| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
660) The -i flag should imply resetting the environment, as it did in
sudo version prior to 1.6.9. Also, the -i and -E flags are
mutually exclusive.
661) Fixed the configure test for dirfd() under Linux.
662) Fixed test for whether -lintl is required to link.
663) Changed how sudo handles the child process when sending mail.
This fixes a problem on Linux with the mail_always option.
664) Fixed a problem with line continuation characters inside of
quoted strings.
|
|
Major changes since Sudo 1.6.9p15:
o There was missing whitespace before the ldap libraries in the Makefile
for some configurations.
o LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
o If the LDAP server could not be contacted and the user was not present
in sudoers, a syntax error in sudoers was incorrectly reported.
|
|
and ${REAL_ROOT_GROUP} instead. The pkginstall framework checks for
the name of the user and group, not the uid and gid, when comparing
permissions. This fixes the following spurious warning from appearing:
The following files are used by sudo-1.6.9p15 and have
the wrong ownership and/or permissions:
/usr/pkg/etc/sudoers (m=0440, o=0, g=0)
|
|
653) Fixed installation of sudo_noexec.so on AIX.
654) Updated libtool to version 1.5.26.
655) Fixed printing of default SELinux role and type in -V mode.
656) The HOME environment variable is once again preserved by default,
as per the documentation.
|
|
pkgsrc changes:
- Explict to depends security/heimdal package when kerberos option is
specified. PR pkg/37999 should be fixed.
Change:
646) Sudo will now set the nproc resource limit to unlimited on Linux
systems to work around Linux's setuid() resource limit semantics.
On PAM systems the resource limits will be reset by pam_limits.so
before the command is executed.
647) SELinux support that can be used to implement role based access
control (RBAC). A role and (optional) type may be specified
in sudoers or on the command line. These are then used in the
security context that the command is run as.
648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
Sudo 1.6.9p13 released.
649) Fixed an invalid assumption in the PAM conversation function
introduced in version 1.6.9p9. The conversation function may
be called for non-password reading purposes as well.
650) Fixed freeing an uninitialized pointer in -l mode, introduced in
version 1.6.9p13.
651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
This allows Defaults options in /etc/sudoers to take effect.
652) Add missing checks for enforcing mode in SELinux RBAC mode.
Sudo 1.6.9p14 released.
|
|
config.h.in
configure
configure.in
ldap.c
Add DIST_SUBDIR to handle this situation.
Bump PKG_REVISION.
|
|
Changes from 1.6.9p11:
641) Added a configure check for the ber_set_option() function.
642) Fixed a compilation problem with the HP-UX K&R C compiler.
643) Revamped the Kerberos 5 ticket verification code.
644) Added support for the checkpeer ldap.conf variable for
netscape-based LDAP SDKs.
645) Fixed a problem where an incomplete password could be echoed
to the screen if there was a read timeout.
|
|
637) Fixed a compilation problem on SCO related to how they
store the high resolution timestamps in struct stat.
638) Avoid checking the passwd file group multiple times
in the LDAP query when the user's passwd group is also
listed in the supplemental group vector.
639) The URI specifier can now be used in ldap.conf even when
the LDAP SDK doesn't support ldap_initialize().
640) New %p prompt escape that expands to the user whose password
is being prompted, as specified by the rootpw, targetpw and
runaspw sudoers flags. Based on a diff from Patrick Schoenfeld.
|
|
created in unprivileged pkgsrc mode. PKGREVISION++
|
|
|
|
Major changes since Sudo 1.6.9p9:
o Moved LDAP options into a table for simplified parsing/setting.
o Fixed a problem with how some LDAP options were being applied.
o Added support for connecting directly to LDAP servers via SSL/TLS
for servers that don't support the start_tls extension.
|
|
bump PKGREVISION.
A little bug fix seems to applied.
