Remove monitor support until there is a versino of systrace that

uses a lookaside buffer (or we have a better mechanism to use).

INSTALL

@@ -252,14 +252,6 @@ Special features/options:
 	is to compile noexec support if libtool supports building
 	shared objects on your OS.
 
-  --with-systrace[=DIR]
-	Enable support for the systrace(4) tracing facility.  This
-	allows sudo to control execution of further commands by
-	the program being run through sudo.  On systems with
-	systrace(4) support this is a better option than the
-	"noexec" facility.  If DIR is specified it indicates the
-	directory in which to find the systrace.h include file.
-
   --disable-root-mailer
 	By default sudo will run the mailer as root when tattling
 	on a user so as to prevent that user from killing the mailer.

Makefile.in

@@ -101,7 +101,7 @@ PROGS = @PROGS@
 SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c \
        error.c fileops.c find_path.c fnmatch.c getcwd.c getprogname.c \
        getspwuid.c gettime.c goodpath.c gram.c gram.y interfaces.c ldap.c \
-       logging.c match.c mkstemp.c memrchr.c mon_systrace.c parse.c pwutil.c  \
+       logging.c match.c mkstemp.c memrchr.c parse.c pwutil.c  \
        set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c strlcat.c \
        strlcpy.c sudo.c sudo_noexec.c sudo_edit.c testsudoers.c tgetpass.c \
        toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c redblack.c \
@@ -263,8 +263,6 @@ mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c
 mon_solaris.o: $(srcdir)/mon_solaris.c $(SUDODEP) $(srcdir)/mon_solaris.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_solaris.c
-mon_systrace.o: $(srcdir)/mon_systrace.c $(SUDODEP) $(srcdir)/mon_systrace.h
-	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_systrace.c
 parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c
 pwutil.o: $(srcdir)/pwutil.c $(SUDODEP)

WHATSNEW

@@ -5,14 +5,6 @@ What's new in Sudo 1.7?
    apply sudoers Defaults entries before searching for the command.
    It also adds support for per-command Defaults specifications.
 
- * New monitor functionality for systems with the systrace kernel facility
-   (OpenBSD and NetBSD in the default system, FreeBSD and Linux with kernel
-   patched).  When monitoring is enabled, sudo will fork a daemon that
-   monitors the command being run and intercepts the execve() system call,
-   allowing or denying execution of the new command based on a sudoers lookup.
-   The SUDO_* environment variables are also updated if this is supported by
-   the version of systrace(4) on the system.
-
  * Sudoers now supports a #include facility to allow the inclusion of other
    sudoers-format files.
 

config.h.in

@@ -75,9 +75,6 @@
 /* Define to 1 if your `DIR' contains dd_fd. */
 #undef HAVE_DD_FD
 
-/* Define to 1 if you have the <dev/systrace.h> header file. */
-#undef HAVE_DEV_SYSTRACE_H
-
 /* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
    */
 #undef HAVE_DIRENT_H
@@ -221,9 +218,6 @@
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
 
-/* Define to 1 if you have the <linux/systrace.h> header file. */
-#undef HAVE_LINUX_SYSTRACE_H
-
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
 
@@ -374,9 +368,6 @@
 /* Define to 1 if you have the `sysconf' function. */
 #undef HAVE_SYSCONF
 
-/* Define to 1 to build support for tracing subprocesses using systrace(4) */
-#undef HAVE_SYSTRACE
-
 /* Define to 1 if you have the <sys/bsdtypes.h> header file. */
 #undef HAVE_SYS_BSDTYPES_H
 
@@ -397,9 +388,6 @@
 /* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H
 
-/* Define to 1 if you have the <sys/systrace.h> header file. */
-#undef HAVE_SYS_SYSTRACE_H
-
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 

configure.in

@@ -392,13 +392,6 @@ AC_ARG_WITH(bsdauth, [  --with-bsdauth          enable BSD authentication suppor
 		;;
 esac])
 
