longer used. [6559769ddcd1]

plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c:
Quiet two PVS-studio warnings. [3a7c89cff3d6]

plugins/sudoers/auth/pam.c:
Remove PAM_TTY workaround for old, buggy PAM modules. In the past, some PAM modules assumed that PAM_TTY was set and would misbehave (or crash) if not. This was primarily obsolete versions of Linux- PAM, so it should now be safe to remove this. Setting PAM_TTY to an empty string can cause its own set of issues. GitHub issue #74 [491cb67ea43b]

2022-01-04 Todd C. Miller

NEWS:
Mention fix for Bug #956 and GitHub issue #83. [8692b9985381]

plugins/sudoers/auth/API, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/logging.c, plugins/sudoers/sudoers.h:
Push non-interactive mode checking down into the auth methods. For “sudo -n” we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83 [bc9653ffe82f]

2022-01-03 Todd C. Miller

plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok:
userspec_overridden: fix checks when there is more than one userspec [199996d29f50]

MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test36.out.ok, plugins/sudoers/regress/cvtsudoers/test36.sh:
Fix merging of global/ALL entries when each input file has a host. If a host is specified for the input file, cvtsudoers will bind global Defaults to that host and change host “ALL” in a userspec to the host name. However, if all the input files have matching hosts we can simplify the merged file by converting back to ALL after resolving conflicts. [bfdb2edfca71]

LICENSE.md:
Welcome to 2022. [039e8c0efd7e]

docs/Makefile.in:
LICENSE.md moved to the top-level src dir. [b1c2687eef9d]

2021-12-22 Todd C. Miller

Merge pull request #127 from Tyler887/main

Typo [c4780c2a3056]

2021-12-22 Tyler887

INSTALL.md:
Typo [b650bec9f275]

2021-12-22 Todd C. Miller

NEWS, docs/UPGRADE.md, plugins/sudoers/policy.c, src/selinux.c, src/sudo.c:
Back out changes to enable SELinux by default. This may return in a future release in a different form. [73e46fbe5c27]

LICENSE.md, MANIFEST, README.md, docs/LICENSE.md:
Move LICENSE.md out of docs and back to the top-level. GitHub expects it to be in the top-level directory. [3c62dd396aff]

2021-12-20 Todd C. Miller

MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test35.out.ok, plugins/sudoers/regress/cvtsudoers/test35.sh:
cvtsudoers: fix a regression when merging matching Defaults. If a host is specified with a sudoers file, we have to treat Defaults as Defaults@host checking for duplicates. [9db413953938]

2021-12-18 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
add_defaults: add defs == NULL check to quiet coverity false positive [a534eee04069]

2021-12-17 Todd C. Miller

plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh:
When merging Defaults, allow a subsequent global Defaults (no binding) to override a prior Defaults setting with a binding. [0be52fa6d4d8]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
add_defaults: defs can never be NULL [9ba97823b757]

plugins/sudoers/cvtsudoers_merge.c:
Plug memory leak when making a default host-specific. We don’t need to allocate new space for the binding list, just the members of the list. [5667d09136f2]

2021-12-16 Todd C. Miller

MANIFEST, examples/Makefile.in, examples/cvtsudoers.conf:
Add an example cvtsudoers.conf file. [aa738148e712]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h:
Add group_file, match_local, and passwd_file to cvtsudoers.conf. Previously, these were only settable via command line options. [a7a8b0af3c42]

2021-12-12 Todd C. Miller

docs/TROUBLESHOOTING.md:
Remove question about running Solaris 11 binaries on Solaris 10. Current versions of sudo use many APIs that are not present on Solaris 10. If you want a sudo Solaris 10 binary, build it on Solaris 10, not 11. [0346a46cf595]

MANIFEST, plugins/sudoers/regress/cvtsudoers/test34.out.ok, plugins/sudoers/regress/cvtsudoers/test34.sh:
Add simple test for cvtsudoers merge functionality. [fda86b17249a]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/sr.mo, po/sr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [edfdaac9b1e7]

MANIFEST, plugins/sudoers/po/es.mo, plugins/sudoers/po/es.po:
Add sudoers Spanish translation from translationproject.org [502d45c0af5f]

2021-12-11 Todd C. Miller

NEWS:
Bugs #1013 and #1014 [1a7b533c5829]

lib/util/mkdir_parents.c:
sudo_mkdir_parents: make sure the path we created is a directory For extra paranoia, verify that the directory we created is still a directory before we fchown() it. [75c23aaa9fca]

docs/sudo.man.in, docs/sudo.mdoc.in:
In SECURITY NOTES, clarify that PATH may be overridden by the policy. Bug #1014 [4f7035d6b921]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/mkdir_parents.c, lib/util/mkdirat.c, logsrvd/logsrvd.c, plugins/sudoers/timestamp.c, scripts/mkdep.pl:
Avoid TOCTOU in sudo_mkdir_parents() using openat(2) and mkdirat(2). This also allows us to make path const as it should be. [46db77e4afb8]

plugins/sudoers/ldap_conf.c, plugins/sudoers/sudo_ldap_conf.h:
Sudo parsed “deref” and “tls_reqcert” in ldap.conf but didn’t set the options. The switch() in the sudo_ldap_set_options_table() function needed to be updated to treat CONF_DEREF_VAL and CONF_REQCERT_VAL data types as int. Fix from Dennis Filder. Bug #1013. [5f5bdf9010d7]

2021-12-10 Todd C. Miller

docs/SECURITY.md:
Minor formatting tweak so we can import into the sudo web site. [220c647b6635]

plugins/sudoers/defaults.c, plugins/sudoers/pwutil_impl.c:
Fix CodeQL “Multiplication result converted to larger type” warnings. [a17db0b94018]

2021-12-09 Todd C. Miller

docs/SECURITY.md:
Surround email addresses with angle brackets, not square backets. [b9514c0165f2]

2021-12-08 Todd C. Miller

plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, po/fa.mo, po/fa.po, po/fi.mo, po/fi.po, po/ja.mo, po/ja.po, po/sr.mo, po/sr.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [b2815226875b]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.9 [e4e903808160]

2021-12-06 Todd C. Miller

README.LDAP.md, docs/CONTRIBUTING.md, docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
Minor formatting tweaks. [eee91b1fc68c]

2021-12-05 Todd C. Miller

INSTALL, INSTALL.md, MANIFEST, README, README.LDAP, README.LDAP.md, README.md, docs/CONTRIBUTING.md, docs/CONTRIBUTORS, docs/CONTRIBUTORS.md, docs/HISTORY, docs/HISTORY.md, docs/LICENSE, docs/LICENSE.md, docs/Makefile.in, docs/TROUBLESHOOTING, docs/TROUBLESHOOTING.md, docs/UPGRADE, docs/UPGRADE.md, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Convert README and docs files to markdown. This makes things look better on GitHub and we can use the markdown version directly in the new sudo web site. [1cdcbce74a73]

2021-12-04 Todd C. Miller

docs/SECURITY.md:
Policy -> Disclosure Policy [13f278869e03]

Merge pull request #124 from juspence/main

Allow sudo -g anyone and sudo -u anyone -g anytwo [1a000f5aaba1]

2021-12-04 juspence

plugins/sudoers/sudoers.in:
Allow sudo -g anyone and sudo -u anyone -g anytwo

When only the user (ALL) is specified explicitly, and the group is implied, only sudo -u works. Specifying both the user and group, like (ALL:ALL), is required to:
1. Use sudo -g by itself (with no -u user) 2) Use sudo -u and -g together, with a -g group that is different from the -u user’s primary group [ca31aaa0b074]

2021-12-02 Todd C. Miller

lib/util/Makefile.in:
Add build dir to include search path for mksiglist.h and mksigname.h Fixes out of tree builds on systems without sys_siglist[] or sys_signame[]. GitHub issue #123. [fccd76813052]

2021-11-29 Todd C. Miller

MANIFEST, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/regress/cvtsudoers/sudoers1, plugins/sudoers/regress/cvtsudoers/sudoers2, plugins/sudoers/regress/cvtsudoers/sudoers3:
cvtsudoers: better merging of lists that are not exact duplicates When merging rules, if one list would be overridden by another, remove the overridden rule and continue merging. [19dc52bd9c6f]

2021-11-28 Todd C. Miller

NEWS:
Update NEWS with latest changes. [fafe74e0b20f]

2021-11-27 Todd C. Miller

src/edit_open.c:
dir_is_writable: don’t treat EPERM from faccessat() as a fatal error. We can get EPERM on Linux with SELinux. GitHub issue #122. [25bbc56b2f6d]

2021-11-24 Todd C. Miller

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: add -l option to log merge actions The “-l logfile” option can be used to store a log of what actions cvtsudoers took when merging multiple files. For example, which aliases were renamed, which entries were overriden or removed as duplicated. [fa96976882aa]

NEWS, configure, configure.ac:
Sudo 1.9.9 [dad415a982bc]

2021-11-21 Todd C. Miller

MANIFEST, docs/CONTRIBUTORS, po/fa.mo, po/fa.po:
New Persian (Farsi) translation from translationproject.org [3665533a7219]

2021-11-20 Todd C. Miller

plugins/sudoers/cvtsudoers_csv.c:
Quiet a PVS Studio warning. The warning that need_comma is always false is correct but in this case it is better to use a consistent construct so that if the code is re-ordered no bugs are introduced. [5109a34444f5]

lib/util/getentropy.c:
Pass correct size to free_zero(). Coverity CID 241233 [2ba51f57deb5]

plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_csv.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/defaults.c, plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/parse_ldif.c:
Add reference counting to Defaults bindings. Previously, we checked that the previous entry’s binding pointer was not the same while freeing. However, to be able to merge Defaults records we cannot rely on Defaults entries with the same binding being immediately adjacent. This removes the prev_binding checks in favor of a reference count which allows us to plug the memory leak in cvtsudoers when merging Defaults. [0a789516622b]

2021-11-19 Todd C. Miller

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_merge.c, plugins/sudoers/parse.h:
cvtsudoers: merge aliases when multiple sudoers files are specified Duplicate aliases are remove. If there are conflicting alias names, the conflicts are renamed by appending a numerical suffix. For example, if there are two SERVERS Host_Aliases, the second one will be renamed to SERVERS_1. [d9b602626b8c]

plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: merge Defaults when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the Defaults setting host-specific, if possible. Duplicate Defaults settings are removed and conflicts are warned about. It is not possible to resolve all conflicts automatically. [756b05304ccb]

plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: merge userspecs when multiple sudoers files are specified If a hostname is specified with the sudoers file, it will be used to make the userspec host-specific, if possible. Duplicate userspecs are removed but conflicting entries are not currently pruned. [643b533bb4f4]

docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in:
Document how to merge sudoers files with cvtsudoers. [241c3786f5a8]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c:
init_parse_tree() now takes ownership of lhost and shost, if any. This means that lhost and shost in struct sudoers_parse_tree are no longer const and that free_parse_tree() will free lhost/shost. The only consumer that passed in lho.st/shost was the SSSD back-end which has been updated to avoid a double-free. [650bb75666fb]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_merge.c:
cvtsudoers: use init_parse_tree() to initialize a parse tree. Also free the parse tree before exit. [9d8f8bb88192]

MANIFEST, Makefile.in, etc/macos-background.png, etc/sudo- logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Add a background image for the macOS installer. [39889307b278]

scripts/pp:
Update PolyPkg [44b1d08be1b0]

2021-11-18 Todd C. Miller

scripts/mkpkg:
mkpkg: handle a macOS SDK that just uses the major version. For example, MacOSX11.sdk instead of MacOSX11.3.sdk. [ce41fc5aa672]

lib/util/Makefile.in:
Add missing dependencies for timegm. [b20c4936504b]

2021-11-16 Todd C. Miller

plugins/sudoers/cvtsudoers.c:
Add support for specifying the hostname as a prefix to the sudoers file. If present, the host name is copied into the struct sudoers_parse_tree. [e87e11cccb6e]

2021-11-11 Todd C. Miller

plugins/sudoers/cvtsudoers.c:
cvtsudoers: parse multiple sudoers files and store them in a tail queue In the future the parsed files will be merged before they are output. [89c77b3f4157]

plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
Add sudoers_parse_tree_list, a tail queue of struct sudoers_parse_tree. This will be used to store multiple parse trees and merge them into a single sudoers_parse_tree. [073ada18f18b]

docs/CONTRIBUTING.md:
Fix formatting of links. [df50208b3f70]

MANIFEST, docs/CONTRIBUTING.md:
Add contributing guide. [a99f3a0757f6]

.github/workflows/codeql-analysis.yml:
Create codeql-analysis.yml [efab25dab29c]

2021-11-10 Todd C. Miller

MANIFEST, docs/SECURITY.md:
Add security doc, inspired by the Microsoft template. [0a8012f8ee35]

.gitignore, .hgignore, INSTALL, MANIFEST, Makefile.in, README, configure, configure.ac, doc/CONTRIBUTORS, doc/HISTORY, doc/LICENSE, doc/Makefile.in, doc/TROUBLESHOOTING, doc/UPGRADE, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, doc/fixman.sh, doc/fixmdoc.sed, doc/schema.ActiveDirectory, doc/schema.OpenLDAP, doc/schema.iPlanet, doc/schema.olcSudo, doc/sudo.conf.man.in, doc/sudo.conf.man.in.sed, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.man.in.sed, doc/sudo.mdoc.in, doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, docs/CONTRIBUTORS, docs/HISTORY, docs/LICENSE, docs/Makefile.in, docs/TROUBLESHOOTING, docs/UPGRADE, docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/fixman.sh, docs/fixmdoc.sed, docs/schema.ActiveDirectory, docs/schema.OpenLDAP, docs/schema.iPlanet, docs/schema.olcSudo, docs/sudo.conf.man.in, docs/sudo.conf.man.in.sed, docs/sudo.conf.mdoc.in, docs/sudo.man.in, docs/sudo.man.in.sed, docs/sudo.mdoc.in, docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_logsrvd.man.in, docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in, docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in, docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in, docs/sudoers.man.in, docs/sudoers.man.in.sed, docs/sudoers.mdoc.in, docs/sudoers_timestamp.man.in, docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.man.in, docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in, etc/codespell.skip:
Rename “doc” directory to “docs” for better GitHub compatibility. [1268c3ae0916]

lib/util/Makefile.in:
Use $(SED), not sed, when generating mksiglist.h/mksigname.h [7a7b636a3f32]

configure, configure.ac, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
Add configure check for sha1sum and use “openssh dgst -sha1” if missing. Only needed when building the seed corpus zip files. [3c74ceba0446]

include/sudo_compat.h:
sudo_compat.h: include unistd.h regardless of OS type This helps to avoid issues with mismatched headers and libraries. [4a22435a2832]

2021-11-09 Todd C. Miller

plugins/sudoers/visudo.c:
install_sudoers: fix return value when there is no temp file to install This can happen when no changes were made. Also preserve the edited temp file on error if we are unable to move it into place. [01c1052ac874]

plugins/python/regress/testdata/check_multiple_approval_plugin_and_a rguments.stdout:
Bump plugin version in test data to 1.18. [138b9f6a6143]

plugins/sudoers/defaults.c:
free_defs_val: free rlimits like strings (which they are). [ade32de829cb]

plugins/sudoers/visudo.c:
Rename {check,set}_perms variable to {check,set}_mode. Avoids a name clash with the set_perms() function. [a2dfa0d36690]

src/edit_open.c:
Avoid symbol name clash with is_writable() function variable. Rename “is_writable” variable to “writable”. [a52bd106933b]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document new resource limit settings. [022e51bff860]

doc/UPGRADE:
Mention that the core dump size resource limit now defaults to 0. [22997e8008c9]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec.c:
Document resource limit support in command_info[] and Bump plugin API minor. This is supported beginning with sudo 1.9.9 and plugin API 1.17. [2004a71a11b3]

2021-11-08 Todd C. Miller

config.h.in, configure, configure.ac, plugins/sudoers/defaults.c, src/limits.c:
Use strtoul() on systems without strtoull(). We can assume that systems without strtoull() have 32-bit resource limits. [59c1be5a0387]

src/exec.c, src/limits.c, src/sudo.c, src/sudo.h:
Add front-end support for setting resouce limits. The special value “user” means preserve the invoking user’s limit. The value “default” means don’t override the default limit for the user as assigned by the system (PAM, loging.conf, userdb, etc). [7ad6961d5d72]

plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c:
Add basic support for setting resource limits in sudoers. The default for rlimit_core is “0,0” Resource limits are passed back to the front-end in command_info[] when set. [298d5e228635]

src/edit_open.c:
switch_user_nonfatal: only define if using faccessat() [1a6b2c0240f5]

2021-11-06 Todd C. Miller

doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/visudo.c:
visudo: add -O and -P options to check/set owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007 [1f20721148b0]

2021-11-05 Todd C. Miller

doc/UPGRADE:
UPGRADE: mention SELinux behavior change. [0b8cef633225]

src/selinux.c, src/sudo.h, src/sudo_edit.c:
Rename selinux_setcon -> selinux_setexeccon [50bde2e4d922]

src/selinux.c:
In the SELinux role is “unconfined_r”, disable SELinux support. We only want to apply SELinux to confined users. This is a bit of a hack as unconfined_r is specific to the targeted policy. [aaa8ee97f31e]

src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c:
Separate out the code to compute the context from selinux_setup(). This makes it possible to determine whether we really need to execute the command via the sesh helper. What was left of selinux_setup() is now selinux_relabel_tty() and selinux_audit_role_change(). [687a81e59fdd]

plugins/sudoers/policy.c, src/selinux.c, src/sudo.c:
Pass status of selinux sudoers setting to front-end as selinux-rbac. The front-end uses this to decide whether or not to enable SELinux. If selinux-rbac is true or if it is not present and selinux_role or selinux_type are set, SELinux support is enabled. Previously, SELinux support was only enabled if a role was specified. [2f21ae08ebbd]

src/edit_open.c:
dir_is_writable: add fallback if changing UIDs fails The SELinux policy may not allow uid/gid changes which will break the writability checks and cause sudoedit to fail. [5c5928a0c314]

2021-11-04 Todd C. Miller

scripts/mkpkg:
Build python package on Fedora [7261434fc60c]

2021-11-01 Todd C. Miller

src/selinux.c:
Make get_exec_context static, it is unused outside selinux.c. [be59f91e53dd]

doc/sudo.conf.mdoc.in:
Fix lint warning: skipping paragraph macro: Pp before Bd [f84297a652d8]

2021-10-31 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
Escape some minus signs (’-’) as required by newer groff. [4a1a2d6d5c19]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/timegm.c, plugins/sudoers/Makefile.in, plugins/sudoers/gentime.c, plugins/sudoers/gmtoff.c, plugins/sudoers/parse.h, scripts/mkdep.pl:
parse_gentime: use timegm() to generate time since the epoch The timegm() function is non-standard but widely available. Provide an implementation for those systems that lack it. Bug #1006 [3ca20dfdb44c]

include/sudo_compat.h, lib/util/Makefile.in, scripts/mkdep.pl:
Fix pasto in gmtime_r and localtime_r macros. Also add missing Makefile targets for them. [2310e188fdd4]

plugins/sudoers/gmtoff.c:
Take daylight saving time into consideration when computing offset. Otherwise, the resulting time may be off by and hour, depending on whether DST is currently active compared to the target time. [20c60fe8e8fc]

2021-10-29 Todd C. Miller

scripts/mkpkg:
Back out f2d82771e7dd, arm64e on macOS is still in preview state. Until arm64e on macOS is finalized, continue to build arm64 packages. [6c3bbd6ffc3a]

2021-10-27 Todd C. Miller

scripts/mkpkg:
Build arm64e ABI binaries on macOS 11 and above. We originally used arm64 here but the correct ABI is arm64e. The arm64 arch will be removed in a future release. [f2d82771e7dd]

logsrvd/logsrvd_local.c:
Use iolog_openat() when opening the log.json file in the I/O log dir. [9041b20b8d01]

2021-10-26 Todd C. Miller

logsrvd/tls_init.c:
Use BIO_new_file() not BIO_new_fd() to read dhparams file. Older versions of OpenSSL and wolfSSL lack BIO_new_fd(). Also explicitly include openssl/bio.h and openssl/dh.h for wolfSSL. [8338f58d5ba0]

INSTALL, config.h.in, configure, configure.ac:
wolfSSL not WolfSSL [4ee7f96ef87c]

.circleci/config.yml:
Add wolfSSL variant to continuous integration tests. [dbbab23e069c]

docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add libwolfssl-dev to Debian and Ubuntu Dockerfiles Fedora does not appear to have an official wolfssl package. [12c0feaa0ebb]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
White space in an include file path supported by sudo 1.9.1 or higher. [9a22034de181]

2021-10-25 Todd C. Miller

INSTALL, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/iolog/hostcheck.c, lib/util/digest_openssl.c, lib/util/getentropy.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h, logsrvd/tls_init.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
Add support for WolfSSL’s OpenSSL compatibility layer. Based on changes from Hayden Roche [568557ecb77b]

lib/util/Makefile.in, plugins/sudoers/Makefile.in:
regenerate dependencies [d36bf7724e49]

logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h:
Move include of log_server.pb-c.h into logsrvd.h and sendlog.h This way there is no include file order issue with the PROTOBUF_C_VERSION_NUMBER check. [23678487ffaf]

docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add pkg-config to all Dockerfile [63457bb84c4d]

2021-10-24 Todd C. Miller

logsrvd/tls_init.c:
Use SSL_FILETYPE_PEM with SSL_CTX_use_PrivateKey_file, not X509_FILETYPE_PEM While they are defined to the same value in OpenSSL one should not rely on this. [1a1557931dbf]

2021-10-23 Todd C. Miller

configure, configure.ac:
Fix setting _PATH_ASAN_LIB, need to double up the square brackets. [98143164620a]

logsrvd/sendlog.c:
sudo_sendlog: send runenv, rungid and runuid from log.json too With this change, sudo_sendlog can now round-trip sudo-style I/O logs that use the newer log.json format without losing any information. [d9d3dad6cca3]

2021-10-22 Todd C. Miller

config.h.in, configure, configure.ac, lib/util/arc4random.c:
arc4random: need to include sys/random.h on Solaris too. This was removed when Linux genentropy() was disabled. [18ea9b386950]

2021-10-21 Todd C. Miller

lib/iolog/hostcheck.c, lib/util/inet_ntop.c, logsrvd/logsrv_util.h, plugins/sudoers/log_client.h:
Make sure INET_ADDRSTRLEN and INET6_ADDRSTRLEN are defined. [e347465e0a05]

plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Only include log_client.h if SUDOERS_LOG_CLIENT is defined. [c318f74cf2a8]

Merge pull request #118 from larb0b/main

Define MAP_FAILED where relevant if undefined [74f3e9f1a1f4]

2021-10-21 Larkin Nickle

lib/util/getentropy.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/snprintf.c:
Define MAP_FAILED where relevant if undefined

On systems such as HP-UX 10.20, MAP_FAILED is not defined. [9f4976caa567]

2021-10-20 Todd C. Miller

configure, m4/libtool.m4:
Improve macOS version detection to support macOS 11 and simplify legacy logic From Jeremy Huddleston Sequoia [f09b45ab460a]

logsrvd/sendlog.c:
sudo_sendlog: send multiple I/O log records together if possible Try to fill the write buffer and then send to the server instead of sending records one at a time. [0b084cd75d64]

logsrvd/sendlog.c, logsrvd/sendlog.h:
sudo_sendlog: support multiple write buffers like sudo_logsrvd [a46b88eff200]

configure, configure.ac, lib/util/Makefile.in:
Always link libsudo_util.so with libcrypto.so if using OpenSSL. We may need to use RAND_bytes() in the getentropy() emulation. [9c805a008d76]

config.h.in, configure, configure.ac, lib/util/getentropy.c, plugins/sudoers/boottime.c:
Add an explicit check for sys/sysctl.h. This test needs to be done after AC_LANG_WERROR to avoid including sys/sysctl.h on systems where it is marked as deprecated via a #warning directive. [d9f1f97b0f37]

config.h.in, configure, configure.ac, lib/util/arc4random.c:
Use our own getentropy() by default on Linux. The glibc getentropy() emulation will fail on older kernels that don’t support getrandom(). Also use sudo_fatal() instead of sending SIGKILL on getentropy() failure. GitHub issue #117. [1ca9d10ff780]

lib/util/getentropy.c:
Use the OpenSSL RAND_bytes() function if getrandom() fails. [5f82f6d2ea36]

lib/util/Makefile.in, lib/util/arc4random_buf.c, scripts/mkdep.pl:
Fix compilation of standalone arc4random_buf(). Apparently this code was never compiled anywhere. [a66c68c3a976]

lib/util/uuid.c:
sudo_uuid_create: no longer need a union for the uuid. [a9277bf0078c]

2021-10-19 Todd C. Miller

lib/eventlog/eventlog_free.c:
eventlog_free: free signal_name too [1da686483f2a]

lib/iolog/regress/fuzz/fuzz_iolog_json.dict:
Add new log.json keywords [f4a30fc6c4ed]

lib/iolog/regress/fuzz/fuzz_iolog_json.c:
fuzz_iolog_json: initialize exit_value to -1 [bac9826b95a1]

logsrvd/logsrvd.c:
Fix potential use-after-free when calling iolog_flush_all(). We need to call iolog_flush_all() before scheduling the commit point. If we fail to schedule to commit point, the closure will be freed. Coverity CID 220557 [364736f15a06]

logsrvd/sendlog.c:
sendlog: use runargv from log.json if available [88a0f4d7bb94]

logsrvd/sendlog.c:
sudo_sendlog: send exit data in eventlog if present [fdacc0f68c56]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
No longer need to pass exit params to eventlog_exit(), use struct eventlog. Now that struct eventlog includes the exit parameters we can simplify how eventlog_exit() is called. [8580c0e8334d]

include/sudo_eventlog.h, lib/iolog/iolog_json.c, lib/iolog/iolog_loginfo.c, logsrvd/iolog_writer.c:
Read command run_time, signal and exit_value from I/O log log.json file. [05223c4cca0c]

logsrvd/logsrvd_local.c:
Log the command run-time and exit status in the I/O log. [8b02b373f79b]

lib/eventlog/eventlog.c:
format_json: fix pasto when setting dumped_core boolean [ca11285c088a]

2021-10-18 Todd C. Miller

lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c:
Handle a missing run_time in an ExitMessage. It is now possible to pass a NULL run_time to eventlog_exit(). [f3e989682931]

2021-10-16 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c:
No need to flush logs before commit point if we flush after each write. Also document that logs are flushed before sending a commit point even when flushing is disabled. [50323241569d]

2021-10-15 Todd C. Miller

MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_flush.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Flush I/O logs before we send a commit point. The commit point message means we have written the data to disk so we should not be buffering it any longer. We do not currently fsync(2) the data after flushing, perhaps we should. [5233172b7531]

logsrvd/logsrv_util.c:
Do not treat a resume point of [0, 0] as an error. If the connecton is interrupted before sudo sends back a commit_point message, resuming at [0, 0] is correct. Also add a warning on unexpected EOF parsing the timing file. [105f29878ad7]

2021-10-11 Todd C. Miller

plugins/sudoers/sudoers.c:
Display a more helpful message if the user tries to run “sudo cd”. Since “cd” is a shell built-in command it cannot be run directly via sudo. The user either needs to spawn a shell via “sudo -s” or use the -D option to run a command in a specific directory. [4d45797dfb11]

configure, configure.ac:
Don’t install sudoers.a when configured with –enable-static- sudoers. We already avoid installing it when –disable-shared-util is specified. [0d2022bc07cb]

2021-10-10 Todd C. Miller

scripts/mkpkg:
mkpkg: preserve make exit value on exit Fixes a problem where the exit value from mkpkg was 0 even on error. [0d0f15bf10cf]

plugins/sudoers/cvtsudoers_csv.c:
Fix typos in SELinux and Solaris priv support. [16b9a1459f1d]

MANIFEST, doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c:
cvtsudoers: initial support for CSV output For CSV output we double quotes strings that contain commas. For each literal double quote character present inside the string, two double quotes are output. [8f7763b74563]

lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
regenerate dependencies [09d11b5c7d41]

docker/README, etc/codespell.ignore:
Fix typo and avoid a codespell false positive. [81a365b29c3c]

2021-10-08 Todd C. Miller

.circleci/config.yml:
Add build-nointercept and test-nointercept [d39877327ccc]

2021-10-07 Todd C. Miller

.circleci/config.yml:
circleci: test multiple build options We now do separate builds with LDAP/SSSD enabled, logsrv client/server disabled, and static-sudoers enabled. [4d8a9b45156c]

configure, configure.ac, plugins/sudoers/Makefile.in:
Fix fuzzer build with when –enable-static-sudoers is used. This introduces a sudoers-specific version of LT_STATIC instead of appending the –tag=disable-shared to SUDOERS_LDFLAGS. I’ve also removed the -static flag as it should not be needed. [864a2fd4e3f7]

2021-10-05 Todd C. Miller

docker/README:
Mention –security-opt=seccomp=unconfined workaround for bleeding edge. May be needed for Fedora rawhide and Ubuntu testing, among others. [a465fdb0a7de]

configure, configure.ac:
Try to handle the case where libasan.so is a linker script. Fixes check_noexec with ASAN on Fedora where libasan.so just includes the actual library file. [f96d1d0cea53]

.circleci/config.yml, docker/README, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile:
Enable address and undefined behavior sanitizers in CI builds. We need to disable leak sanitizer during “make check” because it uses ptrace which is not allowed for unprivileged containers. [9378e3856a60]

2021-10-04 Todd C. Miller

.circleci/config.yml:
Switch to Ubuntu latest for circleci build. [1270ca1ba47d]

.circleci/config.yml, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Add build user for circleci instead of running as root. [27dcb5218cb2]

.circleci/config.yml, MANIFEST, docker/README, docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile, docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile, docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile, docker/ubuntu/rolling/Dockerfile:
Use circleci for continuous integegration. Build container descriptions are in the new docker directory. [d5b5b16b0624]

2021-10-03 Todd C. Miller

.gitignore, .hgignore:
Update ignore file. [7fe8afa88e96]

2021-10-01 Todd C. Miller

plugins/sudoers/sudoreplay.c:
Sync “sudo -l” output with normal sudo log format. It now prints runchroot and runcwd (falling back on cwd). As a result, submithost is now printed first, matching sudo. Also avoid printing NULL pointers and skip entries that don’t have at least command, submituser and runuser set. [0d6b96ec88a1]

lib/iolog/iolog_json.c:
iolog_parse_json_object: optimize for large argv [5fa1929189a3]

2021-09-29 Todd C. Miller

configure, configure.ac:
Add “-fcf-protection” to SSP_CFLAGS and SSP_LDFLAGS if supported. Can be disabled via –disable-hardening. [589507ecadf4]

configure, configure.ac:
Add “-z now” to hardened link options if supported. Can be disabled via –disable-hardening. [11ff1d86440b]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
find_editor: remove the env_error argument There is no case where we should fail to find an editor just because the values of EDITOR, VISUAL and SUDO_EDITOR are unavailable. Both sudoedit and the “env_editor” sudoers setting are documented as falling back on the hard-coded list of editors in the “editors” sudoers setting. Bug #1000 [caa529a0cab6]

plugins/sudoers/check_aliases.c:
Use sudo_printf(SUDO_CONV_ERROR_MSG) instead of fprintf(stderr). Avoids extraneous output in the fuzzer. [981d3abd96c7]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Stub out sudo_printf() and avoid other use of stderr in fuzzers. This makes it possible to parse sudoers without using quiet mode, resulting in better coverage. [3215cad4174f]

2021-09-28 Todd C. Miller

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Use a consistent version of fuzz_conversation() with all fuzzers. Also undo a change to fuzz_sudoers.c that snuck in to the last commit. [8a94b06302b7]

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Fuzzers should not produce output. Excessive output makes the fuzzer runs much less efficient. [b9c485009c0f]

logsrvd/logsrv_util.c:
expand_buf: fix conditional for when we need to preserve existing data It is possible for the buffer offset to be zero when the length is non-zero. The proper value to use is the same as is used for the memcpy/memmove size. Fixes buffer corruption caused by a very long command line that usually results in a dropped connection. [59a4319b3463]

2021-09-27 Todd C. Miller

config.h.in, configure, configure.ac, lib/util/closefrom.c:
Emulate closefrom() on macOS using proc_pidinfo(). This avoids relying on /dev/fd which may not exist in a chroot jail. Adapted from a change in OpenSSH by likan_999.student AT sina.com [2e86d4150ce5]

2021-09-26 Todd C. Miller

src/edit_open.c:
Handle EMLINK and EFTYPE errno values for O_NOFOLLOW failure. FreeBSD returns EMLINK and NetBSD returns EFTYPE instead of ELOOP. This is only used to present the user with a more appropriate error message. [ca5499c8c40f]

2021-09-24 Todd C. Miller

plugins/sudoers/cvtsudoers.c:
Fix typo in last commit, use boolean AND not bitwise. [685bd5d9ce6f]

doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
Add the ability to filter/match by command via the -m option. For example “cvtsudoers -m cmd=/bin/ls” would only display entries that would allow /bin/ls to be allowed or denied. [3534a0170c59]

2021-09-23 Todd C. Miller

doc/cvtsudoers.man.in, doc/cvtsudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers.h, plugins/sudoers/pwutil.c:
Add –group-file and –passwd-file options to cvtsudoers. These are based on the code in testsudoers. [3286dd5dd0bf]

2021-09-22 Todd C. Miller

lib/util/mkdir_parents.c:
Move cppcheck suppression annotation to where it needs to be. [17d601bc91f3]

lib/util/mksigname.c:
format string fix: print signal number as unsigned. Quiets a cppcheck warning; mksiglist.c already has this fixed. [a28b72dceec4]

plugins/sudoers/ldap_util.c:
Fix memory leak on error path if snprintf() overflows. Coverity CID 188804 [73872d2e2cd0]

2021-09-21 Todd C. Miller

plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c:
Avoid reinitializing other auth methods. [af0495460943]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
expand_include: add bounds checking when expanding %h escape. [3c0ca1f0d4e5]

plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Check snprintf() return values even if we preallocated the correct amount. There are no remaining unchecked snprintf() that can actually overflow. [0eaf1d4daa84]

include/sudo_iolog.h, lib/iolog/iolog_nextid.c:
iolog_nextid(): make iolog_dir argument const. We make a copy of the directory so there’s no real reason that parameter can’t be const. [f278847ca9aa]

plugins/sudoers/ldap_util.c:
Amend truncation fix, the real problem was the size passed to snprintf(). sudo_rcstr_alloc() takes a length (not a size) parameter so when calling snprintf() we need to add one to the length. [92f8a8b86d20]

plugins/sudoers/ldap_util.c:
Fix truncation of the last char of the sudoRole cn passed to append_default(). This string is primarily used for warning messages. Also check the snprintf() return value to avoid silent truncation. GitHub issue #115 [22b8d7bc62f8]

2021-09-20 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.8p2 [f29fdeb8ae5b]

etc/codespell.exclude:
Standardize on “front-end” not “front end” in the man pages. [b0ad634852e7]

configure, configure.ac:
fix typo [4d8738449daa]

logsrvd/logsrvd_journal.c:
Reuse existing journal file for an accepted/rejected sub-command. Otherwise we end up with zero-length files in the incoming queue dir and may end up relaying one of those instead of the actual journal file. [545897a2761c]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Re-enable error output for the sudoers parser. It is only the alias and defaults warnings we need to suppress. [114bd7756a7c]

src/exec_intercept.c:
Add intercept_cleanup() stub for when building w/o intercept support. [bd6f32a90787]

src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
Add intercept_cleanup() to free the closure used by intercept_accept_cb(). [55f6aea8b517]

plugins/sudoers/auth/pam.c:
Don’t re-initialize PAM for sub-commands. [faa7aec4d145]

logsrvd/logsrvd_local.c:
sudo_logsrvd: only send log ID for first command of a session There is no need to send the log ID for each sub-command. [625b18c5f821]

plugins/sudoers/log_client.c:
Only store the first log id received from the server. Plugs a small memory leak in intercept mode if the log server sends the log ID again for sub-commands. [ca2ad5b219cd]

2021-09-19 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
fuzz_sudoers: don’t warn about unknown defaults entries Some fuzzing inputs cause a huge number of warnings and displaying them all can result in the fuzz run timing out. If we disable the warnings we can avoid the timeout. [4823ee305937]

plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/policy.c:
Limit paths for command, cwd and chroot to PATH_MAX bytes. This helps prevent the fuzzer from going off the rails. [9550fa76a645]

plugins/sudoers/sudoers.c:
sudo -i: missing NULL terminator when moving argv to make room for –login Fixes a potential crash for “sudo -i” when the target user has bash as the shell (which needs the –login option). Bug #998. [4b297f2ead15]

lib/eventlog/eventlog.c:
Only append argv[] to the log line if argv[0] is not NULL. It should not be possible to reach this point with a command defined but argv[] empty but it doesn’t hurt to check. [61f9cf744673]

2021-09-18 Todd C. Miller

plugins/sudoers/check_aliases.c:
Only warn about an undefined alias or a cycle a single time. There’s no point in warning about the same problem multiple times. This implementation assumes a small number of warnings and so just uses a simple listed link. [4461f65d1bad]

configure, configure.ac:
Remove now-unused CHECK_INTERCEPT variable. [447dbf8bea48]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Quiet pvs-studio false positive: V557 Array overrun is possible. Make the zero length check explicit so as not to confuse static (or human) analyzers. [512ab29a9f28]

2021-09-17 Todd C. Miller

MANIFEST, plugins/sudoers/regress/testsudoers/test17.out.ok, plugins/sudoers/regress/testsudoers/test17.sh:
Test that digest matching works with LDAP sudoCommand: ALL [f7ec49401d4f]

plugins/sudoers/ldap_util.c:
Allow a digest to be specified with the “ALL” command for ldap/sssd back-ends. This has been possible with sudoers file entries since sudo 1.9.0 but no corresponding change was made for ldap/sssd. [89a30bbd7dac]

lib/eventlog/eventlog.c:
Use localtime_r() not gmtime_r() when formatting the local time. This is consistent with how sudo formatted time stamps prior to the logging code being split off into libeventlog. We only need to use gmtime_r() for ISO 8601 time. [aee6e29ba9d6]

lib/eventlog/eventlog.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c:
Check strftime(3) return value in all cases. Old versions of strftime(3) didn’t guarantee to NUL-terminate the buffer so we explicitly clear the last byte of the buffer and check it. [bc402e4bd4d2]

config.h.in, configure, configure.ac, logsrvd/tls_init.c:
tls_init.c: use SSL_CTX_set0_tmp_dh_pkey if present. Fixes a warning on OpenSSL 3.0 and plugs a memory leak of dhparams on config reload. [02027ea86d3b]

configure, configure.ac, lib/util/digest_openssl.c:
Use the EVP digest routines instead of calling SHA2 functions directly. Avoids compiler warnings with OpenSSL 3.0. EVP_MD_CTX_new() is only available for OpenSSL 1.1 and higher–we will fall back to sudo’s SHA2 code if necessary. [6fbac28175f9]

configure, configure.ac:
When using pkg-config, don’t assume the names of the ssl and crypto libs. On the HP-UX build machines these are named libssl_pic.a and libcrypto_pic.a to avoid conflicting with the system libs. [a8eb772b3a4d]

lib/util/sudo_debug.c:
Store milliseconds in the debug file timestamp. Sometime second granularity is not enough. [1df3e75f1133]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/gmtime_r.c, lib/util/localtime_r.c:
Add gmtime_r and localtime_r tests and compat if missing. [709671c493a3]

lib/eventlog/eventlog.c, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/timestr.c:
Use gmtime_r() and localtime_r() instead of gmtime() and localtime(). [5758514b25cb]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
Plugin lines are for approval and audit plugins too. [67bb7c0687f2]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in:
Standardize on “front-end” not “front end” in the man pages. [68748f8cc8a6]

MANIFEST, plugins/sudoers/regress/testsudoers/test16.out.ok, plugins/sudoers/regress/testsudoers/test16.sh:
Add a test to exercise Bug #994 [eef2ece0e8d4]

scripts/mkpkg:
mkpkg: limit the number of cores used to 16 [5b8f2aa834b8]

2021-09-16 Todd C. Miller

NEWS:
fix typo [120b1e7d2aca]

NEWS:
Bug #994. [14ea3a741b25]

plugins/sudoers/ldap_util.c:
Always allocate a struct sudo_command for the command, even for ALL. This was missed in the previous set of changes, resulting in a crash for LDAP and SSSD rules that give sudo “ALL” privileges. Bug #994. [91d0379b068a]

plugins/sudoers/Makefile.in:
Add SUDOERS_LDFLAGS to FUZZ_LDFLAGS Fixes a fuzzer link error when building with ldap if the ldap libs are not in the default library search path. [a450881f9763]

configure, configure.ac:
Fix the OpenSSL link order for the non-pkg-config case. Since -lssl depends on -lcrypto, -lcrypto must be listed after -lssl. Fixes linking of non-dynamic OpenSSL libs. [787724ab6e87]

2021-09-15 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.8p1 [fc8c69d55348]

src/sudo_intercept_common.c:
sudo_interposer_init: verify message type from sudo We should only get a HelloResponse from sudo at this point. [a021319260b3]

include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
Avoid symbol name clash to fix –enable-static-sudoers linking. [5cc5e415844f]

2021-09-14 Todd C. Miller

plugins/sudoers/defaults.c, plugins/sudoers/policy.c:
append_defaults() should not be passed a value for boolean flags. The operation should simply be set to true/false. Also treat a NULL file as coming from the front-end. Bug #993. [86e69d358916]

2021-09-13 Todd C. Miller

configure, configure.ac, plugins/python/Makefile.in, scripts/mkdep.pl, src/Makefile.in:
Teach mkdep.pl about –tag=disable-static in LTFLAGS. If static objs are disabled we need to add explicit dependencies for .o files. The OpenBSD libtool doesn’t use a pic object file when linking executables so we need to build the non-pic objects too. [cdefeeb41a64]

configure, configure.ac:
Use SUDO_APPEND_LIBPATH when appending to LIBTLS and LIBMD. The OpenSSL pkgconfig files only include -L paths, not -R paths. Using SUDO_APPEND_LIBPATH ensures the rpath is set correctly so the binaries will run (not just link). [29d051972287]

INSTALL, configure, configure.ac:
Add –enable-openssl-pkgconfig-template option. This can be used to find the correct openssl pkg-config file if it is not named “openssl” (also libcrypto). [77cd3463cefa]

plugins/sudoers/getdate.c, plugins/sudoers/getdate.y:
Some POSIX yacc fixes for bison 3.8 yyerror() must be extern void declare tokens with type instead of using separate %type lines [c4e57f9e7df5]

2021-09-09 Todd C. Miller

.gitignore, .hgignore:
Add src/intercept.exp to ignore files. [4eaa182a8808]

2021-09-08 Todd C. Miller

plugins/sudoers/po/cs.mo:
regen [8c168099301b]

NEWS:
Mention –enable-static-sudoers fix. [c93a42253fd0]

configure, configure.ac:
Fix typo introduced in 1.9.7 that set SUDO_LDFLAGS to SUDOERS_LDFLAGS. Copy pasta is not always the best kind of pasta. [08188442f77b]

MANIFEST, configure, configure.ac, m4/sudo.m4, src/Makefile.in, src/intercept.exp, src/intercept.exp.in, src/sudo_intercept.c:
sudo_intercept.so: only replace execvpe() if it is present. execvpe() is a GNU extension also found on *BSD (but not macOS). [26153ad9c6ca]

NEWS:
We now intercept more than just execve(). [33e453f035f8]

2021-09-07 Todd C. Miller

src/sudo_intercept.c:
Implement simple PATH resolution for execvp(). We want to use PATH from the current value of the environment, not the initial value of PATH when the policy was opened. This is a little different from how real execvp() works since we use stat() instead of just execve(). [fae58e1962cc]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
Add support for execl, execle, execlp, execvp, and execvpe. Currently, PATH traversal is handled by sudoers which uses the original PATH, not the one updated by the shell. [59dfbbd39bf6]

2021-09-03 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y:
Remove conditional include of alloca.h, we don’t define HAVE_ALLOCA_H. The configure check for alloca() was removed long ago but this got missed. [4c64529df149]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Define RBAC and mention incompatibility with intercept/log_subcmds. [a44d8f96cad6]

2021-09-02 Todd C. Miller

src/exec_intercept.c:
Fix computation of the token address when handling a partial read. We want to treat it as an array of bytes, not an array of tokens. Coverity CID 240011 [0bb3fb3315ce]

plugins/sudoers/parse.c:
Quiet a PVS-Studio format string warning. [4e445c646dc8]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Regen .pot files. [4cec17bc24da]

plugins/sudoers/po/cs.po:
Updated translations from translationproject.org [62fdbab57411]

2021-09-01 Todd C. Miller

src/Makefile.in:
regen [a2f37ca5473b]

configure, configure.ac, lib/util/sudo_conf.c, scripts/mkdep.pl, src/Makefile.in, src/exec_common.c, src/exec_intercept.c:
Do not compile intercept code if –disable-intercept is specified. [9d31e2822c24]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
We now intercept execv() too. [f0eac891cb5c]

INSTALL:
INSTALL: –disable-intercept will also disable “log_subcmds” [55ddfdae455d]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/parse.c:
Can’t use intercept or log_subcmds with SELinux RBAC. SELinux policy will prevent the inherited socket from sudo from being used and may also restrict the ability to connect back to the sudo process. [b73409172859]

m4/ax_prog_cc_for_build.m4:
Fix typo in comment. [3259f09e6952]

po/cs.mo, po/cs.po:
Updated translations from translationproject.org [7543d0d50ee2]

include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
Switch to a 128-bit token instead of a 64-bit secret. Protobuf doesn’t have a 128-bit type so use two u64s. We now support partial reads of the token. [e39ece25fb3b]

2021-08-31 Todd C. Miller

MANIFEST, lib/util/Makefile.in, lib/util/regress/uuid/uuid_test.c, lib/util/uuid.c:
Fix random uuid generation, no need to convert between byte order. Also add regression test. [fd2940acffc2]

include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
sudo_intercept.so: send the secret immediately after connecting. Sending the secret out of band, before the message size is read, should make it harder to mount a DoS attack. [4c8b6577bd8c]

src/sudo_intercept_common.c:
Handle reading large messages that don’t fit in a single recv(). We know the length of what we are receiving so just loop until we have it all, get EOF or an error. [1b8aa927ea83]

configure, configure.ac:
Add checks for -fstack-clash-protection and -Wl,-z,noexecstack We use -Wc,-fstack-clash-protection as the linker flag to prevent libtool from removing it from the link line. [7cd701b5039e]

src/exec_intercept.c:
Make the sudo side of the intercept socket non-blocking. [3fe7129ea1f2]

src/exec_intercept.c:
Handle partial read/write by dropping back into the event loop. [fa216d963e18]

src/exec_intercept.c:
intercept_check_policy: Fix double free introduced in last commit If the command is not accepted we don’t rebuild command_info[] and must not free it. It will be freed by the policy instead. [8bbd2af0924b]

2021-08-27 Todd C. Miller

include/intercept.pb-c.h, src/exec_intercept.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_intercept_common.c:
Update runcwd in command_info[] before passing it to the audit plugin. Since sudoers does rejected commands itself the runcwd will still not be correct for those. [5462a5e1d760]

src/exec_preload.c:
Fix LD_PRELOAD formatting when there is an existing LD_PRELOAD var. [04d8d7750ff6]

2021-08-26 Todd C. Miller

src/exec_intercept.c:
intercept_check_policy: fix potential NUL dereference on the error path. [4d1b3f39ccb1]

NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c, src/sudo.h:
Rename log_children -> log_subcmds [abd73fc939c3]

plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [f948528780fb]

lib/util/sudo_debug.c:
Add sudo_debug_register_v2() stub for fuzzing build. [ba522c0c2075]

src/exec_intercept.c:
Fix use-after-free on error. Also remove useless free of a ptr that is always NULL on the error path. [75200535be80]

src/exec_common.c:
No longer need to remap intercept fd but we do need to remap debug fd. The intercept fd is closed in the ctor but the debug fd will still be open. [b48125b884f3]

include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, src/sesh.c, src/sudo.c, src/sudo_intercept_common.c:
sudo_debug_register: add minfd argument to specify lowest fd number Use this in sudo_intercept.so to avoid allocating a low-numbered fd which the shell reserves for use by scripts. [50b23c4d0531]

src/exec_intercept.c:
Fix command name of sub-command in logs when log_children is set. [c1b35686d8b4]

2021-08-25 Todd C. Miller

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
log_allowed: pass struct eventlog * instead of argv[] and envp[]. This lets us log based on the command_info[] list passed in from the front-end. Previously, much of the struct eventlog was constructed from internal sudoers state instead. [4c4a7ddfeba3]

include/sudo_compat.h:
sudo_compat.h: include unistd.h on HP-UX to safely redefine pread/pwrite HP-UX 11.31 defines static functions for pread() and pwrite() which will conflict with our macros. [2dd64cdc261f]

config.h.in, configure, configure.ac, include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
Change intercept IPC to use a localhost socket instead of inherited fd. This allows intercept mode to work with shells that close all open fds upon startup. The ctor in sudo_intercept.so requests the port number and secret over the socket inherited from the parent then closes it. For each policy request, a TCP connection is made to the sudo parent process to perform the policy check. Child processes re-use the TCP socket to request the port number and secret just like the initial process started by sudo does. [7e7e4a389f11]

src/exec_intercept.c:
Add a state variable to intercept_closure, replaces policy_result. [60fae103a4cd]

plugins/sudoers/match_command.c:
command_matches: avoid printf("%s") of NULL in debug for sudo ALL. [5c81c2c32b4c]

Merge pull request #111 from commodo/fix-cflags

lib/util/Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list} [ee86d28da792]

2021-08-25 Alexandru Ardelean

lib/util/Makefile.in:
lib: util: Makefile.in: use host CFLAGS and CPPFLAGS for mksig{name,list}

When cross-build support was added for mkig{name,list} was added, the CFLAGS and CPPFLAGS should have been updated to the HOSTCFLAGS/HOSTCPPFLAGS vars.

