Replace --with-timedir and --with-lecture_dir with --with-rundir

and --with-vardir which are the parent directories of the time stamp
and lecture dirs.  These directories need to be searchable by
non-root so that the timestampowner setting can function.

INSTALL

@@ -122,24 +122,24 @@ Directory and file names:
   --docdir=DIR
 	Install other sudo documentation in DIR [DATAROOTDIR/doc/sudo]
 
-  --with-plugindir=PATH
+  --with-plugindir=DIR
 	Set the directory that sudo looks in to find the policy and I/O
 	logging plugins.  Defaults to the LIBEXEC/sudo.
 
-  --with-timedir=PATH
-        Use PATH to store the sudo time stamp files.  By default,
-        configure will use the first existing directory in the
-        following list to construct the time stamp directory:
-        /var/run, /var/db, /var/lib, /var/adm, /usr/adm.
-	For example: /var/run/sudo/ts
+  --with-rundir=DIR
+        Set the directory to be used for sudo-specific files that
+        do not survive a system reboot.  This is typically where
+        the time stamp directory is located.  By default, configure
+        will use the first existing directory in the following list:
+	    /var/run, /var/db, /var/lib, /var/adm, /usr/adm
 	This directory should be cleared when the system reboots.
 
-  --with-lecture-dir=PATH
-        Use PATH to store the sudo time stamp files.  By default,
-        configure will use the first existing directory in the
-        following list to construct the lecture status directory:
-        /var/db, /var/lib, /var/adm, /usr/adm.
-	For example: /var/db/sudo/lectured
+  --with-vardir=DIR
+        Set the directory to be used for sudo-specific files that
+        survive a system reboot.  This is typically where the lecture
+        status directory is stored.  By default, configure will use
+        the first existing directory in the following list:
+	    /var/db, /var/lib, /var/adm, /usr/adm
 	This directory should not be cleared when the system reboots.
 
 Compilation options:

Makefile.in

@@ -33,7 +33,8 @@ localedir = @localedir@
 localstatedir = @localstatedir@
 docdir = @docdir@
 mandir = @mandir@
-timedir = @timedir@
+rundir = @rundir@
+vardir = @vardir@
 
 # User and group ids the installed files should be "owned" by
 install_uid = 0
@@ -296,7 +297,8 @@ package: sudo.pp
 	    sbindir=$(sbindir) \
 	    libexecdir=$(libexecdir) \
 	    includedir=$(includedir) \
-	    timedir=$(timedir) \
+	    vardir=$(vardir) \
+	    rundir=$(rundir) \
 	    mandir=$(mandir) \
 	    localedir=$(localedir) \
 	    docdir=$(docdir) \

configure

@@ -716,8 +716,8 @@ umask_override
 sudo_umask
 password_timeout
 timeout
-lecture_dir
-timedir
+vardir
+rundir
 iolog_dir
 NO_VIZ
 SSP_CFLAGS
@@ -876,7 +876,8 @@ with_passprompt
 with_badpass_message
 with_fqdn
 with_timedir
-with_lecture_dir
+with_rundir
+with_vardir
 with_iologdir
 with_sendmail
 with_sudoers_mode
@@ -1662,8 +1663,9 @@ Optional Packages:
   --with-passprompt       default password prompt
   --with-badpass-message  message the user sees when the password is wrong
   --with-fqdn             expect fully qualified hosts in sudoers
-  --with-timedir=DIR      path to the sudo time stamp dir
-  --with-lecture-dir=DIR  path to the sudo lecture status dir
+  --with-timedir=DIR      deprecated
+  --with-rundir=DIR       path to the sudo time stamp parent dir
+  --with-vardir=DIR       path to the sudo var dir
   --with-iologdir=DIR     directory to store sudo I/O log files in
   --with-sendmail         set path to sendmail
   --without-sendmail      do not send mail at all
@@ -2972,8 +2974,8 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
 # Begin initial values for man page substitution
 #
 iolog_dir=/var/log/sudo-io
-timedir=/var/adm/sudo/ts
-lecture_dir=/var/adm/sudo/lectured
+rundir=/var/run/sudo
+vardir=/var/adm/sudo
 timeout=5
 password_timeout=5
 sudo_umask=0022
@@ -4720,21 +4722,31 @@ fi
 # Check whether --with-timedir was given.
 if test "${with_timedir+set}" = set; then :
   withval=$with_timedir; case $with_timedir in
-    yes)	as_fn_error $? "\"must give --with-timedir an argument.\"" "$LINENO" 5
-		;;
-    no)		as_fn_error $? "\"--without-timedir not supported.\"" "$LINENO" 5
+    *)		as_fn_error $? "\"--without-timedir no longer supported, see --with-rundir.\"" "$LINENO" 5
 		;;
 esac
 fi
 
