Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2023-09-13 20:43:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Sep 13 20:43:27 2023 rev:148 rq:1110628 version:1.9.14p3 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2023-07-25 11:22:46.707520961 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.1766/sudo.changes 2023-09-13 20:43:41.480219004 +0200 @@ -1,0 +2,19 @@ +Tue Sep 12 12:33:05 UTC 2023 - Otto Hollmann <[email protected]> + +- Update to 1.9.14p3: + * Fixed a crash with Python 3.12 when the sudo Python python is unloaded. + This only affects make check for the Python plugin. + * Adapted the sudo Python plugin test output to match Python 3.12. +- Update to 1.9.14p2: + * Fixed a crash on Linux systems introduced in version 1.9.14 when running a + command with a NULL argv[0] if log_subcmds or intercept is enabled in + sudoers. + * Fixed a problem with "stair-stepped" output when piping or redirecting the + output of a sudo command that takes user input when running a command in + a pseudo-terminal. + * Fixed a bug introduced in sudo 1.9.14 that affects matching sudoers rules + containing a Runas_Spec with an empty Runas user. These rules should only + match when sudoâs -g option is used but were matching even without the -g + option. #290. + +------------------------------------------------------------------- Old: ---- sudo-1.9.14p1.tar.gz sudo-1.9.14p1.tar.gz.sig New: ---- sudo-1.9.14p3.tar.gz sudo-1.9.14p3.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.SQAqzC/_old 2023-09-13 20:43:43.276282856 +0200 +++ /var/tmp/diff_new_pack.SQAqzC/_new 2023-09-13 20:43:43.276282856 +0200 
@@ -17,7 +17,7 @@ Name: sudo -Version: 1.9.14p1 +Version: 1.9.14p3 Release: 0 Summary: Execute some commands as root License: ISC ++++++ sudo-1.9.14p1.tar.gz -> sudo-1.9.14p3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/ChangeLog new/sudo-1.9.14p3/ChangeLog --- old/sudo-1.9.14p1/ChangeLog 2023-07-11 22:28:01.000000000 +0200 +++ new/sudo-1.9.14p3/ChangeLog 2023-07-24 22:26:27.000000000 +0200 
@@ -1,8 +1,166 @@ +2023-07-24 Todd C. Miller <[email protected]> + + * .hgtags: + Added tag SUDO_1_9_14p3 for changeset 6902151970b6 + [0083fdf4fc08] [tip] <1.9> + + * configure, configure.ac: + sudo 1.9.14p3 + [6902151970b6] [SUDO_1_9_14p3] <1.9> + + * NEWS: + Document bug fixes in 1.9.14p3. + [538b0d8db69d] <1.9> + + * plugins/python/python_loghandler.c, + plugins/python/python_plugin_common.c, + plugins/python/sudo_python_module.c, + plugins/python/sudo_python_module.h: + Merge sudo_module_register_loghandler and + sudo_module_set_default_loghandler. + + We now create the LogHandler class for each interpreter in + python_plugin_init() instead of just once in sudo_module_init(). + This fixes the crash seen in Py_EndInterpreter() with Python 3.12 + and significantly reduces the number of leaked objects tracked by + MemorySanitizer. + [92156e042c81] <1.9> + +2023-07-22 Todd C. Miller <[email protected]> + + * plugins/python/python_baseplugin.c, + plugins/python/python_convmessage.c, + plugins/python/python_loghandler.c, + plugins/python/sudo_python_module.c: + sudo_module_register_loghandler: clear sudo_type_LogHandler on error + Also add comments about PyModule_AddObject stealing a ref on + success. + [8f500926c894] <1.9> + +2023-07-21 Todd C. Miller <[email protected]> + + * plugins/python/python_loghandler.c: + Work around a crash with Python 3.12. + + In sudo_module_set_default_loghandler() if we don't leak the + reference to py_loghandler we get a crash in Py_EndInterpreter() + with Python 3.12. This probably indicates a reference counting bug + elsewhere. + [77e8641b7b40] <1.9> + + * plugins/python/python_loghandler.c: + Use PyObject_CallNoArgs() where possible. + [abd4dcbee072] <1.9> + + * plugins/python/python_convmessage.c, + plugins/python/python_loghandler.c, + plugins/python/sudo_python_module.h: + Make sudo_type_ConvMessage and sudo_type_LogHandler static. + + They are not used outside their respective compilation units. 
+ [c8dfb695dba1] <1.9> + +2023-07-20 Todd C. Miller <[email protected]> + + * plugins/python/regress/testhelpers.c: + Adapt to changed formatting of a rejected result in Python 3.12 + [2f89b9e6a104] <1.9> + + * plugins/python/example_audit_plugin.py, plugins/python/pyhelpers.c, + p + lugins/python/regress/testdata/check_example_audit_plugin_receives_a + ccept.stdout, plugins/python/regress/testdata/check_example_audit_pl + ugin_receives_error.stdout, plugins/python/regress/testdata/check_ex + ample_audit_plugin_receives_reject.stdout, plugins/python/regress/te + stdata/check_example_audit_plugin_version_display.stdout, plugins/py + thon/regress/testdata/check_example_audit_plugin_workflow_multiple.s + tdout, plugins/python/regress/testdata/check_example_debugging_c_cal + [email protected], plugins/python/regress/testdata/check_example_debugging + [email protected], plugins/python/regress/testdata/check_example_gro + up_plugin_is_able_to_debug.log, plugins/python/regress/testdata/chec + k_example_policy_plugin_validate_invalidate.log: + Remove trailing whitespace from test output. + [11db46e923fc] <1.9> + +2023-07-18 Todd C. Miller <[email protected]> + + * plugins/python/python_plugin_common.c: + Use Py_InitializeFromConfig() not Py_InitializeEx() for Python >= + 3.8. + + Avoids deprecation warnings on Python 3.12. + [99dc5948416d] <1.9> + + * NEWS: + The sudoers option is "use_pty", not "log_pty" + + GitHub issue #291 + [08b582beb2c9] <1.9> + +2023-07-15 Todd C. Miller <[email protected]> + + * .hgtags: + Added tag SUDO_1_9_14p2 for changeset 47c0bf9a7ebb + [6bbe51d30496] <1.9> + + * configure, configure.ac: + sudo 1.9.14p2 + [47c0bf9a7ebb] [SUDO_1_9_14p2] <1.9> + + * plugins/sudoers/match.c: + runas_userlist_matches: fix matching a Runas_Spec with an empty + runas user. 
+ + We should only match a rule with an empty runas user if a group was + specified on the command line (sudo -g) without a user (no -u + option) or the user specified their own name on the command line. + GitHub issue #290 + [164428126ee6] <1.9> + +2023-07-14 Todd C. Miller <[email protected]> + + * NEWS: + Document bug fixes in 1.9.14p2. + [e5cd975816b8] <1.9> + + * src/exec_pty.c: + Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped. + + This fixes a problem with "stair-stepped" output when the sudo-run + command's output is piped to another program and the command reads + input from the terminal. + [17009f9817b0] <1.9> + + * src/exec_monitor.c, src/exec_pty.c: + Simplify the exec_monitor() foreground flag. + + Add cmnd_foreground flag that is only true if sudo is the foreground + process and the CD_EXEC_BG flag is not set and pass it to + exec_monitor(). This means exec_monitor() no longer needs to check + for CD_EXEC_BG. + [6cc420fea368] <1.9> + + * include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c: + sudo_term_raw: change the isig argument into a flags field + + There are current two flags: SUDO_TERM_ISIG (enable terminal + signals) and SUDO_TERM_OFLAG (preserve output flags). + [15fdaae9fa3b] <1.9> + +2023-07-12 Todd C. Miller <[email protected]> + + * src/exec_ptrace.c: + Fix a crash in intercept mode running a command with NULL argv[0]. + + Newer Linux kernels replace a NULL argv[0] with the empty string, we + should as well. + [74e81e6d373a] <1.9> + 2023-07-11 Todd C. Miller <[email protected]> * .hgtags: Added tag SUDO_1_9_14p1 for changeset fc033946b1a9 - [ee6033290e91] [tip] <1.9> + [ee6033290e91] <1.9> * configure, configure.ac: sudo 1.9.14p1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/NEWS new/sudo-1.9.14p3/NEWS --- old/sudo-1.9.14p1/NEWS 2023-07-11 22:25:30.000000000 +0200 +++ new/sudo-1.9.14p3/NEWS 2023-07-24 22:24:42.000000000 +0200 
@@ -1,3 +1,24 @@ +What's new in Sudo 1.9.14p3 + + * Fixed a crash with Python 3.12 when the sudo Python python is + unloaded. This only affects "make check" for the Python plugin. + + * Adapted the sudo Python plugin test output to match Python 3.12. + +What's new in Sudo 1.9.14p2 + + * Fixed a crash on Linux systems introduced in version 1.9.14 when + running a command with a NULL argv[0] if "log_subcmds" or + "intercept" is enabled in sudoers. + + * Fixed a problem with "stair-stepped" output when piping or + redirecting the output of a sudo command that takes user input. + + * Fixed a bug introduced in sudo 1.9.14 that affects matching + sudoers rules containing a Runas_Spec with an empty Runas user. + These rules should only match when sudo's -g option is used but + were matching even without the -g option. GitHub issue #290. + What's new in Sudo 1.9.14p1 * Fixed an invalid free bug in sudo_logsrvd that was introduced @@ -49,7 +70,7 @@ * Fixed a bug where only the first two digits of the TSID field being was logged. Bug #1046. - * The "log_pty" sudoers option is now enabled by default. To + * The "use_pty" sudoers option is now enabled by default. To restore the historic behavior where a command is run in the user's terminal, add "Defaults !use_pty" to the sudoers file. GitHub issue #258. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/configure new/sudo-1.9.14p3/configure --- old/sudo-1.9.14p1/configure 2023-07-11 22:26:50.000000000 +0200 +++ new/sudo-1.9.14p3/configure 2023-07-24 22:25:13.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72c for sudo 1.9.14p1. +# Generated by GNU Autoconf 2.72c for sudo 1.9.14p3. # # Report bugs to <https://bugzilla.sudo.ws/>. # 
@@ -614,8 +614,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.9.14p1' -PACKAGE_STRING='sudo 1.9.14p1' +PACKAGE_VERSION='1.9.14p3' +PACKAGE_STRING='sudo 1.9.14p3' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1639,7 +1639,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures sudo 1.9.14p1 to adapt to many kinds of systems. +'configure' configures sudo 1.9.14p3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1705,7 +1705,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.9.14p1:";; + short | recursive ) echo "Configuration of sudo 1.9.14p3:";; esac cat <<\_ACEOF @@ -1999,7 +1999,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.9.14p1 +sudo configure 1.9.14p3 generated by GNU Autoconf 2.72c Copyright (C) 2023 Free Software Foundation, Inc. @@ -2819,7 +2819,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.9.14p1, which was +It was created by sudo $as_me 1.9.14p3, which was generated by GNU Autoconf 2.72c. Invocation command line was $ $0$ac_configure_args_raw @@ -36387,7 +36387,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.9.14p1, which was +This file was extended by sudo $as_me 1.9.14p3, which was generated by GNU Autoconf 2.72c. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -36455,7 +36455,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -sudo config.status 1.9.14p1 +sudo config.status 1.9.14p3 configured by $0, generated by GNU Autoconf 2.72c, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/configure.ac new/sudo-1.9.14p3/configure.ac --- old/sudo-1.9.14p1/configure.ac 2023-07-11 22:26:28.000000000 +0200 +++ new/sudo-1.9.14p3/configure.ac 2023-07-24 22:24:51.000000000 +0200 @@ -18,7 +18,7 @@ dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. dnl AC_PREREQ([2.69]) -AC_INIT([sudo], [1.9.14p1], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.9.14p3], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADERS([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) AC_CONFIG_AUX_DIR([scripts]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/include/sudo_util.h new/sudo-1.9.14p3/include/sudo_util.h --- old/sudo-1.9.14p1/include/sudo_util.h 2023-06-27 19:27:17.000000000 +0200 +++ new/sudo-1.9.14p3/include/sudo_util.h 2023-07-24 22:12:11.000000000 +0200 
@@ -317,13 +317,15 @@ extern int (*sudo_printf)(int msg_type, const char *fmt, ...); /* term.c */ +#define SUDO_TERM_ISIG 0x01U +#define SUDO_TERM_OFLAG 0x02U sudo_dso_public bool sudo_term_cbreak_v1(int fd); #define sudo_term_cbreak(_a) sudo_term_cbreak_v1((_a)) sudo_dso_public bool sudo_term_copy_v1(int src, int dst); #define sudo_term_copy(_a, _b) sudo_term_copy_v1((_a), (_b)) sudo_dso_public bool sudo_term_noecho_v1(int fd); #define sudo_term_noecho(_a) sudo_term_noecho_v1((_a)) -sudo_dso_public bool sudo_term_raw_v1(int fd, int isig); +sudo_dso_public bool sudo_term_raw_v1(int fd, unsigned int flags); #define sudo_term_raw(_a, _b) sudo_term_raw_v1((_a), (_b)) sudo_dso_public bool sudo_term_restore_v1(int fd, bool flush); #define sudo_term_restore(_a, _b) sudo_term_restore_v1((_a), (_b)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/lib/util/term.c new/sudo-1.9.14p3/lib/util/term.c --- old/sudo-1.9.14p1/lib/util/term.c 2023-06-27 19:27:17.000000000 +0200 +++ new/sudo-1.9.14p3/lib/util/term.c 2023-07-24 22:12:11.000000000 +0200 
@@ -178,22 +178,30 @@ } /* - * Set terminal to raw mode with optional terminal signals. + * Set terminal to raw mode as modified by flags. * Returns true on success or false on failure. */ bool -sudo_term_raw_v1(int fd, int isig) +sudo_term_raw_v1(int fd, unsigned int flags) { struct termios term; + tcflag_t oflag; debug_decl(sudo_term_raw, SUDO_DEBUG_UTIL); if (!changed && tcgetattr(fd, &oterm) != 0) debug_return_bool(false); (void) memcpy(&term, &oterm, sizeof(term)); - /* Set terminal to raw mode but optionally enable terminal signals. */ + /* + * Set terminal to raw mode but optionally enable terminal signals + * and/or preserve output flags. + */ + if (ISSET(flags, SUDO_TERM_OFLAG)) + oflag = term.c_oflag; cfmakeraw(&term); - if (isig) + if (ISSET(flags, SUDO_TERM_ISIG)) SET(term.c_lflag, ISIG); + if (ISSET(flags, SUDO_TERM_OFLAG)) + term.c_oflag = oflag; if (tcsetattr_nobg(fd, TCSASOFT|TCSADRAIN, &term) == 0) { changed = 1; debug_return_bool(true); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/example_audit_plugin.py new/sudo-1.9.14p3/plugins/python/example_audit_plugin.py --- old/sudo-1.9.14p1/plugins/python/example_audit_plugin.py 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/example_audit_plugin.py 2023-07-24 22:19:27.000000000 +0200 
@@ -16,7 +16,7 @@ user_info_dict = sudo.options_as_dict(user_info) user = user_info_dict.get("user", "???") uid = user_info_dict.get("uid", "???") - self._log("-- Started by user {} ({}) -- ".format(user, uid)) + self._log("-- Started by user {} ({}) --".format(user, uid)) def __del__(self): self._log("-- Finished --") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/pyhelpers.c new/sudo-1.9.14p3/plugins/python/pyhelpers.c --- old/sudo-1.9.14p1/plugins/python/pyhelpers.c 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/pyhelpers.c 2023-07-24 22:19:27.000000000 +0200 @@ -363,9 +363,9 @@ Py_DECREF(py_kwargs_sorted); } - sudo_debug_printf(SUDO_DEBUG_DIAG, "%s.%s %s: %s %s\n", class_name, + sudo_debug_printf(SUDO_DEBUG_DIAG, "%s.%s %s: %s%s%s\n", class_name, function_name, message, args_str ? args_str : "()", - kwargs_str ? kwargs_str : ""); + kwargs_str ? " " : "", kwargs_str ? kwargs_str : ""); free(args_str); free(kwargs_str); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/python_baseplugin.c new/sudo-1.9.14p3/plugins/python/python_baseplugin.c --- old/sudo-1.9.14p1/plugins/python/python_baseplugin.c 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/python_baseplugin.c 2023-07-24 22:19:30.000000000 +0200 @@ -74,6 +74,7 @@ goto cleanup; } + // PyModule_AddObject steals a reference to py_class on success Py_INCREF(py_class); rc = SUDO_RC_OK; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/python_convmessage.c new/sudo-1.9.14p3/plugins/python/python_convmessage.c --- old/sudo-1.9.14p1/plugins/python/python_convmessage.c 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/python_convmessage.c 2023-07-24 22:19:30.000000000 +0200 
@@ -23,7 +23,7 @@ #include "sudo_python_module.h" -PyTypeObject *sudo_type_ConvMessage; +static PyTypeObject *sudo_type_ConvMessage; static PyObject * _sudo_ConvMessage__Init(PyObject *py_self, PyObject *py_args, PyObject *py_kwargs) @@ -91,6 +91,7 @@ goto cleanup; } + // PyModule_AddObject steals the reference to py_class on success Py_INCREF(py_class); rc = SUDO_RC_OK; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/python_loghandler.c new/sudo-1.9.14p3/plugins/python/python_loghandler.c --- old/sudo-1.9.14p1/plugins/python/python_loghandler.c 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/python_loghandler.c 2023-07-24 22:19:30.000000000 +0200 @@ -23,8 +23,9 @@ #include "sudo_python_module.h" -PyObject *sudo_type_LogHandler; - +#if PY_MAJOR_VERSION == 3 && PY_MINOR_VERSION < 9 +# define PyObject_CallNoArgs(_o) PyObject_CallObject((_o), NULL) +#endif static void _debug_plugin(int log_level, const char *log_message) 
@@ -124,67 +125,58 @@ {NULL, NULL, 0, NULL} }; -// This function registers sudo.LogHandler class +// This function creates the sudo.LogHandler class and adds it +// to the root logger. int -sudo_module_register_loghandler(PyObject *py_module) +sudo_module_set_default_loghandler() { debug_decl(sudo_module_register_loghandler, PYTHON_DEBUG_INTERNAL); - PyObject *py_logging_module = NULL, *py_streamhandler = NULL; + PyObject *py_sudo, *py_logging_module = NULL, *py_logger = NULL, + *py_streamhandler = NULL, *py_class = NULL, + *py_loghandler = NULL, *py_result = NULL; + + py_sudo = PyImport_ImportModule("sudo"); + if (py_sudo == NULL) + goto cleanup; py_logging_module = PyImport_ImportModule("logging"); if (py_logging_module == NULL) goto cleanup; + // Get the root logger which all loggers descend from. + py_logger = PyObject_CallMethod(py_logging_module, "getLogger", NULL); + if (py_logger == NULL) + goto cleanup; + py_streamhandler = PyObject_GetAttrString(py_logging_module, "StreamHandler"); if (py_streamhandler == NULL) goto cleanup; - sudo_type_LogHandler = sudo_module_create_class("sudo.LogHandler", + // Create our own handler that is a sub-class of StreamHandler + py_class = sudo_module_create_class("sudo.LogHandler", _sudo_LogHandler_class_methods, py_streamhandler); - if (sudo_type_LogHandler == NULL) + if (py_class == NULL) goto cleanup; - if (PyModule_AddObject(py_module, "LogHandler", sudo_type_LogHandler) < 0) + // PyModule_AddObject steals a reference to py_class on success + if (PyModule_AddObject(py_sudo, "LogHandler", py_class) < 0) goto cleanup; + Py_INCREF(py_class); - Py_INCREF(sudo_type_LogHandler); - -cleanup: - Py_CLEAR(py_streamhandler); - Py_CLEAR(py_logging_module); - debug_return_int(PyErr_Occurred() ? 
SUDO_RC_ERROR : SUDO_RC_OK); -} - -// This sets sudo.LogHandler as the default log handler: -// logging.getLogger().addHandler(sudo.LogHandler()) -int -sudo_module_set_default_loghandler(void) -{ - debug_decl(sudo_module_set_default_loghandler, PYTHON_DEBUG_INTERNAL); - - PyObject *py_loghandler = NULL, *py_logging_module = NULL, - *py_logger = NULL, *py_result = NULL; - - py_loghandler = PyObject_CallObject(sudo_type_LogHandler, NULL); + py_loghandler = PyObject_CallNoArgs(py_class); if (py_loghandler == NULL) goto cleanup; - py_logging_module = PyImport_ImportModule("logging"); - if (py_logging_module == NULL) - goto cleanup; - - py_logger = PyObject_CallMethod(py_logging_module, "getLogger", NULL); - if (py_logger == NULL) - goto cleanup; - py_result = PyObject_CallMethod(py_logger, "addHandler", "O", py_loghandler); cleanup: Py_CLEAR(py_result); + Py_CLEAR(py_loghandler); + Py_CLEAR(py_class); + Py_CLEAR(py_streamhandler); Py_CLEAR(py_logger); Py_CLEAR(py_logging_module); - Py_CLEAR(py_loghandler); - + Py_CLEAR(py_sudo); debug_return_int(PyErr_Occurred() ? SUDO_RC_ERROR : SUDO_RC_OK); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/python_plugin_common.c new/sudo-1.9.14p3/plugins/python/python_plugin_common.c --- old/sudo-1.9.14p1/plugins/python/python_plugin_common.c 2023-02-14 17:53:02.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/python_plugin_common.c 2023-07-24 22:19:30.000000000 +0200 
@@ -366,18 +366,32 @@ debug_decl(_python_plugin_register_plugin_in_py_ctx, PYTHON_DEBUG_PLUGIN_LOAD); if (!Py_IsInitialized()) { + if (_save_inittab() != SUDO_RC_OK) + debug_return_int(SUDO_RC_ERROR); + PyImport_AppendInittab("sudo", sudo_module_init); + // Disable environment variables effecting the python interpreter // This is important since we are running code here as root, the // user should not be able to alter what is running any how. +#if (PY_MAJOR_VERSION > 3) || (PY_MINOR_VERSION >= 8) + PyStatus status; + PyConfig config; + + PyConfig_InitPythonConfig(&config); + config.isolated = 1; + config.use_environment = 0; + config.user_site_directory = 0; + status = Py_InitializeFromConfig(&config); + PyConfig_Clear(&config); + if (PyStatus_Exception(status)) + debug_return_int(SUDO_RC_ERROR); +#else Py_IgnoreEnvironmentFlag = 1; Py_IsolatedFlag = 1; Py_NoUserSiteDirectory = 1; - if (_save_inittab() != SUDO_RC_OK) - debug_return_int(SUDO_RC_ERROR); - - PyImport_AppendInittab("sudo", sudo_module_init); Py_InitializeEx(0); +#endif py_ctx.py_main_interpreter = PyThreadState_Get(); // This ensures we import "sudo" module in the main interpreter, 
@@ -518,8 +532,9 @@ } PyThreadState_Swap(plugin_ctx->py_interpreter); - if (sudo_module_set_default_loghandler() < 0) + if (sudo_module_set_default_loghandler() != SUDO_RC_OK) { goto cleanup; + } if (_python_plugin_set_path(plugin_ctx, _lookup_value(plugin_options, "ModulePath")) != SUDO_RC_OK) { goto cleanup; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_accept.stdout new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_accept.stdout --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_accept.stdout 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_accept.stdout 2023-07-24 22:19:27.000000000 +0200 @@ -1,4 +1,4 @@ -(AUDIT) -- Started by user testuser1 (123) -- +(AUDIT) -- Started by user testuser1 (123) -- (AUDIT) Requested command: id --help (AUDIT) Accepted command: /sbin/id --help (AUDIT) By the plugin: accepter plugin name (type=POLICY) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_error.stdout new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_error.stdout --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_error.stdout 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_error.stdout 2023-07-24 22:19:27.000000000 +0200 
@@ -1,4 +1,4 @@ -(AUDIT) -- Started by user ??? (???) -- +(AUDIT) -- Started by user ??? (???) -- (AUDIT) Requested command: id (AUDIT) Plugin errorer plugin name (type=AUDIT) got an error: Some error has happened (AUDIT) Sudo has run into an error: 222 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_reject.stdout new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_reject.stdout --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_receives_reject.stdout 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_receives_reject.stdout 2023-07-24 22:19:27.000000000 +0200 @@ -1,4 +1,4 @@ -(AUDIT) -- Started by user root (0) -- +(AUDIT) -- Started by user root (0) -- (AUDIT) Requested command: passwd (AUDIT) Rejected by plugin rejecter plugin name (type=IO): Rejected just because! (AUDIT) The command was not executed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_version_display.stdout new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_version_display.stdout --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_version_display.stdout 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_version_display.stdout 2023-07-24 22:19:27.000000000 +0200 
@@ -1,4 +1,4 @@ -(AUDIT) -- Started by user root (0) -- +(AUDIT) -- Started by user root (0) -- Python Example Audit Plugin Python audit plugin (API 1.0): SudoAuditPlugin (loaded from 'SRC_DIR/example_audit_plugin.py') Python Example Audit Plugin (version=1.0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_workflow_multiple.stdout new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_workflow_multiple.stdout --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_audit_plugin_workflow_multiple.stdout 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_audit_plugin_workflow_multiple.stdout 2023-07-24 22:19:27.000000000 +0200 @@ -1,6 +1,6 @@ -(AUDIT1) -- Started by user default (1000) -- +(AUDIT1) -- Started by user default (1000) -- (AUDIT1) Requested command: id --help -(AUDIT2) -- Started by user default (1000) -- +(AUDIT2) -- Started by user default (1000) -- (AUDIT2) Requested command: id --help (AUDIT1) Accepted command: /sbin/id --help (AUDIT1) By the plugin: accepter plugin name (type=POLICY) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/[email protected] new/sudo-1.9.14p3/plugins/python/regress/testdata/[email protected] --- old/sudo-1.9.14p1/plugins/python/regress/testdata/[email protected] 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/[email protected] 2023-07-24 22:19:27.000000000 +0200 
@@ -1,6 +1,6 @@ -sudo.debug was called with arguments: (DEBUG.ERROR, 'My demo purpose plugin shows this ERROR level debug message') -sudo.debug was called with arguments: (DEBUG.INFO, 'My demo purpose plugin shows this INFO level debug message') +sudo.debug was called with arguments: (DEBUG.ERROR, 'My demo purpose plugin shows this ERROR level debug message') +sudo.debug was called with arguments: (DEBUG.INFO, 'My demo purpose plugin shows this INFO level debug message') LogHandler.emit was called LogHandler.emit was called -sudo.options_as_dict was called with arguments: (('ModulePath=SRC_DIR/example_debugging.py', 'ClassName=DebugDemoPlugin'),) -sudo.options_as_dict returned result: [('ClassName', 'DebugDemoPlugin'), ('ModulePath', 'SRC_DIR/example_debugging.py')] +sudo.options_as_dict was called with arguments: (('ModulePath=SRC_DIR/example_debugging.py', 'ClassName=DebugDemoPlugin'),) +sudo.options_as_dict returned result: [('ClassName', 'DebugDemoPlugin'), ('ModulePath', 'SRC_DIR/example_debugging.py')] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/[email protected] new/sudo-1.9.14p3/plugins/python/regress/testdata/[email protected] --- old/sudo-1.9.14p1/plugins/python/regress/testdata/[email protected] 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/[email protected] 2023-07-24 22:19:27.000000000 +0200 
@@ -1,11 +1,11 @@ __init__ @ SRC_DIR/example_debugging.py:58 calls C function: -sudo.debug was called with arguments: (DEBUG.ERROR, 'My demo purpose plugin shows this ERROR level debug message') +sudo.debug was called with arguments: (DEBUG.ERROR, 'My demo purpose plugin shows this ERROR level debug message') __init__ @ SRC_DIR/example_debugging.py:63 calls C function: -sudo.debug was called with arguments: (DEBUG.INFO, 'My demo purpose plugin shows this INFO level debug message') +sudo.debug was called with arguments: (DEBUG.INFO, 'My demo purpose plugin shows this INFO level debug message') handle @ logging/__init__.py calls C function: LogHandler.emit was called handle @ logging/__init__.py calls C function: LogHandler.emit was called __init__ @ SRC_DIR/example_debugging.py:85 calls C function: -sudo.options_as_dict was called with arguments: (('ModulePath=SRC_DIR/example_debugging.py', 'ClassName=DebugDemoPlugin'),) -sudo.options_as_dict returned result: [('ClassName', 'DebugDemoPlugin'), ('ModulePath', 'SRC_DIR/example_debugging.py')] +sudo.options_as_dict was called with arguments: (('ModulePath=SRC_DIR/example_debugging.py', 'ClassName=DebugDemoPlugin'),) +sudo.options_as_dict returned result: [('ClassName', 'DebugDemoPlugin'), ('ModulePath', 'SRC_DIR/example_debugging.py')] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_group_plugin_is_able_to_debug.log new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_group_plugin_is_able_to_debug.log --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_group_plugin_is_able_to_debug.log 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_group_plugin_is_able_to_debug.log 2023-07-24 22:19:27.000000000 +0200 
@@ -1,4 +1,4 @@ SudoGroupPlugin.__init__ was called with arguments: () [('args', ('ModulePath=SRC_DIR/example_group_plugin.py', 'ClassName=SudoGroupPlugin')), ('version', '1.0')] SudoGroupPlugin.__init__ returned result: <example_group_plugin.SudoGroupPlugin object> -SudoGroupPlugin.query was called with arguments: ('user', 'group', ('pw_name', 'pw_passwd', 1001, 101, 'pw_gecos', 'pw_dir', 'pw_shell')) -SudoGroupPlugin.query returned result: 0 +SudoGroupPlugin.query was called with arguments: ('user', 'group', ('pw_name', 'pw_passwd', 1001, 101, 'pw_gecos', 'pw_dir', 'pw_shell')) +SudoGroupPlugin.query returned result: 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_policy_plugin_validate_invalidate.log new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_policy_plugin_validate_invalidate.log --- old/sudo-1.9.14p1/plugins/python/regress/testdata/check_example_policy_plugin_validate_invalidate.log 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testdata/check_example_policy_plugin_validate_invalidate.log 2023-07-24 22:19:27.000000000 +0200 
@@ -1,8 +1,8 @@ SudoPolicyPlugin.__init__ was called with arguments: () [('plugin_options', ('ModulePath=SRC_DIR/example_policy_plugin.py', 'ClassName=SudoPolicyPlugin')), ('settings', ()), ('user_env', ()), ('user_info', ()), ('version', '1.0')] SudoPolicyPlugin.__init__ returned result: <example_policy_plugin.SudoPolicyPlugin object> -SudoPolicyPlugin.validate was called with arguments: () -SudoPolicyPlugin.validate returned result: None -SudoPolicyPlugin.invalidate was called with arguments: (1,) -SudoPolicyPlugin.invalidate returned result: None -SudoPolicyPlugin.invalidate was called with arguments: (0,) -SudoPolicyPlugin.invalidate returned result: None +SudoPolicyPlugin.validate was called with arguments: () +SudoPolicyPlugin.validate returned result: None +SudoPolicyPlugin.invalidate was called with arguments: (1,) +SudoPolicyPlugin.invalidate returned result: None +SudoPolicyPlugin.invalidate was called with arguments: (0,) +SudoPolicyPlugin.invalidate returned result: None diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/regress/testhelpers.c new/sudo-1.9.14p3/plugins/python/regress/testhelpers.c --- old/sudo-1.9.14p1/plugins/python/regress/testhelpers.c 2023-02-14 17:53:02.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/regress/testhelpers.c 2023-07-24 22:19:27.000000000 +0200 
@@ -268,7 +268,15 @@ // Convert ": REJECT" to ": 0" + rest of line memcpy(cp, ": 0", 3); memmove(cp + 3, cp + 8, strlen(cp + 8) + 1); + } else { + // Python 3.12 may use <RC.REJECT: 0> instead of 0 + cp = strstr(line_data, "<RC.REJECT: 0>"); + if (cp != NULL) { + *cp = '0'; + memmove(cp + 1, cp + 14, strlen(cp + 14) + 1); + } } + } VERIFY_TRUE(strlcat(stored_str, line_data, sizeof(stored_str)) < sizeof(stored_str)); // we have enough space in buffer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/sudo_python_module.c new/sudo-1.9.14p3/plugins/python/sudo_python_module.c --- old/sudo-1.9.14p1/plugins/python/sudo_python_module.c 2023-02-14 17:52:37.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/sudo_python_module.c 2023-07-24 22:19:30.000000000 +0200 @@ -479,28 +479,26 @@ return; PyObject *py_enum_class = NULL; - { - PyObject *py_enum_module = PyImport_ImportModule("enum"); - if (py_enum_module == NULL) { - Py_CLEAR(py_constants_dict); - debug_return; - } - - py_enum_class = PyObject_CallMethod(py_enum_module, - "IntEnum", "sO", enum_name, - py_constants_dict); - - Py_CLEAR(py_constants_dict); - Py_CLEAR(py_enum_module); + PyObject *py_enum_module = PyImport_ImportModule("enum"); + if (py_enum_module == NULL) { + Py_CLEAR(py_constants_dict); + debug_return; } + py_enum_class = PyObject_CallMethod(py_enum_module, + "IntEnum", "sO", enum_name, + py_constants_dict); + + Py_CLEAR(py_constants_dict); + Py_CLEAR(py_enum_module); + if (py_enum_class == NULL) { debug_return; } + // PyModule_AddObject steals the reference to py_enum_class on success if (PyModule_AddObject(py_module, enum_name, py_enum_class) < 0) { Py_CLEAR(py_enum_class); - debug_return; } debug_return; 
@@ -597,9 +595,6 @@ if (sudo_module_register_baseplugin(py_module) != SUDO_RC_OK) goto cleanup; - if (sudo_module_register_loghandler(py_module) != SUDO_RC_OK) - goto cleanup; - cleanup: if (PyErr_Occurred()) { Py_CLEAR(py_module); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/python/sudo_python_module.h new/sudo-1.9.14p3/plugins/python/sudo_python_module.h --- old/sudo-1.9.14p1/plugins/python/sudo_python_module.h 2023-02-14 17:53:02.000000000 +0100 +++ new/sudo-1.9.14p3/plugins/python/sudo_python_module.h 2023-07-24 22:19:30.000000000 +0200 @@ -29,9 +29,6 @@ extern PyObject *sudo_exc_PluginError; // an error with message extern PyTypeObject *sudo_type_Plugin; -extern PyTypeObject *sudo_type_ConvMessage; - -extern PyObject *sudo_type_LogHandler; PyObject *sudo_module_create_class(const char *class_name, PyMethodDef *class_methods, PyObject *base_class); @@ -49,9 +46,6 @@ int sudo_module_register_baseplugin(PyObject *py_module); CPYCHECKER_NEGATIVE_RESULT_SETS_EXCEPTION -int sudo_module_register_loghandler(PyObject *py_module); - -CPYCHECKER_NEGATIVE_RESULT_SETS_EXCEPTION int sudo_module_set_default_loghandler(void); PyObject *python_sudo_debug(PyObject *py_self, PyObject *py_args); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/sudoers/match.c new/sudo-1.9.14p3/plugins/sudoers/match.c --- old/sudo-1.9.14p1/plugins/sudoers/match.c 2023-06-14 04:21:09.000000000 +0200 +++ new/sudo-1.9.14p3/plugins/sudoers/match.c 2023-07-24 22:09:10.000000000 +0200 
@@ -188,8 +188,14 @@ user_matched = !m->negated; break; case MYSELF: - if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || - strcmp(user_name, runas_pw->pw_name) == 0) + /* + * Only match a rule with an empty runas user if a group + * was specified on the command line without a user _or_ + * the user specified their own name on the command line. + */ + if ((!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && + ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) || + strcmp(user_name, runas_pw->pw_name) == 0) user_matched = !m->negated; break; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/plugins/sudoers/sudoreplay.c new/sudo-1.9.14p3/plugins/sudoers/sudoreplay.c --- old/sudo-1.9.14p1/plugins/sudoers/sudoreplay.c 2023-06-27 19:27:17.000000000 +0200 +++ new/sudo-1.9.14p3/plugins/sudoers/sudoreplay.c 2023-07-24 22:12:11.000000000 +0200 @@ -629,7 +629,7 @@ /* Open fd for /dev/tty and set to raw mode. */ if (interactive) { ttyfd = open(_PATH_TTY, O_RDWR); - while (!sudo_term_raw(ttyfd, 1)) { + while (!sudo_term_raw(ttyfd, SUDO_TERM_ISIG)) { if (errno != EINTR) sudo_fatal("%s", U_("unable to set tty to raw mode")); kill(getpid(), SIGTTOU); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/src/exec_monitor.c new/sudo-1.9.14p3/src/exec_monitor.c --- old/sudo-1.9.14p1/src/exec_monitor.c 2023-06-27 19:27:17.000000000 +0200 +++ new/sudo-1.9.14p3/src/exec_monitor.c 2023-07-24 22:12:11.000000000 +0200 @@ -373,7 +373,7 @@ close(io_fds[SFD_STDERR]); /* Wait for parent to grant us the tty if we are foreground. */ - if (foreground && !ISSET(details->flags, CD_EXEC_BG)) { + if (foreground) { struct timespec ts = { 0, 1000 }; /* 1us */ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: waiting for controlling tty", __func__); 
@@ -652,7 +652,7 @@ setpgid(mc.cmnd_pid, mc.cmnd_pgrp); /* Make the command the foreground process for the pty follower. */ - if (foreground && !ISSET(details->flags, CD_EXEC_BG)) { + if (foreground) { if (tcsetpgrp(io_fds[SFD_FOLLOWER], mc.cmnd_pgrp) == -1) { sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, "%s: unable to set foreground pgrp to %d (command)", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/src/exec_ptrace.c new/sudo-1.9.14p3/src/exec_ptrace.c --- old/sudo-1.9.14p1/src/exec_ptrace.c 2023-06-27 19:27:17.000000000 +0200 +++ new/sudo-1.9.14p3/src/exec_ptrace.c 2023-07-24 22:12:11.000000000 +0200 @@ -1795,7 +1795,7 @@ } /* We can only pass the pathname to exececute via argv[0] (plugin API). */ - orig_argv0 = argv[0]; + orig_argv0 = argv[0] ? argv[0] : (char *)""; argv[0] = pathname; if (argc == 0) { /* Rewrite an empty argv[] with the path to execute. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sudo-1.9.14p1/src/exec_pty.c new/sudo-1.9.14p3/src/exec_pty.c --- old/sudo-1.9.14p1/src/exec_pty.c 2023-05-03 21:26:54.000000000 +0200 +++ new/sudo-1.9.14p3/src/exec_pty.c 2023-07-24 22:12:11.000000000 +0200 @@ -56,6 +56,7 @@ TAILQ_HEAD(monitor_message_list, monitor_message); static struct monitor_message_list monitor_messages = TAILQ_HEAD_INITIALIZER(monitor_messages); +static unsigned int term_raw_flags; static void sync_ttysize(struct exec_closure *ec); static void schedule_signal(struct exec_closure *ec, int signo); @@ -161,8 +162,8 @@ } /* - * Check whether we are running in the foregroup. - * Updates the foreground flag and updates the window size. + * Check whether sudo is running in the foreground. + * Updates the foreground flag in the closure. * Returns 0 if there is no tty, the foreground process group ID * on success, or -1 on failure (tty revoked). */ 
@@ -208,7 +209,7 @@ if (ec->foreground) { /* Foreground process, set tty to raw mode. */ - if (sudo_term_raw(io_fds[SFD_USERTTY], 0)) + if (sudo_term_raw(io_fds[SFD_USERTTY], term_raw_flags)) ec->term_raw = true; } else { /* Background process, no access to tty. */ @@ -263,7 +264,7 @@ "%s: command received SIG%s, parent running in the foregound", __func__, signame); if (!ec->term_raw) { - if (sudo_term_raw(io_fds[SFD_USERTTY], 0)) + if (sudo_term_raw(io_fds[SFD_USERTTY], term_raw_flags)) ec->term_raw = true; } ret = SIGCONT_FG; /* resume command in foreground */ @@ -1072,7 +1073,7 @@ struct exec_closure ec = { 0 }; struct plugin_container *plugin; int evloop_retries = -1; - bool pipeline = false; + bool cmnd_foreground; sigset_t set, oset; struct sigaction sa; struct stat sb; @@ -1183,14 +1184,14 @@ sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, not logging"); if (S_ISFIFO(sb.st_mode)) - pipeline = true; + SET(details->flags, CD_EXEC_BG); io_fds[SFD_STDIN] = dup(STDIN_FILENO); if (io_fds[SFD_STDIN] == -1) sudo_fatal("dup"); } else { sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe"); - pipeline = true; + SET(details->flags, CD_EXEC_BG); if (pipe2(io_pipe[STDIN_FILENO], O_CLOEXEC) != 0) sudo_fatal("%s", U_("unable to create pipe")); io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], @@ -1217,7 +1218,7 @@ */ sudo_debug_printf(SUDO_DEBUG_INFO, "terminal input not available, creating empty pipe"); - pipeline = true; + SET(details->flags, CD_EXEC_BG); if (pipe2(io_pipe[STDIN_FILENO], O_CLOEXEC) != 0) sudo_fatal("%s", U_("unable to create pipe")); io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; 
@@ -1229,15 +1230,18 @@ /* Not logging stdout, do not interpose. */ sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, not logging"); - if (S_ISFIFO(sb.st_mode)) - pipeline = true; + if (S_ISFIFO(sb.st_mode)) { + SET(details->flags, CD_EXEC_BG); + term_raw_flags = SUDO_TERM_OFLAG; + } io_fds[SFD_STDOUT] = dup(STDOUT_FILENO); if (io_fds[SFD_STDOUT] == -1) sudo_fatal("dup"); } else { sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe"); - pipeline = true; + SET(details->flags, CD_EXEC_BG); + term_raw_flags = SUDO_TERM_OFLAG; if (pipe2(io_pipe[STDOUT_FILENO], O_CLOEXEC) != 0) sudo_fatal("%s", U_("unable to create pipe")); io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, @@ -1250,8 +1254,6 @@ /* Not logging stderr, do not interpose. */ sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, not logging"); - if (S_ISFIFO(sb.st_mode)) - pipeline = true; io_fds[SFD_STDERR] = dup(STDERR_FILENO); if (io_fds[SFD_STDERR] == -1) sudo_fatal("dup"); @@ -1275,13 +1277,11 @@ "%s: unable to copy terminal settings to pty", __func__); ec.foreground = false; } - - /* Start in raw mode unless part of a pipeline or backgrounded. */ - if (ec.foreground) { - if (!pipeline && !ISSET(details->flags, CD_EXEC_BG)) { - if (sudo_term_raw(io_fds[SFD_USERTTY], 0)) - ec.term_raw = true; - } + /* Start in raw mode unless the command will run in the background. */ + cmnd_foreground = ec.foreground && !ISSET(details->flags, CD_EXEC_BG); + if (cmnd_foreground) { + if (sudo_term_raw(io_fds[SFD_USERTTY], 0)) + ec.term_raw = true; } /* @@ -1324,8 +1324,7 @@ * In this case, we rely on the command receiving SIGTTOU or SIGTTIN * when it needs access to the controlling tty. */ - exec_monitor(details, &oset, ec.foreground && !pipeline, sv[1], - intercept_sv[1]); + exec_monitor(details, &oset, cmnd_foreground, sv[1], intercept_sv[1]); cstat->type = CMD_ERRNO; cstat->val = errno; if (send(sv[1], cstat, sizeof(*cstat), 0) == -1) {
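Review bot: in plugins/python/regress/testhelpers.c (hunk at -268), the new Python 3.12 branch hard-codes the marker length as 14 in `memmove(cp + 1, cp + 14, strlen(cp + 14) + 1);`, separately from the string passed to strstr(). The value is right ("<RC.REJECT: 0>" is 14 bytes), but taking it from the literal, for example a `static const char` marker with `sizeof(marker) - 1`, would stop the two drifting apart if the enum repr changes again. The same applies to the 3/8 pair in the ": REJECT" branch above it. Only the first occurrence on a line is rewritten; a short comment saying that is enough for the test data would help.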
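Review bot: in plugins/python/sudo_python_module.c (hunk at -479), once `debug_return;` is dropped from the `PyModule_AddObject(...) < 0` branch, the success and failure paths fall through to the same return and the function gives its caller no status. The added comment explains the reference stealing, but not how a failure is meant to be noticed. If the intent is that the pending Python exception is picked up by the `PyErr_Occurred()` check at the `cleanup:` label later in this file, please say so in the comment. With the inner block scope gone, `py_enum_class` could also be declared at the point of assignment instead of being pre-initialised to NULL.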
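Review bot: in plugins/python/sudo_python_module.c (hunk at -597), the call to sudo_module_register_loghandler() is removed and sudo_python_module.h drops its prototype and `sudo_type_LogHandler`, yet `sudo_module_set_default_loghandler()` stays declared and the regress log for example_debugging.py still expects "LogHandler.emit was called". The visible lines do not show where the handler class is created now, so a comment at the removed call site (or in the commit message) naming the new owner and its lifetime would make the unload fix reviewable. The header hunk also removes `extern PyTypeObject *sudo_type_ConvMessage;`, which is unrelated to the log handler and deserves its own mention.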
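Review bot: in plugins/sudoers/match.c (hunk at -188), the new comment on the MYSELF case says the rule matches when "the user specified their own name on the command line", but the `strcmp(user_name, runas_pw->pw_name) == 0` arm is not gated on RUNAS_USER_SPECIFIED, so it also applies when neither a user nor a group was given and runas_pw holds whatever default was resolved. Either tighten the comment to describe the condition as written or add the flag test if the stricter reading is intended. Since this decides whether a sudoers rule with an empty Runas user grants access, a regression test covering the four combinations of RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED should accompany the change.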
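Review bot: in plugins/sudoers/sudoreplay.c (hunk at -629), the switch from the literal `1` to `SUDO_TERM_ISIG` is welcome, but the context line `ttyfd = open(_PATH_TTY, O_RDWR);` still feeds its result straight into sudo_term_raw() with no check for -1 in the visible lines. A failed open would then be reported as "unable to set tty to raw mode", which points at the wrong call. Checking ttyfd before the loop and failing with an open-specific message would be clearer.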
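Review bot: in src/exec_monitor.c (hunks at -373 and -652), both tests shrink to `if (foreground)`, so exec_monitor() now depends on its caller having already folded CD_EXEC_BG into the `foreground` argument. exec_pty.c does this through `cmnd_foreground`, but nothing in the visible lines documents the new contract. Please update the function's parameter comment to say that `foreground` means "the command should own the tty", so a future caller passing plain `ec.foreground` does not hand the terminal to a backgrounded command.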
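Review bot: in src/exec_ptrace.c (hunk at -1795), `orig_argv0 = argv[0] ? argv[0] : (char *)"";` casts away the constness of a string literal to fix the NULL argv[0] crash. That is safe only while nothing writes through orig_argv0. If the later uses are read-only, declaring orig_argv0 as `const char *` would remove the cast and let the compiler enforce it. The context comment just above has a typo, "exececute", that could be fixed in the same change.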
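Review bot: in src/exec_pty.c (hunks at -1183 and -1217), the local `pipeline` flag is replaced by `SET(details->flags, CD_EXEC_BG);`, which writes into the caller's command details and gives CD_EXEC_BG a second meaning: the old comment distinguished "part of a pipeline" from "backgrounded". Any other code that tests CD_EXEC_BG can no longer tell an explicit background request from stdin being a pipe. Please document the widened meaning where the flag is defined, or keep a separate flag for the pipeline case.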
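Review bot: in src/exec_pty.c (hunk at -1250), the stderr branch loses `if (S_ISFIFO(sb.st_mode)) pipeline = true;` with no replacement, while the stdin and stdout FIFO branches now set CD_EXEC_BG. That is a behaviour change for commands whose stderr alone is a pipe: they are now treated as foreground. If that is intended, a one-line comment in the stderr branch explaining why stderr is different would prevent someone from "restoring" the check later.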
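Review bot: in src/exec_pty.c (hunk at -1275), the initial raw-mode call still passes a literal, `sudo_term_raw(io_fds[SFD_USERTTY], 0)`, whereas the two calls changed in the hunks at -208 and -263 pass `term_raw_flags`. As written the two are equivalent, because `term_raw_flags` is only set together with CD_EXEC_BG and `cmnd_foreground` excludes that case, but the equivalence is not obvious. Using `term_raw_flags` here as well, or adding a comment stating why 0 is correct, would keep the three call sites consistent. The new file-scope `static unsigned int term_raw_flags;` would also benefit from a comment describing when it is set.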