In a cross-build scenario, some of these flags don’t match what the compiler can understand (because they may be architecture specific) and may fail the build.

Using the HOSTCFLAGS/HOSTCPPFLAGS works and builds successfully. Also the output binary works on the target.

This is in continuation of
- https://github.com/sudo-project/sudo/pull/104
- https://github.com/sudo-project/sudo/pull/109
Signed-off-by: Alexandru Ardelean <ardeleanalex@…> [f76870e1a6c5]

2021-08-24 Todd C. Miller

src/exec_intercept.c:
Fold intercept_closure_reset() into intercept_close(). [ff00ab240672]

src/exec_preload.c:
Fix typo that caused SUDO_INTERCEPT_FD to overwrite LD_PRELOAD. [e4cd1043c7bb]

src/exec_preload.c:
Fix off-by-one that could result in duplicate SUDO_INTERCEPT_FD vars. [9044d0dff708]

src/sudo_intercept.c:
Fix typo in macOS execv change. [1c637d909382]

2021-08-21 Todd C. Miller

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, src/intercept.exp, src/sudo_intercept.c:
Add execv(3) support to sudo_intercept.so. This allows intercept to work with csh which uses execv(3) not execve(2). [690ebf72b6f8]

2021-08-20 Todd C. Miller

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Sync the list of functions trapped by sudo_noexec.so. [b1f7799209ff]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
Add a Debug example for sudo_intercept.so Don’t try to enumerate all the sudo programs that support debugging since all of them do. [9c1201eaaca2]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Update sudoers Debug example to match the debug changes from sudo 1.8.12. [7c831aa9b6d5]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
sudo_intercept.so only intercepts execve(2) for now. [7314abc72fb9]

plugins/sudoers/parse.c:
Fix formatting for bound defaults with multiple entries in the binding. The entries in the binding were separated with " ," instead of “, “. [14442701f793]

MANIFEST, src/Makefile.in, src/intercept.exp:
Add exports file for sudo_intercept.so that only exports execve() [ac97417435ab]

src/Makefile.in, src/sudo_intercept.c, src/sudo_intercept_common.c:
Add some debugging to the sudo_intercept.so. [2dee003b5cc7]

config.h.in, configure, configure.ac:
Use AC_FUNC_FSEEKO instead of AC_CHECK_FUNCS_ONCE([fseeko]). This will define _LARGEFILE_SOURCE, if needed, to make the prototype visible on older systems. [3f4314f6a795]

2021-08-19 Todd C. Miller

config.h.in, configure, configure.ac, include/sudo_compat.h:
We still need the pread/pwrite hack for HP-UX 11.11 at least. This time around, avoid defining _LARGEFILE64_SOURCE and just declare pread64/pwrite64 ourselves. [66e01b14a10f]

include/sudo_compat.h:
Fix prototypes for sudo_pread() and sudo_pwrite(). [15acfc576a71]

src/exec_intercept.c:
intercept_fd_cb: store the passed fd in newfd, not fd only affects the old BSD-style fd passing code, not POSIX-style. [4b13aa4593ba]

lib/util/Makefile.in:
Fix mksiglist and mksigname dependencies. [31519cc5ec2b]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
set-user-ID and set-group-ID not set user-ID and set group-ID. [0ddf5fedc896]

NEWS:
The fix for bug #989 will make sudo 1.9.8. Also mention intercept_authenticate and intercept_allow_setid. [fa8b7444486b]

plugins/sudoers/po/sudoers.pot:
regen [c8993c070218]

.gitignore, .hgignore, MANIFEST, aclocal.m4, configure, configure.ac, lib/util/Makefile.in, lib/util/mksiglist.c, lib/util/mksiglist.h, lib/util/mksigname.c, lib/util/mksigname.h, lib/util/sys_siglist.h, lib/util/sys_signame.h, m4/ax_prog_cc_for_build.m4:
Cross-build support for mksigname and mksiglist We must build these with the host C compiler but use the target preprocessor to generate the output. [bf2919b63fb9]

2021-08-19 a1346054

.clang-format, INSTALL, MANIFEST, autogen.sh, doc/LICENSE, etc/sudo.pp, examples/Makefile.in:
Minor cleanup (#110)

fix trivial shell script issues

remove trailing whitespace [f9d4de3dee50]

2021-08-19 Todd C. Miller

logsrvd/logsrvd_conf.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/exptilde.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/mkdefaults, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c:
Replace messages like “unknown foo: %s” with “unknown foo %s”. The colon really doesn’t belong there; we generally use a colon to separate a message from the warning detail. [a1b99c8821ae]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
log_server_peer_cert and log_server_peer_key are not required by default. They are only required if sudo_logsrvd has tls_checkpeer enabled. [0d9099ce5d74]

logsrvd/logsrvd_conf.c:
Sync warning messages with sudoers/logging.c Avoids 3 translation strings that were effectively duplicated. [eb058a820998]

2021-08-18 Todd C. Miller

lib/protobuf-c/Makefile.in, src/Makefile.in:
regen [ab9d4b22d7cb]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Add intercept_allow_setid sudoers option, disabled by default. With this change, a shell in intercept mode cannot run a setuid or setgid binary by default. On most systems, the dynamic loader will ignore LD_PRELOAD for setuid/setgid binaries such as sudo which would effectively disable intercept mode. [cdb876f62882]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c:
Always allocate a struct sudo_command for the command, even for ALL. Previously we special-cased handling of ALL but this complicates some upcoming changes. [d552109d739c]

2021-08-16 Todd C. Miller

etc/codespell.exclude:
Update TAGS_CHANGED macro based on parse.h [261e4bad3f55]

doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Better document the limitations of intercept mode. Also mention log_children under “Preventing shell escapes” [0dfca8d0672d]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.8. [ed2582c37765]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Try to clarify log_server_peer_key and log_server_peer_cert. These are client-side not server-side. [ffa4ee3e2557]

logsrvd/logsrvd_conf.c:
Print the section when warning about an illegal key in the conf file. This should make it easier to tell when a setting is present in the wrong section. [8150a7775155]

2021-08-14 Todd C. Miller

lib/eventlog/eventlog.c:
new_logline: limit offset to two significant digits after the decimal Now instead of TSID=0001L3@5.168230749 we would log TSID=0001L3@5.16. [089f7a1285cb]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c:
Set umask to be less restrictive before creating parent directories. Otherwise we could end up creating them with a more restrictive mode than indended. Coverity CID 221592 [1bbb3621106a]

lib/eventlog/eventlog.c:
new_logline: handle case where evlog is NULL [e14ded2179e8]

logsrvd/logsrvd_local.c:
store_alert_local: fix memory leak on error path Coverity CID 238642 [2a3c7fb50c38]

plugins/sudoers/audit.c:
log_server_accept: fix memory leak of evlog when logging a sub- command. Coverity CID 238643 [36a7325b3dc2]

src/exec_intercept.c:
Fix memory leak when client requests secret. Move closure allocation closer to where it is used. [773ffe0cb216]

logsrvd/logsrvd_local.c:
store_accept_local: fix return value on error [de0d06a1ade2]

2021-08-13 Todd C. Miller

lib/eventlog/eventlog.c:
Cast iolog_offset.tv_sec to long long for %lld printf format. Quiets a compiler warning on systems where tv_sec in struct timeval is not long long. [54d757357a00]

doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, lib/iolog/iolog_timing.c, plugins/sudoers/sudoreplay.c:
Add support for an optional offset when parsing the ID to replay. The offset is a suffix in the form of @sec[.nanosec] [f8cda41ea0ae]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
For intercepted commands, log an offset into the current I/O log. This can be used with sudoreplay to jump to when a specific command was executed within a session log. [fd9431d7c878]

logsrvd/logsrvd_local.c:
Don’t overwrite closure->evlog for sub-commands. [925c97582b1d]

config.h.in, configure, configure.ac, include/sudo_compat.h:
Older Solaris has getusershell() et al but does not declare it. [df4cd6a5e07f]

src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_intercept_common.c:
Add missing stdint.h and sudo_rand.h includes. Needed for arc4random() and uin64_t. [47fd965524fe]

include/intercept.pb-c.h, src/exec_intercept.c, src/exec_nopty.c, src/exec_pty.c, src/intercept.pb-c.c, src/intercept.proto, src/sudo_exec.h, src/sudo_intercept_common.c:
Pass a secret value to sudo_intercept.so and verify after policy check. The goal is to make it harder for someone to have a fake policy checker. This will not stop a determined adversary since the secret is present in the address space of the running process. [7938c63384df]

2021-08-11 Todd C. Miller

MANIFEST, src/Makefile.in, src/exec.c, src/exec_intercept.c:
Split off intercept code into exec_intercept.c. [2c05715c4885]

scripts/mkpkg:
Add trivial support for FreeBSD packages. The actual FreeBSD port supports multiple options but this is sufficient for testing purposes. [6bb8a1cdf26c]

scripts/pp:
FreeBSD: Set default directory and file mode if not specified in %files Otherwise, a mode of 0 will be used, potentially rendering the system unusable. [a3be86a5f85f]

plugins/sudoers/logging.c:
Use same check for intercepted commands as log_server_accept(). Previously, log_server_reject() and log_server_alert() just checked whether client_closure has been set. [41177f7c32f4]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
Call shutdown() on sockets before closing() if they are connected. This should ensure that the other side sees any queued data before the connection is dropped. [beaafc6c17cf]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, plugins/sudoers/log_client.c:
If SSL_shutdown() returns 0 it needs to be called one more time. [52bb0acfb659]

plugins/sudoers/editor.c:
resolve_editor: sudoers_gc_remove(editor) before freeing it. [534cc939264f]

2021-08-10 Todd C. Miller

lib/util/mksigname.h, lib/util/siglist.in:
Sync siglist.in with the generated files. The change to prefer SIGSYS over SIGUNUSED wasn’t made to siglist.in. Also, mksigname.c doesn’t need to explicitly set sudo_sys_signame[0]. [c331b05f8fc5]

plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/gc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add garbage collection to resolve_editor(). Fixes a leak when evaluating the policy multiple times if sudoedit is set. [ab011d864e87]

2021-08-09 Todd C. Miller

src/exec_common.c:
Fix compilation when configure option –disable-shared is specified. [98687e01c8e4]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add intercept_authenticate sudoers option, defaults to false. By default, sudoers will not require authentication of commands run via an intercepted session. To require authenticaton of subsequent commands, enable intercept_authenticate in sudoers. [b428c75da1ad]

config.h.in, configure, configure.ac, src/exec.c, src/sudo_intercept_common.c:
If msg_control is not present in struct msghdr use msg_accrights instead. Fixes building on Solaris and probably others. It is possible to expose msg_control on Solaris but this requires a specific set of feature flag defines which can cause other complications. [6ee77b869a8c]

configure, configure.ac, src/exec_preload.c:
Require that our dso be first in the list to make sure it takes effect. Otherwise, another dso could take precedence and ours would not be run. [58ba4086357c]

configure, configure.ac, pathnames.h.in, src/Makefile.in, src/exec_preload.c:
If building with address sanitizer make sure its DSO is first. Address sanitizer requires that it be preloaded before any other DSO in LD_PRELOAD. This should not be required for clang, which links in asan statically by default. [a812062f42a8]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Plug some memory leaks when sudoers_policy_main is called multiple times. These would get cleaned up a policy close time but we don’t want to bloat sudo’s memory footprint when running a shell with multiple commands. [7fee001ffeae]

plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c:
Fix logging intercepted commands to a log server in sudoers. Only available when the server supports the subcommands capability. [5975770561de]

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Use a separate uuid for intercepted commands. We use the uuid to match the command with its exit status. [467f0db6e2c6]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Avoid some double frees in the fuzzer Now that sudoers free old values of NewArgv and command_info the fuzzer needs to reset those values. Otherwise we end up with stashed values that have already been garbage collected. [2a1b5808d272]

NEWS, configure, configure.ac:
Sudo 1.9.8 [bc96c8f95abf]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add “intercept” Defaults setting to allow interception of sub- commands. This causes “intercept” to be set to true in command_info[] which the sudo front-end will use to determine whether or not to intercept attempts to run further commands, such as from a shell. Also add “log_children” which will use the same mechanism but only log (audit) further commands. [f42e11c0fde9]

INSTALL, configure, configure.ac, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in, include/sudo_conf.h, lib/util/sudo_conf.c, lib/util/util.exp.in, pathnames.h.in, src/Makefile.in, src/exec.c, src/exec_common.c, src/selinux.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_exec.h:
Add support for loading the sudo_intercept.so DSO. [47d84cc8a8ed]

include/sudo_compat.h, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sesh.c, src/sudo_exec.h:
Allocate a socketpair to communicate with sudo_intercept.so over. This is used for the intercept and log_children options. [b40091760952]

plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/pam.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/file.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Make it possible to call the sudoers policy check function multiple times. We need to reset the Defaults values to their original state. [3187e87d7fb6]

plugins/sudoers/set_perms.c:
Allow set_perms(PERM_INITIAL) to be called more than once. If the perm stack depth is non-zero when set_perms(PERM_INITIAL) is called, rewind it first and re-initialize the stack depth to 0. Fixes a user-after-free bug if set_perms(PERM_INITIAL) is called multiple times. [fdf9a2e07eb1]

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Use run_argv and run_envp passed into the audit plugin for event logging. Previously we used NewArgv[] and env_get() but now that logging is performed via an audit plugin we should use the values passed in. [d8e031fc2389]

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c:
Allow multiple accept/reject messages during a logsrv conversation. The log server now advertises a subcommands flag if it supports logging subcommands (e.g. commands run from a sudo-spawned program like a shell). The client should only log additional commands during a session if this flag is set in the ServerHello message. [5b88982604e8]

MANIFEST, Makefile.in, configure, configure.ac, lib/logsrv/Makefile.in, lib/logsrv/protobuf-c.c, lib/protobuf-c/Makefile.in, lib/protobuf-c/protobuf-c.c:
Add separate convenience lib for protobuf-c We need to use it for sudo <-> sudo_intercept.so communication. [9529d7f9db18]

MANIFEST, include/intercept.pb-c.h, src/Makefile.in, src/intercept.pb-c.c, src/intercept.proto:
Define protocol for sudo <-> sudo_intercept.so communication. Uses google protocol buffers. [139ba292e226]

src/exec.c, src/sudo.c, src/sudo.h:
Implement the sudo side of the sudo_intercept.so communication. [4a7face9ed17]

MANIFEST, src/Makefile.in, src/exec.c, src/exec_common.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
Implement sudo_intercept.so. Uses protobuf to talk to main sudo process over a socketpair. [fc21ae0f663e]

src/sudo.c, src/sudo.h:
Add return values for most of the plugin function wrappers that returned void. Previously, they would just exit if there was an error. Now the error is passed back up the stack so we can use them in sudo_intercept.so. [87cb4b0e7dff]

src/sudo.c:
Reduce the number of function args passed to plugin wrappers. This makes sudo_settings, user_info, submit_argv, submit_envp and submit_optind global. This will be required for calling the wrapper from outside of sudo.c where we may not have access to those variables. [525bffcf911c]

src/exec.c, src/sudo.c, src/sudo.h:
Call the approval plugin after the policy plugin accepts a command. Previously, for intercepted commands we only called the policy plugin. [4df18aaa8708]

src/exec.c:
Take control of the tty and save its settings before doing a policy check. Otherwise the policy plugin won’t be able to read the password. [6a422974d472]

MANIFEST, src/Makefile.in, src/exec_common.c, src/exec_preload.c, src/sudo_exec.h, src/sudo_intercept.c, src/sudo_intercept_common.c:
Move preload_dso() to its own file and rename to sudo_preload_dso(). It now takes an intercept fd as an optional argument instead of a list of extra variables to add. This lets us check whether it is already set to the expected value (and add it if not). sudo_intercept.so now uses sudo_preload_dso() to make sure that LD_PRELOAD and SUDO_INTERCEPT_FD are set properly before executing. [447e96378d01]

src/exec_preload.c, src/sudo_intercept_common.c:
Add debug support to sudo_intercept.so [586ea125cebb]

src/exec.c, src/exec_nopty.c, src/exec_pty.c:
Make the log_children option only log and not check policy. [0524c7e87174]

plugins/sudoers/prompt.c:
expand_prompt: use correct strlcpy() size parameter The available size passed to strlcpy() was computed incorrectly. Switch to updating the length after writing to the new prompt instead of computing it each time. The actual buffer size is computed and allocated correctly so there is no real consequence to this bug. Found by Qualys. [c03f1c2f8f35]

2021-08-03 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
The tls_verify setting only affects server behavior, not the client. Originally, there was a flag in the ServerHello message to indicate that the client should verify the server cert, but this was removed TLS was moved to a separate port. Client validation of the server certificate is now configured in the sudoers file instead. [344b51f3eee3]

2021-08-02 Todd C. Miller

scripts/mkpkg:
On macOS, don’t disable tty tickets and set password timeout to 0. This more closely matches the options used by the macOS version of sudo. [bd21c492921c]

plugins/sudoers/find_path.c:
Add some debugging info to find_path() [dd7aebb432d6]

2021-07-30 Todd C. Miller

lib/iolog/iolog_mkdtemp.c:
iolog_mkdtemp: umask must not be more restrictive than the file modes. We need this even though we will be calling mkdtemp() since the umask affects the mode of any parent directories. [c545b3369eae]

2021-07-29 Todd C. Miller

plugins/sudoers/visudo.c:
Plug memory leak in error path when sudoers cannot be opened. [3df6b32149b8]

plugins/sudoers/defaults.c:
Trying to use “+=” or “-=” operators on a non-list is an error. Previously, they were simply treated as “=” for non-lists. [3e0d47d0b4ea]

src/regress/net_ifs/check_net_ifs.c:
Plug a memory leak in check_net_ifs found by address sanitizer. [bff1ad993476]

configure, configure.ac:
Prefix sanitizer and fuzzer options with -XCClinker in ASAN_LDFLAGS. Otherwise libtool may ignore the options when linking. [ed1120f3813d]

2021-07-27 Todd C. Miller

logsrvd/tls_init.c:
Display the correct error message if X509_verify_cert() fails. We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string() instead of the generic OpenSSL error functions. [778bbbe68e28]

lib/eventlog/eventlog.c:
In new_logline check for NULL args->reason for EVLOG_RAW. This can’t happen in practice since we never set EVLOG_RAW without passing in a reason. Coverity CID 237142 237143 [83f9038151db]

lib/eventlog/eventlog.c:
format_json: don’t dereference evlog if it is NULL. Also silence a PVS Studio false positive. [150039f65d26]

2021-07-26 Todd C. Miller

configure, configure.ac:
Bump version to 1.9.7p2 [388bf6af8434]

NEWS:
Sudo 1.9.7p2 [153a6c96a8ec]

config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/tls_client.c, logsrvd/tls_init.c, plugins/sudoers/log_client.c:
Use TLS_method() instead of TLS_client_method() throughout. OpenSSL returns an error for SSL_accept() if TLS_client_method() was used to generate the context (LibreSSL doesn’t care).

Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method() were used in the TLS client and server initialization code respectively. This was refactored in sudo 1.9.7 to allow the code to be shared. Bug #988 [1ca00726b4d6]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Only replace getaddrinfo for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. This works around an issue on SCO which uses inline functions in the header files which call the actual, versioned, library function. [64cbf884b7f9]

2021-07-26 MertsA

src/utmp.c:
Rewind utmp file pointer after searching for entry (#108)

getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries. [142555f7a47e]

2021-07-25 Todd C. Miller

configure, configure.ac, m4/sudo.m4:
Use AC_CACHE_CHECK in place of AC_MSG_CHECKING + AC_CACHE_VAL where possible. [7b0fb8de8276]

config.h.in, configure, configure.ac, include/sudo_compat.h:
Add configure check for va_copy instead of using #ifdef This prevents the va_copy compat #define from being used if sudo_compat.h is somehow included before stdarg.h. [fcfd53b859ac]

2021-07-23 Todd C. Miller

src/limits.c:
Avoid using RLIM_INFINITY for the nofile soft limit to prevent closefrom_fallback() from closing too many file descriptors. [e807ca9bfb6a]

plugins/sudoers/logging.c:
Include signal.h for SIG2STR_MAX and sig2str(). [ad17a1be07e2]

2021-07-15 Todd C. Miller

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
Create a UUID and log it in the JSON version of the event log. [8a1ad98fac51]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_local.c, plugins/sudoers/logging.c:
Remove unused info_cb and info arguments from eventlog_exit() [c614ef1afa12]

2021-07-09 Todd C. Miller

include/sudo_eventlog.h, lib/eventlog/eventlog.c:
Add support for logging exit status events. For sudo-formatted logs, this is a record with “EXIT=number” and potentially “SIGNAL=name” after the command. For JSON-format logs, a new “exit” record is logged which contains an “exit_value” and potentially “signal” and “core_dumped”. JSON-format logs now incude a UUID to associate the “exit” record with the “accept” record. [52e40ae4b79a]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
Add log_exit_status sudoers option to log when a command exits. This option defaults to off. [cac3ca7ad193]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_local.c:
Add log_exit setting in the sudo_logsrvd.conf eventlog stanza This causes sudo_logsrvd to log a record with the exit status or terminating signal in response to an ExitMessage. [1a15f676974a]

2021-07-08 Todd C. Miller

plugins/python/python_plugin_common.c:
Check that the python module we actually loaded is what we intended. This is intended to provide a more useful error message if the user defines a module which conflicts with a system python module. For example, a module called test.py would conflicts with the system python test module. [0676191e4741]

2021-07-02 Todd C. Miller

doc/CONTRIBUTORS:
Mention that xkcd inspired the sandwich logo. [c7839328e21f]

doc/HISTORY:
Mention log server and fuzzers under Quest contributions. [f4a081f75cd0]

2021-06-26 Todd C. Miller

src/sesh.c, src/sudo.c, src/sudo_edit.c:
Don’t assume that the number of groups returned by getgroups() is static. On systems where getgroups() returns results based on more than just the per-process group vector in the kernel it is possible for the number of groups to change in between invocations. Based on GitHub PR #106 from Pierre-Olivier Martel. [dbc7a173a7b8]

doc/Makefile.in:
Use “mandoc -Tlint -Wwarning” instead of -Wstyle. The style checks now include “referenced manual not found” warnings which is not helpful. [251757f22498]

2021-06-22 Todd C. Miller

logsrvd/Makefile.in, src/Makefile.in:
regen [c6a21b385d57]

2021-06-21 Todd C. Miller

lib/fuzzstub/fuzzstub.c:
Change ms from size_t to long. Avoids a spurious test failure on Solaris 9 [c26f8d233ea9]

plugins/sudoers/interfaces.c, src/net_ifs.c:
Move definition of INADDR_NONE from interfaces.c to net_ifs.c. Fixes compilation on Solaris 9. [9da2276cf944]

2021-06-19 Todd C. Miller

logsrvd/logsrvd.c:
Fix dead store found by clang analyzer. [5c85aeef651e]

logsrvd/logsrvd_conf.c:
Fix prefix skipping when the prefix is embedded and not separate. This doesn’t currently matter since the progname and the “: " are stored in separate messages. Found by clang analyzer. [321e90e1b347]

logsrvd/logsrvd_relay.c:
Remove dead store found by clang analyzer. [5fd56f26e1ba]

2021-06-16 Todd C. Miller

plugins/audit_json/audit_json.c:
Make sure we store an octal number (like umask) as a string. JSON doesn’t (portably) support octal numbers with a leading zero. [3ac37bb42f1e]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Replace logsrvd_is_early() with logsrvd_warn_stderr(). This is now defined in logsrvd_conf.c which removes a dependency on another compilation unit for the fuzzer. [3594cf3ec397]

2021-06-15 Todd C. Miller

logsrvd/logsrvd_local.c:
Silence a compiler warning on Solaris. [fd9ba461b601]

logsrvd/logsrvd.c:
Reduce scope of errstr variable so it is only declared for OpenSSL. [eebe09a17f4b]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen [05b8391c6d13]

logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_init.c:
Use sudo_warnx?() instead of sudo_debug_printf for errors. We now hook the warn functions so the messages are logged. The messages still show up in the debug log too. [9e25dc71b4cc]

2021-06-14 Todd C. Miller

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/vsyslog.c, scripts/mkdep.pl:
Remove vsyslog(3) emulation, it is no longer used. [7d1b78c2037a]

2021-06-13 Todd C. Miller

logsrvd/logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
If logsrvd_config not set fall back to using stderr for warnings. Also fix fuzz_logsrvd_conf link error. [eeaafe1b3e09]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Add support for logging server warning/error messages. We can use sudo_warn_set_conversation() to set a conversation function that either writes to a log file or calls syslog(). [5d8e13f053d0]

2021-06-11 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.7p1 [29f478993ef3]

2021-06-09 Todd C. Miller

plugins/audit_json/audit_json.c:
Check arrays that are passed in for NULL before using them. [925ba5b0f2cb]

configure, configure.ac:
Disable nss_search()-based group lookups on HP-UX for now. There is a crash when “group: compat” is used in /etc/nsswitch.conf that I haven’t been able to debug. Since HP-UX doesn’t ship the appropriate headers it is likely that there is a mismatch between include/compat/nss_dbdefs.h and what HP actually uses. [28b00005c785]

2021-06-08 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Remove logsrvd closure ERROR state and use a boolean flag instead. Fixes a bug where we would not insert a journal file that failed to relay into the queue because its state was changed from CONNECTING to ERROR after failing to connect. [638285a4bedb]

include/compat/nss_dbdefs.h, lib/util/getgrouplist.c:
Add NSS_TRYAGAIN and correct buflen in struct nss_XbyY_buf_t. Add some function argument names. Also use struct nss_db_state * instead of void * in nss_db_root_t. We don’t define struct nss_db_state but since it is a pointer all we need is a forward declaration. [bc848fb97671]

2021-06-07 Todd C. Miller

lib/fuzzstub/fuzzstub.c, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in:
Make sure we link with libsudo_util after libfuzzstub. This only affects builds with a static libsudo_util. Also fix a warning on HP- UX about main not being public. [18ff1f108c4e]

MANIFEST, lib/util/Makefile.in, lib/util/regress/getgrouplist/getgids.c:
Add getgids utility to simular “id -G” using sudo_getgrouplist2() [aed11065818d]

lib/util/getgrouplist.c:
Make sure we don’t read or write past the end of the group buffer. We need to leave room for the terminating NULL in gr_mem. It is possible for gbm->numgids > gbm->maxgids if we ran out of room. [25a3ee849fd4]

2021-06-04 Todd C. Miller

lib/util/getgrouplist.c:
Add some debugging to sudo_getgrouplist2(). [4d79e92c8ee8]

2021-06-02 Todd C. Miller

src/load_plugins.c:
Fix some debug_decl typos and remove an unneeded cast. [fafa91ac3def]

plugins/sudoers/defaults.h:
T_TIMEOUT is not a bitwise flag so doesn’t need to be a power of 2. [66019af6d642]

2021-05-28 Todd C. Miller

src/load_plugins.c:
sudo_stat_plugin(): set errno but do not warn if plugin path too long. The caller will display the warning (using errno) so there is no need to do it twice. [c8614b374a35]

2021-05-26 Todd C. Miller

doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in:
sudoreplay does not parse sudoers to find the value of iolog_dir. The default value for the I/O log directory is set at build time. [3cf72612e992]

plugins/sudoers/policy.c:
Fix group list ref leak in sudoers_policy_store_result() on error path. [34785448a275]

2021-05-24 Todd C. Miller

plugins/sudoers/policy.c:
Update comment to match reality. [ec3e0a40d1ec]

2021-05-13 Todd C. Miller

configure, configure.ac, scripts/ltmain.sh, src/Makefile.in:
Build sudo_noexec.so as a module on systems other then Darwin. On Darwin, shared modules and shared libraries are not interchangable and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it must be a library, not a module. We must relax the requirement that libraries begin with a “lib” prefix to work around this difference. This does mean you must use sudo’s libtool on Darwin (macOS) but that is already a requirement on other systems (notably HP-UX and SCO) due to a number of libtool patches we require that haven’t be accepted upstream. This is a different fix for PR #102. [2e5454c56d3c]

configure, configure.ac:
Use -Wno-deprecated-declarations on macOS This quiets warnings about LDAP and audit libraries being deprecated. We will use them until they are removed in a future version of macOS. [6fbdf644865c]

2021-05-12 Todd C. Miller

scripts/mkpkg:
Use /usr/bin/cc on FreeBSD and macOS. [7d6bcea0e544]

plugins/sudoers/log_client.c:
Don’t include errno in “unable to connect to log server” message. There should be a more specific message, usually with an error string, displayed earlier. [e599f9b0fd1c]

src/ttyname.c:
Fix compiler warning on FreeBSD. [2c6fc866fb5b]

lib/iolog/hostcheck.c:
Explicitly include netinet/in.h for struct sockaddr_in and sockaddr+_in6. Fixes a compilation problem on FreeBSD. [2277c8f37c34]

2021-05-10 Todd C. Miller

plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po:
Updated translations from translationproject.org [3d6d49097b98]

plugins/sudoers/log_client.c:
Better warning when close function is passed a non-terminal signal. [8b8628249e4d]

logsrvd/logsrvd_local.c:
Remove line causing store_suspend_local() to return false on success. This is something that should have been removed as part of the local I/O logging refactor. [e8ae1e61b8b2]

src/exec_pty.c:
Don’t set the command status in the closure when the command is suspended. This should only be set for signals that terminate the process. Fixes a bug where the sudo front-end could call the plugin close function with a non-terminal signal argument. [a95024bfb6e8]

2021-05-07 Todd C. Miller

plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c:
Quiet -Wshadow warnings from gcc. [7ff2985ba650]

NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in:
The -g option may also be used with any group the target user belongs to. The description in the Runas_Spec section incorrectly stated that the -g option could not be used if no runas group was set. Bug #975. [67d1948d1aa8]

configure, configure.ac:
Remove redundant “configuring Sudo version X.YY” line. We now display this along with the summary info at the end. [0d7c908f8d4c]

configure, configure.ac:
Don’t check for -Wl,-z,relro twice. [a30dce71fb26]

2021-05-06 Todd C. Miller

plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po:
Updated translations from translationproject.org [9303a20fe480]

scripts/mkpkg:
Build python plugin for RHEL 6 as well. [edaa6ec0e255]

configure, configure.ac:
Remove shell-style quotes in configure warning/error/notice messages. Square bracket quotes are used, no need for shell-style double quotes. [e6de284df511]

NEWS, configure, configure.ac:
Summarize configure settings after all tests have run. This makes it a lot easier to see what features have been enabled. [12ea96affed5]

2021-05-04 Todd C. Miller

INSTALL, configure, configure.ac:
Remove –with-efence option, there are better options available. [78fd5ceb2c52]

NEWS:
Move misplaced changes into the 1.9.7 section where they belong. [1519f7a4669b]

lib/util/regress/sudo_conf/conf_test.c:
Awful hack to pass on macOS where group_source=dynamic by default. [b038bfab8c34]

plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/ca.mo, po/ca.po, po/it.mo, po/it.po, po/sr.mo, po/sr.po:
Updated translations from translationproject.org [7b156da85d13]

NEWS:
Document late stage 1.9.7 changes. [28756df7dcb4]

doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h:
sudo_sendlog: rename -m (max-time) to -s (stop-after). [4f016111b242]

logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c:
Update closure->elapsed_time in journal_seek(). Otherwise the commit point messages won’t be accurate when restarting. [6cd4db44b8ee]

doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h:
Add “-m elapsed” option to specify the max elapsed time of records to send. Useful for testing the ability of the server to handle restarted log transfers. [cd9c9235e320]

2021-05-03 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
Disable reading from client or relay when sending error to client. We treat an error from the relay as fatal and must stop processing data from both client and relay to make sure we don’t get out of sync. [258f9691b3d9]

logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_local.c:
Fix I/O log restart of locally-store logs. This got broken a while ago when evlog in struct connection_closure was changed to a pointer. [8b59122891f9]

scripts/pp:
Fix detection of the volatile flag when other flags are present. Otherwise flags fields like “volatile,ignore-other” will be ignored by the Debian and BSD back ends. [0d120b9eab71]

src/limits.c:
Fix debug message when prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) fails. GitHub issue #101 [7d266c174457]

logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_client.c, logsrvd/tls_common.h, plugins/sudoers/log_client.c:
Don’t hard-code the TLS connect timeout, use normal connect timeout. For sudo_logsrvd, this is the relay connect_timeout setting. For sudoers, this is the log_server_timeout setting. [49e29f187f5a]

2021-05-02 Todd C. Miller

logsrvd/logsrvd_queue.c:
Add missing closedir(3) in logsrvd_queue_scan(). Coverity CID 221591 [e9745c64a721]

NEWS:
Mention “log_server_verify” bug fix. [a70060c34e7a]

configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, m4/sudo.m4, pathnames.h.in:
Rename logsrvd log dir to /var/log/sudo_logsrvd. [fb979be9927e]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_queue.c:
Make the failed relay retry interval configurable. This is the amount of time to wait before trying to resend a journal to the relay server after a connection error. [cbc04201a63e]

2021-05-01 Todd C. Miller

MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_queue.c, logsrvd/logsrvd_relay.c:
Send outgoing messages to the relay server on startup. Also attempt to retry messages that could not be relayed periodically. [7ed12983af85]

lib/util/fatal.c:
Avoid clobbering errno in warning(). [3282a7db7f51]

logsrvd/logsrvd_relay.c:
Set relay name string to NULL after dropping the reference. Otherwise it is possible to decrement the reference more than once. [245d4e60ea21]

2021-04-30 Todd C. Miller

plugins/sudoers/iolog.c:
Fix cut & pasto that prevented the verify_server option from being set. The “log_server_verify” setting passed from the policy plugin was applied to the “keepalive” option instead of “verify_server”. From Krisztian Kovacs. [06f716981ad0]

2021-04-29 Todd C. Miller

doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.c:
Write client and server information to debug file on SIGUSR1 This can be used to debug client problems such as a connection not being closed as expected. [e6e3a4ba02f4]

doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in:
Document journal file directories in store_first mode. [a08de0c20127]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c:
Create journal files in an incoming directory, move to outgoing when complete. This will make it possible to process completed journal files periodically if the relay server is down. [5ced00c6eb7e]

logsrvd/logsrvd_relay.c:
Add missing connection_close() call for relay-only connections. For an immediate relay we will close the connection when the client disconnects (or there is a timeout). However, for store-and-forward mode the client has already disconnected at the time we are relaying. [e51e98489c6d]

2021-04-27 Todd C. Miller

plugins/sudoers/po/sudoers.pot:
regen [4aa3f848b223]

logsrvd/logsrvd_conf.c:
Replace non-ascii characters in warning string. [5e99ac170a15]

lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/tailq/hltq_test.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/editor/check_editor.c, plugins/sudoers/regress/exptilde/check_exptilde.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/regress/unescape/check_unesc.c:
Quiet clang analyzer false positive in regress tests. [190ad1f287d8]

MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_local.c:
Move local iolog log functions to logsrvd_local.c [e16e2a1d8209]

logsrvd/logsrvd_relay.c:
Better client error reporting on relay server connection error. More detailed error messages may be found in the debug log. [d0807790327d]

logsrvd/logsrvd.c:
Update debug pid string when sudo_logsrvd becomes a daemon. [33069e2da7d5]

2021-04-26 Todd C. Miller

logsrvd/logsrvd.c:
Must call SSL_shutdown() before closing the underlying socket. This got broken by some code rearrangement when relay mode was added. [a3a8c4d10565]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
Recover if the client or relay server closes the TLS connection uncleanly. The other end of the connection should perform a proper TLS shutdown but as long as we are in the correct state there is no need to treat this as a user-visible error. [90887bc2235f]

NEWS, aclocal.m4, configure, configure.ac:
Sudo 1.9.7 [c1ea457eca11]

MANIFEST, plugins/python/Makefile.in, plugins/python/lsan_suppr.txt:
Add a suppression file for the libpython leaks. This is a big hammer but it seems like the best we can do for now. Allows “make check” to succeed when address sanitizer is used. [4500cd1e835e]

2021-04-25 Todd C. Miller

plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
When spliting EDITOR check for escaped quote characters. Also add check_editor to sudoers “make check”. [0d8001299358]

2021-04-24 Todd C. Miller

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c, plugins/sudoers/regress/editor/check_editor.c:
Treat a lone backslash at the end of a string as a literal backslash. GitHub issue #99 [40a53e523003]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in:
Fix typo. [614379733a17]

2021-04-23 Todd C. Miller

plugins/python/pyhelpers.c:
Avoid a potential NULL dereference when mutating args_str. Coverit CID 221401 [69f3c7f8e524]

logsrvd/logsrvd_journal.c:
Avoid calling fread() with a NUL buffer if msg_len is 0. Coverity CID 221399 [ed605b7a3186]

logsrvd/logsrvd.c:
Set a restrictive umask so new files are only read/write by owner. Coverity CID 221402 [595465e4baa2]

logsrvd/logsrvd.c:
In connection_closure_free() only close sock if it is not -1. When relaying from a journal there will be no socket. Coverity CID 221403 [fd4f27067c3f]

logsrvd/logsrvd.c:
Avoid potential NULL dereference in get_free_buf(). Coverity CID 221400 [6cb5491bf812]

logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c:
Remove some now-dead code in the error path. Coverity CID 221397 and 221398 [edc860f72f98]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
Use function pointers for each client message type instead of conditionals. This separats out the message handler from the functions that store or relay the message contents. [f596480880fa]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
Add enqueue_error_message() helper function. Formats and enqueues an error message and enables the write event. [122bd89fe5e3]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
Forward the journaled entry after it has been stored locally. [a187d5a7ea28]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_journal.c:
Stash the value of the store_first config setting in connection_closure. If the configuration changes it should not affect a connection that is already in progress. [6617c2b7ece5]

MANIFEST, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_journal.c, logsrvd/logsrvd_relay.c:
Journal messages to disk when store_first is set in the relay section. Instead of forwarding messages immediately, they are journaled locally in wire format. This will be used to implement relay store-and-forward mode. [aa0c537258e7]

INSTALL, configure, configure.ac, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.mdoc.in, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, m4/sudo.m4, pathnames.h.in:
Add configuration for sudo_logsrvd store-and-forward mode. Adds “relay_dir” and “store_first” settings to sudo_logsrvd.conf in the [relay] section. Also adds a –with-relaydir configure argument to change the default value (usually /var/log/logsrvd-relay. [6f064ed6d20e]

src/signal.c:
Make sure SIGCHLD is not ignored when sudo is executed. If SIGCHLD is ignored there is a race condition between when the process is executed and when the SIGCHLD handler is installed. This fixes the bug described by GitHub PR #98 [b4c91a0f72e7]

2021-04-20 Todd C. Miller

config.h.in, configure, configure.ac:
Remove the HP-UX 11.0 pread64() hack, it causes problems on modern HP-UX. [fea8ebd0b88d]

src/limits.c:
Add minimum value to consider when overriding resource limits. Currently only used for RLIMIT_DATA and RLIMIT_AS.

