mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00
Code Issues Releases Wiki Activity

sync

Browse Source
This commit is contained in:
Todd C. Miller
2007-12-08 00:17:21 +00:00
parent ae98617dfe
commit 3e7a467e81
2 changed files with 361 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

358
ChangeLog
View File

@@ -1,3 +1,272 @@
2007-12-07 19:09 millert
* ldap.c, schema.OpenLDAP, schema.iPlanet, sudoers2ldif: add -g
support for LDAP
2007-12-03 11:36 millert
* WHATSNEW, sudo.c, sudo.pod, sudo_usage.h.in: The -i and -s flags
can now take an optional command.
2007-12-02 12:13 millert
* def_data.c, def_data.h, def_data.in, sudo.c, sudo.pod,
sudoers.pod, auth/pam.c: Add passprompt_override flag to sudoers
that will cause the prompt to be overridden in all cases. This
flag is also set when the user specifies the -p flag.
2007-12-01 19:51 millert
* sudo.c: Move setting of login class until after sudoers has been
parsed. Set NewArgv[0] for -i after runas_pw has been set.
2007-12-01 19:34 millert
* configure, configure.in: Move the dgettext check.
2007-12-01 11:22 millert
* config.h.in, configure, configure.in, auth/pam.c: Add basic
support for looking up the string "Password: " in the PAM
localized text db. This allows us to determine whether the PAM
prompt is the default "Password: " one even if it has been
localized.
TODO: concatenate non-std PAM prompts and user-specified sudo
prompts.
2007-11-27 18:40 millert
* Makefile.in, config.h.in, configure.in, parse.c, set_perms.c,
sudo.c, configure, sudo.h: Use AC_FUNC_GETGROUPS instead of a
home-grown attempt that was insufficient.
2007-11-27 12:13 millert
* configure, acsite.m4, interfaces.c, memrchr.c: Fix typos;
Martynas Venckus
2007-11-25 19:26 millert
* set_perms.c: Don't assume runas_pw is set; it may not be in the
-g case.
2007-11-25 08:07 millert
* logging.c, set_perms.c: Set aux group vector for PERM_RUNAS and
restore group vector for PERM_ROOT if we previously changed it.
Stash the runas group vector so we don't have to call initgroups
more than once. Also add no-op check to check_perms.
2007-11-21 15:11 millert
* WHATSNEW, check.c, def_data.in, defaults.c, gram.c, gram.h,
gram.y, ldap.c, logging.c, match.c, mon_systrace.c, parse.c,
parse.h, pwutil.c, set_perms.c, sudo.c, sudo.cat, sudo.h,
sudo.man.in, sudo.pod, sudo_usage.h.in, sudoers.cat,
sudoers.man.in, sudoers.pod, testsudoers.c, toke.c, visudo.c,
visudo.cat, visudo.man.in: Add support for runas groups. This
allows the user to run a command with a different effective
group. If the -g option is specified without -u the command will
be run as the current user (only the group will change). the -g
and -u options may be used together. TODO: implement runas group
for ldap improve runas group documentation add
testsudoers support
2007-11-21 15:02 millert
* configure, configure.in: fix setting of mandir
2007-11-21 14:26 millert
* sudo.pod, sudoers.pod: document that ALL implies SETENV
2007-11-21 13:50 millert
* ldap.c: s/setenv_ok/setenv_implied/g
2007-11-21 13:44 millert
* ldap.c: hostname_matches() returns TRUE on match in sudo 1.7.
2007-11-21 13:26 millert
* ldap.c: use strcmp, not strcasecmp when comparing ALL
2007-11-21 11:41 millert
* ldap.c: Make sudo ALL imply setenv. Note that unlike with
file-based sudoers this does affect all the commands in the
sudoRole.
2007-11-21 11:05 millert
* gram.c, gram.y, parse.c, parse.h: sudo "ALL" now implies the
SETENV tag but, unlike an explicit tag, it is not passed on to
other commands in the list.
