2010-09-06 Todd C. Miller <>
* match.c:
When matching the runas user and runas group (-u and -g command line
options), keep track of runas group and runas user matches
separately. Only return a positive match if we have a match for
both runas user and runas group (if specified).
2010-09-04 Todd C. Miller <>
* ldap.c, parse.c:
Do not return -1 on error from the display functions; the call
expects a return value >= 0.
* ldap.c:
display_bound_defaults now returns a count so make the stub return
0, not 1.
2010-09-03 Todd C. Miller <>
* get_pty.c:
It looks like AIX doesn't need to push STREAMS modules for ptys.
2010-08-30 Todd C. Miller <>
Install sudoers file from the build dir not the src dir.
2010-08-26 Todd C. Miller <>
* set_perms.c:
If runas_pw changes, reset the stashed runas aux group vector.
Otherwise, if runas_default is set in a per-command Defaults
statement, the command runs with root's aux group vector (i.e. the
one that was used when locating the command).
Add target to generate sudoers file Remove generated sudoers file as
part of distclean
2010-08-23 millert <>
* exec.c:
When not logging I/O install a handler for SIGCONT and deliver it to
the command upon resume. Fixes bugzilla #431
2010-08-21 Todd C. Miller <>
* sudo.c:
Don't need to fork and wait when compiled with --disable-pam-session
2010-08-20 Todd C. Miller <>
* lbuf.c:
Convert a remaining puts() and putchar() to use the output function.
2010-08-18 Todd C. Miller <>
Replace sudoers with in DISTFILES
* env.c:
Set dupcheck to TRUE when setting new HOME value if !env_reset but
always_set_home is true. Prevents a duplicate HOME in the
environment (old value plus the new one) introduced in 9f97e4b43a4b.
* configure,, sudoers,
Substitute sysconfdir in the installed sudoers file to get the
correct path for sudoers.d.
2010-08-17 Todd C. Miller <>
* boottime.c, get_pty.c:
Fix typos that prevented compilation on Irix; Friedrich Haubensak
2010-08-14 Todd C. Miller <>
* auth/pam.c:
If the user hits ^C while a password is being read, error out before
reading any further passwords in the pam conversation function.
Otherwise, if multiple PAM auth methods are required, the user will
have to hit ^C for each one.
2010-08-09 Todd C. Miller <>
* exec.c:
Fix waitpid() loop termination condition.
* exec_pty.c:
Use sudo_waitpid() instead of bare waitpid()
2010-08-07 Todd C. Miller <>
* sudo.pp:
Set pp_kit_version and strip off patchlevel
* sudo.pp:
Better handling of versions with a patchlevel. For rpm and deb, use
the patchlevel+1 as the release. For AIX, use the patchlevel as the
4th version number. For the rest, just leave the patchlevel in the
version string.
2010-08-06 Todd C. Miller <>
* auth/sudo_auth.c:
For non-standalone auth methods, stop reading the password if the
user enters ^C at the prompt.
* check.c:
When removing/resetting the timestamp file ignore the tty ticket
2010-08-04 Todd C. Miller <>
Fix typo
2010-08-03 Todd C. Miller <>
* check.c:
Do not produce a warning for "sudo -k" if the ticket file does not
2010-08-02 Todd C. Miller <>
* aclocal.m4, configure:
Add cross-compile defaults for remaining AC_TRY_RUN usage.
2010-07-31 Todd C. Miller <>
* aclocal.m4,, configure,, snprintf.c:
and AC_CHECK_SIZEOF([long int]) instead of rolling our own.
2010-07-30 Todd C. Miller <>
* .hgtags:
Added tag SUDO_1_7_4 for changeset 2920a3b9d568
* pp:
Debian: Remove dots from decoded release number AIX: looser matching
of file command output for AIX 5.1
[2920a3b9d568] [SUDO_1_7_4]
* .hgtags:
Added tag SUDO_1_7_4 for changeset 0d844aa34c1d
2010-07-29 Todd C. Miller <>
* exec_pty.c:
exec_monitor is static
* pp:
Update to latest version
2010-07-28 Todd C. Miller <>
* sudo.pp:
Let pp determine pp_aix_version itself.
* INSTALL,, configure,, mkpkg, sudo.c:
Add support for Ubuntu admin flag file and enable it when building
Ubuntu packages.
* sudo.pp, sudoers:
Add commented out SuSE-like targetpw settings
* configure,
Only try to use +DAportable for non-GCC on hppa Check the value of
$pic_flag instead of whether the compiler is ANSI C when detecting
the HP-UX bundled C compiler.
* configure,
Prevent configure from adding the -g flag unless in devel mode
2010-07-27 Todd C. Miller <>
* sudo.pp:
Go back to sudo-flavor to match existing packages and only use an
underscore for those that need it.
* sudo.pp:
Use sudo_$flavor instead of sudo-$flavor since that causes the least
amount of trouble for the various package managers.
* mkpkg:
Fix handling of the ldap flavor Remove destdir unless --debug was
specified Make distclean before running configure if there is a
Makefile present
* configure,
Back out version change in 5baf2187a138
* mkpkg:
Pass extra args on to configure on HP-UX, if we don't have the HP C
compiler, disable zlib to prevent gcc from finding it in
* configure,, mkpkg:
Use the HP ANSI C compiler on HP-UX if possible
* sudoreplay.c:
Some getline() implementations (FreeBSD 8.0) do not ignore the
length pointer when the line pointer is NULL as they should.
* sudoreplay.c:
Don't need to check for *cp being non-zero, isdigit() will do that.
* sudoreplay.c:
Add setlocale() so the command line arguments that use floating
point work in different locales. Since sudo now logs the timing
data in the C locale we must parse the seconds in the timing file
manually instead of using strtod(). Furthermore, sudo 1.7.3 logged
the number of seconds with the user's locale so if the decimal point
is not '.' try using the locale-specific version.
* exec.c:
Do I/O logging in the C locale so the floating point numbers in the
timing file are not locale-dependent.
* sudoreplay.c:
Use errorx() not error() for things that don't set errno.
2010-07-26 Todd C. Miller <>
* sudo.pp:
Add Tru64 kit support
* pp:
Better support for 1.2.3 style versions in Tru64 kits
* pp:
Remove apparently unnecessary use of sudo
Create timedir as part of install-dirs target.
* exec_pty.c:
Handle ENXIO from read/write which can occur when reading/writing a
pty that has gone away. Fixes bugzilla 422
* pwutil.c:
sudo_pwdup() was not expanding an empty pw_shell to _PATH_BSHELL
* mkpkg:
platform is a pp flag not a variable
*, mkpkg, sudo.pp:
Add simple arg parsing for mkpkg so we can set debug, flavor or
* pp:
Make rpm backend work on AIX 5.x
2010-07-25 Todd C. Miller <>
* sudoers:
Add commented out Defaults entry for log_output
2010-07-23 Todd C. Miller <>
Install binary files with -b~ to make a backup. Fixes "text file
busy" error on HP-UX during install.
* install-sh:
"mv -f" on HP-UX doesn't unlink the destination first so add an
explicit rm before moving the temporary into place.
* configure,
Some more ${foo} -> $(foo) conversion for consistent Makefiles.
2010-07-22 Todd C. Miller <>
Add missing include of maillock.h for Solaris
Change the default syslog facility from local2 to authpriv (or auth
if the operating system doesn't support authpriv).
*, configure,, sudo.pp:
Install sudoers as /etc/sudoers on RPM and debian systems where the
package manager will not replace a user-modified configuration file.
This fixes upgrades from the vendor sudo packages.
* pp:
RPM: use %config(noreplace) instead of %config for volatile This
results in the new file being installed with a .rpmnew suffix
instead of the file being replaced and the old one renamed with a
.rpmsave suffix.
2010-07-21 Todd C. Miller <>
* boottime.c, mkstemps.c:
Include time.h for struct timeval.
* exec_pty.c:
The return value of strsignal() may be const and should be treated
as const regardless.
*,, sudoers.pod:
Mention that will not match, nor will localhost unless
that is the actual host name.
fix typo
* pp:
Updated pp with latest patches
* WHATSNEW, exec.c, exec_pty.c, set_perms.c, sudo.c, sudo.h:
If pam is in use, wait until the process has finished before calling
regen sudoers manual
* UPGRADE, sudoers, sudoers.pod:
Add commented out line to add HOME to env_keep and add a warning to
the note about the HOME change in UPGRADE.
2010-07-20 Todd C. Miller <>
* sudoreplay.c:
Add LINE_MAX define for those without it.
Mention that tty_tickets is now the default.
* INSTALL, UPGRADE,, configure,, defaults.c,,, sudoers.pod:
The tty_tickets option is now on by default.
Mention that AIX authdb support has been fixed.
* aix.c:
setauthdb() only sets the "old" registry if it was set by a previous
call to setauthdb(). To restore the original value, passing NULL
(or an empty string) to setauthdb() is sufficient.
2010-07-19 Todd C. Miller <>
*,, sudoers.pod:
Mention new handling of HOME in always_set_home and set_home
*,, sudo.pod:
fix typo
* UPGRADE, WHATSNEW, env.c,,, sudo.pod:
Reset HOME when env_reset is enabled unless it is in env_keep
*,, sudoers.pod:
The default for set_logname has been "true" for some time now.
*,, sudoers.pod:
Document that MAIL is set in env_reset mode.
* boottime.c:
Add missing include of time.h
* defaults.c, sudo.c:
Check return value of setdefs() but don't stop setting defaults if
we hit an unknown one.
* logging.c:
Fix check for dup2() return value.
* visudo.c:
Treat an unknown defaults entry as a parse error.
* env.c:
Check KEPT_MAIL not DID_MAIL when determining whether to set MAIL in
-i and env_reset mode.
* env.c:
Add PYTHONUSERBASE to initial_badenv_table
* WHATSNEW, aclocal.m4,, configure,, env.c,,,, sudo.pod:
If env_reset is enabled, set the MAIL environment variable based on
the target user unless MAIL is explicitly preserved in sudoers.
2010-07-17 Todd C. Miller <>
* pp:
decode debian code names
fix typo
2010-07-16 Todd C. Miller <>
Add entry about SuSE bash script fix.
* sudo.c:
Restore RLIMIT_NPROC after the uid switch if it appears that
runas_setup() did not do it for us. Fixes a bash script problem on
2010-07-15 Todd C. Miller <>
* mkpkg, pp, sudo.pp:
Restore the dot removal in the os version reported by polypkg. Adapt
mkpkg and sudo.pp to the change.
2010-07-16 Todd C. Miller <>
Mention polypkg
Update for sudo 1.7.4
document --with-pam-login
*,, sudoers.pod:
The tag is NOSETENV, not UNSETENV. From Petr Uzel.
2010-07-15 Todd C. Miller <>
* sudo.pp:
Include flavor in solaris package name
* mkpkg:
Older shells don't support IFS= so set explicitly to space, tab,
* mkpkg:
Use '=' not '==' in test
* mkpkg:
Fix typo that prevented debian from matching
* mkpkg:
Add missing prefix setting for debian
* sudo.pp:
Use tab indents to reduce the chance of problem with <<- Uncomment
some env_keep lines for RHEL, SLES and Debian to more closely match
the vendor sudoers files.
* sudo.pp:
Fix indentation Fix the debian %set section, pp does not set
pp_deb_distro Uncomment %sudo line in sudoers for debian Add pam.d
to %files for debian Remove the /etc/sudo-ldap.conf symlink on
debian for ldap flavor
* sudoers:
Add commented out env_keep entries, sample Aliases and a %sudo line
for debian.
* configure,
Remove check for egrep; configure has its own
Use enable_zlib instead of enableval for consistency
2010-07-14 Todd C. Miller <>
* mkpkg:
Enable zlib for linux distros
* mkpkg:
Add ldap flavor to default build
* mkpkg, sudo.pp:
Simplify rpm linux distro settings
* UPGRADE, aclocal.m4, configure,,,,
Move time stamp files from /var/run/sudo to /var/{db,lib,adm}/sudo.
