isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

checkpoint

Browse Source
This commit is contained in:
Todd C. Miller
2004-12-17 18:12:20 +00:00
parent bb76440b4f
commit e05905dd16
2 changed files with 71 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
CHANGES
View File

@@ -1752,39 +1752,63 @@ Sudo 1.6.8p3 released.
Sudo 1.6.8p4 released. Sudo 1.6.8p4 released.
553) New monitor functionality for systems with systrace(4). When tracing 553) Added a configure check for systems with a 2-argument version of
timespecsub (like BSD/OS).
554) Added stub struct defintions to sudo.h to quiet compiler warnings
on some systems.
555) In sudoers Defaults lines, tuples like "lecture" may now be used
without a value, restoring their old boolean-like nature.
556) Invalid values for a tuple are now handled correctly.
Sudo 1.6.8p5 released.
557) New monitor functionality for systems with systrace(4). When tracing
is enabled sudo will fork a daemon that traces the command and is enabled sudo will fork a daemon that traces the command and
intercepts and execve() calls and allows/denies the call based on intercepts and execve() calls and allows/denies the call based on
a sudoers lookup. Also updates the command's environment with a sudoers lookup. Also updates the command's environment with
the SUDO_* variables if supported by the version of systrace(4). the SUDO_* variables if supported by the version of systrace(4).
554) Added support for multiple sudoers file via #include. 558) Added support for multiple sudoers file via #include.
555) An empty sudoers file is no longer a parse error. 559) An empty sudoers file is no longer a parse error.
556) Fixed error handling if the lexer runs out of memory. 560) Fixed error handling if the lexer runs out of memory.
557) Optimized lexer slightly by removing use of unput() and removing 561) Optimized lexer slightly by removing use of unput() and removing
some ambiguity with the Default keyword. some ambiguity with the Default keyword.
558) Wildcard matches on commands now use glob() and stat() so 562) Wildcard matches on commands now use glob() and stat() so
that relative paths work correctly in conjunction with wildcards. that relative paths work correctly in conjunction with wildcards.
559) Rewritten parser that converts sudoers into a set of data structures. 563) Rewritten parser that converts sudoers into a set of data structures.
This eliminates ordering issues and makes it possible to apply This eliminates ordering issues and makes it possible to apply
sudoers Defaults entries before searching for the command. sudoers Defaults entries before searching for the command.
560) Visudo will now warn about aliases that are defined but not used. 564) Visudo will now warn about aliases that are defined but not used.
561) "sudo -l" now takes an optional username which lets root see other 565) The new -U option can now be used with "sudo -l" to let root
users' privs. (or a user with "sudo ALL) see another user's privs.
562) The "secure_path" run-time Defaults option has been restored. 566) The "secure_path" run-time Defaults option has been restored.
563) Password and group data is now cached for fast lookup. 567) Password and group data is now cached for fast lookup.
564) Sudo will use the supplemental group vector if it is present 568) Sudo will use the supplemental group vector if it is present
instead of doing string comparisons of the group members. This instead of doing string comparisons of the group members. This
is useful for systems with nsswitch.conf where group data can be in is useful for systems with nsswitch.conf where group data can be in
either /etc/group or some other database (NIS, NIS+, LDAP, etc) either /etc/group or some other database (NIS, NIS+, LDAP, etc)
and getgrnam() only returns data from one source. and getgrnam() only returns data from one source.
569) Visudo can now handle VISUAL or EDITOR environment variables
that contain command line arguments.
570) Added support for per-command defaults enties.
571) "sudo -l" now takes an optional 'command' argument to check whether
a specific command is allowed.
572) The file descriptor at which sudo starts closing all open files
is now configurable via sudoers and, optionally, the command line.