-AC_ARG_WITH(systrace, [  --with-systrace[[=DIR]]   enable systrace(4) support],
-[case $with_systrace in
-    no)		with_systrace=""
-		;;
-    *)		;;
-esac])
-
 AC_ARG_WITH(project, [  --with-project          enable Solaris project support],
 [case $with_project in
     yes|no)	;;
@@ -1781,19 +1774,6 @@ AC_CHECK_FUNCS(getprogname, , [
     AC_MSG_RESULT($sudo_cv___progname)
 ])
 dnl
-dnl systrace(4) support
-dnl
-if test -n "$with_systrace"; then
-    AC_DEFINE(HAVE_SYSTRACE)
-    if test "$with_systrace" = "yes"; then
-	AC_CHECK_HEADERS(dev/systrace.h sys/systrace.h linux/systrace.h, [break], [], [#include <sys/param.h>])
-    else
-	CPPFLAGS="$CPPFLAGS -I${with_systrace}"
-    fi
-    SUDO_OBJS="${SUDO_OBJS} mon_systrace.o"
-    AC_CHECK_FUNCS(setproctitle)
-fi
-dnl
 dnl Kerberos IV
 dnl
 if test -n "$with_kerb4"; then
@@ -2393,7 +2373,6 @@ AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member])
-AH_TEMPLATE(HAVE_SYSTRACE, [Define to 1 to build support for tracing subprocesses using systrace(4)])
 AH_TEMPLATE(HAVE_TERMIOS_H, [Define to 1 if you have the <termios.h> header file and the `tcgetattr' function.])
 AH_TEMPLATE(HAVE_TIMESPEC, [Define to 1 if you have struct timespec in sys/time.h])
 AH_TEMPLATE(HAVE_TIMESPECSUB2, [Define to 1 if you have a timespecsub macro or function that takes two arguments (not three)])

def_data.c

@@ -247,10 +247,6 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"ignore_local_sudoers", T_FLAG,
 	"If LDAP directory is up, do we ignore local sudoers file",
 	NULL,
-    }, {
-	"monitor", T_FLAG,
-	"Monitor children of cmnd and apply sudoers restrictions to them",
-	NULL,
     }, {
 	"closefrom", T_INT,
 	"File descriptors >= %d will be closed before executing a command",

def_data.h

@@ -110,20 +110,18 @@
 #define I_NOEXEC_FILE           54
 #define def_ignore_local_sudoers (sudo_defs_table[55].sd_un.flag)
 #define I_IGNORE_LOCAL_SUDOERS  55
-#define def_monitor             (sudo_defs_table[56].sd_un.flag)
-#define I_MONITOR               56
-#define def_closefrom           (sudo_defs_table[57].sd_un.ival)
-#define I_CLOSEFROM             57
-#define def_closefrom_override  (sudo_defs_table[58].sd_un.flag)
-#define I_CLOSEFROM_OVERRIDE    58
-#define def_env_check           (sudo_defs_table[59].sd_un.list)
-#define I_ENV_CHECK             59
-#define def_env_delete          (sudo_defs_table[60].sd_un.list)
-#define I_ENV_DELETE            60
-#define def_env_keep            (sudo_defs_table[61].sd_un.list)
-#define I_ENV_KEEP              61
-#define def_setenv              (sudo_defs_table[62].sd_un.flag)
-#define I_SETENV                62
+#define def_closefrom           (sudo_defs_table[56].sd_un.ival)
+#define I_CLOSEFROM             56
+#define def_closefrom_override  (sudo_defs_table[57].sd_un.flag)
+#define I_CLOSEFROM_OVERRIDE    57
+#define def_env_check           (sudo_defs_table[58].sd_un.list)
+#define I_ENV_CHECK             58
+#define def_env_delete          (sudo_defs_table[59].sd_un.list)
+#define I_ENV_DELETE            59
+#define def_env_keep            (sudo_defs_table[60].sd_un.list)
+#define I_ENV_KEEP              60
+#define def_setenv              (sudo_defs_table[61].sd_un.flag)
+#define I_SETENV                61
 
