Merge sudo 1.9.14 from tip.

--HG--
branch : 1.9

.circleci/config.yml

@@ -56,7 +56,7 @@ jobs:
   build_macos:
     description: Configure, build and package sudo (macOS)
     macos:
-      xcode: 13.2.1 # indicate our selected version of Xcode
+      xcode: 13.4.1 # indicate our selected version of Xcode
     steps:
       - checkout
       - run:

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: sudo-project
+open_collective: sudo-project

INSTALL.md

@@ -10,16 +10,16 @@ about the `configure` script itself.
 
 ## System requirements
 
-To build sudo from the source distribution you need a POSIX-compliant
-operating system (any modern version of BSD, Linux, or Unix should work),
-an ANSI/ISO C compiler that supports the "long long" type, variadic
-macros (a C99 feature) as well as the ar, make, and ranlib utilities.
+To build sudo from the source distribution you will need a
+POSIX-compliant operating system (any modern version of BSD, Linux,
+or Unix should work), a C compiler that conforms to ISO C99 or
+higher, and the ar, make, and ranlib utilities.
 
 If you wish to modify the parser then you will need flex version
-2.5.2 or later and either bison or byacc (sudo comes with a
-pre-generated parser).  You'll also have to run configure with the
---with-devel option or pass DEVEL=1 to make.  You can get flex from
-https://github.com/westes/flex/.  You can get GNU bison from
+2.5.2 or later and either bison or byacc (sudo comes with a parser
+generated with GNU bison).  You'll also have to run configure with
+the --with-devel option or pass DEVEL=1 to make.  You can get flex
+from https://github.com/westes/flex/.  You can get GNU bison from
 https://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.
 
 Some systems will also require that development library packages be
@@ -110,7 +110,8 @@ Defaults are listed in brackets after the description.
         Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]
 
     --sysconfdir=DIR
-        Look for `sudo.conf` and `sudoers` files in DIR. [/etc]
+        Look for configuration files such as `sudo.conf` and `sudoers`
+        in DIR. [/etc]
 
     --includedir=DIR
         Install sudo_plugin.h include file in DIR [PREFIX/include]
@@ -226,9 +227,11 @@ Defaults are listed in brackets after the description.
         -fstack-clash-protection, -fcf-protection and linking with
         -zrelro, -znow, and -znoexecstack where supported.
 
-    --disable-ssp
-        Disable use of the -fstack-protector compiler option.
-        This does not affect the other hardening options.
+    --disable-largefile
+        Disable support for large (64-bit) files on 32-bit systems
+        where the maximum file size is normally 4GB.  By default,
+        configure will enable support for 64-bit file sizes if
+        supported by the operating system.
 
     --disable-leaks
         Avoid leaking memory even when we are headed for exit,
@@ -278,6 +281,10 @@ Defaults are listed in brackets after the description.
         instead.  This option may only be used in conjunction with
         the --enable-static-sudoers option.
 
+    --disable-ssp
+        Disable use of the -fstack-protector compiler option.
+        This does not affect the other hardening options.
+
     --enable-static-sudoers
         By default, the sudoers plugin is built and installed as a
         dynamic shared object.  When the --enable-static-sudoers
@@ -294,6 +301,11 @@ Defaults are listed in brackets after the description.
         use the /usr/lib/tmpfiles.d directory if the file
         /usr/lib/tmpfiles.d/systemd.conf exists.
 
+    --disable-year2038
+	Disable support for dates after January 2038.  By default,
+        configure will enable support for 64-bit time_t values if
+	supported by the operating system.
+
     --enable-zlib[=location]
         Enable the use of the zlib compress library when storing
         I/O log files.  If specified, location is the base directory
@@ -347,6 +359,15 @@ Defaults are listed in brackets after the description.
 