2007-11-21 11:02 millert
* visudo.c: Add missing sudo_setpwent() and sudo_setgrent() calls.
Also use sudo_getpwuid() instead of getpwuid().
2007-11-15 11:16 millert
* sudoers: Expand on the dangers of not using visudo to edit
sudoers.
2007-11-08 07:24 millert
* parse.c: Don't quote *?[]! on output since the lexer does not
strip off the backslash when reading those in.
2007-11-07 13:16 millert
* glob.c: expand "u_foo" types to "unsigned foo" to avoid
compatibility issues.
2007-11-04 08:33 millert
* logging.c: Refactor log line generation in to new_logline().
2007-10-25 09:23 millert
* TROUBLESHOOTING: fix typo
2007-10-24 12:41 millert
* config.h.in, configure, configure.in, interfaces.c, interfaces.h,
match.c: Add configure check for struct in6_addr instead of
relying on AF_INET6 since some systems define AF_INET6 but do not
include IPv6 support.
2007-10-21 09:29 millert
* configure, configure.in: Fix block to add -lutil for FreeBSD and
NetBSD when logincap is in use.
2007-10-19 22:28 millert
* configure, configure.in: POSIX states that struct timespec be
declared in time.h so check there regardless of the value of
TIME_WITH_SYS_TIME.
2007-10-17 11:37 millert
* tgetpass.c: Instead of defining a macro to call the appropriate
method for turning on/off echo, just define tc[gs]etattr() and
the related defines that use the correct terminal ioctls if
needed. Also go back to using TCSAFLUSH instead of TCSADRAIN on
all but QNX.
2007-10-08 20:18 millert
* Makefile.in: g/c @ALLOCA@
2007-10-08 20:07 millert
* configure: regen
2007-10-08 20:04 millert
* INSTALL, config.h.in, configure.in, auth/pam.c: Add
--disable-pam-session configure option to disable calling
pam_{open,close}_session. May work around bugs in some PAM
implementations.
2007-10-08 12:00 millert
* tgetpass.c: quiet gcc warnings
2007-10-08 08:41 millert
* tgetpass.c: Avoid printing the prompt if we are already
backgrounded. E.g. if the user runs "sudo foo &" from the shell.
In this case, the call to tcsetattr() will cause SIGTTOU to be
delivered.
2007-09-15 16:07 millert
* def_data.c, def_data.h, def_data.in: Reorder things such that the
definition of env_reset come right before the env variable lists.
2007-09-15 07:50 millert
* parse.h: Shrink type and seqno in struct alias from int to
u_short
2007-09-15 07:24 millert
* alias.c, match.c, parse.c, parse.h: Add a sequence number in the
aliases for loop detection. If we find an alias with the seqno
already set to the current (global) value we know we've visited
it before so ignore it.
2007-09-13 19:05 millert
* TODO, sudo.c, sudo.h, auth/pam.c: PAM wants the full tty path so
add user_ttypath which holds the full path to the tty or is NULL
if no tty was present.
2007-09-13 18:42 millert
* auth/pam.c: Set PAM_RHOST to work around a bug in Solaris 7 and
lower that results in a segv.
2007-09-11 15:43 millert
* gram.c: regen
2007-09-11 15:42 millert
* alias.c, defaults.c, gram.y, list.c, list.h, match.c, parse.c,
parse.h, testsudoers.c, visudo.c: rename lh_ -> tq_
2007-09-10 17:33 millert
* alloc.c: remove some useless casts
2007-09-10 17:32 millert
* alloc.c: pull in inttypes.h for SIZE_MAX; we avoid stdint.h since
inttypes.h predates the final C99 spec and the standard specifies
that it shall include stdint.h anyway
2007-09-06 12:39 millert
* Makefile.in, alloca.c, configure.in: Since we ship with a
pre-generated parser there is no need to ship a bogus alloca
implementation.
