From e0d912d1db43fbabc79ea057d01ce59a4f4d3762 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 7 Nov 2023 14:47:48 -0700 Subject: [PATCH 1/5] Use C99 designated struct initializers. This is less error-prone and would have avoided GitHub issue #325. --- plugins/sudoers/sudoers.h | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index 9ef219564a..c7f386ba1b 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -78,7 +78,6 @@ struct group_list { /* * Parse configuration settings. - * Do not change the order without updating SUDOERS_PARSER_CONFIG_INITIALIZER. */ struct sudoers_parser_config { const char *sudoers_path; @@ -91,19 +90,18 @@ struct sudoers_parser_config { gid_t sudoers_gid; }; #define SUDOERS_PARSER_CONFIG_INITIALIZER { \ - NULL, /* sudoers_path */ \ - false, /* strict */ \ - 1, /* verbose level 1 */ \ - true, /* recovery */ \ - false, /* ignore_perms */ \ - SUDOERS_MODE, \ - SUDOERS_UID, \ - SUDOERS_GID \ + .sudoers_path = NULL, \ + .strict = false, \ + .verbose = 1, \ + .recovery = true, \ + .ignore_perms = false, \ + .sudoers_mode = SUDOERS_MODE, \ + .sudoers_uid = SUDOERS_UID, \ + .sudoers_gid = SUDOERS_GID \ } /* * Settings passed in from the sudo front-end. - * Do not change the order without updating SUDOERS_CONTEXT_INITIALIZER. */ struct sudoers_plugin_settings { const char *plugin_dir; @@ -111,6 +109,11 @@ struct sudoers_plugin_settings { const char *ldap_secret; unsigned int flags; }; +#define SUDOERS_PLUGIN_SETTINGS_INITIALIZER { \ + .plugin_dir = _PATH_SUDO_PLUGIN_DIR, \ + .ldap_conf = _PATH_LDAP_CONF, \ + .ldap_secret = _PATH_LDAP_SECRET \ +} /* * Info pertaining to the invoking user. 
@@ -183,11 +186,6 @@ struct sudoers_runas_context { #endif }; -#define SUDOERS_CONTEXT_INITIALIZER { \ - SUDOERS_PARSER_CONFIG_INITIALIZER, \ - { _PATH_SUDO_PLUGIN_DIR, _PATH_LDAP_CONF, _PATH_LDAP_SECRET } \ -} - /* * Global configuration for the sudoers module. */ @@ -205,6 +203,10 @@ struct sudoers_context { unsigned int mode; char uuid_str[37]; }; +#define SUDOERS_CONTEXT_INITIALIZER { \ + SUDOERS_PARSER_CONFIG_INITIALIZER, \ + SUDOERS_PLUGIN_SETTINGS_INITIALIZER, \ +} /* * sudo_get_gidlist() type values From 0497bde983675c2ba793a5e2d23483a55063f517 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 8 Nov 2023 08:16:57 -0700 Subject: [PATCH 2/5] Quote $osversion since it may include whitespace. --- scripts/mkpkg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/mkpkg b/scripts/mkpkg index 29b93de776..5871dc8fe3 100755 --- a/scripts/mkpkg +++ b/scripts/mkpkg @@ -104,7 +104,7 @@ configure="${scriptdir}/../configure" osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'` : ${MAKE=make} -if [ $build_packages = true -a $osversion = unknown ]; then +if [ $build_packages = true -a "$osversion" = "unknown" ]; then echo "unable to determine platform" 1>&2 exit 1 fi From a6ac589cc14b8e171422ee9f42de3fd4ad64a49a Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 8 Nov 2023 16:58:02 -0700 Subject: [PATCH 3/5] sudo_term_restore: don't check c_cflag on systems with TCSASOFT. If TCSASOFT is present, tcsetattr() will ignore c_cflag. Fixes a bug where sudo_term_restore() would refuse to change the terminal settings back if the PARENB control flag was set. GitHub issue #326. --- lib/util/term.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/util/term.c b/lib/util/term.c index a7286b59fd..a195c8151b 100644 --- a/lib/util/term.c +++ b/lib/util/term.c 
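Review bot: In plugins/sudoers/sudoers.h (hunk `@@ -205,6 +203,10 @@`), the relocated `SUDOERS_CONTEXT_INITIALIZER` still fills `struct sudoers_context` positionally, so it keeps the kind of order dependency this commit removes from the other two initializers. Reordering or inserting a member at the top of that struct would silently shift the parser defaults (sudoers mode, uid and gid, `ignore_perms`) into the wrong slot. The first two members of `struct sudoers_context` are outside the hunk; designating them by name, e.g. `.<parser_config_member> = SUDOERS_PARSER_CONFIG_INITIALIZER,` and `.<plugin_settings_member> = SUDOERS_PLUGIN_SETTINGS_INITIALIZER` (placeholders, substitute the real member names), would finish the conversion. `SUDOERS_PLUGIN_SETTINGS_INITIALIZER` also leaves `flags` to implicit zero-initialization, and a short `/* flags is zero-initialized */` comment would record that this is intended.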
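Review bot: In scripts/mkpkg the changed test still expands `$build_packages` unquoted and joins the two comparisons with `-a`, so an empty or multi-word value there breaks the `[` expression the same way `$osversion` did. POSIX marks `-a` as obsolescent because operands can be mistaken for operators; `if [ "$build_packages" = true ] && [ "$osversion" = unknown ]; then` avoids both problems. Whether `build_packages` can ever be empty at this point is not visible in the hunk.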
@@ -178,6 +178,8 @@ sudo_term_restore_v1(int fd, bool flush) ret = true; goto unlock; } +#if !TCSASOFT + /* Only systems without TCSASOFT make changes to c_cflag. */ if ((term.c_cflag & CONTROL_FLAGS) != (cur_term.c_cflag & CONTROL_FLAGS)) { sudo_debug_printf(SUDO_DEBUG_INFO, "%s: not restoring terminal, " "c_cflag changed; 0x%x, expected 0x%x", __func__, @@ -186,6 +188,7 @@ sudo_term_restore_v1(int fd, bool flush) ret = true; goto unlock; } +#endif if ((term.c_lflag & LOCAL_FLAGS) != (cur_term.c_lflag & LOCAL_FLAGS)) { sudo_debug_printf(SUDO_DEBUG_INFO, "%s: not restoring terminal, " "c_lflag changed; 0x%x, expected 0x%x", __func__, From 0f40753d46bfd704869e77d25c765a81ff1e3457 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 8 Nov 2023 18:46:03 -0700 Subject: [PATCH 4/5] Update PolyPkg from upstream. --- scripts/pp | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/scripts/pp b/scripts/pp index 855acc425b..2a9413f564 100755 --- a/scripts/pp +++ b/scripts/pp @@ -1,6 +1,6 @@ #!/bin/sh # Copyright 2023 One Identity LLC. ALL RIGHTS RESERVED -pp_revision="20230127" +pp_revision="20231108" # Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. # # Redistribution and use in source and binary forms, with or without @@ -794,6 +794,11 @@ pp_strip_binaries () { fi } +pp_is_version_greater () { + smaller_version="$(echo -e "$1\n$2" | sort -V | head -1)" + test x"$smaller_version" = x"$1" +} + pp_if_true=0 pp_if_false=0 @@ -1293,6 +1298,7 @@ pp_files_expand () { if test $# -gt 0; then _a=`eval echo \"$1\"` case ",$_a," in *,volatile,*) _flags="${_flags}v";; esac + case ",$_a," in *,missingok,*) _flags="${_flags}m";; esac case ",$_a," in *,optional,*) _optional=true;; esac case ",$_a," in *,symlink,*) _has_target=true;; esac case ",$_a," in *,ignore-others,*) _flags="${_flags}i";; esac 
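Review bot: In lib/util/term.c, `sudo_term_restore_v1` now skips the `c_cflag` comparison whenever `TCSASOFT` is non-zero at compile time, which is only correct if the later `tcsetattr()` call in this function actually passes `TCSASOFT`; that call is outside the hunk and should be confirmed. The added comment would be clearer if it stated that dependency, for example `/* tcsetattr() is called with TCSASOFT, which ignores c_cflag, so only compare it when TCSASOFT is unavailable. */`. `#if !TCSASOFT` also relies on the macro being defined as 0 or left undefined on other systems (an undefined name evaluates to 0 but warns under `-Wundef`); any fallback definition is not visible here. The matching `#endif` is in the following hunk (`@@ -186,6 +188,7 @@`), and the function body continues outside both.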
@@ -1948,6 +1954,10 @@ pp_backend_aix () { cat $root_wrkdir/$pp_aix_bff_name.$ex.inventory fi >&2 + for fileset in ${pp_aix_deprecated_filesets}; do + echo "$fileset" + done >$user_wrkdir/$pp_aix_bff_name.$ex.namelist + if test x"" != x"${pp_aix_copyright:-$copyright}"; then echo "${pp_aix_copyright:-$copyright}" > $user_wrkdir/$pp_aix_bff_name.$ex.copyright echo "${pp_aix_copyright:-$copyright}" > $root_wrkdir/$pp_aix_bff_name.$ex.copyright @@ -5702,7 +5712,10 @@ pp_rpm_writefiles () { test x"$farch" = x"noarch" || pp_add_to_list pp_rpm_arch_seen $farch fi - case $f in *v*) _l="%config(noreplace) $_l";; esac + case $f in + *v*) _l="%config(noreplace) $_l";; + *m*) _l="%config(missingok) $_l";; + esac echo "$_l" done echo @@ -6321,7 +6334,7 @@ pp_rpm_service_group_make_init_script () { local script=/etc/init.d/$grp local out=$pp_destdir$script - pp_add_file_if_missing $script run 755 || return 0 + pp_add_file_if_missing $script run 755 m || return 0 cat <<-. >>$out #!/bin/sh @@ -6411,7 +6424,7 @@ pp_rpm_service_make_service_files () { local out=$pp_destdir$script local _process _cmd _rpmlevels - pp_add_file_if_missing $script run 755 || return 0 + pp_add_file_if_missing $script run 755 m || return 0 #-- start out as an empty shell script cat <<-'.' >$out @@ -7954,8 +7967,8 @@ pp_backend_bsd_init () { pp_bsd_desc= pp_bsd_message= - # FreeBSD uses package.txz, DragonFly uses package.pkg. - if [ "$pp_bsd_os" = "DragonFly" ]; then + # Newer "pkg" (>=1.17.0) generates package.pkg, before that package.txz. + if pp_is_version_greater 1.17.0 "$(pkg --version)"; then pp_bsd_pkg_sfx=pkg else pp_bsd_pkg_sfx=txz 
@@ -8982,17 +8995,29 @@ pp_systemd_service_install_common () { ;; esac fi - else - RUNNING=1 + fi + + # If the service is not running according to its sysv script (eg. systemd service + # is not using a pidfile the sysv script needs), or its sysv script is not present any more, + # check how systemd thinks. + # We also try to restart the service in case something went wrong with it. + if $systemctl_cmd is-active "$svc" >/dev/null 2>&1 || $systemctl_cmd is-failed "$svc" >/dev/null 2>&1; then + $systemctl_cmd stop "$svc" >/dev/null 2>&1 + RUNNING=0 fi # Enable the $svc.service $systemctl_cmd daemon-reload >/dev/null 2>&1 + + # We do not need the init.d script any more, and it causes problems on SLES + # where systemd sysv compatibility is enforced and broken on default installs + rm -f "/etc/init.d/$svc" + $systemctl_cmd enable $svc.service >/dev/null 2>&1 # Now that the service has been enabled, start it again if it was running before. if [ $RUNNING -eq 0 ]; then - /etc/init.d/$svc start > /dev/null 2>&1 + $systemctl_cmd start $svc.service >/dev/null 2>&1 fi fi } @@ -9058,6 +9083,8 @@ pp_systemd_service_remove_common () { _pp_systemd_init fi + $systemctl_cmd stop $svc.service > /dev/null 2>&1 + # Remove the systemd unit service file if [ "x$systemd_service_dir" != "x$systemd_system_unit_dir" ]; then rm -f "$systemd_system_unit_dir/$svc.service" From 62895ea442c8095c640c12a61695d4c75260f587 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 8 Nov 2023 20:10:02 -0700 Subject: [PATCH 5/5] Sudo 1.9.15p2 --- NEWS | 6 ++++++ configure | 18 +++++++++--------- configure.ac | 2 +- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index dd9fbe3ad2..ad16f8932e 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,9 @@ +What's new in Sudo 1.9.15p2 + + * Fixed a bug on BSD systems where sudo would not restore the + terminal settings on exit if the terminal had parity enabled. + GitHub issue #326. + What's new in Sudo 1.9.15p1 * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based diff --git a/configure b/configure index 66f45fed4c..dd61b3fb64 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72c for sudo 1.9.15p1. +# Generated by GNU Autoconf 2.72c for sudo 1.9.15p2. # # Report bugs to . # @@ -614,8 +614,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.9.15p1' -PACKAGE_STRING='sudo 1.9.15p1' +PACKAGE_VERSION='1.9.15p2' +PACKAGE_STRING='sudo 1.9.15p2' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1642,7 +1642,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures sudo 1.9.15p1 to adapt to many kinds of systems. +'configure' configures sudo 1.9.15p2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1708,7 +1708,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.9.15p1:";; + short | recursive ) echo "Configuration of sudo 1.9.15p2:";; esac cat <<\_ACEOF @@ -2003,7 +2003,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.9.15p1 +sudo configure 1.9.15p2 generated by GNU Autoconf 2.72c Copyright (C) 2023 Free Software Foundation, Inc. 
@@ -2823,7 +2823,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.9.15p1, which was +It was created by sudo $as_me 1.9.15p2, which was generated by GNU Autoconf 2.72c. Invocation command line was $ $0$ac_configure_args_raw @@ -36671,7 +36671,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.9.15p1, which was +This file was extended by sudo $as_me 1.9.15p2, which was generated by GNU Autoconf 2.72c. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -36739,7 +36739,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -sudo config.status 1.9.15p1 +sudo config.status 1.9.15p2 configured by $0, generated by GNU Autoconf 2.72c, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 66004a7a3c..5769911ae6 100644 --- a/configure.ac +++ b/configure.ac @@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. dnl AC_PREREQ([2.69]) -AC_INIT([sudo], [1.9.15p1], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.9.15p2], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADERS([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) AC_CONFIG_AUX_DIR([scripts])