This works around a problem on HP-UX where setting RLIMIT_DATA changes the resource limits for both 32-bit and 64-bit processes. HP-UX processes start out with RLIMIT_DATA set based on the values of the maxdsiz and maxdsiz_64bit kernel tunables, depending on whether they are 32-bit or 64-bit. By default this limit is 1GB for 32-bit processes and 4GB for 64-bit. However, once RLIMIT_DATA is changed, it does not appear to be possible to restore the old values. This can result in a 64-bit process that is executed by a 32-bit shell getting the 32-bit RLIMIT_DATA instead of the 64-bit one. Bug #973 [8778a27abfaf]

2021-04-19 Todd C. Miller

logsrvd/logsrvd_relay.c:
Don’t use msg_len as a length after converting it to network byte order. [3f2496be1130]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
Use the packed message buffer when relaying if possible. There’s no need to rebuild the message buffer for anything but RestartMessage and ClientHello. [903fa50f48c9]

2021-04-18 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
Allocate the data buffer in get_free_buf() too. We always know the size of the data buffer we need at allocation time. [c02dc245aa40]

2021-04-17 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c:
Relay ChangeWindowSize and CommandSuspend events too. [cb20a1de47e3]

2021-04-16 Todd C. Miller

plugins/python/pyhelpers.c, plugins/python/regress/testdata/check_ex ample_debugging_c_calls@diag.log, plugins/python/regress/testdata/ch eck_example_debugging_c_calls@info.log, plugins/python/regress/testd ata/check_example_group_plugin_is_able_to_debug.log:
Regenerate test output with python 3.10a7 Also adjust debug tests so they pass on older python versions [03aeda971872]

configure, m4/python.m4:
determine Python (3.10) version number correctly. from upstream automake [1f4136509aca]

MANIFEST, aclocal.m4, m4/python.m4, m4/runlog.m4:
Move python.m4 and runlog.m4 to the m4 directory. Previously they were inline in aclocal.m4. [6ec4c92539a7]

2021-04-15 Todd C. Miller

configure, configure.ac:
Add hiuxmpp where we have hpux for special cases. Also move the HP- UX 11.00 pread(2) workaround into the section where pread(2) is tested for, not before it. [f6cc1820e0fb]

etc/sudo-logsrvd.pp, etc/sudo-python.pp:
Only replace the last instance of “sudo” in example and doc dir. Otherwise we end up with weird paths for a prefix like /opt/sudo. [113bdf79f00f]

2021-04-13 Todd C. Miller

doc/sudoers.ldap.mdoc.in:
Fix lint warning. [aa4a4f0b0da1]

doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in:
Mention relay mode and update TLS example. [a50a23542c05]

etc/sudo-logsrvd.pp, etc/sudo.pp:
If libssl_dep was not passed in, use ldd to determine its value. Normally, mkpkg will figure this out, but if the user does “make package” outside of the mkpkg script, libssl_dep will not be set. [87329797daca]

2021-04-12 Todd C. Miller

INSTALL, configure, configure.ac, doc/UPGRADE:
Enable the use of OpenSSL if log client/server not disabled. This adds a dependency on OpenSSL unless it is explicitly disabled (–disable-openssl) or the sudo log client and server are disabled (–disable-log-client and –disable-log-server). [618f504240d2]

2021-04-09 Todd C. Miller

etc/codespell.skip:
configure aux scripts moved to the scripts directory [1cfcbfd128ed]

logsrvd/Makefile.in, logsrvd/logsrvd_conf.c:
Set logsrvd_config to NULL in logsrvd_conf_cleanup() after freeing it. Fixes a double free in fuzz_logsrvd_conf (but not sudo_logsrvd itself). Also fix linking fuzz_logsrvd_conf with OpenSSL. [ad78729467d4]

logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict:
Update sudo_logsrvd.conf fuzzer to match configuration changes. [85ae32ce6f44]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
Document relay configuration changes. [d66eb842a6ef]

2021-04-08 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
Move relay configuration into its own section and add TLS options. TLS options in the relay section will be used if specified, otherwise the TLS options from the server section are used. [0695e9b9b067]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
Add “server” and “relay” to getters/callbacks specific to server and relay. [618b4fa5325c]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
Remove struct logsrvd_tls_config. Now that the SSL context is initialized in logsrvd_conf.c there’s no need to export TLS configuration other than tls_check_peer. [4fb0fdc417e1]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
No longer need struct logsrvd_tls_runtime, use SSL_CTX instead. [61e0bdf1499d]

logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
Move allocation of the TLS context to logsrvd_conf_apply(). This way we get certificate errors at configuration time, not after. It also means that a change to the config file that renders the TLS settings invalid will no longer cause the server to exit. The new config will just be ignored as if there was a syntax error. [352ecb58618f]

logsrvd/tls_init.c:
Only initialize the SSL library once. [e17215eec1d6]

2021-04-07 Todd C. Miller

plugins/sudoers/timestamp.c:
Sanity check struct timespec in timestamp file. Coverity CID 220564 [68dfceeb105e]

plugins/sudoers/timestamp.c:
Check lseek(fd, 0, SEEK_CUR) for -1 return value. Not actually possible in practice. Coverity CID 220568. [27105922d3be]

src/net_ifs.c:
Check for NULL ifa->ifa_addr and ifa->ifa_netmask in both loops. [373961966099]

2021-04-07 Radovan Sroka

src/sudo_edit.c:
Fixed bad condition for sesh args

In selinux_edit_copy_tfiles() when there is only one file and the open() fails then number of arguments is lower than expected. Sudo should return error with or without “Defaults !sudoedit_checkdir” set.

This was found with regression testing of CVE-2021-23240.

Signed-off-by: Radovan Sroka <rsroka@…> [947ce862c0bf]

2021-04-06 Todd C. Miller

src/net_ifs.c:
Plug memory leak on overflow; Coverity CID 220556 [86b71e5dec5c]

logsrvd/logsrvd.c:
In schedule_commit_point() do not free the closure on error. It is the caller’s responsibility to free resources on error. Coverity CID 220557 [e6629496ab03]

plugins/sudoers/pwutil.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Cast NULL terminator argument to char * when calling sudo_mkgrent(). Avoids a portability issue on systems where NULL is not a pointer. [cdb9cf0ad2ea]

logsrvd/tls_init.c:
Rename LOGSRVD_DEFAULT_CIPHER_LST13 to DEFAULT_CIPHER_LST13 [a5d7da05cf09]

logsrvd/tls_client.c:
Include string.h for strerror(3) prototype. [57f5cfe43a89]

logsrvd/logsrvd_relay.c:
Move connect_relay_tls() so we don’t need a prototype for it. Fixes a warning when sudo is not configured to use OpenSSL. [0c73cfebf32b]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
Document relay and connect_timeout server settings. [a101d54b451e]

MANIFEST, logsrvd/Makefile.in, logsrvd/logsrv_util.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_client.c, logsrvd/tls_common.h:
Move common TLS client code to tls_client.c and use it in sendlog.c. [5334b6c4bef8]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Rename listen_address -> server_address and add reference counting. This will be used by the upcoming relay mode. [f8ef9c83c3c8]

logsrvd/logsrvd.c:
Try to send an error message to client for some client_msg_cb() failures. [0805636e8114]

logsrvd/logsrvd.c:
Split most of server_commit_cb() out into schedule_commit_point(). This allows it to be used by the relay code too. [c985c2f9e5d5]

MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
Add a relay mode to sudo_logsrvd where it forwards instead of stores. Relay hosts are be specified in the server section of sudo_logsrvd.conf. [071c231e76a9]

logsrvd/Makefile.in, logsrvd/logsrvd.h, logsrvd/logsrvd_relay.c, logsrvd/sendlog.c, logsrvd/tls_common.h:
Add support for relaying to another sudo_logsrvd via TLS. [c47397ce4098]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/rcstr.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/alias.c, plugins/sudoers/check_aliases.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/rcstr.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
Move reference-counted string code from sudoers to libsudo_util. It will be used by sudo_logsrvd too. [d228aaf9b6fa]

logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/logsrvd_relay.c:
Add sa_host to struct server_address as a ref counted string. Also convert sa_str to ref counted string. [4e8abb84c11d]

logsrvd/logsrvd_conf.c:
Don’t allow a wildcard address for the relay parameter. [4a80d18d025b]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Add logsrvd_conf_cleanup() to free the conf data structures on exit. There is no longer a need to do anything in shutdown_cb() other than break out of the event loop. [9e4d7456fb7a]

src/tgetpass.c:
Set user group list when executing the askpass helper. Under normal circumstances the existing group list will match the list fetched by sudo. However, if sudo is executed by a process that has changed the group list via setgroups(2) and “group_source” in sudo.conf is set to “dynamic” it is possible for them to be different.

If group_source in sudo.conf is set to “dynamic” it is possible for the group list [2b1d4ffb9cf6]

logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Use a tailq of write buffers instead of a single one per connection. This allows us to queue up multiple messages for writing like the sudoers client supports. Currently, each connection has its own free list. In the future we may want a single free list with low and high water marks. [b5df1b4d79c7]

configure.ac:
Increase autoconf minimum version to 2.70. Some of the macros deprecated in 2.70 are required by older versions. For example, AC_PROG_CC now does the work of AC_PROG_CC_STDC. Bug #972 [223a584b6241]

MANIFEST, Makefile.in, config.guess, config.sub, configure, configure.ac, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, install-sh, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, ltmain.sh, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, scripts/config.guess, scripts/config.sub, scripts/install-sh, scripts/ltmain.sh, src/Makefile.in:
Move autoconf auxiliary files to the scripts directory. [5ea8182c11d9]

2021-04-05 Todd C. Miller

doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
Document SUCCESS=return support in sudoers nsswitch.conf entries. Based on a patch from Dennis Filder. Bug #971. [1d631d1b6244]

2021-04-01 Todd C. Miller

plugins/sudoers/audit.c:
Move log_server_accept() out from under the #ifdef SUDOERS_LOG_CLIENT Fixes a link error when sudo is configured with –disable-log-client. [1bb7efdbddd5]

2021-04-01 Radovan Sroka

src/selinux.c:
Removed depricated security_context_t

Signed-off-by: Radovan Sroka <rsroka@…> [14aba55909fc]

2021-03-31 Todd C. Miller

logsrvd/sendlog.c:
Return NULL if init_tls_client_context() fails. Otherwise, we will call SSL_new with a freed SSL context. Bug #970 [5fbadce88524]

2021-03-30 Todd C. Miller

src/parse_args.c:
Use separate getopt config for sudoedit. Avoids a problem where the user gets an exclusive usage error message when using a sudo- specific option. GitHub issue #95 [b6207568e50a]

src/parse_args.c, src/sudo_usage.h.in:
Add -h and -V to sudoedit usage and customize help output for sudoedit. Also add missing -B option to usage strings. [0d8fa214f8c3]

src/parse_args.c:
Don’t report a usage error for “sudo -V”. GitHub issue #95 [a18573251751]

etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Do not include parent directories in rpm and deb files. Fixes a directory conflict with the AIX sudo rpm package. Other deb/rpm packages were not affected because parent dirs are omitted for a prefix of /usr. [f7d8db9670bb]

2021-03-29 Todd C. Miller

src/net_ifs.c:
SCO OpenServer uses SIOCGIFANUM, not SIOCGIFNUM. On OpenServer, SIOCGIFNUM is the number of network interfaces, not the number of ifreq structs. [a992ea37b071]

2021-03-27 Todd C. Miller

src/net_ifs.c:
Add support for HP-UX SIOCGLIFNUM and SIOCGLIFCONF ioctls. We need to use both SIOCGIFCONF and SIOCGLIFCONF since SIOCGLIFCONF only returns IPv6 addresses. [7a53304872b9]

2021-03-24 Todd C. Miller

src/net_ifs.c:
Move get_net_ifs stub to the top and remove unused INET_ADDRSTRLEN def. [15bb7bc0ecb8]

src/net_ifs.c:
No longer need ifr_tmp variable, just reuse ifr. Now that we store the string version of the address before fetching the netmask we can just re-use ifr. This simplifies things and is safer since if there is space for the address there must also be space for the mask. [89ade84d0a6d]

src/net_ifs.c:
SCO OpenServer 5 returns a bogus value for SIOCGIFNUM. Gleaned from sendmail. [0616f2103f0b]

src/net_ifs.c:
Use SIOCGSIZIFCONF or SIOCGIFNUM where available. Still falls back to a loop if not but now maxes out at 2048 interfaces instead of potentially looping forever. [f19cd2f827d5]

configure, configure.ac, src/net_ifs.c:
Remove support for obsolete ISC UNIX and MIPS RISC/OS systems. They were getting in the way of net_its.c simplification. [4e2b7ce2fb7b]

2021-03-22 Todd C. Miller

src/net_ifs.c:
Use SIOCGLIFCONF to get interface list where supported (Solaris). HP-UX has a SIOCGLIFCONF but it is incompatible (and appears to only return IPv6 addresses). Also add IPv6 support using SIOCGIFCONF (probably AIX only) and make sure ifr_tmpbuf[] is properly aligned. [d2eebba41618]

MANIFEST, src/Makefile.in, src/regress/net_ifs/check_net_ifs.c:
Add simple regress check to display the network interfaces found. [6c1a5a50056e]

2021-03-19 Todd C. Miller

INSTALL:
Suggest clang 11 or higher, some fuzzers may hang when used with clang 10. [abcf94949ca2]

2021-03-18 Todd C. Miller

MANIFEST, logsrvd/Makefile.in, logsrvd/regress/fuzz/fuzz_logsrvd_conf.dict:
Add dictionary file for fuzz_logsrvd_conf. [f9e154751a5f]

Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add a new “fuzz” target that executes the fuzzers for 8192 runs each. To run indefinately, set FUZZ_RUNS=-1, e.g. “make FUZZ_RUNS=-1 fuzz” [5fd3d7e9430f]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/log_json/id.json, lib/iolog/regress/corpus/seed/log_json/ls.json, lib/iolog/regress/corpus/seed/log_json/mailq.json, lib/iolog/regress/corpus/seed/log_json/make.json, lib/iolog/regress/corpus/seed/log_json/pkg_add.json, lib/iolog/regress/corpus/seed/log_json/pkg_delete.json, lib/iolog/regress/corpus/seed/log_json/printenv.json, lib/iolog/regress/corpus/seed/log_legacy/id.log, lib/iolog/regress/corpus/seed/log_legacy/ls.log, lib/iolog/regress/corpus/seed/log_legacy/mailq.log, lib/iolog/regress/corpus/seed/log_legacy/make.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_add.log, lib/iolog/regress/corpus/seed/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/seed/log_legacy/printenv.log, lib/iolog/regress/corpus/seed/timing/timing.1, lib/iolog/regress/corpus/seed/timing/timing.2, lib/iolog/regress/corpus/seed/timing/timing.3, lib/iolog/regress/corpus/seed/timing/timing.4, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4, lib/util/Makefile.in, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2, lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/seed/logsrvd_conf/logsrvd.conf.6, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/corpus/seed/policy/policy.1, plugins/sudoers/regress/corpus/seed/policy/policy.2, plugins/sudoers/regress/corpus/seed/policy/policy.3, plugins/sudoers/regress/corpus/seed/policy/policy.4, plugins/sudoers/regress/corpus/seed/policy/policy.5:
Move corpus files to a seed subdirectory. [ba6dd7f30d22]

lib/fuzzstub/fuzzstub.c:
We can now rely on LLVMFuzzerTestOneInput to flush stdout. [f20f353eeb87]

plugins/sudoers/Makefile.in:
Fix fuzz_sudoers output comparison when fuzzing is enabled. libFuzzer outputs additional info to stderr that our stub doesn’t. [49434e4eceaa]

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Flush stdout before successful return from LLVMFuzzerTestOneInput(). Fixes a problem with diag lines from libFuzzer being interspersed with test output. [f0b701120128]

configure, configure.ac:
Use –allow-multiple-definition to work around an issue with ld.lld. For fuzz_policy we redefine getaddrinfo/freeaddrinfo to work around a DNS timeout problem with name resolution and CIfuzz. However, this causes a link failure when sanitizers are enabled on systems that use ld.lld as their linker. Use a big hammer to avoid the link error. [2b9df5329c0e]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/testsudoers.c, plugins/sudoers/testsudoers_pwutil.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/tsgetgrpw.h:
Do not redefine system group and passwd functions for testsudoers. Instead, prefix the replacements with “testsudoers_” and use a custom pwutil backend so they get used. [6bfd2f8d01c0]

Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Rename “fuzz” makefile target to “check-fuzzer”. It’s purpose is to run the fuzzers are part of a normal “make check” to avoid bit rot, not to perform a fuzzer run. The fuzz_logsrvd_conf fuzzer was not wired up to “make check” previously. [01c03ccfd3f0]

2021-03-15 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.6p1 [93d95d3f23b1]

2021-03-15 Alexandru Ardelean

plugins/sudoers/policy.c:
plugins: sudoers: policy: add MODE_IMPLIED_SHELL to RUN_VALID_FLAGS

Since this flag isn’t set, the sudo_mode variable gets invalidated and running the ‘sudo’ command seems to error out with message ‘sudoers_policy_check: invalid mode flags from sudo front end:
0x80001”’ [b98b418f1997]

2021-03-13 Todd C. Miller

NEWS:
fix typo [c7367647bd7c]

2021-03-10 Todd C. Miller

NEWS:
Bug #968 [e08853fca88e]

MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, logsrvd/tls_common.h, logsrvd/tls_init.c:
Move common TLS initialization code to tls_init.c. [118c7d41ad48]

plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, po/tr.mo, po/tr.po:
Updated translations from translationproject.org [cbc05710d6ba]

plugins/sudoers/Makefile.in, plugins/sudoers/gram.c:
Use HAVE_STDINT_H instead of trying to guess based on STDC_VERSION. Fixes compilation with pre-C99 headers when the compiler supports C99. [05ebf79d02c7]

include/sudo_compat.h, lib/util/secure_path.c:
Remove compatibility defines for POSIX sys/stat.h macros. Modern systems have them and we no longer support pre-POSIX systems. This fixes potential redefinition of the macros if sys/stat.h is included after sudo_compat.h. Bug #968. [d10d0b9b60e1]

lib/eventlog/logwrap.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit_multi.inc, plugins/python/python_plugin_io_multi.inc, src/get_pty.c:
Quiet a few Solaris Studio compiler warnings. [1d82509f2e44]

configure, configure.ac:
Add -Wno-unknown-pragmas along with -Wall. We don’t want warnings about unknown pragmas in system headers. [ac15fa0e3d95]

scripts/pp:
Solaris 11.4 removed /usr/bin/optisa, use /usr/bin/isainfo instead. [97d8bb91cf02]

2021-03-08 Todd C. Miller

configure, configure.ac:
Compare OS name against freebsd* and netbsd* not freebsd and netbsd. Fixes an issue on NetBSD where host_os starts with netbsdelf. [2e813d52a7d6]

plugins/sudoers/Makefile.in:
Add @SUDOERS_LIBS@ to FUZZ_LIBS for -lutil on FreeBSD and NetBSD [38a7b3a9eb90]

lib/util/Makefile.in, plugins/python/Makefile.in, src/Makefile.in:
Set locale for all “make check” targets. [1a80048486d4]

2021-03-07 Todd C. Miller

configure, configure.ac:
AIX 6.1 may have a broken fmemopen(). We only use it for the fuzzers so ignore it for AIX < 7.1. [ad909c1479ff]

2021-03-06 Todd C. Miller

scripts/pp:
Only put specific directories in the ROOT section of the AIX package. Previously, /usr and /opt were placed in USR and everything else went in ROOT. Now, only /dev, /etc, /sbin and /var go in ROOT. [6f1fbe8fea31]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [53c17c8d56e9]

2021-03-05 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
Remove unused tls parameter, we now use a per-address tls flag. [2be727a37b9c]

2021-03-03 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document double escaping of backslashes. Bug #961. [ae51e4899555]

NEWS, configure, configure.ac:
No longer need to define _DARWIN_UNLIMITED_GETGROUPS on macOS. We now define _DARWIN_C_SOURCE which accomplishes the same thing. [c233df4c1ae4]

plugins/sudoers/auth/pam.c:
Fix a potential use-after-free in conversation function. The prompt passed in to sudo_pam_verify() will be freed later by check_user_interactive() so we need to reset the stashed value. From Pavel Heimlich. Bug #967. [86bc6ee3c493]

plugins/sudoers/pwutil.c:
No need to update cp after storing gr->gr_name, it is not used, Coverity CID 219314 [27bace364dc9]

2021-03-02 Todd C. Miller

NEWS:
Mention GitHub issue #56. [47b8b9fac52b]

plugins/sudoers/po/sudoers.pot:
regen [923899bcc63d]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Log peer address in sudo_logsrvd JSON-format logs. The peer that connected to us might not be the same host where the log entry originated. [4e2488efaf97]

NEWS, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c:
Make “group_source=dynamic” the default on macOS. Recent versions of macOS do not reliably return all of a user’s non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946. [491720b06a68]

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
For regess/fuzz set LC_ALL to C.UTF-8 if possible, falling back on C. Works around a crash in leak sanitizer when the locale is set to C and TLS support is enabled. [4345912b9bd8]

2021-03-01 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Initialize the lbuf used by sudoers_trace_print() in init_lexer(). Free the old buffer if there is one, otherwise it would never be freed. [1893ecc06718]

lib/util/lbuf.c:
In sudo_lbuf_destroy(), reset error, len and size. [7a6f980c2215]

NEWS:
Mention the integer overflow check in store_timespec(). [f41519e1dae9]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
In find_path() stub only make a copy in outfile if returning FOUND. Fixed a recently-introduced memory leak in the fuzzer. [2045b1afc0b5]

2021-02-28 Todd C. Miller

lib/util/sudo_debug.c:
Disable debug code for FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION It will not be used and just confuses the coverage stats. [3307c855b77d]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Expand stub getaddrinfo() to resolve “localhost”. [e1035616ad99]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Improve fuzz_policy coverage and set defaults in setdefs not parse. Now exercises session open/close and set additional defaults to exercise more code paths. [2843a0b930fd]

plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c:
Improve SUDOERS_NAME_MATCH support. Now supports digests and performs better directory matching. [2f2d63596256]

plugins/sudoers/policy.c:
Add MODE_CHECK to LIST_VALID_FLAGS, fixes “sudo -l command”. [eff4cbe95d75]

2021-02-26 Todd C. Miller

MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_clearerr.c, lib/iolog/iolog_close.c, lib/iolog/iolog_eof.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_gets.c, lib/iolog/iolog_mkdirs.c, lib/iolog/iolog_mkdtemp.c, lib/iolog/iolog_mkpath.c, lib/iolog/iolog_nextid.c, lib/iolog/iolog_open.c, lib/iolog/iolog_openat.c, lib/iolog/iolog_read.c, lib/iolog/iolog_seek.c, lib/iolog/iolog_swapids.c, lib/iolog/iolog_util.c, lib/iolog/iolog_write.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, logsrvd/iolog_writer.c, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Split iolog_fileio.c into multiple files. [9b7c4f1b781f]

plugins/sudoers/defaults.c:
Correct the integer overflow check in store_timespec(). Fixes oss- fuzz issue #31463 [3765d5c4ecd3]

plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok:
Update file that was missed in test27 changes. [5824f54afa88]

MANIFEST, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_conf.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c:
Break out I/O log config handling into iolog_conf.c. [546f503f9bb4]

lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
regen Makefile.in [43c54f94e9c8]

examples/Makefile.in, lib/eventlog/Makefile.in, plugins/sudoers/Makefile.in:
Add some missing files to the clean target [20754fec5ff1]

plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok:
Add netgroup check to sudoers test27 [1b45a6794b2d]

plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
Sync with fuzz_sudoers changes. [1481cef048ad]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Fuzz with runuser and rungroup specified too. [2d8ceb465cea]

MANIFEST, plugins/sudoers/regress/sudoers/test27.in, plugins/sudoers/regress/sudoers/test27.json.ok, plugins/sudoers/regress/sudoers/test27.ldif.ok, plugins/sudoers/regress/sudoers/test27.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test27.out.ok, plugins/sudoers/regress/sudoers/test27.toke.ok:
Add test to exercise RunasSpec without a RunasUser. [ee22ac488aca]

MANIFEST, plugins/sudoers/regress/sudoers/test22.sudo.ok, plugins/sudoers/regress/sudoers/test23.sudo.ok, plugins/sudoers/regress/sudoers/test24.sudo.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok:
Remove unused regress files. [71d943734bb8]

logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Don’t try to run getters if we failed to parse the config file. [734bb56c24ed]

2021-02-25 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Add a stub getaddrinfo(3) to avoid a DNS timeout in CIfuzz. [5f725de1e3ad]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Fix runchroot, runcwd, tty_tickets. Add timestampowner. [d8a945bea98d]

plugins/sudoers/policy.c:
Only add command_info to garbage collector on successful return. Otherwise it will be freed on failure. [c3d0461efaa1]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Add user millert to group sudo, which is often the exempt group. [fac833a2cf3b]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Add some defaults settings in sudo_file_parse(). We don’t have a real policy file but we still want to exercise callbacks in sudoers.c. [9f3d3f668973]

plugins/sudoers/sudoers.c:
Do not free sudo_user.iolog_{file,path} in sudo_user_free(). They are not dynamically allocated. [59c102ba67cf]

lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
Remove unnecessary warnings, we want to fail silently. [4b1ee5dd2cb4]

logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
No longer need to stub out eventlog config functions. [08c40b6a63c9]

MANIFEST, logsrvd/Makefile.in, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.4, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.5, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.6, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Call public getters in logsrvd.conf fuzzer and add to corpus. Now exercises the syslog config erorr path. [0b314e4e0696]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Add more passes to policy fuzzer Now execises list, list other user and show_version. [21a1cc9665ec]

plugins/sudoers/defaults.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
Implement sudoers_policy_deregister_hooks() Register/deregister hooks in fuzz_policy and also call show_version(). [8849644a75de]

plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Add sudoers debug register/deregister. [5fba9b19c6fa]

plugins/sudoers/defaults.c:
Remove unnecessary break statement. [aa18c2957f82]

plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok:
Include a sha384 digest in the test corpus. [6c405febff10]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Parse sudoers file in the C locale. [82d6afbe499b]

MANIFEST, plugins/sudoers/regress/sudoers/test26.in, plugins/sudoers/regress/sudoers/test26.json.ok, plugins/sudoers/regress/sudoers/test26.ldif.ok, plugins/sudoers/regress/sudoers/test26.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test26.out.ok, plugins/sudoers/regress/sudoers/test26.sudo.ok, plugins/sudoers/regress/sudoers/test26.toke.ok:
Add regress test with all current Defaults settings. Currently skips SELinux and Solaris privilege settings. [79e82a58ccde]

2021-02-24 Todd C. Miller

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/env.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_hooks.c:
Move env hooks into sudoers_hooks.c. [7296d05b9206]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
No need to call check_defaults() and check_aliases() in quiet mode. [0d0f93849388]

plugins/sudoers/gc.c:
sudoers_gc_init() is not currently used [e74d2870ae25]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/fmtsudoers.c, plugins/sudoers/fmtsudoers_cvt.c:
Split fmtsudoers.c into the parts used by sudoers plugin and cvtsudoers. Only testsudoers and cvtsudoers use the full set of formatting functions. [8c57e80ae655]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Check defaults settings too. [7dc7d66f47e7]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Add fuzzer-specific stubs source file. [815c28958d42]

Makefile.in:
Do not overwrite existing ChangeLog file if there is no hg/git dir. We don’t want “make install” from a source tarball to nuke the ChangeLog. [f7aba6a01d85]

lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
Remove fuzzer targets in “make clean” [25b068bc254b]

.gitignore, .hgignore:
Ignore fuzzer targets [d920254ce731]

lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, lib/util/regress/fuzz/fuzz_sudo_conf.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Set program name in fuzzers so we get consisten warnings. [1ee4b5478d1c]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.c:
Use real eventlog config fuctions instead of stubs. [eed6fc4df1f6]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_loginfo.c:
Move iolog info log writing to iolog_loginfo.c [292915dae440]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_loginfo.c, lib/iolog/iolog_timing.c, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_timing/check_iolog_timing.c, lib/iolog/regress/iolog_util/check_iolog_util.c:
Split iolog_util.c into iolog_loginfo.c and iolog_timing.c. Also rename check_iolog_util -> check_iolog_timing. [5b5249e4aa96]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_legacy.c, lib/iolog/iolog_util.c:
Move legacy I/O log info file parsing to iolog_legacy.c [94b767bb56c7]

MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c:
Move eventlog config code into eventlog_conf.c [656d65215e50]

MANIFEST, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/eventlog_free.c:
Move eventlog_free() into its own file. [a5ff36ac0ebb]

logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Stub out eventlog and iolog configuration setters. [cc32ba7436cd]

MANIFEST, plugins/sudoers/defaults.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
Update Defaults settings after parsing sudoers. Also stub out dump_defaults when fuzzing as it is not used. [fa1e7c7b42c2]

plugins/sudoers/Makefile.in, plugins/sudoers/b64_decode.c, plugins/sudoers/b64_encode.c, plugins/sudoers/base64.c:
Split base64 encode/decode functions into separate source files. They are independent functions. [ab0904c5122c]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
fuzz_printf and fuzz_conversation can be stubs. [9b11c9a3f3c3]

2021-02-23 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Exercise tilde expansion if used in runcwd or runchroot. [a6f0995c6a55]

plugins/sudoers/check_aliases.c:
Move alias checking code out of visudo.c and into check_aliases.c. [5c0a91978441]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Check aliases in fuzz_sudoers if the policy parsed correctly. [b272e634f204]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/sudoers/visudo.c:
Move alias checking code out of visudo.c and into check_aliases.c. [b9c23c958935]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
We don’t need to link fuzz_sudoers with file.c. [4fcd15e8cdcf]

lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict:
Strings in dictionary files need to be quoted. [8a95ea335d2d]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.dict, lib/util/Makefile.in, lib/util/regress/fuzz/fuzz_sudo_conf.dict, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_policy.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers.dict, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict:
Add dictionary files for fuzzers where possible. [4d9147fd50fd]

2021-02-22 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Also free safe_cmnd so it doesn’t leak. [5071a1ffa5d0]

plugins/sudoers/stubs.c, plugins/sudoers/testsudoers.c:
Return NOT_FOUND from the set_cmnd_path() stub since we don’t set user_cmnd. The purpose of set_cmnd_path() is to reset user_cmnd based on a new runchroot. For the stub version we don’t modify user_cmnd and so must not return a status of FOUND. Fixes oss-fuzz issue #31250 which only affected the fuzzer and not sudo. [36fe416668df]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
Fix fuzz_sudoers output matching. [6cec1e5aa799]

lib/fuzzstub/fuzzstub.c:
Print “running” and “executed” lines to stderr like libfuzzer does. [b76b7a4a6ff3]

plugins/sudoers/pwutil_impl.c:
Support passing sudo_make_gidlist_item() an array of gids. The gids are formatted as strings, not gid_t. [d1608f63ae91]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok:
Prime user/group cached and set the interface list. Also match parsed policy against multiple users. [ec19b5658a2a]

plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.h:
Add sudo_mkgrent(), to be used to prime the group cache in tests/fuzzers. [333f0887abbc]

2021-02-21 Todd C. Miller

plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Perform matching in fuzz_sudoers for inputs that parse correctly. The fuzzer now exercised the normal match code as well as the pseudo-command (list, validate, etc) match code. Privileges are also listed for well-formed sudoers file. [8caf505d7341]

plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h:
Add back SUDOERS_NAME_MATCH and enable it when fuzzing. This avoids the test environment from influencing sudoers matching. [496b3a7184a8]

plugins/sudoers/match_command.c:
Add missing globfree(3) in command_matches_glob() when matching a directory. [1d6d28d6eb61]

2021-02-19 Todd C. Miller

lib/util/sudo_dso.c:
Add support on AIX for loading plugins that are .a (not .so) files. It is possible to specify the member name in parens after the path, e.g. sudoers.a(shr.o) for 32-bit or sudoers.a(shr_64.o) for 64-bit. If no member is specified in the path and dlopen() fails with ENOEXEC, try again with an explicit member, either shr.o or shr_64.o. [90d975989148]

Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add clean rules to .PHONY target. [dea3468f3f7b]

2021-02-18 Todd C. Miller

Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add install-fuzz Makefile target to install the fuzzers and seed corpus. The FUZZ_DESTDIR make variable needs to be set in the environment or on the command line. [89c4dc1e8cb0]

plugins/sudoers/Makefile.in:
Only display fuzz_policy output if the fuzzer exits with an error. [c6927227be4a]

plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/fuzz/fuzz_policy.c:
Call list, validate and invalidate entry points too. We need a separate open/close for each one. [fbbc5bdb4541]

INSTALL, configure, configure.ac:
Add –disable-ssp configure option. This allows for disabling -fstack-protector without turning off the other hardening options. [1d9ca18e4fa9]

lib/util/regress/getdelim/getdelim_test.c:
Test the error case by closing the underlying fd. Note that we don’t use ferror() here since our getdelim() has no way to set the error flag if there is a memory allocation error. [df0464968e2c]

lib/util/regress/getdelim/getdelim_test.c:
Test the case where getdelim() must reallocate the buffer. Reproduces Bug #960. [df4dbc0830be]

lib/eventlog/eventlog.c:
When logging JSON to syslog, wrap the contents in a “sudo” object. This makes it easier for log parsers to identify what is a sudo log entry. [2c96aeaabc8e]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
Restore the check for sudoers_policy.close == NULL. The fuzzers run as part of “make check” too in which case NO_LEAKS won’t be defined and the close function will be set to NULL. [8418ff5f6dfb]

lib/iolog/iolog_json.c:
Use %td when printing the difference of two pointers. [608de9ab3902]

plugins/sudoers/parse.c:
Don’t print a NULL as a string if role/type/privs/limitprivs is not set. We can’t rely on printf("%s”, NULL) not crashing. [4a04efbcbff9]

plugins/sudoers/sudoers.c:
Fix compilation error on Solaris introduced with sudo_user_free(). [0ce4e0ac807e]

2021-02-17 Todd C. Miller

NEWS:
Bug #960. [82303f217d8b]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Distinguish between EOF and error using feof(3), not ferror(3). Our getdelim(3) emulation won’t set the error flag if the error is due to an allocation failure. This explains the premature EOF without error seen in Bug #960. [5a70875f92fa]

lib/util/getdelim.c:
Reset end pointer when reallocing the line buffer in getdelim(). Fixes excessive memory allocations for long lines. Bug #960. [d6dd6893b38a]

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
Remove duplicated MALLOC_OPTIONS and MALLOC_CONF env variables. [2f7695aadad9]

lib/iolog/iolog_json.c:
On parse error, display line and column instead of the offending line. [bbda04a5b05d]

logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
regen [20e093fd76f0]

NEWS, configure, configure.ac:
Sudo 1.9.6 [1c76fe52426f]

2021-02-16 Todd C. Miller

lib/iolog/iolog_json.c, lib/iolog/iolog_util.c:
Pass I/O log memory allocation errors up to the caller. [4777add71679]

INSTALL, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, pathnames.h.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/timestamp.c:
Add admin_flag sudoers option and make –enable-admin-flag take a path. It is now possible to disable the Ubuntu admin flag in sudoers or change its location. GitHub issue #56 [d77c3876fa95]

plugins/sudoers/exptilde.c, plugins/sudoers/regress/exptilde/check_exptilde.c:
Fix tilde expansion of paths with no user like ~/foo. The ‘/’ separator was missing in the resulting path. [dbba61f76d6c]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, lib/util/sudo_conf.c, plugins/sudoers/policy.c:
Limit max_groups in sudo.conf to 1024. The max_groups setting should no longer be needed anyway. [aee7843e0c7d]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
In sudoers_policy_close() call sudoers_cleanup() instead of sudo_user_free(). If we didn’t call sudoers_policy_main() due to an early error there may be more things to clean up. [683d69d84aa6]

plugins/sudoers/policy.c:
Check for invalid flag combinations from front-end for all cases. The checks are now performed in the check_policy, list, validate and invalidate functions instead of as part of the open function. We can’t perform the checks in open because we don’t yet know what operation is going to be performed. [b09105b3bb42]

plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c:
Always dynamically allocate user_cmnd, it is freed in sudo_user_free(). Instead of setting user_cmnd in the policy functions, always set argv. Calling sudoers_policy_main() with argc of 0 is no longer allowed. [820f1f4e5c44]

plugins/sudoers/policy.c:
No need for sudoers_cleanup() in sudoers_policy_invalidate(). The sudoers close() function is now called even for “sudo -k”. Also no need to set user_cmnd, it is not used in this code path. [c2c9832c32f4]

2021-02-15 Todd C. Miller

MANIFEST, logsrvd/Makefile.in, logsrvd/logsrvd_conf.c, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.1, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.2, logsrvd/regress/corpus/logsrvd_conf/logsrvd.conf.3, logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
Add simple fuzzer for sudo_logsrvd.conf parser. [8b5cd9e24656]

lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
Fix unlinking of timing temp file. [8b0ce6d777c8]

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in:
Set MALLOC_OPTIONS and MALLOC_CONF for all regress targets. [47e8b85d1d9a]

MANIFEST, lib/util/Makefile.in, lib/util/regress/corpus/sudo_conf/sudo.conf.1, lib/util/regress/corpus/sudo_conf/sudo.conf.2, lib/util/regress/corpus/sudo_conf/sudo.conf.3, lib/util/regress/fuzz/fuzz_sudo_conf.c:
Add simple fuzzer for sudo.conf parser. [8a530402f936]

plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Free struct sudo_user in sudoers_policy_close() and sudoers_cleanup(). Also, do not NULL out the close function if NO_LEAKS is defined. [f3fbf78e6e41]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/id.log, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/ls.log, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/mailq.log, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/make.log, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_add.log, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/pkg_delete.log, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/log_legacy/printenv.log, plugins/sudoers/Makefile.in:
For “make fuzz” only fuzz the seed corpus. This way we avoid files generated by the fuzzer itself. [42ace1dec313]

2021-02-14 Todd C. Miller

plugins/sudoers/env.c, plugins/sudoers/gc.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Fix sudoers garbage collection and run it in policy fuzzer. [c0d572fd9921]

.github/workflows/main.yml:
Rename master -> main [57000edd1aff]

plugins/sudoers/policy.c:
Do not include errno string for invalid params from front-end. [2d0b55b3041f]

plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/regress/fuzz/fuzz_policy.c:
Always dynamically allocate user_role, user_type, user_privs, user_limitprivs [f5992824219d]

plugins/sudoers/policy.c:
Remove dead code, front-end does not set runas_privs or runas_limitprivs [6ce3da323452]

plugins/sudoers/iolog.c:
Plug memory leak if there are duplicate user_info or command_info entries. [21865246a4dc]

2021-02-13 Todd C. Miller

.github/workflows/main.yml:
Add CIFuzz workflow to run fuzzers on push or PR. https://google.github.io/oss-fuzz/getting-started/continuous- integration/ [47f1c8015ec5]

plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/timestamp.c:
Move create_admin_success_flag() to timestamp.c. [0675f230288c]

configure, configure.ac:
Error out if fuzzer/sanitizer enabled but not supported by the compiler. [289afba93f79]

plugins/sudoers/regress/fuzz/fuzz_policy.c:
The push() function was not updating the size after reallocating. [e089aaeee3b2]

plugins/sudoers/pwutil_impl.c, src/sudo.c:
If sudo_getgrouplist2() returns -1, clamp ngroups based on max_groups. The ngroups parameter is an out parameter that is filled in with the actual number of groups, which may be less than the static number allocated when max_groups is set in sudo.conf. Fixes a potential out of bounds read found by LLVM libFuzzer. [a26461ccf891]

2021-02-12 Todd C. Miller

plugins/sudoers/policy.c:
Reset sudoers path, owner and mode before parsing plugin arguments. This is only needed when calling sudoers_policy_deserialize_info() more than once, which is true for the policy fuzzer. [a25a6210f48c]

plugins/sudoers/sudoers.c:
Cleanup sudoers sources on denial and error too. [454b7adcfa21]

plugins/sudoers/pwutil.c:
Fix sudo_getgrgid reference count bug when gid doesn’t exist. This one was missed when the other user/group lookup functions were fixed. [20e3fad6768b]

plugins/sudoers/policy.c:
Plug memory leak if there are duplicate user_info entries. [b8ddcfa0a051]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/corpus/policy/policy.1, plugins/sudoers/regress/corpus/policy/policy.2, plugins/sudoers/regress/corpus/policy/policy.3, plugins/sudoers/regress/corpus/policy/policy.4, plugins/sudoers/regress/corpus/policy/policy.5, plugins/sudoers/regress/fuzz/fuzz_policy.c, plugins/sudoers/sudoers.c:
Fuzz sudoers policy module API. Includes a test case to reproduce CVE-2021-3156. [576d065759cf]

lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
Make fuzz targets depend on fuzzer stub library. We really want a dependency on $(LIB_FUZZING_ENGINE) but that could be a flag like “-fsanitize=fuzzer” instead of a path. [0963418f1cf9]

lib/util/Makefile.in:
regen [dd872eceb19e]

MANIFEST, plugins/sudoers/Makefile.in:
Move audit.c from libparsesudoers to the sudoers module itself. Now that audit.c contains the audit module it doesn’t belong in libparsesudoers. [3df4f6e10f54]

configure, configure.ac:
Do not pass AX_APPEND_FLAG more than a single flag. GitHub issue #92 [ed9ccdd41231]

2021-02-10 Todd C. Miller

lib/eventlog/Makefile.in, lib/iolog/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
Fix up some .la file library dependencies. libsudo_iolog.la already depends on libsudo_util.la and libsudo_eventlog.la so we don’t need to list those explicitly when libsudo_iolog.la is listed. [d8b55cf698b5]

lib/eventlog/eventlog.c, lib/util/Makefile.in, lib/util/progname.c, lib/util/regress/progname/progname_test.c, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/audit.c, plugins/sudoers/find_path.c, plugins/sudoers/iolog.c, plugins/sudoers/match_command.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/sudo_edit.c, src/sudo_noexec.c:
Use sudo_basename() instead of doing the equivalent manually. [67e2b5d68a73]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/basename.c, lib/util/util.exp.in:
Add a GNU-compatible version of basename(3). Unlike POSIX basename(3), the GNU variant does not modify its argument. Note that basename of a path ending in “/” returns an empty string. [693e1d39718a]

2021-02-09 Todd C. Miller

lib/iolog/iolog_fileio.c:
feof(3) returns non-zero at EOF, not necessarily 1. On Illumos at least it returns a value other than 1. [fc2242fe7c6e]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Portable workaround for getdelim(3) implementations modify buf on EOF. We should assume that the contents of buf are undefined when getdelim(3) returns -1. We now peek ahead one char and skip the getdelim(3) call if EOF is detected. This will preserve the original value of the last line. [1e353f05a0fa]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Some getdelim(3) implementations write a NUL to the buffer on EOF. AIX and Illumos appear to have this behavior. We now preserve the first character of the buffer on EOF to work around this. Fixes reporting of syntax errors on the last line of a file. [22611c14c1d1]

plugins/sudoers/Makefile.in:
Fuzz the example sudoers file, not the default one. The default sudoers uses @includedir which can result in different output, depending on the permissions of /etc/sudoers.d. [1b325a1d0e0a]

configure, configure.ac:
illumos has a broken fmemopen(3), don’t use it. [d297ee0339e6]

2021-02-08 Todd C. Miller

config.h.in, configure, configure.ac, include/sudo_compat.h:
Add configure check for SSIZE_MAX [ca7699154705]

lib/iolog/iolog_json.c:
Suppress PVS Studio false positives. [6d8fcec047e5]

src/sesh.c:
Silence a clang analyzer false positive. [8bc3e89f6fbb]

plugins/sudoers/toke_util.c:
Silence a clang analyzer false positive. [2489166fc372]

lib/fuzzstub/fuzzstub.c:
Fix CID 217123, size check always false on 64-bit systems. [3c018b5d43a8]

plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Make open_sudoers() always return NULL like fuzz_sudoers.c [042de90307ae]

plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test5.toke.ok, plugins/sudoers/regress/sudoers/test7.toke.ok, plugins/sudoers/regress/sudoers/test8.toke.ok:
Update *.toke.ok now that lexer doesn’t call sudoerserror() itself. [d60c0d33b5b4]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
The lexer now sets an error string before returning ERROR. The parser will use that when reporting on an ERROR state. This prevents the lexer from reporting errors about tokens that are not actually consumed by the parser and we don’t have to worry about both the lexer and the parser reporting errors. It also means we only get one error per sudoers line. [7ffb0d28862f]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Go back to storing the last error file/line in sudoerserrorf(). This is still the best way to avoid displaying more than one error per line. [21da59d69c5f]

configure, configure.ac:
Add -fsanitize=fuzzer-no-link to ASAN_LDFLAGS too, not just ASAN_CFLAGS. [d3c719c72d79]

MANIFEST, Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok, plugins/system_group/Makefile.in, src/Makefile.in:
Add fuzz Makefile target and run fuzzer corpus in make check. [a66085f05dea]