*, mkpkg, sudo.pp:
Add ldap "flavor" for debian, controlled by the SUDO_FLAVOR
environment variable.
* sudo.pp:
Create sudo group on debian
* mkpkg, sudo.pp:
Add debian 4/5/6 and use the dot when doing version matches
*,, sudoers.pod:
Remove spurious "and"; from debian
* aclocal.m4, configure:
Use a loop when searching for mv, sendmail and sh
* aclocal.m4, configure,,,,
sudoers.pod,,, visudo.pod:
Substitute the value of EDITOR into the sudoers and visudo manuals.
2010-07-13 Todd C. Miller <>
* mkpkg, pp, sudo.pp:
Initial debian 4.0 support
* mkpkg:
Some platforms need -fPIE instead of -fpie
Add packaging bits to DISTFILES
* auth/pam.c:
Only set PAM_RHOST for Solaris, where it is needed to avoid a bug.
On Linux it causes a DNS lookup via libaudit.
* sudo.psf:
We now use pp to generate HP-UX packages
2010-07-12 Todd C. Miller <>
* auth/pam.c:
Fix indentation
isntall-man -> install-doc
* configure,,,,,,,,,,,
Bump version to 1.7.4
* INSTALL.binary,,
Remove remaining bits of the old binary package
* sudo.pp:
Use for packaging
*, mkpkg, pp:
Use for packaging
* install-sh:
Just ignore the -c option, it is the default Add support for -d
* env.c, logging.c,
Do not strip binaries.
* INSTALL, configure,
Add --insults=disabled configure option to allow people to build in
insult support but have the insults disabled unless explicitly
enabled in sudoers.
2010-07-10 Todd C. Miller <>
* env.c, sudoreplay.c:
Fix K&R compilation
2010-07-09 Todd C. Miller <>
* auth/pam.c,, configure,, env.c, sudo.c,
Add support for a sudo-i pam.d file to be used for "sudo -i".
Adapted from a RedHat patch.
Fix installation of
*,, configure,, missing.h,
mkstemp.c, mkstemps.c, sudo_edit.c:
Use mkstemps() instead of mkstemp() in sudoedit. This allows
sudoedit to preserve the file extension (if any) which may be used
by the editor (like emacs) to choose the editing mode.
2010-07-08 Todd C. Miller <>
* ldap.c,,, sudoers.ldap.pod:
TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses
TLS_CACERT, not TLS_CACERTFILE in its ldap.conf. Other LDAP client
code, such as nss_ldap, uses TLS_CACERTFILE. Also document why you
should avoid disabling TLS_CHECKPEER if possible.
2010-07-07 Todd C. Miller <>
* toke.c, toke.l:
Add support for negated user/host/command lists in a Defaults entry.
E.g. Defaults:!baduser noexec
2010-07-01 Todd C. Miller <>
* sudoers.ldap.pod:
fix typo.
2010-06-29 Todd C. Miller <>
* .hgtags:
Added tag SUDO_1_7_3 for changeset 72fd1f510a08
* configure,,,,,,,,,,,
Sudo 1.7.3 GA
[72fd1f510a08] [SUDO_1_7_3]
* alias.c, alloc.c, auth/afs.c, auth/aix_auth.c, auth/bsdauth.c,
auth/dce.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c,
auth/passwd.c, auth/rfc1938.c, auth/secureware.c, auth/securid.c,
auth/securid5.c, auth/sia.c, auth/sudo_auth.c, boottime.c, check.c,
defaults.c, env.c, exec.c, exec_pty.c, fileops.c, find_path.c,
fnmatch.c, get_pty.c, getcwd.c, getdate.c, getdate.y, getline.c,
getspwuid.c, glob.c, goodpath.c, gram.c, gram.y, interfaces.c,
iolog.c, lbuf.c, ldap.c, logging.c, match.c, parse.c, parse_args.c,
pwutil.c, set_perms.c, snprintf.c, sudo.c, sudo_edit.c, sudo_nss.c,
sudoreplay.c, term.c, testsudoers.c, tgetpass.c, toke.c, toke.l,
tsgetgrpw.c, visudo.c:
Include strings.h even if string.h exists since they may define
different things. Fixes warnings on AIX and others.
* env.c:
Do not rely on env.env_len when unsetting a variable, just use the
NULL terminator.
* env.c:
In unsetenv() check for NULL or empty name as per POSIX 1003.1-2008
2010-06-28 Todd C. Miller <>
*,, sudoers.ldap.pod:
Mention that multiple URI lines are merged into a single one.
Document AIX fixes
2010-06-26 Todd C. Miller <>
* env.c, sudo.c, sudo.h:
For env_init() just use environ not the envp from main().
2010-06-25 Todd C. Miller <>
* configure,,,,,,,,,,,
Update version to 1.7.3rc1
fqdn issue is resolved
* env.c:
In unsetenv(), assign ep in the for loop instead of doing it
earlier. This version of the code does not change env.envp in
between when ep is assigned and when it is used but older versions
(e.g. 1.7.2) do.
* aix.c:
Use S_REGISTRY instead of S_AUTHSYSTEM as the argument to
getuserattr() when fetching the administrative domain to be used by
setauthdb(). This was suggested by AIX support and is consistent
with what OpenSSH does.
* vasgroups.c:
Use warningx() instead of log_error() since the latter is not
available to visudo or testsudoers. This does mean that they don't
end up in syslog.
* sudo.c:
Defer call to sudo_nonunix_groupcheck_cleanup() until after we have
closed the sudoers sources. From Quest sudo.
* pwutil.c:
Ignore case when matching user/group names in the cache. From Quest
2010-06-24 Todd C. Miller <>
*, configure,, selinux.c:
Add check for setkeycreatecon() when --with-selinux is specified.
* configure,
Bump version to 1.7.3b5 Error out if libaudit.h is missing or
unusable when --with-linux-audit was specified
* aix.c:
K&R function declaration for aix_setauthdb()
* env.c, sudo.c, sudo.h:
If env_init() was called implicitly via getenv(), setenv() or
putenv() just use the specified envp instead of mallocing a new
copy. This prevents an infinite loop on OpenBSD which calls
getenv() from malloc() to get MALLOC_OPTIONS.
* ldap.c:
Add support for multiple URI lines by joining the contents and
passing the result to ldap_initialize.
2010-06-23 Todd C. Miller <>
* pwutil.c, set_perms.c, sudo_nss.c:
Bracket initgroups with calls to aix_setauthdb() and
* aix.c:
Include compat.h before alloc.h to get __P
* auth/aix_auth.c:
Include usersec.h for authenticate() prototype
* aix.c:
Add missing includes Add missing trailing NUL in userinfo string
2010-06-22 Todd C. Miller <>
* HISTORY, history.pod:
Mention when LDAP was incorporated.
2010-06-21 Todd C. Miller <>
* configure:
Define _LINUX_SOURCE_COMPAT on AIX for strsignal() prototype, it is
not covered by _ALL_SOURCE.
* pwutil.c:
Include usersec.h on AIX to get IDtouser() prototype.
Define _LINUX_SOURCE_COMPAT on AIX for strsignal() prototype, it is
not covered by _ALL_SOURCE.
2010-06-18 Todd C. Miller <>
* iolog.c:
Add a cast to quiet a compiler warning.
* boottime.c:
Use memset() instead of zero_bytes() since we don't include sudo.h
getline.o is already in LIB_OBJS, do not need it in COMMON_OBJS
* getdate.c, getdate.y:
Quiet a compiler warning.
* defaults.c, sudo.c:
Call set_fqdn() after sudoers has parsed instead of inline as a
Do not call set_fqdn() until sudoers parses (where it gets run as a
* sudo.c:
Do not call set_fqdn() until sudoers parses (where it gets run as a
callback). Otherwise, if sudo is built --with-fqdn the fqdn will be
set even if !fqdn is set in sudoers.
* configure,,,,,,,,,,,
Bump version to 1.7.3b4
mention the change in tty ticket behavior when there is no tty
remove done items
* aix.c:
Remove comment; NAME in usrinfo should be user name.
* check.c:
Do not update tty ticket if there is no tty.
*,, sudo.pod:
No longer need to use -- with the -s flag
Add missing $(srcdir) to target
Do not rely on BSD make's $>
* configure,
Set timedir to /var/db/sudo for darwin to match Apple sudo's
2010-06-16 Todd C. Miller <>
*, configure,
Move aix.o from SUDO_OBJS to COMMON_OBJS
*, configure,, defaults.c, iolog.c,
Check for zlib.h in addition to libz.
*, exec.c, exec_pty.c, sudo.h, sudo_exec.h:
Move functions and symbols shared between exec.c and exec_pty.c into
* sudo.h:
Add missing prototypes for aix_setauthdb and aix_restoreauthdb
Comment out rules to build and .cat files unless --with-
* aix.c, pwutil.c, set_perms.c, sudo.h:
Fix AIX compilation problems.
* sudo.c:
Cast isalnum() arg to unsigned char.
Add Linux audit support.
* sudo.c:
Quote any non-alphanumeric characters other than '_' or '-' when
passing a command to be run via the shell for the -s and -i options.
* sudo.c:
Add missing braces that broke -i mode.
* linux_audit.c:
Fix linux_audit_command() return value
2010-06-15 Todd C. Miller <>
*, linux_audit.c, linux_audit.h:
Add Linux audit support.
2010-06-16 Todd C. Miller <>
* INSTALL, audit.c, bsm_audit.c,, configure,,
logging.h, selinux.c:
Add Linux audit support.
2010-06-15 Todd C. Miller <>
* sudoreplay.c,,, sudoreplay.pod:
Sync sudoreplay with trunk
* exec_pty.c:
Remove an XXX
* aix.c, configure,, pwutil.c, set_perms.c, sudo.h:
Set usrinfo for AIX Set administrative domain for the process when
looking up user's password info and when preparing for execve().
* ldap.c, parse.c:
Better prefix determination now that we can't rely on len==0 to tell
the beginning of an entry.
* WHATSNEW, ldap.c,,,
Add support for multiple sudoers_base entries in ldap.conf. From
Joachim Henke
* configure,
Remove duplicate setsid check
*,, configure,, exec_pty.c,
logging.c, missing.h, setsid.c:
Move setsid emulation into setsid.c
* exec_pty.c, logging.c, selinux.c, sudo.c, tgetpass.c:
Check for dup2() failure.
*, configure,
Remove dup2 check, it is not optional.
2010-06-14 Todd C. Miller <>
Add mbr_check_membership support and SELinux fixes
Sync SRCS and DISTFILES with reality
Update OS specific notes. Delete some really ancient ones and move
older ones to the end of the list.
Bump for sudo 1.7.3 Merge some changes from trunk
* selinux.c, sudo.c:
Call selinux_restore_tty() as part of cleanup() so it gets called
from error()/errorx()
* compat.h:
No longer use SA_NOCLDSTOP
* interfaces.h, match.c:
Move union sudo_in_addr_un into interfaces.h
Update copyright year
* HISTORY, LICENSE, aix.c, alias.c, alloc.h, boottime.c, bsm_audit.h,
compat.h, defaults.c, defaults.h, env.c, fileops.c, find_path.c,
gettime.c, gram.y, history.pod, lbuf.h, license.pod, logging.c,
match.c, missing.h, nanosleep.c, parse.h, set_perms.c,,, sudoers.ldap.pod,
sudoreplay.c, term.c, tgetpass.c, toke.l, visudo.c,,, visudo.pod:
Update copyright year
Remove varsub as part of clean
* match.c:
Quiet a compiler warning.
* getdate.c, getdate.y:
Quiet a compiler warning.