2007-09-06 12:22 millert
* configure: regen
2007-09-06 12:19 millert
* configure.in: remove initial setting of CHECKSIA, we require that
it be unset if not used
2007-09-06 11:55 millert
* Makefile.in: add list.c to SRCS
2007-09-06 07:18 millert
* configure: regen
2007-09-06 07:17 millert
* configure.in: only do SIA checks on Digital Unix
2007-09-05 18:50 millert
* sudoers.cat, sudoers.man.in: regen
2007-09-05 18:48 millert
* ChangeLog, TODO: sync
2007-09-05 18:39 millert
* auth/kerb5.c: Remove call to krb5_cc_register() as it is not
@@ -2511,11 +2780,10 @@
2004-10-26 18:10 millert
* gram.c, gram.h, gram.y, parse.c, parse.h, parse.yacc, sudo.tab.h:
Rewritten parser that converts sudoers into a set of data
structures. This eliminates ordering issues and makes it
possible to apply sudoers Defaults entries before searching for
the command.
* gram.c, gram.h, gram.y, parse.c, parse.h, parse.yacc: Rewritten
parser that converts sudoers into a set of data structures. This
eliminates ordering issues and makes it possible to apply sudoers
Defaults entries before searching for the command.
2004-10-26 18:09 millert
@@ -2668,9 +2936,8 @@
* Makefile.in, configure, configure.in, def_data.c, def_data.h,
def_data.in, lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc,
sudo.c, sudo.h, sudo.tab.h, sudoers.pod: No longer call it
tracing, it is now "monitoring" which should be more a obvious
name to non-hackers.
sudo.c, sudo.h, sudoers.pod: No longer call it tracing, it is now
"monitoring" which should be more a obvious name to non-hackers.
2004-10-01 15:06 millert
@@ -2943,7 +3210,7 @@
2004-09-24 14:11 millert
* lex.yy.c, sudo.tab.h: regen
* lex.yy.c: regen
2004-09-24 14:10 millert
@@ -4348,11 +4615,6 @@
* sudo_noexec.c: stub execve() that just returns EACCES; used for
noexec functionality
2004-01-06 01:42 millert
* sudo.tab.h: Regen w/ updated byacc from OpenBSD; fixes a gcc 3.2
issue with generated code.
2004-01-05 16:10 millert
* def_data.c, def_data.h, def_data.in: Move the environment
@@ -4390,13 +4652,12 @@
2004-01-04 21:48 millert
* def_data.c, def_data.h, def_data.in, env.c, lex.yy.c, parse.c,
parse.h, parse.lex, parse.yacc, sudo.c, sudo.h, sudo.tab.h: Add
support for preloading a shared object containing a dummy
execve() function that just sets error and returns -1. This adds
a "noexec_file" option to load the filename as well as a "noexec"
flag to enable it unconditionally. There is also a NOEXEC tag
that can be attached to specific commands and an EXEC tag to
disable it.
parse.h, parse.lex, parse.yacc, sudo.c, sudo.h: Add support for
preloading a shared object containing a dummy execve() function
that just sets error and returns -1. This adds a "noexec_file"
option to load the filename as well as a "noexec" flag to enable
it unconditionally. There is also a NOEXEC tag that can be
attached to specific commands and an EXEC tag to disable it.
2004-01-04 21:40 millert
@@ -5105,7 +5366,7 @@
2003-01-17 18:10 millert
* lex.yy.c, sudo.tab.h: regen
* lex.yy.c: regen
2003-01-17 18:09 millert
@@ -6185,7 +6446,7 @@
2001-12-12 15:11 millert
* lex.yy.c, sudo.tab.h: regen parser
* lex.yy.c: regen parser
2001-12-12 14:56 millert
@@ -7151,13 +7412,13 @@
2000-03-22 23:38 millert
* lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc, sudo.tab.h,
testsudoers.c, visudo.c: Fully qualified hosts w/ wildcards were
not matching the FQHOST token type. There's really no need for a
separate token for fully-qualified vs. unqualified anymore so
FQHOST is now history and hostname_matches now decides which
hostname (short or long) to check based on whether or not the
pattern contains a '.'.