2021-02-07 Todd C. Miller

MANIFEST, Makefile.in, configure, configure.ac, lib/fuzzstub/Makefile.in, lib/fuzzstub/fuzzstub.c, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Add stub library that just feeds files to the fuzzing target. This will allow the fuzzers to be run as part of “make check”. [aa8fda20c3f8]

scripts/mkpkg:
Append to CFLAGS and LDFLAGS instead of overriding them when adding -m64. [d02cf3c28198]

config.h.in, configure, configure.ac, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Fall back to a temp file if fmemopen() is not available(). [87f804b98c18]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Add missing return statement when NO_LEAKS is not defined. [25b8e1041b62]

lib/eventlog/Makefile.in:
Remove remnants of liblogsrv. [5030114bb12f]

INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
Add –enable-fuzzer-linker and –enable-fuzzer-engine options. These will allow the fuzzers to be built as part of oss-fuzz. [c3176bd8b95b]

2021-02-06 Todd C. Miller

.gitignore, .hgignore:
Sync ignore files. [ddf136d412f7]

plugins/sudoers/Makefile.in:
Fix linking of sudoers fuzzers with static libsudo_util. [86d07a5a671d]

INSTALL, configure, configure.ac, lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
Add –enable-fuzzer option to use when building fuzzers [01e31362c2b0]

INSTALL, configure, configure.ac:
Replace –enable-asan with –enable-sanitizer It is not possible to set the sanitizer flags at configure time. [115d869e1d55]

2021-02-06 Anton Bershanskiy

src/copy_file.c:
Fix comment typo in src/copy_file.c [60dbf6da4712]

2021-02-06 Todd C. Miller

lib/iolog/Makefile.in, lib/iolog/regress/fuzz/fuzz_iolog_json.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c, lib/iolog/regress/fuzz/fuzz_iolog_timing.c, plugins/sudoers/Makefile.in, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Build (but don’t run) fuzzers as part of “make check”. Uses a stub to make it possible to link w/o libfuzzer. The goal is to ensure the fuzzers are always buildable and avoid bit rot. [9186e252b8bf]

lib/iolog/Makefile.in, plugins/sudoers/Makefile.in:
Add libsudo_eventlog.la as a dependency of libsudo_iolog.la No longer need to link against libsudo_eventlog.la in sudoers. [508097f86035]

2021-02-05 Todd C. Miller

MANIFEST, lib/iolog/regress/corpus/log_json/id.json, lib/iolog/regress/corpus/log_json/ls.json, lib/iolog/regress/corpus/log_json/mailq.json, lib/iolog/regress/corpus/log_json/make.json, lib/iolog/regress/corpus/log_json/pkg_add.json, lib/iolog/regress/corpus/log_json/pkg_delete.json, lib/iolog/regress/corpus/log_json/printenv.json, lib/iolog/regress/corpus/log_legacy/id, lib/iolog/regress/corpus/log_legacy/ls, lib/iolog/regress/corpus/log_legacy/mailq, lib/iolog/regress/corpus/log_legacy/make, lib/iolog/regress/corpus/log_legacy/pkg_add, lib/iolog/regress/corpus/log_legacy/pkg_delete, lib/iolog/regress/corpus/log_legacy/printenv, lib/iolog/regress/corpus/timing/timing.1, lib/iolog/regress/corpus/timing/timing.2, lib/iolog/regress/corpus/timing/timing.3, lib/iolog/regress/corpus/timing/timing.4:
Add more test files for fuzzers. [22256acfbe23]

2021-02-05 Daniel Milnes

doc/sudo.mdoc.in:
Fix the typo in the mdoc [e0ad7f93e678]

doc/sudo.man.in:
Fix a tiny typo in the Sudo manpage [d52c308677bf]

2021-02-04 Todd C. Miller

MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_timing.c:
fuzzer for I/O log timing files [7b32f8eecfd6]

lib/iolog/iolog_json.c:
In JSON, name/value pairs must be separated by a comma. Previously we didn’t require the comma to be there. [bb70cecf6360]

lib/iolog/iolog_json.c:
Detect integer overflow when converting JSON_ARRAY to string vector. Extremely unlikely to happen but better safe than sorry. [60a7a4d3a1d8]

2021-02-03 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Only strip double quotes from an include path if len >= 2. Found locally using libfuzzer/oss-fuzz. [274d0a05081b]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Don’t allow the sudoers fuzzer to open include files. If we allow the fuzzer to choose include paths it will include random files in the file system. This leads to bug reports that cannot be reproduced. [b8ffce94f30a]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
If getdelim() returns a string with embedded NULs, truncate on first one. This should avoid some issues with the fuzzer. [e90e61d4bb0e]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Reallocate the buffer correctly when appending a newline. Fixes a potential buffer overflow introduced in the last commit. [50b0f77aed5f]

plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Don’t free the alias name in alias_add() if the alias already exists. We need to be able to display it using alias_error(). Only free what we actually allocated in alias_add() on error and let the caller handle cleanup. Note that we cannot completely fill in the alias until it is inserted. Otherwise, we will have modified the file and members parameters even if there was an error. As a result, we have to remove those from the leak list after alias_add(), not before. [6a920646d7d1]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Fix NUL termination when parsing a sudoers file with no ending newline. oss-fuzz issue #30252 [5c75d8e15966]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
sudoersrestart() does not reset state to INITIAL, do it in init_lexer(). Fixes spurious errors from fuzz_sudoers, which calls the parser multiple times. [bf2c1c3b82e6]

plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Push lexer leak tracking down into check_fill.c. This lets us track things correctly when buffers are realloc()d. Rewrote fill() and append() to be more readable. [a1e61a4a7aad]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/visudo.c:
Use sudoersrestart() in fuzz_sudoers.c Since we run the parser multiple times we need to restart it each time. [64792d363f62]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Parser needs user_shost for the %h escape in @include expansion. Fixes oss-fuzz issue #30238 [b043e413be31]

INSTALL:
The –disable-leaks option is not recommended for production use. [cb37a56f4e99]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Remove options from the leak list before freeing them. Should fix oss-fuzz issue #30236 [1ee6dac8c027]

MANIFEST, include/sudo_iolog.h, lib/iolog/iolog_util.c, lib/iolog/regress/fuzz/fuzz_iolog_legacy.c:
Add fuzzer for legacy I/O log info file. [3f4ed83660ca]

doc/Makefile.in, plugins/sudoers/Makefile.in:
Fix uninstall target; there were missing line continuation chars. GitHub issue #87 [02cffb51c15c]

2021-02-02 Todd C. Miller

plugins/sudoers/cvtsudoers.c, plugins/sudoers/parse_ldif.c:
Don’t close fp in sudoers_parse_ldif() The caller should be the one to handle this. [e8d830851379]

.gitignore, .hgignore:
Update ignore files. [0c8245d8097c]

plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Got back to calling alias_free() on alias_add() failure. We now need to remove the name and members from the leak list before calling alias_add() since alias_add() will consume them for both success and failure. [65c95a84f8ca]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
close sudoersin, not fp, and reset it to be safe [f616d1c7c09a]

lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Add missing fclose(3) of fmemopen(3) stream; it does not modify the data. [9207901dcccd]

lib/iolog/iolog_json.c:
Check for unexpected value after checking the name, not before. [6f973cc4378d]

lib/util/progname.c:
Allow getprogname() to succeed as long as __progname is present. Also simplify the progname code so we only need a single implementation. [300a29bd117e]

lib/iolog/iolog_json.c:
Fix potential leak of evlog->runuser. Also warn if we find an unexpected JSON type. [0ec615b3d4e0]

2021-02-01 Todd C. Miller

plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Parse into a local parse_tree and add missing cleanup. Since parsed_policy is for the sudoers parser we should declare our own. [c418d65e7bb4]

plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
Call init_parser() after parsing to clean up completely. [2063d26ab401]

MANIFEST, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test25.in, plugins/sudoers/regress/sudoers/test25.json.ok, plugins/sudoers/regress/sudoers/test25.ldif.ok, plugins/sudoers/regress/sudoers/test25.out.ok, plugins/sudoers/regress/sudoers/test25.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Plug a few more parser leaks. [c9478efdd65d]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Make parser_leak_remove(type, NULL) a no-op. [7699e99a028a]

MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_json.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
Add initial fuzzers to be used by oss-fuzz. These are not yet hooked up to the sudo build. [5593a755f359]

plugins/sudoers/gc.c, plugins/sudoers/sudoers.h:
Garbage collect unused gc_remove() function. [ff561edd846e]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh:
The parser should be leak free, re-enable leak detection in ASAN. [a89599540a5a]

plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c:
Add garbage collection to the sudoers parser to clean up on error. This makes it possible to avoid memory leaks when there is a parse error. [ef739da324bb]

2021-01-31 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c, plugins/sudoers/sudo_ldap.h:
Move new_member_all to ldap_util.c, it is only used by ldap/sssd. [9df2efb6956a]

2021-01-30 Todd C. Miller

lib/iolog/iolog_json.c:
Fix crashes trying to parse invalid JSON. Found locally using libfuzzer/oss-fuzz. [b74c8c260d60]

lib/iolog/iolog_json.c:
Plug memory leak if a key is listed more than once in the log.json file. [764ef247f13e]

lib/iolog/regress/iolog_json/check_iolog_json.c:
Fix crash when file does not exist. [55a46b75e6ed]

plugins/sudoers/gentime.c:
Strict tz offset parsing. Fixes an out of bounds read found locally using libfuzzer/oss-fuzz. [72266f1af75d]

plugins/sudoers/ldap_util.c:
Don’t leak memory for duplicate command options. The last option wins but we also now warn about the duplicate. Found locally using libfuzzer/oss-fuzz. [f1cd342e62f7]

plugins/sudoers/ldap_util.c:
Copy command options when converting a sudoRole with multiple sudoCommands. A sudoRole with multiple sudoCommands is converted to a privilege with multiple cmndspecs. However, we were not copying some of the command options to subsequent cmndspecs in the list. [d8309574a756]

plugins/sudoers/parse_ldif.c:
Fix memory leak if the last line is folded. Fixes issue 30080 by ClusterFuzz-External [404f38aa19a6]

INSTALL, configure, configure.ac:
Add –disable-leaks configure option. This enables the extra freeing of memory before exit also enabled by –enable-asan. To be used by oss-fuzz. [faddd42273a4]

plugins/sudoers/gentime.c:
Stricter parsing of generalized time. Fixes potential out of bounds read found by libfuzzer/oss-fuzz. [4548e29ea5e0]

2021-01-29 Todd C. Miller

plugins/sudoers/parse_ldif.c:
Don’t bother calling ldif_to_sudoers() if there are no roles to convert. [242394d46fb1]

lib/iolog/iolog_json.c:
In json_stack_push() treat stack exhaustion like memory allocation failure. Return NULL instead of treating as a fatal error. This should make life a little easier for oss-fuzz. [84c7c3b7971a]

plugins/sudoers/sudoers.c:
Update comment about return values for resolve_host(). [0e92fe582db1]

plugins/sudoers/logging.c, plugins/sudoers/policy.c:
Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4. init_eventlog_config() is called immediately after initializing the Defaults settings, which is before struct sudo_user is setup. This adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the invoking user is determined. Reported by Roman Fiedler. [e0d4f196ba02]

2021-01-28 Todd C. Miller

MANIFEST:
Add plugins/sudoers/strvec_join.c [1dfeb8ab9fdb]

plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c:
Fix compilation on systems without a native strlcpy() function. [7b28feb4350a]

logsrvd/logsrvd.c, logsrvd/sendlog.c:
Break up the long help string into multiple printf() statements. AIX xlc compiler doesn’t like cpp directives in between strings. Also fixes a complaint from cppcheck and makes translation easier. [e55b4061f598]

plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.h:
strvec_join: free result on error and actually use separator char [801546807a8a]

2021-01-27 Todd C. Miller

plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c:
Test strvec_join() using strlcpy_unesc(). Emulates an overflow like:
sudoedit -s ‘' perl -e 'print "A" x 65536' [8d9a063adde5]

plugins/sudoers/Makefile.in, plugins/sudoers/strvec_join.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Refactor code to flatten an argument vector into a string. This is used when building up the user_args string. [a6ae655d91a1]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/regress/unescape/check_unesc.c, plugins/sudoers/strlcpy_unesc.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add strlcpy_unescape() function to undo escaping from front-end. Includes unit test. [abfaa390d275]

plugins/sudoers/parse_ldif.c:
Add missing check for reallocarray() failure. Found by OSS-Fuzz. [fcda06966ed7]

2021-01-26 Todd C. Miller

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_convmessage.c, plugins/python/sudo_python_module.c:
Remove Py_SSIZE2SIZE to quiet cppcheck warnings. Tuple size cannot be negative and we already handle the case where it is zero. [d6ec5e558a0e]

src/parse_args.c:
The program name may now only be “sudo” or “sudoedit”. We no longer need to check for any string that ends in “edit”. [caed524c6ba0]

2021-01-23 Todd C. Miller

plugins/sudoers/timestamp.c:
Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL. We want to zero the struct starting at flags, not type (which was just set). Found by Qualys. [09f98816fc89]

src/parse_args.c:
Don’t assume that argv is allocated as a single flat buffer. While this is how the kernel behaves it is not a portable assumption. The assumption may also be violated if getopt_long(3) permutes arguments. Found by Qualys. [c125fbe68783]

NEWS, configure, configure.ac:
Sudo 1.9.5p2 [89a357d8da4e]

src/parse_args.c:
Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. This is consistent with how the -e option is handled. Also reject -H and -P flags for sudoedit as was done in sudo 1.7. Found by Qualys, this is part of the fix for CVE-2021-3156. [9b97f1787804]

plugins/sudoers/policy.c:
Add sudoedit flag checks in plugin that are consistent with front- end. Don’t assume the sudo front-end is sending reasonable mode flags. These checks need to be kept consistent between the sudo front-end and the sudoers plugin. [a97dc92eae6b]

plugins/sudoers/sudoers.c:
Fix potential buffer overflow when unescaping backslashes in user_args. Also, do not try to unescaping backslashes unless in run mode and we are running the command via a shell. Found by Qualys, this fixes CVE-2021-3156. [049ad90590be]

2021-01-22 Fabrice Fontaine

lib/eventlog/Makefile.in:
lib/eventlog/Makefile.in: fix static build without closefrom

Since version 1.9.4 and https://github.com/sudo- project/sudo/commit/bd1ca79cca827a92e904f022e49df121931d4ff5, when closefrom is not available, libsudo_eventlog.a depends on libsudo_util.a. So reflect this dependency in the libtool file to avoid the following static build failure of logsrvd:

/bin/bash ../libtool –tag=disable-static –mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,–enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la /bin/bash ../libtool –tag=disable-static –mode=link /home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_sendlog logsrv_util.o sendlog.o -static -Wl,– enable-new-dtags -Wl,-z,relro ../lib/iolog/libsudo_iolog.la ../lib/eventlog/libsudo_eventlog.la ../lib/logsrv/liblogsrv.la libtool: link:
/home/buildroot/autobuild/instance-1/output-1/host/bin/powerpc- linux-gcc -o sudo_logsrvd logsrv_util.o iolog_writer.o logsrvd.o logsrvd_conf.o -static -Wl,–enable-new-dtags -Wl,-z -Wl,relro ../lib/iolog/.libs/libsudo_iolog.a /home/buildroot/autobuild/instanc e-1/output-1/build/sudo-1.9.5p1/lib/util/.libs/libsudo_util.a -lpthread -lz ../lib/eventlog/.libs/libsudo_eventlog.a ../lib/logsrv/.libs/liblogsrv.a /home/buildroot/autobuild/instance-1/output-1/host/opt/ext- toolchain/bin/../lib/gcc/powerpc-buildroot-linux- uclibc/8.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld:
../lib/eventlog/.libs/libsudo_eventlog.a(eventlog.o): in function send_mail.constprop.1': eventlog.c:(.text+0x149c): undefined reference to sudo_closefrom’ collect2: error: ld returned 1 exit status

Fixes:
- http://autobuild.buildroot.org/results/515b45f876fa9de03c9235f86017f 4dc10eb3b54
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@…> [4e42d276c336]

2021-01-21 Todd C. Miller

plugins/sudoers/log_client.c:
Do not add an unfinished write buffer to the queue if it is already present. In client_msg_cb() we only remove a buffer from the queue when it is finished. Inserting the buf again can cause a cycle in the queue. [b398dcc0933d]

2021-01-20 Todd C. Miller

plugins/sudoers/log_client.c:
Fix problem when SSL_read() returns SSL_ERROR_WANT_WRITE. This can happen when the socket cannot be written to immediately. We need to set the read_instead_of_write flag in that case, not write_instead_of_read. Also sync comments with sendlog.c. Bug #954 [e4239bb932aa]

2021-01-18 Pavel Březina

plugins/sudoers/auth/pam.c:
pam: pass KRB5CCNAME to pam_authenticate environment if available

If a PAM module wants to authenticate user using GSSAPI, the authentication is broken if non-default ccache name is used in KRB5CCNAME environment variable.

One way to mitigate this would be to add this to env_keep, but this also makes the variable available in the executed command which may not be always desirable.

This patch sets KRB5CCNAME for pam_authenticate only, if it is available and not yet set. [90aba6ba6e03]

2021-01-15 Todd C. Miller

lib/util/progname.c:
Fix setprogname() emulation on systems without it. For fully- qualified paths, store the string starting after the last slash, not at the slash itself. [111fde52d116]

2021-01-11 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.5p1 [2dbbab94d4b6]

src/sudo_edit.c:
Run the editor with the user’s real and effective uid and gid. Fixes a bug introduced in sudo 1.9.5 where the editor was run setuid root unless SELinux RBAC was in use. [30fe53c07aa7]

NEWS:
fix typo [52e7767881ba]

src/copy_file.c, src/edit_open.c:
Add casts to quiet two warnings on Solaris. [f76126f6d68d]

2021-01-09 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.5. [49dae07bda23]

2021-01-08 Todd C. Miller

NEWS, configure, configure.ac, doc/LICENSE, etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Sudo 1.9.5 [3a0e500981a8]

doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/policy.c:
Allow SELinux support to be disabled via the sudoers file. Defaults to true if sudo is built with SELinux support and SELinux is not disabled on the system. [c457eaae8692]

2021-01-06 Todd C. Miller

plugins/python/python_importblocker.c:
Add a comment to verify_import() to clarify its purpose. [30ef680f4104]

lib/eventlog/eventlog.c, lib/util/arc4random.c, lib/util/sudo_debug.c, plugins/audit_json/audit_json.c, plugins/python/python_convmessage.c, plugins/sudoers/auth/pam.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c, src/exec_common.c, src/sesh.c, src/sudo.c, src/sudo_edit.c:
Suppress PVS Studio false positives. [077f46549351]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Plug a memory leak in sudoerserrorf(). [a3c14cf0283e]

plugins/sudoers/editor.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/starttime.c, plugins/sudoers/tsgetgrpw.c, src/ttyname.c:
Quiet a few harmless cppcheck warnings. [ab123790b3fd]

src/copy_file.c, src/sudo_edit.c:
In sudoedit, use sudo_check_temp_file() for non-SELinux too. [b5d5bd506487]

MANIFEST, src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h, src/sudo_exec.h:
Move safe open code out of sudo_edit.c and into edit_open.c. [108fcca05798]

src/Makefile.in, src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h:
Add directory writability checks for SELinux RBAC sudoedit. These were never added to the SELinux RBAC path. [0d4f28b5a8e2]

src/edit_open.c, src/exec.c, src/exec_pty.c, src/sesh.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_edit.h, src/tgetpass.c:
Add struct sudo_cred to hold the invoking or runas user credentials. We can use this when we need to pass around credential info instead of the user_details and command_details structs. [20594f3f00c1]

src/edit_open.c, src/sesh.c, src/sudo_edit.c, src/sudo_edit.h:
Rename run_cred -> cur_cred and stash existing creds in set_tmpdir(). For sudo_edit_open() et al what we need is a copy of the current cred to restore after dir_is_writable() changes to the user cred. [dcfce8a11282]

configure, configure.ac, include/sudo_compat.h, lib/util/progname.c:
Add setprogname(3) for those without it. [e2f1d1ecedb0]

src/sesh.c, src/sudo_edit.c:
Split up sesh_sudoedit() so it is organized more like sudo_edit.c. The new sesh_edit_create_tfiles() and sesh_edit_copy_tfiles() functions are analogous to sudo_edit_create_tfiles() and sudo_edit_copy_tfiles(). Also use “sudoedit” in the warning/error messages from sesh_sudoedit(). Otherwise, the user gets a mix of messages from sudoedit and sesh. [5510be4b2129]

Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Remove the –force option from the cppcheck args, it causes errors. [57f2ad72e874]

include/sudo_util.h, lib/util/progname.c, lib/util/util.exp.in, src/sudo.c:
For sudo, only allow “sudo” or “sudoedit” as the program name. The program name is also used when matching Debug lines in sudo.conf. We don’t want the user to be able to influence sudo.conf Debug matching. The string “sudoedit” is treated the same as “sudo” in sudo.conf. Problem reported by Matthias Gerstner of SUSE. [1d32c53859f9]

lib/iolog/iolog_fileio.c, lib/util/sudo_debug.c, plugins/group_file/getgrent.c, plugins/sudoers/linux_audit.c, plugins/sudoers/tsgetgrpw.c:
Check the return value of fcntl() when setting FD_CLOEXEC. This should never fail unless the fd is invalid. Problem reported by Matthias Gerstner of SUSE. [f1ca39a0d870]

src/sudo_edit.c:
Fix potential directory existing info leak in sudoedit. When creating a new file, sudoedit checks to make sure the parent directory exists so it can provide the user with a sensible error message. However, this could be used to test for the existence of directories not normally accessible to the user by pointing to them with a symbolic link when the parent directory is controlled by the user. Problem reported by Matthias Gerstner of SUSE. [ea19d0073c02]

src/copy_file.c, src/sesh.c, src/sudo_edit.c, src/sudo_exec.h:
Add security checks before using temp files for SELinux RBAC sudoedit. Otherwise, it may be possible for the user running sudoedit to replace the newly-created temporary files with a symbolic link and have sudoedit set the owner of an arbitrary file. Problem reported by Matthias Gerstner of SUSE. [8fcb36ef422a]

plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ko.mo, po/ko.po, po/sr.mo, po/sr.po, po/sv.mo, po/sv.po:
Updated translations from translationproject.org [e68c92c767f1]

2021-01-04 Todd C. Miller

plugins/sudoers/sudoers.c:
Use debug_return_int() not debug_return_bool() to return -1. Found by PVS Studio. [f1f67ca51aeb]

plugins/sudoers/logging.c:
Fix a crash introduced in 1.9.4 when running “sudo -i” as an unknown user. [d1a3f0f4d0f9]

2021-01-03 Todd C. Miller

plugins/sudoers/check.c:
Make sure lecture file is a regular file before reading it. [c9c68eff1e45]

2021-01-02 Todd C. Miller

Makefile.in, lib/eventlog/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/group_file/plugin_test.c, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/parse.h, plugins/system_group/Makefile.in, src/Makefile.in:
Minor fixes pointed out by cppcheck. Also add compareBoolExpressionWithInt to suppression list. [52316819700e]

logsrvd/logsrvd.c:
Avoid potential use after free with eventlog-only connections. Coverity CID 215884. [cca5cffabe42]

src/exec.c:
Cannot do direct exec of a command when SELinux RBAC is enabled. [2706b0fc1451]

MANIFEST, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/pread.c, lib/util/pwrite.c, scripts/mkdep.pl:
Add emulation of pread(3) and pwrite(3) for systems without them. This makes it possible to remove some ugly #ifdefs and only affects very old systems. [1c2a31bda598]

lib/iolog/iolog_fileio.c, plugins/sudoers/match_command.c, plugins/sudoers/timestamp.c:
Remove #ifdefs around code using pread(3) and pwrite(3). [3830fdf650df]

plugins/sudoers/Makefile.in:
Regen now that ldap.c and sssd.c no longer need gram.h [5cc4e107f301]

2020-12-30 Todd C. Miller

lib/util/fatal.c:
Fix deregistration of a callback that is not at the head of the list. The SLIST_FOREACH_PREVPTR macro doesn’t work the way I thought it did. Just store our own prev pointer and use that instead. [04c290fe1fcb]

2020-12-21 Todd C. Miller

src/net_ifs.c:
Fix the buffer size parameter when serializing the interface list. Problem reported by Matthias Gerstner of SUSE. [b0cae3ac8e46]

2020-12-20 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.4p2 [8bb8ec358990]

plugins/sudoers/sudoers.c:
The runas user must be set before applying runas-based Defaults. This effectively backs out changeset f738f5ac5350, which made it possible to log the command when an invalid user was specified. The policy plugin API doesn’t supply the command until the check function, at which point we’ve already denied the command due to the invalid user. Bug #951. [8a415f555cf9]

2020-12-18 Todd C. Miller

etc/uncrustify-small.cfg, etc/uncrustify.cfg:
Don’t enable mod_remove_empty_return We like to use an empty return for stub functions. [018ef129dc24]

2020-12-16 Todd C. Miller

plugins/sudoers/policy.c:
The lower bounds for the “closefrom” option is 3, not 4. This is a regression introduced in sudo 1.8.9 with the strtonum() conversion. Bug #950. [fb06603b9a12]

2020-12-15 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.4p1 [59c37ec1a128]

2020-12-11 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Direct execution of a command is incompatible with using a log server. [91afbbde217a]

plugins/sudoers/audit.c:
Set sudoers_audit.close to NULL if not using a log server. [231abb92a3b2]

2020-12-08 Todd C. Miller

config.guess, config.h.in, config.sub, configure, configure.ac:
Regenerate configure script with autoconf 2.71. Also fix some warnings from the new version. [cd1c7615e861]

2020-12-07 Todd C. Miller

config.h.in, configure, configure.ac, src/sudo.c:
Define _DARWIN_UNLIMITED_GETGROUPS on macOS to suport > 16 groups. On macOS 10.6 and above, getgroups(2) can return more than NGROUPS_MAX if _DARWIN_UNLIMITED_GETGROUPS or _DARWIN_C_SOURCE is defined. Bug #946 [2e7d3c3cf18b]

2020-12-05 Todd C. Miller

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in:
Comment out the default plugin lines in the example sudo.conf. Fixes a problem when there are multiple versions of sudo installed and not all suport the audit plugin, such as on macOS. GitHub issue #75 [aaed5d7a3471]

plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Store the user-provided runas user and group name in struct sudo_user. This makes it available for event logging in case the name doesn’t resolve. [98d70ba8a2a6]

plugins/sudoers/logging.c:
Log submit group to event log. [3e7ace99f7f8]

plugins/sudoers/logging.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Store iolog_path in struct sudo_user for use in the event log. [35bc39ec8ad5]

2020-12-04 Todd C. Miller

plugins/sudoers/logging.c, plugins/sudoers/sudoers.c:
Defer lookup of runas user until sudoers_main() for better logging. The log message now includes user info and the command attempted. [f738f5ac5350]

lib/eventlog/eventlog.c:
Don’t assume that just because command is non-NULL, argv is non- NULL. [4fac4ae88e4e]

plugins/sudoers/logging.c:
Fix a crash introduced in 1.9.4 when running command as an unknown user. Bug #948 [8b24c140ec7c]

2020-12-03 Todd C. Miller

logsrvd/logsrvd.c:
When shutting down the server, close non-I/O log connections immediately. Avoids a timeout during server shutdown while the server waits for active connections to close. [26bfda2c8f67]

src/sudo.c:
Audit errors from policy_init_session(), audit_accept(), and audit_reject(). [638e583754ac]

src/sudo.c:
Do not run the command if the audit accept function fails. Also add warnings if the audit reject or error functions fail. [ca94ef438961]

plugins/sudoers/log_client.c:
Reduce the number of error messages when we can’t connect to the audit server. Add the error string to “unable to connect to log server” instead of using an extra error message for the connect(2) failure. [25ac7ac5bfdf]

plugins/sudoers/log_client.c:
Use correct error message when the TLS connection is dropped. Was:
“recv: Unknown error 0”, now: “lost connection to log server”. [5c3f319b1f75]

2020-12-02 Todd C. Miller

plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.h:
Change alias_add() to return bool and set errno on failure. This fixes a localization problem where the error message could have been reported in the wrong locale. [1859fe3da40c]

2020-11-30 Todd C. Miller

lib/eventlog/eventlog.c:
Fix build when configured using –without-sendmail Bug #947 [41db1aad85bb]

2020-11-29 Todd C. Miller

plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, po/hr.mo, po/hr.po:
Updated translations from translationproject.org [96a5cfe3c66b]

2020-11-24 Todd C. Miller

NEWS:
sudo_logsrvd.conf pid_file change. [fdc0276c7e0e]

logsrvd/logsrvd.c:
Don’t try to unlink a NULL pointer. [95babad9636a]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
If pid_file is set to an empty value, disable the use of a pid file. [d4462105ab4b]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c:
Don’t overwrite sudo_logsrvd.pid if it is a symbolic link. [d79f97a0a533]

INSTALL, configure, configure.ac, etc/codespell.exclude, plugins/sudoers/env.c:
Fix typo detected by codespell 2.0.0 Also avoid some new false positives [d973f44e2396]

2020-11-23 Todd C. Miller

etc/uncrustify-small.cfg, etc/uncrustify.cfg, plugins/python/regress/testhelpers.h, plugins/sudoers/env.c, plugins/sudoers/sudo_ldap_conf.h:
Set pp_ignore_define_body=false in uncrustify config. Need to work around a bug that produces closed brace errors, see https://github.com/uncrustify/uncrustify/issues/2569 [5e4692fca707]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po:
Updated translations from translationproject.org [156162e6e07e]

2020-11-18 Todd C. Miller

lib/util/sudo_conf.c:
Fix calling sudo_conf_read() multiple times with different conf_types. The change to reinitialize the configuration data when sudo_conf_read() is called again didn’t take into account that sudo calls sudo_conf_read() twice–once for the debug info and once for everything else. [b6869b7da3c2]

2020-11-17 Todd C. Miller

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Don’t free the private copy of the environment until the close function. We may need to use it when logging from the audit reject function. [5118eb5797fb]

plugins/sudoers/log_client.c:
It is possible for evlog->argv or evlog->envp to be NULL. [798ff96301bf]

src/exec_pty.c, src/sudo.c, src/sudo.h:
Pass command_info[] to audit plugin on I/O log plugin reject or error. The audit plugin should cope with a NULL command_info but there’s no reason not to pass the info when we have it. [e361897d0192]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/audit.c:
For the audit plugin, command_info may be NULL. Fixes a NULL dereference in sudoers_audit when an I/O logging plugin rejects input/output or returns an error. [9abee774e7e1]

plugins/sudoers/defaults.c:
Add missing initialization of def_log_format to sudo. [8c824f6dcfdd]

2020-11-16 Todd C. Miller

config.h.in, configure, configure.ac:
Newer LibreSSL has SSL_CTX_set_ciphersuites but it is not enabled. Add a check for the function declaration in openssl/ssl.h. [d6d0665572ec]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Event log data is sent to sudo_logsrvd even when not I/O logging. [d720f4ad3d40]

2020-11-14 Todd C. Miller

plugins/sudoers/po/sudoers.pot:
Regenerate sudoers.pot for 1.9.4 [127283726e97]

NEWS, configure, configure.ac:
Update for sudo 1.9.4. [2cb747911aef]

plugins/sudoers/audit.c:
Update struct eventlog based on command_info[] from front-end. The I/O log path is not known until the I/O log plugins have run and other plugins may alter the execution environment. [3ad14a88052e]

plugins/sudoers/alias.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/logging.h, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/toke.h:
Add sudoerserrorf(), a printf-style yyerror() function. Use this to display a better error message when using a reserved work in an alias definition. [1bb3915f61b6]

2020-11-13 Todd C. Miller

scripts/mkpkg:
Build universal binaries on macOS 11.0 and higher. The resulting package should work on Macs based on Apple Silicon. [91cdeda79e66]

2020-11-12 Todd C. Miller

plugins/sudoers/editor.c:
Support EDITOR environment variable that includes quotes. Quote support is limited to the beginning of a word. Also handles characters escaped with a backslash. [ebb7f3c6240c]

2020-11-11 Todd C. Miller

plugins/python/Makefile.in, plugins/python/pyhelpers.c, plugins/python/python_plugin_common.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@diag.log, plugins/python/regress/tes tdata/check_example_debugging_c_calls@info.log, plugins/python/regre ss/testdata/check_example_debugging_plugin@info.log, plugins/python/ regress/testdata/check_example_debugging_py_calls@diag.log, plugins/ python/regress/testdata/check_example_debugging_py_calls@info.log, p lugins/python/regress/testdata/check_example_group_plugin_is_able_to debug.log, plugins/python/regress/testdata/check_example_io_plugin command_log.stored, plugins/python/regress/testdata/check_example_io _plugin_command_log_multiple1.stored, plugins/python/regress/testdat a/check_example_io_plugin_command_log_multiple2.stored, plugins/pyth on/regress/testdata/check_example_io_plugin_failed_to_start_command. stored, plugins/python/regress/testdata/check_example_io_plugin_fail s_with_python_backtrace.stderr, plugins/python/regress/testdata/chec k_example_policy_plugin_validate_invalidate.log, plugins/python/regr ess/testdata/check_loading_fails_not_owned_by_root.stderr, plugins/p ython/regress/testdata/check_loading_fails_wrong_classname.stderr, p lugins/python/regress/testdata/check_loading_fails_wrong_path.stderr , plugins/python/regress/testdata/check_multiple_approval_plugin_and _arguments.stdout, plugins/python/regress/testdata/check_python_plug ins_do_not_affect_each_other.stdout, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
Back out regex use in python tests, filter the output instead. This makes it possible to regenerate the test output again. Also adds an update_test_data target to the Makefile. [3837f51a8072]

plugins/sudoers/ldap.c:
Ignore sudoNotBefore and sudoNotAfter unless ldap.conf contains SUDOERS_TIMED This is consistent with the pre-1.8.24 behavior. Bug #945 [d1e1bb5a6cc1]

src/sudo.c:
Stay setuid until just before executing the command. Fixes a problem with pam_xauth which checks effective and real uids to get the real identity of the user. [2c6fef0107c8]

2020-11-10 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.h, plugins/sudoers/sssd.c:
Introduce new_member_all() for code that doesn’t include gram.h. The ldap and sssd back-ends no longer require gram.h which fixes a compilation issue with IBM LDAP. [1729532cda27]

lib/util/sudo_conf.c, lib/util/sudo_debug.c, logsrvd/logsrvd.c:
On SIGHUP, deregister the old debug instance before registering a new one. Otherwise, if debugging is enabled we will get an extra log instance each time sudo_logsrvd reeives SIGHUP which results in duplicate lines in the debug log. [538633994d8a]

2020-11-09 Todd C. Miller

plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
Refactor code to format the client message after the hello. [12d29d129166]

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/eventlog/eventlog.c, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, plugins/sudoers/log_client.c:
Add info_msgs to AlertMessage and populate it. This lets us log eventlog info along with the alert if it is available. [493a047a4463]

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Use sudoers_to_eventlog() and init_log_details() in sudoers_audit_accept(). log_deserialize_info() can be private to iolog.c again. [0b4e03904f3d]

plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Log reject and alert messages to the log server if one is defined. [087cf87d10af]

plugins/sudoers/logging.c:
Treat an authentication failure as a reject, not an alert. This matters when logging via sudo_logsrvd. It also lets us remove a special case in vlog_warning(). [ae489d3f20a8]

MANIFEST, config.h.in, configure, configure.ac, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/sudoers.c:
Rename iolog_client -> log_client. The logsrvd client code is now used for more than just I/O logging. [ea47ce43bbee]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/log_client.c, plugins/sudoers/log_client.h:
Rename iolog_plugin.h to log_client.h. It is no longer I/O log specific and is used by sudoers_audit too. [cde784a59490]

configure, configure.ac:
Remove hack to define YYTOKENTYPE, it breaks newer bison. [8b919ef33db7]

plugins/sudoers/gram.c, plugins/sudoers/gram.h:
Regenerate with bison 3.7.3 [9fb81b933c43]

include/sudo_eventlog.h, lib/eventlog/eventlog.c:
Use struct eventlog *evlog, not struct eventlog *details. [a9b5f3c2902f]

2020-11-06 Todd C. Miller

lib/eventlog/eventlog.c:
For logsrvd AlertMessages, evlog will be NULL. [d048f7b429d5]

lib/eventlog/eventlog.c:
Append errstr to reason for alert and reject events if specified. Previously, we logged the error string separately but this is not consistent with how it is logged in other formats. [68c76e530248]

plugins/sudoers/logging.c:
Fix cut & pasto in debug subsystem. [c39dd60b6d2d]

2020-11-04 Todd C. Miller

plugins/sudoers/iolog_client.c:
Refactor code to format InfoMesage array into fmt_info_messages(). Add free_info_messages() to free the array. [e6223d325c77]

plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Log accept messages in sudoers_audit if not I/O logging. [cdb5c443c97d]

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Refactor sudoers_io_open_remote() into log_server_open(). Also rename client_close() to log_server_close(). This keeps more of the client code details out of iolog.c and will be used when logging accept messages from the audit plugin. [e3f6ba6768b8]

plugins/sudoers/iolog.c:
Move argv and envp setting into iolog_deserialize_info(). [613b97f1d7bc]

logsrvd/logsrvd.c:
Avoid early return in handle_accept() if expect_iobufs not set. [918adc8234f0]

2020-11-02 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c, src/load_plugins.c:
Add event_alloc to the audit plugin API. The sudoers audit plugin will use this to communicate with sudo_logsrvd. [c2fc2911476b]

logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Set server_name before initiating TLS connection so verify function works. Fixes a crash in the SSL_VERIFY_PEER callback. Also call inet_ntop(3) with addr pointer, not sockaddr pointer so we get the correct IP address. [7a7dcebbe889]

plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test2.ldif.ok, plugins/sudoers/regress/sudoers/test3.ldif.ok, plugins/sudoers/regress/sudoers/test6.ldif.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/visudo.c:
Store column number for aliases, defaults and userspecs too. This is used to provided the column number along with the line number in error messages. For aliases we store the column of the alias name, not the value since that is what visudo generally needs. [1c9d86b88517]

2020-11-01 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test13.out.ok:
Display column number in parse error messages too. Bug #841 [0aea28dec8f2]

plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Move tls initialized flag into client_closure. We may call tls_init() from multiple places in the future so a static initialized flag will cause problems. [00b2b02c24c5]

plugins/sudoers/cvtsudoers_json.c:
Fix -Wshadow warnings caused by json enum member. [ea336980bb6a]

2020-10-30 Todd C. Miller

ABOUT-NLS, INSTALL, NEWS, configure.ac, doc/UPGRADE, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, examples/sudo.conf.in, include/compat/getaddrinfo.h, install-sh, lib/util/getaddrinfo.c, lib/util/getentropy.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_parseln/test1.in, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/strtoid.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, m4/sudo.m4, plugins/group_file/group_file.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/find_path.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/iolog_client.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/load_plugins.c, src/sudo.c, src/sudo_noexec.c, src/tgetpass.c:
Apply Google inclusive language guidelines. Also replace backwards with backward. [678fbce6054f]

2020-10-29 Todd C. Miller

doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
Refernce IBM LDAP libs, not Tivoli since that is how it is packaged. We still use Tivoli when talking about the server itself but refer to it as the “IBM Tivoli Directory Server”. [9f97a7e6b67a]

doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in:
Add a newline before “This option is …” [853f819f0241]

doc/sudoers.man.in:
regen [8b29097f2cd1]

2020-10-28 Todd C. Miller

lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok:
Test eventlog_writeln() when word wrap is disabled. [73acb7fbef59]

configure, configure.ac:
Bison generates an extra enum containing the parser tokens. This conflicts with the IBM ldap.h at least. Prevent it from being exposed by defining YYTOKENTYPE. [f3445ad76687]

configure, configure.ac:
IBM LDAP packages use a lib64 directory for 64-bit libraries. We need to add this to LDFLAGS so the linker is able to find the correct libs when building 64-bit binaries. [701b83f6cd13]

config.h.in, configure, configure.ac, plugins/sudoers/ldap.c:
Use ssl_err2string() in message on ldap_ssl_client_init() failure. Displaying SSL reason code directly is not user-friendly. [aaf272403f3e]

2020-10-27 Todd C. Miller

lib/eventlog/eventlog.c:
For JSON logs, write the most important log elements first. This is important for syslog where the record could be truncated. [58fc957c41bb]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/logging.c, plugins/sudoers/sudoers.c:
Add log_format sudoers setting to select sudo or json format logs. Defaults to sudo-format logs. [2936d2750af0]

include/sudo_json.h, lib/eventlog/eventlog.c, lib/util/json.c:
Support “minimal” JSON which skips all non-essention whitespace. This replaces the old “compact” mode which is only used for syslog. [be07bca67019]

plugins/sudoers/logging.c:
Don’t warn about log failure more than once. [b4dc59a58d1d]

2020-10-26 Todd C. Miller

lib/eventlog/eventlog.c:
Check for fdopen(3) failure in send_mail(). [e08b17bf26ce]

MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, lib/eventlog/logwrap.c, lib/eventlog/regress/logwrap/check_wrap.c, lib/eventlog/regress/logwrap/check_wrap.in, lib/eventlog/regress/logwrap/check_wrap.out.ok, plugins/sudoers/Makefile.in, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/logwrap.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/logging/check_wrap.in, plugins/sudoers/regress/logging/check_wrap.out.ok, plugins/sudoers/sudoers.c:
Add support for file log line wrapping in libeventlog. [935c30cf7633]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd_conf.c, plugins/sudoers/defaults.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Use real setters for the eventlog config. This makes it possible to have a base config that the callers can modify instead of replacing the config wholesale. [2ca1e7d376c2]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, plugins/sudoers/Makefile.in, plugins/sudoers/audit.c, plugins/sudoers/defaults.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Use libeventlog in sudoers instead of doing our own logging. [d8306755201a]

lib/eventlog/eventlog.c, plugins/sudoers/logging.c:
Log the short version of the tty in sudoers-format logs. This is consistent with historical practice. [69440e4659a8]

lib/eventlog/eventlog.c:
Add default values in eventlog_setconf(). [582d359a8ec0]

include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.c, plugins/sudoers/Makefile.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.h:
Add support for mailing eventlog entries and for logging raw messages. These will be used by the sudoers plugin. [acab8209ddd0]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/iolog/iolog_fileio.c:
If no JSON callback is provided, store the contents of struct eventlog. This moves the JSON formatting of struct eventlog out of libsudo_iolog and into libsudo_eventlog where it belongs. [260a7ec65485]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c:
struct eventlog contains submit_time, no need to pass it in directly. [a3ac404e6a59]

include/sudo_eventlog.h, lib/eventlog/eventlog.c, logsrvd/logsrvd.c:
Add an errstr argument to eventlog_alert(). [e2afd2f1c092]

plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Make a copy of the strings stored in iolog_details and struct eventlog. Previously, we just made the strings const and relied on the front-end not changing them. Now the sudoers I/O log plugin behavior is consistent with the policy plugin. [406632298bd5]

plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Use struct eventlog in iolog_details. [c22e05f420fe]

include/sudo_eventlog.h, include/sudo_iolog.h, lib/eventlog/eventlog.c, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
Use struct eventlog in place of struct iolog_info. [9fef7a5f077b]

logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
No longer need eventlog-related getters in logsrvd.c [e3ab80a9a892]

MANIFEST, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Use libeventlog in sudo_logsrvd. [3dd22be50c30]

MANIFEST, Makefile.in, configure, configure.ac, include/sudo_eventlog.h, lib/eventlog/Makefile.in, lib/eventlog/eventlog.c, logsrvd/logsrvd.h:
Refactor eventlog code into a library [2e02c25be009]

2020-10-20 Todd C. Miller

lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/python/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
regen Makefiles [d9064a0c53ae]

scripts/mkpkg:
Build 64-bit binaries on HP-UX ia64 [3f8b599e7d7f]

2020-10-16 Todd C. Miller

plugins/sudoers/Makefile.in:
Explicitly set umask when running tests. Some tests create files that must not be world-writable. [9186ea1d2696]

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
sudoers_policy_store() -> sudoers_policy_store_result() [3dad5322916b]

2020-10-14 Todd C. Miller

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Rename sudoers_policy_exec_setup() -> sudoers_policy_store(). It is called even when there is no command to execute. Also pass in status of whether or not the command was accepted. [a0ded23e81c4]

