Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2020-05-20 18:37:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo"

Wed May 20 18:37:15 2020 rev:110 rq:807048 version:1.9.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2020-05-09 
19:52:26.244848575 +0200
+++ /work/SRC/openSUSE:Factory/.sudo.new.2738/sudo.changes      2020-05-20 
18:37:25.820226682 +0200
@@ -1,0 +2,17 @@
+Mon May 18 20:37:03 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- Update to 1.9.0 (current stable release)
+  * for changes between version 1.9.0 and 1.8.31p1 see rc changes
+    below
+
+-------------------------------------------------------------------
+Mon May 11 08:15:17 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- Update to 1.9.0rc5
+  * The default TLS listener is now only enabled when either the
+    TLS certificate file is explicitly specified in sudo_logsrvd.conf
+    or the default TLS certificate file exists in the file system.
+    There is no change in behavior for listen_address entries
+    explicitly set in the configuration file. 
+
+-------------------------------------------------------------------

Old:
----
  sudo-1.9.0rc4.tar.gz
  sudo-1.9.0rc4.tar.gz.sig

New:
----
  sudo-1.9.0.tar.gz
  sudo-1.9.0.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.haIMRc/_old  2020-05-20 18:37:27.256229691 +0200
+++ /var/tmp/diff_new_pack.haIMRc/_new  2020-05-20 18:37:27.256229691 +0200
@@ -22,14 +22,14 @@
 %define use_usretc 1
 %endif
 Name:           sudo
-Version:        1.9.0rc4
+Version:        1.9.0
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
 Group:          System/Base
 URL:            https://www.sudo.ws/
-Source0:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
-Source1:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz.sig
+Source0:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+Source1:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        sudo.pamd
 Source4:        sudo-i.pamd

++++++ sudo-1.9.0rc4.tar.gz -> sudo-1.9.0.tar.gz ++++++
++++ 3028 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/ChangeLog new/sudo-1.9.0/ChangeLog
--- old/sudo-1.9.0rc4/ChangeLog 2020-05-07 05:14:31.000000000 +0200
+++ new/sudo-1.9.0/ChangeLog    2020-05-11 18:29:28.000000000 +0200
@@ -1,3 +1,66 @@
+2020-05-11  Todd C. Miller  <[email protected]>
+
+       * .hgtags:
+       Added tag SUDO_1_9_0 for changeset 706d726a2f8e
+       [d1f2b4ee59d5] [tip] <1.9>
+
+       * MANIFEST, include/sudo_iolog.h, include/sudo_util.h,
+       lib/iolog/Makefile.in, lib/iolog/host_port.c,
+       lib/iolog/regress/host_port/host_port_test.c, lib/util/Makefile.in,
+       lib/util/host_port.c, lib/util/regress/host_port/host_port_test.c,
+       lib/util/util.exp.in, logsrvd/logsrvd_conf.c,
+       plugins/sudoers/iolog_client.c:
+       Rename sudo_parse_host_port -> iolog_parse_host_port and mv to
+       lib/iolog It is not used outside of the I/O log client and server
+       and the host:port syntax may change in the future.
+       [706d726a2f8e] [SUDO_1_9_0]
+
+       * plugins/sudoers/sudoreplay.c:
+       Remove duplicate inclusion of time.h
+       [f560858325d5]
+
+2020-05-08  Todd C. Miller  <[email protected]>
+
+       * doc/sudo_logsrvd.conf.man.in, doc/sudo_logsrvd.conf.mdoc.in,
+       logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c,
+       plugins/sudoers/iolog_client.c:
+       Only enable TLS listener by default if we have a cert for it. We
+       want the log server to work with the default configuration. If the
+       default certificate path exists, it will be used with the default
+       listener. If the user explicitly enabled a TLS listener we always
+       attempt to use it. If TLS was specified but no cert file was set,
+       the default location will be used (and an error will occur if the
+       cert cannot be loaded).
+       [16ade34c38ee]
+
+2020-05-07  Todd C. Miller  <[email protected]>
+
+       * plugins/sudoers/po/sudoers.pot, po/sudo.pot:
+       regen for 1.9.0 final
+       [99e507035253]
+
+       * logsrvd/Makefile.in:
+       regen
+       [555d817825b0]
+
+       * doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c:
+       The --preserve-env=list option may be specified more than once.
+       [8066a9d1b04b]
+
+       * doc/sudo_logsrv.proto.man.in, doc/sudo_logsrv.proto.mdoc.in,
+       doc/sudoers.man.in, doc/sudoers.mdoc.in:
+       Quiet some warnings from igor.
+       [4df4fd274023]
+
+       * MANIFEST, Makefile.in, etc/codespell.exclude, etc/codespell.ignore,
+       etc/codespell.skip:
+       Plumb in codespell with a "make spell" target.
+       [4b1de7ee8648]
+
+       * configure, configure.ac, install-sh:
+       Fix a few more typos.
+       [d22a8c46c743]
+
 2020-05-06  Todd C. Miller  <[email protected]>
 
        * NEWS, doc/sudo.man.in, doc/sudo.mdoc.in, src/parse_args.c:
@@ -11,7 +74,7 @@
        processed. While this is a bug in the calling program, there is
        little downside to erroring out when multiple options of the same
        type are specified on the command line. Bug #924
-       [66e2612e7672] [tip]
+       [66e2612e7672]
 
        * NEWS:
        Debian bug #734752
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/MANIFEST new/sudo-1.9.0/MANIFEST
--- old/sudo-1.9.0rc4/MANIFEST  2020-05-06 01:06:09.000000000 +0200
+++ new/sudo-1.9.0/MANIFEST     2020-05-11 18:28:22.000000000 +0200
@@ -57,12 +57,15 @@
 doc/sudoreplay.mdoc.in
 doc/visudo.man.in
 doc/visudo.mdoc.in
+etc/codespell.exclude
+etc/codespell.ignore
+etc/codespell.skip
 etc/init.d/aix.sh.in
 etc/init.d/hpux.sh.in
 etc/init.d/sudo.conf.in
-etc/sudo.pp
 etc/sudo-logsrvd.pp
 etc/sudo-python.pp
+etc/sudo.pp
 examples/Makefile.in
 examples/pam.conf
 examples/sudo.conf.in
@@ -99,12 +102,14 @@
 include/sudo_util.h
 install-sh
 lib/iolog/Makefile.in
+lib/iolog/host_port.c
 lib/iolog/hostcheck.c
 lib/iolog/iolog_fileio.c
 lib/iolog/iolog_json.c
 lib/iolog/iolog_json.h
 lib/iolog/iolog_path.c
 lib/iolog/iolog_util.c
+lib/iolog/regress/host_port/host_port_test.c  
 lib/iolog/regress/iolog_json/check_iolog_json.c
 lib/iolog/regress/iolog_json/test1.in
 lib/iolog/regress/iolog_json/test2.in
@@ -147,7 +152,6 @@
 lib/util/getusershell.c
 lib/util/gidlist.c
 lib/util/glob.c
-lib/util/host_port.c
 lib/util/inet_ntop.c
 lib/util/inet_pton.c
 lib/util/isblank.c
@@ -179,7 +183,6 @@
 lib/util/regress/glob/files
 lib/util/regress/glob/globtest.c
 lib/util/regress/glob/globtest.in
-lib/util/regress/host_port/host_port_test.c  
 lib/util/regress/mktemp/mktemp_test.c
 lib/util/regress/parse_gids/parse_gids_test.c
 lib/util/regress/progname/progname_test.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/configure.ac new/sudo-1.9.0/configure.ac
--- old/sudo-1.9.0rc4/configure.ac      2020-05-07 05:14:02.000000000 +0200
+++ new/sudo-1.9.0/configure.ac 2020-05-11 18:28:22.000000000 +0200
@@ -18,7 +18,7 @@
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.59])
-AC_INIT([sudo], [1.9.0rc4], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.0], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADER([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 dnl
@@ -261,7 +261,7 @@
 COMPAT_EXP=
 SIGNAME=
 dnl
-dnl Other vaiables
+dnl Other variables
 dnl
 WEAK_ALIAS=no
 CHECKSHADOW=true
@@ -1051,7 +1051,7 @@
                ;;
     [[1-9]]*)  passwd_tries=$with_passwd_tries
                ;;
-    *)         AC_MSG_ERROR(["you must enter the numer of tries, > 0"])
+    *)         AC_MSG_ERROR(["you must enter the number of tries, > 0"])
                ;;
 esac])
 AC_DEFINE_UNQUOTED(TRIES_FOR_PASSWORD, $passwd_tries, [The number of tries a 
user gets to enter their password.])
@@ -1065,7 +1065,7 @@
                ;;
     [[0-9]]*)  timeout=$with_timeout
                ;;
-    *)         AC_MSG_ERROR(["you must enter the numer of minutes."])
+    *)         AC_MSG_ERROR(["you must enter the number of minutes."])
                ;;
 esac])
 AC_DEFINE_UNQUOTED(TIMEOUT, $timeout, [The number of minutes before sudo asks 
for a password again.])
@@ -1079,7 +1079,7 @@
                ;;
     [[0-9]]*)  password_timeout=$with_password_timeout
                ;;
-    *)         AC_MSG_ERROR(["you must enter the numer of minutes."])
+    *)         AC_MSG_ERROR(["you must enter the number of minutes."])
                ;;
 esac])
 AC_DEFINE_UNQUOTED(PASSWORD_TIMEOUT, $password_timeout, [The passwd prompt 
timeout (in minutes).])
@@ -1584,7 +1584,7 @@
 ])
 
 AC_ARG_ENABLE(devsearch,
-[AS_HELP_STRING([--enable-devsearch=PATH], [The colon-delimited path to search 
for device nodes when determing the tty name.])],
+[AS_HELP_STRING([--enable-devsearch=PATH], [The colon-delimited path to search 
for device nodes when determining the tty name.])],
 [case $enableval in
     yes)       # use default value
                ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo.man.in new/sudo-1.9.0/doc/sudo.man.in
--- old/sudo-1.9.0rc4/doc/sudo.man.in   2020-05-07 05:12:40.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo.man.in      2020-05-11 18:28:22.000000000 +0200
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "May 6, 2020" "Sudo @PACKAGE_VERSION@" "System 
Manager's Manual"
+.TH "SUDO" "@mansectsu@" "May 7, 2020" "Sudo @PACKAGE_VERSION@" "System 
Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -290,6 +290,7 @@
 from the user's environment.
 The security policy may return an error if the user does not have
 permission to preserve the environment.
+This option may be specified multiple times.
 .TP 12n
 \fB\-e\fR, \fB\--edit\fR
 Edit one or more files instead of running a command.
@@ -686,7 +687,8 @@
 \fBsudo\fR
 should stop processing command line arguments.
 .PP
-Options that take a value may only be specified once.
+Options that take a value may only be specified once unless
+otherwise indicated in the description.
 This is to help guard against problems caused by poorly written
 scripts that invoke
 \fBsudo\fR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo.mdoc.in new/sudo-1.9.0/doc/sudo.mdoc.in
--- old/sudo-1.9.0rc4/doc/sudo.mdoc.in  2020-05-07 05:12:40.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo.mdoc.in     2020-05-11 18:28:23.000000000 +0200
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd May 6, 2020
+.Dd May 7, 2020
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -280,6 +280,7 @@
 from the user's environment.
 The security policy may return an error if the user does not have
 permission to preserve the environment.
+This option may be specified multiple times.
 .It Fl e , -edit
 Edit one or more files instead of running a command.
 In lieu of a path name, the string "sudoedit" is used when consulting
@@ -638,7 +639,8 @@
 should stop processing command line arguments.
 .El
 .Pp
-Options that take a value may only be specified once.
+Options that take a value may only be specified once unless
+otherwise indicated in the description.
 This is to help guard against problems caused by poorly written
 scripts that invoke
 .Nm sudo
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo_logsrv.proto.man.in 
new/sudo-1.9.0/doc/sudo_logsrv.proto.man.in
--- old/sudo-1.9.0rc4/doc/sudo_logsrv.proto.man.in      2020-05-05 
21:24:23.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo_logsrv.proto.man.in 2020-05-11 18:28:22.000000000 
+0200
@@ -582,7 +582,7 @@
 Server closes the connection.
 After receiving the final
 \fIcommit_point\fR,
-the client client shuts down its side of the TLS connection if TLS
+the client shuts down its side of the TLS connection if TLS
 is in use, and closes the connection.
 .TP 5n
 11.\&
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo_logsrv.proto.mdoc.in 
new/sudo-1.9.0/doc/sudo_logsrv.proto.mdoc.in
--- old/sudo-1.9.0rc4/doc/sudo_logsrv.proto.mdoc.in     2020-05-05 
21:24:23.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo_logsrv.proto.mdoc.in        2020-05-11 
18:28:22.000000000 +0200
@@ -535,7 +535,7 @@
 Server closes the connection.
 After receiving the final
 .Em commit_point ,
-the client client shuts down its side of the TLS connection if TLS
+the client shuts down its side of the TLS connection if TLS
 is in use, and closes the connection.
 .It
 Server shuts down its side of the TLS connection if TLS is in use,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo_logsrvd.conf.man.in 
new/sudo-1.9.0/doc/sudo_logsrvd.conf.man.in
--- old/sudo-1.9.0rc4/doc/sudo_logsrvd.conf.man.in      2020-05-05 
21:24:23.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo_logsrvd.conf.man.in 2020-05-11 18:28:23.000000000 
+0200
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "April 30, 2020" "Sudo 
@PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "May 8, 2020" "Sudo @PACKAGE_VERSION@" 
"File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -154,7 +154,10 @@
 The path to a certificate authority bundle file, in PEM format,
 to use instead of the system's default certificate authority database
 when authenticating clients.
-The default is to use the system's default certificate authority database.
+The default is to use
+\fI/etc/ssl/sudo/cacert.pem\fR
+if it exists, otherwise the system's default certificate authority
+database is used.
 .TP 10n
 tls_cert = path
 The path to the server's certificate file, in PEM format.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudo_logsrvd.conf.mdoc.in 
new/sudo-1.9.0/doc/sudo_logsrvd.conf.mdoc.in
--- old/sudo-1.9.0rc4/doc/sudo_logsrvd.conf.mdoc.in     2020-05-05 
21:24:23.000000000 +0200
+++ new/sudo-1.9.0/doc/sudo_logsrvd.conf.mdoc.in        2020-05-11 
18:28:23.000000000 +0200
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd April 30, 2020
+.Dd May 8, 2020
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -138,7 +138,10 @@
 The path to a certificate authority bundle file, in PEM format,
 to use instead of the system's default certificate authority database
 when authenticating clients.
-The default is to use the system's default certificate authority database.
+The default is to use
+.Pa /etc/ssl/sudo/cacert.pem
+if it exists, otherwise the system's default certificate authority
+database is used.
 .It tls_cert = path
 The path to the server's certificate file, in PEM format.
 The default value is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudoers.man.in new/sudo-1.9.0/doc/sudoers.man.in
--- old/sudo-1.9.0rc4/doc/sudoers.man.in        2020-05-05 21:24:23.000000000 
+0200
+++ new/sudo-1.9.0/doc/sudoers.man.in   2020-05-11 18:28:23.000000000 +0200
@@ -4614,14 +4614,12 @@
 invoking the editor directly.
 .TP 18n
 log_servers
+A list of one or more remote servers to use for I/O log storage, separated
+by white space.
 Starting with
 \fBsudo\fR
 1.9, it is possible to send I/O logs to a remote server instead of
 logging them locally.
-The
-\fIlog_servers\fR
-setting specifies one or more hosts to connect to for
-remote I/O log storage.
 Log servers must be running
 \fBsudo_logsrvd\fR
 or another service that implements the protocol described by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/doc/sudoers.mdoc.in new/sudo-1.9.0/doc/sudoers.mdoc.in
--- old/sudo-1.9.0rc4/doc/sudoers.mdoc.in       2020-05-05 21:24:23.000000000 
+0200
+++ new/sudo-1.9.0/doc/sudoers.mdoc.in  2020-05-11 18:28:22.000000000 +0200
@@ -4304,14 +4304,12 @@
 to get their accustomed editor configuration instead of
 invoking the editor directly.
 .It log_servers
+A list of one or more remote servers to use for I/O log storage, separated
+by white space.
 Starting with
 .Nm sudo
 1.9, it is possible to send I/O logs to a remote server instead of
 logging them locally.
-The
-.Em log_servers
-setting specifies one or more hosts to connect to for
-remote I/O log storage.
 Log servers must be running
 .Nm sudo_logsrvd
 or another service that implements the protocol described by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/etc/codespell.exclude new/sudo-1.9.0/etc/codespell.exclude
--- old/sudo-1.9.0rc4/etc/codespell.exclude     1970-01-01 01:00:00.000000000 
+0100
+++ new/sudo-1.9.0/etc/codespell.exclude        2020-05-11 18:28:23.000000000 
+0200
@@ -0,0 +1,32 @@
+ * Returns true if any tags set in nt differ between ot and nt, else false.
+#define TAGS_CHANGED(ot, nt) \
+    ((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
+    (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
+    (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
+    (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
+    (TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \
+    (TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \
+    (TAG_SET((nt).send_mail) && (nt).send_mail != (ot).send_mail))
+                          sv sw ta te tg th tr uk  ur vi  wa wo zh_CN zh_HK
+    if (!PyArg_ParseTupleAndKeywords(py_args ? py_args : py_empty, py_kwargs, 
"Ois|i:sudo.ConvMessage", keywords,
+                       $ans = <STDIN>;
+                       if ($ans =~ /^[yY]/) {
+.nr BA @BAMAN@
+.if \n(BA \{\
+.Nd convert between sudoers file formats
+.Nd configuration for sudo front end
+.Nd execute a command as another user
+.Nd Sudo log server protocol
+.Nd configuration for sudo_logsrvd
+.Nd sudo event and I/O log server
+.Nd Sudo Plugin API
+.Nd Sudo Plugin API (Python)
+.Nd send sudo I/O log to log server
+.Nd sudo LDAP configuration
+.Nd default sudo security policy plugin
+.Nd Sudoers Time Stamp Format
+.Nd replay sudo session logs
+.Nd edit the sudoers file
+ * If path doesn't end in /, return true iff cmnd & path name the same inode;
+ *     Tim Fraser
+               echo ".Nd sudo" >> conftest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/etc/codespell.ignore new/sudo-1.9.0/etc/codespell.ignore
--- old/sudo-1.9.0rc4/etc/codespell.ignore      1970-01-01 01:00:00.000000000 
+0100
+++ new/sudo-1.9.0/etc/codespell.ignore 2020-05-11 18:28:22.000000000 +0200
@@ -0,0 +1,14 @@
+Ois
+SOM
+VAS
+alloced
+edn
+fIDN
+ist
+numer
+pleas
+sav
+thur
+toke
+vas
+wit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/etc/codespell.skip new/sudo-1.9.0/etc/codespell.skip
--- old/sudo-1.9.0rc4/etc/codespell.skip        1970-01-01 01:00:00.000000000 
+0100
+++ new/sudo-1.9.0/etc/codespell.skip   2020-05-11 18:28:22.000000000 +0200
@@ -0,0 +1,25 @@
+\.in\.sed$
+/data
+Makefile\.in
+^ChangeLog$
+^MANIFEST$
+^aclocal\.m4$
+^autogen\.sh$
+^config\.guess$
+^config\.h\.in$
+^config\.sub$
+^configure$
+^doc/.*\.man\.in$
+^doc/CONTRIBUTORS$
+^etc/codespell
+^lib/util/fnmatch\.c$
+^lib/util/getaddrinfo\.c$
+^lib/zlib/
+^libtool$
+^ltmain\.sh$
+^m4/libtool\.m4$
+^m4/lt.*\.m4$
+^mkinstalldirs$
+^plugins/sudoers/po/
+^po/
+^scripts/pp$
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/include/sudo_iolog.h new/sudo-1.9.0/include/sudo_iolog.h
--- old/sudo-1.9.0rc4/include/sudo_iolog.h      2020-03-29 13:05:08.000000000 
+0200
+++ new/sudo-1.9.0/include/sudo_iolog.h 2020-05-11 18:28:23.000000000 +0200
@@ -107,6 +107,9 @@
     size_t (*copy_fn)(char *, size_t, void *);
 };
 
+/* host_port.c */
+bool iolog_parse_host_port(char *str, char **hostp, char **portp, bool *tlsp, 
char *defport, char *defport_tls);
+
 /* iolog_path.c */
 bool expand_iolog_path(const char *inpath, char *path, size_t pathlen, const 
struct iolog_path_escape *escapes, void *closure);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/include/sudo_util.h new/sudo-1.9.0/include/sudo_util.h
--- old/sudo-1.9.0rc4/include/sudo_util.h       2020-05-06 17:10:03.000000000 
+0200
+++ new/sudo-1.9.0/include/sudo_util.h  2020-05-11 18:28:23.000000000 +0200
@@ -207,10 +207,6 @@
 __dso_public int sudo_getgrouplist2_v1(const char *name, gid_t basegid, 
GETGROUPS_T **groupsp, int *ngroupsp);
 #define sudo_getgrouplist2(_a, _b, _c, _d) sudo_getgrouplist2_v1((_a), (_b), 
(_c), (_d))
 
-/* host_port.c */
-__dso_public bool sudo_parse_host_port_v1(char *str, char **hostp, char 
**portp, bool *tlsp, char *defport, char *defport_tls);
-#define sudo_parse_host_port(_a, _b, _c, _d, _e, _f) 
sudo_parse_host_port_v1((_a), (_b), (_c), (_d), (_e), (_f))
-
 /* key_val.c */
 __dso_public char *sudo_new_key_val_v1(const char *key, const char *value);
 #define sudo_new_key_val(_a, _b) sudo_new_key_val_v1((_a), (_b))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/lib/iolog/host_port.c new/sudo-1.9.0/lib/iolog/host_port.c
--- old/sudo-1.9.0rc4/lib/iolog/host_port.c     1970-01-01 01:00:00.000000000 
+0100
+++ new/sudo-1.9.0/lib/iolog/host_port.c        2020-05-11 18:28:23.000000000 
+0200
@@ -0,0 +1,106 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019-2020 Todd C. Miller <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+
+#include <sys/types.h>
+
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "sudo_gettext.h"      /* must be included before sudo_compat.h */
+#include "sudo_compat.h"
+#include "sudo_debug.h"
+#include "sudo_util.h"
+
+/*
+ * Parse a string in the form host[:port] where host can also be
+ * an IPv4 address or an IPv6 address in square brackets.
+ * Fills in hostp and portp which may point within str, which is modified.
+ */
+bool
+iolog_parse_host_port(char *str, char **hostp, char **portp, bool *tlsp,
+     char *defport, char *defport_tls)
+{
+    char *flags, *port, *host = str;
+    bool ret = false;
+    bool tls = false;
+    debug_decl(iolog_parse_host_port, SUDO_DEBUG_UTIL);
+
+    /* Check for IPv6 address like [::0] followed by optional port */
+    if (*host == '[') {
+       host++;
+       port = strchr(host, ']');
+       if (port == NULL) {
+           sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+               "invalid IPv6 address %s", str);
+           goto done;
+       }
+       *port++ = '\0';
+        switch (*port) {
+        case ':':
+            port++;
+            break;
+        case '\0':
+            port = NULL;               /* no port specified */
+            break;
+        case '(':
+            /* flag, handled below */
+            break;
+        default:
+           sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+               "invalid IPv6 address %s", str);
+           goto done;
+       }
+    } else {
+       port = strrchr(host, ':');
+       if (port != NULL)
+           *port++ = '\0';
+    }
+
+    /* Check for optional tls flag at the end. */
+    flags = strchr(port ? port : host, '(');
+    if (flags != NULL) {
+       if (strcasecmp(flags, "(tls)") == 0)
+           tls = true;
+       *flags = '\0';
+       if (port == flags)
+           port = NULL;
+    }
+
+    if (port == NULL)
+       port = tls ? defport_tls : defport;
+    else if (*port == '\0')
+       goto done;
+
+    *hostp = host;
+    *portp = port;
+    *tlsp = tls;
+
+    ret = true;
+
+done:
+    debug_return_bool(ret);
+}
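Review bot: An unrecognised flag suffix is silently discarded in the `flags != NULL` branch of iolog_parse_host_port(). Anything starting with `(` other than `(tls)` is cut off by `*flags = '\0'` and the entry is returned with `tls` false, so a mistyped flag (constructed example: `(tsl)`) would parse as a plaintext log server instead of being rejected. The function already fails on other malformed input, so consider `if (strcasecmp(flags, "(tls)") != 0) goto done;` ahead of `tls = true;`, with a `sudo_debug_printf` of the offending string as in the IPv6 error path. Separately, the file calls `strcasecmp` but includes only `<string.h>`, while the regress test in this same commit includes `<strings.h>` under `HAVE_STRINGS_H`. It also does not include `sudo_iolog.h`, where the prototype now lives, so unless another project header pulls these in, the definition is not checked against its declaration.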
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/lib/iolog/regress/host_port/host_port_test.c 
new/sudo-1.9.0/lib/iolog/regress/host_port/host_port_test.c
--- old/sudo-1.9.0rc4/lib/iolog/regress/host_port/host_port_test.c      
1970-01-01 01:00:00.000000000 +0100
+++ new/sudo-1.9.0/lib/iolog/regress/host_port/host_port_test.c 2020-05-11 
18:28:23.000000000 +0200
@@ -0,0 +1,151 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019-2020 Todd C. Miller <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif
+#include <time.h>
+#include <unistd.h>
+
+#include "sudo_compat.h"
+#include "sudo_fatal.h"
+#include "sudo_iolog.h"
+#include "sudo_util.h"
+
+__dso_public int main(int argc, char *argv[]);
+
+/*
+ * Test that iolog_parse_host_port() works as expected.
+ */
+
+struct host_port_test {
+    const char *str;           /* input string */
+    const char *host;          /* parsed host */
+    const char *port;          /* parsed port */
+    bool tls;                  /* parsed TLS flag */
+    char *defport;             /* default port */
+    char *defport_tls;         /* default port */
+    bool ret;                  /* return value */
+};
+
+static struct host_port_test test_data[] = {
+    /* No TLS */
+    { "xerxes", "xerxes", "12345", false, "12345", NULL, true },
+    { "xerxes:12345", "xerxes", "12345", false, "67890", NULL, true },
+    { "127.0.0.1", "127.0.0.1", "12345", false, "12345", NULL, true },
+    { "127.0.0.1:12345", "127.0.0.1", "12345", false, "67890", NULL, true },
+    { "[::1]", "::1", "12345", false, "12345", NULL, true },
+    { "[::1]:12345", "::1", "12345", false, "67890", NULL, true },
+
+    /* With TLS */
+    { "xerxes(tls)", "xerxes", "12345", true, "5678", "12345", true },
+    { "xerxes:12345(tls)", "xerxes", "12345", true, "5678", "67890", true },
+    { "127.0.0.1(tls)", "127.0.0.1", "12345", true, "5678", "12345", true },
+    { "127.0.0.1:12345(tls)", "127.0.0.1", "12345", true, "5678", "67890", 
true },
+    { "[::1](tls)", "::1", "12345", true, "5678", "12345", true },
+    { "[::1]:12345(tls)", "::1", "12345", true, "5678", "67890", true },
+
+    /* Errors */
+    { "xerxes:", NULL, NULL, false, "12345", NULL, false },    /* missing port 
*/
+    { "127.0.0.1:", NULL, NULL, false, "12345", NULL, false }, /* missing port 
*/
+    { "[::1:12345", NULL, NULL, false, "67890", NULL, false }, /* missing 
bracket */
+    { "[::1]:", NULL, NULL, false, "12345", NULL, false },     /* missing port 
*/
+    { NULL }
+};
+
+int
+main(int argc, char *argv[])
+{
+    int i, errors = 0, ntests = 0;
+    char *host, *port, *copy = NULL;
+    bool ret, tls;
+
+    initprogname(argc > 0 ? argv[0] : "host_port_test");
+
+    for (i = 0; test_data[i].str != NULL; i++) {
+       host = port = NULL;
+       tls = false;
+       free(copy);
+       if ((copy = strdup(test_data[i].str)) == NULL)
+           sudo_fatal_nodebug(NULL);
+
+       ntests++;
+       ret = iolog_parse_host_port(copy, &host, &port, &tls,
+           test_data[i].defport, test_data[i].defport_tls);
+       if (ret != test_data[i].ret) {
+           sudo_warnx_nodebug("test #%d: %s: returned %s, expected %s",
+               ntests, test_data[i].str, ret ? "true" : "false",
+               test_data[i].ret ? "true" : "false");
+           errors++;
+           continue;
+       }
+       if (!ret)
+           continue;
+
+       if (host == NULL) {
+           sudo_warnx_nodebug("test #%d: %s: NULL host",
+               ntests, test_data[i].str);
+           errors++;
+           continue;
+       }
+       if (strcmp(host, test_data[i].host) != 0) {
+           sudo_warnx_nodebug("test #%d: %s: bad host, expected %s, got %s",
+               ntests, test_data[i].str, test_data[i].host, host);
+           errors++;
+           continue;
+       }
+       if (port == NULL) {
+           sudo_warnx_nodebug("test #%d: %s: NULL port",
+               ntests, test_data[i].str);
+           errors++;
+           continue;
+       }
+       if (strcmp(port, test_data[i].port) != 0) {
+           sudo_warnx_nodebug("test #%d: %s: bad port, expected %s, got %s",
+               ntests, test_data[i].str, test_data[i].port, port);
+           errors++;
+           continue;
+       }
+       if (tls != test_data[i].tls) {
+           sudo_warnx_nodebug("test #%d: %s: bad tls, expected %s, got %s",
+               ntests, test_data[i].str, test_data[i].tls ? "true" : "false",
+               tls ? "true" : "false");
+           errors++;
+           continue;
+       }
+    }
+    free(copy);
+    if (ntests != 0) {
+       printf("%s: %d tests run, %d errors, %d%% success rate\n",
+           getprogname(), ntests, errors, (ntests - errors) * 100 / ntests);
+    }
+    exit(errors);
+}
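Review bot: The `test_data` table has no row for an unrecognised or misspelt flag such as `"xerxes(tsl)"`. In the parser shown just above this file, a `(`-suffix that fails the `strcasecmp(flags, "(tls)")` comparison is still stripped and the function returns true with `tls` false, so a typo in the flag silently yields a plaintext endpoint. A row should pin whichever behaviour is intended. If rejection is intended, that row is `{ "xerxes(tsl)", NULL, NULL, false, "12345", NULL, false },`, and the parser would then need a `goto done` on the failed comparison. The `/* default port */` comment on `defport_tls` should also read `/* default TLS port */`.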
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/lib/util/host_port.c new/sudo-1.9.0/lib/util/host_port.c
--- old/sudo-1.9.0rc4/lib/util/host_port.c      2020-05-05 21:24:23.000000000 
+0200
+++ new/sudo-1.9.0/lib/util/host_port.c 1970-01-01 01:00:00.000000000 +0100
@@ -1,106 +0,0 @@
-/*
- * SPDX-License-Identifier: ISC
- *
- * Copyright (c) 2019-2020 Todd C. Miller <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-
-#ifdef HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-# include "compat/stdbool.h"
-#endif /* HAVE_STDBOOL_H */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include "sudo_gettext.h"      /* must be included before sudo_compat.h */
-#include "sudo_compat.h"
-#include "sudo_debug.h"
-#include "sudo_util.h"
-
-/*
- * Parse a string in the form host[:port] where host can also be
- * an IPv4 address or an IPv6 address in square brackets.
- * Fills in hostp and portp which may point within str, which is modified.
- */
-bool
-sudo_parse_host_port_v1(char *str, char **hostp, char **portp, bool *tlsp,
-     char *defport, char *defport_tls)
-{
-    char *flags, *port, *host = str;
-    bool ret = false;
-    bool tls = false;
-    debug_decl(sudo_parse_host_port, SUDO_DEBUG_UTIL);
-
-    /* Check for IPv6 address like [::0] followed by optional port */
-    if (*host == '[') {
-       host++;
-       port = strchr(host, ']');
-       if (port == NULL) {
-           sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-               "invalid IPv6 address %s", str);
-           goto done;
-       }
-       *port++ = '\0';
-        switch (*port) {
-        case ':':
-            port++;
-            break;
-        case '\0':
-            port = NULL;               /* no port specified */
-            break;
-        case '(':
-            /* flag, handled below */
-            break;
-        default:
-           sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-               "invalid IPv6 address %s", str);
-           goto done;
-       }
-    } else {
-       port = strrchr(host, ':');
-       if (port != NULL)
-           *port++ = '\0';
-    }
-
-    /* Check for optional tls flag at the end. */
-    flags = strchr(port ? port : host, '(');
-    if (flags != NULL) {
-       if (strcasecmp(flags, "(tls)") == 0)
-           tls = true;
-       *flags = '\0';
-       if (port == flags)
-           port = NULL;
-    }
-
-    if (port == NULL)
-       port = tls ? defport_tls : defport;
-    else if (*port == '\0')
-       goto done;
-
-    *hostp = host;
-    *portp = port;
-    *tlsp = tls;
-
-    ret = true;
-
-done:
-    debug_return_bool(ret);
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/lib/util/regress/host_port/host_port_test.c 
new/sudo-1.9.0/lib/util/regress/host_port/host_port_test.c
--- old/sudo-1.9.0rc4/lib/util/regress/host_port/host_port_test.c       
2020-05-05 21:24:23.000000000 +0200
+++ new/sudo-1.9.0/lib/util/regress/host_port/host_port_test.c  1970-01-01 
01:00:00.000000000 +0100
@@ -1,148 +0,0 @@
-/*
- * SPDX-License-Identifier: ISC
- *
- * Copyright (c) 2019-2020 Todd C. Miller <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#ifdef HAVE_STRING_H
-# include <string.h>
-#endif /* HAVE_STRING_H */
-#ifdef HAVE_STRINGS_H
-# include <strings.h>
-#endif /* HAVE_STRINGS_H */
-#ifdef HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-# include "compat/stdbool.h"
-#endif
-
-#include "sudo_compat.h"
-#include "sudo_fatal.h"
-#include "sudo_util.h"
-
-__dso_public int main(int argc, char *argv[]);
-
-/*
- * Test that sudo_parse_host_port() works as expected.
- */
-
-struct host_port_test {
-    const char *str;           /* input string */
-    const char *host;          /* parsed host */
-    const char *port;          /* parsed port */
-    bool tls;                  /* parsed TLS flag */
-    char *defport;             /* default port */
-    char *defport_tls;         /* default port */
-    bool ret;                  /* return value */
-};
-
-static struct host_port_test test_data[] = {
-    /* No TLS */
-    { "xerxes", "xerxes", "12345", false, "12345", NULL, true },
-    { "xerxes:12345", "xerxes", "12345", false, "67890", NULL, true },
-    { "127.0.0.1", "127.0.0.1", "12345", false, "12345", NULL, true },
-    { "127.0.0.1:12345", "127.0.0.1", "12345", false, "67890", NULL, true },
-    { "[::1]", "::1", "12345", false, "12345", NULL, true },
-    { "[::1]:12345", "::1", "12345", false, "67890", NULL, true },
-
-    /* With TLS */
-    { "xerxes(tls)", "xerxes", "12345", true, "5678", "12345", true },
-    { "xerxes:12345(tls)", "xerxes", "12345", true, "5678", "67890", true },
-    { "127.0.0.1(tls)", "127.0.0.1", "12345", true, "5678", "12345", true },
-    { "127.0.0.1:12345(tls)", "127.0.0.1", "12345", true, "5678", "67890", 
true },
-    { "[::1](tls)", "::1", "12345", true, "5678", "12345", true },
-    { "[::1]:12345(tls)", "::1", "12345", true, "5678", "67890", true },
-
-    /* Errors */
-    { "xerxes:", NULL, NULL, false, "12345", NULL, false },    /* missing port 
*/
-    { "127.0.0.1:", NULL, NULL, false, "12345", NULL, false }, /* missing port 
*/
-    { "[::1:12345", NULL, NULL, false, "67890", NULL, false }, /* missing 
bracket */
-    { "[::1]:", NULL, NULL, false, "12345", NULL, false },     /* missing port 
*/
-    { NULL }
-};
-
-int
-main(int argc, char *argv[])
-{
-    int i, errors = 0, ntests = 0;
-    char *host, *port, *copy = NULL;
-    bool ret, tls;
-
-    initprogname(argc > 0 ? argv[0] : "host_port_test");
-
-    for (i = 0; test_data[i].str != NULL; i++) {
-       host = port = NULL;
-       tls = false;
-       free(copy);
-       if ((copy = strdup(test_data[i].str)) == NULL)
-           sudo_fatal_nodebug(NULL);
-
-       ntests++;
-       ret = sudo_parse_host_port(copy, &host, &port, &tls,
-           test_data[i].defport, test_data[i].defport_tls);
-       if (ret != test_data[i].ret) {
-           sudo_warnx_nodebug("test #%d: %s: returned %s, expected %s",
-               ntests, test_data[i].str, ret ? "true" : "false",
-               test_data[i].ret ? "true" : "false");
-           errors++;
-           continue;
-       }
-       if (!ret)
-           continue;
-
-       if (host == NULL) {
-           sudo_warnx_nodebug("test #%d: %s: NULL host",
-               ntests, test_data[i].str);
-           errors++;
-           continue;
-       }
-       if (strcmp(host, test_data[i].host) != 0) {
-           sudo_warnx_nodebug("test #%d: %s: bad host, expected %s, got %s",
-               ntests, test_data[i].str, test_data[i].host, host);
-           errors++;
-           continue;
-       }
-       if (port == NULL) {
-           sudo_warnx_nodebug("test #%d: %s: NULL port",
-               ntests, test_data[i].str);
-           errors++;
-           continue;
-       }
-       if (strcmp(port, test_data[i].port) != 0) {
-           sudo_warnx_nodebug("test #%d: %s: bad port, expected %s, got %s",
-               ntests, test_data[i].str, test_data[i].port, port);
-           errors++;
-           continue;
-       }
-       if (tls != test_data[i].tls) {
-           sudo_warnx_nodebug("test #%d: %s: bad tls, expected %s, got %s",
-               ntests, test_data[i].str, test_data[i].tls ? "true" : "false",
-               tls ? "true" : "false");
-           errors++;
-           continue;
-       }
-    }
-    free(copy);
-    if (ntests != 0) {
-       printf("%s: %d tests run, %d errors, %d%% success rate\n",
-           getprogname(), ntests, errors, (ntests - errors) * 100 / ntests);
-    }
-    exit(errors);
-}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/lib/util/util.exp.in new/sudo-1.9.0/lib/util/util.exp.in
--- old/sudo-1.9.0rc4/lib/util/util.exp.in      2020-02-20 20:20:15.000000000 
+0100
+++ new/sudo-1.9.0/lib/util/util.exp.in 2020-05-11 18:28:23.000000000 +0200
@@ -108,7 +108,6 @@
 sudo_mkdir_parents_v1
 sudo_new_key_val_v1
 sudo_parse_gids_v1
-sudo_parse_host_port_v1
 sudo_parseln_v1
 sudo_parseln_v2
 sudo_pow2_roundup_v1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/logsrvd/logsrvd.c new/sudo-1.9.0/logsrvd/logsrvd.c
--- old/sudo-1.9.0rc4/logsrvd/logsrvd.c 2020-05-06 17:12:09.000000000 +0200
+++ new/sudo-1.9.0/logsrvd/logsrvd.c    2020-05-11 18:28:23.000000000 +0200
@@ -1193,11 +1193,17 @@
 
             /* set the location of the CA bundle file for verification */
             if (SSL_CTX_load_verify_locations(ctx, tls_config->cacert_path, 
NULL) <= 0) {
-               errstr = ERR_reason_error_string(ERR_get_error());
+                errstr = ERR_reason_error_string(ERR_get_error());
                 sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr);
                 goto bad;
             }
-        }
+        } else {
+           if (!SSL_CTX_set_default_verify_paths(ctx)) {
+                errstr = ERR_reason_error_string(ERR_get_error());
+                sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
+                goto bad;
+           }
+       }
 
         /* only verify server cert if it is set in the configuration */
         if (tls_config->verify) {
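Review bot: The new `else` branch makes the system default trust store the verification root whenever `cacert_path` is unset, and nothing in the code says so. If `tls_config->verify` (tested just below) is then enabled, a peer certificate issued by any CA in that store would chain successfully, which is a much wider trust set than a dedicated CA bundle. I would state that above the call, e.g. `/* No CA bundle configured: fall back to the system trust store (every CA in it is trusted). */`. The same fallback is added on the client side in plugins/sudoers/iolog_client.c at -217, where the comment applies equally. The enclosing function starts and ends outside this hunk.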
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/logsrvd/logsrvd_conf.c new/sudo-1.9.0/logsrvd/logsrvd_conf.c
--- old/sudo-1.9.0rc4/logsrvd/logsrvd_conf.c    2020-05-05 21:24:23.000000000 
+0200
+++ new/sudo-1.9.0/logsrvd/logsrvd_conf.c       2020-05-11 18:28:23.000000000 
+0200
@@ -382,7 +382,7 @@
     }
 
     /* Parse host[:port] */
-    if (!sudo_parse_host_port(copy, &host, &port, &tls, DEFAULT_PORT,
+    if (!iolog_parse_host_port(copy, &host, &port, &tls, DEFAULT_PORT,
            DEFAULT_PORT_TLS))
        goto done;
     if (host[0] == '*' && host[1] == '\0')
@@ -982,15 +982,23 @@
     }
 
 #if defined(HAVE_OPENSSL)
-    config->server.tls_config.cacert_path = strdup(DEFAULT_CA_CERT_PATH);
-    if (config->server.tls_config.cacert_path == NULL) {
-       sudo_warn(NULL);
-       goto bad;
+    /*
+     * Only set default CA and cert paths if the files actually exist.
+     * This ensures we don't enable TLS by default when it is not configured.
+     */
+    if (access(DEFAULT_CA_CERT_PATH, R_OK) == 0) {
+       config->server.tls_config.cacert_path = strdup(DEFAULT_CA_CERT_PATH);
+       if (config->server.tls_config.cacert_path == NULL) {
+           sudo_warn(NULL);
+           goto bad;
+       }
     }
-    config->server.tls_config.cert_path = strdup(DEFAULT_SERVER_CERT_PATH);
-    if (config->server.tls_config.cert_path == NULL) {
-       sudo_warn(NULL);
-       goto bad;
+    if (access(DEFAULT_SERVER_CERT_PATH, R_OK) == 0) {
+       config->server.tls_config.cert_path = strdup(DEFAULT_SERVER_CERT_PATH);
+       if (config->server.tls_config.cert_path == NULL) {
+           sudo_warn(NULL);
+           goto bad;
+       }
     }
     config->server.tls_config.pkey_path = strdup(DEFAULT_SERVER_KEY_PATH);
     if (config->server.tls_config.pkey_path == NULL) {
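Review bot: Both `access()` checks treat every failure as "file absent", so a certificate that exists but is unreadable (wrong mode or owner) leaves `cert_path` unset with no diagnostic. Per the later hunk at -1056, the daemon then comes up with only the plaintext listener. Distinguishing the cases would make that downgrade visible, e.g. `else if (errno != ENOENT) sudo_warn("%s", DEFAULT_SERVER_CERT_PATH);` after each check, assuming `<errno.h>` is already included in this file, which the hunk does not show. The enclosing function begins and ends outside the hunk.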
@@ -1056,11 +1064,36 @@
 
     /* There can be multiple addresses so we can't set a default earlier. */
     if (TAILQ_EMPTY(&config->server.addresses)) {
+       /* Enable plaintext listender. */
        if (!cb_listen_address(config, "*:" DEFAULT_PORT))
            debug_return_bool(false);
 #if defined(HAVE_OPENSSL)
-       if (!cb_listen_address(config, "*:" DEFAULT_PORT_TLS "(tls)"))
-           debug_return_bool(false);
+       /* If a certificate was specified, enable the TLS listener too. */
+       if (config->server.tls_config.cert_path != NULL) {
+           if (!cb_listen_address(config, "*:" DEFAULT_PORT_TLS "(tls)"))
+               debug_return_bool(false);
+       }
+    } else {
+       struct listen_address *addr;
+
+       /* Sanity check the TLS configuration. */
+       TAILQ_FOREACH(addr, &config->server.addresses, entries) {
+           if (!addr->tls)
+               continue;
+           /*
+            * If a TLS listener was explicitly enabled but the cert path
+            * was not, use the default.
+            */
+           if (config->server.tls_config.cert_path == NULL) {
+               config->server.tls_config.cert_path =
+                   strdup(DEFAULT_SERVER_CERT_PATH);
+               if (config->server.tls_config.cert_path == NULL) {
+                   sudo_warn(NULL);
+                   debug_return_bool(false);
+               }
+           }
+           break;
+       }
 #endif
     }
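Review bot: The added comment `/* Enable plaintext listender. */` has a typo and should read `/* Enable plaintext listener. */`. The `TAILQ_FOREACH` in the `else` branch only needs to know whether any address has `tls` set, but it is written as a `continue` followed by an unconditional `break` at the end of the body, which is easy to misread as defaulting the certificate once per address. A one-line comment such as `/* cert_path is global, so the first TLS listener is enough */` before the `break` would make the intent explicit. The function body starts and ends outside this hunk.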
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/plugins/sudoers/iolog_client.c 
new/sudo-1.9.0/plugins/sudoers/iolog_client.c
--- old/sudo-1.9.0rc4/plugins/sudoers/iolog_client.c    2020-05-06 
17:14:36.000000000 +0200
+++ new/sudo-1.9.0/plugins/sudoers/iolog_client.c       2020-05-11 
18:28:23.000000000 +0200
@@ -60,6 +60,7 @@
 
 #include "sudoers.h"
 #include "sudo_event.h"
+#include "sudo_iolog.h"
 #include "iolog_plugin.h"
 #include "hostcheck.h"
 
@@ -217,9 +218,15 @@
                 closure->log_details->ca_bundle, NULL) <= 0) {
                 errstr = ERR_reason_error_string(ERR_get_error());
                 sudo_warnx(U_("%s: %s"), closure->log_details->ca_bundle,
-                   errstr);
-               sudo_warnx(U_("unable to load certificate authority bundle %s"),
-                   closure->log_details->ca_bundle);
+                    errstr);
+                sudo_warnx(U_("unable to load certificate authority bundle 
%s"),
+                    closure->log_details->ca_bundle);
+                goto bad;
+            }
+        } else {
+            if (!SSL_CTX_set_default_verify_paths(closure->ssl_ctx)) {
+                errstr = ERR_reason_error_string(ERR_get_error());
+                sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);
                 goto bad;
             }
         }
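Review bot: The new warning `sudo_warnx("SSL_CTX_set_default_verify_paths: %s", errstr);` is not wrapped in `U_()`, unlike the two messages directly above it, and it passes `errstr` straight to `%s`. `ERR_reason_error_string()` can return NULL when no reason string is available, so I would follow the neighbouring style and guard the argument: `sudo_warnx(U_("%s: %s"), "SSL_CTX_set_default_verify_paths", errstr ? errstr : "unknown error");`. The pre-existing `SSL_CTX_load_verify_locations` failure path in this hunk has the same unguarded `errstr`. The enclosing function is only partly visible here.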
@@ -543,7 +550,7 @@
     STAILQ_FOREACH(server, closure->log_details->log_servers, entries) {
         free(copy);
        copy = strdup(server->str);
-       if (!sudo_parse_host_port(copy, &host, &port, &tls, DEFAULT_PORT,
+       if (!iolog_parse_host_port(copy, &host, &port, &tls, DEFAULT_PORT,
                DEFAULT_PORT_TLS)) {
             sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
                 "unable to parse %s", copy);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/plugins/sudoers/sudoreplay.c 
new/sudo-1.9.0/plugins/sudoers/sudoreplay.c
--- old/sudo-1.9.0rc4/plugins/sudoers/sudoreplay.c      2020-03-29 
13:05:08.000000000 +0200
+++ new/sudo-1.9.0/plugins/sudoers/sudoreplay.c 2020-05-11 18:28:23.000000000 
+0200
@@ -55,7 +55,6 @@
 #endif /* HAVE_STDBOOL_H */
 #include <regex.h>
 #include <signal.h>
-#include <time.h>
 
 #include <pathnames.h>
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/sudo-1.9.0rc4/src/parse_args.c new/sudo-1.9.0/src/parse_args.c
--- old/sudo-1.9.0rc4/src/parse_args.c  2020-05-07 05:12:40.000000000 +0200
+++ new/sudo-1.9.0/src/parse_args.c     2020-05-11 18:28:23.000000000 +0200
@@ -356,8 +356,6 @@
                        sudo_settings[ARG_PRESERVE_ENVIRONMENT].value = "true";
                        SET(flags, MODE_PRESERVE_ENV);
                    } else {
-                       if (extra_env.env_len != 0)
-                           usage();
                        parse_env_list(&extra_env, optarg);
                    }
                    break;

