Use AIX-style shared libraries on AIX by default instead of SVR4-style.

This removes the need to use the -brtl linker flag which can cause
problems when there are both a .so and .a version of the same library
but with different versions.  This was particularly problematic
when using the AIX freeware version of OpenSSL.  The --with-aix-soname=svr4
option can be used to build SVR4-style shared libs instead.
Todd C. Miller
2022-12-26 07:43:55 -07:00
parent 5165fb9b22
commit 206700c3f0
12 changed files with 109 additions and 116 deletions

67
configure vendored

@@ -721,6 +721,7 @@ OBJEXT
EXEEXT EXEEXT
ac_ct_CC ac_ct_CC
CC CC
sudoers_plugin
plugindir plugindir
pam_login_service pam_login_service
pam_session pam_session
@@ -3590,6 +3591,7 @@ ac_config_headers="$ac_config_headers config.h pathnames.h"
# #
@@ -3640,6 +3642,7 @@ secure_path="not set"
pam_session=on pam_session=on
pam_login_service=sudo pam_login_service=sudo
plugindir="$libexecdir/sudo" plugindir="$libexecdir/sudo"
sudoers_plugin="sudoers.so"
DIGEST=digest.lo DIGEST=digest.lo
devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev" devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev"
# #
@@ -8802,45 +8805,6 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
fi fi
case "$host_os" in
aix4.[23]|aix4.[23].*|aix[5-9]*)
if test ${LDFLAGS+y}
then :
case " $LDFLAGS " in #(
*" -Wl,-brtl "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-brtl"; } >&5
(: LDFLAGS already contains -Wl,-brtl) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -Wl,-brtl"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
LDFLAGS=-Wl,-brtl
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
;;
esac
case "$host_os" in case "$host_os" in
hpux11.1[1-9]|hpux11.[2-9][0-9]|hpux1[2-9].*) hpux11.1[1-9]|hpux11.[2-9][0-9]|hpux1[2-9].*)
# Prefer dlopen() over shl_load() # Prefer dlopen() over shl_load()
@@ -17176,6 +17140,21 @@ CC=$lt_save_CC
case "$host_os" in
aix*)
if test X"$aix_use_runtimelinking" != X"yes"; then
# Using traditional AIX dynamic shared objects in an archive file.
noexec_file="$libexecdir/sudo/sudo_noexec.a(sudo_noexec.so)"
intercept_file="$libexecdir/sudo/sudo_intercept.a(sudo_intercept.so)"
sudoers_plugin="sudoers.a(sudoers.so)"
fi
;;
esac
cat >>confdefs.h <<EOF
#define _PATH_SUDOERS_PLUGIN "$sudoers_plugin"
EOF
# Check whether --with-libtool was given. # Check whether --with-libtool was given.
if test ${with_libtool+y} if test ${with_libtool+y}
@@ -34505,28 +34484,28 @@ fi
_intercept_file= _intercept_file=
while test X"$intercept_file" != X"$_intercept_file"; do while test X"$intercept_file" != X"$_intercept_file"; do
_intercept_file="$intercept_file" _intercept_file="$intercept_file"
eval intercept_file="$_intercept_file" eval "intercept_file=\"$_intercept_file\""
done done
# Update exec_prefix in noexec_file # Update exec_prefix in noexec_file
_noexec_file= _noexec_file=
while test X"$noexec_file" != X"$_noexec_file"; do while test X"$noexec_file" != X"$_noexec_file"; do
_noexec_file="$noexec_file" _noexec_file="$noexec_file"
eval noexec_file="$_noexec_file" eval "noexec_file=\"$_noexec_file\""
done done
# Update exec_prefix in sesh_file # Update exec_prefix in sesh_file
_sesh_file= _sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do while test X"$sesh_file" != X"$_sesh_file"; do
_sesh_file="$sesh_file" _sesh_file="$sesh_file"
eval sesh_file="$_sesh_file" eval "sesh_file=\"$_sesh_file\""
done done
# Update exec_prefix in plugindir # Update exec_prefix in plugindir
_plugindir= _plugindir=
while test X"$plugindir" != X"$_plugindir"; do while test X"$plugindir" != X"$_plugindir"; do
_plugindir="$plugindir" _plugindir="$plugindir"
eval plugindir="$_plugindir" eval "plugindir=\"$_plugindir\""
done done
exec_prefix="$oexec_prefix" exec_prefix="$oexec_prefix"
@@ -36931,6 +36910,7 @@ echo " mail if command not allowed : ${mail_no_perms}" >&6
echo " Pathnames:" >&6 echo " Pathnames:" >&6
echo " log directory : ${log_dir}" >&6 echo " log directory : ${log_dir}" >&6
echo " plugin directory : ${plugindir}" >&6 echo " plugin directory : ${plugindir}" >&6
echo " sudoers plugin : ${sudoers_plugin}" >&6
echo " run directory : ${rundir}" >&6 echo " run directory : ${rundir}" >&6
echo " var directory : ${vardir}" >&6 echo " var directory : ${vardir}" >&6
echo " I/O log directory : ${iolog_dir}" >&6 echo " I/O log directory : ${iolog_dir}" >&6
@@ -36945,6 +36925,7 @@ if test ${with_netsvc-"no"} != "no"; then
elif test ${with_nsswitch-"yes"} != "no"; then elif test ${with_nsswitch-"yes"} != "no"; then
echo " nsswitch file : ${nsswitch_conf}" >&6 echo " nsswitch file : ${nsswitch_conf}" >&6
fi fi
echo " intercept file : ${intercept_file}" >&6
echo " noexec file : ${noexec_file}" >&6 echo " noexec file : ${noexec_file}" >&6
echo " secure path : ${with_secure_path-no}" >&6 echo " secure path : ${with_secure_path-no}" >&6
echo " askpass helper file : ${with_askpass-no}" >&6 echo " askpass helper file : ${with_askpass-no}" >&6


@@ -178,6 +178,7 @@ AC_SUBST([editor])
AC_SUBST([pam_session]) AC_SUBST([pam_session])
AC_SUBST([pam_login_service]) AC_SUBST([pam_login_service])
AC_SUBST([plugindir]) AC_SUBST([plugindir])
AC_SUBST([sudoers_plugin])
# #
# Begin initial values for man page substitution # Begin initial values for man page substitution
# #
@@ -226,6 +227,7 @@ secure_path="not set"
pam_session=on pam_session=on
pam_login_service=sudo pam_login_service=sudo
plugindir="$libexecdir/sudo" plugindir="$libexecdir/sudo"
sudoers_plugin="sudoers.so"
DIGEST=digest.lo DIGEST=digest.lo
devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev" devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev"
# #
@@ -1650,18 +1652,6 @@ dnl Relies on CC host being set
dnl dnl
SUDO_PVS_STUDIO_CFG SUDO_PVS_STUDIO_CFG
dnl
dnl On AIX we need to force libtool to install .so files for the plugins
dnl instead of a .a file that contains the .so. We do this by enabling
dnl runtime linking (where the .so file is installed). This must happen
dnl before the call to LT_INIT
dnl
case "$host_os" in
aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
AX_APPEND_FLAG([-Wl,-brtl], [LDFLAGS])
;;
esac
dnl dnl
dnl On HP-UX 11.11 and higher we prefer dlopen() over shl_load(). dnl On HP-UX 11.11 and higher we prefer dlopen() over shl_load().
dnl Libtool defaults to shl_load() so we need to prime the cache dnl Libtool defaults to shl_load() so we need to prime the cache
@@ -1681,6 +1671,25 @@ dnl
LT_PREREQ([2.2.6b]) LT_PREREQ([2.2.6b])
LT_INIT([dlopen]) LT_INIT([dlopen])
dnl
dnl AIX supports two distinct flavors of shared libraries.
dnl Traditional AIX shared libs are .a files with a .so inside.
dnl AIX SVR4-style shared libs are plain .so files. The --with-aix-soname
dnl option can be used to select the type. We need to set the default
dnl values to match. This must come after the LT_INIT() call.
dnl
case "$host_os" in
aix*)
if test X"$aix_use_runtimelinking" != X"yes"; then
# Using traditional AIX dynamic shared objects in an archive file.
noexec_file="$libexecdir/sudo/sudo_noexec.a(sudo_noexec.so)"
intercept_file="$libexecdir/sudo/sudo_intercept.a(sudo_intercept.so)"
sudoers_plugin="sudoers.a(sudoers.so)"
fi
;;
esac
SUDO_DEFINE_UNQUOTED([_PATH_SUDOERS_PLUGIN], ["$sudoers_plugin"])
dnl dnl
dnl Allow the user to specify an alternate libtool. dnl Allow the user to specify an alternate libtool.
dnl XXX - should be able to skip LT_INIT if we are using a different libtool dnl XXX - should be able to skip LT_INIT if we are using a different libtool
@@ -4156,28 +4165,28 @@ fi
_intercept_file= _intercept_file=
while test X"$intercept_file" != X"$_intercept_file"; do while test X"$intercept_file" != X"$_intercept_file"; do
_intercept_file="$intercept_file" _intercept_file="$intercept_file"
eval intercept_file="$_intercept_file" eval "intercept_file=\"$_intercept_file\""
done done
# Update exec_prefix in noexec_file # Update exec_prefix in noexec_file
_noexec_file= _noexec_file=
while test X"$noexec_file" != X"$_noexec_file"; do while test X"$noexec_file" != X"$_noexec_file"; do
_noexec_file="$noexec_file" _noexec_file="$noexec_file"
eval noexec_file="$_noexec_file" eval "noexec_file=\"$_noexec_file\""
done done
# Update exec_prefix in sesh_file # Update exec_prefix in sesh_file
_sesh_file= _sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do while test X"$sesh_file" != X"$_sesh_file"; do
_sesh_file="$sesh_file" _sesh_file="$sesh_file"
eval sesh_file="$_sesh_file" eval "sesh_file=\"$_sesh_file\""
done done
# Update exec_prefix in plugindir # Update exec_prefix in plugindir
_plugindir= _plugindir=
while test X"$plugindir" != X"$_plugindir"; do while test X"$plugindir" != X"$_plugindir"; do
_plugindir="$plugindir" _plugindir="$plugindir"
eval plugindir="$_plugindir" eval "plugindir=\"$_plugindir\""
done done
exec_prefix="$oexec_prefix" exec_prefix="$oexec_prefix"
@@ -4410,6 +4419,7 @@ echo " mail if command not allowed : ${mail_no_perms}" >&AS_MESSAGE_FD
echo " Pathnames:" >&AS_MESSAGE_FD echo " Pathnames:" >&AS_MESSAGE_FD
echo " log directory : ${log_dir}" >&AS_MESSAGE_FD echo " log directory : ${log_dir}" >&AS_MESSAGE_FD
echo " plugin directory : ${plugindir}" >&AS_MESSAGE_FD echo " plugin directory : ${plugindir}" >&AS_MESSAGE_FD
echo " sudoers plugin : ${sudoers_plugin}" >&AS_MESSAGE_FD
echo " run directory : ${rundir}" >&AS_MESSAGE_FD echo " run directory : ${rundir}" >&AS_MESSAGE_FD
echo " var directory : ${vardir}" >&AS_MESSAGE_FD echo " var directory : ${vardir}" >&AS_MESSAGE_FD
echo " I/O log directory : ${iolog_dir}" >&AS_MESSAGE_FD echo " I/O log directory : ${iolog_dir}" >&AS_MESSAGE_FD
@@ -4424,6 +4434,7 @@ if test ${with_netsvc-"no"} != "no"; then
elif test ${with_nsswitch-"yes"} != "no"; then elif test ${with_nsswitch-"yes"} != "no"; then
echo " nsswitch file : ${nsswitch_conf}" >&AS_MESSAGE_FD echo " nsswitch file : ${nsswitch_conf}" >&AS_MESSAGE_FD
fi fi
echo " intercept file : ${intercept_file}" >&AS_MESSAGE_FD
echo " noexec file : ${noexec_file}" >&AS_MESSAGE_FD echo " noexec file : ${noexec_file}" >&AS_MESSAGE_FD
echo " secure path : ${with_secure_path-no}" >&AS_MESSAGE_FD echo " secure path : ${with_secure_path-no}" >&AS_MESSAGE_FD
echo " askpass helper file : ${with_askpass-no}" >&AS_MESSAGE_FD echo " askpass helper file : ${with_askpass-no}" >&AS_MESSAGE_FD
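Review bot: The only substitution this section registers is `AC_SUBST([sudoers_plugin])`, yet the manual pages and the example sudo.conf changed in the same commit use `@sudoers_module@` on the Plugin lines and `@sudoers_plugin@` only on the Debug lines. Unless `sudoers_module` is substituted somewhere outside this commit, the generated documentation and sample config will carry the literal `@sudoers_module@` token, and an administrator copying a Plugin line from them would name a file that does not exist. Either use `@sudoers_plugin@` throughout the templates or add `AC_SUBST([sudoers_module])` with its value set next to `sudoers_plugin`. The new comment could also say that `aix_use_runtimelinking` is set by libtool during `LT_INIT`, since the test keys off that variable rather than `--with-aix-soname` directly.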


@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "May 31, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO.CONF" "@mansectform@" "December 22, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -127,7 +127,7 @@ In other words:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
.RE .RE
.fi .fi
.PP .PP
@@ -135,7 +135,7 @@ is equivalent to:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy @plugindir@/sudoers.so Plugin sudoers_policy @plugindir@/@sudoers_module@
.RE .RE
.fi .fi
.PP .PP
@@ -149,7 +149,7 @@ For example:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
.RE .RE
.fi .fi
.PP .PP
@@ -164,7 +164,7 @@ For example, to override the compile-time default sudoers file mode:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0440 Plugin sudoers_policy @sudoers_module@ sudoers_mode=0440
.RE .RE
.fi .fi
.PP .PP
@@ -191,9 +191,9 @@ This is equivalent to the following:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
Plugin sudoers_io sudoers.so Plugin sudoers_io @sudoers_module@
Plugin sudoers_audit sudoers.so Plugin sudoers_audit @sudoers_module@
.RE .RE
.fi .fi
.PP .PP
@@ -626,7 +626,7 @@ entries are also supported starting with
\fBsudo\fR \fBsudo\fR
1.8.12 and are matched by either the base name of the plugin that was loaded 1.8.12 and are matched by either the base name of the plugin that was loaded
(for example (for example
\fIsudoers.so\fR) \fI@sudoers_module@\fR)
or by the plugin's fully-qualified path name. or by the plugin's fully-qualified path name.
Previously, the Previously, the
\fBsudoers\fR \fBsudoers\fR
@@ -745,9 +745,9 @@ front-end configuration
# The plugin_options are optional. # The plugin_options are optional.
# #
# The sudoers plugin is used by default if no Plugin lines are present. # The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so #Plugin sudoers_policy @sudoers_module@
#Plugin sudoers_io sudoers.so #Plugin sudoers_io @sudoers_module@
#Plugin sudoers_audit sudoers.so #Plugin sudoers_audit @sudoers_module@
# #
# Sudo askpass: # Sudo askpass:
@@ -870,7 +870,7 @@ front-end configuration
# Multiple subsystem@priority may be specified, separated by a comma. # Multiple subsystem@priority may be specified, separated by a comma.
# #
#Debug sudo @log_dir@/sudo_debug all@debug #Debug sudo @log_dir@/sudo_debug all@debug
#Debug sudoers.so @log_dir@/sudoers_debug all@debug #Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.RE .RE
.fi .fi
.SH "SEE ALSO" .SH "SEE ALSO"


@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.Dd May 31, 2022 .Dd December 22, 2022
.Dt SUDO.CONF @mansectform@ .Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -122,12 +122,12 @@ setting, which defaults to
.Pa @plugindir@ . .Pa @plugindir@ .
In other words: In other words:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
.Ed .Ed
.Pp .Pp
is equivalent to: is equivalent to:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy @plugindir@/sudoers.so Plugin sudoers_policy @plugindir@/@sudoers_module@
.Ed .Ed
.Pp .Pp
If the plugin was compiled statically into the If the plugin was compiled statically into the
@@ -138,7 +138,7 @@ should be specified without a leading directory,
as it does not actually exist in the file system. as it does not actually exist in the file system.
For example: For example:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
.Ed .Ed
.Pp .Pp
Starting with Starting with
@@ -150,7 +150,7 @@ are passed as arguments to the plugin's
function. function.
For example, to override the compile-time default sudoers file mode: For example, to override the compile-time default sudoers file mode:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0440 Plugin sudoers_policy @sudoers_module@ sudoers_mode=0440
.Ed .Ed
.Pp .Pp
See the See the
@@ -174,9 +174,9 @@ plugin will be used as the default security policy, for I/O logging
(if enabled by the policy), and for auditing. (if enabled by the policy), and for auditing.
This is equivalent to the following: This is equivalent to the following:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
Plugin sudoers_io sudoers.so Plugin sudoers_io @sudoers_module@
Plugin sudoers_audit sudoers.so Plugin sudoers_audit @sudoers_module@
.Ed .Ed
.Pp .Pp
Starting with Starting with
@@ -570,7 +570,7 @@ entries are also supported starting with
.Nm sudo .Nm sudo
1.8.12 and are matched by either the base name of the plugin that was loaded 1.8.12 and are matched by either the base name of the plugin that was loaded
(for example (for example
.Pa sudoers.so ) .Pa @sudoers_module@ )
or by the plugin's fully-qualified path name. or by the plugin's fully-qualified path name.
Previously, the Previously, the
.Nm sudoers .Nm sudoers
@@ -674,9 +674,9 @@ front-end configuration
# The plugin_options are optional. # The plugin_options are optional.
# #
# The sudoers plugin is used by default if no Plugin lines are present. # The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so #Plugin sudoers_policy @sudoers_module@
#Plugin sudoers_io sudoers.so #Plugin sudoers_io @sudoers_module@
#Plugin sudoers_audit sudoers.so #Plugin sudoers_audit @sudoers_module@
# #
# Sudo askpass: # Sudo askpass:
@@ -799,7 +799,7 @@ front-end configuration
# Multiple subsystem@priority may be specified, separated by a comma. # Multiple subsystem@priority may be specified, separated by a comma.
# #
#Debug sudo @log_dir@/sudo_debug all@debug #Debug sudo @log_dir@/sudo_debug all@debug
#Debug sudoers.so @log_dir@/sudoers_debug all@debug #Debug @sudoers_plugin@ @log_dir@/sudoers_debug all@debug
.Ed .Ed
.Sh SEE ALSO .Sh SEE ALSO
.Xr sudo_plugin @mansectform@ , .Xr sudo_plugin @mansectform@ ,


@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "December 9, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "December 22, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -72,9 +72,9 @@ plugin, the following configuration can be used.
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_audit sudoers.so Plugin sudoers_audit @sudoers_module@
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
Plugin sudoers_io sudoers.so Plugin sudoers_io @sudoers_module@
.RE .RE
.fi .fi
.PP .PP
@@ -87,7 +87,7 @@ sudo.conf(@mansectform@)
file. file.
Plugin arguments, if any, should be listed after the path to the plugin Plugin arguments, if any, should be listed after the path to the plugin
(i.e., after (i.e., after
\fIsudoers.so\fR). \fI@sudoers_module@\fR).
The arguments are only effective for the plugin that opens (and parses) the The arguments are only effective for the plugin that opens (and parses) the
\fIsudoers\fR \fIsudoers\fR
file. file.
@@ -105,7 +105,7 @@ For example:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false Plugin sudoers_audit @sudoers_module@ sudoers_mode=0400 error_recovery=false
.RE .RE
.fi .fi
.PP .PP
@@ -7813,7 +7813,7 @@ For example:
.nf .nf
.sp .sp
.RS 0n .RS 0n
Debug sudoers.so @log_dir@/sudoers_debug match@info,nss@info Debug @sudoers_plugin@ @log_dir@/sudoers_debug match@info,nss@info
.RE .RE
.fi .fi
.PP .PP


@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd December 9, 2022 .Dd December 22, 2022
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -70,9 +70,9 @@ to use the
.Nm .Nm
plugin, the following configuration can be used. plugin, the following configuration can be used.
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_audit sudoers.so Plugin sudoers_audit @sudoers_module@
Plugin sudoers_policy sudoers.so Plugin sudoers_policy @sudoers_module@
Plugin sudoers_io sudoers.so Plugin sudoers_io @sudoers_module@
.Ed .Ed
.Pp .Pp
Starting with Starting with
@@ -84,7 +84,7 @@ plugin in the
file. file.
Plugin arguments, if any, should be listed after the path to the plugin Plugin arguments, if any, should be listed after the path to the plugin
(i.e., after (i.e., after
.Pa sudoers.so ) . .Pa @sudoers_module@ ) .
The arguments are only effective for the plugin that opens (and parses) the The arguments are only effective for the plugin that opens (and parses) the
.Em sudoers .Em sudoers
file. file.
@@ -100,7 +100,7 @@ plugin.
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false Plugin sudoers_audit @sudoers_module@ sudoers_mode=0400 error_recovery=false
.Ed .Ed
.Pp .Pp
The following plugin arguments are supported: The following plugin arguments are supported:
@@ -7228,7 +7228,7 @@ utility functions
.Pp .Pp
For example: For example:
.Bd -literal .Bd -literal
Debug sudoers.so @log_dir@/sudoers_debug match@info,nss@info Debug @sudoers_plugin@ @log_dir@/sudoers_debug match@info,nss@info
.Ed .Ed
.Pp .Pp
For more information, see the For more information, see the


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "VISUDO" "@mansectsu@" "October 4, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "VISUDO" "@mansectsu@" "December 22, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -323,13 +323,13 @@ plugin to override the default
path name, user-ID, group-ID, and file mode. path name, user-ID, group-ID, and file mode.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e., after (i.e., after
\fIsudoers.so\fR). \fI@sudoers_module@\fR).
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:
.nf .nf
.sp .sp
.RS 4n .RS 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0400 Plugin sudoers_policy @sudoers_module@ sudoers_mode=0400
.RE .RE
.fi .fi
.PP .PP


@@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd October 4, 2022 .Dd December 22, 2022
.Dt VISUDO @mansectsu@ .Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -314,11 +314,11 @@ plugin to override the default
path name, user-ID, group-ID, and file mode. path name, user-ID, group-ID, and file mode.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e., after (i.e., after
.Pa sudoers.so ) . .Pa @sudoers_module@ ) .
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:
.Bd -literal -offset 4n .Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0400 Plugin sudoers_policy @sudoers_module@ sudoers_mode=0400
.Ed .Ed
.Pp .Pp
The following arguments are supported: The following arguments are supported:


@@ -11,9 +11,9 @@
# The plugin_options are optional. # The plugin_options are optional.
# #
# The sudoers plugin is used by default if no Plugin lines are present. # The sudoers plugin is used by default if no Plugin lines are present.
#Plugin sudoers_policy sudoers.so #Plugin sudoers_policy @sudoers_module@
#Plugin sudoers_io sudoers.so #Plugin sudoers_io @sudoers_module@
#Plugin sudoers_audit sudoers.so #Plugin sudoers_audit @sudoers_module@
# #
# Sudo askpass: # Sudo askpass:
@@ -51,7 +51,7 @@
# The compiled-in value is usually sufficient and should only be changed # The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_intercept.so file. # if you rename or move the sudo_intercept.so file.
# #
#Path intercept @plugindir@/sudo_intercept.so #Path intercept @intercept_file@
# #
# Sudo noexec: # Sudo noexec:
@@ -65,7 +65,7 @@
# The compiled-in value is usually sufficient and should only be changed # The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file. # if you rename or move the sudo_noexec.so file.
# #
#Path noexec @plugindir@/sudo_noexec.so #Path noexec @noexec_file@
# #
# Sudo plugin directory: # Sudo plugin directory:


@@ -182,6 +182,10 @@
# undef _PATH_SUDO_DEVSEARCH # undef _PATH_SUDO_DEVSEARCH
#endif /* _PATH_SUDO_DEVSEARCH */ #endif /* _PATH_SUDO_DEVSEARCH */
#ifndef _PATH_SUDOERS_PLUGIN
# undef _PATH_SUDOERS_PLUGIN
#endif /* _PATH_SUDOERS_PLUGIN */
#ifndef _PATH_ASAN_LIB #ifndef _PATH_ASAN_LIB
# undef _PATH_ASAN_LIB # undef _PATH_ASAN_LIB
#endif /* _PATH_ASAN_LIB */ #endif /* _PATH_ASAN_LIB */


@@ -34,9 +34,6 @@
#include "sudo_plugin_int.h" #include "sudo_plugin_int.h"
#include "sudo_dso.h" #include "sudo_dso.h"
/* We always use the same name for the sudoers plugin, regardless of the OS */
#define SUDOERS_PLUGIN "sudoers.so"
#ifdef ENABLE_SUDO_PLUGIN_API #ifdef ENABLE_SUDO_PLUGIN_API
static int static int
sudo_stat_plugin(struct plugin_info *info, char *fullpath, sudo_stat_plugin(struct plugin_info *info, char *fullpath,
@@ -55,7 +52,7 @@ sudo_stat_plugin(struct plugin_info *info, char *fullpath,
} else { } else {
#ifdef STATIC_SUDOERS_PLUGIN #ifdef STATIC_SUDOERS_PLUGIN
/* Check static symbols. */ /* Check static symbols. */
if (strcmp(info->path, SUDOERS_PLUGIN) == 0) { if (strcmp(info->path, _PATH_SUDOERS_PLUGIN) == 0) {
if (strlcpy(fullpath, info->path, pathsize) >= pathsize) { if (strlcpy(fullpath, info->path, pathsize) >= pathsize) {
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
goto done; goto done;
@@ -466,7 +463,7 @@ sudo_load_sudoers_plugin(const char *symbol_name, bool optional)
goto done; goto done;
} }
info->symbol_name = strdup(symbol_name); info->symbol_name = strdup(symbol_name);
info->path = strdup(SUDOERS_PLUGIN); info->path = strdup(_PATH_SUDOERS_PLUGIN);
if (info->symbol_name == NULL || info->path == NULL) { if (info->symbol_name == NULL || info->path == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
free_plugin_info(info); free_plugin_info(info);
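Review bot: With `SUDOERS_PLUGIN` gone, the built-in plugin name is no longer the same on every platform, and nothing at the two call sites says so now that the old comment was deleted. On an AIX archive-style build `_PATH_SUDOERS_PLUGIN` expands to `sudoers.a(sudoers.so)`, so an existing sudo.conf that still says `Plugin sudoers_policy sudoers.so` would presumably stop matching the static-symbol check in `sudo_stat_plugin`. That looks like it fails closed, but it is an upgrade hazard worth calling out in the release notes. I would put a comment above the `strcmp`, e.g. `/* _PATH_SUDOERS_PLUGIN is a bare file name chosen by configure: "sudoers.so", or "sudoers.a(sudoers.so)" for AIX archive-style builds. */`. Both functions start and end outside the hunks shown.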


@@ -64,7 +64,7 @@ static struct sudo_preload_symbol sudo_sudoers_plugin_symbols[] = {
*/ */
static struct sudo_preload_table sudo_preload_table[] = { static struct sudo_preload_table sudo_preload_table[] = {
{ (char *)0, SUDO_DSO_DEFAULT, sudo_rtld_default_symbols }, { (char *)0, SUDO_DSO_DEFAULT, sudo_rtld_default_symbols },
{ "sudoers.so", &sudo_sudoers_plugin_symbols, sudo_sudoers_plugin_symbols }, { _PATH_SUDOERS_PLUGIN, &sudo_sudoers_plugin_symbols, sudo_sudoers_plugin_symbols },
{ (char *)0, (void *)0, (struct sudo_preload_symbol *)0 } { (char *)0, (void *)0, (struct sudo_preload_symbol *)0 }
}; };
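Review bot: The table key now comes from `_PATH_SUDOERS_PLUGIN`, and this one-line hunk is the file's only change, so no include was added alongside it. If this file does not already pull in the generated pathnames header (directly or through another header), a build with the sudoers plugin compiled in statically will not compile; worth confirming with such a build. A short comment on the entry, e.g. `/* name must match the default plugin path set in sudo_load_sudoers_plugin() */`, would record why the same macro is used in both files.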