2020-10-10 Todd C. Miller

plugins/sudoers/Makefile.in, plugins/sudoers/regress/cvtsudoers/test1.sh, plugins/sudoers/regress/cvtsudoers/test10.sh, plugins/sudoers/regress/cvtsudoers/test11.sh, plugins/sudoers/regress/cvtsudoers/test12.sh, plugins/sudoers/regress/cvtsudoers/test13.sh, plugins/sudoers/regress/cvtsudoers/test14.sh, plugins/sudoers/regress/cvtsudoers/test15.sh, plugins/sudoers/regress/cvtsudoers/test16.sh, plugins/sudoers/regress/cvtsudoers/test17.sh, plugins/sudoers/regress/cvtsudoers/test18.sh, plugins/sudoers/regress/cvtsudoers/test19.sh, plugins/sudoers/regress/cvtsudoers/test2.sh, plugins/sudoers/regress/cvtsudoers/test20.sh, plugins/sudoers/regress/cvtsudoers/test21.sh, plugins/sudoers/regress/cvtsudoers/test22.sh, plugins/sudoers/regress/cvtsudoers/test23.sh, plugins/sudoers/regress/cvtsudoers/test24.sh, plugins/sudoers/regress/cvtsudoers/test25.sh, plugins/sudoers/regress/cvtsudoers/test26.sh, plugins/sudoers/regress/cvtsudoers/test27.sh, plugins/sudoers/regress/cvtsudoers/test28.sh, plugins/sudoers/regress/cvtsudoers/test29.sh, plugins/sudoers/regress/cvtsudoers/test3.sh, plugins/sudoers/regress/cvtsudoers/test30.sh, plugins/sudoers/regress/cvtsudoers/test31.sh, plugins/sudoers/regress/cvtsudoers/test32.sh, plugins/sudoers/regress/cvtsudoers/test33.sh, plugins/sudoers/regress/cvtsudoers/test4.sh, plugins/sudoers/regress/cvtsudoers/test5.sh, plugins/sudoers/regress/cvtsudoers/test6.sh, plugins/sudoers/regress/cvtsudoers/test7.sh, plugins/sudoers/regress/cvtsudoers/test8.sh, plugins/sudoers/regress/cvtsudoers/test9.sh, plugins/sudoers/regress/testsudoers/test1.sh, plugins/sudoers/regress/testsudoers/test10.sh, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test12.sh, plugins/sudoers/regress/testsudoers/test13.sh, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.sh, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/testsudoers/test6.sh, plugins/sudoers/regress/testsudoers/test7.sh, plugins/sudoers/regress/testsudoers/test8.sh, plugins/sudoers/regress/testsudoers/test9.sh, plugins/sudoers/regress/visudo/test1.sh, plugins/sudoers/regress/visudo/test10.sh, plugins/sudoers/regress/visudo/test2.sh, plugins/sudoers/regress/visudo/test3.sh, plugins/sudoers/regress/visudo/test4.sh, plugins/sudoers/regress/visudo/test5.sh, plugins/sudoers/regress/visudo/test6.sh, plugins/sudoers/regress/visudo/test7.sh, plugins/sudoers/regress/visudo/test8.sh, plugins/sudoers/regress/visudo/test9.sh:
Pass path to testsudoers, visudo or cvtsudoers in the environment. Falls back on the unqualified command if the environment variable is not set. [a7b8c413b66d]

2020-10-09 Todd C. Miller

plugins/sudoers/sssd.c:
Init cmnds to NULL in rule_to_priv() so we don’t free a bogus pointer. In the sssd backend, the rule_to_priv() cleanup code assumes cmnds can be passed to fn_free_values(), which was not the case if we receive an error getting values for “sudoCommand”. This is a regression introduced in sudo 1.9.1. Fix from Ron Bowes. GitHub issue #67. [a3fe4615f039]

2020-10-06 Todd C. Miller

plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h:
Pass runchroot to match_digest() too. We use the open fd for the actual I/O but having runchroot makes it possible to report the correct file name in error messages. [2e1d142e2fe5]

2020-10-04 Todd C. Miller

NEWS:
GitHub issue #61 was fixed in sudo 1.9.3. [55e54b3111f0]

2020-09-29 Todd C. Miller

plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults:
Fix indentation of enum def_tuple. [237db08cc1a3]

2020-09-28 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Remove special case EOF handling; lines now always end in a newline. Previously we needed to emulate some of the state transitions that happen at end-of-line at end-of-file as well. Those are no longer needed now that we are guaranteed to always have a newline at the end. [4c0c21b081f7]

2020-09-27 Todd C. Miller

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Increment sudolinebuf.size after realloc(). [b871905c3442]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add a newline at end of line if one is missing. This is simpler than having to support entries that end at EOF too. [cb335acb1064]

MANIFEST, plugins/sudoers/regress/testsudoers/test14.out.ok, plugins/sudoers/regress/testsudoers/test14.sh, plugins/sudoers/regress/testsudoers/test15.out.ok, plugins/sudoers/regress/testsudoers/test15.sh:
Add tests for entries without a newline. [98a50d8301a8]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Fix handling of a command spec without a newline at the end. For include files, we may need to inject a newline token now that the grammar requires lines to end with a newline or EOF. There is no END (EOF) token processed after popping off an include file since everything is just treated as one big file. [3e6c62ea7237]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Mark sudoerserror() messages for translation. [d6a173cea48b]

plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Fix line number accounting when a string contains a newline. Strings are not allowed to span multiple lines without a continuation character. Also provide a better error message if we are in the middle of a string and hit EOF. [cf34b0a3beba]

2020-09-26 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Use sudoerschar (yychar) instead of last_token. The parser already provides a way to examing the last token processed, we don’t need to add our own. [ba35fe36bd56]

2020-09-25 Todd C. Miller

lib/util/closefrom.c, lib/util/getentropy.c, lib/util/pipe2.c, lib/util/term.c, lib/util/ttyname_dev.c, plugins/sudoers/auth/pam.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/env.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/gmtoff.c, plugins/sudoers/locale.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/starttime.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h, src/tgetpass.c, src/ttyname.c:
Fix -Wshadow warnings. [5480e97a1160]

configure, configure.ac:
Add -Wshadow to warning flags if the compiler supports it. [6f29b5ebc2b8]

MANIFEST, plugins/sudoers/regress/testsudoers/test13.out.ok, plugins/sudoers/regress/testsudoers/test13.sh:
Add test for syntax error when defining an alias using a reserved word. [4c90b3952ed1]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Fix pasto, TIMEOUT not CMND_TIMEOUT. [842ad3a578f2]

NEWS, doc/UPGRADE, doc/sudoers.man.in, doc/sudoers.man.in.sed, doc/sudoers.mdoc.in:
Document reserved words that cannot be used as alias names. Bug #941 [4b37a2174cd2]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/sudoers_version.h:
Detect when a reserved word is used when declaring an alias. Now instead of “syntax error, unexpected CHROOT, expecting ALIAS” the message is “syntax error, reserved word used as an alias name” Bug #941 [dfc55de5526c]

2020-09-23 Todd C. Miller

plugins/sudoers/sudoers.c:
Fix potential NULL deref in debug code. [c6b8910ac7dc]

plugins/sudoers/getspwuid.c:
Close the passwd db before calling getpwnam_shadow(3). Otherwise, we will get the non-shadow passwd entry (”*") since we called setpassent(3) earlier to keep the passwd db open. [71ee5e16e4c5]

configure, configure.ac:
Fix configure test for crypt(3) when it is present in libc. Fixes a regression introduced in sudo 1.9.3. [0d77733de667]

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/sudoers.c:
Add SLOG_AUDIT flag for log_warningx() to also audit the message. This lets us combine audit_failure() and log_warningx() calls with the same message. [23a8a5eab2ff]

plugins/sudoers/sudoers.c:
Log when user-specified command line options are rejected by sudoers. We already audit those but in some cases they were not logged as well. [30d991993763]

NEWS, configure, configure.ac:
Update for sudo 1.9.3p1 [0cbbb7608c3f]

2020-09-20 Todd C. Miller

configure, configure.ac:
Move warning about plaintext password to the end of configure. It is unlikely to be noticed at the beginning of the output. [b3b5abcedc73]

2020-09-19 Todd C. Miller

plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po:
Updated translations from translationproject.org [54b5484b2756]

2020-09-18 Todd C. Miller

config.h.in, configure, configure.ac, plugins/sudoers/auth/passwd.c:
Use a simple string compare on systems without crypt(3). This is only used on systems without PAM, BSD authentication or AIX authentication. Bug #940. [aed39197f364]

src/utmp.c:
Fix typo in last commit. [30a77a50f7b2]

2020-09-17 Todd C. Miller

src/sudo_edit.c:
Only use faccessat(3) if AT_EACCESS is defined. Apparently Android (bionic) has faccessat() but not AT_EACCESS. Bug #940. [18604919a023]

src/utmp.c:
Guard use of ttyslot() with HAVE_TTYSLOT, fix guard for utmp_setid(). This should make it easier to compile sudo on Android which doesn’t provide a way to write to the utmp file. Bug #940. [69fe5b8426cd]

2020-09-16 Todd C. Miller

po/zh_CN.mo, po/zh_CN.po:
Updated translations from translationproject.org [ef72535d71a5]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sr.mo, po/sr.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [48fdb293a803]

configure, configure.ac, plugins/sudoers/po/sudoers.pot:
Back out sudo 1.9.3b1 version change. [70cee88da8b1]

2020-09-14 Todd C. Miller

NEWS, configure, configure.ac, plugins/sudoers/defaults.c, plugins/sudoers/po/sudoers.pot:
Fix typo in warning for T_CHPATH, list ‘~’ not ‘*’ twice. Bug #938 [d516bebe9644]

2020-09-12 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
Update .pot files for 1.9.3. [47cedd231dd6]

2020-09-10 Todd C. Miller

plugins/sudoers/iolog_client.c:
Add missing check for strdup() failure. Coverity CID 214243 [86cf4da0cd81]

examples/sudoers:
Sync example sudoers with manual page. [1ccf32907f11]

2020-09-09 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Add simple runchroot and runcwd examples. Also document the limitation of command-based Defaults settings. [6a610884670c]

plugins/sudoers/sudoers.c:
Add callback for runchroot Defaults and require password -D/-R checks. Using a command-based Default for runchroot will still only work for paths that exist both in and outside the chroot. [a50148e16b89]

plugins/sudoers/defaults.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c:
Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings. [c71faa1f5ea1]

plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/stubs.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule. [d8765611b48c]

2020-09-06 Todd C. Miller

configure, configure.ac:
Remove closefrom_fallback() from lib/util/util.exp. It is a static function and should not be exported. [dc09dc563197]

2020-09-06 Evan Anderson

configure, m4/sudo.m4:
configure: Fix runstatedir handling for distros that do not support it

runstatedir was added in yet-to-be released autoconf 2.70. Some distros are shipping this addition in their autoconf packages, but others, such as Fedora, are not. This causes the rundir variable to be set incorrectly if the configure script is regenerated with an unpatched autoconf since the runstatedir variable set is deleted after regeneration. This change works around that problem by checking that runstatedir is non-empty before potentially using it to set the rundir variable [35c1eb25dd9d]

2020-09-05 Todd C. Miller

lib/util/Makefile.in:
We need to link with NET_LIBS for gai_strerror() on some systems. From Tim Rice [b10aeb7ec2ed]

ltmain.sh:
Fix sco library versioning; fallout from frebsd-elf reorg. From Tim Rice [072a37c2d3cb]

configure, configure.ac:
SVR4/5 fixes and long password support for OpenServer 6 & 5. From Tim Rice [8622970c77c3]

lib/logsrv/protobuf-c.c:
Use config.h to handle systems without inline function support. [1ba5301de713]

configure, configure.ac:
Prefer dlopen() over shl_load() on HP-UX 11.11 and higher. [065316970f79]

include/sudo_fatal.h, lib/util/fatal.c:
Define sudo_warn_setlocale_t and use sudo_conv_t in sudo_fatal.h. Works around a bug in older versions of the HP ANSI C compiler and results in more readable code. [0e53ec783100]

configure, configure.ac:
HP-UX cc may not allow __declspec(dllexport) to be used in conjunction with “#pragma HP_DEFINED_EXTERNAL” when redefining standard libc functions. [7190082c3a09]

2020-09-04 Todd C. Miller

configure, configure.ac:
Fix check for hiding unexported symbols on HP-UX. We need to pass the -b option to the compiler, not just the linker, so it will choose the PIC C runtime. [bc1b9351cbce]

src/regress/ttyname/check_ttyname.c:
Check that the files are character devices before comparing st_rdev. [d9f8b730d131]

src/regress/ttyname/check_ttyname.c:
Fix regress when ttyname(3) returns the same device under a different name. On systems that have both new and old pty names we can end up with a name mismatch even though the underlying device is the same. [3760f44d81d4]

plugins/sudoers/regress/testsudoers/test3.sh:
Use the same pattern of redefining TESTDIR as test10.sh. Adapted from a diff from Tim Rice. [378590625bfd]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Rename sa_len -> sa_size to avoid a conflict on UnixWare and others. On some systems, sa_len is a #define for 4.4BSD compatibility. [a369d15175dd]

plugins/sudoers/pwutil.c:
Include strings.h for strcasecmp(3). From Tim Rice [27be3ee47426]

lib/util/getentropy.c:
Add missing #ifdef HAVE_CLOCK_GETTIME in getentropy_fallback() From Tim Rice [4bdcf1048196]

plugins/sudoers/Makefile.in:
Regen for check_exptilde.o [b3e2a87b5144]

lib/util/Makefile.in, scripts/mkdep.pl:
Add missing dependency info for cfmakeraw.lo in lib/util/Makefile.in From Tim Rice [18d953844745]

plugins/sudoers/auth/pam.c:
Be consistent and use __hpux not hpux like the rest of sudo. [dd5ef59dc980]

lib/logsrv/protobuf-c.c:
Replace “static inline” with “static __inline” for older compilers. [a09412277d0f]

MANIFEST, include/log_server.pb-c.h, lib/logsrv/Makefile.in, lib/logsrv/log_server.pb-c.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c, scripts/unanon:
Post-process protoc-c files to avoid depending on anonymous unions. Based on a patch from Michael Osipov. GitHub issue #60 [13ab1ec22477]

src/preload.c:
Add sudoers_audit to sudo_sudoers_plugin_symbols[] array. Fixes loading of sudoers_audit when configured with –enable-static- sudoers. GitHub issue #61 [f0bd4b5cd7b3]

2020-09-03 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Fix copy and paste error; Coverity CID 214191 [49044d66dffc]

plugins/sudoers/visudo.c:
Fix memory leak on error found by the clang 10.01 analyzer. [12de4dd014eb]

src/limits.c:
Use correct size for curlim and maxlim. [1fc6aea5ece0]

configure, configure.ac, doc/Makefile.in:
Only install man pages for logsrvd and python plugin if we build them. GitHub issue #58 [e92799dd4886]

Makefile.in, configure, configure.ac, doc/Makefile.in:
Remove obsolete mansrcdir variable, add _SRC suffix to LOGSRV and LOGSRVD [aa9c0f8cb227]

2020-09-02 Todd C. Miller

logsrvd/eventlog.c, plugins/sudoers/logging.c:
If the command was run in a chroot, add it to the log. [0cda78f7ed40]

MANIFEST, plugins/sudoers/regress/testsudoers/test12.out.ok, plugins/sudoers/regress/testsudoers/test12.sh:
Add test of multiple syntax errors. Where possible, the portion of the line before the error should be still be interpreted. [3af61a54586f]

logsrvd/eventlog.c, logsrvd/iolog_writer.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Log the runcwd not submitcwd in the sudo-style log file. The log entry should reflect the working directory the command actually ran in. [a477dee74683]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Fix error recovery in a privilege after a ‘:’ separator. [02c4b5872a38]

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Initialize runchroot and runcwd in init_options() [13bebf71955d]

MANIFEST:
Fix path to check_exptilde.c [7dc831cbd59d]

include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/logsrv/protobuf-c.c:
Update to protobuf-c 1.3.3 [22a88bccb611]

2020-09-01 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.h:
Regenerate the parser with “bison -y” for verbose syntax error messages. [e1530c5b8960]

NEWS:
Add chroot/chdir changes. [9367855da7d1]

doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/parse_args.c, src/sudo_usage.h.in:
Support “” for CWD/CHROOT to allow user to specify cwd or chroot. Adds two new command line options, -D (–chdir) and -R (–chroot) that can only be used when sudoers sets runcwd or runchroot to “”. [afeb73867b66]

MANIFEST, lib/util/Makefile.in, plugins/sudoers/Makefile.in, plugins/sudoers/exptilde.c, plugins/sudoers/regress/exptilde/check_exptilde.c:
Unit test for exptilde [f0d7b0031fea]

MANIFEST, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap_util.c, plugins/sudoers/parse.c, plugins/sudoers/regress/sudoers/test24.in, plugins/sudoers/regress/sudoers/test24.json.ok, plugins/sudoers/regress/sudoers/test24.ldif.ok, plugins/sudoers/regress/sudoers/test24.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test24.out.ok, plugins/sudoers/regress/sudoers/test24.sudo.ok, plugins/sudoers/regress/sudoers/test24.toke.ok:
Add support for runchroot and runcwd to “sudo -l” and cvtsudoers. [9f5ecd22d822]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Read/write runchroot and runcwd entries in the JSON event log. [3edb8305abe9]

MANIFEST, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/defaults.h, plugins/sudoers/exptilde.c, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/parse.h, plugins/sudoers/policy.c, plugins/sudoers/regress/sudoers/test1.toke.ok, plugins/sudoers/regress/sudoers/test11.toke.ok, plugins/sudoers/regress/sudoers/test12.toke.ok, plugins/sudoers/regress/sudoers/test13.toke.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/regress/sudoers/test15.toke.ok, plugins/sudoers/regress/sudoers/test16.toke.ok, plugins/sudoers/regress/sudoers/test17.toke.ok, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test19.toke.ok, plugins/sudoers/regress/sudoers/test22.toke.ok, plugins/sudoers/regress/sudoers/test3.toke.ok, plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test6.toke.ok, plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/sudoers.h, plugins/sudoers/sudoers_version.h, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add CHROOT and CWD sudoers options. Also matching runchroot and runcwd Defaults settings. [2f0aca92c360]

2020-08-31 Todd C. Miller

NEWS, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/python/regress/testdata/check_multipl e_approval_plugin_and_arguments.stdout, src/exec.c, src/limits.c, src/sudo.c, src/sudo.h:
Pass resource limits values to the plugin in user_info[] Sudo resets the resource limits early in its execution so the plugin cannot tell what the original limits were itself. [64957c5875f3]

doc/Makefile.in, doc/sudo_logsrvd.man.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, lib/logsrv/Makefile.in, lib/util/cfmakeraw.c, lib/util/fchmodat.c, lib/util/fstatat.c, lib/util/getdelim.c, lib/util/getusershell.c, lib/util/openat.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/roundup.c, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/term.c, lib/util/unlinkat.c, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, plugins/python/Makefile.in, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_importblocker.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_debug.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h, plugins/sudoers/fmtsudoers.c, plugins/sudoers/group_plugin.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/set_perms.c, plugins/sudoers/starttime.c, plugins/sudoers/tsdump.c, src/exec_monitor.c, src/exec_nopty.c, src/limits.c, src/ttyname.c:
Update copyright year on some files where it was out of date. [2086262cd012]

2020-08-27 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in:
Refer to “syntax error” instead of “parse error”. This is the term the parser uses when there is an actual error. [7134b6869432]

plugins/sudoers/visudo.c:
Remove superfluous “parse error in sudoers near line N” message. The sudoers parser now produces better syntax error messages so we don’t need visudo to print its own. [9c32131fb6ac]

plugins/sudoers/visudo.c:
Don’t override errorfile and errorlineno set by check_aliases(). Now that alias parsing stores the file and line number, visudo can use that information to go to the line with an error when re-editing. [896d1f73ca02]

2020-08-25 Todd C. Miller

config.h.in, configure, configure.ac, lib/util/sig2str.c, lib/util/str2sig.c:
Use sigabbrev_np(3) to access signal abbreviations if supported. glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead. [e30482f26924]

2020-08-17 Todd C. Miller

NEWS:
Briefly describe how to restore historical parse error behavior. [1ede927d99b3]

NEWS, doc/UPGRADE:
Mention eof-of-line terminator and plugin argument changes. [96cd7a3477fa]

doc/sudoers.man.in, doc/sudoers.mdoc.in, src/load_plugins.c:
Fix sudoers_policy plugin options when sudoers_audit is not listed. As of sudo 1.9.1 the sudoers file is opened by the audit plugin, not the policy plugin. As a result, plugin options set for sudoers_policy have no effect. If sudoers_policy has plugin options in sudo.conf and sudoers_audit is not listed, move the options to sudoers_audit so they will have an effect. [839a9a9c0cc3]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/file.c, plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
sudoers error recovery can be configured via an “error_recovery” setting. This setting is an argument to the sudoers plugin, similar to how sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented. The default value is true. [86f7059f9e45]

plugins/sudoers/regress/testsudoers/test11.sh:
Make this test pass with bison’s verbose error messages. [a2a8e4ca3f63]

2020-08-16 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Recover from a syntax error after the ‘:’ in a privilege spec. For compound privilege specs, don’t throw away the entire thing if we have a syntax error, only the part after the error is encountered. [d6ef4e6ca624]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/sudoers/test5.toke.ok:
Add explicit end-of-line matching in the parser for better error messages. A valid line in sudoers must end in a newline or EOF. Previously, it was possible (though not documented) to have multiple user specs on a single line. Now, each must be on its own line. [9f513e9b10ee]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add NOMATCH token and use it in the lexer for an unmatched pattern. The ERROR token is now only used for errors detected by the lexer and for which we’ve already printed an error. This lets us remove the hack in sudoerserror() and just check last_token to determine whether or not to display the error. [0ca11ad5b7f3]

2020-08-15 Todd C. Miller

plugins/sudoers/gram.c, plugins/sudoers/gram.y:
Enable error recovery for syntax erorrs that don’t end with a newline. A syntax error on the last line of a sudoers file with no trailing newline is now recoverable. [020f76d7f369]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok:
Add error recovery for unexpected tokens after include/includedir. [1aedd819916d]

NEWS:
Sudo 1.9.3 changes so far. [bc6c6321a065]

configure, configure.ac:
sudo 1.9.3 [432950d9f778]

2020-08-14 Todd C. Miller

scripts/pp:
Format the macOS minor version number with two digits. This way we get consistent 4-digit version numbers even for macOS verions like 10.3 or 11.0 where the minor number is a single digit. For example. 10.3 will be formatted as 1003 and 11.0 will be 1100. [7f48e10be9ae]

2020-08-13 Todd C. Miller

lib/zlib/infback.c, lib/zlib/inflate.c:
Add missing ZFALLTHROUGH and use spaces not tabs. [4b1c71cfb8a9]

scripts/pp:
Fix probe for macOS Big Sur “sw_vers -productName” now returns “macOS”, not “Mac OS X” [4caad8ca5b0c]

2020-08-12 Todd C. Miller

plugins/python/pyhelpers.c, plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c, src/parse_args.c, src/selinux.c:
Fix some warnings from pvs-studio [fa83bb619209]

Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/util/aix.c, lib/util/sudo_debug.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/env.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/parse.c, plugins/sudoers/policy.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c, src/copy_file.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/load_plugins.c, src/parse_args.c, src/selinux.c, src/sesh.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/utmp.c:
Fix some warnings from pvs-studio [164a51c446da]

plugins/sudoers/ldap.c, plugins/sudoers/ldap_util.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sssd.c:
Use angle quotes when including gram.h and def_data.c. Otherwise, we can include the wrong file when doing an out-of-source build when configured using –with-devel. [105e52a86e22]

lib/util/fatal.c, lib/util/regress/fnmatch/fnm_test.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/iolog_client.c, plugins/sudoers/logging.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/visudo.c, src/parse_args.c:
Move inclusion of compat headers up with the system headers. Now that sudo_dso_public is defined in config.h we don’t need sudo_compat.h before including the compat headers. [da2103ee7ba8]

config.h.in, configure.ac, include/compat/fnmatch.h, include/compat/getaddrinfo.h, include/compat/getopt.h, include/compat/glob.h, include/compat/sha2.h, include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_digest.h, include/sudo_dso.h, include/sudo_event.h, include/sudo_fatal.h, include/sudo_json.h, include/sudo_lbuf.h, include/sudo_rand.h, include/sudo_util.h, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/term.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/audit.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/env_hooks.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/sesh.c, src/sudo.c, src/sudo_noexec.c:
Rename __dso_public -> sudo_dso_public and move to config.h. [12550ec04e3a]

lib/iolog/host_port.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/util/ttyname_dev.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/audit_json/audit_json.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/locale.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/net_ifs.c, src/sesh.c, src/sudo.h:
We no longer need to include sudo_gettext.h before sudo_compat.h [660770ab7e7b]

.gitignore, .hgignore:
Add *.map to the ignore file. [e96b46d418db]

2020-08-11 Todd C. Miller

etc/uncrustify.cfg:
Update to uncrustify 0.71.0 [dabd7b24c0d9]

doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Mention visudo in sudo(8) and document sudoers error recovery. [44acd34811fb]

2020-08-10 Todd C. Miller

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/freezero.c, lib/util/getentropy.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, scripts/mkdep.pl, src/conversation.c:
Use OpenBSD-compatible freezero() in place of explicit_bzero() + free() [af0a9ed1e259]

MANIFEST, config.h.in, configure, configure.ac, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_compat.h, include/sudo_plugin.h, lib/util/Makefile.in, lib/util/arc4random.c, lib/util/explicit_bzero.c, lib/util/getentropy.c, lib/util/memset_s.c, lib/util/sha2.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, scripts/mkdep.pl, src/conversation.c:
Switch from memset_s() -> explicit_bzero(). memset_s() (and all of Annex K) is likely to be removed from the a future version of the standard. [c0f81ef1ee3c]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Define YYERROR_VERBOSE for bison and rename COMMENT -> ‘\n’ This results in better error messages when there is a parse error [7ba896f285a9]

plugins/sudoers/mkdefaults:
Some minor cleanup. Use ntuples instead of tuple_last Strip leading and trailing double quotes using a single gsub() ntuples will never be zero so don’t bother checking No need to explicitly close files in END [b841147900df]

2020-08-07 Todd C. Miller

lib/util/event.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/linux_audit.c, plugins/sudoers/logging.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, src/selinux.c:
Quiet some clang 10 analyzer warnings. [4147311f6278]

logsrvd/sendlog.c:
Refactor freeing of InfoMessage list into free_info_messages(). Also fixes a false positive from the clang analyzer. [25a6f0035a33]

plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test11.sh:
Require that a @include line end with a newline or EOF. We now parse the entire line before reading the include file. This is less surprising behavior and results in better error messages. [ad6a2c991db6]

plugins/sudoers/defaults.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.c, plugins/sudoers/regress/sudoers/test1.out.ok, plugins/sudoers/regress/sudoers/test10.out.ok, plugins/sudoers/regress/sudoers/test11.out.ok, plugins/sudoers/regress/sudoers/test12.out.ok, plugins/sudoers/regress/sudoers/test13.out.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test15.out.ok, plugins/sudoers/regress/sudoers/test16.out.ok, plugins/sudoers/regress/sudoers/test17.out.ok, plugins/sudoers/regress/sudoers/test18.out.ok, plugins/sudoers/regress/sudoers/test18.toke.ok, plugins/sudoers/regress/sudoers/test19.out.ok, plugins/sudoers/regress/sudoers/test2.out.ok, plugins/sudoers/regress/sudoers/test20.out.ok, plugins/sudoers/regress/sudoers/test21.out.ok, plugins/sudoers/regress/sudoers/test22.out.ok, plugins/sudoers/regress/sudoers/test23.out.ok, plugins/sudoers/regress/sudoers/test3.out.ok, plugins/sudoers/regress/sudoers/test4.out.ok, plugins/sudoers/regress/sudoers/test4.toke.ok, plugins/sudoers/regress/sudoers/test5.out.ok, plugins/sudoers/regress/sudoers/test5.toke.ok, plugins/sudoers/regress/sudoers/test6.out.ok, plugins/sudoers/regress/sudoers/test7.out.ok, plugins/sudoers/regress/sudoers/test7.toke.ok, plugins/sudoers/regress/sudoers/test8.out.ok, plugins/sudoers/regress/sudoers/test8.toke.ok, plugins/sudoers/regress/sudoers/test9.out.ok, plugins/sudoers/regress/testsudoers/test1.out.ok, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test4.out.ok, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test6.out.ok, plugins/sudoers/regress/testsudoers/test7.out.ok, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/regress/visudo/test2.err.ok, plugins/sudoers/regress/visudo/test3.err.ok, plugins/sudoers/regress/visudo/test8.err.ok, plugins/sudoers/regress/visudo/test8.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
Display more specific parser error messages when possible. [91dd5d67bb83]

plugins/sudoers/file.c:
Let the sudoers parser recover after a parse error. We currently just discard the line with the error. [712537665215]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
Keep track of the position of the current token for error messages. [a5f6bd38267e]

2020-08-06 Todd C. Miller

plugins/sudoers/Makefile.in:
regen [28026a042255]

plugins/sample_approval/sample_approval.exp:
Sync sample_approval.exp with sample_approval.c [e810da8a6772]

plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
Store the current line in our own buffer for better error messages. [33b2042e0028]

2020-08-05 Todd C. Miller

etc/sudo-logsrvd.pp, etc/sudo.pp, scripts/mkpkg:
Fix libssl dependency on Debian-based systems. Older systems may still have libssl1.0.0, not libssl1.1. [0de802ec595a]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Add workaround for yyless() not resetting yy_at_bol. [5defcd893f6a]

2020-08-03 Todd C. Miller

configure, configure.ac:
Always use a linker script to hide symbols if it is supported. We use this even if the compiler has symbol visibility support so we will notice mismatches between the exports file and __dso_public annotations in the source code. [1679ac3124b1]

MANIFEST, configure, configure.ac, plugins/python/python_plugin.exp, plugins/python/python_plugin.exp.in:
Rename python_plugin.exp.in -> python_plugin.exp There is nothing dynamic in this file. [f34cc08c026c]

MANIFEST, configure, configure.ac, plugins/python/python_plugin.exp.in, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_audit_multi.inc:
Add missing python_plugin.exp.in file and remove unneeded __dso_public This fixes building the python plugin on systems where the compiler doesn’t support symbol hiding (but wherethe linker does). [e0305faf8282]

2020-08-02 Todd C. Miller

plugins/sudoers/mkdefaults:
Use “foo in bar” syntax for testing existence of a key. [0807ae0db0a7]

plugins/sudoers/Makefile.in, plugins/sudoers/toke.c:
Replace /FALLTHROUGH/ in generated code. [a7590ec10b16]

2020-08-01 Todd C. Miller

lib/zlib/infback.c, lib/zlib/inflate.c, lib/zlib/zconf.h.in:
Add ZFALLTHROUGH macro to use instead of /* FALLTHROUGH */ comments. [92ec8a466095]

config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/arc4random_buf.c, lib/util/glob.c, lib/util/snprintf.c, lib/util/strtonum.c, logsrvd/sendlog.c, plugins/python/pyhelpers.c, plugins/sudoers/auth/pam.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/sssd.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/timestamp.c, plugins/sudoers/visudo.c, src/conversation.c, src/exec_monitor.c, src/exec_pty.c, src/parse_args.c, src/regress/noexec/check_noexec.c, src/tgetpass.c:
Use the fallthrough attribute instead of /* FALLTHROUGH */ comments. [ce33e87ddfd6]

2020-07-30 Todd C. Miller

plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/mkdefaults:
Rewrite mkdefaults in awk. [f069ca4eae59]

2020-07-22 Todd C. Miller

doc/CONTRIBUTORS:
Update translators. [5252e2d1a61a]

doc/sudo.man.in, doc/sudo.mdoc.in, src/copy_file.c:
Prompt user before truncating a file to zero bytes. Bug #922. [8bfaa57d5bd4]

2020-07-21 kuberlog

config.h.in, configure.ac:
configure.ac: fix documentation about lecture [382c2809eda1]

2020-07-19 Todd C. Miller

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/ro.mo, po/ro.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [74fbf2ca39e1]

2020-07-16 Todd C. Miller

configure, configure.ac:
Handle openssl where there is no separate libcrypto pkgconfig file. In this case, just use the full openssl libs to get the sha2 functions. [f724510bb416]

INSTALL, configure, configure.ac:
Ignore –enable-gcrypt if –enable-openssl is also specified. [39d493d7e549]

2020-07-15 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.2 [9af764b239c2]

config.h.in, configure, configure.ac:
Fix some warnings displayed by autoconf 2.69b This fixes the missing HAVE_GSSAPI_GSSAPI_H define in config.h.in. TODO: replace shadow_funcs variable in function checks with literals [9d8f67e1f8fe]

2020-07-12 Todd C. Miller

plugins/sudoers/audit.c:
Initialize sudo_conv and sudo_printf in sudoers_audit_open(). We will need them if there is an error parsing sudoers and leaving them unset can result in NULL deref. Also set the text domain to “sudoers” like we do for the policy and I/O logging open functions. Bug #934. [e88919ff4900]

2020-07-11 Todd C. Miller

plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, po/it.mo, po/it.po, po/ko.mo, po/ko.po, po/ro.mo, po/ro.po:
Updated translations from translationproject.org [2488a1479208]

2020-07-06 Todd C. Miller

plugins/sudoers/sudoers.exp:
Export sudoers_audit symbol for compilers without symbol visibility. [081f6729cb38]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document the contents of the log.json file. [b1ea749fffc2]

lib/iolog/iolog_fileio.c:
Fix typo, runas_uid should be runas_gid. [7b2c0fd84a60]

examples/sudo.conf.in:
Add sudoers_audit line for completeness, matching the documentation. When sudoers is loaded as a policy plugin, it will be loaded automatically as an audit plugin. Listing it explicitly in the default sudo.conf file helps bring attention to the fact that sudoers now supports the audit plugin type. [7145a02ed280]

plugins/sudoers/defaults.c:
Add some debugging statements around Defaults lookup. [b95e2a9b6555]

plugins/sudoers/sudoers.in:
Replace #includedir with @includedir in default sudoers file. [d18945ec728e]

2020-06-26 Todd C. Miller

configure, m4/libtool.m4:
Allow HP-UX share libs and modules to link against static libs. hppa64 and ia64 use PIC by default [0553c60b922a]

2020-06-25 Todd C. Miller

configure, configure.ac:
Use pkg-config to find the openssl cflags and libs if possible. We support linking against static openssl libs too. [55442f4fea5e]

2020-06-24 Todd C. Miller

scripts/pp:
Fix parsing of /etc/redhat-release on RHEL 8. RedHat dropped the word “server” from the release name in redhat-release which results in the awk script printing the wrong field. Instead of using awk, just use sed to pull out the version number immediately following the word “release”. [a283acb4622a]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen without `scare quotes’ [31f021892137]

plugins/sudoers/def_data.c, plugins/sudoers/def_data.in, src/parse_args.c, src/sudo.c:
Replace or remove use of `scare quotes’ These don’t translate well and look odd in many fonts. [3c7fa8f93543]

2020-06-20 Todd C. Miller

lib/zlib/infback.c, lib/zlib/inflate.c:
Add FALLTHROUGH comments to quiet -Wimplicit-fallthrough [f724957b7cae]

src/solaris.c:
Fix implicit fallthrough warning and add break to default cases. [74d8c68eb160]

configure, configure.ac, m4/ax_func_snprintf.m4, m4/sudo.m4:
Fix some warnings from configure test programs. [6cff0cdb066a]

configure, configure.ac:
Add -Wimplicit-fallthrough to –enable-warnings if available. Note that clang 10 has support for -Wimplicit-fallthrough in C code but doesn’t recognize lint-style FALLTHROUGH comments like gcc does so we can’t use it. [cf70a1ab3ea9]

configure, configure.ac:
Drop old test for -lcposix for ISC Unix. [1bfd474c8819]

2020-06-19 Todd C. Miller

README:
Mention sudo-blog announce list. [526dc0cc1e83]

NEWS:
Bugs #860 and #917 were fixed in 1.9.0. [51a347785dbf]

2020-06-18 Todd C. Miller

plugins/sudoers/po/sudoers.pot:
regen to fix a typo [9755e76fcd8b]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
Add regress test to catch swapids() bug when called by iolog_mkdtemp() [deff1dc2f144]

plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, po/ro.mo, po/ro.po:
Updated translations from translationproject.org [9007c89029ea]

2020-06-16 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
Document the order in which the plugin open/close functions are called. [48ec66882e1a]

NEWS, lib/iolog/iolog_fileio.c:
Fix a typo that prevented swapids() from restoring the original gid. This led to a regression when the iolog_file setting ends in six or more X’s or when the I/O logs are stored on NFS. [522d8ec470cb]

2020-06-15 Todd C. Miller

src/exec_monitor.c, src/exec_pty.c, src/get_pty.c, src/sudo.h, src/sudo_exec.h:
Replace master/slave in code with leader/follower. [230f5343d961]

NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, examples/sudoers, plugins/sudoers/regress/cvtsudoers/sudoers, plugins/sudoers/regress/cvtsudoers/sudoers.defs, plugins/sudoers/regress/cvtsudoers/test13.out.ok, plugins/sudoers/regress/cvtsudoers/test19.out.ok, plugins/sudoers/regress/visudo/test6.sh:
Replace terms master and blacklist in docs and examples. [2908ac6c0fe0]

NEWS:
Bug #929 [c1f5a01d1af6]

2020-06-14 Todd C. Miller

src/sudo_edit.c:
Clean up temporary sudoedit files on success; Bug #929 This is a regression introduced in sudo 1.9.0. [2bc4822b7382]

2020-06-12 Todd C. Miller

NEWS:
New Romanian translation [fd753dfa0a84]

2020-06-11 Todd C. Miller

plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [570aacc81015]

MANIFEST, doc/CONTRIBUTORS, plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po, po/ro.mo, po/ro.po:
Romanian translation from translationproject.org. [1e277907378e]

NEWS:
Add missing entry for the LDAP/SSSD sudoHost regression. Also add new Romanian translation [624eb5e8e612]

2020-06-07 Todd C. Miller

plugins/sudoers/sudoers.c:
Fix a typo in the audit string when “sudo -E” is not allowed. [85bcb3b1f7d8]

2020-06-06 Todd C. Miller

plugins/python/regress/testhelpers.c:
Check asprintf() return value. [456bb2d7c37f]

scripts/mkpkg:
Prefer the python3 in /usr/bin on Solaris. The /opt/csw version, if it exists, may be a 32-bit version which we can’t link with. Also handle the case where the /usr/bin/python3 link is missing. [2ed7715e6b2e]

config.h.in, configure, configure.ac, include/sudo_compat.h:
Declare getdelim(3) if it exists in libc but is not prototyped in stdio.h. This can happen on systems with a gcc packages that was built on and older versions of the OS where getdelim(3) was not present. [e78803280641]

aclocal.m4, configure, configure.ac:
For python3-config, only use -I and -L/-l from –cflags and –ldflags output. Otherwise we may get other flags used to build python that conflict with what sudo uses. [7a8d3c5fd2ae]

scripts/mkpkg:
Build 64-bit binaries and the python package on Solaris 11 and above. No longer prefer the Solaris Studio C compiler over gcc, it causes issues with the Python plugin. [a92f9641bd07]

logsrvd/sendlog.c:
Fix memory leak on error in fmt_info_messages(). [511ac9ba6819]

NEWS:
Update for 1.9.1b1 [562b0add8e04]

2020-06-05 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen for sudo 1.9.1 [8960aceb2519]

2020-06-04 Todd C. Miller

plugins/sudoers/audit.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h:
Add basic support for reject and error audit events to sudoers. This is only used when logging events from plugins other than sudoers, such as an approval plugin. With this change, if an approval plugin rejects the command the denial will be logged in the sudoers log file using the message from the approval plugin. [c7abc39b0e37]

plugins/sudoers/bsm_audit.c, plugins/sudoers/solaris_audit.c, scripts/mkpkg:
Fix Solaris and BSM audit warnings. Use BSM audit on Illumos, which lacks Solaris audit. [3844e8a24f59]

plugins/sudoers/policy.c:
Track whether the session was opened in sudoers. In sudoers_policy_close() only warn about being unable to run the command if we actually opened the session (and thus passed all approval plugins). [f99b434d121b]

src/sudo.c:
Only display an error in the built-in policy close if command is set. If a policy or approval plugin denies the command, command_details will not have been filled out. [245024004df2]

plugins/sudoers/ldap.c, plugins/sudoers/parse.c, plugins/sudoers/sssd.c:
Avoid passing NULL to printf in match debug code for LDAP/SSSD. The file name in struct userspec was not set for the LDAP and SSSD backends. There is no actual file in this case so set the name to LDAP/SSSD. Also add a guard to make sure we don’t try to print NULL in sudoers_lookup_check() if name is left unset. [240efcda496e]

2020-06-03 Todd C. Miller

plugins/sudoers/linux_audit.c, plugins/sudoers/linux_audit.h:
Add missing const to linux_audit_command()’s argv function argument. [cb219f1ccb6e]

plugins/sudoers/ldap.c, plugins/sudoers/sssd.c:
When converting LDAP to sudoers, ignore entries with no sudoHost attribute. Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as as the “ALL” wildcard. This regression was introduced in sudo 1.8.23, which was the first version to convert LDAP sudoRole objects to sudoers internal data structures. Thanks to Andreas Mueller for reporting and debugging this problem. [484d0d3b892e]

2020-06-02 Todd C. Miller

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, src/load_plugins.c:
Load the sudoers module as an audit plugin if loaded as a policy plugin. Now that logging of successful commands is performed by sudoers as an audit plugin we need to load sudoers_audit if sudoers_policy is also loaded. Otherwise, accpted commands will not be logged. [f20bee20f4c7]

plugins/sudoers/audit.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/bsm_audit.h, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/solaris_audit.h, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Defer logging of the successful command until approval plugins have run. This adds audit plugin support to the sudoers module, currently only used for accept events. As a result, the sudoers file is now initially parsed as an audit plugin. [552c13bd0287]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, include/sudo_plugin.h, plugins/audit_json/audit_json.c, plugins/python/sudo_python_module.c, src/sudo.c:
Add support for “accept” audit events sent by the sudo front-end. With this change, the sudo front-end will send an “accept” audit event to the audit plugins after all the I/O logging plugins have been initialized. This can be used by an audit plugin that does not care about the result of the individual policy and approval plugins and only wants to receive a single “accept” event if all policy and approval plugins have succeeded. The plugin_type argument for events sent by the front-end is SUDO_FRONT_END (0). [6b3cb94fedb9]

src/exec_pty.c:
If event loop fails due to ENXIO, remove /dev/tty events and recover. This fixes an issue on Solaris 11.4 (and probably others) with “sudo reboot” when I/O logging is enabled. Previously, sudo would kill the command if it was still running after the event loop terminated, leaving the system in a half-dead state. [e12e3040b067]

2020-06-01 Todd C. Miller

src/exec_pty.c:
Don’t try to suspend sudo if the user’s tty has gone away. Fixes a problem on Solaris 11.4 (and possibly others) where sudo continually tries to put itself in the background after the user’s terminal has been revoked. [92f172b46b9c]

src/exec_pty.c:
Back out WIP code that was mistakenly committed. [41f57239b2c4]

scripts/mkpkg:
Don’t enable BSM audit on Solaris 10, it is missing AUE_sudo [3b32087b1ed3]

src/exec_pty.c, src/get_pty.c:
On Solaris 11.4 the openpty(3) prototype lives in termios.h. [d6e353e8b9df]

plugins/sudoers/solaris_audit.c:
Add missing stdlib.h include and fix solaris_audit_failure() error return. [5748d8fd24c4]

scripts/mkpkg:
Use Solaris audit for Solaris 11, not BSM audit. BSM audit is no longer supported in Solaris 11.4. [01f2189f439d]

2020-05-26 Todd C. Miller

src/exec.c:
Check audit plugins for a close function too before execing command directly. We cannot exec the command directly if any of the policy or audit plugins use a close function. [5aa6db56ce32]

2020-05-22 Todd C. Miller

NEWS:
Mention Bug #927. [0fd9e757d80b]

2020-05-20 Todd C. Miller

configure, configure.ac, m4/sudo.m4:
Add basic support for –runstatedir If the user specifies –runstatedir but not –with-rundir, use runstatdir as the parent directory of the sudo rundir.

In the future we may deprecate –with-rundir in favor of –runstatedir but that will require changes for systems with no /var/run directory. [14879831fe6e]

MANIFEST, NEWS, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/gram.c, plugins/sudoers/gram.h, plugins/sudoers/gram.y, plugins/sudoers/regress/testsudoers/test10.out.ok, plugins/sudoers/regress/testsudoers/test10.sh, plugins/sudoers/regress/testsudoers/test11.out.ok, plugins/sudoers/regress/testsudoers/test11.sh, plugins/sudoers/regress/testsudoers/test2.out.ok, plugins/sudoers/regress/testsudoers/test2.sh, plugins/sudoers/regress/testsudoers/test3.out.ok, plugins/sudoers/regress/testsudoers/test3.sh, plugins/sudoers/regress/testsudoers/test4.sh, plugins/sudoers/regress/testsudoers/test5.sh, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test8.sh, plugins/sudoers/regress/testsudoers/test9.out.ok, plugins/sudoers/regress/testsudoers/test9.sh, plugins/sudoers/sudoers_version.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c, plugins/sudoers/toke.h, plugins/sudoers/toke.l:
Add support for @include and @includedir These are less confusing than #include and #includedir when the hash character is also the comment character.

