doesn't include any info from the user's environment. Basically
paranoia.
o Add support for the NO_ROOT_MAILER compile-time option and run the
mailer as the user and not root if NO_ROOT_MAILER is defined.
we don't inadvertantly leak an fd to the child. Apparently Linux's
shadow routines leave the fd open even if you don't call setspent().
Reported by mike@gistnet.com; different patch used.
authentication methods (like PAM) may do their own logging via
syslog. Since we don't use syslog much (usually just once per
session) this doesn't really incur a performance penalty.
It also Fixes a SEGV with pam_kafs.
o Implement mailer_flags
o Store syslog stuff both in int and string form. Setting the string
form magically updates the int version.
o Add boolean attribute to strings where it makes sense to say !foo
changable at runtime (and on a global, per-host and per-user basis).
Both the names and the internal representation are still subject to change.
It was necessary to make sudo_user.runas but a char ** instead of a
char * since this value can be changed by a Defaults line. There is a
similar (but more complicated) issue with sudo_user.prompt but it
is handled differently at the moment.
Add a "-L" flag to list the name of options with their descriptions. This
may only be temporary.
Move some prototypes to parse.h
Be much less restrictive on what is allowed for a username.
gain us anything to run as the user since an attacker can just have
an setuid(0) in their egg. Running as root solves potential problems
wrt signalling.
get it if we are still running, else let init reap it for us. The extra
time it takes to wait lets the user know that mail is being sent.
Install SIGCHLD handler in main() and for POSIX signals, block everything
*except* SIGCHLD.
possible to express things like "failed to validate because user not listed
for this host". Some thigns that were previously VALIDATE_FOO are now
FLAG_FOO. This may change later on.
Reorganized code in log_auth() and sudo.c to deal with above changes.
Safer versions of push/pushcp with in the do { ... } while (0) style
parse.yacc now saves info on the stack to allow parse.c to determine
if a user was listed, but not for the host he/she tried to run on.
Added --with-mail-if-no-host option
o Visudo now locks the sudoers temp file instead of bailing when
the temp file already exists. This fixes the problem of stale
temp files but it does *require* that you not try to put the
temp file in a world-writable directory. This shoud not be
an issue as the temp file should live in the same dir as sudoers.
o Visudo now only installs the temp file as sudoers if it changed.
Tgetpass now takes an echo flag for use with PAM_PROMPT_ECHO_ON
Block SIGINT and SIGTSTP during auth
remove a useless umask setting
Change error from BAD_ALLOCATION -> BAD_AUTH_INIT (for use with sia/PAM)
Some cosmetic changes to auth.c for consistency
It turns out the old DES crypt does the right thing with passwords
longert than 8 characters.
o Fix common typo (necesary -> necessary)
o Update TODO list
but the NOPASSWD flag was set.
Make runasspec, runaslist, runasuser, and nopasswd typeless in parse.yacc
Add support for '!' in the runas list
Fix double printing of '%' and '+' for groups and netgroups respectively
Add *_matched macros (no need for local stack variable). Should only be
used directly after a pop (since top must be >= 2).