* ldap.c, sudo.h:
Make the remaining functions in ldap.c static
* ldap.c:
Make private functions static. Diff from Joachim Henke
* schema.ActiveDirectory:
Updates from Alain Roy to provide better examples for importing the
schema and to fix problems caused by Windows validating attributes
which have not yet been added before committing the changes.
2010-06-12 Todd C. Miller <>
*, configure,,,
Generate .cat files directly from instead of .man using
default values in
2010-06-11 Todd C. Miller <>
* configure,, sudo.c,
Print configure args with verbose version information.
* visudo.c:
Remove tfd from struct sudoersfile; it is not used. Add prev pointer
to struct sudoersfile. Declare list of sudoersfile using TQ_DECLARE.
Use tq_append to append sudoers entries to the tail queue.
2010-06-10 Todd C. Miller <>
Describe tty timestamp improvements
* toke.c, toke.l:
A comment character may not be part of a command line argument
unless it is quoted with a backslash. Fixes parsing of:
testuser ALL=NOPASSWD: /usr/bin/wl #comment foo bar closes bz #441
* sudoers.pod:
Make this read a little bit better when passwd_timeout is 0.
Use the --file argument to config.status instead of setting
*, sudo.pod:
Attempt to handle a default password prompt timeout of zero more
* toke.c, toke.l:
Do not override value of keepopen global, instead restore it to the
value we pushed onto the stack when popping.
* exec.c, exec_pty.c, logging.c, mon_systrace.c, tgetpass.c:
Use SA_INTERRUPT in sa_flags
* getdate.c, getdate.y, ldap.c, sudoreplay.c:
Silence some compiler warnings
2010-06-09 Todd C. Miller <>
* exec.c, exec_pty.c, sudo.c, sudo.h:
Implement background mode. If I/O logging we use pipes instead of a
* compat.h, exec.c, exec_pty.c, mksiglist.c, strsignal.c, tgetpass.c:
Move compat definition of NSIG to compat.h
* tgetpass.c:
Ignore SIGPIPE for "sudo -S"
* tgetpass.c:
Properly handle TGP_ECHO again. Print a newline if the user
interrupted password input.
* exec_pty.c:
Use POSIX tcgetpgrp() instead of BSD TIOCGPGRP ioctl
2010-06-08 Todd C. Miller <>
* exec.c, exec_pty.c, selinux.c, sudo.c, sudo.h:
Return an error from selinux_setup() instead of exiting. Call
selinux_setup() from exec_setup().
* compat.h:
Add definition of WCOREDUMP for systems without it. This is known
to work on AIX and SunOS 4, but may be incorrect on other systems
that lack WCOREDUMP.
* check.c, compat.h,, configure,, iolog.c,
nanosleep.c, sudo_edit.c, visudo.c:
Replace timerfoo macros with timevalfoo since the timer macros are
known to be busted on some systems.
* toke.c, toke.l:
If a file in a #includedir has improper permissions or owner just
skip it. This prevents packages that incorrectly install a file
into /etc/sudoers.d from breaking sudo so easily. Syntax errors in
#includedir files still result in a parse error (for now).
* TODO, auth/pam.c, exec.c, exec_pty.c, set_perms.c, sudo.c, sudo.h:
Defer call to pam_close_session() until after the command finishes
if there is a monitor process.
* WHATSNEW, def_data.c, def_data.h,, exec.c,,, sudoers.pod:
Add use_pty sudoers option to force use of a pty even when not
logging I/O.
* env.c, sudo.c, sudo.h:
Instead of trying to keep the global environment in sync with our
private copy, provide our own getenv() that returns values from the
private environment and use env_get() to pass the environment in to
* set_perms.c:
Fix typo
2010-06-07 Todd C. Miller <>
* sudo.h:
Rename pty.c -> get_pty.c
* iolog.c:
Add #define for maximum session id
*, configure,, exec.c, exec_pty.c, iolog.c,
selinux.c, sudo.c, sudo.h, sudo_edit.c:
Split exec.c into exec.c and exec_pty.c Pass a flag in to
sudo_execve to indicate whether we need to wait for the command
to finish (fork + execve vs. execve).
*, configure,, get_pty.c, pty.c:
Rename pty.c -> get_pty.c
* aclocal.m4, configure,
Fix --without-iologdir
2010-06-06 Todd C. Miller <>
* iolog.c:
Only use I/O input log file if def_log_input is set and output file
if def_log_output is set.
2010-06-05 Todd C. Miller <>
* parse_args.c, sudo.c:
Include sudo_usage.h after sudo.h now that it has function
prototypes to guarantee that __P is defined.
2010-06-04 Todd C. Miller <>
* tgetpass.c:
Do signal setup after turning off echo, not before. If we are using
a tty but are not the foreground pgrp this will generate SIGTTOU so
we want the default action to be taken (suspend process). Use an
array for signals received instead of a single variable so we don't
lose any when there are multiple different signals.
* defaults.h, lbuf.h, sudo.h:
Reorg function prototypes a bit
*, parse_args.c, sudo.c, sudo.h,
Move argument parsing into parse_args.c
*,, configure,, missing.h,
mksiglist.c, mksiglist.h,, strsignal.c:
Build our own sys_siglist for systems that lack it.
* exec.c, iolog.c, missing.h, sudo_edit.c:
K&R fixes
* exec.c, pty.c, sudo.c, sudo.h, sudo_edit.c:
Log sudoedit sessions as well; adapted from trunk
* configure:
* INSTALL,, WHATSNEW, aclocal.m4, configure,,
def_data.c, def_data.h,, defaults.c, exec.c, gram.c,
gram.h, gram.y, iolog.c, parse.c, parse.h,, pty.c,
script.c, selinux.c, sudo.c, sudo.h,,,
sudoers.pod, sudoreplay.c,,,
sudoreplay.pod, term.c:
Merge I/O logging changes from trunk. Disabling I/O log support at
compile time does not currently work. Sudoedit is not yet hooked up
to I/O logging.
2010-06-03 Todd C. Miller <>
* INSTALL, configure,
Add --enable-warnings configure option
* check.c, lbuf.h, script.c, sudo.c, sudo_nss.c:
Fix K&R compilation issues on HP-UX.
* lbuf.c, lbuf.h, ldap.c, parse.c, sudo.c, sudo_nss.c:
Pass in output function to lbuf_init() instead of writing to stdout.
A side effect is that the usage info can now go to stderr as it
should. Add support for embedded newlines in lbuf and use that
instead of multiple calls to lbuf_print.
* configure,,,
Use numeric registers to handle conditionals instead of trying to do
it all with text processing.
* sudoers.pod:
Document per-command SELinux settings
* sudo.pod:
timestamp -> time stamp
* tsgetgrpw.c:
Set close on exec flag in private versions of setpwent() and
* logging.c:
Make send_mail() take a printf-style argument list
*,, aclocal.m4, acsite.m4,
config.guess,, config.sub, configure,,, m4/libtool.m4, m4/ltoptions.m4, m4/ltsugar.m4,
m4/ltversion.m4, m4/lt~obsolete.m4:
Update to autoconf 2.65 and libtool 2.2.6b
* boottime.c:
Don't use TRUE/FALSE which may not be defined.
*,, sudo.pod:
Document new tty_ticket behavior
* find_path.c, sudo.c, sudo.h, visudo.c:
Make find_path() a little more generic by not checking def_foo
variables inside it. Instead, pass in ignore_dot as a function
* check.c:
Store info from stat(2)ing the tty in the tty ticket when tty
tickets are in use. If the tty lives on a devpts (Linux) or devices
(Solaris) filesystem, stash the ctime in the tty ticket file, as it
is not updated when the tty is written to. This helps us determine
when a tty has been reused without the user authenticating again
with sudo.
* boottime.c, check.c, sudo.h:
get_boottime() now fills in a timeval struct
2010-06-02 Todd C. Miller <>
* check.c, compat.h,, configure,, fileops.c,
gettime.c, sudo.h, sudo_edit.c, visudo.c:
Use timeval directly instead of converting to timespec when dealing
with file times and time of day.
* auth/pam.c:
Fix OpenPAM detection for newer versions.
* vasgroups.c:
Sync with Quest sudo git repo
* aclocal.m4, configure,
HP-UX ld uses +b instead of -R or -rpath Fix typo in libvas check
libvas may need libdl for dlopen() Add missing template for
ENV_DEBUG Adapted from Quest sudo
Fix typos; from Quest Sudo
Use value of SHELL from configure in Makefile
2010-05-28 Todd C. Miller <>
* env.c:
Handle duplicate variables in the environment. For unsetenv(), keep
looking even after removing the first instance. For sudo_putenv(),
check for and remove dupes after we replace an existing value.
2010-04-29 Todd C. Miller <>
* visudo.c:
Fix a crash when checking a sudoers file that has aliases that
reference themselves. Based on a diff from David Wood.
2010-04-15 Todd C. Miller <>
* alias.c:
Fix use after free in error message when a duplicate alias exists.
2010-04-14 Todd C. Miller <>
* visudo.c:
Set errorfile to the sudoers path if we set parse_error manually.
This prevents a NULL dereference in printf() when checking a sudoers
file in strict mode when alias errors are present.
2010-04-12 Todd C. Miller <>
* TODO,,, sudoers.pod:
Fix typo
2010-04-09 Todd C. Miller <>
* find_path.c:
Qualify the command even if it is in the current working directory,
e.g. "./foo" instead of just returning "foo". This removes an
ambiguity between real commands and possible pseudo-commands in
command matching.
2010-04-07 Todd C. Miller <>
*,, sudoers.pod:
Add a note about the security implications of the fast_glob option.
* memrchr.c:
Remove duplicate includes
2010-03-22 Todd C. Miller <>
* configure,
Fix installation of sudoers.ldap in "make install" when --with-ldap
was specified without a directory. From Prof. Dr. Andreas Mueller
2010-03-09 Todd C. Miller <>
* match.c:
When doing a glob match, short circuit if gl.gl_pathc is 0. From
Mark Kettenis.
2010-03-08 Todd C. Miller <>
* script.c:
Use parent process group id instead of parent process id when
checking foreground status and suspending parent. Fixes an issue
when running commands under /usr/bin/time and others.
* env.c:
In setenv(), if the var is empty, return 1 and set errno to EINVAL
instead of returning EINVAL directly.
2010-02-22 Todd C. Miller <>
* match.c:
Check for pseudo-command by looking at the first character of the
command in sudoers instead of checking the user-supplied command for
a slash.
2010-02-09 Todd C. Miller <>
* toke.l:
Avoid a duplicate fclose() of the sudoers file.
* toke.l:
Fix size arg when realloc()ing include stack. From Daniel Kopecek
2010-02-06 Todd C. Miller <>
* aix.c,, configure,
Use setrlimit64(), if available, instead of setrlimit() when setting
AIX resource limits since rlim_t is 32bits.
* logging.c:
Fix use after free when sending error messages. From Timo Juhani
2010-01-18 Todd C. Miller <>
* ChangeLog,
Generate the ChangeLog as part of "make dist" instead of having it
in the repo.
2010-01-17 Todd C. Miller <>
Generate correct ChangeLog for 1.7 branch.
