isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,034 Commits 1 Branch 0 Tags
38a5b0a655a8f35a1963a1f825fe28ee96b9740c
Commit Graph

625 Commits

Author SHA1 Message Date
Todd C. Miller
f4d2978f30 Add -Wsign-compare to --enable-warnings 2013-10-23 15:02:22 -06:00
Todd C. Miller
58f71c00ec Bump version to 1.8.9 2013-10-14 11:00:12 -06:00
Todd C. Miller
79acd5db49 Simple event subsystem that uses poll() or select(). Basically a 
simplied subset of libevent2.  Currently only fd events are supported
(since that's all we need).  The poll() backend is used by default,
except on Mac OS X where poll() is broken for devices (including
/dev/tty and ptys).
 2013-10-12 05:53:43 -06:00
Todd C. Miller
40b24c5da0 Add configure checks for the exec functions we will dummy out. This 
is only really needed on Mac OS X when symbol interposition is being
performed but won't hurt elsewhere.
 2013-08-21 10:09:04 -06:00
Todd C. Miller
b0f5c498f8 Fix installation of sudo_noexec on Mac OS X. 
Use library symbol interposition on Mac OS X 10.4 and higher so
we don't need to set DYLD_FORCE_FLAT_NAMESPACE=1.
 2013-08-20 15:14:17 -06:00
Todd C. Miller
3c2a9b9948 Don't redefine opterr, optind, optopt, optarg in getopt_long.c. 
Add a check for optreset which is a BSD extension and provide a
definition in getopt_long.c if it is not present.
 2013-08-16 13:50:48 -06:00
Todd C. Miller
8b1d645534 Simplify usage messages a bit and make --help output more closely 
resemble GNU usage wrt long options.  Sync usage and man page
SYNOPSYS sections and improve long options in the manual pages.
Now that we have long options we don't need to give the mnemonic
for the single-character options in the description.
 2013-08-14 10:30:51 -06:00
Todd C. Miller
5dc56ea81d Add atoid() function to convert a string to an id_t (uid, gid or 
pid).  We have to be careful to choose() either strtol() or strtoul()
depending on whether the string appears to be signed or unsigned.
Always using strtoul() is unsafe on 64-bit platforms since the
uid might be represented as a negative number and (unsigned long)-1
on a 64-bit system is 0xffffffffffffffff not 0xffffffff.
Fixes a problem with uids larger than 0x7fffffff on 32-bit platforms.
 2013-08-07 11:23:19 -06:00
Todd C. Miller
52954481e1 Add pam_service and pam_login_service sudoers settings to control 
the service name passed to pam_start.
 2013-08-06 11:01:36 -06:00
Todd C. Miller
1f3ea50afd Implement memset_s() and use it instead of zero_bytes(). 
A new constant, SUDO_CONV_REPL_MAX, is defined by the plugin
API as the max conversation reply length.  This constant can be
used as a max value for memset_s() when clearing passwords
filled in by the conversation function.
 2013-08-03 08:30:06 -06:00
Todd C. Miller
9309c9eab7 Use getopt_long() so we can make the -h flag take an optional argument. 
Includes a version for those without it.
 2013-07-17 17:00:55 -06:00
Todd C. Miller
1e4497331c Bump version to 1.8.8 2013-07-16 16:29:42 -06:00
Todd C. Miller
c057692da7 On Solaris 11 and higher, tag binaries for ASLR if supported by the 
linker.
 2013-05-30 09:29:36 -04:00
Todd C. Miller
67d8af4be5 Restrict default creation of PIE binaries (-fPIE and -pie) to Linux. 
OpenBSD also supports PIE but enables it by default so we don't
need to do anything.  This fixes problems on systems with a version
of GNU ld that accepts -pie but where the run-time linker doesn't
actually support PIE.  Also verify that a trivial PIE binary works
unless PIE is explicitly enabled.
 2013-05-28 14:40:45 -04:00
Todd C. Miller
521e17b13b Attempt to detect PIE failure on Solaris 10 with GNU as and GNU ld 
where we can end up crashing due to malloc() failures.  Sems OK
when Using Sun as and ld.
 2013-05-24 16:47:16 -04:00
Todd C. Miller
62c7945c00 Add -fPIE to PIE_LDFLAGS as per gcc manual. 2013-05-23 22:47:28 -04:00
Todd C. Miller
ca4f8d9495 PIE is broken on FreeBSD/arm 2013-05-03 14:33:26 -04:00
Todd C. Miller
95b50f84af Use time(&now) instead of now = time(NULL) when storing the current 
time in a time_t (better compiler error checking).
Better parsing and printing of 64-bit time_t on 32-bit platforms.
 2013-04-23 13:15:22 -04:00
Todd C. Miller
d1580ff592 Error out in configure if the compiler doesn't support "long long". 2013-04-16 14:36:42 -04:00
Todd C. Miller
89759fa36c For big endian architectures just use memcpy() instead of BE macros 
in a loop.
 2013-04-15 11:05:52 -04:00
Todd C. Miller
35375a2b7e Initial implementation of checksum support in sudoers. 
Currently supports SHA-224, SHA-256, SHA-384, SHA-512.
TODO: checksum format validation in parser and base64 support.
      checksum support for ldap sudoers
 2013-04-14 07:00:21 -04:00
Todd C. Miller
e003c793b3 Use AC_LINK_IFELSE instead of AC_TRY_LINK 
Fix printing of status message for visibility checks when the test fails.
