mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00
Code Issues Releases Wiki Activity

Merge sudo 1.9.16 from tip.

Browse Source 
--HG--
branch : 1.9
This commit is contained in:
Todd C. Miller 2024-08-17 14:10:08 -06:00
commit c1a6140608
273 changed files with 21855 additions and 15688 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
INSTALL.md
View File

@ -240,7 +240,7 @@ Defaults are listed in brackets after the description.
production environment.
--enable-pie
Build sudo and related programs as as a position independent
Build sudo and related programs as position independent
executables (PIE). This improves the effectiveness of address
space layout randomization (ASLR) on systems that support it.
Sudo will create PIE binaries by default on Linux systems.
@ -476,10 +476,6 @@ Defaults are listed in brackets after the description.
Specify the path to the SSSD shared library, which is loaded
at run-time.
--enable-offensive-insults
Enable potentially offensive sudo insults from the classic
version of sudo.
--enable-pvs-studio
Generate a sample PVS-Studio.cfg file based on the compiler and
platform type. The "pvs-studio" Makefile target can then be
@ -811,14 +807,16 @@ Defaults are listed in brackets after the description.
--with-classic-insults
Uses insults from sudo "classic." If you just specify --with-insults
you will get the classic and CSOps insults. This is on by default if
--with-insults is given.
you will get the classic and CSOps insults. You must either specify
--with-insults or enable insults in the sudoers file for this to have
any effect.
--with-csops-insults
Insults the user with an extra set of insults (some quotes, some
original) from a sysadmin group at CU (CSOps). You must specify
--with-insults as well for this to have any effect. This is on by
default if --with-insults is given.
original) from a sysadmin group at CU (CSOps). If you just specify
--with-insults you will get the classic and CSOps insults. You
must either specify --with-insults or enable insults in the sudoers
file for this to have any effect.
--with-editor=PATH
Specify the default editor path for use by visudo. This may be a
@ -884,13 +882,19 @@ Defaults are listed in brackets after the description.
Sudoers option: ignore_dot
--with-insults
Define this if you want to be insulted for typing an incorrect password
just like the original sudo(8). This is off by default.
Define this if you want to be insulted by default for typing
an incorrect password just like the original sudo(8).
Insults may be optionally disabled in the sudoers file.
Sudoers option: insults
--with-insults=no, --without-insults
By default, sudo will include support for insults that can be
enabled via the sudoers file. However, if --with-insults=no is
used, no insults will be available, even if enabled in sudoers.
--with-insults=disabled
Include support for insults but disable them unless explicitly
enabled in sudoers.
enabled in the sudoers file. This is the default.
Sudoers option: !insults
--with-iologdir[=DIR]
@ -995,9 +999,17 @@ Defaults are listed in brackets after the description.
be separate from the "user path." You will need to customize the
path for your site. This is not applied to users in the group
specified by --with-exemptgroup. If you do not specify a path,
"/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
is used.
Sudoers option: secure_path
--with-secure-path-value[=PATH]
Sets the value of "secure_path" that is substituted into
the default sudoers file. This option is intended to be
used by package maintainers who wish to set "secure_path"
to a system-specific value in the default sudoers file.
It does not actually enable "secure-path".
--with-sendmail=PATH
Override configure's guess as to the location of sendmail.
Sudoers option: mailerpath
@ -1077,7 +1089,7 @@ You need to have a C compiler in order to build sudo. Since Solaris
does not come with one by default this means that you either need
to either install the Solaris Studio compiler suite, available for
free from www.oracle.com, or install the GNU C compiler (gcc) which
is can be installed via the pkg utility on Solaris 11 and higher
can be installed via the pkg utility on Solaris 11 and higher
and is distributed on the Solaris Companion CD for older Solaris
releases. You can also download gcc packages from
https://www.opencsw.org/packages/CSWgcc4core/.