2010-01-17 Todd C. Miller <>
*,, aix.c, alias.c, alloc.c, alloc.h,
auth/afs.c, auth/aix_auth.c, auth/bsdauth.c, auth/dce.c,
auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c, auth/passwd.c,
auth/rfc1938.c, auth/secureware.c, auth/securid.c, auth/securid5.c,
auth/sia.c, auth/sudo_auth.c, auth/sudo_auth.h, check.c,
closefrom.c, compat.h,, defaults.c, defaults.h,
emul/charclass.h, emul/timespec.h, env.c, error.c, error.h,
fileops.c, find_path.c, getcwd.c, getprogname.c, getspwuid.c,
gettime.c, goodpath.c, gram.c, gram.y, ins_2001.h, ins_classic.h,
ins_csops.h, ins_goons.h, insults.h, interfaces.c, interfaces.h,
isblank.c, lbuf.c, lbuf.h, ldap.c, list.c, list.h, logging.c,
logging.h, match.c, memrchr.c, missing.h, mkinstalldirs, mkstemp.c,
mon_systrace.c, nanosleep.c, parse.c, parse.h,,
pty.c, pwutil.c, redblack.c, redblack.h, sample.pam, sample.sudoers,
sample.syslog.conf, script.c, selinux.c, sesh.c, set_perms.c,
sigaction.c, snprintf.c, strcasecmp.c, strerror.c, strlcat.c,
strlcpy.c, strsignal.c, sudo.c, sudo.h,, sudo.pod,
sudo_edit.c, sudo_noexec.c, sudo_nss.c, sudo_nss.h,,, sudoers.ldap.pod,, sudoers.pod,
sudoers2ldif, sudoreplay.c,, sudoreplay.pod,
term.c, testsudoers.c, tgetpass.c, timestr.c, toke.c, toke.l,
utimes.c, visudo.c,, visudo.pod, zero_bytes.c:
Remove CVS $Sudo$ tags.
2009-12-26 Todd C. Miller <>
make this match sudoers SYNOPSIS
* lbuf.c, parse.c:
Print a newline between Runas and Command-specific defaults in sudo
* term.c:
Use SET and CLR macros in term_raw
* sudoreplay.c:
Set stdin to non-blocking mode early instead of in check_input. Use
term_raw instead of term_cbreak since the data we get has already
been expanded via OPOST.
2009-12-23 Todd C. Miller <>
* script.c, term.c:
Enable/disable all postprocessing instead of just nl->crnl
processing since things like tab expansion matter too. However, if
stdout is a tty leave postprocessing on in the pty since we run into
problems doing it only on the real stdout with e.g. nvi.
2009-12-19 Todd C. Miller <>
* check.c:
If tty_tickets is enabled and there is no tty, prompt for a
password. Do not lecture user for "sudo -k command" if user has a
Document missing options: --with-efence and --with-bsm-audit
*,, sudo.pod,,,, sudoers.ldap.pod,, sudoers.pod,,, sudoreplay.pod,,, visudo.pod:
username -> user name, groupname -> group name, hostname -> host name
* INSTALL, README.LDAP, sudoers.pod:
filename -> file name like the rest of the docs
2009-12-17 Todd C. Miller <>
* parse.c:
Fix printing of entries with multiple host entries on a single line.
2009-12-14 Todd C. Miller <>
* sudoers.pod:
Mention that targetpw affects the timestamp file name.
* def_data.c, def_data.h,, defaults.c, script.c,
Add compress_transcript option.
2009-12-13 Todd C. Miller <>
* configure,
bump to 1.7.3b2
* pwutil.c, set_perms.c, sudo.c, sudo_nss.c:
Better split of membership vs. traditional group check in
user_in_group(). Allow user_ngroups to be < 0 if getgroups() fails.
2009-12-12 Todd C. Miller <>
* pwutil.c:
Fix pasto and add default return value.
* check.c, match.c, pwutil.c, sudo.h:
refactor group member checking into user_in_group()
* check.c,, configure,, match.c, sudo.c,
Add support for mbr_check_membership() as present in darwin.
2009-12-10 Todd C. Miller <>
* match.c:
Rename label to be accurate
*, boottime.c, check.c,, configure,, sudo.h:
Treat timestamp files from before we booted as old. Idea from an
Apple patch.
2009-12-09 Todd C. Miller <>
* sudo.c, sudo.pod,
Allow the -u flag to be used in conjunction with the -v flag as per
older versions of sudo.
* logging.c:
fix typo in last commit
2009-12-08 Todd C. Miller <>
* logging.c:
Convert fmt_first and fmt_confd into macros.
* sudoers.pod:
timeouts can be floats now
* WHATSNEW, def_data.c, def_data.h,, defaults.c,
defaults.h, mkdefaults:
Add support for floating point timeout values (e.g. 2.5 minutes).
2009-12-07 Todd C. Miller <>
* sudo.pod:
The -L flag will be removed in sudo 1.7.4
2009-12-06 Todd C. Miller <>
* sudoreplay.c:
Fix a bug due to order of operators.
2009-11-23 Todd C. Miller <>
* match.c:
cmnd_matches() already deals with negation so _cmndlist_matches()
does not need to do so itself. Fixes a bug with negated entries in
a Cmnd_List.
2009-11-22 Todd C. Miller <>
* sudo.c:
Don't exit() from open_sudoers, just return NULL for all errors.
* script.c:
Can't rely on the shell sending us SIGCONT when transitioning from
background to foreground process.
* toke.c, toke.l:
Add missing extern def for parse_error
2009-11-21 Todd C. Miller <>
* toke.c, toke.l:
Avoid a parse error when #includedir doesn't find any files. Closes
bug #375
Include and in the distribution tarball.
2009-11-15 Todd C. Miller <>
* script.c:
Start command out in foreground mode if stdout is a tty. Works
around issues with some curses-based programs that don't handle
tcsetattr getting interrupted by a signal. Still allows us to avoid
hogging the tty if the command is part of a pipeline.
* script.c, sudo.c, sudo.h, sudoreplay.c, term.c, tgetpass.c:
Use a socketpair to pass signals from parent to child. Child will
now pass command status change info back via the socketpair. This
allows the parent to distinguish between signals it has been sent
directly and signals the command has received. It also means the
parent can once again print the signal notifications to the tty so
all writes to the pty master occur in the parent. The command is
now always started in background mode with tty signals handled by
the parent.
2009-11-04 Todd C. Miller <>
* configure,
Fix a few typos in the descriptions; from Jeff Makey. Only do the
check for krb5_get_init_creds_opt_free() taking two arguments if we
find krb5_get_init_creds_opt_alloc(). Otherwise we will get a false
positive when using our own krb5_get_init_creds_opt_free which takes
only a single argument.
2009-11-03 Todd C. Miller <>
* configure,
Remove a spurious comma in the kerb5 bits.
* auth/kerb5.c:
Call krb5_get_init_creds_opt_init() in our emulated
krb5_get_init_creds_opt_alloc() for MIT kerberos.
2009-11-01 Todd C. Miller <>
* script.c:
Need to ignore SIGTT{IN,OU} in child when running the command in the
background. Also some minor cleanup.
2009-10-31 Todd C. Miller <>
* script.c:
Instead of calling sigsuspend when waiting for SIGUSR[12] from
parent, install the signal handlers w/o SA_RESTART and let them
interrupt waitpid().
* script.c:
Pass along SIGHUP and SIGTERM from parent to child.
* script.c:
Close unused bits of script_fds in processes that don't need them.
Restore default SIGCONT handler in child.
* script.c:
Update foreground/background status in SIGCONT handler in parent
2009-10-25 Todd C. Miller <>
* script.c:
Defer setting terminal into raw mode until just before we fork() and
only do it if sudo is the foreground process. If we get SIGTT{IN,OU}
and sudo is already in the foreground be sure to set raw mode before
continuing the child.
2009-10-24 Todd C. Miller <>
* script.c:
Fix handling of SIGTTOU/SIGTTIN in program being run. We now only
give the command the controlling tty if the main sudo process is the
foreground process.
* script.c:
Don't bother with sudo_waitpid() here for now.
* script.c:
fix non-zlib case
2009-10-23 Todd C. Miller <>
* script.c:
Remove non-working code that crept into rev 1.55
2009-10-22 Todd C. Miller <>
* INSTALL, configure,, script.c, sudoreplay.c:
First pass at zlib support for transcript data files
remove vestiges of ZLDFLAGS
* script.c:
Add missing variable declaration for when TIOCSCTTY is not defined.
Need to include sys/termio.h for TIOCSCTTY on some systems.
* script.c:
when resuming command, send SIGCONT to its pgrp not just pid
* selinux.c:
remove unused variable
* script.c:
include selinux.h for is_selinux_enabled() proto
* script.c:
Don't use log_error() in the child process.
* script.c:
Do I/O in parent instead of child since the parent can have both
/dev/tty as well as the pty fds open. The child just sets things up
and waits for its grandchild and writes the signal description to
the pty master if the command was killed by a signal.
2009-10-18 Todd C. Miller <>
* missing.h, sudo.h:
Move two struct forward declarations from sudo.h to missing.h
* script.c:
Make comment at the top of script_exec() match reality.
* sudo.c:
if neither stdin nor stdout is a tty, check stderr
Add back dependency of gram.h on gram.y
* script.c:
Make transcript mode work as long as we can figure out our tty, even
if it is not stdin. We'd like to use /dev/tty but that won't be
valid after the setsid().
2009-10-17 Todd C. Miller <>
*, configure,, pty.c:
Add support for IRIX-style dynamic ptys
*, alloc.h, getline.c, sudo.h, sudoreplay.c:
Move alloc.c protos into alloc.h
* missing.h:
Move prototypes for missing libc functions to missing.h
*, sudo.h, sudoreplay.c:
Move prototypes for missing libc functions to missing.h
2009-10-16 Todd C. Miller <>
*, configure,
Disable transcript support if no tcsetpgrp until we support older
BSD-style job control.
* configure,, pty.c, script.c:
Break out pty code into pty.c
* compat.h,, configure,
add killpg macro if no killpg function
*, configure,, script.c:
Push ptem and ldterm for STREAMS-based systems when allocating a
2009-10-15 Todd C. Miller <>
* script.c:
Sprinkle some more O_NOCTTY and call grantpt() before unlockpt()
* script.c:
Call tcgetpgrp() in the parent, not the child and have the child
spin until it is granted. Fixes a race on darwin.
* script.c:
Only use TIOCNOTTY in the non-setsid case. If no TIOCSCTTY, just
reopen slave.
2009-10-14 Todd C. Miller <>
* script.c:
In script mode, if the command is killed by a signal, print the
signal description as well as a core dump notification like the
shell does.
*,, configure,, strsignal.c,
Add check for strsignal() and a simple implementation if it is not
there but sys_siglist is
* script.c:
Add missing WUNTRACED and store the signal that stopped the
grandchild in suspended, not signo.
* script.c:
g/c unused code
* script.c:
Associate the grandchild's pgrp with the tty instead of the child's
and just get suspend notifications via SIGCHLD instead of directly.
This fixes a hang with programs that try to set terminal attributes
and is more consistent with how the shell handles things.
2009-10-12 Todd C. Miller <>
* script.c:
Move setpgid() of child into the parent side of the fork() where it
2009-10-11 Todd C. Miller <>
* script.c:
fix typo
* script.c:
Run command in its own pgrp (like the shell does) for easier
signalling. No need to relay SIGINT or SIGQUIT to parent, just send
to grandchild. Don't want grandchild stopped events in the child
(only termination). Flush output after suspending grandchild before
signalling parent.
* script.c:
Back out revision 1.34; the problem lies elsewhere.
* script.c:
Don't set stdout to blocking mode when flushing remaining output.
It can cause us to hang when trying to exit. Need to investigate
* script.c:
Handle SIGTTOU and remove some debugging.
* term.c:
Back out revision 1.10 as the signal that interrupts us may be
SIGTTOU or SIGTTIN which the caller must handle.
* script.c:
Apparently we need to send SIGSTOP to the command as well as ourself
when we get SIGTSTP, the kernel doesn't automatically stop the
process for us.
* script.c:
Use an extra process to act as the glue between the sessions
associated with the user's controlling tty (what the shell uses) and
the tty that sudo is using to do its logging. Basically, this means
that if we get, e.g. SIGTSTP from the process sudo is running, we
relay the signal to the parent so its shell can do the job control.
* term.c:
Handle getting/setting terminal attributes when the fd is in non-
blocking mode.
2009-10-07 Todd C. Miller <>
* sudoreplay.c,,, sudoreplay.pod:
Add support for pausing and changing the speed in interactive mode.