-rw-r--r-- 1 taca taca 578259 Dec 3 19:38 sudo-1.6.9p9.tar.gz-prev
-rw-r--r-- 1 taca taca 578262 Dec 5 00:27 sudo-1.6.9p9.tar.gz
diff -dupNr sudo-1.6.9p9-20071203/parse.c sudo-1.6.9p9/parse.c
--- sudo-1.6.9p9-20071203/parse.c 2007-11-28 08:29:59.000000000 +0900
+++ sudo-1.6.9p9/parse.c 2007-12-05 00:26:40.000000000 +0900
@@ -90,7 +90,7 @@
#endif /* HAVE_EXTENDED_GLOB */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.14 2007/10/24 16:43:27 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $";
#endif /* lint */
/*
@@ -202,7 +202,7 @@ sudoers_lookup(pwflag)
return(VALIDATE_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0) |
- (setenv_ok == TRUE ? FLAG_SETENV : 0));
+ (setenv_ok >= TRUE ? FLAG_SETENV : 0));
} else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
(runas_matches == FALSE && cmnd_matches == TRUE)) {
/*
@@ -212,7 +212,7 @@ sudoers_lookup(pwflag)
return(VALIDATE_NOT_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0) |
- (setenv_ok == TRUE ? FLAG_SETENV : 0));
+ (setenv_ok >= TRUE ? FLAG_SETENV : 0));
}
}
top--;
diff -dupNr sudo-1.6.9p9-20071203/sudo.c sudo-1.6.9p9/sudo.c
--- sudo-1.6.9p9-20071203/sudo.c 2007-12-03 02:13:52.000000000 +0900
+++ sudo-1.6.9p9/sudo.c 2007-12-04 01:12:03.000000000 +0900
@@ -730,8 +730,10 @@ parse_args(argc, argv)
while (NewArgc > 0) {
if (NewArgv[0][0] == '-') {
- if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0')
+ if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') {
warnx("please use single character options");
+ usage(1);
+ }
switch (NewArgv[0][1]) {
case 'p':
|
|
Major changes since Sudo 1.6.9p8:
o The ALL command in sudoers now implies SETENV permissions.
o The command search is now performed using the target user's
auxiliary group vector, not just the target's primary group.
o When determining if the PAM prompt is the default "Password: ",
compare the localized version if possible.
o New passprompt_override option in sudoers to cause sudo's prompt
to be used in all cases. Also set when the -p flag is used.
|
|
- Reduce patch size.
Build problem on DragonFly BSD was noted by YONETANI Tomokazu
via private mail.
|
|
Major changes since Sudo 1.6.9p7:
o Fixed a bug where a sudoers entry with no runas user specified
was treated differently from a line with the default runas user
explicitly specified.
|
|
pkgsrc change: added DESTDIR support.
Major changes since Sudo 1.6.9p6:
o Reverted back to to using TCSAFLUSH instead of TCSADRAIN when
turning off echo during password reading.
o Fixed a configure bug that was preventing the addition of -lutil for
login.conf support on FreeBSD and NetBSD.
o Added a configure check for struct in6_addr since some systems
define AF_INET6 but have no real IPv6 support.
|
|
Major changes since Sudo 1.6.9p5:
o Worked around bugs in the session support of some PAM implementations.
The full tty path is now passed to PAM as well.
o Sudo now only prints the password prompt if the process is in the
foreground.
o inttypes.h is now included when appropriate if it is present.
o Simplified alias allocation in the parser.
|
|
options added to PKG_SUPPORTED_OPTIONS automagically. Duplicate options
removed.
|
|
617) Fixed a bug in the IP address matching introduced by the IPV6 merge.
618) For "visudo -f file" we now use the permissions of the original file
and not the hard-coded sudoers owner/group/mode. This makes
it possible to use visudo with a revision control system.
619) Fixed sudoedit when used on a non-existent file.
620) Regenerated configure using autoconf 2.6.1 and libtool 1.5.24.