 2013-04-02 16:56:59 -04:00
Todd C. Miller
4bd1b5e35c We no longer use mbr_check_membership() and setrlimit64() is 
AIX-specific.
 2013-04-02 16:52:59 -04:00
Todd C. Miller
7364f0ce98 Do exec_prefix expansion when enable_shared even if noexec is 
not enabled.
 2013-04-02 12:25:54 -04:00
Todd C. Miller
3a83dbafbe Fix getgrouplist() check. 2013-04-01 14:58:31 -04:00
Todd C. Miller
b4ca9535b4 Fix a typo in a comment and make sure we don't mistakenly include 
_PATH_SUDO_ASKPASS and _PATH_SUDO_SESH in config.h.in
 2013-03-21 16:35:18 -04:00
Todd C. Miller
575466027b Use $host_os not $host when we only care about the os name and version. 2013-03-19 15:59:23 -04:00
Todd C. Miller
017c7a15d3 Suppress duplicate -L and -I flags. 2013-03-19 14:10:26 -04:00
Todd C. Miller
3c139fa3c9 If we find sasl/sasl.h there's no need to check for sasl.h too 2013-03-19 13:04:24 -04:00
Todd C. Miller
46da6159de Add -R flags at the very end after configure link tests are done 
since we can only count on libtool to accept -R, the compiler front
end may not.
Also unify the libldap and libibmldap tests using AC_SEARCH_LIBS
and check for -lCsup on HP-UX which is needed by libibmldap (but
is not an explicit dependency).
 2013-03-19 11:52:54 -04:00
Todd C. Miller
0b99679274 Back out changes that broke detection of skey, opie and ldap 
libraries.
 2013-03-18 16:34:01 -04:00
Todd C. Miller
1a51a993de On HP-UX, libibmldap has a hidden dependency on libCsup 2013-03-18 15:19:12 -04:00
Todd C. Miller
eef31be22a Only create static helper libs when --disable-shared is specified. 2013-03-18 10:15:48 -04:00
Todd C. Miller
c8f630c060 Replace --with-rpath and --with-blibpath with --disable-rpath. 
Now that we use libtool for linking we can just use the -R
flag and have libtool translate it to the proper linker flag.
 2013-03-18 09:27:07 -04:00
Todd C. Miller
1614c3cad1 Document sesh Path setting. 2013-03-14 20:13:54 -04:00
Todd C. Miller
7f32d1ca4c Make sesh path configurable in sudo.conf 2013-03-14 16:49:42 -04:00
Todd C. Miller
4493554290 Use -fno-pie and -nopie if supported when --disable-pie is specified. 2013-03-14 16:06:13 -04:00
Todd C. Miller
d07d453ab5 Define _REENTRANT for HP-UX when we add -lpthread to SUDO_LIBS. 
Fixes a problem with errno sometimes not being set on error on HP-UX.
 2013-03-07 11:54:17 -05:00
Todd C. Miller
9722784e1c Always install plugins with a .so extension regardless of what 
extension the system uses for shared libraries.  That way the
group_plugin sudoers setting can be shared between heterogenous
systems.
 2013-03-06 17:08:10 -05:00
Todd C. Miller
e30b0bd121 Use pstat() on HP-UX to determine the tty device. 2013-02-28 09:01:08 -05:00
Todd C. Miller
59692ad282 Add pam_session sudoers option. 2013-02-24 06:15:37 -05:00
Todd C. Miller
e07280eeeb Rename sample_group plugin to group_file. 
Install group_file and system_group plugins by default.
 2013-02-18 15:32:36 -05:00
Todd C. Miller
6b09c76a20 Sudo now stores its libexec files in a "sudo" subdirectory instead 
of in libexec itself.  For backwards compatibility, if the plugin
is not found in the default plugin directory, sudo will check the
parent directory default directory ends in "/sudo".
 2013-02-06 14:06:51 -05:00
Todd C. Miller
0bd79612b1 Use PLUGINDIR in the manuals and fix a typo in the sample sudo.conf. 2013-02-05 10:56:58 -05:00
Todd C. Miller
6bc3d4aed5 Use nss_search() to implement getgrouplist() where available. Tested 
on Solaris and HP-UX.  We need to include a compatibility header
for HP-UX which uses the Solaris nsswitch implementation but doesn't
ship nss_dbdefs.h.
 2013-01-22 15:41:15 -05:00
Todd C. Miller
a06a14838f Use _getgroupsbymember() on Solaris to get the groups list. Fixes 
performance problems with the getgroupslist() compat on Solaris
systems with network-based group databases.
 2013-01-18 14:58:12 -05:00
Todd C. Miller
adbc8a574f Use -fstack-protector-all in preference to -fstack-protector 
where supported.
 2013-01-11 09:39:59 -05:00
Todd C. Miller
34d018fb91 Only test for -fstack-protector and -fvisibility=hidden on GNU 
compatible compilers.
 2013-01-10 21:27:40 -05:00
Todd C. Miller
6e560f2bab Break out stack smashing protector options into SSP_CFLAGS and 
SSP_LDFLAGS so we can use it everywhere (unlike LT_LDFLAGS).
 2013-01-03 14:20:49 -05:00
Todd C. Miller
948253a156 Disable PIE on FreeBSD/ia64, otherwise sudo will segfault. 2012-12-27 16:25:51 -05:00