 
 
-# Check whether --with-lecture-dir was given.
-if test "${with_lecture_dir+set}" = set; then :
-  withval=$with_lecture_dir; case $with_lecture_dir in
-    yes)	as_fn_error $? "\"must give --with-lecture-dir an argument.\"" "$LINENO" 5
+# Check whether --with-rundir was given.
+if test "${with_rundir+set}" = set; then :
+  withval=$with_rundir; case $with_rundir in
+    yes)	as_fn_error $? "\"must give --with-rundir an argument.\"" "$LINENO" 5
 		;;
-    no)		as_fn_error $? "\"--without-lecture-dir not supported.\"" "$LINENO" 5
+    no)		as_fn_error $? "\"--without-rundir not supported.\"" "$LINENO" 5
+		;;
+esac
+fi
+
+
+
+# Check whether --with-vardir was given.
+if test "${with_vardir+set}" = set; then :
+  withval=$with_vardir; case $with_vardir in
+    yes)	as_fn_error $? "\"must give --with-vardirdir an argument.\"" "$LINENO" 5
+		;;
+    no)		as_fn_error $? "\"--without-vardirdir not supported.\"" "$LINENO" 5
 		;;
 esac
 fi
@@ -21334,39 +21346,39 @@ else
 $as_echo "unknown" >&6; }
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for time stamp file location" >&5
-$as_echo_n "checking for time stamp file location... " >&6; }
-timedir="$with_timedir"
-if test -z "$timedir"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5
+$as_echo_n "checking for sudo run dir location... " >&6; }
+rundir="$with_rundir"
+if test -z "$rundir"; then
     for d in /var/run /var/db /var/lib /var/adm /usr/adm; do
 	if test -d "$d"; then
-	    timedir="$d/sudo/ts"
+	    rundir="$d/sudo"
 	    break
 	fi
     done
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $timedir" >&5
-$as_echo "$timedir" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $rundir" >&5
+$as_echo "$rundir" >&6; }
 cat >>confdefs.h <<EOF
-#define _PATH_SUDO_TIMEDIR "$timedir"
+#define _PATH_SUDO_TIMEDIR "$rundir/ts"
 EOF
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for lecture status file location" >&5
-$as_echo_n "checking for lecture status file location... " >&6; }
-lecture_dir="$with_lecture_dir"
-if test -z "$lecture_dir"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo var dir location" >&5
+$as_echo_n "checking for sudo var dir location... " >&6; }
+vardir="$with_vardir"
+if test -z "$vardir"; then
     for d in /var/db /var/lib /var/adm /usr/adm; do
 	if test -d "$d"; then
-	    lecture_dir="$d/sudo/lectured"
+	    vardir="$d/sudo"
 	    break
 	fi
     done
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lecture_dir" >&5
-$as_echo "$lecture_dir" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $vardir" >&5
+$as_echo "$vardir" >&6; }
 cat >>confdefs.h <<EOF
-#define _PATH_SUDO_LECTURE_DIR "$lecture_dir"
+#define _PATH_SUDO_LECTURE_DIR "$vardir/lectured"
 EOF
 