621) Groups and netgroups are now valid in an LDAP sudoRunas statement.
|
|
pkgsrc change:
Make these options mutual exclusive: kerberos pam skey.
(Really, combinations of kerberos and pam, pam and skey are conflicts.)
CHANGES:
609) Worked around a bug ins some PAM implementations that caused a crash
when no tty was present.
610) Fixed a crash on some platforms in the error logging function.
611) Documentation improvements.
Sudo 1.6.9p1 released.
612) Fixed updating of the saved environment when the environ pointer
gets changed out from underneath us.
Sudo 1.6.9p2 released.
613) Fixed a bug related to supplemental group matching introduced
in 1.6.9.
Sudo 1.6.9p3 released.
614) Added IPv6 support from YOSHIFUJI Hideaki.
615) Fixed sudo_noexec installation path.
616) Fixed a K&R compilation error.
Sudo 1.6.9p4 released.
|
|
|
|
|
|
a fetch location for old distfiles so that we don't need to always keep
this package at the latest release.
|
|
authentication; that can be enabled by adding pam to the package options
if users desire.
|
|
and visudo manpages in man/man1, and the sudoers manpage in man/man5.
Remove the platform-specific PLISTs that only differed in the location
of the man pages.
Bump the PKGREVISION to 5.
|
|
(in fact, it's not clear that there is a good way to do so). The resulting
configuration works fine *except* if it encounters a host that has 3DES
but no DES service keys in its keytab.
Fix this by explicitly passing 0 ("default enctype") to Kerberos.
|
|
install script. The latter are special install-sh script options that
check whether the invoking user is the root user or not, which is
completely unnecessary.
|
|
|
|
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overidden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
|
|
|
|
|
|
Always use "man" instead of catpages.
Make sure "run" directory is precreated, so you don't get:
/usr/bin/sudo sudo: can't mkdir /var/run/sudo: No such file or directory
Bump PKGREVISION.
Okayed by maintainer back in December. The only concern was
that /var/run may not be for all platforms, but this is same
as other packages to (not specific to sudo).
|
|
packages. Convert LDAP-based applications to depend on openldap-client, and
bump PKGREVISION for those that depend on it by default.
|
|
Fix for http://secunia.com/advisories/18358/
Bump to nb1
|
|
long. PR#32378 by Stefan Krüger.
Changes:
Added PS4 and SHELLOPTS to the list of variables to remove from
the environment. (Already in pkgsrc)
Added JAVA_TOOL_OPTIONS to the list of variables to remove from
the environment.
Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to
remove from the environment. (Already in pkgsrc)
|
|
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
|
|
|
|
|
|
CONFIGURE_ARGS.
|
|
- http://www.sudo.ws/sudo/alerts/perl_env.html
- Add "PERLLIB", "PERL5LIB" and the "PERL5OPT" to the list of
environment variables to be cleaned.
|
|
the environment before letting the user execute bash scripts.
Bump PKGREVISION.
From Debian.
|
|
Hi joerg! 8-)
|
|
shared linking the noexec wrapper is not build.
|
|
|
|
|
|
|
|
1.6.8p7 include:
562) Fixed noexec functionality on Linux.
564) Fixed a bug that prevented Heimdal authentication from working.
566) A sudoers entry with sudo ALL no longer overwrites the value of
safe_cmnd. This fixes the privilege escalation vulnerability
noted in http://www.courtesan.com/sudo/alerts/path_race.html
|
|
user settable variable. Set PKG_SUGGESTED_OPTIONS instead. Also,
make use of PKG_OPTIONS_LEGACY_VARS.
Reviewed by wiz.
|
|
|
|
Changes:
557) Added a set of missing braces needed for MacOS X / Darwin.
558) Define LDAP_OPT_SUCCESS for those without it.
559) Warn if the user tries to use the -u option when not running a command.
560) Better PAM error handling and messages.
561) Fixed setting of $USER when env_reset is enabled.
|