4
LICENSE.md
View File

@ -1,6 +1,6 @@
Sudo is distributed under the following license:
Copyright (c) 1994-1996, 1998-2023
Copyright (c) 1994-1996, 1998-2024
Todd C. Miller <Todd.Miller@sudo.ws>
Permission to use, copy, modify, and distribute this software for any
@ -299,7 +299,7 @@ The file getentropy.c bears the following license:
The embedded copy of zlib bears the following license:
Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages

3
MANIFEST
View File

@ -32,6 +32,7 @@ docs/cvtsudoers.mdoc.in
docs/fixman.sh
docs/fixmdoc.sed
docs/schema.ActiveDirectory
docs/schema.IBM_LDAP
docs/schema.OpenLDAP
docs/schema.iPlanet
docs/schema.olcSudo
@ -716,6 +717,8 @@ plugins/sudoers/po/hr.mo
plugins/sudoers/po/hr.po
plugins/sudoers/po/hu.mo
plugins/sudoers/po/hu.po
plugins/sudoers/po/id.mo
plugins/sudoers/po/id.po
plugins/sudoers/po/it.mo
plugins/sudoers/po/it.po
plugins/sudoers/po/ja.mo

16
Makefile.in
View File

@ -221,20 +221,24 @@ depend: siglist.c signame.c tsgetusershell.c
lib/util/Makefile.in lib/zlib/Makefile.in \
lib/fuzzstub/Makefile.in lib/eventlog/Makefile.in \
lib/iolog/Makefile.in lib/logsrv/Makefile.in logsrvd/Makefile.in \
lib/protobuf-c/Makefile.in plugins/group_file/Makefile.in \
plugins/sample/Makefile.in plugins/sudoers/Makefile.in \
plugins/system_group/Makefile.in plugins/python/Makefile.in \
src/Makefile.in && \
lib/protobuf-c/Makefile.in lib/ssl_compat/Makefile.in \
plugins/group_file/Makefile.in plugins/audit_json/Makefile.in \
plugins/sample/Makefile.in plugins/sample_approval/Makefile.in \
plugins/sudoers/Makefile.in plugins/system_group/Makefile.in \
plugins/python/Makefile.in src/Makefile.in && \
$(top_builddir)/config.status --file $(top_builddir)/lib/util/Makefile \
--file $(top_builddir)/lib/zlib/Makefile \
--file $(top_builddir)/lib/eventlog/Makefile \
--file $(top_builddir)/lib/fuzzstub/Makefile \
--file $(top_builddir)/lib/eventlog/Makefile \
--file $(top_builddir)/lib/iolog/Makefile \
--file $(top_builddir)/lib/logsrv/Makefile \
--file $(top_builddir)/lib/protobuf-c/Makefile \
--file $(top_builddir)/lib/ssl_compat/Makefile \
--file $(top_builddir)/logsrvd/Makefile \
--file $(top_builddir)/plugins/sample/Makefile \
--file $(top_builddir)/plugins/group_file/Makefile \
--file $(top_builddir)/plugins/audit_json/Makefile \
--file $(top_builddir)/plugins/sample/Makefile \
--file $(top_builddir)/plugins/sample_approval/Makefile \
--file $(top_builddir)/plugins/sudoers/Makefile \
--file $(top_builddir)/plugins/system_group/Makefile \
--file $(top_builddir)/plugins/python/Makefile \

69
NEWS
View File

@ -1,3 +1,72 @@
What's new in Sudo 1.9.16
* Added the "cmddenial_message" sudoers option to provide additional
information to the user when a command is denied by the sudoers
policy. The default message is still displayed.
* The time stamp used for file-based logs is now more consistent
with the time stamp produced by syslog. GitHub issues #327.
* Sudo will now warn the user if it can detect the user's terminal
but cannot determine the path to the terminal device. The sudoers
time stamp file will now use the terminal device number directly.
GitHub issue #329.
* The embedded copy of zlib has been updated to version 1.3.1.
* Improved error handling if generating the list of signals and signal
names fails at build time.
* Fixed a compilation issue on Linux systems without process_vm_readv().
* Fixed cross-compilation with WolfSSL.
* Added a "json_compact" value for the sudoers "log_format" option
which can be used when logging to a file. The existing "json"
value has been aliased to "json_pretty". In a future release,
"json" will be an alias for "json_compact". GitHub issue #357.
* A new "pam_silent" sudoers option has been added which may be
negated to avoid suppressing output from PAM authentication modules.
GitHub issue #216.
* Fixed several cvtsudoers JSON output problems.
GitHub issues #369, #370, #371, #373, #381.
* When sudo runs a command in a pseudo-terminal and the user's
terminal is revoked, the pseudo-terminal's foreground process
group will now receive SIGHUP before the terminal is revoked.
This emulates the behavior of the session leader exiting and is
consistent with what happens when, for example, an ssh session
is closed. GitHub issue #367.
* Fixed "make test" with Python 3.12. GitHub issue #374.
* In schema.ActiveDirectory, fixed the quoting in the example command.
GitHub issue #376.
* Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may
now be double-quoted.
* Sudo insults are now included by default, but disabled unless
the --with-insults configure option is specified or the "insults"
sudoers option is enabled.
* The default sudoers file now enables the "secure_path" option by
default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment
variables when running visudo. The new --with-secure-path-value
configure option can be used to set the value of "secure_path" in
the default sudoers file. GitHub issue #387.
* A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory
Server, IBM Security Directory Server, and IBM Security Verify
Directory) is now included.
* When cross-compiling sudo, the configure script now assumes that
the snprintf() function is C99-compliant if the C compiler
supports the C99 standard. Previously, configure would use
sudo's own snprintf() when cross-compiling. GitHub issue #386.
What's new in Sudo 1.9.15p5
* Fixed evaluation of the "lecture", "listpw", "verifypw", and

