This makes it possible to run an arbitrary script between "make
install" and the polypkg run. This will be used to copy different
word size versions of sudo_intercept.so and sudo_noexec.so.
The noexec and intercept DSO settings may now include both a 32-bit
DSO and a 64-bit DSO specified by a colon. For example:
/usr/libexec/sudo/sudo_intercept.so:/usr/libexec/sudo/sudo_intercept_64.so.
This is more portable and eliminates the need to check for SYMLOOP_MAX
(and provide it if missing) in configure. Also quiet some -Wconversion
warnings.
macOS does not support direct access to the environ pointer from a
shared object. We need to redirect through _NSGetEnviron() instead.
Fixes GitHub issue #276.
Configuration paths in sudo are now a colon-separated list of files
with the adminconfdir instance first (if enabled), followed by a
sysconfdir instance.
This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF,
and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first
file that exists is used.
Implementations of _FORTIFY_SOURCE require the header file to be
included. Also remove the useless test of an empty program with
_FORTIFY_SOURCE defined. Pointed out by Florian Weimer.
The ldap_init() function is marked as deprecated and not defined
by default on some systems. This can cause an error for compilers
that do not support implicit function declarations.
From Florian Weimer.
Starting with macOS 13, the linker warns when "-undefined dynamic_lookup"
is used. This is added by libtool by default on macOS but we can
suppress it by passing -no-undefined to libtool.
Wheh netgroup_base is set we now do out own netgroup lookups using
LDAP. Previously, LDAP was queried directly to get a list of the
netgroups the user belongs to but other netgroups queries went
through innetgr(3). This makes it possible to use netgroups
in LDAP sudoers on systems that don't have an innetgr() function.
GitHub issue #251.
This will find missing symbols at build-time instead of run-time.
Don't use it on FreeBSD where environ is filled in by the dynamic loader.
We also need to pull in -llber with -lldap where possible (instead
of relying on DT_NEEDED) to avoid undefined symbol errors when
building with LDAP support.