78
TODO
View File

@@ -36,104 +36,94 @@ TODO list (most will be addressed in sudo 2.0)
13) Add test for how to read ether interfaces in configure script 13) Add test for how to read ether interfaces in configure script
14) Add configure option to enable old behavior of visudo (O_EXCL)? 14) Use strtol() and strtoul(), not atoi()
--without-sudoers-lock?
15) Use strtol() and strtoul(), not atoi() 15) Make syslog stuff work on vanilla ultrix
16) Look into %e, %p, %k in parse.lex 16) Implement date_format and log_format options.
17) Make syslog stuff work on vanilla ultrix 17) Add support for: Default:user@host
18) Implement date_format and log_format options. 18) Make visudo rcs-aware
19) Add support for: Default:user@host 19) Some people want to be able to specify a special password in sudoers
20) Make visudo rcs-aware
21) Some people want to be able to specify a special password in sudoers
in addition or instead of the normal one. The best argument for in addition or instead of the normal one. The best argument for
this so far is to be able to use separate passwords for the this so far is to be able to use separate passwords for the
target users that are not the passwd file ones. target users that are not the passwd file ones.
22) Add support for trusted users. E.g. allow user to run a certain 20) Add support for trusted users. E.g. allow user to run a certain
command regardless of what dir it is in if it is owned by the command regardless of what dir it is in if it is owned by the
trusted user. trusted user.
23) Add a flag similar to '-l' but that spits out sudo commands in 21) Add a flag similar to '-l' but that spits out sudo commands in
a format suitable for cut & paste into sudoers. a format suitable for cut & paste into sudoers.
24) Someone wants a recursive version of the dir specifier. Ie: 22) Someone wants a recursive version of the dir specifier. Ie:
SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run. SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
25) An option to set the shell to the target user would make sense. 23) An option to set the shell to the target user would make sense.
See other target user-related issues above. See other target user-related issues above.
26) Add an option (-D) to dump the defaults after the sudoers file 24) Add an option (-D) to dump the defaults after the sudoers file
has been parsed. Should only be available to root and should has been parsed. Should only be available to root and should
allow a -u user modifier. Maybe dump all of sudoers? allow a -u user modifier. Maybe dump all of sudoers?
27) For sudo 1.7 wipe out the environment by default. 25) For sudo 1.7 wipe out the environment by default.
28) Allow /etc/sudoers to be a symlink but require the parent dir to 26) Allow /etc/sudoers to be a symlink but require the parent dir to
be root-owned and not writable by anything else. Should really be root-owned and not writable by anything else. Should really
traverse the tree to the root doing this. traverse the tree to the root doing this.
29) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) 27) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
30) Wildcard support for user and group names? (netgroup too?) 28) Wildcard support for user and group names? (netgroup too?)
31) If root_sudo is off, still allow sudo -u to non-root users? 29) If root_sudo is off, still allow sudo -u to non-root users?
32) Add configure option to id user based on euid not ruid? 30) Use proper links in .pod files
33) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace 31) Parse gids like %#0
34) Use proper links in .pod files 32) For AIX, call getuserattr() to get resource limits and set them
35) Parse gids like %#0
36) For AIX, call getuserattr() to get resource limits and set them
as appropriate, see: as appropriate, see:
http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89 http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89
37) Add an insult_path variable that is intialized to "builtin" but that 33) Add an insult_path variable that is intialized to "builtin" but that
can point to other files containing an insult count as the first can point to other files containing an insult count as the first
line and that have a constant record length (sparse files) for line and that have a constant record length (sparse files) for
easy seeking. easy seeking.
38) Some way of using a new pty for the program run via sudo would prevent 34) Some way of using a new pty for the program run via sudo would prevent
access to the caller's /dev/tty (but probably makes job control tricky). access to the caller's /dev/tty (but probably makes job control tricky).
39) Maybe have a database of checksums that commands are verified against. 35) Maybe have a database of checksums that commands are verified against.
Basically replace the st_ino/st_dev check with a checksum lookup. Basically replace the st_ino/st_dev check with a checksum lookup.
40) Look into testing writability of a file via sudoedit *before* doing 36) Look into testing writability of a file via sudoedit *before* doing
the edit; e.g., try opening with O_APPEND. the edit; e.g., try opening with O_APPEND.
41) Add Makefile.in bits to autogenerate Solaris and Irix packages 37) Add Makefile.in bits to autogenerate Solaris and Irix packages
42) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY 38) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY
(use PRSABORT flag to indicate failure). (use PRSABORT flag to indicate failure).
43) Add a session mode where sudo allocates a pty and logs everything 39) Add a session mode where sudo allocates a pty and logs everything
that occurs ala script(1). that occurs ala script(1).
44) Use pam_open_session() and pam_close_session() (requires a persistent 40) Use pam_open_session() and pam_close_session() (requires a persistent
sudo process to call pam_close_session()). Maybe add xauth support for sudo process to call pam_close_session()). Maybe add xauth support for
the non-pam case? the non-pam case?
45) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace? 41) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace?
46) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit 42) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit
47) Move prototypes to extern.h 43) Move prototypes to extern.h
48) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK 44) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK
49) visudo -c should also sanity check aliases 45) visudo -c should also sanity check aliases
50) Make testsudoers stat files? Needed to deal with glob() in parser. 46) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too?
51) Allow arguments to the -l flag so users can check to see if they can 47) nicer defaults output for "sudo -l" and implement for LDAP too
run specific commands.