13
README.LDAP.md
View File

@ -96,8 +96,17 @@ copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
On Solaris, schemas are stored in /var/Sun/mps/slapd-\`hostname\`/config/schema/.
For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
After copying the schema file to the appropriate directory, restart
the LDAP server.
For IBM Directory Server, IBM Tivoli Directory Server, IBM Security
Directory Server, and IBM Security Verify Directory, the schema is
supplied in LDIF format. It can be installed using the ldapmodify
utility:
# ldapmodify -c -f schema.IBM_LDAP -h ldapserver:port -w passwod \
-D cn=Manager,dc=example,dc=com
For schema files other than schema.olcSudo and schema.IBM_LDAP, you
will need to restart the LDAP server after copying the schema file
into place.
Finally, using an LDAP browser/editor, enable indexing by editing the
client profile to provide a Service Search Descriptor (SSD) for sudoers,

4
config.h.in
View File

@ -1203,10 +1203,6 @@
/* Define if your C preprocessor does not support variadic macros. */
#undef NO_VARIADIC_MACROS
/* Define to 1 to include offensive insults from the classic version of sudo.
*/
#undef OFFENSIVE_INSULTS
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT

261
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.72c for sudo 1.9.15p5.
# Generated by GNU Autoconf 2.72 for sudo 1.9.16.
#
# Report bugs to <https://bugzilla.sudo.ws/>.
#
@ -614,8 +614,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
PACKAGE_VERSION='1.9.15p5'
PACKAGE_STRING='sudo 1.9.15p5'
PACKAGE_VERSION='1.9.16'
PACKAGE_STRING='sudo 1.9.16'
PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
PACKAGE_URL=''
@ -704,6 +704,7 @@ host_os
host_vendor
host_cpu
host
JQ
LDFLAGS_FOR_BUILD
CPPFLAGS_FOR_BUILD
CFLAGS_FOR_BUILD
@ -732,6 +733,7 @@ plugindir
pam_login_service
pam_session
editor
secure_path_status
secure_path
netsvc_conf
nsswitch_conf
@ -826,6 +828,7 @@ PRELOAD_MODULE
INSTALL_NOEXEC
INSTALL_INTERCEPT
INSTALL_BACKUP
visudo
sesh_file
noexec_file
NOEXECDIR
@ -924,7 +927,6 @@ ac_user_opts='
enable_option_checking
with_otp_only
with_alertmail
with_pc_insults
with_devel
with_CC
with_rpath
@ -1000,6 +1002,7 @@ with_nsswitch
with_ldap
with_ldap_conf_file
with_ldap_secret_file
with_secure_path_value
with_secure_path
with_interfaces
with_askpass
@ -1043,7 +1046,6 @@ with_selinux
with_apparmor
enable_sasl
enable_timestamp_type
enable_offensive_insults
enable_package_build
enable_gss_krb5_ccache_name
enable_pvs_studio
@ -1642,7 +1644,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
'configure' configures sudo 1.9.15p5 to adapt to many kinds of systems.
'configure' configures sudo 1.9.16 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1708,7 +1710,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of sudo 1.9.15p5:";;
short | recursive ) echo "Configuration of sudo 1.9.16:";;
esac
cat <<\_ACEOF
@ -1760,8 +1762,6 @@ Optional Features:
--enable-sasl Enable/disable LDAP SASL support
--timestamp-type=TYPE Set the default time stamp record type to global,
ppid or tty.
--enable-offensive-insults
Enable potentially offensive sudo insults.
--enable-package-build Enable options for package building.
--enable-gss-krb5-ccache-name
Use GSS-API to set the Kerberos V cred cache name
@ -1797,7 +1797,6 @@ Optional Packages:
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-otp-only deprecated
--with-alertmail deprecated
--with-pc-insults deprecated
--with-devel add development options
--with-CC C compiler to use
--with-rpath deprecated, use --disable-rpath
@ -1885,6 +1884,8 @@ Optional Packages:
--with-ldap[=DIR] enable LDAP support
--with-ldap-conf-file path to LDAP configuration file
--with-ldap-secret-file path to LDAP secret password file
--with-secure-path-value
value of secure_path in the default sudoers file
--with-secure-path override the user's path with a built-in one
