isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for Ubuntu admin flag file and enable it when building

Browse Source 
Ubuntu packages.
This commit is contained in:
Todd C. Miller
2010-07-28 16:34:11 -04:00
parent 76ce69057e
commit 6d0395ee68
6 changed files with 100 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
INSTALL
View File

@@ -612,6 +612,10 @@ The following options are also configurable at runtime:
--enable-warnings --enable-warnings
Enable compiler warnings when building sudo with gcc. Enable compiler warnings when building sudo with gcc.
--enable-admin-flag
Enable the creation of an Ubuntu-style admin flag file
the first time sudo is run.
Shadow password and C2 support Shadow password and C2 support
============================== ==============================

4
config.h.in
View File

@@ -719,6 +719,10 @@
/* Define to 1 if the `unsetenv' function returns void instead of `int'. */ /* Define to 1 if the `unsetenv' function returns void instead of `int'. */
#undef UNSETENV_VOID #undef UNSETENV_VOID
/* Define to 1 if you want to create ~/.sudo_as_admin_successful if the user
is in the admin group the first time they run sudo. */
#undef USE_ADMIN_FLAG
/* Define to 1 if you want to insult the user for entering an incorrect /* Define to 1 if you want to insult the user for entering an incorrect
password. */ password. */
#undef USE_INSULTS #undef USE_INSULTS

46
configure vendored
View File

@@ -993,6 +993,7 @@ enable_path_info
enable_env_debug enable_env_debug
enable_zlib enable_zlib
enable_warnings enable_warnings
enable_admin_flag
with_selinux with_selinux
enable_gss_krb5_ccache_name enable_gss_krb5_ccache_name
enable_shared enable_shared
@@ -1647,6 +1648,7 @@ Optional Features:
--enable-env-debug Whether to enable environment debugging. --enable-env-debug Whether to enable environment debugging.
--enable-zlib[=PATH] Whether to enable or disable zlib --enable-zlib[=PATH] Whether to enable or disable zlib
--enable-warnings Whether to enable compiler warnings --enable-warnings Whether to enable compiler warnings
--enable-admin-flag Whether to create a Ubuntu-style admin flag file
--enable-gss-krb5-ccache-name --enable-gss-krb5-ccache-name
Use GSS-API to set the Kerberos V cred cache name Use GSS-API to set the Kerberos V cred cache name
--enable-shared[=PKGS] build shared libraries [default=yes] --enable-shared[=PKGS] build shared libraries [default=yes]
@@ -5398,6 +5400,21 @@ $as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-warnings: $enab
fi fi
# Check whether --enable-admin-flag was given.
if test "${enable_admin_flag+set}" = set; then :
enableval=$enable_admin_flag; case "$enableval" in
yes) $as_echo "#define USE_ADMIN_FLAG 1" >>confdefs.h
;;
no) ;;
*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-admin-flag: $enableval" >&5
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-admin-flag: $enableval" >&2;}
;;
esac
fi
# Check whether --with-selinux was given. # Check whether --with-selinux was given.
if test "${with_selinux+set}" = set; then : if test "${with_selinux+set}" = set; then :
@@ -6553,13 +6570,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
else else
lt_cv_nm_interface="BSD nm" lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext echo "int some_variable = 0;" > conftest.$ac_ext
(eval echo "\"\$as_me:6556: $ac_compile\"" >&5) (eval echo "\"\$as_me:6573: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err) (eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:6559: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval echo "\"\$as_me:6576: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5 cat conftest.err >&5
(eval echo "\"\$as_me:6562: output\"" >&5) (eval echo "\"\$as_me:6579: output\"" >&5)
cat conftest.out >&5 cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin" lt_cv_nm_interface="MS dumpbin"
@@ -7764,7 +7781,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 7767 "configure"' > conftest.$ac_ext echo '#line 7784 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
@@ -9156,11 +9173,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9159: $lt_compile\"" >&5) (eval echo "\"\$as_me:9176: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:9163: \$? = $ac_status" >&5 echo "$as_me:9180: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@@ -9495,11 +9512,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9498: $lt_compile\"" >&5) (eval echo "\"\$as_me:9515: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:9502: \$? = $ac_status" >&5 echo "$as_me:9519: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@@ -9600,11 +9617,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9603: $lt_compile\"" >&5) (eval echo "\"\$as_me:9620: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:9607: \$? = $ac_status" >&5 echo "$as_me:9624: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@@ -9655,11 +9672,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:9658: $lt_compile\"" >&5) (eval echo "\"\$as_me:9675: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:9662: \$? = $ac_status" >&5 echo "$as_me:9679: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@@ -12022,7 +12039,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 12025 "configure" #line 12042 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@@ -12118,7 +12135,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF cat > conftest.$ac_ext <<_LT_EOF
#line 12121 "configure" #line 12138 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@@ -20306,5 +20323,6 @@ fi