This commit also adds real parsing of include directives as opposed to the pure lexer approach used previously. As a result, it is now possible to include files with spaces by either using a double- quoted string or escaping the space characters with a backslash. [c422a5c8ea5d]

2020-05-19 Todd C. Miller

lib/iolog/iolog_fileio.c:
In iolog_openat() enable the write bit on pre-existing files if needed. This prevents problems caused by the change to strip the write bit from the timing file when it is finished. [a6b0da3f7b94]

plugins/sudoers/visudo.c:
In visudo check that an include file is regular file before using it. Avoids a generic “input in flex scanner failed” error message. [287d90d359a6]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Fix a memory leak on error when including a file or directory. [02db03f7b565]

2020-05-18 Todd C. Miller

NEWS, configure, configure.ac:
Sudo 1.9.1 [57a1a5f05500]

doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, plugins/sudoers/sudoreplay.c:
Add a follow option (-F) to support replaying a live session. By default, sudoreplay will exit when it reaches the end of the timing file. With the -F option, it will keep going until the timing file is finished and its write bit is cleared. [12ab27768cad]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c:
Add iolog_clearerr() that acts like clearerr(3). Works for both compressed and uncompressed I/O logs. [c83b88285c2c]

plugins/sudoers/iolog.c:
Clear the write bit from the I/O log timing file when it is complete. This matches the behavior of sudo_logsrvd. [0bc8a012db26]

logsrvd/logsrvd.c, logsrvd/sendlog.c:
Use PACKAGE_VERSION instead of 0.1 as the client and server version. [d1e3ac049cf7]

lib/util/Makefile.in, lib/util/aix.c, lib/util/fatal.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/json.c, lib/util/mkdir_parents.c, lib/util/strsignal.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c:
Set DEFAULT_TEXT_DOMAIN in lib/util’s Makefile not individual .c files. We no longer need to include sudo_gettext.h before sudo_compat.h [ead9b6a434b8]

lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/digest_gcrypt.c, lib/util/event.c, lib/util/event_select.c, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getdelim.c, lib/util/getgrouplist.c, lib/util/getopt_long.c, lib/util/glob.c, lib/util/inet_pton.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/mkdir_parents.c, lib/util/mktemp.c, lib/util/parseln.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/secure_path.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strndup.c, lib/util/strtobool.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/vsyslog.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/python/sudo_python_debug.c, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/boottime.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/regress/noexec/check_noexec.c, src/regress/ttyname/check_ttyname.c, src/signal.c, src/sudo.c, src/sudo_edit.c, src/sudo_noexec.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/ttyname.c, src/utmp.c:
Include string.h unconditionally and only use strings.h for strn?casecmp() In the pre-POSIX days BSD had strings.h, not string.h. Now strings.h is only used for non-ANSI string functions. [f7f633de570a]

lib/iolog/host_port.c, lib/iolog/iolog_fileio.c, lib/iolog/iolog_json.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/host_port/host_port_test.c, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/aix.c, lib/util/arc4random.c, lib/util/arc4random_buf.c, lib/util/arc4random_uniform.c, lib/util/cfmakeraw.c, lib/util/closefrom.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/dup3.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/fatal.c, lib/util/fchmodat.c, lib/util/fnmatch.c, lib/util/fstatat.c, lib/util/getaddrinfo.c, lib/util/getcwd.c, lib/util/getdelim.c, lib/util/getgrouplist.c, lib/util/gethostname.c, lib/util/getopt_long.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/glob.c, lib/util/isblank.c, lib/util/json.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/memset_s.c, lib/util/mkdir_parents.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/mktemp.c, lib/util/openat.c, lib/util/parseln.c, lib/util/pipe2.c, lib/util/progname.c, lib/util/pw_dup.c, lib/util/reallocarray.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getgrouplist/getgrouplist_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/mktemp/mktemp_test.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/strsig/strsig_test.c, lib/util/regress/strsplit/strsplit_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_parseln/parseln_test.c, lib/util/regress/tailq/hltq_test.c, lib/util/regress/vsyslog/vsyslog_test.c, lib/util/roundup.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/sha2.c, lib/util/sig2str.c, lib/util/snprintf.c, lib/util/str2sig.c, lib/util/strlcat.c, lib/util/strlcpy.c, lib/util/strndup.c, lib/util/strsignal.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/sudo_debug.c, lib/util/sudo_dso.c, lib/util/term.c, lib/util/ttysize.c, lib/util/unlinkat.c, lib/util/utimens.c, lib/util/uuid.c, plugins/audit_json/audit_json.c, plugins/group_file/getgrent.c, plugins/group_file/group_file.c, plugins/group_file/plugin_test.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.h, plugins/sample/sample_plugin.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getdate.c, plugins/sudoers/getdate.y, plugins/sudoers/getspwuid.c, plugins/sudoers/gmtoff.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/parser/check_base64.c, plugins/sudoers/regress/parser/check_digest.c, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/regress/parser/check_gentime.c, plugins/sudoers/regress/parser/check_hexchar.c, plugins/sudoers/regress/starttime/check_starttime.c, plugins/sudoers/set_perms.c, plugins/sudoers/solaris_audit.c, plugins/sudoers/sssd.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_printf.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/timestr.c, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/conversation.c, src/copy_file.c, src/env_hooks.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/openbsd.c, src/parse_args.c, src/preload.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo_edit.c, src/tcsetpgrp_nobg.c, src/tgetpass.c, src/utmp.c:
We no longer need to include headers we don’t use for sudo*.h files. Previously we needed to include headers required by the various sudo*h files. Now those files are more self-sufficient and we should only include headers needed by code in the various .c files. [72cbeae218e7]

include/sudo_compat.h, include/sudo_conf.h, include/sudo_debug.h, include/sudo_iolog.h, include/sudo_json.h, include/sudo_util.h, plugins/sudoers/sudoers.h:
Add dependent system includes to make sudo_.h more standalone. In the past we’ve relied on the various .c files to include the system headers that define types that the sudo_.h headers require. This is fragile and can cause issues when includes get re-ordered. [a9fb765c0fba]

plugins/sudoers/env.c:
Fix typo in PERLIO_DEBUG (trailing whitespace). This has no effect unless env_reset is disabled. From Allan Wirth [bdf9c9e7f455]

2020-05-17 Sebastian Rasmussen

plugins/sudoers/visudo.c:
Fix typo in warning message. [01b8fab9fdf5]

2020-05-15 Todd C. Miller

lib/util/mksiglist.h, lib/util/mksigname.h:
Prefer SIGSYS if SIGUNUSED is defined to the same value. Fixes a regress failure on musl libc where SIGSYS and SIGUNUSED share the same value. [e030acf8a670]

plugins/python/regress/testhelpers.h:
Add missing sys/wait.h include; fixes a compilation problem on musl libc. [9a6a09e74a14]

lib/iolog/hostcheck.c:
Add missing sys/types.h include; fixes a compilation problem on musl libc. [7c8ea831203b]

include/sudo_compat.h:
Only define WCONTINUED and WIFCONTINUED if neither are already defined. Fixes a warning on musl libc where WIFCONTINUED is defined in stdlib.h for some reason. [9f55ae24b479]

2020-05-16 Dan Robertson

include/sudo_debug.h:
Fix includes when building with musl

Include sys/types.h for mode_t and id_t in sudo_debug.h [15abb56a1edf]

2020-05-15 Todd C. Miller

scripts/mkpkg:
Enable OpenSSL on RHEL 6 too. The version of OpenSSL in RHEL 6 is new enough for the log server to use. [853fd8a74207]

logsrvd/logsrvd_conf.c:
Don’t print errno for the “TLS not supported” message. [c94540d3d632]

2020-05-14 Todd C. Miller

etc/sudo-logsrvd.pp, etc/sudo-python.pp:
Fix macOS bundle IDs for sudo-logsrvd and sudo-python packages [a9f6aea56e40]

2020-05-13 Todd C. Miller

logsrvd/eventlog.c:
Add iolog_path to the JSON-format event log [924d8836ead0]

logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Rename FLUSHED state to FINISHED This makes more sense when receiving event-only logs. [9e2736246e0d]

2020-05-12 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Fix handling of connections without associated I/O logs. This fixes reject events as well as accept events without the expect_iobufs flag set. [3ddb52ae0af4]

logsrvd/sendlog.c:
Fix handling of accept and reject messages without an I/O log. Only set expect_iobufs in AcceptMessage if sending I/O logs. Set state to FINISHED immediately after sending a RejectMessage. [767e75944d4f]

doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, logsrvd/sendlog.c, logsrvd/sendlog.h:
Add -A and -R options to test logging of accept and reject events. If -A is specified, no I/O will be sent, only the accept event. For -R, a reject event with the specified reason is sent. [90db0e6f9b68]

configure, configure.ac:
cfmakeraw(3) is broken on AIX, don’t use it there The cfmakeraw(3) function exists but does not set VMIN to 1 or VTIME to 0 in c_cc[] in struct termios, which makes it useless. The AIX version also doesn’t clear the CSIZE and PARENB flags from c_cflag. [bbdcae2c5fb5]

NEWS:
fix pastos [cbf517081e74]

2020-05-11 Todd C. Miller

MANIFEST, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/Makefile.in, lib/iolog/host_port.c, lib/iolog/regress/host_port/host_port_test.c, lib/util/Makefile.in, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c, lib/util/util.exp.in, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c:
Rename sudo_parse_host_port -> iolog_parse_host_port and mv to lib/iolog It is not used outside of the I/O log client and server and the host:port syntax may change in the future. [706d726a2f8e] [SUDO_1_9_0]

plugins/sudoers/sudoreplay.c:
Remove duplicate inclusion of time.h [f560858325d5]

2020-05-08 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c:
Only enable TLS listener by default if we have a cert for it. We want the log server to work with the default configuration. If the default certificate path exists, it will be used with the default listener. If the user explicitly enabled a TLS listener we always attempt to use it. If TLS was specified but no cert file was set, the default location will be used (and an error will occur if the cert cannot be loaded). [16ade34c38ee]

2020-05-07 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen for 1.9.0 final [99e507035253]

logsrvd/Makefile.in:
regen [555d817825b0]

doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c:
The –preserve-env=list option may be specified more than once. [8066a9d1b04b]

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in:
Quiet some warnings from igor. [4df4fd274023]

MANIFEST, Makefile.in, etc/codespell.exclude, etc/codespell.ignore, etc/codespell.skip:
Plumb in codespell with a “make spell” target. [4b1de7ee8648]

configure, configure.ac, install-sh:
Fix a few more typos. [d22a8c46c743]

2020-05-06 Todd C. Miller

NEWS, doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c:
Don’t allow duplicate values for command line options that take an argument. Previously, if multiple instances of the same command line option were specified, the last one would be used. This meant that, for example, “sudo -u someuser -u otheruser id” would run the command as “otheruser”. This has the potential to cause problems for programs that run sudo with a user-specified command that do not use the “–” option to indicate that no more options should be processed. While this is a bug in the calling program, there is little downside to erroring out when multiple options of the same type are specified on the command line. Bug #924 [66e2612e7672]

NEWS:
Debian bug #734752 [d3285c45ac4b]

src/sudo.c, src/sudo.h:
Look up runas user by name, not euid, where possible. Fixes a problem when there are multiple users with the same user-ID where the PAM session modules could be called with the wrong user name. Debian bug #734752 [b45608f29a02]

src/sesh.c:
Fix ironic typo in spelling fixes. Bug #925 [73de90df6ff9]

scripts/pp:
Sync PolyPkg from upstream. [ac5e4b830177]

NEWS, TODO, config.h.in, configure.ac, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, etc/sudo.pp, include/compat/getaddrinfo.h, include/sudo_event.h, include/sudo_util.h, lib/util/fnmatch.c, lib/util/getaddrinfo.c, lib/util/regress/vsyslog/vsyslog_test.c, logsrvd/logsrvd.c, plugins/audit_json/audit_json.c, plugins/python/example_debugging.py, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/parse.h, plugins/sudoers/pwutil.h, plugins/sudoers/regress/cvtsudoers/test30.sh, scripts/mkdep.pl, src/exec.c, src/exec_monitor.c, src/exec_pty.c, src/sesh.c:
Apply spelling fixes. Fixes from PR #30 (ka7) and Bug #925 (fossies.org codespell) [1fb13dc3991b]

2020-05-05 Todd C. Miller

Makefile.in, etc/sudo-python.pp:
Use the proper python version in the libpython dependency on Debian. The configure script already detects the python version, we just need to use it. [4e49c53f206f]

plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, po/ja.mo, po/ja.po, po/sv.mo, po/sv.po:
Updated translations from translationproject.org [abdb2d6fe7cb]

NEWS:
Bug #922 and Bug #923 [7a77f74c436f]

2020-05-04 Todd C. Miller

etc/sudo.pp:
Fix Debian ldap dependency broken in last commit. [4980b1b653ef]

etc/sudo.pp:
Fix “make package” on Debian when linux_audit is not set. [a00d7dec5821]

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Add a ClientHello message that client sends to the server. This makes it easier to detect a plaintext client sending to a TLS port. Without this, the TLS server will be silent as it waits for the client to initiate the TLS connection. [22c033bcf456]

logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Better error messages when there is a problem with the TLS connection. If SSL_read, SSL_write or SSL_connect fails we can use the reason string to let the user know what the problem is. [92f603e37e40]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, logsrvd/logsrvd_conf.c:
Make the default certificate and key paths match the example file. [f642836bfcf0]

logsrvd/logsrvd.c, plugins/sudoers/iolog_client.c:
Warn about tls errors during startup so the user has a clue. We write messages to stderr until we become a daemon. [25ad61aa7dab]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c:
Remove the tls parameter from the ServerHello message. The TLS connection is now initiated before ServerHello is received. [9d8b76f14cda]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c:
Adapt sudoers iolog client to log server dual port changes. The TLS handshake now occurs before the ServerHello message is read. This fixes potential man-in-the-middle attacks and works better with TLS 1.3. [8137b029a3fe]

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c:
Use port 30343 for plaintext and port 30344 for TLS. For TLS connections we now do the TLS handshake immediately before the ServerHello message. This lets the client recieve an alert from the server is there is a handshake error after the TLS connect has succeeded. It also means that the contents of the ServerHello are protected from a man-in-the-middle attack. [bb4d8b57b3dd]

include/sudo_util.h, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c:
Add support for a tls flag in sudo_parse_host_port(). If the string “(tls)” appears at the end, the tls flag is set to true and the default tls port is used if necessary. [f0d9a225cd75]

logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Plug memory leaks in sudo_sendlog [886254bcae6a]

lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c:
Handle EAGAIN like we do ENOMEM from poll() and select(). On some systems, poll() and select() can return EAGAIN instead of ENOMEM if there is a kernel resource shortage. In this case we just re-enter the event loop and retry. [048df2548dcc]

2020-05-03 Todd C. Miller

configure, configure.ac:
Use the –embed when running “python3-config –ldflags” if supported. Newer versions of python3-config only include libpython in the output when the –embed is used. Otherwise, “python3-config –libs” and “python3-config –ldflags” only list the libraries python is dependent on and not the python library itself. [d90dc892c726]

2020-04-30 Todd C. Miller

logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
On error, remove the connection with an error without freeing the closure. Fixes the final message at the end when there is a network error. [0e1952eb707b]

lib/util/event_poll.c:
Do not call poll(2) or ppoll(2) with nfds > RLIMIT_NOFILE. Both poll(2) and ppoll(2) will return EINVAL if the nfds function argument is larger than the max files per process resource limit. Prevent this by limiting the max number entries in the pfds[] array to the RLIMIT_NOFILE soft limit. [ab0f798bb024]

2020-04-29 Todd C. Miller

include/sudo_event.h, lib/util/event.c:
The timeout parameter of sudo_ev_add() should be const. [de85c8897aad]

2020-04-28 Todd C. Miller

plugins/sudoers/iolog_client.c:
Don’t free TLS on error in tls_init(), it is freed in client_closure_free(). Fixes a double free on error introduced with the TLS state cleanup in client_closure_free(). [f1b478f2ec13]

logsrvd/logsrvd.c:
Check for tls_config->dhparams_path being non-NULL before using it. [09348a25bfd2]

2020-04-23 Todd C. Miller

doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in:
Document the TLS and test options. [e5f6b6c46c25]

logsrvd/sendlog.c:
Allow -t option even without OpenSSL Also add -t to the usage message [d874c9a67ed6]

logsrvd/sendlog.c:
Use sudo_strtonum() instead of relying on strtoll(). Older, pre-C99, systems may not include strtoll() in their C library. [a1a610bbe022]

include/protobuf-c/protobuf-c.h:
Allow this to build on systems without stdint.h by using config.h. Old, pre-C99, systems may have inttypes.h but not stdint.h. [72e603875b82]

2020-04-22 Todd C. Miller

etc/sudo-logsrvd.pp, scripts/pp:
Fix support for pp_systemd_disabled and check for systemd existence. On our build schroots we don’t have systemctl installed but do have the /etc/systemd and /lib/systemd (or /usr/lib/systemd) directories. [93917f4130b0]

etc/sudo-logsrvd.pp:
Set pp_macos_service_id instead of pp_macos_default_service_id_prefix. It is only effective to set pp_macos_default_service_id_prefix in the indivisual %service sections (and not %set) so we may was well use pp_macos_service_id which includes the service name. [84ccf13e7076]

etc/sudo-logsrvd.pp:
Set launchd service id prefix to “ws.sudo.” The default value in PolyPkg is “com.quest.rc.” [eb581d74573e]

scripts/pp:
Fix macOS package creation. [556c0051c0fc]

2020-04-21 Todd C. Miller

plugins/sudoers/iolog_client.c:
Shut down the TLS connection cleanly in client_closure_free(). Also free the SSL data which is part of the client closure. [258ec8832cbd]

src/exec_monitor.c, src/exec_nopty.c, src/selinux.c, src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h:
Fix sudoedit when running with SELinux RBAC mode. We can’t use run_command() to run sesh, that will use the sudo event loop (and might run it in a pty!). There’s no need to relabel the tty when copying files. Get the path to sesh from sudo.conf.

Currently, for SELinux RBAC, the editor runs with the target user’s security context. This defeats the purpose of sudoedit. Fixing that requires passing file descriptors between the main sudo process (running with the invoking user’s security context) and sesh (runnning with the target user’s security context). [81c9ec600894]

MANIFEST, src/Makefile.in, src/copy_file.c, src/sesh.c, src/sudo_edit.c, src/sudo_exec.h:
Refactor the sudoedit code to copy files so it can be shared. The SELinux sudoedit code now extends the destination file the same way the non-SELinux version does. [82c44299309e]

src/sudo_edit.c:
Do not remove sudoedit temporary files if we cannot overwrite the real file. The warning message says the files were preserved but they actually got removed. [685f2de6bb2e]

include/compat/glob.h, lib/util/glob.c:
Make gl_pathc, gl_matchc and gl_offs size_t in glob_t to match POSIX. [c3586082d3ea]

scripts/pp:
Only remove the systemd unit service file if we copied it manually. If the service file was installed as part of the package it will be removed automatically when the package is uninstalled. [e98e1493c5bf]

2020-04-20 Todd C. Miller

doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in:
Document TLS settings in ServerHello [22ae16f41585]

2020-04-17 Todd C. Miller

src/sudo_edit.c:
Extend the original file before to the new size before updating it. Instead of opening the original file for writing w/ tuncation, we first extend the file with zeroes (by writing, not seeking), then overwrite it. This should allow sudo to fail early if the disk is out of space before it overwrites the original file. [aef4db03e9e1]

src/sudo.c:
I/O log plugins should be closed before the policy plugin, not after. [dec6fccf63d4]

plugins/sudoers/set_perms.c:
Fix typo [82b0efbb6c26]

plugins/sudoers/iolog.c:
Only display error string once on I/O error. We already include the error string in the format so no need to use errno too. [59795855d6a2]

plugins/sudoers/iolog.c, plugins/sudoers/policy.c:
Free passwd and group caches in I/O plugin after log_warning(), not before. The logging functions may try to use the cache via set_perms(PERM_ROOT). [652b925b9658]

2020-04-17 Laszlo Orban

logsrvd/logsrvd.c:
add missing shudown of TLS connection [14b25a0f4f6b]

2020-04-16 Todd C. Miller

etc/sudo-logsrvd.pp, scripts/pp:
Disable systemd support on Linux systems that don’t use it. [3c01c91dbfb2]

2020-04-14 Todd C. Miller

configure, configure.ac:
1.9.0 final [acf3b4592384]

etc/sudo-logsrvd.pp, scripts/pp:
Update PolyPkg from my branch with systemd support. [a7a487496209]

2020-04-09 Todd C. Miller

plugins/python/example_conversation.py, plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_io_plugin_fails_with_python_backtrace.stdout:
If the signal.Signals enum is not present, search the dictionary. The Signals enum was added in Python 3.5. If it is not present we need to iterate over the dictionary items, looking for signal name to number mappings. Fixes the signal tests with Python 3.4. [22811794ed46]

plugins/python/regress/check_python_examples.c, plugins/python/sudo_python_module.c:
Python dictionaries are sparse so we cannot use pos as an index. When converting sudo options from a dictionary to a tuple we need to track the current index into the tuple separately from the position of the dictionary entry. [07cb8a0c7f21]

2020-04-08 Todd C. Miller

etc/sudo-logsrvd.pp:
Fix handling of /etc/sudo_logsrvd.conf in the sudo-logsrvd package. For rpm and deb we include the file directly and mark it volatile. For all others we copy it in the postinstall script from the example dir if the file doesn’t already exist. [83264a96b923]

scripts/mkpkg:
Check for the Sun Studio C compiler on Solaris under /opt. Also intialize with_python to false. [52e28d55f9a6]

po/sudo.pot:
regen [faaacb7777d4]

lib/util/parseln.c:
Explicitly include stdio.h for getdelim(3) [3b0bff3ef388]

logsrvd/logsrvd.c:
Reload sudo.conf upon SIGUP This makes it possible to update the Debug settings in sudo.conf and have them take effect on reload. [9fb7baf9a3ad]

logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Store the result of ERR_get_error() so we can use it for both warn and debug. Otherwise, only the debug framework gets the actual error and the user won’t see the problem. [039565f16d13]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Disable IPv4-mapped IPv6 addresses in the listener. Also store the host + port string and use it in error messages. [3fbac477ef6b]

configure, configure.ac, examples/Makefile.in:
Install the example sudo_logsrvd.conf unless one already exists [89c41b936c44]

2020-04-07 Todd C. Miller

examples/sudo_logsrvd.conf:
Make the path to logsrvd_cert.pem match the documentation. [b2a45e7c9cdb]

etc/sudo-logsrvd.pp, logsrvd/logsrvd.c:
Create the pid file parent directory if it doesn’t already exist. Also package the run directory in the sudo_logsrvd PolyPkg file. [ac8b573e8545]

configure, configure.ac:
Sudo 1.9.0rc1 [7d437646afc2]

MANIFEST:
Include all python plugin files in MANIFEST, not the directory itself. [4aa09dd70b9e]

plugins/python/example_approval_plugin.py, plugins/python/example_audit_plugin.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_io_plugin_fails_with_python_backtrace.stdout:
Avoid using typing annotations so tests run with Python 3.4. [88b7048bc4a6]

plugins/python/python_plugin_common.c, plugins/python/regress/testda ta/check_loading_fails_missing_classname.stderr:
Sort the list of possible plugins before printing it. This gives more reproducible error messages for the tests. [ea33f4970268]

plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_group_plugin_is_able_to_debug.log, plugins/python/regr ess/testdata/check_example_io_plugin_command_log.stored, plugins/pyt hon/regress/testdata/check_example_io_plugin_command_log_multiple1.s tored, plugins/python/regress/testdata/check_example_io_plugin_comma nd_log_multiple2.stored, plugins/python/regress/testdata/check_examp le_io_plugin_failed_to_start_command.stored, plugins/python/regress/ testdata/check_example_io_plugin_fails_with_python_backtrace.stderr, plugins/python/regress/testdata/check_loading_fails_wrong_path.stder r, plugins/python/regress/testdata/check_multiple_approval_plugin_an d_arguments.stdout, plugins/python/regress/testdata/check_python_plu gins_do_not_affect_each_other.stdout, plugins/python/regress/testhelpers.h:
Use regular expressions when matching expected and actual text. [f2562728481a]

plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@info.log, plugins/python/regress/tes tdata/check_example_debugging_plugin@info.log, plugins/python/regress/testhelpers.c:
Use regex to match init.py instead of hacking it in verify_log_lines() [8bf71289e585]

plugins/python/pyhelpers.c, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/plugin_approval_test.py, plugins/python/regre ss/testdata/check_example_debugging_c_calls@diag.log, plugins/python /regress/testdata/check_example_debugging_c_calls@info.log, plugins/ python/regress/testdata/check_example_debugging_py_calls@diag.log, p lugins/python/regress/testdata/check_example_debugging_py_calls@info .log, plugins/python/regress/testdata/check_example_policy_plugin_va lidate_invalidate.log, plugins/python/regress/testdata/check_loading _fails_wrong_classname.stderr, plugins/python/regress/testdata/check _multiple_approval_plugin_and_arguments.stdout, plugins/python/regress/testhelpers.h:
Make most python tests pass with Python 3.4 Dictionary order is not stable in Python < 3.6 so we need to sort by key to have consistent results. The LogHandler output is also different on older Python versions. Also, don’t stop running python tests after the first error. [aaa06cb5fac1]

plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c:
Increase the maximum delay again for slower systems. Otherwise we may get a spurious test failure. [6660908aa93d]

plugins/python/Makefile.in, plugins/sudoers/Makefile.in, scripts/mkdep.pl:
Handle dependencies for .h files in the same directory as the source. Fixes missing header dependencies for the sudoers and python plugins. [3109dd5cf61e]

etc/sudo.pp:
Remove bits for Tru64 kit-style packages [0e9a9580d76c]

MANIFEST, Makefile.in, configure, configure.ac, etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
Split sudo_logsrvd and the python plugin into their own packages. [9aee8247f0ba]

scripts/mkpkg:
Build python packages where possible. [7a2b993bb8ac]

2020-04-06 Todd C. Miller

plugins/sudoers/iolog_client.c:
Don’t pass a NULL submitcwd or ttyname value to the server. It is possible for the cwd and/or tty to be missing. If we send a NULL pointer to the server where it expects a string the AcceptMessage will fail to parse. [4f96d1c6e41c]

include/sudo_plugin.h:
Disable -Wstrict-prototypes for sudo_hook_fn_t typedef. [15d2a1332865]

plugins/python/python_plugin_common.c:
Fall back to using Py_Finalize() for Python version < 3.6 [e7ad63e57c79]

2020-04-06 Robert Manner

logsrvd/eventlog.c:
logsrvd/eventlog.c: add a newline after each log message for logfile output [457f77b8f3be]

lib/iolog/iolog_fileio.c:
lib/iolog/iolog_fileio.c: do not call fchown on invalid fd

Fixes the warning in the log: iolog_write_info_file_json: unable to fchown 0:0 /var/log/…: Bad file descriptor [bccdaf007db8]

logsrvd/iolog_writer.c:
logsrvd/iolog_writer.c: treat runuid, rungid 0 as valid (usually ==root) [5a7c447e9619]

2020-04-05 Todd C. Miller

po/eo.mo, po/eo.po, po/sr.mo, po/sr.po:
Updated translations from translationproject.org [6e47dbfdba2c]

2020-04-03 Todd C. Miller

examples/Makefile.in:
Install example sudo_logsrvd.conf file [c1c6f4c8119d]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Make it clear in the sudoers grammar that sudoedit needs file args. Debian bug #571621 [b6358b602623]

2020-04-02 Todd C. Miller

NEWS:
Fixed Debian bugs #571621, #596631 and #669687 [6058c1c46739]

doc/sudo.man.in, doc/sudo.mdoc.in, plugins/sudoers/env.c:
Truncate the command args at 4096 chars when formatting SUDO_COMMAND. We have to limit the length of SUDO_COMMAND to avoid getting E2BIG from execve(2) for very long argument vectors. The command’s environment also counts against the ARG_MAX limit. Debian bug #596631 [ff1fa8e3377f]

plugins/sudoers/auth/pam.c:
Do not try to delete creds we did not set. If pam_setcred() fails when opening the PAM session, we don’t want to call it with PAM_DELETE_CRED when closing the session. [c31039431c46]

2020-04-01 Todd C. Miller

plugins/sudoers/auth/API, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/auth/sudo_auth.h, plugins/sudoers/check.c, plugins/sudoers/sudoers.h:
Add a force flag to sudo_auth_cleanup() to force immediate cleanup. This is used for PAM authentication to make sure pam_end() is called via sudo_auth_cleanup() when the user authenticates successfully but sudoers denies the command. Debian bug #669687 [98cb9d98f547]

plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c:
Increase the maximum delay for slower systems. Otherwise we may get a spurious test failure. [e4c1fffd427c]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
Document when cwd_optional was added. [165447e1d7fa]

2020-03-31 Todd C. Miller

NEWS, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/policy.c, src/exec.c, src/sudo.c, src/sudo.h:
Add cwd_optional to command details and enable it in the sudoers plugin. If cwd_optional is set to true, a failure to set the cwd will be a warning, not an error, and the command will still run. Debian bug #598519 [a6694704d92f]

doc/sudo.man.in, doc/sudo.mdoc.in:
The policy close function is responsible for closing the PAM session. [db4af211ff75]

.clang-format:
Config file for clang-format 8.x and higher based on webkit style. This approximates what I want the sudo coding style to look like. Only deviations from webkit style are included. [d3ec3a8401cf]

src/exec_pty.c:
Don’t kill the command just because the loop exited unexpectedly. We currently have no good way to distinguish between an error executing the command and an error while the command is running.

In the future, we should have additional status codes so we can tell what type of condition caused the loop to exit.

For now, only kill the command if cstat is left uninitialized. [9492d60783fe]

2020-03-29 Todd C. Miller

logsrvd/logsrvd.c:
Write process ID as an unsigned int (with a cast). On Solaris, pid_t may be typedef’d as a long but the actual range is 32 bits at most. [b9a818d77142]

doc/LICENSE:
Add license info for a few other files. These are all ISC licensed but it is still best to have them all listed in one place. [dd37dc484ea5]

plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po, plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po, plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po, plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po, plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po, plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po, plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po, plugins/sudoers/po/nb.mo, plugins/sudoers/po/nb.po, plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po, plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po, plugins/sudoers/po/sv.mo, plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po, plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/ca.mo, po/ca.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fi.mo, po/fi.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po, po/it.mo, po/it.po, po/ja.mo, po/ja.po, po/ko.mo, po/ko.po, po/nb.mo, po/nb.po, po/pl.mo, po/pl.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sv.mo, po/sv.po, po/tr.mo, po/tr.po, po/uk.mo, po/uk.po, po/vi.mo, po/vi.po, po/zh_CN.mo, po/zh_CN.po, po/zh_TW.mo, po/zh_TW.po:
Updated translations from translationproject.org [58d62352abff]

lib/util/getusershell.c, lib/util/host_port.c, lib/util/roundup.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Some new source files got created with my old email address. [ede435f55f5c]

.gitignore, .hgignore:
Ignore pycache directories. [5901cfb35a74]

include/sudo_iolog.h, lib/iolog/iolog_util.c, logsrvd/sendlog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
iolog_parse_loginfo() now opens the log file itself. [bf03f505fc94]

include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_util.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
Write an extended I/O info log in JSON format. This will be used by sudoreplay if it exists to get more information about the command being replayed. [5fc89148c214]

MANIFEST, doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, include/sudo_iolog.h, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_util.c, plugins/sudoers/sudoreplay.c:
Parse I/O JSON info file in JSON if present. The JSON version includes more information than the original “log” file in the I/O log dir. [269ae210ea34]

logsrvd/iolog_writer.c, logsrvd/logsrvd.h:
Store runenv in the I/O log info file too. [15f90fb3748f]

plugins/sudoers/Makefile.in, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c:
Create files for check_iolog_plugin in the build dir, not src dir. [bdaea95b47fc]

include/sudo_json.h, lib/iolog/iolog_fileio.c, lib/util/json.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, plugins/audit_json/audit_json.c:
Do not use JSON_ARRAY with sudo_json_add_value() [c74b75adb90f]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/iolog_json.c, lib/iolog/iolog_json.h, lib/iolog/regress/iolog_json/check_iolog_json.c, lib/iolog/regress/iolog_json/test1.in, lib/iolog/regress/iolog_json/test2.in, lib/iolog/regress/iolog_json/test2.out.ok, lib/iolog/regress/iolog_json/test3.in, lib/util/json.c:
Add tests for the simple json parser. [9ede5000f4c7]

lib/iolog/iolog_json.c:
Simply the JSON parsing code a bit. We can use a single stack for nested objects and arrays. There is also no need to track the current object and array separately. This allows us to remove the array special case when assigning a value. [4a34e528d9f0]

NEWS:
Update NEWS for 1.9.0b5 changes [bf8db62788d3]

logsrvd/logsrvd.c:
sudo_logsrvd now exits with an error if it cannot open any listen sockets. [47a22f71e286]

configure, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, m4/sudo.m4, pathnames.h.in:
Create a pidfile for sudo_logsrvd when not run with the -n flag. [9f1b8edff6cc]

etc/sudo.pp:
Add sudo_logsrvd as a service so it gets started at boot. [d2ac9eb87dbf]

plugins/sudoers/po/sudoers.pot:
Update sudoers.pot with json parser warnings. [2b277f799d2e]

2020-03-19 Todd C. Miller

scripts/mkpkg:
Enable OpenSSL on systems that can support it. [976370b9d9db]

2020-03-17 Todd C. Miller

config.h.in, configure, configure.ac, logsrvd/logsrvd.c:
Add configure check for SSL_CTX_get0_certificate(). Dummy out verify_server_cert() if it is not present to allow building on older OpenSSL versions. Rewriting this to work with old OpenSSL is not worth the trouble. [61349d2533fe]

lib/iolog/hostcheck.c:
Include stdlib.h for malloc(3) prototype. We shouldn’t rely on it to be implicitly included via OpenSSL headers. [9f4f7d3d3662]

2020-03-16 Todd C. Miller

plugins/sudoers/policy.c:
Only set errstr for plugin API version 1.15 and above. [780722091e9f]

2020-03-14 Todd C. Miller

NEWS:
Sudo 1.8.31p1 [40629e6fd692]

src/limits.c:
Ignore a failure to restore the RLIMIT_CORE resource limit. Linux containers don’t allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root. This is not a problem outside the container. [1064b906ca68]

2020-03-12 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen [72ca06a294b4]

include/sudo_event.h, lib/util/event.c:
Add SUDO_EV_MASK to mask off invalid event values. Now used by sudo_ev_init() to avoid bogus events. [10a5d1afa1c9]

2020-03-11 Todd C. Miller

plugins/python/regress/iohelpers.c, plugins/python/regress/testhelpers.c:
Avoid using sprintf(), vsprintf(), strcat(), and strncat(). It is less error-prone to use functions with a return value that indicates when truncation ocurred. [21938a3b1548]

plugins/sudoers/match_digest.c:
Work around two Coverity false positives; CID 208813 208815 [389bf3749ed2]

logsrvd/logsrvd.c:
Fix potential use-after-free; Coverity CID 208814 [e575532efe35]

plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/ check_example_debugging_c_calls@info.log, plugins/python/regress/tes tdata/check_example_debugging_plugin@info.log, plugins/python/regress/testhelpers.c:
Don’t hard-code path to logging/init.py or line numbers. Allows python plugin tests to success on versions other than 3.7. [659d3d3fcb8b]

doc/LICENSE:
Add copyright for the Python bindings. [cc64df1f85f2]

plugins/sudoers/match_command.c:
Fix typo introduced on systems with O_PATH or O_EXEC [e8fea3eabf99]

NEWS:
Update for sudo 1.9.0 [39158cb4af26]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/sudoers_version.h:
Allow the ALL keyword to be specified with a digest list. [9856ed3cde7f]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/ldap_util.c, plugins/sudoers/match.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.h, plugins/sudoers/regress/sudoers/test14.in, plugins/sudoers/regress/sudoers/test14.json.ok, plugins/sudoers/regress/sudoers/test14.ldif.ok, plugins/sudoers/regress/sudoers/test14.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test14.out.ok, plugins/sudoers/regress/sudoers/test14.toke.ok, plugins/sudoers/sudo_ldap.h:
Allow a list of digests to be specified for a command. [e0e9ecee870b]

plugins/sudoers/ldap_util.c, plugins/sudoers/parse_ldif.c:
A struct member of type ALL should have its name field set to NULL. [484b9af004af]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Allow Cmd_Alias in addition to Cmnd_Alias. Some people find using Cmd_Alias more natural. [55edb5057091]

2020-03-01 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/auth/pam.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c:
Add pam_ruser and pam_rhost sudoers flags. [b1d494440004]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h:
Store the event base in the client closure. Explicitly passing the event base removes the need to set a default base. [0e4ae8d810f8]

plugins/sudoers/iolog.c:
Revert change to initialize io_operations earlier. Instead, check io_operations.open for NULL which is the case for “sudo -V”. Also move the early return in sudoers_io_open() for “sudo -V” until after we have initialized debugging. [0e9e7a99725d]

2020-02-28 Todd C. Miller

plugins/sudoers/iolog.c:
Initialize io_operations earlier. [ab235d88f8ae]

2020-02-27 Todd C. Miller

plugins/sudoers/iolog_client.c:
Mark up some remaining TODOs [847c9328a7b5]

src/conversation.c:
Sudo’s -S option should override the SUDO_CONV_PREFER_TTY flag. [f5737b68c0bf]

plugins/python/pyhelpers.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_module.c:
Use C99 func instead of gcc-specific PRETTY_FUNCTION [db4f5d7c200e]

2020-02-27 Robert Manner

plugins/python/example_debugging.py, plugins/python/regress/testdata /check_example_debugging_c_calls@diag.log, plugins/python/regress/te stdata/check_example_debugging_c_calls@info.log, plugins/python/regr ess/testdata/check_example_debugging_plugin@err.log, plugins/python/ regress/testdata/check_example_debugging_plugin@info.log:
plugins/python/regress: add a test and example of using the python logger [ed23b3ba375f]

MANIFEST, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/Makefile.in, plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/python_importblocker.c, plugins/python/python_loghandler.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
plugins/python/sudo_module: add sudo.LogHandler

so python log system can be used with sudo logsystem. Loggers use it by default (the handler is set on the root logger). If that is not the intent, it can be overridden explicitly. [45b8902ce188]

2020-02-26 Todd C. Miller

INSTALL, Makefile.in, config.h.in, configure, configure.ac, lib/iolog/iolog_fileio.c, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/sudoers.c:
Add –disable-log-server and –disable-log-client configure options. These can be used to optionally disable building sudo_logsrvd and support for remote I/O logging in the sudoers plugin respectively. [bc802e022f22]

2020-02-26 Robert Manner

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_loading_fails_missing_classname.stderr, plugins/py thon/regress/testdata/check_loading_succeeds_with_missing_classname. stdout:
plugins/python: autodetect ClassName field

If “ClassName” is not specified, load the one and only sudo.Plugin from the module (if so), otherwise display which plugins are available from which the system admin can choose. [b9dbbf1b6e97]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in, plugins/python/Makefile.in, plugins/python/python_plugin_common.c:
plugins/python/plugin_common: add a default search path for python plugins

If the ModulePath is relative, assume it is under “/usr/local/libexec/sudo/python” or wherever the sudo plugins are in a “python” subdirectory. [5f75db882754]

plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_audit_plugin_version_display.stdout, plugi ns/python/regress/testdata/check_example_debugging_py_calls@info.log , plugins/python/regress/testdata/check_example_io_plugin_version_di splay_full.stdout, plugins/python/regress/testdata/check_example_pol icy_plugin_version_display_full.stdout, plugins/python/regress/testd ata/check_multiple_approval_plugin_and_arguments.stdout:
plugins/python/regress: update tests for show_version changes
- plugin->show_version is not marked NULL any more.
- if verbose, it also displays which python class was loaded from which file [e30a1e43e3c2]

plugins/python/python_plugin_approval.c, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python: make show_version display the plugin in verbose mode

Before it only displayed the plugin version, now it also displays which python plugin is loaded to be more useful. [8c94175ead70]

plugins/python/python_plugin_approval.c, plugins/python/python_plugin_common.c:
plugins/python/approval: fix show_version crash when it is not implemented

For approval plugins show_version is not optional. [61f6b4679d6b]

2020-02-24 Todd C. Miller

plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
Avoid calling sudoers_policy_exec_setup() on error. We only want to pass the execution environment back for commands that are accepted or rejected. Also avoid potentially freeing the wrong pointer when garbage collection is enabled. [a3a202e89951]

2020-02-22 Todd C. Miller

logsrvd/eventlog.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Open event log at config time instead of open/close for each entry. If logging via syslog, do the openlog() at config time instead. We still lock the log file prior to writing to it but unlock immediately after. [3236bd001160]

lib/util/locking.c:
Fix unlocking of an entire file with lockf(). Since lockf() uses the files’s current offset, we need to seek to the start of the file to unlock the entire file. [e415af1de6ca]

2020-02-21 Robert Manner

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: add approval plugin to supported plugins [5034917e6902]

2020-02-20 Todd C. Miller

lib/util/util.exp.in:
Add sudo_json_free_v1 to symbol exports file too. [0a91a2986952]

lib/util/Makefile.in, logsrvd/Makefile.in, plugins/sudoers/Makefile.in:
Regenerate dependencies to match the recent JSON changes. [5da86c77629c]

plugins/python/python_convmessage.c:
Add missing check for calloc(3) failure. [589c32ff2cf1]

2020-02-19 Robert Manner

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: document approval plugin and PluginReject [9e61203dcb8d]

plugins/python/sudo_python_module.c:
plugins/python/sudo_python_module.c: remove unused declaration

We do not use structsequence any more. [a5570ba5ad8b]

2020-02-18 Todd C. Miller

logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Re-register listeners on SIGHUP. Previously, a config reload would refresh the listener address list but the changes had no effect on the actual addresses being listened on. [c1c0ada6c594]

logsrvd/logsrvd.c:
Fix compilation error when not built with OpenSSL support. Adds a missing #ifdef HAVE_OPENSSL and reorders code to avoid the need for a static init_tls_server_context() prototype. [976c469eeb57]

2020-02-18 Robert Manner

plugins/python/python_plugin_common.c:
plugins/python: restore the original python inittab after interpreter deinit [b78a5d995de9]

2020-02-17 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, include/sudo_json.h, lib/util/json.c, logsrvd/eventlog.c:
Add support for JSON structured logging using syslog. Note that depending on the system, the default syslog buffer may not be large enough to store all the logging data. [15a6667b1198]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Add support for JSON logging in sudo_logsrvd. [8b013b899e3b]

include/sudo_json.h, lib/util/json.c, lib/util/util.exp.in, plugins/audit_json/audit_json.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/regress/sudoers/test10.json.ok, plugins/sudoers/regress/sudoers/test9.json.ok:
Rework the JSON API to write to a memory buffer, not a stdio stream. [ec4e4053e95e]

logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
Fix support for reloading the config in sudo_logsrvd. We need to re- initialize the TLS server context. Also fix a memory leak of the TLS parameters on reload. [c4ca45502f3e]

2020-02-17 Robert Manner

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_debugging_load@diag.log, plugins/python/regress/testhelpers.c:
plugins/python: only deinit interpreters when sudo unlinks the plugin

This only happens when sudo unloads the last python plugin. The reason doing so is because there are some python modules which does not support importing them again after destroying the interpreter which has imported them previously.

Another solution would be to just leak the interpreters (let the kernel free up), but then there might be some python resources like open files would not get cleaned up correctly if the plugin is badly written.

Tests are meant to test the scenario sudo does, so I have modified them to generally do not unlink but only a few times (~per plugin type) so it does not use 48 interpreters (one gets started on every plugin->open) and it is visible at least which type of plugin fails deinit if there is an error. [13cdead652aa]

plugins/python/python_plugin_common.c, plugins/python/sudo_python_debug.c:
plugins/python/debug: adapt debug refcount solution of sudoers plugin [dc815e383c39]

2020-02-16 Todd C. Miller

plugins/sudoers/iolog_client.c:
The environment in the accept message is runenv not submitenv. The I/O logging plugin is passed the environment the command will run with, not the user’s original environment. [b3e1ee513001]

2020-02-15 Todd C. Miller

include/sudo_compat.h, lib/iolog/iolog_fileio.c, plugins/audit_json/audit_json.c, src/utmp.c:
Add compatibility define for fseeko(3). This is better than cluttering up the code with #ifdefs for obsolete systems. [a9123f768fe0]

2020-02-14 Todd C. Miller

MANIFEST, plugins/sudoers/regress/testsudoers/test8.out.ok, plugins/sudoers/regress/testsudoers/test8.sh:
Add test for #include directive without a trailing newline. [dfcfad5c7c41]

plugins/sudoers/toke.c, plugins/sudoers/toke.l:
Don’t require a newline at the end of include or includedir directives. [3d6aa5531609]

2020-02-14 Robert Manner

plugins/python/regress/testhelpers.c:
plugins/python/regress/testhelpers.c: replace fromisoformat

fromisoformat is only supported from python >=3.7 [86bf6de82376]

2020-02-13 Robert Manner

plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c:
plugins/python: add missing annotations to help cpychecker [fd66659bd681]

plugins/python/python_plugin_common.c:
plugins/python/python_plugin_common.c: release py_args in close

even if the arguments are not used (eg. when there is no “close” call in the plugin).