 ### Optional features:
 
+    --enable-adminconf=[DIR]
+        Search for configuration files in adminconfdir (PREFIX/etc
+        by default) in preference to configuration files in sysconfdir
+        (/etc by default).  This can be used on systems where
+        sysconfdir is located on a read-only filesystem.  When this
+        option is enabled, the visudo utility will store edited
+        sudoers files in adminconfdir if the original was located
+        in sysconfdir.
+
     --disable-root-mailer
         By default sudo will run the mailer as root when tattling
         on a user so as to prevent that user from killing the mailer.

MANIFEST

@@ -116,9 +116,31 @@ lib/eventlog/eventlog.c
 lib/eventlog/eventlog_conf.c
 lib/eventlog/eventlog_free.c
 lib/eventlog/logwrap.c
+lib/eventlog/parse_json.c
+lib/eventlog/parse_json.h
+lib/eventlog/regress/eventlog_store/store_json_test.c
+lib/eventlog/regress/eventlog_store/store_sudo_test.c
+lib/eventlog/regress/eventlog_store/test1.json.in
+lib/eventlog/regress/eventlog_store/test1.json.out.ok
+lib/eventlog/regress/eventlog_store/test1.sudo.out.ok
+lib/eventlog/regress/eventlog_store/test2.json.in
+lib/eventlog/regress/eventlog_store/test2.json.out.ok
+lib/eventlog/regress/eventlog_store/test2.sudo.out.ok
+lib/eventlog/regress/eventlog_store/test3.json.in
+lib/eventlog/regress/eventlog_store/test3.json.out.ok
+lib/eventlog/regress/eventlog_store/test3.sudo.out.ok
+lib/eventlog/regress/eventlog_store/test4.json.in
+lib/eventlog/regress/eventlog_store/test4.json.out.ok
+lib/eventlog/regress/eventlog_store/test4.sudo.out.ok
 lib/eventlog/regress/logwrap/check_wrap.c
 lib/eventlog/regress/logwrap/check_wrap.in
 lib/eventlog/regress/logwrap/check_wrap.out.ok
+lib/eventlog/regress/parse_json/check_parse_json.c
+lib/eventlog/regress/parse_json/test1.in
+lib/eventlog/regress/parse_json/test2.in
+lib/eventlog/regress/parse_json/test2.out.ok
+lib/eventlog/regress/parse_json/test3.in
+lib/eventlog/regress/parse_json/test3.out.ok
 lib/fuzzstub/Makefile.in
 lib/fuzzstub/fuzzstub.c
 lib/iolog/Makefile.in
@@ -132,7 +154,6 @@ lib/iolog/iolog_filter.c
 lib/iolog/iolog_flush.c
 lib/iolog/iolog_gets.c
 lib/iolog/iolog_json.c
-lib/iolog/iolog_json.h
 lib/iolog/iolog_legacy.c
 lib/iolog/iolog_loginfo.c
 lib/iolog/iolog_mkdirs.c
@@ -197,12 +218,6 @@ lib/iolog/regress/iolog_filter/test3/timing
 lib/iolog/regress/iolog_filter/test3/ttyin
 lib/iolog/regress/iolog_filter/test3/ttyin.filtered
 lib/iolog/regress/iolog_filter/test3/ttyout
-lib/iolog/regress/iolog_json/check_iolog_json.c
-lib/iolog/regress/iolog_json/test1.in
-lib/iolog/regress/iolog_json/test2.in
-lib/iolog/regress/iolog_json/test2.out.ok
