merge sudo 1.9.1 from tip

--HG-- branch : 1.9
sudo-project · Jun 18, 2020 · 7ada70e · 7ada70e
2 parents bb40b2a + 65edf63
commit 7ada70e
Show file tree

Hide file tree

Showing 369 changed files with 28,157 additions and 20,162 deletions.
diff --git a/MANIFEST b/MANIFEST
@@ -115,6 +115,7 @@ lib/iolog/regress/iolog_json/test1.in
 lib/iolog/regress/iolog_json/test2.in
 lib/iolog/regress/iolog_json/test2.out.ok
 lib/iolog/regress/iolog_json/test3.in
+lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c
 lib/iolog/regress/iolog_path/check_iolog_path.c
 lib/iolog/regress/iolog_path/data
 lib/iolog/regress/iolog_util/check_iolog_util.c
@@ -558,6 +559,8 @@ plugins/sudoers/po/pt.mo
 plugins/sudoers/po/pt.po
 plugins/sudoers/po/pt_BR.mo
 plugins/sudoers/po/pt_BR.po
+plugins/sudoers/po/ro.mo
+plugins/sudoers/po/ro.po
 plugins/sudoers/po/ru.mo
 plugins/sudoers/po/ru.po
 plugins/sudoers/po/sk.mo
@@ -809,6 +812,10 @@ plugins/sudoers/regress/sudoers/test9.toke.ok
 plugins/sudoers/regress/testsudoers/group
 plugins/sudoers/regress/testsudoers/test1.out.ok
 plugins/sudoers/regress/testsudoers/test1.sh
+plugins/sudoers/regress/testsudoers/test10.out.ok
+plugins/sudoers/regress/testsudoers/test10.sh
+plugins/sudoers/regress/testsudoers/test11.out.ok
+plugins/sudoers/regress/testsudoers/test11.sh
 plugins/sudoers/regress/testsudoers/test2.inc
 plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
@@ -824,6 +831,8 @@ plugins/sudoers/regress/testsudoers/test7.out.ok
 plugins/sudoers/regress/testsudoers/test7.sh
 plugins/sudoers/regress/testsudoers/test8.out.ok
 plugins/sudoers/regress/testsudoers/test8.sh
+plugins/sudoers/regress/testsudoers/test9.out.ok
+plugins/sudoers/regress/testsudoers/test9.sh
 plugins/sudoers/regress/visudo/test1.out.ok
 plugins/sudoers/regress/visudo/test1.sh
 plugins/sudoers/regress/visudo/test10.out.ok
@@ -930,6 +939,8 @@ po/pt.mo
 po/pt.po
 po/pt_BR.mo
 po/pt_BR.po
+po/ro.mo
+po/ro.po
 po/ru.mo
 po/ru.po
 po/sk.mo