 

configure.ac

@@ -90,8 +90,8 @@ dnl
 dnl Variables that get substituted in docs (not overridden by environment)
 dnl
 AC_SUBST([iolog_dir])dnl real initial value from SUDO_IO_LOGDIR
-AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR
-AC_SUBST([lecture_dir])dnl real initial value from SUDO_LECTURE_DIR
+AC_SUBST([rundir])dnl real initial value from SUDO_RUNDIR
+AC_SUBST([vardir])dnl real initial value from SUDO_VARDIR
 AC_SUBST([timeout])
 AC_SUBST([password_timeout])
 AC_SUBST([sudo_umask])
@@ -133,8 +133,8 @@ AC_SUBST([PLUGINDIR])
 # Begin initial values for man page substitution
 #
 iolog_dir=/var/log/sudo-io
-timedir=/var/adm/sudo/ts
-lecture_dir=/var/adm/sudo/lectured
+rundir=/var/run/sudo
+vardir=/var/adm/sudo
 timeout=5
 password_timeout=5
 sudo_umask=0022
@@ -781,19 +781,25 @@ else
     AC_MSG_RESULT(no)
 fi
 
-AC_ARG_WITH(timedir, [AS_HELP_STRING([--with-timedir=DIR], [path to the sudo time stamp dir])],
+AC_ARG_WITH(timedir, [AS_HELP_STRING([--with-timedir=DIR], [deprecated])],
 [case $with_timedir in
-    yes)	AC_MSG_ERROR(["must give --with-timedir an argument."])
-		;;
-    no)		AC_MSG_ERROR(["--without-timedir not supported."])
+    *)		AC_MSG_ERROR(["--without-timedir no longer supported, see --with-rundir."])
 		;;
 esac])
 
-AC_ARG_WITH(lecture-dir, [AS_HELP_STRING([--with-lecture-dir=DIR], [path to the sudo lecture status dir])],
-[case $with_lecture_dir in
-    yes)	AC_MSG_ERROR(["must give --with-lecture-dir an argument."])
+AC_ARG_WITH(rundir, [AS_HELP_STRING([--with-rundir=DIR], [path to the sudo time stamp parent dir])],
+[case $with_rundir in
+    yes)	AC_MSG_ERROR(["must give --with-rundir an argument."])
 		;;
-    no)		AC_MSG_ERROR(["--without-lecture-dir not supported."])
+    no)		AC_MSG_ERROR(["--without-rundir not supported."])
+		;;
+esac])
+
+AC_ARG_WITH(vardir, [AS_HELP_STRING([--with-vardir=DIR], [path to the sudo var dir])],
+[case $with_vardir in
+    yes)	AC_MSG_ERROR(["must give --with-vardirdir an argument."])
+		;;
+    no)		AC_MSG_ERROR(["--without-vardirdir not supported."])
 		;;
 esac])
 
@@ -1164,7 +1170,7 @@ else
     SUDO_DEFINE_UNQUOTED(_PATH_SUDO_ASKPASS, NULL)
 fi
 
-AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to load plugins from])],
+AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir=DIR], [set directory to load plugins from])],
 [case $with_plugindir in
     no)		AC_MSG_ERROR(["illegal argument: --without-plugindir."])
 		;;
@@ -3395,8 +3401,8 @@ if test "$utmp_style" = "LEGACY"; then
     SUDO_PATH_UTMP
 fi
 SUDO_LOGFILE
-SUDO_TIMEDIR
-SUDO_LECTURE_DIR
+SUDO_RUNDIR
+SUDO_VARDIR
 SUDO_IO_LOGDIR
 
 dnl
@@ -3890,42 +3896,7 @@ dnl
 AH_TOP([#ifndef _SUDO_CONFIG_H
 #define _SUDO_CONFIG_H])
 