* lex.yy.c, parse.c, parse.h, parse.lex, parse.yacc, testsudoers.c,
visudo.c: Fully qualified hosts w/ wildcards were not matching
the FQHOST token type. There's really no need for a separate
token for fully-qualified vs. unqualified anymore so FQHOST is
now history and hostname_matches now decides which hostname
(short or long) to check based on whether or not the pattern
contains a '.'.
2000-03-22 23:09 millert
@@ -7973,7 +8234,7 @@
* BUGS, INSTALL, Makefile.in, TODO, aclocal.m4, check.c,
config.h.in, configure, configure.in, defaults.c, defaults.h,
find_path.c, lex.yy.c, logging.c, parse.h, parse.lex, parse.yacc,
sudo.c, sudo.h, sudo.tab.h, testsudoers.c, version.c, visudo.c,
sudo.c, sudo.h, testsudoers.c, version.c, visudo.c,
auth/aix_auth.c, auth/fwtk.c, auth/kerb5.c, auth/pam.c,
auth/rfc1938.c, auth/sia.c, auth/sudo_auth.c: Add support for
"Defaults" line in sudoers to make configuration variables
@@ -8223,21 +8484,17 @@
* CHANGES: recent changes
1999-08-24 12:40 millert
* sudo.tab.h: these should be generated with byacc, not bison
1999-08-24 12:40 millert
* lex.yy.c: regen
1999-08-24 11:58 millert
* parse.h, parse.yacc, sudo.tab.h: In "sudo -l" mode, the type of
the stored (expanded) alias was not stored with the contents.
This could lead to incorrect output if the sudoers file had
different alias types with the same name. Normal parsing (ie:
not in '-l' mode) is unaffected.
* parse.h, parse.yacc: In "sudo -l" mode, the type of the stored
(expanded) alias was not stored with the contents. This could
lead to incorrect output if the sudoers file had different alias
types with the same name. Normal parsing (ie: not in '-l' mode)
is unaffected.
1999-08-23 12:47 millert
@@ -8382,12 +8639,12 @@
1999-08-14 11:34 millert
* Makefile.in, INSTALL, README, config.h.in, configure,
configure.in, getspwuid.c, lex.yy.c, parse.lex, parse.yacc,
sudo.tab.h: o --with-otp deprecated, use --without-passwd instead
o real dependencies in the Makefile o --with-devel option to
enable yacc, lex, and -Wall o style -- "foo -> bar" becomes
"foo->bar" o ALL goes back to being a token, not a string but
don't leak memory o rename hsotspec -> host in parse.yacc
configure.in, getspwuid.c, lex.yy.c, parse.lex, parse.yacc: o
--with-otp deprecated, use --without-passwd instead o real
dependencies in the Makefile o --with-devel option to enable
yacc, lex, and -Wall o style -- "foo -> bar" becomes "foo->bar" o
ALL goes back to being a token, not a string but don't leak
memory o rename hsotspec -> host in parse.yacc
1999-08-12 12:26 millert
@@ -8578,7 +8835,7 @@
1999-08-04 11:31 millert
* lex.yy.c, sudo.tab.h: regen
* lex.yy.c: regen
1999-08-04 10:54 millert
@@ -9169,10 +9426,9 @@
1999-04-07 19:18 millert
* parse.yacc, sudo.tab.h, sudoers.cat, sudoers.html, sudoers.man,
sudoers.pod: You can now specifiy a host list instead of just a
host or alias. Ie: user = host1,host2,ALIAS,!host3 my_command
now works.