It was not really a memleak, because interpreter is deinitialized anyway, which frees the object. [5de8c111d40d]

plugins/python/python_plugin_approval.c:
plugins/python/python_plugin_approval: fix negative ref count

The python_plugin_api_rc_call function already decrements the refcount of py_args. Python avoids the double free, but the error gets shown if using python debug build. [4370af5b9092]

2020-02-12 Robert Manner

plugins/python/regress/check_python_examples.c:
plugins/python/regress: still some memleak fix [c60050b79a5e]

plugins/python/python_plugin_audit.c, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python: make storing errstr more explicit

The error is always stored in plugin_ctx, but it is only set into errstr if the API version is enough. (Previously it worked the opposite: we only stored the error if API level was enough.) [5b4fa733c876]

plugins/python/regress/check_python_examples.c:
plugins/python/regress: strengthen errstr verification

Tests did not catch the issue where errstr was not set correctly, but its pointer contained the expected data, because the memory allocator reused the same space for storing the string.

Now it is either verified to be NULL, or reset to NULL. [973e52ed3f68]

plugins/python/regress/check_python_examples.c:
plugins/python/regress: simplify plugin option creation [628142f39c63]

2020-02-11 Todd C. Miller

include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in, plugins/audit_json/audit_json.c, plugins/python/sudo_python_debug.c, plugins/sample_approval/sample_approval.c, plugins/sudoers/sudoers_debug.c:
Move duplicated code to parse plugin debug flags to libsudo_util. There’s no need for four copies of sudo_debug_parse_flags(). [cfd9d624d8b1]

2020-02-11 Robert Manner

plugins/python/python_plugin_common.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
plugins/python/sudo_module: let a reject also supply error message

Same as sudo.PluginError exception, have a sudo.PluginReject exception as well. Added common base exception as well. [e2e36f4778d4]

plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_approval_test.py, plugins/python/regre ss/testdata/check_multiple_approval_plugin_and_arguments.stderr, plu gins/python/regress/testdata/check_multiple_approval_plugin_and_argu ments.stdout, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
plugins/python/regress: add tests for approval plugin [31bd830a36fa]

MANIFEST, plugins/python/Makefile.in, plugins/python/python_plugin_approval.c, plugins/python/python_plugin_approval_multi.inc, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/sudo_python_module.c:
plugins/python: add python approval plugin wrapper [489ef35ac957]

MANIFEST, plugins/python/Makefile.in, plugins/python/example_approval_plugin.py:
plugins/python: add python approval plugin example [4ed865e04c0a]

2020-02-10 Todd C. Miller

MANIFEST, plugins/sudoers/regress/sudoers/test23.in, plugins/sudoers/regress/sudoers/test23.json.ok, plugins/sudoers/regress/sudoers/test23.ldif.ok, plugins/sudoers/regress/sudoers/test23.ldif2sudo.ok, plugins/sudoers/regress/sudoers/test23.out.ok, plugins/sudoers/regress/sudoers/test23.sudo.ok, plugins/sudoers/regress/sudoers/test23.toke.ok:
Add regress test for parsing Defaults lists. Currently only env_check, env_delete, env_keep and log_servers are lists. [dfda2dec37d3]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
Clarify that approval close happens after auditing. Also fix a few typos. [8f9fb2f0b5a7]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, plugins/sample_approval/sample_approval.c, src/sudo.c:
Add open and close functions to the approval plugin API. We need a close function to be able to to free memory allocated for errstr. Unlike the other plugins, the close function is called immediately after the plugin’s check or show_version function. The plugin does not remain open until the command completes. [6611bafc8ace]

plugins/audit_json/audit_json.c:
Use unique function names to avoid confusion with front-end functions. Also add a missing sudo_debug_enter() after debug registration. [b127b0997ecb]

scripts/log2cl.pl:
Use Text::Wrap instead of perl’s built-in format function. This still breaks log filename incorrectly but is a step in the right direction. [2184fe794ecb]

Makefile.in, scripts/log2cl.pl:
Avoid changing directory when generating the ChangeLog file. Instead, pass the repo path to either hg or log2cl.pl [736e90c9fe6d]

2020-02-10 Robert Manner

src/sudo.c:
src/sudo.c: call audit plugin close when result is a wait status [0bfe6bc588a3]

Makefile.in:
Makefile.in: fix install target for out of source build

The scriptdir contained a path relative to where the target was started. The scripts are called like “$scriptdir/script_name” which is fine with relative path as well, until the current directory is not changed. But things like cd $srcdir && $scriptdir/script_name fails (if building in separate build directory). [7c0958b47925]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: document python audit plugin support [2a2f6227bae0]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: document returning error string [cf32faa3805f]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: update python manual for constant -> enum changes [e2cd8737978c]

2020-02-08 Todd C. Miller

lib/iolog/regress/iolog_path/check_iolog_path.c, lib/util/mksiglist.c, lib/util/mksigname.c, lib/util/regress/fnmatch/fnm_test.c, lib/util/regress/getdelim/getdelim_test.c, lib/util/regress/glob/globtest.c, lib/util/regress/parse_gids/parse_gids_test.c, lib/util/regress/progname/progname_test.c, lib/util/regress/sudo_parseln/parseln_test.c, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/group_file/plugin_test.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/logging.c, plugins/sudoers/regress/check_symbols/check_symbols.c, plugins/sudoers/regress/env_match/check_env_pattern.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c, src/regress/noexec/check_noexec.c:
Use EXIT_SUCCESS and EXIT_FAILURE more consistently. [1b78154a35f3]

src/parse_args.c, src/sudo.c, src/sudo.h:
Mark main sudo usage() function noreturn. This splits the usage printing out into display_usage(). [400d23c2a6f1]

include/sudo_json.h, lib/util/json.c, lib/util/util.exp.in, plugins/sudoers/cvtsudoers_json.c:
Use json functions from libsudo_util in cvtsudoers. [c4316ce76fe6]

2020-02-07 Todd C. Miller

plugins/sample_approval/sample_approval.c:
Check localtime() return value; coverity CID 208156 [e2697b46f7e2]

plugins/audit_json/audit_json.c:
Check fseeko() return value; coverity CID 207993 [3abd610ae63b]

logsrvd/sendlog.c, logsrvd/sendlog.h:
Make restart and elapsed members of the closure structs not pointers. Fixes coverity CID 207992 [2dbace19cb6a]

lib/iolog/iolog_fileio.c:
Check return value of sudo_lock_file(); coverity CID 207991 [e2862d70dea8]

logsrvd/logsrvd.c:
Only keepalive if accept() succeeded; coverity CID 207990 [0c35e46495a2]

2020-02-06 Todd C. Miller

MANIFEST, Makefile.in, doc/Makefile.in, examples/Makefile.in, generate_test_coverage.sh, include/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, log2cl.pl, logsrvd/Makefile.in, mkdep.pl, mkinstalldirs, mkpkg, plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, pp, scripts/generate_test_coverage.sh, scripts/log2cl.pl, scripts/mkdep.pl, scripts/mkinstalldirs, scripts/mkpkg, scripts/pp, src/Makefile.in:
Move some scripts from the top level src dir to a scripts dir. [0be8e958cbc2]

MANIFEST, plugins/sample_approval/Makefile.in, plugins/sample_approval/sample_approval.c, plugins/sample_approval/sample_approval.exp:
Add sample approval plugin that simply tests for “business hours” [8005b14fd0c7]

Makefile.in, configure, configure.ac:
Add sample approval plugin that simply tests for “business hours” [9d7370fea2c3]

src/load_plugins.c:
Refactor code to alloc and insert a new plugin_container. The only outlier is the policy plugin which is not part of a list since there can only be a single policy plugin. [610c6e01eb0b]

plugins/audit_json/audit_json.c:
Tech audit_json about approval plugin accept/reject [b1e568bacd87]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/load_plugins.c, src/sudo.c, src/sudo_plugin_int.h:
Add an approval plugin type that runs after the policy plugin. The basic idea is that the approval plugin adds an additional layer of policy. There can be multiple approval plugins. [2b57fac1ad0b]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
plugin documentation fixes: o whitespace cleanup o show_version doesn’t have an errstr argument o document runas_user and runas_group in command_info[] o add missing .El at before start of audit section [73cb9ca71ef7]

2020-02-06 Robert Manner

plugins/python/sudo_python_module.c:
plugins/python/sudo_python_module.c: fix options_as_dict if no equal sign

The intented behaviour was that those get skipped, but the PyList_GetItem sets the interpreter into error state, so python has raised exception. [4f99dd186eb9]

plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_audit_plugin_receives_accept.stdout, plugi ns/python/regress/testdata/check_example_audit_plugin_receives_error .stdout, plugins/python/regress/testdata/check_example_audit_plugin_ receives_reject.stdout, plugins/python/regress/testdata/check_exampl e_audit_plugin_version_display.stdout, plugins/python/regress/testda ta/check_example_audit_plugin_workflow_multiple.stderr, plugins/pyth on/regress/testdata/check_example_audit_plugin_workflow_multiple.std out:
plugins/python/regress/check_python_examples: add audit_plugin tests [fcc483a569ff]

plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python/python_plugin_common: close can get custom arguments

For the audit plugin. Ensure we do not fail if plugin_ctx->py_instance is NULL (because plugin init has failed). [dd1c0be3d8e7]

plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_io_plugin_fails_with_python_backtrace.stdout:
plugins/python/example_*.py: document returning error string [ee55ef4a3cb6]

plugins/python/example_conversation.py, plugins/python/example_debugging.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/regress/test data/check_example_debugging_c_calls@info.log, plugins/python/regres s/testdata/check_example_debugging_plugin@info.log, plugins/python/r egress/testdata/check_example_io_plugin_fails_with_python_backtrace. stdout:
plugins/python/example*.py: pep8 fixes (mainly line too long) [56b15859cc9a]

2020-02-05 Todd C. Miller

plugins/audit_json/audit_json.exp:
Exported symbol is audit_json [a39e9cc1047b]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
Silence lint warning. [fbba7f8dc3ef]

plugins/sudoers/policy.c:
Add runas_user and runas_group (if set) to command_info for audit plugin. Otherwise, the audit plugin has to look up the runas name and group by user or group ID. [711731384693]

src/tgetpass.c:
Only enable pwfeedback when reading password from /dev/tty. This effectively disables pwfeedback when the -S or -A options are used. [71da469aab20]

2020-02-05 Robert Manner

plugins/python/regress/check_python_examples.c:
plugins/python/regress: load/unload module for each testcase

so they can start from clean state. (My problem was optional argument tests has destroyed the callbacks.) [ab90adbb9328]

plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
plugins/python: add support for callback errstr arguments

Plugins can raise a sudo.PluginError exception to add context message for the failure.

The callback’s errstr gets filled up with the specified message. But, as sudo expects a string constant (will not free the string), we store it in the plugin context at least until next callback invocation. [240bf4c627f0]

plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_errorstr.py:
plugins/python/regress: add test for callback error msg return [44a71a20f94c]

plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python_plugin_io,policy: fix version display in verbose mode

Unfortunately the test did not catch this mistake, because it only searches that “Python policy plugin API version” string is present and does not check the version. [7da28d01063f]

2020-02-04 Robert Manner

plugins/python/example_conversation.py, plugins/python/example_debugging.py, plugins/python/example_group_plugin.py, plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, p lugins/python/regress/testdata/check_example_debugging_c_calls@diag. log, plugins/python/regress/testdata/check_example_debugging_c_calls @info.log, plugins/python/regress/testdata/check_example_group_plugi n_is_able_to_debug.log, plugins/python/sudo_python_module.c:
plugins/python/sudo_python_module.c: use IntEnums instead of constants

It is a bit more code, but it is more “pythonic” and easier to debug as the enum values also know their names.

It is also an API break, eg. sudo.RC_OK becomes sudo.RC.OK as sudo.RC will be the “type” of the enum, but I guess that is acceptable before the initial release. [2a0845428e2b]

2020-02-03 Robert Manner

plugins/python/python_plugin_policy.c:
plugins/python/python_plugin_policy: add missing debug return [2bf4cc35de9c]

2020-02-03 Laszlo Orban

logsrvd/sendlog.c:
fixed compiler error when sudo is configured without –enable- openssl [fb19fb96c41d]

2020-02-03 Robert Manner

MANIFEST, plugins/python/Makefile.in, plugins/python/python_plugin_audit.c, plugins/python/python_plugin_audit_multi.inc, plugins/python/sudo_python_module.c:
plugins/python: add python audit plugin wrapper [92bf3ccbd35d]

MANIFEST, plugins/python/Makefile.in, plugins/python/example_audit_plugin.py:
plugins/python: add example python audit plugin [15abd19f6fdb]

2020-02-02 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_plugin.man.in:
Regenerate .man.in files from .mdoc.in [6d04628b3bbb]

doc/sudo_plugin.mdoc.in:
Update documentation for setbase when the given base is NULL. [03054c46d322]

plugins/sudoers/iolog_client.c, src/sudo.c:
For plugin events, set the sudo event base for setbase(NULL). This makes it possible for a plugin to change the event base to a local one and then reset it back to its original value. [f95ab1a5fd5a]

2020-02-01 Todd C. Miller

plugins/sudoers/iolog_client.c:
Don’t display “error in event loop” on loop break reading ServerHello. We should already have displayed a more useful error message. Otherwise, we can get two “error in event loop” warnings if the TLS handshake fails (in addition to other error messages). [c42b8158ab36]

2020-01-31 Todd C. Miller

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Read ServerHello message synchronously before the command is executed. Otherwise, the command could be run before the TLS handshake completes. [4dab1676ae41]

2020-01-31 Robert Manner

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_convmessage.c:
plugins/python/pyhelpers: add helpers for attribute handling

to simplify code a bit. [c3eb52c88a04]

2020-01-30 Todd C. Miller

doc/sudo_plugin.mdoc.in:
Document audit plugin in the sudo_plugin manual. [e2aab376bae1]

include/sudo_plugin.h, plugins/audit_json/audit_json.c, src/sudo.c:
Change audit close arguments to a type and value. That way we can distinguish between different error types. [37abbe9f39b5]

MANIFEST, Makefile.in, configure, configure.ac, m4/sudo.m4, pathnames.h.in, plugins/audit_json/Makefile.in, plugins/audit_json/audit_json.c, plugins/audit_json/audit_json.exp:
Example audit plugin that writes JSON output to a log file. [295d9d1a1209]

plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc, plugins/python/python_plugin_policy.c, plugins/python/regress/check_python_examples.c:
Adapt python plugin to new plugin API changes [974e76db3a3a]

plugins/sudoers/audit.c, plugins/sudoers/iolog.c, plugins/sudoers/logging.c, plugins/sudoers/logging.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Pass back a failure or error string to the front end. The audit_failure() function now stores the failure string. This will allow an audit plugin to log the reason if the user’s request is a rejected. [5bb4e000a7ec]

doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/exec_pty.c, src/load_plugins.c, src/parse_args.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h:
Define a new plugin type that receives accept and reject messages. This can be used to implement logging-only plugins. The plugin functions now take an errstr argument that can be used to return an error string to be logged on failure or error. [361aab49325f]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_rand.h, lib/util/arc4random.c, lib/util/arc4random_buf.c:
Add tests for arc4random_buf() and an implementation for those without. [e89dabfd5a41]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/util.exp.in, lib/util/uuid.c:
Add code to generate universally unique identifiers. We create type 4, variant 1 uuids (random). [22aff362662e]

MANIFEST, include/sudo_json.h, lib/util/Makefile.in, lib/util/json.c, lib/util/util.exp.in:
Add a simple API for writing JSON records. To be used by the upcoming JSON audit module. [734b29194a82]

2020-01-29 Todd C. Miller

NEWS:
Sudo 1.8.31 changes. [3d12f4cb4d9f]

src/tgetpass.c:
Fix a buffer overflow when pwfeedback is enabled and input is a not a tty. In getln() if the user enters ^U (erase line) and the write(2) fails, the remaining buffer size is reset but the current pointer is not. While here, fix an incorrect break for erase when write(2) fails. Also disable pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit: Joe Vennix from Apple Information Security. [4830bdf1a683]

2020-01-28 Todd C. Miller

plugins/sudoers/sudoers.c:
Fix warning about unresolved host name with “sudo -l -h hostname”. The resolve_host() function returns 0 on success, not bool. [9af5bb6e4036]

configure, configure.ac:
Check for presence of fseeko() regardless of utmp type. [d0c254ba8311]

plugins/python/regress/check_python_examples.c:
Fix typo in a test: python_policy->close not python_io->close [34d8631cc501]

lib/util/getentropy.c:
Allow getentropy.c to compile when MAP_ANON is unavailable. [d707e07f1a9c]

MANIFEST, lib/util/Makefile.in, lib/util/arc4random.c, lib/util/arc4random.h:
Remove multi-thread support from arc4random. Sudo is not multi- threaded so we don’t need the added complexity. [77c1795e0aaa]

2020-01-28 Robert Manner

plugins/python/sudo_python_module.c:
plugins/sudo_python_module: Fix double free in sudo.options_as_dict function

PyArg_ParseTuple sets the py_config_tuple pointer, but it does not increment the reference count, so by decrementing, we end up freeing the argument passed in. [511aeb75a905]

plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_io_plugin_fails_with_python_backtrace.stdout:
plugins/python/example_io_plugin: close the file at destroy

to avoid warning of debug python build. [6730352ab2d8]

2020-01-28 Todd C. Miller

lib/util/arc4random.h, lib/util/getentropy.c:
Backed out changeset 9dce3ebb2c37 MAP_SGI_ANYADDR cannot be used in place of MAP_ANON [b261d200435a]

2020-01-28 Robert Manner

plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
plugins/python: memleak fixes in test

The main problem was that string array objects were constructed differently:
- if constructed by the test, then the elements were constant
- if constructed by the plugin, then the elements were allocated
Modified it so that now each array contains allocated strings so they can be handled similarly. For freeing, I have used the str_array_free function from the plugin, so I have linked its object into the test runner.

Happy path is now free of “definitely lost” memleaks, so the test can be used for valgrind. [657ffd948be5]

2020-01-28 Laszlo Orban

logsrvd/sendlog.c, logsrvd/sendlog.h:
Refactor sudo_sendlog in order to be able to send one I/O log multiple times in parallel (for testing purposes) [c9afea455ab6]

2020-01-27 Todd C. Miller

lib/util/arc4random.h, lib/util/getentropy.c:
Fix compilation on IRIX; Bug #915 IRIX lacks MAP_ANON (and MAP_ANONYMOUS) but we can use the IRIX-specific flag MAP_SGI_ANYADDR instead. From Kazuo Kuroi [9dce3ebb2c37]

2020-01-24 Todd C. Miller

plugins/sudoers/check.c:
Fix crash in sudo 1.8.30 when suspending sudo at the password prompt. The closure pointer in sudo_conv_callback was being filled in with a struct getpass_closure ** instead of a struct getpass_closure *. The bug was introduced in the fix for Bug #910; previously the closure variable was a struct getpass_closure, not a pointer. Fix from Michael Norton; Bug #914. [011b6a7663ef]

2020-01-24 Robert Manner

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python: use separate python interpreter for each plugin

On each plugin initialization we create a separate python interpreter which gets stored in the plugin_ctx. The main interpreter is stored in py_ctx and is used for creating more interpreters (if more plugins get loaded) and final python deinitialization.

The “traceback” module import and the ImportBlocker initialization was moved, because it has to happen inside the plugin specific interpreters. [eb9308e5eacb]

plugins/python/regress/check_python_examples.c, plugins/python/regress/plugin_conflict.py, plugins/python/regress/te stdata/check_python_plugins_do_not_affect_each_other.stdout:
plugins/python/regress: add a failing textcase about python plugins affect each other

Since python plugins are run inside the same interpreter, they affect each other’s state, which would be better to avoid. [1628425d608c]

2020-01-23 Todd C. Miller

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in:
Document new tls_verify setting. [3e4bc6e4d301]

config.h.in, configure, configure.ac:
Use AC_CHECK_DECLS when checking for SSL_CTX_set_min_proto_version Also use AC_CHECK_FUNCS to check for the other OpenSSL functions [f3e36090a31e]

2020-01-23 Robert Manner

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: update doc about the multiple I/O plugin loading [08e7c479954b]

plugins/python/Makefile.in:
plugins/python/Makefile.in: update autogenerated header dependencies [54c0c7f11046]

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/python_plugin_common.c, plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_io_plugin_command_log_multiple.stderr, plugins/python/sudo_python_module.c:
plugins/python/pyhelpers: have a default sudo_printf function

Adapted the default sudo_printf from sudoers plugin to be able to print errors before plugin open() gets called. (This is used by the multiple io plugin loading to display error for too much plugin load.)

Since this makes us always have a sudo_log, I have removed the logic about whether it is available or not. [fdd4842b3ba2]

src/load_plugins.c:
src/load_plugins.c: plugins can supply a clone function

if they want to support getting loaded multiple times. [33ff0027f686]

2020-01-23 Laszlo Orban

examples/sudo_logsrvd.conf, include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_client.c:
logserver option to disable certificate verification on server side and server authentication on client side [9b171f3af727]

2020-01-22 Todd C. Miller

src/load_plugins.c:
Refactor code to allocate and fill struct plugin_container. This will help avoid duplicate code in the audit and approval plugins. [8ad9ba987131]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, examples/sudo_logsrvd.conf:
Document TCP keepalive options in the manual pages. [7afe9293b503]

doc/CONTRIBUTORS:
Add proper diacritical to Róbert’s name. [9ca9ea59cdd4]

2020-01-22 Robert Manner

plugins/python/regress/check_python_examples.c, plugins/python/regre ss/testdata/check_example_io_plugin_command_log_multiple.stderr, plu gins/python/regress/testdata/check_example_io_plugin_command_log_mul tiple.stdout, plugins/python/regress/testdata/check_example_io_plugi n_command_log_multiple1.stored, plugins/python/regress/testdata/chec k_example_io_plugin_command_log_multiple2.stored, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
plugins/python/regress: add a testcase for multiple io plugin loading

to verify 2 python plugins can work next to each other. [916dd4f44bcf]

2020-01-22 Laszlo Orban

include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Rename tls_checkpeer to tls_reqcert in ServerHello message [b69630f1f5b4]

2020-01-22 Robert Manner

plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c:
plugins/python: fix return value typo for the error case [a7088391d8fb]

2020-01-21 Todd C. Miller

etc/sudo.pp, examples/Makefile.in, examples/sudo.conf.in:
Install a default sudo.conf file. [e2b4613cced9]

aclocal.m4, autogen.sh, config.h.in, configure, configure.ac, include/sudo_compat.h, logsrvd/logsrvd.c, logsrvd/sendlog.c, plugins/sudoers/iolog_client.c:
Add support for building on OpenSSL 1.0.2. This adds compatibility defines for some OpenSSL 1.1.x functions. [17e50378c8ee]

2020-01-21 Robert Manner

plugins/python/python_plugin_io.c, plugins/python/python_plugin_io_multi.inc:
plugins/python/plugin_io: enable loading of multiple io plugins

Separate sudo io plugin symbols are created which stores wrapper functions adding the context of which python plugin the callback is about.

These sudo io plugin “slots” get generated with macros by the preprocessor.

This makes sudo support loading multiple python IO plugins like this: (note the differences in the symbol names)

Plugin python_io python_plugin.so ModulePath=… ClassName=SudoIOPlugin1 Plugin python_io1 python_plugin.so ModulePath=… ClassName=SudoIOPlugin2 Plugin python_io2 python_plugin.so ModulePath=… ClassName=SudoIOPlugin3 [cb45052d227a]

2020-01-21 Laszlo Orban

plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c:
sudoers: disable SO_KEEPALIVE socket option based on log_server_disable_keepalive flag in sudoers [ad48ee6fbcb7]

examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
logserver: enable/disable SO_KEEPALIVE socket option based on tcp_keepalive configuration option in sudo_logsrvd.conf [c0d919468e95]

2020-01-20 Todd C. Miller

include/hostcheck.h:
No need to export the validate_hostname() symbol. We don’t export symbols in convenience libraries, only installed DSOs. [f26897793700]

lib/iolog/hostcheck.c:
Fix a few pointer signedness warnings on Linux. [6a4f68430e69]

include/sudo_compat.h, lib/iolog/hostcheck.c, logsrvd/logsrvd.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, src/net_ifs.c:
Store the server host name and IP in client_closure_fill(). Also check for getpeername() and inet_ntop() failure. [22df6ff5fcaf]

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Fix handling of SSL_ERROR_WANT_{READ,WRITE} during normal I/O. If we get SSL_ERROR_WANT_WRITE during SSL_read(), we need to resume the SSL_read(), not call SSL_write() as we were doing. Likewise for SSL_ERROR_WANT_READ received from SSL_write(). This introduces a flag so we call the proper callback even when the I/O direction doesn’t match the read/write calls. [7162125ad7b7]

lib/util/Makefile.in:
Add siglist.c and signame.c as dependencies for depend target. Fixes running “make depend” in lib/util dir when siglist.c or signame.c are not already present. [9d7aa4107136]

Makefile.in, doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add abs_top_srcdir and abs_top_builddir and use them. Configure provides absolution versions of srcdir, builddir, top_srcdir and top_builddir. We can use these instead of calling pwd. [597ba26af997]

2020-01-20 Robert Manner

plugins/python/Makefile.in:
plugins/python/Makefile.in: remove path prefix from examples to make install target work [ba31bde08e17]

2020-01-19 Todd C. Miller

lib/iolog/Makefile.in:
Rebuild dependencies after hostcheck.c include changes. [3a4e808e5038]

2020-01-18 Todd C. Miller

include/hostcheck.h, lib/iolog/hostcheck.c, logsrvd/logsrvd.c, plugins/sudoers/iolog_client.c:
Add debugging statements to certificate checks. [81f813c8c1f1]

MANIFEST, lib/iolog/Makefile.in, lib/iolog/hostcheck.c, plugins/sudoers/iolog.c:
Portability fixes and correct path to hostcheck.h in MANIFEST. Include sys/socket.h for getpeername(). Link with -lnsl on Solaris to get inet_pton(). [060371a21669]

lib/iolog/Makefile.in, lib/logsrv/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/python/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Using “libtool –clean” to remove regular files is slow. We only need to use libtool’s clean mode to remove files created by libtool. [510af2b052c6]

2020-01-17 Todd C. Miller

.gitignore, .hgignore:
Add examples/sudo.conf to ignore files. [9eb86d1b8661]

doc/sudo.conf.mdoc.in, examples/sudo.conf.in:
Remove whitespace at the end of the line in example sudo.conf [88b0ae1f8a18]

doc/sudo_plugin_python.mdoc.in:
Fix mdoc lint warnings by removing .Pp before and after .Ss. [e59218682d7f]

2020-01-17 Robert Manner

plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
plugins/python/regress: add missing license texts [b0e4b41b2834]

2020-01-16 Todd C. Miller

logsrvd/logsrvd.c:
Fix TLS accept when SSL_accept() returns SSL_ERROR_WANT_WRITE. We need to switch from SUDO_EV_READ to SUDO_EV_WRITE for this case. [71ada9bfa056]

logsrvd/sendlog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Fix TLS connect when SSL_connect returns SSL_ERROR_WANT_READ. We need to switch from SUDO_EV_WRITE to SUDO_EV_READ for this case. Also make the tls connect events private to tls_timed_connect() with their own closure. There is no need to store them in the client closure. [afda37d1dd26]

logsrvd/iolog_writer.c:
Store submit time in struct iolog_info. Fixes missing time stamp in remote I/O log info file. [dcd1dfa00646]

src/sudo_edit.c:
Treat EROFS (like EACCES) as a non-fatal error in dir_is_writable(). Fixes sudoedit on macOS 10.15 and above where the root file system is mounted read-only. See https://support.apple.com/en-us/HT210650. From Dan Villiom Podlaski Christiansen. Bug #913 [cc636a1af1b6]

2020-01-15 Todd C. Miller

lib/util/event.c, plugins/sudoers/iolog_client.c:
Really fix flushing of data in client_close(). Now that we call fmt_exit_message() from client_close() we do not need to try to determine whether the read or write events were pending in the old base.

We can’t tell anyway because the active flag in the event was cleared when the old sudo event base was destroyed. It is correct to enable both the read and write events after formatting the ExitMessage. [c59e77060c37]

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c:
Use SUDOERS_DEBUG_* not SUDO_DEBUG_* in debug_decl() for the sudoers plugin. [2d0c049e689e]

src/sudo.c, src/sudo_plugin_int.h:
Wrap calls to plugin event callbacks to use the plugin’s debug instance. Otherwise, the debug output in a plugin’s event callback will go to the sudo debug file, not sudoers. [02e227cfc715]

lib/util/regress/strsig/strsig_test.c:
FreeBSD is missing SIGLWP (aka SIGTHR) in sys_signame[]. Don’t test SIGLWP on FreeBSD where it is reserved for the thread library and is not listed in sys_signame[]. [95cbafc79b4d]

configure, configure.ac:
We want to use DT_RUNPATH in preference to DT_RPATH in ELF binaries. Otherwise, LD_LIBRARY_PATH does not work when running the tests. The GNU linker’s –enable-new-dtags can be used to do this. We don’t do this on NetBSD where RPATH already supports LD_LIBRARY_PATH. [2c6c9a348d81]

2020-01-15 Laszlo Orban

plugins/sudoers/Makefile.in, plugins/sudoers/iolog_client.c:
do server identity validation in iolog plugin [b1bec55bbed6]

logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
do client identity validation in logserver [e415409dfe0b]

MANIFEST, include/hostcheck.h, lib/iolog/Makefile.in, lib/iolog/hostcheck.c:
implement host validation for the audit server SSL certificates [7f48e57bece2]

2020-01-14 Todd C. Miller

plugins/sudoers/sudoers_debug.c:
Fix reference counting when both sudoers policy and I/O log are loaded. If both sudoers policy and I/O log plugins are loaded, debug_files will be empty when the I/O plugin is initialized. This changes the logic to always increase the reference count if the instance is valid. [18adfeb3727b]

src/load_plugins.c:
Fix handling of duplicate policy and I/O plugins. The warning message said the later I/O plugin was ignored but it actually overwrote the existing one instead. The first registered plugin of the same name now is used, as was intended. Specifying more than one policy plugin is no longer a fatal error; this allows the admin to fix the situation. [dde476072346]

2020-01-14 Robert Manner

aclocal.m4, configure, configure.ac, plugins/python/regress/check_python_examples.c, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h, plugins/python/sudo_python_debug.h:
plugins/python: various portability improvements [d6aa5e2585ef]

plugins/python/example_conversation.py, plugins/python/example_io_plugin.py, plugins/python/regress/testdata /check_example_conversation_plugin_reason_log_with_suspend.stdout, p lugins/python/regress/testdata/check_example_io_plugin_command_log.s tored, plugins/python/regress/testdata/check_example_io_plugin_fails with_python_backtrace.stdout:
plugins/python/example{io,conversation}: avoid printing signal number

They are platform dependant, so their test would fail on some platforms. While we could create separate plugin for the tests, I like the idea that the examples are ensured to be working.

I believe this is a good compromise for being able to auto update the test cases. [7b46d305e7d9]

plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c:
plugins/python/regress: load the python plugin dynamically

instead of linking with it. [084c61e7d565]

2020-01-11 Todd C. Miller

src/sudo_edit.c:
For sudoedit_checkdir consider a user-owner directory to be writable. The non-faccessat() code already did this so this just brings the faccessat() path into alignment. Bug #912 [91a1a9c0ba40]

2020-01-10 Todd C. Miller

doc/CONTRIBUTORS:
Add newline before list of artwork authors. [1be0fe5f7d7a]

doc/LICENSE:
Update copyright year. [f4ef4c1990af]

2020-01-10 Robert Manner

plugins/python/example_policy_plugin.py:
plugins/python/example_policy_plugin.py: extend user env changing example

Make the demonstration extend the environment with a new variable. Easier to read, and makes the testing able to check for that it is working. [77c09cc38298]

generate_test_coverage.sh:
generate_test_coverage.sh: example script to ease test coverage generation

Uses lcov and genhtml to generate test coverage. It is meant to be run in a clean directory. Extra configure options can be added as script arguments.

Example execution:

mkdir build cd build ../generate_test_coverage.sh –enable-python [a52c480639aa]

2020-01-09 Todd C. Miller

plugins/sudoers/logging.c:
Remove MAXSYSLOGTRIES, it is no longer used. [dbd274fd8330]

2020-01-09 Robert Manner

plugins/python/python_plugin_common.c, plugins/python/python_plugin_policy.c:
plugins/python/python_plugin_policy: fix validate() call

When calling validate() python function, TypeError exception was thrown (“argument list must be a tuple”), because the call does not have arguments, and python does not accept empty tuple for execution. NULL must be used instead, which was handled as argument construction failure previously. [5ac3c2acee9b]

plugins/python/example_policy_plugin.py:
plugins/python/example_policy_plugin.py: make allowed_commands ordered

Storing them as “tuple” instead of “set”, so they have a fix order. This makes the output of the list() example stable. (“set” is printed out in random order) [470ccf46a088]

plugins/python/example_io_plugin.py, plugins/python/example_policy_plugin.py, plugins/python/python_plugin_common.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python: fix confusing version display

IO/Group/Policy Python API version is displayed instead of sudo version, because that is not very meaningful in this context.

They are only displayed in verbose mode.

Example plugins express it more concrete that they are displaying their version, not the API version. [af9d969231a9]

2020-01-08 Robert Manner

plugins/python/example_conversation.py:
plugins/python/example_conversation.py: make log path configurable

Similarly to IO plugin example. (It is easier to test it this way.) [6526a842ee21]

2020-01-07 Todd C. Miller

src/sudo.c:
Iterate over io_plugins list in the iolog_* wrappers. Moving the iteration into the wrapper functions simplifies the calling code. [1e803fb8fd1f]

src/sudo.c:
policy_plugin is global, no need to pass it to policy_* functions. [676c85f87b3c]

configure, configure.ac:
If –enable-openssl or –enable-gcrypt is given a path, append to LDFLAGS. Previously we appended the path to SUDOERS_LDFLAGS but now that we use OpenSSL in the log server, LDFLAGS is the correct one to use. [8b30cffe500f]

doc/CONTRIBUTORS:
Add Robert Manner [fe8bb27dcff3]

2020-01-07 Robert Manner

plugins/python/example_io_plugin.py:
plugins/python/example_io_plugin.py: fix backtrace during destructor

If the plugin fails to open the file for writing, constructor will raise an exception and exit before creating the “_log” member variable. So the destructor will also raise a backtrace. (Which python ignores, but dumps out to stderr.) [09cfa2edb38c]

plugins/python/python_plugin_common.c:
plugins/python/python_plugin_common: raise debug level for module import [b261d22e3c2e]

plugins/python/regress/testdata/check_example_conversation_plugin_re ason_log_with_suspend.conversation, plugins/python/regress/testdata/ check_example_conversation_plugin_reason_log_with_suspend.stderr, pl ugins/python/regress/testdata/check_example_conversation_plugin_reas on_log_with_suspend.stdout, plugins/python/regress/testdata/check_ex ample_conversation_plugin_reason_log_with_suspend.stored, plugins/py thon/regress/testdata/check_example_conversation_plugin_reason_log_w ithout_suspend.conversation, plugins/python/regress/testdata/check_e xample_conversation_plugin_reason_log_without_suspend.stderr, plugin s/python/regress/testdata/check_example_conversation_plugin_reason_l og_without_suspend.stdout, plugins/python/regress/testdata/check_exa mple_conversation_plugin_reason_log_without_suspend.stored, plugins/ python/regress/testdata/check_example_conversation_plugin_user_inter rupts.conv, plugins/python/regress/testdata/check_example_conversati on_plugin_user_interrupts.conversation, plugins/python/regress/testd ata/check_example_conversation_plugin_user_interrupts.stderr, plugin s/python/regress/testdata/check_example_conversation_plugin_user_int errupts.stdout, plugins/python/regress/testdata/check_example_debugg ing_c_calls@diag.log, plugins/python/regress/testdata/check_example_ debugging_c_calls@info.log, plugins/python/regress/testdata/check_ex ample_debugging_load@diag.log, plugins/python/regress/testdata/check _example_debugging_plugin@err.log, plugins/python/regress/testdata/c heck_example_debugging_plugin@info.log, plugins/python/regress/testd ata/check_example_debugging_py_calls@diag.log, plugins/python/regres s/testdata/check_example_debugging_py_calls@info.log, plugins/python /regress/testdata/check_example_debugging_sudo_cb@info.log, plugins/ python/regress/testdata/check_example_group_plugin_is_able_to_debug. log, plugins/python/regress/testdata/check_example_io_plugin_command _log.stderr, plugins/python/regress/testdata/check_example_io_plugin command_log.stdout, plugins/python/regress/testdata/check_example_i o_plugin_command_log.stored, plugins/python/regress/testdata/check_e xample_io_plugin_failed_to_start_command.stderr, plugins/python/regr ess/testdata/check_example_io_plugin_failed_to_start_command.stdout, plugins/python/regress/testdata/check_example_io_plugin_failed_to_st art_command.stored, plugins/python/regress/testdata/check_example_io plugin_fails_with_python_backtrace.stderr, plugins/python/regress/t estdata/check_example_io_plugin_fails_with_python_backtrace.stdout, p lugins/python/regress/testdata/check_example_io_plugin_version_displ ay.stderr, plugins/python/regress/testdata/check_example_io_plugin_v ersion_display.stdout, plugins/python/regress/testdata/check_example io_plugin_version_display.stored, plugins/python/regress/testdata/c heck_example_policy_plugin_accepted_execution.stderr, plugins/python /regress/testdata/check_example_policy_plugin_accepted_execution.std out, plugins/python/regress/testdata/check_example_policy_plugin_den ied_execution.stderr, plugins/python/regress/testdata/check_example policy_plugin_denied_execution.stdout, plugins/python/regress/testda ta/check_example_policy_plugin_failed_execution.stderr, plugins/pyth on/regress/testdata/check_example_policy_plugin_failed_execution.std out, plugins/python/regress/testdata/check_example_policy_plugin_lis t.stderr, plugins/python/regress/testdata/check_example_policy_plugi n_list.stdout, plugins/python/regress/testdata/check_example_policy plugin_validate_invalidate.log, plugins/python/regress/testdata/chec k_example_policy_plugin_version_display.stderr, plugins/python/regre ss/testdata/check_example_policy_plugin_version_display.stdout, plug ins/python/regress/testdata/check_loading_fails_missing_classname.st derr, plugins/python/regress/testdata/check_loading_fails_missing_cl assname.stdout, plugins/python/regress/testdata/check_loading_fails missing_path.stderr, plugins/python/regress/testdata/check_loading_f ails_missing_path.stdout, plugins/python/regress/testdata/check_load ing_fails_not_owned_by_root.stderr, plugins/python/regress/testdata/ check_loading_fails_not_owned_by_root.stdout, plugins/python/regress /testdata/check_loading_fails_wrong_classname.stderr, plugins/python /regress/testdata/check_loading_fails_wrong_classname.stdout, plugin s/python/regress/testdata/check_loading_fails_wrong_path.stderr, plu gins/python/regress/testdata/check_loading_fails_wrong_path.stdout:
plugins/python/regress/testdata: generated data for the pyplugin tests [cec6c9036644]

plugins/python/example_debugging.py:
plugins/python/example_debugging: fix typo in comment [38de8ea0b0e9]

2020-01-06 Laszlo Orban

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
save a pointer to the currently connected audit server in the closure object [f1c14c43ab40]

2020-01-05 Todd C. Miller

plugins/sudoers/timestamp.c:
Sanity check size when converting the first record to TS_LOCKEXCL Coverity CID 206591 [5b94873c4051]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c:
Fix coverity CID 206586. Potential use after free calling gzstrerror() after gzclose(). [4bcba58004c8]

plugins/sudoers/cvtsudoers.c:
Use canonical pattern when freeing a tail queue. Avoids some coverity false positives when using TAILQ_FOREACH_SAFE to free the tail queue. [9019d7ad9958]

2020-01-03 Robert Manner

MANIFEST, plugins/python/Makefile.in, plugins/python/regress/check_python_examples.c, plugins/python/regress/iohelpers.c, plugins/python/regress/iohelpers.h, plugins/python/regress/testdata/sudo.conf.developer_mode, plugins/python/regress/testdata/sudo.conf.normal_mode, plugins/python/regress/testhelpers.c, plugins/python/regress/testhelpers.h:
plugins/python/regress: adds tests for python plugin feature and examples [7ab4daed9558]

2020-01-03 Todd C. Miller

plugins/sudoers/iolog_client.c:
Avoid potential NULL deref in tls_timed_connect() error path. Coverity CID 206396 [730687307b24]

logsrvd/sendlog.c:
Check for sudo_ev_add() failure; Coverity CID 206395 206397 [7008560eac95]

2020-01-02 Todd C. Miller

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in:
Update sample sudo.conf with all supported settings. The deprecated “max_groups” setting is not documented. [e17f7bf95578]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, examples/sudo.conf.in, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_parseln/test1.in:
Remove POD-style C<> markup (typewriter font) from sudo.conf [b69d4743c860]

MANIFEST, configure, configure.ac, examples/Makefile.in, examples/sudo.conf, examples/sudo.conf.in:
Substitute plugin dir into examples/sudo.conf [8c481a21c098]

2020-01-02 Robert Manner

plugins/sudoers/sudoers_debug.c:
plugins/sudoers/sudoers_debug.c: fix harmless debug deregistration warning

If the debug sudoers subsystem is not registered, because it does not get any file names to deal with (TAILQ_EMPTY(debug_files)), deregistration of the subsystem outputs a warning:

sudo: sudo_debug_deregister_v1: invalid instance ID -1, max -1

This patch prevents that by only increasing the refcount if the debug_instance was registered successfully. [939042599498]

plugins/python/Makefile.in:
plugins/python/Makefile.in: fix the install path of examples

Examples are installed by default to “docdir”, which refers to PACKAGE_TARNAME variable which was empty for the python plugin Makefile.in

So the examples were installed to ‘…/share/doc/examples’ instead of ‘…/share/doc/sudo/examples’. This also made them be skipped from the package.