-lib/iolog/regress/iolog_json/test3.in
-lib/iolog/regress/iolog_json/test3.out.ok
 lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c
 lib/iolog/regress/iolog_path/check_iolog_path.c
 lib/iolog/regress/iolog_path/data
@@ -236,7 +251,6 @@ lib/util/fnmatch.c
 lib/util/freezero.c
 lib/util/fstatat.c
 lib/util/getaddrinfo.c
-lib/util/getcwd.c
 lib/util/getdelim.c
 lib/util/getentropy.c
 lib/util/getgrouplist.c
@@ -276,11 +290,13 @@ lib/util/pw_dup.c
 lib/util/pwrite.c
 lib/util/rcstr.c
 lib/util/reallocarray.c
+lib/util/realpath.c
 lib/util/regex.c
 lib/util/regress/closefrom/closefrom_test.c
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3
+lib/util/regress/digest/digest_test.c
 lib/util/regress/fnmatch/fnm_test.c
 lib/util/regress/fnmatch/fnm_test.in
 lib/util/regress/fuzz/fuzz_sudo_conf.c
@@ -598,6 +614,7 @@ plugins/sudoers/b64_encode.c
 plugins/sudoers/boottime.c
 plugins/sudoers/bsm_audit.c
 plugins/sudoers/bsm_audit.h
+plugins/sudoers/canon_path.c
 plugins/sudoers/check.c
 plugins/sudoers/check.h
 plugins/sudoers/check_aliases.c
@@ -645,6 +662,7 @@ plugins/sudoers/iolog.c
 plugins/sudoers/iolog_path_escapes.c
 plugins/sudoers/ldap.c
 plugins/sudoers/ldap_conf.c
+plugins/sudoers/ldap_innetgr.c
 plugins/sudoers/ldap_util.c
 plugins/sudoers/linux_audit.c
 plugins/sudoers/linux_audit.h
@@ -661,6 +679,7 @@ plugins/sudoers/mkdefaults
 plugins/sudoers/parse.c
 plugins/sudoers/parse.h
 plugins/sudoers/parse_ldif.c
+plugins/sudoers/pivot.c
 plugins/sudoers/po/README
 plugins/sudoers/po/ast.mo
 plugins/sudoers/po/ast.po
@@ -1034,6 +1053,7 @@ plugins/sudoers/regress/sudoers/test9.ldif.ok
 plugins/sudoers/regress/sudoers/test9.out.ok
 plugins/sudoers/regress/sudoers/test9.toke.ok
 plugins/sudoers/regress/testsudoers/group
+plugins/sudoers/regress/testsudoers/passwd
 plugins/sudoers/regress/testsudoers/test1.out.ok
 plugins/sudoers/regress/testsudoers/test1.sh
 plugins/sudoers/regress/testsudoers/test10.out.ok
@@ -1061,6 +1081,12 @@ plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
 plugins/sudoers/regress/testsudoers/test20.out.ok
 plugins/sudoers/regress/testsudoers/test20.sh
+plugins/sudoers/regress/testsudoers/test21.out.ok
+plugins/sudoers/regress/testsudoers/test21.sh
+plugins/sudoers/regress/testsudoers/test22.out.ok
+plugins/sudoers/regress/testsudoers/test22.sh
+plugins/sudoers/regress/testsudoers/test23.out.ok
+plugins/sudoers/regress/testsudoers/test23.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
@@ -1275,8 +1301,7 @@ src/sudo_intercept_common.c
 src/sudo_noexec.c
 src/sudo_plugin_int.h
 src/sudo_usage.h.in
-src/suspend_nopty.c
-src/tcsetpgrp_nobg.c
+src/suspend_parent.c
 src/tgetpass.c
 src/ttyname.c
 src/utmp.c