* script.c:
Already define O_NOCTTY in compat.h, don't need it here
2009-10-06 Todd C. Miller <>
* sudoreplay.c:
Add missing protos
2009-09-30 Todd C. Miller <>
* sudo_edit.c:
Always update the stashed mtime of the temp file instead of using
what we have for the original because the time resolution of the
filesystem the temporary is on may not match that of the filesystem
that holds the original. Should fix bz #371 found by Philippe Levan.
* sudoreplay.c:
Use cbreak mode instead of raw mode and add signal handlers to
restore the tty on interrupt.
* script.c, sudo.h, term.c:
Retain NL to NLCR conversion on the real tty and skip it on the pty
we allocate. That way, if stdout is not a pty there are no extra
carriage returns.
* script.c:
Fix log_output(); just pass in a string and a length.
2009-09-28 Todd C. Miller <>
* script.c:
do not use errno when complaining about lack of a tty
2009-09-27 Todd C. Miller <>
*, sudoreplay.c, term.c:
Instead of messing with line endings, just set terminal to raw mode
in sudoreplay.
* term.c:
When copying the terminal attributes to the pty, be sure not to set
ONLCR. This prevents extra carriage returns from ending up in the
script output file.
* script.c:
Convert a do {} while into a while
Use if then instead of test && when installing binaries that may not
* script.c:
Add O_NOCTTY when opening a tty device. Explicitly disconnect from
old tty before associating with new one.
* script.c, selinux.c, sudo.c, sudo.h:
First cut at refactoring some of the selinux code so it can be used
in conjunction with sudo's transcript support.
2009-09-26 Todd C. Miller <>
* aclocal.m4, configure,
Fix default case of transcript_enabled being unset.
* script.c, sudoreplay.c:
* INSTALL,, aclocal.m4, configure,, sudo.c:
Hook up --disable-transcript and --enable-transcript=DIR
2009-09-25 Todd C. Miller <>
* aclocal.m4, configure,,
transcript=DIR option to specify the directory
* configure,,, sudoers.pod:
Substitute in default value for secure_path
* sudo.pod:
Mention that the password must be followed by a newline with the -S
2009-09-20 Todd C. Miller <>
* script.c:
Go back to dropping out of the select() loop when the process dies;
Linux ptys apparently don't behave the same as BSD in regards to
select(). No need to flush remaining output to the transcript, only
to stdout. Add back code to check the master pty for additional data
when we exit the main select loop.
2009-09-19 Todd C. Miller <>
Add getline.o to COMMON_OBJS
sudoreplay depends on libsudo.a
Move pwutil.o into COMMON_OBJS
* pwutil.c, testsudoers.c, tsgetgrpw.c:
Remove my_* redirection in pwutil.c for testsudoers and just use the
normal libc get{pw,gr}* names.
*,, sudoreplay.pod:
More time and date examples
*, configure,, nanosleep.c, sudoreplay.c:
Move nanosleep() emulation into its own file. Check librt.a for
nanosleep if we don't find it in libc
*, configure,
Build libsudo with the common bits and link things against that.
* script.c:
Fix final flush.
* script.c:
Keep reading from the pty master -> log file until read returns <=
0. Do our best to write everything to stdout when flushing any
remaining bits.
* sudoreplay.c:
Use unbuffered I/O when writing to stdout and make sure we write the
entire buffer.
2009-09-18 Todd C. Miller <>
* sudoreplay.c:
Only use max_wait if it is non-zero
* getdate.c, getdate.y, getline.c:
Need compat.h here
* sudoreplay.c:
Fix nanosleep emulation
* script.c:
Fix comment after #endif
* sudoreplay.c:
Add protos for missing libc bits
* configure,
add missing line continuation char
*, configure,, getline.c:
Implement getline() in terms of fgetln() if we have it.
* sudoreplay.c:
Print year when formatting log line
* sudoreplay.pod:
Document cwd, attempt to document time/date formats.
* sudoreplay.c:
Fix getline return value check.
*,, configure,, getline.c,
Use getline() if the system has it, else provide our own for
* script.c:
Refactor code to update output and timing files.
2009-09-17 Todd C. Miller <>
* sudoreplay.c:
Make sudo_getln() behave more like glibc getline.
* script.c:
When flushing remaining output, also update timing file.
* sudoreplay.c:
Use get_timestr() and make the -l output look like the regular sudo
* logging.c, sudo.h, timestr.c:
Make get_timestr() take a time_t so we can use it properly in
* script.c:
Create session dir earlier now that we update the seq number early.
2009-09-16 Todd C. Miller <>
* sudoreplay.c:
Use fromdate and todate as the keywords instead of from and to; the
short forms will still be accepted.
* sudoreplay.c:
Fix reading long lines in sudo_getln()
* script.c, sudoreplay.c:
Log the cwd in the script log file. Add sudo_getln() to read
arbitrarily long lines.
*, logging.c, sudo.h, timestr.c:
Move get_timestr() into its own source file so sudoreplay can use
2009-09-15 Todd C. Miller <>
* sudoreplay.c:
Add to and from predicates (date ranges); needs documentation
2009-09-14 Todd C. Miller <>
*, getdate.c, getdate.y:
Fix warning and add generated getdate.c
*, getdate.y:
Add getdate.y to be used for sudoreplay date parsing.
2009-09-13 Todd C. Miller <>
* sudoreplay.c:
Check more than just the first character of a predicate
*,, sudoreplay.pod:
Add examples, sort predicates
*, sudoreplay.c,,,
Implement search expressions in sudoreplay similar in concept to
what find or tcpdump uses. TODO: date ranges
2009-09-07 Todd C. Miller <>
* script.c:
Remove vhangup as it was hanging up the wrong tty. Should really
vhangup in the child after it has set its tty.
* sudoers.pod:
Fix cut at documenting transcript support.
* logging.c:
ID= -> TSID= for transcript ID
2009-09-06 Todd C. Miller <>
* sudoers.pod:
Move fast_glob description to where it belongs in sorted order
* def_data.c, def_data.h,, gram.c, gram.h, gram.y,
parse.c, parse.h, sudo.c:
Rename script -> transcript
2009-09-03 Todd C. Miller <>
* compat.h:
Add timeradd and timersub for those without them
* script.c:
Sanity check sessid before using it.
* sudo.c:
Only set the session id if we are running a command or editing a
* script.c:
Actually, qsort is fine since most versions fall back to a cheaper
sort when the number of elements to sort is small (like in our
*, configure,, script.c:
Check for dup2 and use dup instead if we don't have it.
* script.c, sudo.c, sudo.h:
Move the code to dup2 the script fds to low numbered descriptors
into script_duplow() and fix the fd sorting.
* script.c, sudo.c, sudo.h:
Move script_setup() back to immediately before we drop privs and
call the new script_nextid() in its place, which will set
sudo_user.sessid for the logging functions.
2009-09-01 Todd C. Miller <>
Install sudoreplay
* sudoreplay.c:
remove unused variable
2009-08-30 Todd C. Miller <>
* logging.c, script.c, sudo.c, sudo.h:
Log the session ID, if there is one. Currently logs ID=XXXXXX,
perhaps should be SESSIONID or SESSID.
*, configure,,,, sudoreplay.pod:
Add sudoreplay docs
* sudoreplay.c:
add -V (version) flag
* sudoreplay.c:
Hook up max_wait.
* script.c, sudoreplay.c:
Use base36 number for the ID and store script files with paths like
/var/log/sudo-session/00/00/00{,.tim,.scr}. This gives us 36^6
(2,176,782,336) unique IDs.
2009-08-23 Todd C. Miller <>
Add check for regcomp
* sudoreplay.c:
Add support for selecting by pattern and tty when listing.
2009-08-17 Todd C. Miller <>
* sudoreplay.c:
The beginnings of a list mode.
2009-08-16 Todd C. Miller <>
fix pasto
Add scaffolding for building sudoreplay
* sudoreplay.c:
include error.h; first arg to nanotime is const
* sudoreplay.c:
Initial cut at sudoreplay; replay a sudo session.
2009-08-08 Todd C. Miller <>
* script.c:
Fix wait() usage and use correct wait status.
* sudo.c, sudo.h, tgetpass.c:
Add protos for term_* to sudo.h
* script.c:
Fix detection of the child process exiting. Since the child is in
its own session we should only ever get SIGCHLD for that process but
better safe than sorry.
Add UNIX98 pty support.
* configure,, script.c:
Add UNIX98 pty support.
2009-08-07 Todd C. Miller <>
* term.c:
For raw mode, don't bother clearing BRKINT or PARMRK and clear IUCLC
if it is defined.
* auth/pam.c:
Set PAM_RUSER and PAM_RHOST early so they can be used during
authentication. Based on a patch from Jamie Beverly.
* match.c:
Close dir before returning if strlcpy() reports overflow. From
Martynas Venckus.
*, configure,, script.c:
On Linux, the openpty proto lives in pty.h
* script.c:
Call vhangup on exit if the system has it. Use setpgrp() if no
2009-08-06 Todd C. Miller <>
*, configure,
Add checks for revoke and vhangup if we don't have openpty
* script.c:
Session logging guts that got forgotten in the previous commit.
*, aclocal.m4, compat.h,, configure,, def_data.c, def_data.h,, gram.c, gram.h,
gram.y, parse.c, parse.h,, sudo.c, sudo.h, term.c,
First cut at session logging for sudo. Still need to write
get_pty() for Unix 98 and old-style BSD ptys. Also needs
documentation and general cleanup.
2009-08-05 Todd C. Miller <>
* sudo.c, sudo_edit.c:
Fix a bug introduced with def_closefrom. The value of def_closefrom
already includes the +1.
2009-07-29 Todd C. Miller <>
Generate sudo distributions with pax in ustar mode. No longer need
to use a temp file or have the source dir name match the version.
2009-07-18 Todd C. Miller <>
* toke.c, toke.l:
Fix expansion of %h in #include names. Fixes bugzilla 363
2009-07-12 Todd C. Miller <>
* mkdefaults:
If no arg assume
Update for 1.7.2
[f5ad45f69f05] [SUDO_1_7_2]
* ChangeLog:
2009-06-30 Todd C. Miller <>
*,, sudoers.pod:
Add missing single quotes around a colon in Runas_Spec definition.
From Elias Benali.
2009-06-29 Todd C. Miller <>
* redblack.c:
In rbrepair, re-color the root or the first non-block node we find
to be black. Re-coloring the root is probably not needed but won't
2009-06-26 Todd C. Miller <>
* redblack.c:
When repairing the tree, don't touch the root node.
2009-06-25 Todd C. Miller <>
* set_perms.c:
Protect call to setegid in runas_setup with #ifdef HAVE_SETEUID.
Reported by Josef Schmid.
2009-06-23 Todd C. Miller <>
* sudoers.pod:
Document that we accept env_pam-style environment files
* env.c:
Adapt to accept pam_env-style /etc/environment which allows shell-
style lines such as: export EDITOR="/usr/bin/vi"
* sudoers.pod:
Make it clear that env_delete only works when !env_reset. From Loïc
2009-06-15 Todd C. Miller <>
* sudo.pod, sudoers.pod:
Add non-unix group bits, adapted from Quest
build the .cat page in the current working dir, not the src dir
* env.c:
Return EINVAL in setenv() if var is NULL or the empty string to
match glibc behavior.
2009-06-13 Todd C. Miller <>
* configure,
2009-06-11 Todd C. Miller <>
2009-06-09 Todd C. Miller <>
Document --with-libvas and --with-libvas-rpath
2009-05-29 Todd C. Miller <>
* ldap.c, sudoers.ldap.pod:
For netscape-derived LDAP SDKs the cert and key paths may be a
directory or a file. However, version 5.0 of the SDK only seems to
support using a directory. If ldapssl_clientauth_init fails and the
cert or key paths look like they could be files, strip off the last
path element and try again.