 enum def_tupple {
 	never,

def_data.in

@@ -182,9 +182,6 @@ noexec_file
 ignore_local_sudoers
 	T_FLAG
 	"If LDAP directory is up, do we ignore local sudoers file"
-monitor
-	T_FLAG
-	"Monitor children of cmnd and apply sudoers restrictions to them"
 closefrom
 	T_INT
 	"File descriptors >= %d will be closed before executing a command"

gram.h

@@ -15,17 +15,15 @@
 #define PASSWD 271
 #define NOEXEC 272
 #define EXEC 273
-#define MONITOR 274
-#define NOMONITOR 275
-#define SETENV 276
-#define NOSETENV 277
-#define ALL 278
-#define COMMENT 279
-#define HOSTALIAS 280
-#define CMNDALIAS 281
-#define USERALIAS 282
-#define RUNASALIAS 283
-#define ERROR 284
+#define SETENV 274
+#define NOSETENV 275
+#define ALL 276
+#define COMMENT 277
+#define HOSTALIAS 278
+#define CMNDALIAS 279
+#define USERALIAS 280
+#define RUNASALIAS 281
+#define ERROR 282
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {

gram.y

@@ -127,8 +127,6 @@ yyerror(s)
 %token <tok> 	 PASSWD			/* passwd req for command (default) */
 %token <tok> 	 NOEXEC			/* preload dummy execve() for cmnd */
 %token <tok> 	 EXEC			/* don't preload dummy execve() */
-%token <tok> 	 MONITOR		/* monitor children of cmnd */
-%token <tok> 	 NOMONITOR		/* disable monitoring of children */
 %token <tok>	 SETENV			/* user may set environment for cmnd */
 %token <tok>	 NOSETENV		/* user may not set environment */
 %token <tok>	 ALL			/* ALL keyword */
@@ -246,8 +244,7 @@ privilege	:	hostlist '=' cmndspeclist {
 			    struct cmndspec *cs;
 			    p->hostlist = $1;
 			    p->cmndlist = $3;
-			    tags.nopasswd = tags.noexec = tags.monitor =
-				tags.setenv = UNSPEC;
+			    tags.nopasswd = tags.noexec = tags.setenv = UNSPEC;
 			    /* propagate tags */
 			    for (cs = $3; cs != NULL; cs = cs->next) {
 				if (cs->tags.nopasswd == UNSPEC)
@@ -256,8 +253,6 @@ privilege	:	hostlist '=' cmndspeclist {
 				    cs->tags.noexec = tags.noexec;
 				if (cs->tags.setenv == UNSPEC)
 				    cs->tags.setenv = tags.setenv;
-				if (cs->tags.monitor == UNSPEC)
-				    cs->tags.monitor = tags.monitor;
 				memcpy(&tags, &cs->tags, sizeof(tags));
 			    }
 			    p->last = NULL;
@@ -364,8 +359,7 @@ runasuser	:	ALIAS {
 		;
 
 cmndtag		:	/* empty */ {
-			    $$.nopasswd = $$.noexec = $$.monitor =
-				$$.setenv = UNSPEC;
+			    $$.nopasswd = $$.noexec = $$.setenv = UNSPEC;
 			}
 		|	cmndtag NOPASSWD {
 			    $$.nopasswd = TRUE;
@@ -385,12 +379,6 @@ cmndtag		:	/* empty */ {
 		|	cmndtag NOSETENV {
 			    $$.setenv = FALSE;
 			}
-		|	cmndtag MONITOR {
-			    $$.monitor = TRUE;
-			}
-		|	cmndtag NOMONITOR {
-			    $$.monitor = FALSE;
-			}
 		;
 