Makefile.in

@@ -1,7 +1,7 @@
 #
 # SPDX-License-Identifier: ISC
 #
-# Copyright (c) 2010-2015, 2017-2022 Todd C. Miller <[email protected]>
+# Copyright (c) 2010-2015, 2017-2023 Todd C. Miller <[email protected]>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -31,6 +31,7 @@ exec_prefix = @exec_prefix@
 bindir = @bindir@
 sbindir = @sbindir@
 sysconfdir = @sysconfdir@
+adminconfdir = @adminconfdir@
 libexecdir = @libexecdir@
 includedir = @includedir@
 datarootdir = @datarootdir@

NEWS

@@ -1,3 +1,96 @@
+What's new in Sudo 1.9.14
+
+ * Fixed a bug where if the "intercept" or "log_subcmds" sudoers
+   option was enabled and a sub-command was run where the first
+   entry of the argument vector didn't match the command being run.
+   This resulted in commands like "sudo su -" being killed due to
+   the mismatch.  Bug #1050.
+
+ * The sudoers plugin now canonicalizes command path names before
+   matching (where possible).  This fixes a bug where sudo could
+   execute the wrong path if there are multiple symbolic links with
+   the same target and the same base name in sudoers that a user is
+   allowed to run.  GitHub issue #228.
+
+ * Improved command matching when a chroot is specified in sudoers.
+   The sudoers plugin will now change the root directory id needed
+   before performing command matching.  Previously, the root directory
+   was simply prepended to the path that was being processed.
+
+ * When NETGROUP_BASE is set in the ldap.conf file, sudo will now
+   perform its own netgroup lookups of the host name instead of
+   using the system innetgr(3) function.  This guarantees that user
+   and host netgroup lookups are performed using  the same LDAP
+   server (or servers).
+
+ * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
+   " ; " separator between environment variables and the command
+   in log entries.
+
+ * The visudo utility now displays a warning when it ignores a file
+   in an include dir such as /etc/sudoers.d.
+
+ * When running a command in a pseudo-terminal, sudo will initialize
+   the terminal settings even if it is the background process.
+   Previously, sudo only initialized the pseudo-terminal when running
+   in the foreground.  This fixes an issue where a program that
+   checks the window size would read the wrong value when sudo was
+   running in the background.
+
+ * Fixed a bug where only the first two digits of the TSID field
+   being was logged.  Bug #1046.
+
+ * The "log_pty" sudoers option is now enabled by default.  To
+   restore the historic behavior where a command is run in the
+   user's terminal, add "Defaults !use_pty" to the sudoers file.
+   GitHub issue #258.
+
+ * Sudo's "-b" option now works when the command is run in a
+   pseudo-terminal.
+
+ * When disabling core dumps, sudo now only modifies the soft limit
+   and leaves the hard limit as-is.  This avoids problems on Linux
+   when sudo does not have CAP_SYS_RESOURCE, which may be the case
+   when run inside a container.  GitHub issue #42.
+
+ * Sudo configuration file paths have been converted to colon-separated
+   lists of paths.  This makes it possible to have configuration
+   files on a read-only file system while still allowing for local
+   modifications in a different (writable) directory.  The new
+   --enable-adminconf configure option can be used to specify a
+   directory that is searched for configuration files in preference
+   to the sysconfdir (which is usually /etc).
+
+ * The "intercept_verify" sudoers option is now only applied when
+   the "intercept" option is set in sudoers.  Previously, it was
+   also applied when "log_subcmds" was enabled.
+
+ * The NETGROUP_QUERY ldap.conf parameter can now be disabled for
+   LDAP servers that do not support querying the nisNetgroup object
+   by its nisNetgroupTriple attribute, while still allowing sudo to
+   query the LDAP server directly to determine netgroup membership.
+
+ * Fixed a long-standing bug where a sudoers rule without an explicit
+   runas list allowed the user to run a command as root and any
+   group instead of just one of the groups that root is a member
+   of.  For example, a rule such as "myuser ALL = ALL" would permit
+   "sudo -u root -g othergroup" even if root did not belong to
+   "othergroup".
+
+ * Fixed a bug where a sudoers rule with an explicit runas list
+   allowed a user to run sudo commands as themselves.  For example,
+   a rule such as "myuser ALL = (root) ALL", "myuser" should only
+   allow commands to be run as root (optionally using one of root's
+   groups).  However, the rule also allowed the user to run
+   "sudo -u myuser -g myuser command".
+
+ * Fixed a bug that prevented the user from specifying a group on
+   the command line via "sudo -g" if the rule's Runas_Spec contained
+   a Runas_Alias.
+
+ * Sudo now requires a C compiler that conforms to ISO C99 or higher
+   to build.
+
 What's new in Sudo 1.9.13p3
 
  * Fixed a bug introduced in sudo 1.9.13 that caused a syntax error