-AH_BOTTOM([/*
- * Macros to convert ctime and mtime into timevals.
- */
-#define timespec2timeval(_ts, _tv) do {					\
-    (_tv)->tv_sec = (_ts)->tv_sec;					\
-    (_tv)->tv_usec = (_ts)->tv_nsec / 1000;				\
-} while (0)
-
-#ifdef HAVE_ST_MTIM
-# ifdef HAVE_ST__TIM
-#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctim.st__tim, (_y))
-#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtim.st__tim, (_y))
-# else
-#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctim, (_y))
-#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtim, (_y))
-# endif
-#else
-# ifdef HAVE_ST_MTIMESPEC
-#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctimespec, (_y))
-#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtimespec, (_y))
-# else
-#  define ctim_get(_x, _y)	do { (_y)->tv_sec = (_x)->st_ctime; (_y)->tv_usec = 0; } while (0)
-#  define mtim_get(_x, _y)	do { (_y)->tv_sec = (_x)->st_mtime; (_y)->tv_usec = 0; } while (0)
-# endif /* HAVE_ST_MTIMESPEC */
-#endif /* HAVE_ST_MTIM */
-
-#ifdef __GNUC__
-# define ignore_result(x) do {						       \
-    __typeof__(x) y = (x);						       \
-    (void)y;								       \
-} while(0)
-#else
-# define ignore_result(x)	(void)(x)
-#endif
-
-/* BSD compatibility on some SVR4 systems. */
+AH_BOTTOM([/* BSD compatibility on some SVR4 systems. */
 #ifdef __svr4__
 # define BSD_COMP
 #endif /* __svr4__ */

doc/sudoers.mdoc.in

@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd January 29, 2014
+.Dd January 31, 2014
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2656,7 +2656,7 @@ This directory should
 .Em not
 be cleared when the system reboots.
 The default is
-.Pa @lecture_dir@ .
+.Pa @libdir@/lectured .
 .It limitprivs
 The default Solaris limit privileges to use when constructing a new
 privilege set for a command.
@@ -2838,7 +2838,7 @@ The directory in which
 stores its time stamp files.
 This directory should be cleared when the system reboots.
 The default is
-.Pa @timedir@ .
+.Pa @rundir@/ts .
 .It timestampowner
 The owner of the lecture status directory, time stamp directory and the
 time stamps stored therein.
@@ -3439,15 +3439,12 @@ file) to the
 line in the
 .Xr sudo.conf @mansectform@
 file.
-.It unable to open @timedir@/username/ttyname
+.It unable to open @rundir@/ts/username
 .Em sudoers
 was unable to read or create the user's time stamp file.
-.It unable to write to @timedir@/username/ttyname
+.It unable to write to @rundir@/ts/username
 .Em sudoers
 was unable to write to the user's time stamp file.
-.It unable to mkdir to @timedir@/username
-.Em sudoers
-was unable to create the user's time stamp directory.
 .El
 .Ss Notes on logging via syslog
 By default,
@@ -3526,10 +3523,14 @@ Local groups file
 List of network groups
 .It Pa @iolog_dir@
 I/O log files
-.It Pa @timedir@
+.It Pa @rundir@/ts
 Directory containing time stamps for the
 .Em sudoers
 security policy
+.It Pa @libdir@/lectured
+Directory containing lecture status files for the
+.Em sudoers
+security policy
 .It Pa /etc/environment
 Initial environment for
 .Fl i
@@ -4092,7 +4093,7 @@ will be updated with the contents of the temporary copy.
 .Em sudoers
 will check the ownership of its time stamp directory
 .Po
-.Pa @timedir@
+.Pa @rundir@/ts
 by default
 .Pc
 and ignore the directory's contents if it is not owned by root or

