diff --git a/INSTALL b/INSTALL index 030c1e954..05ddf0e19 100644 --- a/INSTALL +++ b/INSTALL @@ -122,24 +122,24 @@ Directory and file names: --docdir=DIR Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo] - --with-plugindir=PATH + --with-plugindir=DIR Set the directory that sudo looks in to find the policy and I/O logging plugins. Defaults to the LIBEXEC/sudo. - --with-timedir=PATH - Use PATH to store the sudo time stamp files. By default, - configure will use the first existing directory in the - following list to construct the time stamp directory: - /var/run, /var/db, /var/lib, /var/adm, /usr/adm. - For example: /var/run/sudo/ts + --with-rundir=DIR + Set the directory to be used for sudo-specific files that + do not survive a system reboot. This is typically where + the time stamp directory is located. By default, configure + will use the first existing directory in the following list: + /var/run, /var/db, /var/lib, /var/adm, /usr/adm This directory should be cleared when the system reboots. - --with-lecture-dir=PATH - Use PATH to store the sudo time stamp files. By default, - configure will use the first existing directory in the - following list to construct the lecture status directory: - /var/db, /var/lib, /var/adm, /usr/adm. - For example: /var/db/sudo/lectured + --with-vardir=DIR + Set the directory to be used for sudo-specific files that + survive a system reboot. This is typically where the lecture + status directory is stored. By default, configure will use + the first existing directory in the following list: + /var/db, /var/lib, /var/adm, /usr/adm This directory should not be cleared when the system reboots. Compilation options: diff --git a/Makefile.in b/Makefile.in index 2ad80b9ab..0111490a2 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -33,7 +33,8 @@ localedir = @localedir@ localstatedir = @localstatedir@ docdir = @docdir@ mandir = @mandir@ -timedir = @timedir@ +rundir = @rundir@ +vardir = @vardir@ # User and group ids the installed files should be "owned" by install_uid = 0 @@ -296,7 +297,8 @@ package: sudo.pp sbindir=$(sbindir) \ libexecdir=$(libexecdir) \ includedir=$(includedir) \ - timedir=$(timedir) \ + vardir=$(vardir) \ + rundir=$(rundir) \ mandir=$(mandir) \ localedir=$(localedir) \ docdir=$(docdir) \ diff --git a/configure b/configure index d77ac6382..8547fa417 100755 --- a/configure +++ b/configure @@ -716,8 +716,8 @@ umask_override sudo_umask password_timeout timeout -lecture_dir -timedir +vardir +rundir iolog_dir NO_VIZ SSP_CFLAGS @@ -876,7 +876,8 @@ with_passprompt with_badpass_message with_fqdn with_timedir -with_lecture_dir +with_rundir +with_vardir with_iologdir with_sendmail with_sudoers_mode @@ -1662,8 +1663,9 @@ Optional Packages: --with-passprompt default password prompt --with-badpass-message message the user sees when the password is wrong --with-fqdn expect fully qualified hosts in sudoers - --with-timedir=DIR path to the sudo time stamp dir - --with-lecture-dir=DIR path to the sudo lecture status dir + --with-timedir=DIR deprecated + --with-rundir=DIR path to the sudo time stamp parent dir + --with-vardir=DIR path to the sudo var dir --with-iologdir=DIR directory to store sudo I/O log files in --with-sendmail set path to sendmail --without-sendmail do not send mail at all @@ -2972,8 +2974,8 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} # Begin initial values for man page substitution # iolog_dir=/var/log/sudo-io -timedir=/var/adm/sudo/ts -lecture_dir=/var/adm/sudo/lectured +rundir=/var/run/sudo +vardir=/var/adm/sudo timeout=5 password_timeout=5 sudo_umask=0022 
@@ -4720,21 +4722,31 @@ fi # Check whether --with-timedir was given. if test "${with_timedir+set}" = set; then : withval=$with_timedir; case $with_timedir in - yes) as_fn_error $? "\"must give --with-timedir an argument.\"" "$LINENO" 5 - ;; - no) as_fn_error $? "\"--without-timedir not supported.\"" "$LINENO" 5 + *) as_fn_error $? "\"--without-timedir no longer supported, see --with-rundir.\"" "$LINENO" 5 ;; esac fi -# Check whether --with-lecture-dir was given. -if test "${with_lecture_dir+set}" = set; then : - withval=$with_lecture_dir; case $with_lecture_dir in - yes) as_fn_error $? "\"must give --with-lecture-dir an argument.\"" "$LINENO" 5 +# Check whether --with-rundir was given. +if test "${with_rundir+set}" = set; then : + withval=$with_rundir; case $with_rundir in + yes) as_fn_error $? "\"must give --with-rundir an argument.\"" "$LINENO" 5 ;; - no) as_fn_error $? "\"--without-lecture-dir not supported.\"" "$LINENO" 5 + no) as_fn_error $? "\"--without-rundir not supported.\"" "$LINENO" 5 + ;; +esac +fi + + + +# Check whether --with-vardir was given. +if test "${with_vardir+set}" = set; then : + withval=$with_vardir; case $with_vardir in + yes) as_fn_error $? "\"must give --with-vardirdir an argument.\"" "$LINENO" 5 + ;; + no) as_fn_error $? "\"--without-vardirdir not supported.\"" "$LINENO" 5 ;; esac fi 
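Review bot: Three of the new error strings in this hunk name the wrong option. The `*)` arm under `--with-timedir` fires for every value, including `--with-timedir=DIR`, yet reports `--without-timedir no longer supported`; it should read `--with-timedir no longer supported, see --with-rundir.`. The two `--with-vardir` arms spell the option `--with-vardirdir` and `--without-vardirdir`, which should be `--with-vardir` and `--without-vardir`. configure is generated, so the correction belongs in the configure.ac source, which is not readable in this view.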
@@ -21334,39 +21346,39 @@ else $as_echo "unknown" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for time stamp file location" >&5 -$as_echo_n "checking for time stamp file location... " >&6; } -timedir="$with_timedir" -if test -z "$timedir"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5 +$as_echo_n "checking for sudo run dir location... " >&6; } +rundir="$with_rundir" +if test -z "$rundir"; then for d in /var/run /var/db /var/lib /var/adm /usr/adm; do if test -d "$d"; then - timedir="$d/sudo/ts" + rundir="$d/sudo" break fi done fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $timedir" >&5 -$as_echo "$timedir" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $rundir" >&5 +$as_echo "$rundir" >&6; } cat >>confdefs.h <&5 -$as_echo_n "checking for lecture status file location... " >&6; } -lecture_dir="$with_lecture_dir" -if test -z "$lecture_dir"; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo var dir location" >&5 +$as_echo_n "checking for sudo var dir location... 
" >&6; } +vardir="$with_vardir" +if test -z "$vardir"; then for d in /var/db /var/lib /var/adm /usr/adm; do if test -d "$d"; then - lecture_dir="$d/sudo/lectured" + vardir="$d/sudo" break fi done fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lecture_dir" >&5 -$as_echo "$lecture_dir" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $vardir" >&5 +$as_echo "$vardir" >&6; } cat >>confdefs.h <tv_sec = (_ts)->tv_sec; \ - (_tv)->tv_usec = (_ts)->tv_nsec / 1000; \ -} while (0) - -#ifdef HAVE_ST_MTIM -# ifdef HAVE_ST__TIM -# define ctim_get(_x, _y) timespec2timeval(&(_x)->st_ctim.st__tim, (_y)) -# define mtim_get(_x, _y) timespec2timeval(&(_x)->st_mtim.st__tim, (_y)) -# else -# define ctim_get(_x, _y) timespec2timeval(&(_x)->st_ctim, (_y)) -# define mtim_get(_x, _y) timespec2timeval(&(_x)->st_mtim, (_y)) -# endif -#else -# ifdef HAVE_ST_MTIMESPEC -# define ctim_get(_x, _y) timespec2timeval(&(_x)->st_ctimespec, (_y)) -# define mtim_get(_x, _y) timespec2timeval(&(_x)->st_mtimespec, (_y)) -# else -# define ctim_get(_x, _y) do { (_y)->tv_sec = (_x)->st_ctime; (_y)->tv_usec = 0; } while (0) -# define mtim_get(_x, _y) do { (_y)->tv_sec = (_x)->st_mtime; (_y)->tv_usec = 0; } while (0) -# endif /* HAVE_ST_MTIMESPEC */ -#endif /* HAVE_ST_MTIM */ - -#ifdef __GNUC__ -# define ignore_result(x) do { \ - __typeof__(x) y = (x); \ - (void)y; \ -} while(0) -#else -# define ignore_result(x) (void)(x) -#endif - -/* BSD compatibility on some SVR4 systems. */ +AH_BOTTOM([/* BSD compatibility on some SVR4 systems. */ #ifdef __svr4__ # define BSD_COMP #endif /* __svr4__ */ diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index dfd7ceb7d..e0c80313a 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd January 29, 2014 +.Dd January 31, 2014 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -2656,7 +2656,7 @@ This directory should .Em not be cleared when the system reboots. The default is -.Pa @lecture_dir@ . +.Pa @libdir@/lectured . .It limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. @@ -2838,7 +2838,7 @@ The directory in which stores its time stamp files. This directory should be cleared when the system reboots. The default is -.Pa @timedir@ . +.Pa @rundir@/ts . .It timestampowner The owner of the lecture status directory, time stamp directory and the time stamps stored therein. @@ -3439,15 +3439,12 @@ file) to the line in the .Xr sudo.conf @mansectform@ file. -.It unable to open @timedir@/username/ttyname +.It unable to open @rundir@/ts/username .Em sudoers was unable to read or create the user's time stamp file. -.It unable to write to @timedir@/username/ttyname +.It unable to write to @rundir@/ts/username .Em sudoers was unable to write to the user's time stamp file. -.It unable to mkdir to @timedir@/username -.Em sudoers -was unable to create the user's time stamp directory. .El .Ss Notes on logging via syslog By default, @@ -3526,10 +3523,14 @@ Local groups file List of network groups .It Pa @iolog_dir@ I/O log files -.It Pa @timedir@ +.It Pa @rundir@/ts Directory containing time stamps for the .Em sudoers security policy +.It Pa @libdir@/lectured +Directory containing lecture status files for the +.Em sudoers +security policy .It Pa /etc/environment Initial environment for .Fl i @@ -4092,7 +4093,7 @@ will be updated with the contents of the temporary copy. .Em sudoers will check the ownership of its time stamp directory .Po -.Pa @timedir@ +.Pa @rundir@/ts by default .Pc and ignore the directory's contents if it is not owned by root or diff --git a/m4/sudo.m4 b/m4/sudo.m4 index 73678be02..2673a1a97 100644 --- a/m4/sudo.m4 +++ b/m4/sudo.m4 
@@ -119,37 +119,37 @@ fi ])dnl dnl -dnl Where the timestamp files go. +dnl Parent directory for time stamp dir. dnl -AC_DEFUN([SUDO_TIMEDIR], [AC_MSG_CHECKING(for time stamp file location) -timedir="$with_timedir" -if test -z "$timedir"; then +AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) +rundir="$with_rundir" +if test -z "$rundir"; then for d in /var/run /var/db /var/lib /var/adm /usr/adm; do if test -d "$d"; then - timedir="$d/sudo/ts" + rundir="$d/sudo" break fi done fi -AC_MSG_RESULT([$timedir]) -SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$timedir") +AC_MSG_RESULT([$rundir]) +SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$rundir/ts") ])dnl dnl -dnl Where the lecture status files go. +dnl Parent directory for the lecture status dir. dnl -AC_DEFUN([SUDO_LECTURE_DIR], [AC_MSG_CHECKING(for lecture status file location) -lecture_dir="$with_lecture_dir" -if test -z "$lecture_dir"; then +AC_DEFUN([SUDO_VARDIR], [AC_MSG_CHECKING(for sudo var dir location) +vardir="$with_vardir" +if test -z "$vardir"; then for d in /var/db /var/lib /var/adm /usr/adm; do if test -d "$d"; then - lecture_dir="$d/sudo/lectured" + vardir="$d/sudo" break fi done fi -AC_MSG_RESULT([$lecture_dir]) -SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$lecture_dir") +AC_MSG_RESULT([$vardir]) +SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$vardir/lectured") ])dnl dnl diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index ce24cd28e..30df76ad7 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -31,8 +31,9 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ incdir = $(top_srcdir)/include docdir = @docdir@ -timedir = @timedir@ libdir = @libdir@ +rundir = @rundir@ +vardir = @vardir@ cross_compiling = @CROSS_COMPILING@ # Compiler & tools to use 
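Review bot: `SUDO_VARDIR` now defines `_PATH_SUDO_LECTURE_DIR` as `"$vardir/lectured"`, but the doc/sudoers.mdoc.in hunks in this same commit print the lecture status directory as `@libdir@/lectured`, both in the default shown for the option and in the new FILES entry. With a typical libdir the manual would then name a directory that sudoers never uses, so an administrator checking its ownership or permissions would be looking in the wrong place. Both places in the manual should use `@vardir@/lectured`, matching the `@rundir@/ts` form used for the time stamp directory. The `dnl` header on each macro could also say that it emits the `ts` or `lectured` subdirectory path, since the macro name and the define it produces no longer correspond.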
@@ -288,8 +289,10 @@ install-dirs: $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir) \ $(DESTDIR)$(visudodir) $(DESTDIR)$(replaydir) \ $(DESTDIR)$(sudoersdir) $(DESTDIR)$(docdir) \ - `echo $(DESTDIR)$(timedir)|sed 's,/[^/]*$$,,'` - $(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0700 $(DESTDIR)$(timedir) + `echo $(DESTDIR)$(rundir)|sed 's,/[^/]*$$,,'` \ + `echo $(DESTDIR)$(vardir)|sed 's,/[^/]*$$,,'` + $(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0711 $(DESTDIR)$(rundir) + $(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0711 $(DESTDIR)$(vardir) install-binaries: visudo sudoreplay install-dirs $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 sudoreplay $(DESTDIR)$(replaydir)/sudoreplay diff --git a/sudo.pp b/sudo.pp index fc4fa795b..9974ab06a 100644 --- a/sudo.pp +++ b/sudo.pp @@ -225,7 +225,7 @@ still allow people to get their work done." # OS-level directories that should generally exist but might not. extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"` - extradirs="$extradirs `dirname $docdir` `dirname $timedir`" + extradirs="$extradirs `dirname $docdir` `dirname $rundir` `dirname $vardir`" test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir" test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d" for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do @@ -266,7 +266,8 @@ still allow people to get their work done." $libexecdir/sudo/sesh 0755 optional,ignore-others $libexecdir/sudo/* $shlib_mode optional $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid - $timedir/ 0700 root: + $rundir/ 0711 root: + $vardir/ 0711 root: $docdir/ 0755 $docdir/sudoers2ldif 0755 optional,ignore-others %if [deb]
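Review bot: The install-dirs recipe now creates `$(DESTDIR)$(rundir)` and `$(DESTDIR)$(vardir)` with mode 0711, where the time stamp directory was previously installed 0700, and nothing in this hunk creates the `ts` or `lectured` subdirectories beneath them. Protection of the time stamp and lecture files therefore depends on the mode and ownership that sudoers gives those subdirectories at run time, which is not visible in this diff. A comment between the recipe and the rule header would record that intent, for example `# 0711 parents are traversable only; ts/ and lectured/ get their restrictive mode from sudoers at run time` (to be confirmed against the plugin source). The `$rundir/ 0711 root:` and `$vardir/ 0711 root:` entries in the sudo.pp file list carry the same change and deserve the same remark.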