12
configure.in
View File

@@ -1277,6 +1277,17 @@ AC_ARG_ENABLE(warnings,
esac esac
]) ])
AC_ARG_ENABLE(admin-flag,
[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
[ case "$enableval" in
yes) AC_DEFINE(USE_ADMIN_FLAG)
;;
no) ;;
*) AC_MSG_WARN([Ignoring unknown argument to --enable-admin-flag: $enableval])
;;
esac
])
AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])], AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])],
[case $with_selinux in [case $with_selinux in
yes) SELINUX_USAGE="[[-r role]] [[-t type]] " yes) SELINUX_USAGE="[[-r role]] [[-t type]] "
@@ -2859,6 +2870,7 @@ AH_TEMPLATE(SEND_MAIL_WHEN_NO_USER, [Define to 1 to send mail when the user is n
AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.]) AH_TEMPLATE(SHELL_IF_NO_ARGS, [Define to 1 if you want sudo to start a shell if given no arguments.])
AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.]) AH_TEMPLATE(SHELL_SETS_HOME, [Define to 1 if you want sudo to set $HOME in shell mode.])
AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.]) AH_TEMPLATE(STUB_LOAD_INTERFACES, [Define to 1 if the code in interfaces.c does not compile for you.])
AH_TEMPLATE(USE_ADMIN_FLAG, [Define to 1 if you want to create ~/.sudo_as_admin_successful if the user is in the admin group the first time they run sudo.])
AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.]) AH_TEMPLATE(USE_INSULTS, [Define to 1 if you want to insult the user for entering an incorrect password.])
AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.]) AH_TEMPLATE(USE_STOW, [Define to 1 if you use GNU stow packaging.])
AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.]) AH_TEMPLATE(WITHOUT_PASSWD, [Define to avoid using the passwd/shadow file for authentication.])

8
mkpkg
View File

@@ -150,8 +150,14 @@ case "$platform" in
make_opts='docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)' make_opts='docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
;; ;;
deb*) deb*|ubu*)
prefix=/usr prefix=/usr
# If Ubuntu, add --enable-admin-flag
case "$platform" in
ubu*)
configure_opts="${configure_opts}${configure_opts+$tab}--enable-admin-flag${tab}--without-lecture"
;;
esac
# Note, must indent with tabs, not spaces due to IFS trickery # Note, must indent with tabs, not spaces due to IFS trickery
if test "$flavor" = "ldap"; then if test "$flavor" = "ldap"; then
configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap

41
plugins/sudoers/sudoers.c
View File

@@ -118,6 +118,7 @@ static int sudoers_policy_version(int verbose);
static struct passwd *get_authpw(void); static struct passwd *get_authpw(void);
static int deserialize_info(char * const settings[], char * const user_info[]); static int deserialize_info(char * const settings[], char * const user_info[]);
static char *find_editor(int nfiles, char **files, char ***argv_out); static char *find_editor(int nfiles, char **files, char ***argv_out);
static void create_admin_success_flag(void);
/* XXX */ /* XXX */
extern int runas_ngroups; extern int runas_ngroups;
@@ -495,6 +496,9 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
goto done; goto done;
} }
/* Create Ubuntu-style dot file to indicate sudo was successful. */
create_admin_success_flag();
/* Finally tell the user if the command did not exist. */ /* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) { if (cmnd_status == NOT_FOUND_DOT) {
audit_failure(NewArgv, "command in current directory"); audit_failure(NewArgv, "command in current directory");
@@ -1422,6 +1426,43 @@ find_editor(int nfiles, char **files, char ***argv_out)
return editor_path; return editor_path;
} }
#ifdef USE_ADMIN_FLAG
static void
create_admin_success_flag(void)
{
struct stat statbuf;
char flagfile[PATH_MAX];
int fd, n;
/* Check whether the user is in the admin group. */
if (!user_in_group(sudo_user.pw, "admin"))
return;
/* Build path to flag file. */
n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
user_dir);
if (n <= 0 || n >= sizeof(flagfile))
return;
/* Create admin flag file if it doesn't already exist. */
set_perms(PERM_USER);
if (stat(flagfile, &statbuf) == 0) {
set_perms(PERM_ROOT);
return;
}
fd = open(flagfile, O_CREAT|O_WRONLY|O_EXCL, 0644);
close(fd);
set_perms(PERM_ROOT);
}
#else /* !USE_ADMIN_FLAG */
static void
create_admin_success_flag(void)
{
/* STUB */
}
#endif /* USE_ADMIN_FLAG */
struct policy_plugin sudoers_policy = { struct policy_plugin sudoers_policy = {
SUDO_POLICY_PLUGIN, SUDO_POLICY_PLUGIN,
SUDO_API_VERSION, SUDO_API_VERSION,