* parse.yacc, sudoers.cat, sudoers.html, sudoers.man, sudoers.pod:
You can now specifiy a host list instead of just a host or alias.
Ie: user = host1,host2,ALIAS,!host3 my_command now works.
1999-04-07 02:59 millert

109
TODO
View File

@@ -21,143 +21,142 @@ TODO list (most will be addressed in sudo 2.0)
08) Make runas_user a struct "runas" with user and group components.
(maybe uid and gid too???)
09) Add -g group/gid option.
10) Should be able to mix Cmnd_Alias's and command args. Ie:
09) Should be able to mix Cmnd_Alias's and command args. Ie:
pete ALL=PASSWD [A-z]*,!PASSWD root
where PASSWD was defined to be /usr/bin/passwd.
This requires the arg parsing to happen in the yacc grammer.
At the very least, commands and args have to become separate
tokens in the lexer.
11) Add a per-tty restriction? Ie: only can run foo from /dev/console.
10) Add a per-tty restriction? Ie: only can run foo from /dev/console.
12) Add test for how to read ether interfaces in configure script
11) Add test for how to read ether interfaces in configure script
13) Use strtol() and strtoul(), not atoi()
12) Use strtol() and strtoul(), not atoi()
14) Implement date_format and log_format options.
13) Implement date_format and log_format options.
15) Add support for: Default:user@host
14) Add support for: Default:user@host
16) Some people want to be able to specify a special password in sudoers
15) Some people want to be able to specify a special password in sudoers
in addition or instead of the normal one. The best argument for
this so far is to be able to use separate passwords for the
target users that are not the passwd file ones.
17) Add support for trusted users. E.g. allow user to run a certain
16) Add support for trusted users. E.g. allow user to run a certain
command regardless of what dir it is in if it is owned by the
trusted user.
18) Add a flag similar to '-l' but that spits out sudo commands in
17) Add a flag similar to '-l' but that spits out sudo commands in
a format suitable for cut & paste into sudoers.
19) Someone wants a recursive version of the dir specifier. Ie:
18) Someone wants a recursive version of the dir specifier. Ie:
SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
20) An option to set the shell to the target user would make sense.
19) An option to set the shell to the target user would make sense.
See other target user-related issues above.
21) Add an option (-D) to dump the defaults after the sudoers file
20) Add an option (-D) to dump the defaults after the sudoers file
has been parsed. Should only be available to root and should
allow a -u user modifier. Maybe dump all of sudoers?
22) Allow /etc/sudoers to be a symlink but require the parent dir to
21) Allow /etc/sudoers to be a symlink but require the parent dir to
be root-owned and not writable by anything else. Should really
traverse the tree to the root doing this.
23) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
22) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
24) Wildcard support for user and group names? (netgroup too?)
23) Wildcard support for user and group names? (netgroup too?)
25) If root_sudo is off, still allow sudo -u to non-root users?
24) If root_sudo is off, still allow sudo -u to non-root users?
26) Parse gids like %#0
25) Parse gids like %#0
27) For AIX, use setpenv() and setpcred() if they exist
26) For AIX, use setpenv() and setpcred() if they exist
http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf2/setpenv.htm
http://publib16.boulder.ibm.com/pseries/en_US/libs/basetrf2/setpcred.htm
28) Add an insult_path variable that is intialized to "builtin" but that
27) Add an insult_path variable that is intialized to "builtin" but that
can point to other files containing an insult count as the first
line and that have a constant record length (sparse files) for
easy seeking.
29) Some way of using a new pty for the program run via sudo would prevent
28) Some way of using a new pty for the program run via sudo would prevent
access to the caller's /dev/tty (but probably makes job control tricky).
30) Maybe have a database of checksums that commands are verified against.
29) Maybe have a database of checksums that commands are verified against.
Basically replace the st_ino/st_dev check with a checksum lookup.
31) Look into testing writability of a file via sudoedit *before* doing
30) Look into testing writability of a file via sudoedit *before* doing
the edit; e.g., try opening with O_APPEND.