 cmnd		:	ALL {

parse.c

@@ -193,8 +193,6 @@ sudoers_lookup(pwflag)
 		def_noexec = tags->noexec;
 	    if (tags->setenv != UNSPEC)
 		def_setenv = tags->setenv;
-	    if (tags->monitor != UNSPEC)
-		def_monitor = tags->monitor;
 	}
     }
     set_perms(PERM_ROOT);
@@ -243,7 +241,6 @@ display_privs(v, pw)
 		continue;
 
 	    for (priv = us->privileges; priv != NULL; priv = priv->next) {
-		tags.monitor = def_monitor;
 		tags.noexec = def_noexec;
 		tags.setenv = def_setenv;
 		tags.nopasswd = !def_authenticate;
@@ -261,10 +258,6 @@ display_privs(v, pw)
 			print_priv(def_runas_default);
 		    }
 		    print_priv(") ");
-		    if (TAG_CHANGED(monitor)) {
-			print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
-			tags.monitor = cs->tags.monitor;
-		    }
 		    if (TAG_CHANGED(setenv)) {
 			print_priv(cs->tags.setenv ? "SETENV: " : "NOSETENV: ");
 			tags.setenv = cs->tags.setenv;

parse.h

@@ -44,7 +44,6 @@ struct cmndtag {
     char nopasswd;
     char noexec;
     char setenv;
-    char monitor;
     char extra;
 };
 

pathnames.h.in

@@ -111,7 +111,3 @@
 #ifndef _PATH_LDAP_SECRET
 #define	_PATH_LDAP_SECRET	"/etc/ldap.secret"
 #endif /* _PATH_LDAP_SECRET */
-
-#ifndef _PATH_DEV_SYSTRACE
-#define	_PATH_DEV_SYSTRACE	"/dev/systrace"
-#endif /* _PATH_DEV_SYSTRACE */

sudo.c

@@ -405,11 +405,6 @@ main(argc, argv, envp)
 	}
 #endif
 
-#ifdef HAVE_SYSTRACE 
-	if (def_monitor)
-	    systrace_attach(getpid());
-#endif
-
 	/* Override user's umask if configured to do so. */
 	if (def_umask != 0777)
 	    (void) umask(def_umask);

sudo.h

@@ -279,9 +279,6 @@ struct passwd *sudo_getpwuid __P((uid_t));
 struct passwd *sudo_fakepwuid __P((uid_t));
 struct group *sudo_getgrnam __P((const char *));
 struct group *sudo_getgrgid __P((gid_t));
-#ifdef HAVE_SYSTRACE
-void systrace_attach	__P((pid_t));
-#endif
 YY_DECL;
 
 /* Only provide extern declarations outside of sudo.c. */

sudoers.pod

@@ -250,7 +250,7 @@ See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
  Runas_Spec ::= '(' Runas_List ')'
 
  Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-	       'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
+	       'SETENV:' | 'NOSETENV:' )
 
 A B<user specification> determines which commands a user may run
 (and as what user) on specified hosts.  By default, commands are
@@ -285,7 +285,7 @@ but  F</bin/kill> and F</usr/bin/lprm> as B<root>.
 
 A command may have zero or more tags associated with it.  There are
 eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
-C<SETENV>, C<NOSETENV>, C<MONITOR> and C<NOMONITOR>.
+C<SETENV> and C<NOSETENV>.
 Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
 C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
 opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
@@ -342,23 +342,6 @@ to the restrictions imposed by I<env_check>, I<env_delete>, or
 I<env_keep>.  As such, only trusted users should be allowed to set
 variables in this manner.
 
-=head3 MONITOR and NOMONITOR
-
-If B<sudo> has been configured with the C<--with-systrace> option,
-the C<MONITOR> tag can be used to cause programs spawned by a command
-to be checked against I<sudoers> and logged just like they would
-be if run through B<sudo> directly.  This is useful in conjunction
-with commands that allow shell escapes such as editors, shells and
-paginators.
-
-In the following example, user B<chuck> may run any command on the
-machine research in monitor mode.
-
- chuck	research = MONITOR: ALL
-
-See the L<PREVENTING SHELL ESCAPES> section below for more details
-on how C<MONITOR> works and whether or not it will work on your system.
-
 =head2 Wildcards
 
 B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
@@ -603,16 +586,6 @@ If set, mail will be sent to the I<mailto> user if the invoking
 user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
 by default.
 