diff --git a/NEWS b/NEWS
@@ -1,3 +1,75 @@
+What's new in Sudo 1.9.1
+
+ * Fixed an AIX-specific problem when I/O logging was enabled.
+   The terminal device was not being properly set to raw mode.
+   Bug #927.
+
+ * Corrected handling of sudo_logsrvd connections without associated
+   I/O log data.  This fixes support for RejectMessage as well as
+   AcceptMessage when the expect_iobufs flag is not set.
+
+ * Added an "iolog_path" entry to the JSON-format event log produced
+   by sudo_logsrvd.  Previously, it was only possible to determine
+   the I/O log file an event belonged to using sudo-format logs.
+
+ * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.
+
+ * I/O log files produced by the sudoers plugin now clear the write
+   bits on the I/O log timing file when the log is complete.  This
+   is consistent with how sudo_logsrvd indicates that a log is
+   complete.
+
+ * The sudoreplay utility has a new "-F" (follow) command line
+   option to allow replaying a session that is still in progress,
+   similar to "tail -f".
+
+ * The @include and @includedir directives can be used in sudoers
+   instead of #include and #includedir.  In addition, include paths
+   may now have embedded white space by either using a double-quoted
+   string or escaping the space characters with a backslash.
+
+ * Fixed some Solaris 11.4 compilation errors.
+
+ * When running a command in a pty, sudo will no longer try to
+   suspend itself if the user's tty has been revoked (for instance
+   when the parent ssh daemon is killed).  This fixes a bug where
+   sudo would continuously suspend the command (which would succeed),
+   then suspend itself (which would fail due to the missing tty)
+   and then resume the command.
+
+ * If sudo's event loop fails due to the tty being revoked, remove
+   the user's tty events and restart the event loop (once).  This
+   fixes a problem when running "sudo reboot" in a pty on some
+   systems.  When the event loop exited unexpectedly, sudo would
+   kill the command running in the pty, which in the case of "reboot",
+   could lead to the system being in a half-rebooted state.
+
+ * Fixed a regression introduced in sudo 1.8.23 in the LDAP and
+   SSSD back-ends where a missing sudoHost attribute was treated
+   as an "ALL" wildcard value.  A sudoRole with no sudoHost attribute
+   is now ignored as it was prior to version 1.8.23.
+
+ * The audit plugin API has been changed slightly.  The sudo front-end
+   now audits an accept event itself after all approval plugins are
+   run and the I/O logging plugins (if any) are opened.  This makes
+   it possible for an audit plugin to only log a single overall
+   accept event if desired.
+
+ * The sudoers plugin can now be loaded as an audit plugin.  Logging
+   of successful commands is now performed in the audit plugin's
+   accept function.  As a result, commands are now only logged if
+   allowed by sudoers and all approval plugins.  Commands rejected
+   by an approval plugin are now also logged by the sudoers plugin.
+
+ * Romanian translation for sudo and sudoers from translationproject.org.
+
+ * Fixed a regression introduced in sudo 1.9.0 where sudoedit did
+   not remove its temporary files after installing them.  Bug #929.
+
+ * Fixed a regression introduced in sudo 1.9.0 where the iolog_file
+   setting in sudoers and sudo_logsrvd.conf caused an error if the
+   file name ended in six or more X's.
+
 What's new in Sudo 1.9.0
 
  * Fixed a test failure in the strsig_test regress test on FreeBSD.
@@ -17,8 +89,8 @@ What's new in Sudo 1.9.0
    or send existing sudo I/O logs to a centralized server.
 
  * It is now possible to write sudo plugins in Python 3 when sudo
-   is configured with the --enable-python> option.  See the
-   sudo_plugin_python.man.html manual for details.
+   is configured with the --enable-python option.  See the
+   sudo_plugin_python manual for details.
 
    Sudo 1.9.0 comes with several Python example plugins that get
    installed sudo's examples directory.
@@ -412,10 +484,10 @@ What's new in Sudo 1.8.25
  * Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
    back-end was not being properly parsed.  Bug #845.
 
- * When sudo runs a command in a pseudo-tty, the slave device is
-   now closed in the main process immediately after starting the
-   monitor process.  This removes the need for an AIX-specific
-   workaround that was added in sudo 1.8.24.
+ * When sudo runs a command in a pseudo-terminal, the follower
+   device is now closed in the main process immediately after
+   starting the monitor process.  This removes the need for an
+   AIX-specific workaround that was added in sudo 1.8.24.
 
  * Added support for monotonic timers on HP-UX.
 

diff --git a/aclocal.m4 b/aclocal.m4
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -12,7 +12,7 @@
 # PARTICULAR PURPOSE.
 
 m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -250,7 +250,7 @@ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]]
 sys.exit(sys.hexversion < minverhex)"
   AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])])
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2020 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

diff --git a/config.h.in b/config.h.in
@@ -107,6 +107,10 @@
    */
 #undef HAVE_DECL_ERRNO
 