32) Add Makefile.in bits to autogenerate Solaris and Irix packages
31) Add Makefile.in bits to autogenerate Solaris and Irix packages
33) Add a session mode where sudo allocates a pty and logs everything
32) Add a session mode where sudo allocates a pty and logs everything
that occurs ala script(1).
34) Use pam_open_session() and pam_close_session() (requires a persistent
33) Use pam_open_session() and pam_close_session() (requires a persistent
sudo process to call pam_close_session()). Maybe add xauth support for
the non-pam case?
35) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit
34) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit
36) Move prototypes to extern.h?
35) Move prototypes to extern.h?
37) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK
36) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK
38) visudo -c should also sanity check aliases
37) visudo -c should also sanity check aliases
39) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too?
38) Use AC_CHECK_DECLS for systems w/o proper prototypes? Maybe errno too?
40) Flesh out testsudoers and fix glob/opendir issues. Use custom netgroup
39) Flesh out testsudoers and fix glob/opendir issues. Use custom netgroup
code too?
41) Think some more about giving admins a way to test commands for a user
40) Think some more about giving admins a way to test commands for a user
on a specific host with a different sudoers file.
42) Add nsswitch.conf parsing to LDAP support.
41) Add nsswitch.conf parsing to LDAP support.
43) Refactor duplicated code in ldap.c into wrapper functions.
42) Refactor duplicated code in ldap.c into wrapper functions.
44) Return command from command_matches() instead of setting safe_cmnd directly.
43) Return command from command_matches() instead of setting safe_cmnd directly.
45) Roll visudo into sudo ala sudoedit.
44) Roll visudo into sudo ala sudoedit.
46) Add ticket file to ticket dir in non-tty tickets case so we
45) Add ticket file to ticket dir in non-tty tickets case so we
can mix tty and non-tty ticket schemes.
47) Use ldap_get_values_len() instead of ldap_get_values() for
46) Use ldap_get_values_len() instead of ldap_get_values() for
OpenLDAP (what about others?)
48) Add support for NOEXEC w/ 64-bit AIX executables.
47) Add support for NOEXEC w/ 64-bit AIX executables.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.xlf91a.doc/xlfug/comp64.htm
49) Examine debian fqdn diffs.
48) Revisit debian fqdn diffs.
50) Add gettext() support
49) Add gettext() support. Can borrow some translations from PAM.
51) Refactor common env code in logging.c
52) Add :group to Runas user specs
53) Convert the other capitalized files into .pod so we can get decent html
50) Convert the other capitalized files into .pod so we can get decent html
form them? E.g. README, etc. E.g.
pod2text -l -i0 history.pod > HISTORY
pod2html --noindex history.pod > history.html
54) Use mkstemp() for visudo temp files? Also re-examine locking.
51) Use mkstemp() for visudo temp files? Also re-examine locking.
55) Add SSL support for ldap, see http://docs.sun.com/source/816-5616-10/ssl.htm#12979 and enablefor "ssl on"
52) Add SSL support for ldap, see http://docs.sun.com/source/816-5616-10/ssl.htm#12979 and enablefor "ssl on"
56) verbose sudo -V output make it clear whether env_reset is active
53) Run sudo thorugh valgrind
57) Run sudo thorugh valgrind
58) Make -a and -c options in sudo.pod only visible when available.
54) Make -a and -c options in sudo.pod only visible when available.
Could use an nroff register combines with configure substitute magic.
Note that configure substitution runs on the .man.in file not the
.pod file.
59) Consolidate line wrap code.
55) Consolidate line wrap code.
56) How can we distinguish between a bare '\\' and one that is escaping
glob chars? Right now we convert \\ -> \ in the lexer which
causes the confusion.
57) For LDAP entries, should be able to parse the per-command options
since they may affect the outcome (e.g. default_runas).