Add non-Unix group .o to COMMON_OBJS and substitute in path to flex.
2009-05-27 Todd C. Miller <>
* configure,, match.c, sudo.c, vasgroups.c:
Update non-Unix group support from Quest, as reworked by me.
* toke.c:
* toke.l:
Add support for escaped hex chars in names, e.g. \x20 for space.
2009-05-25 Todd C. Miller <>
* LICENSE,, aclocal.m4, alias.c, auth/aix_auth.c,
auth/pam.c, auth/sudo_auth.c, auth/sudo_auth.h, check.c, env.c,
fileops.c, glob.c, gram.y, interfaces.c, lbuf.c, ldap.c, logging.c,
logging.h, match.c, parse.c, parse.h,, pwutil.c,
set_perms.c, sudo.c, sudo.h, sudo.pod, sudo_nss.c, sudo_nss.h,, sudoers.ldap.pod, sudoers.pod, testsudoers.c,
tgetpass.c, toke.l, visudo.c:
Update copyright years.
2009-05-24 Todd C. Miller <>
* interfaces.c, lbuf.c:
Minor fixes for Minix-3
2009-05-22 Todd C. Miller <>
* set_perms.c:
Handle getgroups() returning 0. Also add missing check for
2009-05-19 Todd C. Miller <>
*,, configure,, sudo.c,
version.h, visudo.c:
Replace version.h with PACKAGE_VERSION set via AC_INIT in configure.
2009-05-18 Todd C. Miller <>
* set_perms.c:
Remove group setting code in setusercontext case, we will do it
ourselves later on in runas_setup. Set the gid after
initgroups/setgroups is called, since on Mac OS X it seems to change
the egid.
2009-05-17 Todd C. Miller <>
* LICENSE,,, match.c, nonunix.h, sudo.c,
Initial bits of non-unix group support using Quest Authentication
* toke.c, toke.l:
Accept %:foo as a non-Unix group
* toke.c, toke.l:
Allow user/group to be double quoted in the case of non-Unix groups
which contain spaces.
2009-05-11 Todd C. Miller <>
* match.c:
Don't allow the user to specify the default runas user if their
sudoers entry only allows them to run as a group.
2009-05-10 Todd C. Miller <>
* sudo.c:
Must call audit_success before we change uids.
* logging.c, set_perms.c, sudo.h, testsudoers.c:
Add option for set_perm to not exit on failure and use this in the
logging routines.
* parse.c:
In -l mode, if the user is only allowed to run as a group, display
the user's name, not root's before the allowed group.
* sudo.c:
Fix -g mode, broken by rev 1.503 which had the side effect of
setting the runas user to root unilaterally.
2009-05-08 Todd C. Miller <>
* fileops.c:
When unlocking a file with fcntl, use F_SETLK, not F_SETLKW.
* pwutil.c:
Only cache by the method we fetched for pwd and grp lookups.
Previously we cached both by name and id but this can cause problems
for entries that share the same id. Also add more info in the error
message in case the insert fails (which should now be impossible).
2009-04-30 Todd C. Miller <>
* sudoers.pod:
Add a clarification from Nick Sieger
2009-04-25 Todd C. Miller <>
* env.c:
Inline the setting of the environment string.
2009-04-24 Todd C. Miller <>
* env.c:
setenv(3) in Linux treats a NUL value as the empty string. setenv(3)
in BSD doesn't return an error if the name has '=' in it, it just
treats the '=' as end of string.
2009-04-22 Todd C. Miller <>
* toke.c, toke.l:
Not all systems have d_namlen
2009-04-20 Todd C. Miller <>
* sudoers.pod:
Fix up some pod2html issues.
2009-04-19 Todd C. Miller <>
* interfaces.c:
Check for NULL ifa_addr and ifa_netmask. Adapted from a diff from
Quest Software.
* sudoers.pod:
Ignore files ending in '~' in sudo.d (emacs backup files)
* toke.c, toke.l:
Ignore files ending in '~' in sudo.d (emacs backup files)
2009-04-18 Todd C. Miller <>
*,, sudoers.pod, toke.c, toke.l:
For #includedir, ignore any file containing a dot
*, version.h:
Bump version
* gram.c, gram.y, parse.c, parse.h, sudo.c, sudo.h,,, sudoers.pod, testsudoers.c, toke.c, toke.l,
Implement #includedir directive. Files in an includedir are not
edited by visudo unless they contain a syntax error.
* ChangeLog:
[8741ed61a78b] [SUDO_1_7_1]
Forgot umask_override
* ChangeLog, TODO:
2009-04-16 Todd C. Miller <>
* visudo.c:
Rewind stream if we fdopen sudoers since it may not be at the
beginning. Set the keepopen flag on already-open files too so the
lexer doesn't close them out from under us.
* visudo.c:
Print the proper file name when there is a parse error in an include
2009-04-11 Todd C. Miller <>
2009-04-10 Todd C. Miller <>
* configure,
Fix a warning when --without-ldap is specified.
2009-04-05 Todd C. Miller <>
* alias.c, parse.h, visudo.c:
Store aliases that we remove during check_aliases in a freelist and
free them at the end so we don't leak memory.
2009-03-28 Todd C. Miller <>
* visudo.c:
Check aliases in -c mode too.
* alias.c, parse.h, visudo.c:
Make alias_remove return the alias struct instead of freeing it
directly. Fixes a use after free in alias_remove_recursive, the only
* alias.c, match.c, parse.c, parse.h, visudo.c:
Rename find_alias -> alias_find for consistency.
2009-03-27 Todd C. Miller <>
* visudo.c:
When checking for unused aliases, recurse if the alias points to
another alias.
2009-03-16 Todd C. Miller <>
* ldap.c:
Back out rev 1.105 for now. Real ldapux_client.conf support will be
done later after some refactoring.
2009-03-14 Todd C. Miller <>
* ldap.c:
Treat ldap_hostport the same as "host" for ldapux.
* configure,
Only check for ldap_sasl_interactive_bind_s if we can find sasl.h.
Fixes compilation with ldapux.
2009-03-12 Todd C. Miller <>
* fileops.c:
fix char subscript
2009-03-11 Todd C. Miller <>
remove errant carriage returns
* audit.c, env.c:
fix K&R compilation
2009-03-10 Todd C. Miller <>
Add missing HAVE_BSM_AUDIT
Add 1.7.1 features
Mention --with-netsvc
* sudoers.ldap.pod:
Document netsvc.conf support
* configure,,, sudo.c, sudo_nss.c,
Add support for AIX netsvc.conf (like nsswitch.conf).
2009-03-08 Todd C. Miller <>
*, configure,, env.c:
Add --enable-env-debug flag to enable environment sanity checks.
* sudoers.ldap.pod, sudoers.pod:
Work around some pod2html issue.
2009-03-07 Todd C. Miller <>
* env.c:
Only sync environ for putenv, setenv, and unsetenv. We need to make
sure that sudo_putenv and sudo_setenv only modify env.envp, not
2009-03-02 Todd C. Miller <>
* env.c:
* env.c:
Fix unsetenv when UNSETENV_VOID
* aclocal.m4, configure:
* ldap.c:
tivoli-based ldap does not have ldapssl_err2string
* configure:
2009-03-01 Todd C. Miller <>
*, configure,, ldap.c:
Add support for Tivoli-based LDAP start TLS as seen in AIX.
* env.c:
Add sanity checks for setenv/unsetenv
Include bsm_audit.h in the tarball
*, version.h:
bump version for sudo 1.7.1
* aclocal.m4, auth/aix_auth.c,, configure,,
env.c, ldap.c, sudo.h:
Replace sudo_setenv/sudo_unsetenv with calls to setenv/unsetenv and
provide our own setenv/unsetenv/putenv that operates on own env
pointer. Make sync_env() inline in setenv/unsetenv/putenv functions.
2009-02-25 Todd C. Miller <>
* sudo.c:
Make "sudoedit -h" work as expected
* auth/pam.c:
Make sure def_prompt is always defined. This is a workaround for
pam configs that prompt for a password in the session but don't have
an auth line. A better fix is to expand the sudo prompt earlier and
set def_prompt to that when initializing.
* sudo.pod:
Mention that the helper for -A may be graphical.
Document what happens if there is no tty.
* sudo.c:
cosmetic changes
* term.c:
Fix term_restore
* sudo.c:
Fix "sudo -k" with no other args
2009-02-24 Todd C. Miller <>
* check.c, sudo.c, sudo.pod,
Allow the -k flag to be specified in conjunction with a command or
another option that may require authentication.
2009-02-23 Todd C. Miller <>
* configure,
Remove unneeded AC_CANONICAL_TARGET; from Diego E. 'Flameeyes'
Parallel make fix. From Diego E. 'Flameeyes'
2009-02-21 Todd C. Miller <>
* def_data.c, def_data.h,, sudo.c, sudoers.pod:
Implement umask_override
* toke.c:
* sudoers.pod, toke.l, visudo.c:
Implement %h escape in sudoers include filenames.
* audit.c:
Need to include compat.h
*, audit.c, bsm_audit.c, bsm_audit.h, logging.h, sudo.c:
Make audit_success and audit_failure generic functions in
preparation for integrating linux audit support.
* term.c:
remove duplicate include
2009-02-20 Todd C. Miller <>
* bsm_audit.c:
Add missing include
* sudo.c:
May need to update the runas user after parsing command-based
2009-02-18 Todd C. Miller <>
* glob.c:
Add missing pair of braces introduced with character class support.
2009-02-15 Todd C. Miller <>
* def_data.c, def_data.h,, sudoers.pod, tgetpass.c:
Rename pwstars to pwfeedback
2009-02-11 Todd C. Miller <>
* bsm_audit.c, bsm_audit.h:
Add const to make MacOS happy.
*, auth/sudo_auth.c, bsm_audit.c, bsm_audit.h, configure,, sudo.c:
Add bsm audit support from Christian S.J. Peron
* term.c:
This is new code, no DARPA notice.
2009-02-10 Todd C. Miller <>
* def_data.c, def_data.h,, match.c, sudoers.pod:
Rename simple_glob -> fast_glob
* match.c:
g/c unused var
* def_data.c, def_data.h,, match.c, sudoers.pod:
Add simple_glob option to use fnmatch() instead of glob(). This is
useful when you need to specify patterns that reference network file
* tgetpass.c:
add term_* proto
* sudoers.pod:
mention glob()
2009-02-09 Todd C. Miller <>
* tgetpass.c:
Delete any pwstars we wrote after the user hits return. That way
there is no record on screen as to the user's password length.
2009-02-08 Todd C. Miller <>
* term.c:
Move terminal setting bits from tgetpass.c to term.c
*, def_data.c, def_data.h,, sudoers.pod,
Add pwstars sudoers option that causes sudo to print a star every
time the user presses a key.
2009-02-03 Todd C. Miller <>
Fix up F<> brokenness for and
2009-01-27 Todd C. Miller <>
* ldap.c:
For ldap_search_ext_s() the sizelimit param should be 0, not -1, to
indicate no limit. From Mark Janssen.
2009-01-17 Todd C. Miller <>
* toke.c, toke.l:
Comments that begin with #- should not be parsed as uids.
2009-01-09 Todd C. Miller <>
* sudo.c:
Do not try to set the close on exec flag if we didn't actually open
2008-12-19 Todd C. Miller <>
* ChangeLog:
[e11f0e4c1bdd] [SUDO_1_7_0]
2008-12-14 Todd C. Miller <>
2008-12-09 Todd C. Miller <>
* auth/pam.c:
Return PAM_AUTH_ERR instead of PAM_CONV_ERR if user enters ^C at the
password prompt.
* configure,
Don't try to build on HP-UX with the bundled compiler
as it cannot generate shared objects.