--without-interfaces don't try to read the ip addr of network interfaces
--with-askpass=PATH Fully qualified pathname of askpass helper
@ -2003,8 +2004,8 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
sudo configure 1.9.15p5
generated by GNU Autoconf 2.72c
sudo configure 1.9.16
generated by GNU Autoconf 2.72
Copyright (C) 2023 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
@ -2823,8 +2824,8 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by sudo $as_me 1.9.15p5, which was
generated by GNU Autoconf 2.72c. Invocation command line was
It was created by sudo $as_me 1.9.16, which was
generated by GNU Autoconf 2.72. Invocation command line was
$ $0$ac_configure_args_raw
@ -3166,11 +3167,13 @@ ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]);
# Test code for whether the C compiler supports C99 (global declarations)
ac_c_conftest_c99_globals='
// Does the compiler advertise C99 conformance?
/* Does the compiler advertise C99 conformance? */
#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L
# error "Compiler does not advertise C99 conformance"
#endif
// See if C++-style comments work.
#include <stdbool.h>
extern int puts (const char *);
extern int printf (const char *, ...);
@ -3226,7 +3229,6 @@ typedef const char *ccp;
static inline int
test_restrict (ccp restrict text)
{
// See if C++-style comments work.
// Iterate through items via the restricted pointer.
// Also check for declarations in for loops.
for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i)
@ -3315,7 +3317,7 @@ ac_c_conftest_c99_main='
# Test code for whether the C compiler supports C11 (global declarations)
ac_c_conftest_c11_globals='
// Does the compiler advertise C11 conformance?
/* Does the compiler advertise C11 conformance? */
#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L
# error "Compiler does not advertise C11 conformance"
#endif
@ -3682,6 +3684,7 @@ sudoers_path='$(sysconfdir)/sudoers'
#
@ -3727,8 +3730,10 @@ netsvc_conf=/etc/netsvc.conf
intercept_file="$libexecdir/sudo/sudo_intercept.so"
noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
secure_path_status="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@ -4388,6 +4393,8 @@ int
main (void)
{
FILE *f = fopen ("conftest.out", "w");
if (!f)
return 1;
return ferror (f) || fclose (f) != 0;
;
@ -4999,23 +5006,6 @@ fi
# Check whether --with-pc-insults was given.
if test ${with_pc_insults+y}
then :
withval=$with_pc_insults; case $with_pc_insults in
yes) enable_offensive_insults=no
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: --with-pc-insults option deprecated, it is now the default" >&5
printf "%s\n" "$as_me: --with-pc-insults option deprecated, it is now the default" >&6;}
;;
no) enable_offensive_insults=yes
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: --without-pc-insults option deprecated, use --enable-offensive-insults" >&5
printf "%s\n" "$as_me: --without-pc-insults option deprecated, use --enable-offensive-insults" >&6;}
;;
esac
fi
# Check whether --with-devel was given.
if test ${with_devel+y}
@ -5313,8 +5303,6 @@ printf "%s\n" "$as_me: adding CSOps standard options" >&6;}
CHECKSIA=false
with_ignore_dot=yes
insults=on
with_classic_insults=yes
with_csops_insults=yes
with_env_editor=yes
: ${mansectsu='8'}
: ${mansectform='5'}
@ -6153,6 +6141,8 @@ esac
fi
with_classic_insults=yes
with_csops_insults=yes
# Check whether --with-insults was given.
if test ${with_insults+y}
@ -6161,14 +6151,12 @@ then :
yes) insults=on
printf "%s\n" "#define USE_INSULTS 1" >>confdefs.h
with_classic_insults=yes
with_csops_insults=yes
;;
disabled) insults=off
with_classic_insults=yes
with_csops_insults=yes
;;
no) insults=off
with_classic_insults=no
with_csops_insults=no
;;
*) as_fn_error $? "--with-insults does not take an argument." "$LINENO" 5
;;
@ -6322,25 +6310,41 @@ EOF
# Check whether --with-secure-path was given.
if test ${with_secure_path+y}