-=item monitor
-
-If set, all commands run via B<sudo> will behave as if the C<MONITOR>
-tag has been set, unless overridden by a C<NOMONITOR> tag.  See the
-description of I<MONITOR and NOMONITOR> below as well as the L<PREVENTING
-SHELL ESCAPES> section at the end of this manual.  Be aware that
-tracing is only supported on certain operating systems.  On systems
-where it is not supported this flag will have no effect.
-This flag is I<off> by default.
-
 =item noexec
 
 If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
@@ -1286,7 +1259,7 @@ which lets a user bypass B<sudo>'s access control and logging.
 Common programs that permit shell escapes include shells (obviously),
 editors, paginators, mail and terminal programs.
 
-There are three basic approaches to this problem:
+There are two basic approaches to this problem:
 
 =over 10
 
@@ -1341,31 +1314,6 @@ executing other commands (such as a shell).  If you are unsure
 whether or not your system is capable of supporting I<noexec> you
 can always just try it out and see if it works.
 
-=item monitor
-
-On operating systems that support the B<systrace> pseudo-device,
-the C<--with-systrace> configure option can be used to compile
-support for proccess monitoring in B<sudo>.  In monitor mode
-B<sudo> can transparently intercept a new command, allow or deny
-it based on I<sudoers>, and log the result.  This does require that
-B<sudo> become a daemon that persists until the command and all its
-descendents have exited.
-
-To enable monitor mode on a per-command basis, use the C<MONITOR>
-tag as documented in the User Specification section above.  Here
-is that example again:
-
- chuck	research = MONITOR: ALL
-
-This allows user B<chuck> to run any command on the machine research
-in monitor mode.  Any commands run via shell escapes will be logged
-by B<sudo>.
-
-At the time of this writing the B<systrace> pseudo-device comes
-standard with OpenBSD and NetBSD and is available as patches to
-FreeBSD, MacOS X and Linux.  See L<http://www.systrace.org/> for
-more information.
-
 =back
 
 Note that restricting shell escapes is not a panacea.  Programs

testsudoers.c

@@ -474,7 +474,7 @@ print_privilege(priv)
 	    print_member(m);
 	}
 	fputs(" = ", stdout);
-	tags.nopasswd = tags.noexec = tags.monitor = UNSPEC;
+	tags.nopasswd = tags.noexec = UNSPEC;
 	for (cs = p->cmndlist; cs != NULL; cs = cs->next) {
 	    if (cs != p->cmndlist)
 		fputs(", ", stdout);
@@ -491,8 +491,6 @@ print_privilege(priv)
 		printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : "");
 	    if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec)
 		printf("%sEXEC: ", cs->tags.noexec ? "NO" : "");
-	    if (cs->tags.monitor != UNSPEC && cs->tags.monitor != tags.monitor)
-		printf("%sMONITOR: ", cs->tags.monitor ? "" : "NO");
 	    print_member(cs->cmnd);
 	    memcpy(&tags, &cs->tags, sizeof(tags));
 	}

toke.l

@@ -286,16 +286,6 @@ NOSETENV[[:blank:]]*:	{
 			    	return(NOSETENV);
 			}
 
-NOMONITOR[[:blank:]]*:	{
-			    	LEXTRACE("NOMONITOR ");
-			    	return(NOMONITOR);
-			}
-
-MONITOR[[:blank:]]*:	{
-			    	LEXTRACE("MONITOR ");
-			    	return(MONITOR);
-			}
-
 \+{WORD}		{
 			    /* netgroup */
 			    if (!fill(yytext, yyleng))