* emul/charclass.h, glob.c, lbuf.c, tgetpass.c:
K&R compilation fixes
* parse.c:
Use tq_foreach_fwd when checking pseudo-commands to make it clear
that we are not short-circuiting on last match. When pwcheck is
'all', initialize nopass to TRUE and override it with the first non-
TRUE entry.
2008-12-08 Todd C. Miller <>
* parse.c:
Do not short circuit pseudo commands when we get a match since,
depending on the settings, we may need to examine all commands for
2008-12-03 Todd C. Miller <>
* sudoers.pod:
hostnames may also contain wildcards
remove stamp-* files and linux core files in clean target
2008-12-02 Todd C. Miller <>
* auth/sudo_auth.h,, configure,
Use HAVE_SIA_SES_INIT instead of HAVE_SIA for Digital UNIX
2008-11-26 Todd C. Miller <>
* configure,
correctly enable SIA on Digital UNIX
* ChangeLog:
2008-11-25 Todd C. Miller <>
* check.c, sudo.h, tgetpass.c:
Even if neither stdin nor stdout are ttys we may still have /dev/tty
available to us.
2008-11-24 Todd C. Miller <>
* sudoers.pod:
fix typos; Markus Lude
* ChangeLog:
* toke.c:
* toke.l:
Fix matching of a line that only consists of a comment char
2008-11-22 Todd C. Miller <>
* auth/pam.c:
MacOS pam will retry conversation function if it fails so just treat
^C as an empty password.
* visudo.c:
When checking for alias use, also check defaults bindings.
* redblack.c:
unused var
* redblack.c:
Replace my rbdelete with Emin's version (which actually works ;-)
2008-11-19 Todd C. Miller <>
* testsudoers.c:
malloc debugging
* visudo.c:
malloc options in devel mode for visudo too
2008-11-18 Todd C. Miller <>
* sudo.c:
fix compilation on non-C99; from Theo
* visudo.c:
fix check_aliases
* alias.c:
when destroying an alias, free the correct data pointer
* auth/sudo_auth.h:
add proto for aixauth_cleanup; from Dale King
2008-11-15 Todd C. Miller <>
* sudo.pod, sudoers.pod, visudo.pod:
standardize on the term 'option' for command line options (not flag)
2008-11-14 Todd C. Miller <>
Add note on configuring HP-UX pam
2008-11-11 Todd C. Miller <>
* check.c, sudo.c:
Move tty checks into check_user() so we only do them if we actually
need a password.
* sudo.c:
Don't error out if no tty or askpass unless we actually need to
2008-11-10 Todd C. Miller <>
* ChangeLog:
*, sudo.c:
s/overriden/overridden/; from Tobias Stoeckmann
2008-11-09 Todd C. Miller <>
* WHATSNEW, visudo.c:
check sudoers owner and mode in strict mode
* gram.c, toke.c:
Update copyright years.
* LICENSE, alias.c, alloc.c, auth/afs.c, auth/aix_auth.c,
auth/bsdauth.c, auth/fwtk.c, auth/kerb4.c, auth/kerb5.c, auth/pam.c,
auth/securid.c, auth/securid5.c, auth/sia.c, auth/sudo_auth.h,
closefrom.c, compat.h, defaults.c, defaults.h, env.c, fileops.c,
gettime.c, gram.y, ins_csops.h, insults.h, interfaces.c,
interfaces.h, lbuf.c, license.pod, list.c, logging.c, logging.h,
parse.c, parse.h, pwutil.c, redblack.c, redblack.h, snprintf.c,
sudo.c, sudo.pod, sudo_edit.c, sudo_nss.h, sudoers.pod,
testsudoers.c, toke.l, tsgetgrpw.c, utimes.c, version.h, visudo.c,
visudo.pod, zero_bytes.c:
Update copyright years.
* emul/charclass.h, fnmatch.c, glob.c:
add my copyright
2008-11-08 Todd C. Miller <>
* toke.c, toke.l:
The loop in fill_cmnd() was going one byte too far past the end,
resulting in a NUL being written immediately after the buffer end.
add sections on tgetpass changes
* tgetpass.c:
Treat EOF w/o newline as an error.
2008-11-07 Todd C. Miller <>
* parse.c:
Fix "sudo -v" when NOPASSWD is set.
* auth/bsdauth.c, auth/fwtk.c, auth/pam.c, auth/sudo_auth.c,
No longer treat an empty password at the prompt as special. To quit
out of sudo you now need to hit ^C at the password prompt.
* def_data.c, def_data.h,, sudo.c, sudoers.pod:
Sudo will now refuse to run if no tty is present unless the new
visiblepw sudoers flag is set.
2008-11-06 Todd C. Miller <>
* aix.c:
* aix.c:
fix fallback value for RLIM_SAVED_MAX
* auth/aix_auth.c, auth/sudo_auth.h:
Move clearing of AUTHSTATE into aixauth_cleanup.
* auth/aix_auth.c, env.c:
Unset AUTHSTATE after calling authenticate() as it may not be
correct for the user we are running the command as.
* isblank.c:
Add isblank() function for systems without it. Needed for POSIX
character class matching in fnmatch.c and glob.c.
2008-11-05 Todd C. Miller <>
expound on sudo and cd
2008-11-04 Todd C. Miller <>
* ChangeLog:
* sudoers.pod:
mention defaults parse order
2008-11-03 Todd C. Miller <>
*, aclocal.m4, compat.h, configure:
Add isblank() function for systems without it. Needed for POSIX
character class matching in fnmatch.c and glob.c.
add emul/charclass.h to HDRS
2008-11-02 Todd C. Miller <>
* defaults.c, parse.c, testsudoers.c, visudo.c:
Move update_defaults into defaults.c and call it properly from
visudo and testsudoers.
* defaults.c, interfaces.c, pwutil.c, sudo.c, sudo_edit.c, tgetpass.c,
use zero_bytes() instead of memset() for consistency
* logging.c, mon_systrace.c, parse.c, sudo.c, sudo_edit.c, tgetpass.c,
Zero out sigaction_t before use in case it has non-standard entries.
* match.c:
quiet gcc
* match.c:
Short circuit glob() checks if basename(pattern) !=
basename(command). Refactor code that checks for a command in a
directory and use it in the glob case if the resolved pattern ends
in a '/'.
2008-11-01 Todd C. Miller <>
* defaults.h, parse.c, sudo.c, testsudoers.c, visudo.c:
Defer setting runas defaults until after runaspw/gr is setup.
2008-10-29 Todd C. Miller <>
* match.c, sudo.c, testsudoers.c:
Use MAXHOSTNAMELEN+1 when allocating host/domain name since some
systems do not include space for the NUL in the size. Also manually
NUL-terminate buffer from gethostname() since POSIX is wishy-washy
on this.
2008-10-26 Todd C. Miller <>
* sudo.c, sudoers.pod:
When setting the umask, use the union of the user's umask and the
default value set in sudoers so that we never lower the user's umask
when running a command.
* sudo.c:
Don't try to read from a zero-length sudoers file. Remove the bogus
Solaris work-around for EAGAIN. Since we now use fgetc() it should
not be a problem.
2008-10-25 Todd C. Miller <>
* parse.c:
In update_defaults() check the return value of user*_matches against
ALLOW so we don't inadvertently match on UNSPEC.
2008-10-24 Todd C. Miller <>
regen man pages; no more hyphenation
* sudo.c:
Don't error out on a zero-length sudoers file. With the advent of
#include the user could create a situation where sudo is unusable.
2008-10-23 Todd C. Miller <>
* auth/kerb5.c,, configure,
Newer heimdal has 2-argument krb5_get_init_creds_opt_free() like MIT
krb5. Really old heimdal has no krb5_get_init_creds_opt_alloc() at
all. Add configure tests to handle all the cases.
2008-10-08 Todd C. Miller <>
* sudo.pod:
* sudoers.pod:
document sudoers_locale
* sudo.pod, sudo_edit.c:
add SUDO_EDITOR variable that sudoedit uses in preference to VISUAL
* toke.c, toke.l:
In fill_cmnd(), collapse any escaped sudo-specific characters.
Allows character classes to be used in pathnames.
2008-10-03 Todd C. Miller <>
* lbuf.c:
fix typo in non-C89 function declaration
* sudoers.pod:
Mention POSIX character classes now that our fnmatch() and glob()
support them.
* sample.sudoers, sudoers.pod:
Replace [A-z] (which won't match in UTF8) with [A-Za-z] which is
locale agnostic.
* parse.h:
use __signed char if we are going to assign a negative value since
on Power, char is unsigned by default
*, configure,
Add tests for __signed char and signed char.
* aix.c:
Fix AIX limit setting. getuserattr() returns values in disk blocks
rather than bytes. The default hard stack size in newer AIX is
RLIM_SAVED_MAX. From Dale King.
2008-09-26 Todd C. Miller <>
* emul/charclass.h, fnmatch.c, glob.c:
Add character class support to included glob(3) and fnmatch(3).
2008-09-16 Todd C. Miller <>
* emul/fnmatch.h:
Remove UCB advertising clause and some compatibility defines.
2008-09-14 Todd C. Miller <>
* sudo_edit.c:
Check EDITOR/VISUAL to make sure sudoedit is not re-invoking itself
or sudo. This allows one to set EDITOR to sudoedit without getting
into an infinite loop of sudoedit running itself until the path gets
too big.
* def_data.c, def_data.h,, defaults.c, sudo.c:
Add sudoers_locale Defaults option to override the default sudoers
locale of "C".
2008-09-13 Todd C. Miller <>
* sudo.c:
Set locale to system default except for during sudoers parse.
2008-09-12 Todd C. Miller <>
* match.c:
Redo change in 1.34 to use pointer arithmetic.
2008-09-11 Todd C. Miller <>
* match.c:
Fix a dereference (read) of a freed pointer. Reported by Patrick
2008-08-23 Todd C. Miller <>
* sudo.c:
Set locale to "C" to avoid interpretation issues with character
ranges in sudoers. May want to make the locale a sudoers option in
the future.
2008-08-20 Todd C. Miller <>
we no longer use setproctitle
* sudo.h:
remove #if 1
* LICENSE, mkstemp.c:
Use my replacement mkstemp() from the mktemp package.
2008-07-12 Todd C. Miller <>
* gram.c:
regen with yacc skeleton bug fixed
* sudoers.pod:
Remove duplicate "as root". From Martin Toft.
2008-07-02 Todd C. Miller <>
* pwutil.c, sudo.c, sudo.h, testsudoers.c:
Flesh out the fake passwd entry used for running commands as a uid
not listed in the passwd database. Fixes an issue with some PAM
2008-07-01 Todd C. Miller <>
* sudo.c:
Error out in -i mode if the user has no shell. This can happen when
running commands as a uid with no password entry.
2008-06-26 Todd C. Miller <>
* toke.c, toke.l:
Better fix for line continuation inside double quotes. Now accepts
whitespace between the backslash and the newline like the main
2008-06-25 Todd C. Miller <>
* toke.c, toke.l:
Fix line continuation in strings. It was only being honored if
preceded by whitespace.
2008-06-22 Todd C. Miller <>
*, configure,, logging.c:
Replace the double fork with a fork + daemonize.
2008-06-21 Todd C. Miller <>
* env.c, sudo.c:
The -i flag should imply env_reset. This got broken in sudo 1.6.9.
* logging.c, sudo.c, sudo_edit.c, visudo.c:
Change how the mailer is waited for. Instead of having a SIGCHLD
handler, use the double fork trick to orphan the child that opens
the pipe to sendmail. Fixes a problem running su on some Linux
2008-06-20 Todd C. Miller <>
* configure,
Fix configure test for dirfd() on Linux where DIR is opaque.
2008-06-17 Todd C. Miller <>
* tgetpass.c:
Get rid of the QNX TCSAFLUSH -> TCSADRAIN hack. If QNX still has
this problem we'll need to revisit this again.