+/* Define to 1 if you have the declaration of `getdelim', and to 0 if you
+   don't. */
+#undef HAVE_DECL_GETDELIM
+
 /* Define to 1 if you have the declaration of `getdomainname', and to 0 if you
    don't. */
 #undef HAVE_DECL_GETDOMAINNAME

diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sudo 1.9.0.
+# Generated by GNU Autoconf 2.69 for sudo 1.9.1.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.0'
-PACKAGE_STRING='sudo 1.9.0'
+PACKAGE_VERSION='1.9.1'
+PACKAGE_STRING='sudo 1.9.1'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -846,6 +846,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -1070,6 +1071,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1322,6 +1324,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1459,7 +1470,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1572,7 +1583,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.9.0 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1612,6 +1623,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1637,7 +1649,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.0:";;
+     short | recursive ) echo "Configuration of sudo 1.9.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1912,7 +1924,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.0
+sudo configure 1.9.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2621,7 +2633,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.0, which was
+It was created by sudo $as_me 1.9.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -15605,6 +15617,9 @@ fi
 		    *)		RTLD_PRELOAD_VAR="LDR_PRELOAD";;
 		esac
 
+		# cfmakeraw is broken on AIX (and is not documented)
+		: ${ac_cv_func_cfmakeraw='no'}
+
 		# strnlen/strndup may be broken on AIX < 6 depending
 		# on the libc version, use our own.
 		if test $OSMAJOR -lt 6; then
@@ -19457,7 +19472,8 @@ fi
 
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking python include flags" >&5
 $as_echo_n "checking python include flags... " >&6; }
-      PYTHON_INCLUDE=`$PYTHON_CONFIG --cflags`
+      # Pull out python include path, ignore other flags
+      PYTHON_INCLUDE=`$PYTHON_CONFIG --cflags | tr " " "\n" | grep "^-I" | sort -u | tr "\n" " "`
       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_INCLUDE" >&5
 $as_echo "$PYTHON_INCLUDE" >&6; }
 
@@ -19474,6 +19490,7 @@ fi
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking python linker flags" >&5
 $as_echo_n "checking python linker flags... " >&6; }
       PYTHON_LIBS=`$PYTHON_CONFIG --ldflags $PY_EMBED`
+      PYTHON_LIBS=`$PYTHON_CONFIG --ldflags $PY_EMBED | tr " " "\n" | grep "^-[lL]" | tr "\n" " "`
       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_LIBS" >&5
 $as_echo "$PYTHON_LIBS" >&6; }
 
@@ -19884,6 +19901,19 @@ if test "x$ac_cv_func_getdelim" = xyes; then :
 #define HAVE_GETDELIM 1
 _ACEOF
 
+    # Out of date gcc fixed includes may result in missing getdelim() prototype
+    ac_fn_c_check_decl "$LINENO" "getdelim" "ac_cv_have_decl_getdelim" "$ac_includes_default"
+if test "x$ac_cv_have_decl_getdelim" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_GETDELIM $ac_have_decl
+_ACEOF
+
+
 else
 
     case " $LIBOBJS " in
@@ -26500,8 +26530,12 @@ EOF
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5
 $as_echo_n "checking for sudo run dir location... " >&6; }
-rundir="$with_rundir"
-if test -z "$rundir"; then
+if test -n "$with_rundir"; then
+    rundir="$with_rundir"
+elif test "$runstatedir" != '${localstatedir}/run'; then
+    rundir="$runstatedir/sudo"
+else
+    # No --with-rundir or --runstatedir specified
     for d in /run /var/run /var/db /var/lib /var/adm /usr/adm; do
 	if test -d "$d"; then
 	    rundir="$d/sudo"
@@ -27810,6 +27844,7 @@ test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
 test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
 test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
 test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
+test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run'
 test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
 
 if test X"$INIT_SCRIPT" != X""; then
@@ -28329,7 +28364,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.0, which was
+This file was extended by sudo $as_me 1.9.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28395,7 +28430,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.9.0
+sudo config.status 1.9.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"