This allows intercept mode to work with shells that close all open
fds upon startup. The ctor in sudo_intercept.so requests the port
number and secret over the socket inherited from the parent then
closes it. For each policy request, a TCP connection is made to
the sudo parent process to perform the policy check. Child processes
re-use the TCP socket to request the port number and secret just like
the initial process started by sudo does.
Address sanitizer requires that it be preloaded before any other
DSO in LD_PRELOAD. This should not be required for clang, which
links in asan statically by default.
Fixes building on Solaris and probably others. It is possible to
expose msg_control on Solaris but this requires a specific set of
feature flag defines which can cause other complications.
OpenSSL returns an error for SSL_accept() if TLS_client_method()
was used to generate the context (LibreSSL doesn't care).
Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method()
were used in the TLS client and server initialization code respectively.
This was refactored in sudo 1.9.7 to allow the code to be shared.
Bug #988
There is a crash when "group: compat" is used in /etc/nsswitch.conf
that I haven't been able to debug. Since HP-UX doesn't ship the
appropriate headers it is likely that there is a mismatch between
include/compat/nss_dbdefs.h and what HP actually uses.
On Darwin, shared modules and shared libraries are not interchangable
and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it
must be a library, not a module. We must relax the requirement
that libraries begin with a "lib" prefix to work around this
difference. This does mean you must use sudo's libtool on Darwin
(macOS) but that is already a requirement on other systems (notably
HP-UX and SCO) due to a number of libtool patches we require that
haven't be accepted upstream. This is a different fix for PR #102.
Adds "relay_dir" and "store_first" settings to sudo_logsrvd.conf
in the [relay] section. Also adds a --with-relaydir configure
argument to change the default value (usually /var/log/logsrvd-relay.
This adds a dependency on OpenSSL unless it is explicitly disabled
(--disable-openssl) or the sudo log client and server are disabled
(--disable-log-client and --disable-log-server).
For fuzz_policy we redefine getaddrinfo/freeaddrinfo to work around
a DNS timeout problem with name resolution and CIfuzz. However,
this causes a link failure when sanitizers are enabled on systems
that use ld.lld as their linker. Use a big hammer to avoid the
link error.