2008-06-11 Todd C. Miller <>
* logging.c:
Ignore SIGPIPE instead of blocking it when piping to the mailer. If
we only block the signal it may be delivered later when we unblock.
Also, there is no need to block SIGCHLD since we no longer do the
double fork. The normal SIGCHLD handler is sufficient.
2008-06-08 Todd C. Miller <>
* configure,
Add description for NO_PAM_SESSION, from a redhat patch.
2008-06-06 Todd C. Miller <>
*,, sudo.pod:
Fix typos in -i usage
2008-05-18 Todd C. Miller <>
* configure,
Redo the test for dgettext() in a way that hopefully will work
around the libintl_dgettext() undefined problem.
2008-05-11 Todd C. Miller <>
* schema.ActiveDirectory:
change filename in comment
2008-05-10 Todd C. Miller <>
Reference schema.ActiveDirectory
2008-05-09 Todd C. Miller <>
* schema.OpenLDAP, schema.iPlanet:
Mark sudoRunAs as deprecated.
* schema.ActiveDirectory:
add sudoRunAsUser and sudoRunAsGroup
* schema.ActiveDirectory:
Active Directory schema by Chantal Paradis and Eric Paquet
2008-05-08 Todd C. Miller <>
* parse.c:
remove an XXX that was fixed
* ChangeLog:
* parse.c:
Initialize tags to UNSPEC instead of def_* in "sudo -l" mode. This
fixes a problem where the tag value printed was influenced by
defaults set in the first pass through the parser.
2008-05-04 Todd C. Miller <>
*, sudo.psf:
No point in packaging the TODO file
* ChangeLog:
2008-05-03 Todd C. Miller <>
* WHATSNEW, def_data.c, def_data.h,, env.c, sudo.c,
sudo.h,,, sudoers.pod:
Add env_file Defaults option that is similar to /etc/environment on
some systems.
2008-05-02 Todd C. Miller <>
change version to 1.7.0
initial valgrind pass done
2008-04-23 Todd C. Miller <>
* ldap.c:
Fix typo/think in sudo_ldap_read_secret() when storing the secret.
2008-04-11 Todd C. Miller <>
* ldap.c:
define LDAPS_PORT if the system headers do not
2008-04-10 Todd C. Miller <>
* gram.c, gram.y:
Fix another memory leak in init_parser().
* configure,
There was a missing space before the ldap libs in SUDO_LIBS for some
* alias.c, gram.c, gram.y, toke.c, toke.l:
Clean up some memory leaks pointed out by valgrind.
2008-04-07 Todd C. Miller <>
* sudo.c:
fix "sudo -s" broken by mode/flags breakout
* configure,
remove duplicate check for dgettext
2008-04-05 Todd C. Miller <>
* aix.c:
Fall back to default stanza if no user-specific limit is found.
2008-04-02 Todd C. Miller <>
* snprintf.c:
include stdint.h if present
* snprintf.c:
Use LLONG_MAX, not the old QUAD_MAX
2008-04-01 Todd C. Miller <>
* sudoers.ldap.pod:
fix cut and pasto
2008-03-31 Todd C. Miller <>
* pwutil.c:
Add #ifdef PURITY
2008-03-30 Todd C. Miller <>
* auth/bsdauth.c:
remove useless cast
2008-03-27 Todd C. Miller <>
* ChangeLog:
* sudo.h:
Split MODE_* defines into primary and flags.
2008-03-26 Todd C. Miller <>
* aix.c:
It turns out the logic for getting AIX limits is more convoluted
than I realized and differs depending on whether the soft and/or
hard limits are defined.
2008-03-23 Todd C. Miller <>
*, configure,
Back out AIX-specific change to set the sudo_noexec path to the .a
file, we do really want to use the .so file. Since libtool doesn't
do that correctly, just install the .so file ourselves in the
* install-sh:
If the file given to install is a path, only use the basename of the
file when building the destination path.
2008-03-18 Todd C. Miller <>
* sudo.c:
parse_args() cleanup: Sort command line options in the getopt()
switch. The -U option requires a parameter. Normalize a few ISSET
calls. Split mode into mode and flags and retire the now-obsolete
excl variable.
* WHATSNEW, check.c, sudo.c,, sudo.h,, sudo.pod,
Add -n (non-interactive) flag.
* sudo.c:
Move version printing, etc. into a separate function.
* sudo.c:
Don't try to cleanup nsswitch if it has not been initialized.
2008-03-17 Todd C. Miller <>
* logging.c:
Block SIGPIPE in send_mail() so sudo is not killed by a problem
executing the mailer.
2008-03-14 Todd C. Miller <>
* configure,
AIX shared libs end in .a, not .so.
2008-03-13 Todd C. Miller <>
* env.c:
Preserve HOME by default too. Matches documentation and previous
2008-03-12 Todd C. Miller <>
* sudo.c:
Use getopt() to parse the command line. We need to be able to
intersperse env variables and options yet still honor "--" which
complicates things slightly.
2008-03-06 Todd C. Miller <>
* ChangeLog:
* acsite.m4, configure,
update to libtool-1.5.26
* config.guess, config.sub:
update from libtool-1.5.26 distribution
* aix.c, sudo.h:
attempt to fix compilation errors on AIX
fix typo in last commit
Add WHATSNEW file to the distribution
* visudo.c:
use warningx instead of fprintf(stderr, ...)
* list.c:
add DEBUG to list2tq
* ChangeLog, TODO:
mention mailfrom
*, aix.c,, configure,,
set_perms.c, sudo.h:
Add aix_setlimits() to set resource limits on AIX using a
combination of getuserattr() and setrlimit(). Currently untested.
2008-03-05 Todd C. Miller <>
* def_data.c, def_data.h,, logging.c,,, sudoers.pod:
Add mailfrom Defaults option that sets the value of the From: field
in the warning/error mail. If unset the login name of the invoking
user is used.
* defaults.c:
store a copy of _PATH_SUDO_ASKPASS in def_askpass that is freeable
* gram.c, gram.y:
When adding a default, only call list2tq() once to do the list to tq
conversion. It is not legal to call list2tq multiple times on the
same list since list2tq consumes and modifies the list argument.
*,, sudoers.ldap.pod:
comment out XXXs for now
mention askpass
2008-03-04 Todd C. Miller <>
* sudo.c:
Error out if both -A and -S are specified. Error out if -A is
specified but no askpass is configured.
* configure,
we are not going to ship a sudo-specific askpass
2008-03-03 Todd C. Miller <>
* sudo.h:
fix definition of TGP_ASKPASS
* def_data.c,
make askpass boolean-capable
document --with-askpass
2008-03-02 Todd C. Miller <>
* sudo.pod,, sudoers.pod:
document -A and askpass
* auth/sudo_auth.c, check.c, configure,, def_data.c,
def_data.h,, defaults.c,, sudo.c, sudo.h,, tgetpass.c:
Add support for running a helper program to read the password when
no tty is present (or when specified with the -A flag). TODO: docs.
* def_data.c,
add missing printf format to SELinux role and type strings
2008-02-27 Todd C. Miller <>
* INSTALL, configure,
Disable use of gss_krb5_ccache_name() by default and add
--enable-gss-krb5-ccache-name configure option to enable it. It
seems that gss_krb5_ccache_name() doesn't work properly with some
combinations of Heimdal and OpenLDAP.
2008-02-22 Todd C. Miller <>
* selinux.c:
Ignore setexeccon() failing in permissive mode. Also add a call to
setkeycreatecon() (though this is probably insufficient). From Dan
* auth/pam.c:
Only set std_prompt for the PAM_PROMPT_* cases. The conversation
function may be called for non-password reading purposes so we must
be careful not to use def_prompt in cases where it may not be set.
2008-02-20 Todd C. Miller <>
* selinux.c:
Don't free the new tty context, we need to keep it around when we
restore the tty context after the command completes
2008-02-19 Todd C. Miller <>
* selinux.c:
*, sudo.pod:
Only put login_cap(3) in SEE ALSO section if we have login.conf
2008-02-18 Todd C. Miller <>
* sudoers.pod:
Substitute in comment characters for lines pertaining to login.conf,
BSD auth and SELinux and only enable them if pertinent.
* sudo.pod:
Substitute in comment characters for lines pertaining to login.conf,
BSD auth and SELinux and only enable them if pertinent.
*, configure,
Substitute in comment characters for lines pertaining to login.conf,
BSD auth and SELinux and only enable them if pertinent.
*, sudo.pod, sudoers.ldap.pod, sudoers.pod, visudo.pod:
Remove the =cut on the first line (above the copyright notice) to
quiet pod2man. Also remove the hackery in the FILES section and
just deal with the fact that there will be a newline between each
2008-02-17 Todd C. Miller <>
run when generating
* configure,,
comment out SELinux manual bits unless --with-selinux was specified
* sudoers.pod:
document role and type defaults for SELinux
* sudo.c,,, sudo.pod,
Document "sudo -ll" and make "sudo -l -l" be equivalent.
2008-02-15 Todd C. Miller <>
* configure,
Treat k*bsd*-gnu like Linux, not BSD. Fixes compilation problems on
Debian GNU/kFreeBSD.
2008-02-13 Todd C. Miller <>
* auth/kerb5.c:
Avoid Heimdal'isms introduced in the rev 1.32 rewrite of
* logging.c, logging.h, sudo.c:
Remove dependence on VALIDATE_NOT_OK in logging functions. Split
log_auth() into log_allowed() and log_denial(). Replace mail_auth()
with should_mail() and a call to send_mail().
2008-02-10 Todd C. Miller <>
* ldap.c:
Add debugging so we can tell if the krb5 ccache is accessible
mention --with-selinux
2008-02-09 Todd C. Miller <>
* configure:
* selinux.c:
add Sudo tag
* sudo.c,, sudo.h,, sudo.pod,,,, sudoers.ldap.pod,
testsudoers.c, toke.c, toke.l:
Add support for SELinux RBAC. Sudoers entries may specify a role
and type. There are also role and type defaults that may be used.
To make sure a transition occurs, when using RBAC commands are
executed via the new sesh binary. Based on initial changes from Dan
* sesh.c:
Add support for SELinux RBAC. Sudoers entries may specify a role
and type. There are also role and type defaults that may be used.
To make sure a transition occurs, when using RBAC commands are
executed via the new sesh binary. Based on initial changes from Dan
*,,, def_data.c, def_data.h,, gram.c, gram.h, gram.y, ldap.c, parse.c, parse.h,, selinux.c:
Add support for SELinux RBAC. Sudoers entries may specify a role
and type. There are also role and type defaults that may be used.
To make sure a transition occurs, when using RBAC commands are
executed via the new sesh binary. Based on initial changes from Dan
2008-02-08 Todd C. Miller <>
* lbuf.c, ldap.c, parse.c, sudo.c, sudo.h, sudo_nss.c:
Add long list (sudo -ll) support for printing verbose LDAP and
sudoers file entries. Still need to update manual.
2008-02-03 Todd C. Miller <>
* ldap.c, parse.c, sudo.h, sudo_nss.c, sudo_nss.h:
Unify the -l output for file and ldap based sudoers and use lbufs
for both. The ldap output does not currently include options that
cannot be represented as tags. This will be remedied in a long list
output mode to come.
2008-01-27 Todd C. Miller <>
* set_perms.c:
Use a specific error message for errno == EAGAIN when setuid() et al
fails. On Linux systems setuid() will fail with errno set to EAGAIN
if changing to the new uid would result in a resource limit
* sudo.c:
Unlimit nproc on Linux systems where calling the setuid() family of
syscalls causes the nproc resource limit to be checked. The limits
will be reset by when PAM is used. In the non-PAM
case the nproc limit will remain unlimited but there doesn't seem to
be a way around that other than having sudo parse
/etc/security/limits.conf directly.
* env.c, sudo.c, sudo.pod:
Only read /etc/environment on Linux and AIX
2008-01-23 Todd C. Miller <>