Also the install target now depends on install-doc so the examples gets installed also (similarly as other examples). [e4c07404a3fc]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
doc/sudo_plugin_python: indent code examples for easier readability [c91ee22bfc83]

doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in:
doc/sudo.conf: document developer_mode option [127215dca183]

2019-12-31 Todd C. Miller

doc/UPGRADE:
fix typo in previous [3031418fba2b]

Makefile.in:
In update-pot match *.c not *c. [77a1139fef99]

NEWS, doc/UPGRADE:
Changes in sudo 1.8.30 [dfaac62074f4]

2019-12-26 Todd C. Miller

Makefile.in:
Add check for up to date def_data.[ch] in check-dist target. [ffaf150e76a5]

2019-12-25 Todd C. Miller

src/limits.c:
Use 64-bit resource limits on AIX. [b8b76c47c8a7]

src/limits.c:
When restoring old resource limits, try to recover if we receive EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft limit is lower than the current resource usage. This can be a problem when restoring the old stack limit if sudo has raised it. [50bdbdbea1b7]

src/limits.c:
Sudo doesn’t require such a large stack. [f93eb9e0c105]

plugins/sudoers/Makefile.in:
Restore check for readable /etc/sudoers in pre-install target. If there is no installed sudoers there is nothing to check… [99e65bc54052]

config.h.in, configure, configure.ac:
Enable OpenBSD extensions on NetBSD to get reallocarray(3) prototype. [e303dca0c1cb]

include/sudo_event.h:
Add forward declaration of struct timeval for deprecated APIs. [e41bdbbbc067]

lib/util/sig2str.c, lib/util/str2sig.c:
Fix compilation on systems with SIGRTMIN/SIGRTMAX but not _SC_RTSIG_MAX. [8e40c62e00f8]

include/sudo_compat.h:
Older systems may not support WCONTINUED. [730bede52ff0]

plugins/sudoers/logging.c:
Support systems that have nl_langinfo(3) but not the CODESET define. Fixes compilation on old NetBSD versions. [03e7cff93172]

plugins/sudoers/starttime.c:
Fix a typo; HAVE_KINFO_PROC2_NETBSD not HAVE_KINFO_PROC2_NETBSD2 [0c46a062f888]

2019-12-23 Todd C. Miller

MANIFEST, Makefile.in, configure, configure.ac, etc/init.d/aix.sh.in, etc/init.d/hpux.sh.in, etc/init.d/sudo.conf.in, etc/sudo.pp, init.d/aix.sh.in, init.d/hpux.sh.in, init.d/sudo.conf.in, src/Makefile.in, sudo.pp:
Move init.d and sudo.pp to the etc dir. [81c9cbbc8ea9]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/cfmakeraw.c:
Add cfmakeraw() for systems without it. [48f48eaf2a68]

MANIFEST:
Remove indent.pro from MANIFEST [2b6a24282b8c]

.gitignore, .hgignore:
Add uncrustify.files to ignore file. [056b0df738a9]

doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
Substitute @prefix@ in for the example paths. We can’t use @exampledir@ here since it contains Makefile variables. [1744e2bcc813]

2019-12-22 Todd C. Miller

include/sudo_debug.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/util/aix.c, lib/util/digest.c, lib/util/digest_gcrypt.c, lib/util/digest_openssl.c, lib/util/event.c, lib/util/event_poll.c, lib/util/event_select.c, lib/util/gettime.c, lib/util/getusershell.c, lib/util/gidlist.c, lib/util/host_port.c, lib/util/key_val.c, lib/util/lbuf.c, lib/util/locking.c, lib/util/logfac.c, lib/util/logpri.c, lib/util/mkdir_parents.c, lib/util/parseln.c, lib/util/secure_path.c, lib/util/setgroups.c, lib/util/strsplit.c, lib/util/strtobool.c, lib/util/strtoid.c, lib/util/strtomode.c, lib/util/sudo_conf.c, lib/util/term.c, lib/util/ttyname_dev.c, lib/util/ttysize.c, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, plugins/python/python_plugin_common.c, plugins/python/sudo_python_debug.c, plugins/sudoers/alias.c, plugins/sudoers/audit.c, plugins/sudoers/auth/afs.c, plugins/sudoers/auth/aix_auth.c, plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/dce.c, plugins/sudoers/auth/fwtk.c, plugins/sudoers/auth/kerb5.c, plugins/sudoers/auth/pam.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/rfc1938.c, plugins/sudoers/auth/secureware.c, plugins/sudoers/auth/securid5.c, plugins/sudoers/auth/sia.c, plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/base64.c, plugins/sudoers/boottime.c, plugins/sudoers/bsm_audit.c, plugins/sudoers/check.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/defaults.c, plugins/sudoers/digestname.c, plugins/sudoers/editor.c, plugins/sudoers/env.c, plugins/sudoers/env_pattern.c, plugins/sudoers/file.c, plugins/sudoers/filedigest.c, plugins/sudoers/find_path.c, plugins/sudoers/fmtsudoers.c, plugins/sudoers/gc.c, plugins/sudoers/gentime.c, plugins/sudoers/getspwuid.c, plugins/sudoers/goodpath.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/group_plugin.c, plugins/sudoers/hexchar.c, plugins/sudoers/interfaces.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/ldap_util.c, plugins/sudoers/linux_audit.c, plugins/sudoers/locale.c, plugins/sudoers/logging.c, plugins/sudoers/logwrap.c, plugins/sudoers/match.c, plugins/sudoers/match_addr.c, plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c, plugins/sudoers/parse.c, plugins/sudoers/parse_ldif.c, plugins/sudoers/policy.c, plugins/sudoers/prompt.c, plugins/sudoers/pwutil.c, plugins/sudoers/pwutil_impl.c, plugins/sudoers/rcstr.c, plugins/sudoers/redblack.c, plugins/sudoers/set_perms.c, plugins/sudoers/sssd.c, plugins/sudoers/starttime.c, plugins/sudoers/strlist.c, plugins/sudoers/stubs.c, plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers_debug.c, plugins/sudoers/sudoreplay.c, plugins/sudoers/testsudoers.c, plugins/sudoers/timeout.c, plugins/sudoers/timestamp.c, plugins/sudoers/toke.c, plugins/sudoers/toke.l, plugins/sudoers/toke_util.c, plugins/sudoers/tsdump.c, plugins/sudoers/visudo.c, src/exec.c, src/exec_common.c, src/exec_nopty.c, src/exec_pty.c, src/get_pty.c, src/hooks.c, src/limits.c, src/load_plugins.c, src/net_ifs.c, src/parse_args.c, src/preserve_fds.c, src/selinux.c, src/sesh.c, src/signal.c, src/solaris.c, src/sudo.c, src/sudo_edit.c, src/tgetpass.c, src/ttyname.c, src/utmp.c:
debug_decl and debug_decl_vars now require a semicolon at the end. [c05890653007]

2019-12-21 Todd C. Miller

MANIFEST, doc/Makefile.in, doc/sudo_plugin_python.man.in, doc/sudo_plugin_python.mdoc.in:
Add sudo_plugin_python manual page. Based on markdown docs from Robert Manner. [65f2af21832d]

2019-12-18 Todd C. Miller

plugins/sudoers/sudoers.c, src/limits.c:
Output the name of the limit when warning about setrlimit or getrlimit. From Kimmo Suominen. [92ed66b5cc1f]

2019-12-14 Todd C. Miller

aclocal.m4, config.h.in, configure:
regen [81961af46679]

MANIFEST:
Add python module files to MANIFEST [f223a19117bb]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
Update SUDO_CONV_REPL_MAX in docs. [120970879b36]

Makefile.in:
Remove uncrustify.files in clean target [ba843b8f2e80]

2019-12-13 Todd C. Miller

Makefile.in, etc/uncrustify-small.cfg, etc/uncrustify.cfg, indent.pro:
Add uncrustify config file for new sudo code style. [7c3b3f733134]

include/sudo_plugin.h:
Bump SUDO_CONV_REPL_MAX from 255 to 1023 [9127fb27eb55]

lib/util/digest_gcrypt.c, plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c:
Minor style cleanups. Remove extraneous break after return statement. Convert two old K&R function declarations. [19f8b7a3d2d1]

2019-12-11 Todd C. Miller

src/selinux.c:
Save/restore the raw form of the file context in case mctrans is not available. [786a04ba33ab]

2019-12-10 Robert Manner

plugins/python/python_plugin_common.c:
plugins/python: make group plugin able to debug

It does not get the debug settings, so it looks them up through sudo_conf. [fe4dbf8345b6]

include/sudo_conf.h, lib/util/regress/sudo_conf/conf_test.c, lib/util/regress/sudo_conf/test1.in, lib/util/regress/sudo_conf/test1.out.ok, lib/util/regress/sudo_conf/test2.out.ok, lib/util/regress/sudo_conf/test3.out.ok, lib/util/regress/sudo_conf/test4.out.ok, lib/util/regress/sudo_conf/test5.out.ok, lib/util/regress/sudo_conf/test6.out.ok, lib/util/regress/sudo_conf/test7.out.ok, lib/util/regress/sudo_conf/test8.err.ok, lib/util/regress/sudo_conf/test8.in, lib/util/regress/sudo_conf/test8.out.ok, lib/util/sudo_conf.c, lib/util/util.exp.in, plugins/sudoers/group_plugin.c, src/load_plugins.c:
src/load_plugins, plugins/sudoers: added developer_mode sudo.conf option

It can be used to disable the enforcement that a plugin (shared object or an imported python module) must be owned by root and not modifiable by others. This can make plugin development easier. [a9f86943d30c]

2019-12-09 Todd C. Miller

MANIFEST, config.h.in, configure, configure.ac, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_compat.h, lib/util/Makefile.in, lib/util/getusershell.c, mkdep.pl, plugins/sudoers/check.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
Add runas_check_shell flag to require a runas user to have a valid shell. Not enabled by default. [9e7936e0ccfe]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/sudoers.c:
Add a new flag “allow_unknown_runas_id” to control matching of unknown IDs. Previous, sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the “ALL” alias. With this change, the admin must explicitly enable support for unknown IDs. [ebdbb5c7f60b]

2019-12-07 Todd C. Miller

lib/util/term.c:
Use cfmakeraw() in sudo_term_raw() instead of doing it manually. [b8ff5f81399f]

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Fix event loop called via I/O log close function. We need to set events that were pending in the old base in the new one. Fixes sending the final I/O log data and the ExitMessage to the server. [dcba4ce2196c]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_plugin.h, src/sudo.c:
Replace timeleft with pending in sudo plugin event API. [5f49af23af38]

plugins/sudoers/sudoreplay.c:
Use sudo_ev_pending() instead of the deprecated sudo_ev_timeleft(). [c6cce5275f1e]

include/sudo_event.h, lib/util/event.c, lib/util/util.exp.in:
Add sudo_ev_pending(), used to check whether an event is pending. [edcea66bda32]

plugins/sudoers/Makefile.in:
Add TLS libs when linking check_iolog_plugin [d84a5f5c6bc1]

2019-12-06 Todd C. Miller

plugins/sudoers/iolog_client.c:
Remove extraneous newlines in some sudo_warnx() calls. [d3dbf0f93372]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document log_server_cabundle, log_server_peer_cert and log_server_peer_key [edea4d048221]

Merge pull request #16 from laczau/master

Proper handling of certificate chain file [44939e511321]

2019-12-06 Laszlo Orban

logsrvd/logsrvd.c:
cert files can contain the full chain of trust, so load all certs in every case for verification [ca26bb970ef5]

2019-12-05 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in:
Sync init_session() prototype with sudo_plugin.h and fix a typo. [1501cdfa8e76]

2019-12-05 Robert Manner

plugins/python/example_conversation.py, plugins/python/example_debugging.py:
plugins/python: example plugin demonstrating conversation and debug API [e487d2240607]

include/sudo_debug.h, lib/util/sudo_debug.c, lib/util/util.exp.in:
lib/util/sudo_debug.c: add a function for querying if debugging is needed

for a level. Rationale: this way we can avoid computing details for the log which will not happen at all if the computation is slow. [d636c26d192d]

2019-12-04 Todd C. Miller

plugins/sudoers/check.c:
Only update the time stamp entry after the approval function has succeeded. Bug #910 [9b2022e6f11d]

2019-12-04 Robert Manner

plugins/python/sudo_python_debug.c, plugins/python/sudo_python_debug.h:
plugins/python: add sudo debug helpers [1d48021e86ad]

2019-12-04 Todd C. Miller

Merge pull request #14 from sudo-project/tls-config-default-values

Audit Server - add default values for cert paths [f30a48f8b5d5]

2019-12-04 Laszlo Orban

logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c:
add default values for cert paths [a76ca8a3ca9f]

2019-12-03 Todd C. Miller

lib/util/sudo_debug.c:
Add reference counting to debug register/deregister. Fixes a potential problem when an instance is re-registered. [270e739fd0b3]

plugins/sudoers/sudoers_debug.c:
Only deregister the sudoers debug instance on last close. Reference count calls to sudoers_debug_register and only deregister sudoers_debug_instance when refcnt reaches 0. Fixes a problem where the debug system was deregistered when the sudoers policy is closed even though the iolog plugin is active. [2b73f3e9fc32]

2019-12-02 Robert Manner

plugins/python/python_importblocker.c:
plugins/python: add ImportBlocker which forbids loading unsafe python modules

If non root can alter any imported python modules, he is able to run anything he would like to as root user. This class is a helper to avoid such situation.

This feature can be disabled with ‘DeveloperMode=1’ plugin option. [26be6228724f]

2019-11-28 Laszlo Orban

plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
implement tls layer in iolog plugin [c25837909952]

plugins/sudoers/iolog.c, plugins/sudoers/policy.c:
process tls config options [510fdfd39d71]

plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in:
add audit server tls related configuration options to sudoers [f4135025ff1d]

plugins/sudoers/Makefile.in:
optionally link sudoers with openssl libs [750f87200eab]

2019-11-27 Laszlo Orban

logsrvd/logsrvd.c:
Merge pull request #11 from sudo-project/audit-server-tls-async

Sudo audit Server - TLS protocol update [923f6d914ec5]

2019-11-26 Laszlo Orban

logsrvd/logsrvd.c:
disable timeout for the reader after ServerHello message [e579450aafa1]

2019-11-25 Todd C. Miller

logsrvd/logsrvd.c:
Exit if the first call to logsrvd_conf_read() fails. It is not fatal if subsequent calls fail (due to SIGHUP) since we keep a copy of the old config before installing the new one. [c20866ea9d03]

Makefile.in, plugins/sudoers/Makefile.in:
Add some missing files to “make clean” and “make distclean” [d1b559e9e1ab]

.gitignore, .hgignore:
Update .hgignore and convert to .gitignore [c8b92b55e74a]

2019-11-22 Laszlo Orban

logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
use event timeout instead of socket timeout [5c72d1d18aec]

logsrvd/sendlog.c, logsrvd/sendlog.h:
adapt sudo sendlog (async communication, unencrypted ServerHello message) [0269d852f6c6]

logsrvd/logsrvd.c, logsrvd/logsrvd.h:
ServerHello message is now unencrypted, TLS communication has been refactored to full async [d138cbe2253e]

include/log_server.pb-c.h, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, logsrvd/logsrvd.c:
extend ServerHello message with two fields (tls, tls_checkpeer) [6d7965d29cd4]

2019-11-21 Robert Manner

Makefile.in:
Makefile.in: fix calling log2cl when doing out of source build

If doing build out of source and not calling configure by absolute path, $(top_srcdir) variable will contain a path relative to the directory we stand in. So, after changing the current directory “cd $(srcdir)”, this path will point to somewhere else making the install step fail. [58a22fce613f]

plugins/python/python_baseplugin.c, plugins/python/python_convmessage.c, plugins/python/sudo_python_module.c, plugins/python/sudo_python_module.h:
plugins/python: add a sudo python module [c512c48170ae]

2019-11-20 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, plugins/sudoers/policy.c, src/sudo.c:
For plugin API 1.15 and up, always call the plugin close function. Previously, it was only called when a command was run (including sudoedit). Now, plugin operations list, validate, invalidate, and show_version are also closed. [6cdcb5624908]

2019-11-19 Todd C. Miller

plugins/sudoers/iolog_client.c:
Avoid NULL deref on an error path if calloc() fails. Coverity CID 205873 [bad732813149]

src/conversation.c:
Fix potential fd leak when converting trailing newline to cr + nl. Coverity CID 205872 [4597abb8ee1f]

doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, examples/sudo_logsrvd.conf:
Document the process of creating self-signed certificates for sudo_logsrvd. Based on a document from Laszlo Orban. [0be730e58f17]

plugins/group_file/plugin_test.c:
Sync with argument handling in group_plugin.c [937475aa2c3f]

plugins/sudoers/group_plugin.c:
If a group plugin has optional arguments, NULL terminate the vector. Otherwise, the plugin cannot determine the end of arguments. The behavior now matches the plugin documentation. [51e02f75a447]

2019-11-19 Robert Manner

plugins/python/example_group_plugin.py:
plugins/python: add example python group plugin [9f9d7cc2d5db]

plugins/python/example_policy_plugin.py:
plugins/python: add example python policy plugin [6cc0d47edae0]

plugins/python/example_io_plugin.py:
plugins/python: add example io python plugin [d22532c34748]

2019-11-18 Todd C. Miller

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, src/sudo.c:
If there is no session or terminal group ID, pass the plugin a value of 0. This behavior already matches what is documented in the sudo_plugin manual for “sid” but the “tcpgid” entry needed to be updated. [2d720153c4cf]

plugins/sudoers/sudoers.c:
Don’t touch the local iolog sequence file if we are logging remotely [3c5dc60a9d11]

plugins/sudoers/iolog_client.c:
Plug a memory leak found by leak sanitizer [13aac57d0506]

plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h:
Make a shallow copy of user_env in I/O plugin in case it is reallocated. The policy plugin’s session init function may reallocate the user environment pointer. Fixes a use after free when PAM is used. [3eb35dac2743]

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/policy.c:
Rename “log_server” in sudoers to “log_servers” to match I/O plugin. [1dbe79c18760]

2019-11-17 Todd C. Miller

logsrvd/logsrvd.c:
Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt(). It’s a little more obvious this way and ssl is only non-NULL when the tls option is enabled anyway. [3436430c064b]

logsrvd/logsrvd.c:
Init iolog_dir_fd and sock in connection_closure before adding to list. Otherwise we could close the wrong fds in the error path. [1643211f8b46]

doc/CONTRIBUTORS:
Add Laszlo Orban [2836214cd4b8]

2019-11-16 Todd C. Miller

doc/sudo_logsrvd.conf.man.in:
regen [4a44bfc42b4b]

doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
Change TLS example file locations to be under /etc/ssl/sudo. [f4c302a3bcb9]

doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf:
Document sudo_logsrvd TLS configuration. [97260e6acfaf]

2019-11-15 Todd C. Miller

include/sudo_event.h:
Include time.h for struct timespec. [8bd80773d0fa]

lib/util/util.exp.in:
Add sudo_ev_set_v1 to the exports file. [fd6b66378e5d]

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Document the log_server and log_server_timeout options [7d7429b73d25]

MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_client.c, plugins/sudoers/iolog_plugin.h, plugins/sudoers/policy.c, src/exec_nopty.c, src/exec_pty.c, src/sudo.c:
Add support for logging to the log server [158a8e80faab]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, include/sudo_event.h, include/sudo_plugin.h, lib/util/event.c, plugins/sudoers/iolog.c, plugins/sudoers/policy.c, src/Makefile.in, src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/load_plugins.c, src/preload.c, src/sudo.c, src/sudo.h, src/sudo_plugin_int.h:
Add a plugin interface to sudo main event loop. [123662f454da]

MANIFEST, Makefile.in, configure, configure.ac, include/log_server.pb-c.h, include/protobuf-c/protobuf-c.h, lib/logsrv/Makefile.in, lib/logsrv/log_server.pb-c.c, lib/logsrv/log_server.proto, lib/logsrv/protobuf-c.c, logsrvd/Makefile.in, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/protobuf-c/protobuf-c.c, logsrvd/protobuf-c/protobuf-c.h:
Move protobuf-c.c, log_server.proto, log_server.pb-c.[ch] to lib/logsrv [6772a775471f]

lib/util/event.c:
When freeing an event base, reset ev->base to NULL for associated events. [7199d3967059]

logsrvd/logsrvd_conf.c:
Move cb_timeout() out from under the HAVE_OPENSSL ifdef. [c7fc294ce21a]

INSTALL, config.h.in, configure, configure.ac, logsrvd/Makefile.in, logsrvd/logsrvd.c:
LibreSSL and older OpenSSL don’t support SSL_CTX_set_ciphersuites(). Add a configure test and skip TLS 1.3 setup if it is missing. We still accept the tls_ciphers13 config setting but it will be ignored. [06d478442971]

logsrvd/logsrvd.c, logsrvd/sendlog.c:
Minor style nits that I missed during review. [7209ccc5a3cf]

logsrvd/sendlog.c:
Avoid calling SSL_CTX_free() on an uninitialized pointer in an error path. [2df423e30773]

Merge pull request #9 from sudo-project/audit-server-tls-support

Audit server tls support [0aded6c1deec]

2019-11-13 Laszlo Orban

logsrvd/Makefile.in, logsrvd/sendlog.c:
update sudo_sendlog to support openssl tls [ab4be8367862]

2019-11-12 Todd C. Miller

src/limits.c:
Simplify resource limit fallback logic a bit. [cdab60b50079]

2019-11-11 Todd C. Miller

doc/CONTRIBUTORS:
Add sudo logo designers [94c841c8bc28]

src/limits.c:
Don’t set the RLIMIT_STACK soft/hard limits to unlimited. Use 8Mb for soft and 64Mb for hard. Works around issues on macOS and docker. See also Bug #908 [1d7f52c32360]

src/tgetpass.c:
Restore resource limits before executing the askpass program. Linux with docker seems to have issues executing a program when the stack size is unlimited. Bug #908 [28cb58a5ac94]

src/conversation.c:
Check for replies pointer being NULL just in case. [7c0c4c6b001e]

2019-11-11 Laszlo Orban

examples/sudo_logsrvd.conf, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
set timeout value for the socket [e884292ab6c9]

2019-11-09 Todd C. Miller

src/conversation.c:
Convert trailing newline to carriage return + newline for tty. Does not currently handle embedded newlines. [ad195e045150]

2019-11-08 Todd C. Miller

lib/util/fatal.c:
Only write a carriage return if output is to a tty. [f605335649ea]

lib/util/fatal.c:
Include a carriage return when printing warning messages. Otherwise, if the command is running in a pty the output is stair-stepped. [f23d4f0ed902]

2019-11-08 Laszlo Orban

configure, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
make audit server openssl dependency optional; tls layer is compiled only if sudo is built with –enable-openssl feature switch [c360a34c89c0]

2019-11-07 Todd C. Miller

lib/util/util.exp.in:
Add sudo_parse_host_port_v1 and sudo_pow2_roundup_v1 to exports file. [e8b529115871]

2019-11-07 Laszlo Orban

logsrvd/logsrvd.c:
fixed segfault when connection_closure_free() tries to remove a non- existent connection object from the list [4d6dd38d59f6]

2019-11-06 Todd C. Miller

lib/util/closefrom.c:
Fix typo in closefrom emulation. [b23a6c512d4a]

plugins/sudoers/env.c:
Do not warn about a missing /etc/environment file on Linux without PAM. Bug #907 [f85ff5ee2caf]

2019-11-05 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c, plugins/sudoers/gram.y, plugins/sudoers/parse.h, plugins/sudoers/regress/parser/check_fill.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c, plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c:
Transparently handle the “sudo sudoedit” problem. Some admin are confused about how to give users sudoedit permission and many users try to run sudoedit via sudo instead of directly. If the user runs “sudo sudoedit” sudo will now treat it as plain “sudoedit” after issuing a warning. If the admin has specified a fully-qualified path for sudoedit in sudoers, sudo will treat it as just “sudoedit” and match accordingly. In visudo (but not sudo), a fully-qualified path for sudoedit is now treated as an error. [5cdcfd9a6c33]

logsrvd/iolog_writer.c, logsrvd/sendlog.c:
Rename cwd -> submitcwd to match man page. [bc9ea396055a]

2019-11-05 Laszlo Orban

logsrvd/logsrvd.c:
verify server/client certs with CA certificate chain file [a177af7d7bbf]

2019-11-05 Todd C. Miller

MANIFEST, lib/util/Makefile.in, lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c:
Add unit test for parse_host_port and make an empty port an error. [b6b895cdc010]

2019-11-04 Todd C. Miller

lib/util/host_port.c:
Fill in host and port pointers on success. [794368ebd367]

2019-11-04 Laszlo Orban

logsrvd/logsrvd.c:
fix copy-paste mistake [2fe897c77485]

2019-11-02 Todd C. Miller

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/host_port.c, logsrvd/logsrvd_conf.c:
Split out code to parse host:port into a utility function. [d8331e72394d]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/roundup.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.c, logsrvd/sendlog.c:
Move bufsize_roundup() -> sudo_pow2_roundup() in libsudo_util. [791f5c353ef1]

lib/iolog/Makefile.in, logsrvd/Makefile.in:
Add missing depend target [75107bcfff3d]

lib/iolog/Makefile.in, lib/util/Makefile.in, logsrvd/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
We haven’t needed -I$(top_srcdir) for a long time. [6974ea4a6c8c]

lib/util/closefrom.c:
In closefrom_fallback() use the interval [OPEN_MAX, INT_MAX]. We want to try closing at least OPEN_MAX fds but no more than INT_MAX. On 64-bit systems it is possible for sysconf(_SC_OPEN_MAX) to return a value larger than INT_MAX when the number of open files is unlimited. [08d6fea1c894]

plugins/sudoers/logging.c, src/exec_monitor.c, src/selinux.c, src/tgetpass.c:
Use dup3() instead of dup2(). This is less error prone since dup3() returns an error if old == new. Sudo guarantees that fds 0-2 are already open. [a9ffaa8a8a55]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/dup3.c, mkdep.pl:
Add dup3() emulation. [7bd8864dee7e]

plugins/sudoers/logging.c, src/exec_monitor.c, src/exec_pty.c, src/tgetpass.c:
Open all pipes using pipe2() with O_CLOEXEC. We no longer depend on calling closefrom() before exec. [176ae5cf1d94]

src/exec.c, src/tgetpass.c:
Call closefrom() before we change to a non-root UID. This prevents another process from changing the NOFILE resource limit of the child process and defeating the closefrom() call. Reported by Joe Vennix from Apple Information Security. [f93d52b24976]

MANIFEST, logsrvd/Makefile.in:
Regenerate Makefile and sort MANIFEST [24664d6c9d47]

2019-11-01 Todd C. Miller

doc/sudo.man.in, doc/sudo.mdoc.in:
Reference timestamp_type and timestamp_timeout in sudoers. This should help users find details on how time stamp files work. [d5aa7c0b404c]

2019-10-31 Laszlo Orban

logsrvd/logsrvd.c:
process tls config params in the audit server and establish TLS connection accordingly [33ce32c140af]

2019-10-29 Todd C. Miller

src/limits.c:
macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS setrlimit manual. Bug #904 [2a00e62eaeb0]

2019-10-28 Todd C. Miller

Makefile.in:
Fix ChangeLog generation on a branch. [69409e5b1179]

2019-10-27 Todd C. Miller

logsrvd/sendlog.c:
Remove unused copy of iolog_seekto(). [1d730d414cd9]

2019-10-25 Laszlo Orban

examples/sudo_logsrvd.conf, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
add configuration options for TLS [291a9986d6e9]

2019-10-24 Todd C. Miller

MANIFEST, doc/Makefile.in, doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, examples/sudo_logsrvd.conf, logsrvd/iolog_writer.c:
Document the sudo log server protocol [46de0934987c]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog.c:
Read logsrvd.conf in two steps: first read, then apply if OK. This fixes a problem where when logsrvd.conf was reloaded while running (due to SIGHUP) and there was an error we could end up with a partial config. [d3244c318c5b]

include/sudo_iolog.h, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_util/check_iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/sendlog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
Add iolog_ prefix to exported functions in iolog_util.c [62027c8e1abd]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c:
Simplify iolog_set_user and iolog_set_group [e82c5078b02c]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/fchmodat.c, lib/util/fstatat.c, mkdep.pl:
Add fchmodat() and fstatat() emulation. Note that fchmodat() emulation does not support AT_SYMLINK_NOFOLLOW [8232c22e71c7]

doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Clear the write bit on the timing file for completed logs. This allows us to tell whether or not a log can be restarted. [b2180b6ef53b]

logsrvd/logsrvd.c:
Redirect std{in,out,err} to /dev/null even when given the -n option. [376186a8d9cc]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_path/data, logsrvd/iolog_writer.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/sudoers.c:
Simplify expand_iolog_path() [4f0f85f659d1]

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen [e268d56da49c]

examples/sudo_logsrvd.conf, include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c:
Make the logsrvd port and list address configurable. [69d73358888d]

Makefile.in, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c:
Mark logsrvd and sendlog strings for translation in the sudoers domain [24b1fd6250fb]

logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/sendlog.c:
Add long option support to logsrvd and sendlog. [ecb2fae83abb]

logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h:
Return an error to the client on error instead of dropping the connection. [2e40ca902100]

examples/sudo_logsrvd.conf, logsrvd/logsrvd_conf.c:
Convert sudo_logsrvd.conf to ini file format [91dff03d0795]

MANIFEST, examples/sudo_logsrvd.conf, include/sudo_util.h, lib/util/Makefile.in, lib/util/logfac.c, lib/util/logpri.c, lib/util/util.exp.in, logsrvd/Makefile.in, logsrvd/eventlog.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/defaults.c:
Add basic support for event logging using a sudo-style log format. [eb6aa3672e6f]

logsrvd/logsrvd.c, logsrvd/sendlog.c:
Add OpenBSD malloc options. [a0d79af0c430]

MANIFEST, logsrvd/Makefile.in, logsrvd/buffer.c, logsrvd/buffer.h, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h:
Allow messages up to 2Mb in size. [af79754aaf53]

MANIFEST, configure, configure.ac, doc/Makefile.in, doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in, doc/sudo_logsrvd.man.in, doc/sudo_logsrvd.mdoc.in, doc/sudo_sendlog.man.in, doc/sudo_sendlog.mdoc.in, examples/sudo_logsrvd.conf, m4/sudo.m4:
Add manual pages for logsrvd and sendlog. [f437259d81ae]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.c:
Add restart support for compresses I/O logs. [1191fac5ff52]

logsrvd/sendlog.c, logsrvd/sendlog.h:
Fix client side of restart. Seek to the target point there too so we start sending from the right place. [403bf22a6dad]

include/sudo_iolog.h, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/sendlog.c, plugins/sudoers/sudoreplay.c:
Move read_timing_record() into libsudo_iolog [65a984f7fa7a]

MANIFEST, lib/iolog/iolog_fileio.c, logsrvd/Makefile.in, logsrvd/buffer.c, logsrvd/buffer.h, logsrvd/iolog_writer.c, logsrvd/logsrv_util.c, logsrvd/logsrv_util.h, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h:
Rename buffer.c -> logsrv_util.c and add iolog_seekto() [0ff1a6fdaecd]

logsrvd/logsrvd.c, logsrvd/sendlog.c:
Fix some warnings from the clang static analyzer. [95de486cfb65]

logsrvd/sendlog.c:
Fix Coverity CID 204353, fd leak on error path. [3519d910c777]

logsrvd/logsrvd_conf.c:
Fix Coverity CID 204355, resource leak on error path. [c5c50c6bae16]

lib/iolog/iolog_fileio.c:
Avoid TOCTOU in iolog_mkdirs; Coverity CID 204356 [0c8679a731f5]

lib/util/mkdir_parents.c:
Avoid TOCTOU in sudo_mkdir_parents; Coverity CID 204357 [e9eeae60dff2]

logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto:
Add NumberList to InfoMessage. Also make comments fit in 80 columns when formatted as a man page. [fd7af0bb2477]

configure, configure.ac, include/sudo_rand.h, logsrvd/Makefile.in, logsrvd/logsrvd.c:
Command line option processing for logsrvd [0f2248532960]

MANIFEST, examples/sudo_logsrvd.conf, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, pathnames.h.in:
Add config file support for logsrvd [4e643a95c88b]

MANIFEST, include/sudo_util.h, lib/util/Makefile.in, lib/util/mkdir_parents.c, lib/util/util.exp.in, plugins/sudoers/Makefile.in, plugins/sudoers/mkdir_parents.c, plugins/sudoers/sudoers.h:
Move mkdir_parents to libsudo_util. [3f540eb94282]

MANIFEST, Makefile.in, configure, configure.ac, include/sudo_iolog.h, include/sudo_util.h, lib/iolog/Makefile.in, lib/iolog/iolog_fileio.c, lib/iolog/iolog_path.c, lib/iolog/iolog_util.c, lib/iolog/regress/iolog_path/check_iolog_path.c, lib/iolog/regress/iolog_path/data, lib/iolog/regress/iolog_util/check_iolog_util.c, lib/util/sudo_conf.c, logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, logsrvd/sendlog.c, logsrvd/sendlog.h, plugins/sample/sample_plugin.c, plugins/sudoers/Makefile.in, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/iolog.c, plugins/sudoers/iolog.h, plugins/sudoers/iolog_files.h, plugins/sudoers/iolog_path.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/policy.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/regress/iolog_path/data, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, plugins/sudoers/sudoreplay.c, src/sudo.h:
Refactor code in sudoers that creates I/O log files to share with logsrvd. [3aa1fa95650d]

Makefile.in, include/sudo_iolog.h, lib/iolog/iolog_path.c, lib/iolog/regress/iolog_path/check_iolog_path.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/logsrvd_conf.c, plugins/sudoers/iolog_path_escapes.c, plugins/sudoers/sudoers.c:
Enable sudo_logsrvd.conf settings. [8e7b37d1d2a9]

include/sudo_iolog.h, lib/iolog/iolog_fileio.c, lib/iolog/iolog_util.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, plugins/sudoers/iolog.c, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/sudoreplay.c:
Use openat(2) when opening files in the I/O log directory. [1ab2e278e1d9]

logsrvd/Makefile.in, sudo.pp:
Add sudo_ prefix to logsrvd and sendlog. [acbaed157ae5]

logsrvd/iolog_writer.c, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h:
Rename ExecMessage -> AcceptMessage and add RejectMessage [a080c4eb7c4b]

MANIFEST, config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/openat.c, lib/util/unlinkat.c, src/sudo_edit.c:
Move openat() emulation to lib/util and at unlinkat() emulation. [756ace7fdf38]

logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/sendlog.c:
Add debugging for logsrvd and sendlog [4c86dbceb611]

MANIFEST, doc/LICENSE, logsrvd/Makefile.in, logsrvd/protobuf-c/protobuf-c.c, logsrvd/protobuf-c/protobuf-c.h:
Import protobuf-c source since to avoid an external dependency. The files generated with protoc-c are not standalone. We need to include protobuf-c.c and protobuf-c.h from the protobuf-c distribution too. Building protoc-c requires a relative recent version of gcc which limits its portability. [0ea50a59cab7]

logsrvd/Makefile.in, logsrvd/iolog_writer.c, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h:
Add support for restarting I/O log transfers. [748e8f4f7fec]

MANIFEST, Makefile.in, configure, configure.ac, logsrvd/Makefile.in, logsrvd/iolog.h, logsrvd/iolog_reader.c, logsrvd/iolog_writer.c, logsrvd/log_server.pb-c.c, logsrvd/log_server.pb-c.h, logsrvd/log_server.proto, logsrvd/logsrvd.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, sudo.pp:
Import proof of concept sudo log server. [a0687ba66feb]

MANIFEST, logsrvd/Makefile.in, logsrvd/iolog.h, logsrvd/iolog_reader.c, logsrvd/iolog_writer.c, logsrvd/logsrvd.h, logsrvd/sendlog.c, logsrvd/sendlog.h, mkdep.pl, plugins/sudoers/Makefile.in, plugins/sudoers/iolog.h, plugins/sudoers/iolog_util.c, plugins/sudoers/iolog_util.h, plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c, plugins/sudoers/regress/iolog_util/check_iolog_util.c, plugins/sudoers/sudoreplay.c:
Refactor I/O log code so it can be shared between sudoers and logsrvd [b6608769ba8a]

lib/util/strtonum.c:
Avoid invalid read when minval > maxval [7f1a6f992e4f]

2019-10-23 Todd C. Miller

NEWS, plugins/sudoers/policy.c, src/sudo.c:
Don’t pass an invalid session or process group ID to the plugin. Fixes a regression in 1.8.28 when there is no terminal session leader. [d9c626167b3c]

2019-10-22 Robert Manner

plugins/python/pyhelpers.c, plugins/python/pyhelpers.h, plugins/python/pyhelpers_cpychecker.h, plugins/python/python_plugin_common.c, plugins/python/python_plugin_common.h, plugins/python/python_plugin_group.c, plugins/python/python_plugin_io.c, plugins/python/python_plugin_policy.c:
plugins/python: a plugin which can load policy/io plugin written in python [2c7620c8052f]

Makefile.in, configure.ac, plugins/python/Makefile.in:
Makefile.in, configure.ac: add python plugin build [09b305e2cd54]

2019-10-21 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen [70f4543f177c]

src/limits.c:
Not all systems support RLIMIT_NPROC and RLIMIT_RSS [26b8e2afe755]

doc/Makefile.in, examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in, lib/zlib/Makefile.in, plugins/group_file/Makefile.in, plugins/sample/Makefile.in, plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in, src/Makefile.in:
Add depend target to all Makefile.in files. [0a22d80ef716]

NEWS, configure, configure.ac, doc/UPGRADE:
Sudo 1.8.29 [736c9a5c3720]

MANIFEST, lib/util/Makefile.in, src/Makefile.in, src/exec.c, src/limits.c, src/sudo.c, src/sudo.h:
Set resource limits in the sudo process to unlimited. We don’t want sudo to be limited by the caller’s resource limits. The original resource limits are restore before session setup. [6c3bf214caf0]

2019-10-20 Todd C. Miller

plugins/sudoers/starttime.c, src/ttyname.c:
Older FreeBSD needs sys/param.h included before sys/user.h. From Darren Tucker [88c060df0439]

include/sudo_util.h, lib/util/getgrouplist.c, lib/util/gidlist.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/strtoid.c, lib/util/util.exp.in, plugins/group_file/getgrent.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/iolog.c, plugins/sudoers/match.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/regress/iolog_path/check_iolog_path.c, plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c, plugins/sudoers/tsgetgrpw.c, plugins/sudoers/visudo.c, plugins/system_group/system_group.c, src/sudo.c:
Rename sudo_strtoid() to sudo_strtoidx() and add simplified sudo_strtoid() [94a418cdbae6]

2019-10-19 Todd C. Miller

doc/UPGRADE, doc/sudo.conf.man.in, doc/sudo.conf.mdoc.in, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoers_timestamp.man.in, doc/sudoers_timestamp.mdoc.in, doc/visudo.man.in, doc/visudo.mdoc.in, plugins/sudoers/cvtsudoers_json.c, plugins/sudoers/iolog.c, plugins/sudoers/ldap.c, plugins/sudoers/policy.c, plugins/sudoers/pwutil.c, plugins/sudoers/sssd.c, plugins/sudoers/testsudoers.c, src/exec.c:
Refer to user-ID and group-ID instead of “user ID” and “group ID” [36d7bd4ab52d]

2019-10-18 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in:
sudoedit doesn’t create a new PAM session so PAM umask does not apply. [8ae167d0ae7c]

doc/sudo_plugin.man.in, doc/sudo_plugin.mdoc.in, doc/sudoers.man.in, doc/sudoers.mdoc.in, include/sudo_plugin.h, plugins/sudoers/policy.c, plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/exec.c, src/sudo.c, src/sudo.h:
Change how the umask is handled with PAM and login.conf. If the umask is explicitly set in sudoers, use that value regardless of what is in PAM or login.conf. If using the default umask from sudoers, allow PAM or login.conf to override it. Bug #900 [7c0a835ac512]

2019-10-17 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in, plugins/sudoers/audit.c, plugins/sudoers/def_data.c, plugins/sudoers/def_data.h, plugins/sudoers/def_data.in, plugins/sudoers/defaults.c, plugins/sudoers/logging.c:
Add log_allowed and log_denied sudoers flags, defaulting to true. [fb1e188a3d05]

lib/util/Makefile.in, plugins/sudoers/Makefile.in, src/Makefile.in:
Enable security auditing malloc options for “make check”. [333632dd3134]

2019-10-16 Todd C. Miller

doc/sudoers.man.in, doc/sudoers.mdoc.in:
Be more consistent with how we talk about sudoers Defaults settings. Use “flag” not “option” when referring to boolean flags. Use “setting” in place of “Defaults setting” in most places. Use “the foo option” instead of “sudo’s foo option” for command line options. [8058378c4b35]

plugins/sudoers/Makefile.in:
No need to check existing sudoers file when installing to DESTDIR This check can cause problems on systems where /etc/sudoers.d is not readable. [2ec01e9fe408]

lib/util/str2sig.c:
Inclue sudo_util.h to get sudo_strtonum() prototype. [8b0b4ee28d5f]

lib/util/str2sig.c:
strtonum -> sudo_strtonum [4d2363678583]

MANIFEST:
Add split out strtofoo tests. [0cc598502faf]

lib/util/strtonum.c:
Make sure we don’t go past the end of the string when out of range. [2b89961c524a]

lib/util/regress/strtofoo/strtonum_test.c, lib/util/strtonum.c:
Fix stronum() regress test and the errno value for out of range numbers. [3547d022bead]

lib/util/Makefile.in, lib/util/regress/atofoo/atofoo_test.c, lib/util/regress/strtofoo/strtobool_test.c, lib/util/regress/strtofoo/strtoid_test.c, lib/util/regress/strtofoo/strtomode_test.c, lib/util/regress/strtofoo/strtonum_test.c:
Split atofoo.c regress into multiple tests. [75b7547e33bd]

NEWS, configure, configure.ac:
Sudo 1.8.28p1 [09ceaddc94f9]

2019-10-15 Todd C. Miller

plugins/sudoers/parse.c:
The fix for bug #869 broke “sudo -v” when verifypw=all (the default) [aac35bcd8584]

2019-10-14 Todd C. Miller

include/sudo_compat.h, include/sudo_util.h, lib/util/Makefile.in, lib/util/closefrom.c, lib/util/getaddrinfo.c, lib/util/strtonum.c, lib/util/sudo_conf.c, lib/util/ttysize.c, plugins/sudoers/boottime.c, plugins/sudoers/cvtsudoers.c, plugins/sudoers/defaults.c, plugins/sudoers/iolog.c, plugins/sudoers/iolog_util.c, plugins/sudoers/ldap_conf.c, plugins/sudoers/match_addr.c, plugins/sudoers/policy.c, plugins/sudoers/regress/logging/check_wrap.c, plugins/sudoers/regress/parser/check_addr.c, plugins/sudoers/regress/starttime/check_starttime.c, src/parse_args.c, src/sesh.c, src/sudo.c, src/ttyname.c:
Use sudo_strtonum() explicitly instead of via a macro. [f75f786eddd5]

config.h.in, configure, configure.ac, include/sudo_compat.h, lib/util/Makefile.in, lib/util/strtoid.c, lib/util/strtonum.c, lib/util/util.exp.in, mkdep.pl:
Always use our own strtonum and implement sudo_strtoid in terms of it. [94b1114ef79d]

plugins/sudoers/pwutil.c:
Use errno in warning when sudo_make_*_item() fails. Previously we always said “out of memory” if not ENOENT. [68e5a208c242]

plugins/sudoers/Makefile.in, plugins/sudoers/parse_ldif.c, plugins/sudoers/regress/cvtsudoers/test26.err.ok, plugins/sudoers/regress/cvtsudoers/test26.sh:
Reject non-LDIF input when converting from LDIF to sudoers or JSON. [2d08d4aa0e01]

2019-10-10 Todd C. Miller

plugins/sudoers/po/ca.mo, plugins/sudoers/po/da.mo, plugins/sudoers/po/el.mo, plugins/sudoers/po/eu.mo, plugins/sudoers/po/fi.mo, plugins/sudoers/po/fur.mo, plugins/sudoers/po/hr.mo, plugins/sudoers/po/hu.mo, plugins/sudoers/po/ko.mo, plugins/sudoers/po/lt.mo, plugins/sudoers/po/nl.mo, plugins/sudoers/po/ru.mo, plugins/sudoers/po/sk.mo, plugins/sudoers/po/sl.mo, plugins/sudoers/po/sr.mo, plugins/sudoers/po/tr.mo, plugins/sudoers/po/zh_CN.mo, po/ast.mo, po/ca.mo, po/es.mo, po/eu.mo, po/fi.mo, po/fur.mo, po/gl.mo, po/hr.mo, po/hu.mo, po/ko.mo, po/nl.mo, po/nn.mo, po/ru.mo, po/sk.mo, po/sl.mo, po/sr.mo, po/sudo.pot, po/vi.mo, po/zh_CN.mo:
regen [362645d256b7]

NEWS, lib/util/strtoid.c:
Treat an ID of -1 as invalid since that means “no change”. Fixes CVE-2019-14287. Found by Joe Vennix from Apple Information Security. [83db8dba09e7]

lib/util/regress/atofoo/atofoo_test.c, plugins/sudoers/regress/testsudoers/test5.out.ok, plugins/sudoers/regress/testsudoers/test5.sh:
Add sudo_strtoid() tests for -1 and range errors. Also adjust testsudoers/test5 which relied upon gid -1 parsing. [db06a8336c09]

2019-10-06 Todd C. Miller

INSTALL, configure, configure.ac:
Back out compiler override for now. [f03f7fd7ff8b]

configure, configure.ac:
Only prefer clang over gcc on BSD systems. [2309baa23a00]

2019-10-05 Todd C. Miller

Makefile.in:
Fix “make pvs-studio” run in a build dir [a49635de3777]

2019-09-27 Todd C. Miller

plugins/sudoers/po/sudoers.pot, po/sudo.pot:
regen [430d45f3b461]

NEWS:
Bug #898 [3d07895888e8]

src/exec.c, src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.c, src/sudo.h:
Fix restoring the file context of the user’s tty with SELinux. Also fix broken tty labeling when running a command in a pty. Includes a fix for a typo introduced in the last change set. [eb3f547b08f8]

lib/util/arc4random.c:
_rs_random_buf is currently unused [e384fc3625e8]

src/selinux.c:
Add some debugging around context setting and tty labeling Also be more extact with error return values [ed66480282c7]

2019-09-21 Todd C. Miller

lib/util/sudo_debug.c:
Better error message when debug log file cannot be opened. [09e0cdff0c49]

2019-09-20 Todd C. Miller

.hgignore:
Ignore in-tree build directory. [66577c63f097]

configure, configure.ac:
Set CC before AC_USE_SYSTEM_EXTENSIONS to get our preferred compiler.