m4/sudo.m4

@@ -119,37 +119,37 @@ fi
 ])dnl
 
 dnl
-dnl Where the timestamp files go.
+dnl Parent directory for time stamp dir.
 dnl
-AC_DEFUN([SUDO_TIMEDIR], [AC_MSG_CHECKING(for time stamp file location)
-timedir="$with_timedir"
-if test -z "$timedir"; then
+AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+rundir="$with_rundir"
+if test -z "$rundir"; then
     for d in /var/run /var/db /var/lib /var/adm /usr/adm; do
 	if test -d "$d"; then
-	    timedir="$d/sudo/ts"
+	    rundir="$d/sudo"
 	    break
 	fi
     done
 fi
-AC_MSG_RESULT([$timedir])
-SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$timedir")
+AC_MSG_RESULT([$rundir])
+SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$rundir/ts")
 ])dnl
 
 dnl
-dnl Where the lecture status files go.
+dnl Parent directory for the lecture status dir.
 dnl
-AC_DEFUN([SUDO_LECTURE_DIR], [AC_MSG_CHECKING(for lecture status file location)
-lecture_dir="$with_lecture_dir"
-if test -z "$lecture_dir"; then
+AC_DEFUN([SUDO_VARDIR], [AC_MSG_CHECKING(for sudo var dir location)
+vardir="$with_vardir"
+if test -z "$vardir"; then
     for d in /var/db /var/lib /var/adm /usr/adm; do
 	if test -d "$d"; then
-	    lecture_dir="$d/sudo/lectured"
+	    vardir="$d/sudo"
 	    break
 	fi
     done
 fi
-AC_MSG_RESULT([$lecture_dir])
-SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$lecture_dir")
+AC_MSG_RESULT([$vardir])
+SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LECTURE_DIR, "$vardir/lectured")
 ])dnl
 
 dnl

plugins/sudoers/Makefile.in

@@ -31,8 +31,9 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 incdir = $(top_srcdir)/include
 docdir = @docdir@
-timedir = @timedir@
 libdir = @libdir@
+rundir = @rundir@
+vardir = @vardir@
 cross_compiling = @CROSS_COMPILING@
 
 # Compiler & tools to use
@@ -288,8 +289,10 @@ install-dirs:
 	$(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir) \
 	    $(DESTDIR)$(visudodir) $(DESTDIR)$(replaydir) \
 	    $(DESTDIR)$(sudoersdir) $(DESTDIR)$(docdir) \
-	    `echo $(DESTDIR)$(timedir)|sed 's,/[^/]*$$,,'`
-	$(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0700 $(DESTDIR)$(timedir)
+	    `echo $(DESTDIR)$(rundir)|sed 's,/[^/]*$$,,'` \
+	    `echo $(DESTDIR)$(vardir)|sed 's,/[^/]*$$,,'`
+	$(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0711 $(DESTDIR)$(rundir)
+	$(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0711 $(DESTDIR)$(vardir)
 
 install-binaries: visudo sudoreplay install-dirs
 	$(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 sudoreplay $(DESTDIR)$(replaydir)/sudoreplay

sudo.pp

@@ -225,7 +225,7 @@ still allow people to get their work done."
 
 	# OS-level directories that should generally exist but might not.
 	extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"`
-	extradirs="$extradirs `dirname $docdir` `dirname $timedir`"
+	extradirs="$extradirs `dirname $docdir` `dirname $rundir` `dirname $vardir`"
 	test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir"
 	test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d"
 	for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
@@ -266,7 +266,8 @@ still allow people to get their work done."
 	$libexecdir/sudo/sesh	0755 optional,ignore-others
 	$libexecdir/sudo/*	$shlib_mode optional
 	$sudoersdir/sudoers.d/	0750 $sudoers_uid:$sudoers_gid
-	$timedir/		0700 root:
+	$rundir/		0711 root:
+	$vardir/		0711 root:
 	$docdir/		0755
 	$docdir/sudoers2ldif	0755 optional,ignore-others
 %if [deb]