# Check whether --with-secure-path-value was given.
if test ${with_secure_path_value+y}
then :
withval=$with_secure_path; case $with_secure_path in
yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
secure_path="set to $with_secure_path"
withval=$with_secure_path_value; case $with_secure_path_value in
yes|no) as_fn_error $? "must give --secure-path-value an argument." "$LINENO" 5
;;
no) ;;
*) printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
secure_path="set to $with_secure_path"
*) secure_path="$with_secure_path_value"
;;
esac
fi
# Check whether --with-secure-path was given.
if test ${with_secure_path+y}
then :
withval=$with_secure_path; case $with_secure_path in
yes) with_secure_path="$secure_path"
;;
no) ;;
*) secure_path="$with_secure_path"
;;
esac
fi
if test "${with_secure_path-no}" != "no"
then :
printf "%s\n" "#define SECURE_PATH \"$secure_path\"" >>confdefs.h
secure_path_status="set to $secure_path"
fi
# Check whether --with-interfaces was given.
if test ${with_interfaces+y}
then :
@ -7063,21 +7067,6 @@ fi
printf "%s\n" "#define TIMESTAMP_TYPE $timestamp_type" >>confdefs.h
# Check whether --enable-offensive_insults was given.
if test ${enable_offensive_insults+y}
then :
enableval=$enable_offensive_insults;
else case e in #(
e) enable_offensive_insults=no ;;
esac
fi
if test "$enable_offensive_insults" = "yes"
then :
printf "%s\n" "#define OFFENSIVE_INSULTS 1" >>confdefs.h
fi
# Check whether --enable-package_build was given.
if test ${enable_package_build+y}
then :
@ -8578,6 +8567,8 @@ int
main (void)
{
FILE *f = fopen ("conftest.out", "w");
if (!f)
return 1;
return ferror (f) || fclose (f) != 0;
;
@ -8836,6 +8827,55 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
for ac_prog in jq
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_JQ+y}
then :
printf %s "(cached) " >&6
else case e in #(
e) if test -n "$JQ"; then
ac_cv_prog_JQ="$JQ" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_JQ="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi ;;
esac
fi
JQ=$ac_cv_prog_JQ
if test -n "$JQ"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $JQ" >&5
printf "%s\n" "$JQ" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$JQ" && break
done
test -n "$JQ" || JQ=":"
if test "x$ac_cv_prog_cc_c89" = "xno"
then :
@ -19938,13 +19978,16 @@ fi
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <sys/types.h>
/* Check that off_t can represent 2**63 - 1 correctly.
We can't simply define LARGE_OFF_T to be 9223372036854775807,
#ifndef FTYPE
# define FTYPE off_t
#endif
/* Check that FTYPE can represent 2**63 - 1 correctly.
We can't simply define LARGE_FTYPE to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 31 << 31) - 1 + ((off_t) 1 << 31 << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
#define LARGE_FTYPE (((FTYPE) 1 << 31 << 31) - 1 + ((FTYPE) 1 << 31 << 31))
int FTYPE_is_large[(LARGE_FTYPE % 2147483629 == 721
&& LARGE_FTYPE % 2147483647 == 1)
? 1 : -1];
int
main (void)
@ -19956,7 +19999,25 @@ main (void)
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ac_cv_sys_largefile_opts="$ac_opt"
if test x"$ac_opt" = x"none needed"
then :
# GNU/Linux s390x and alpha need _FILE_OFFSET_BITS=64 for wide ino_t.
CC="$CC -DFTYPE=ino_t"
if ac_fn_c_try_compile "$LINENO"
then :
else case e in #(
e) CC="$CC -D_FILE_OFFSET_BITS=64"
if ac_fn_c_try_compile "$LINENO"
then :
ac_opt='-D_FILE_OFFSET_BITS=64'
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam ;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam
fi
ac_cv_sys_largefile_opts=$ac_opt
ac_opt_found=yes
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
@ -24857,6 +24918,20 @@ printf "%s\n" "$as_me: WARNING: Replacing missing/broken (v)snprintf() with sudo
printf "%s\n" "#define PREFER_PORTABLE_SNPRINTF 1" >>confdefs.h
fi
if test X"$ac_cv_build_prog_cc_c99" != X"no"
then :
# If we have a C99 compiler and are cross-compiling, assume
# C99-compliant v?snprintf().
if test X"$ac_cv_have_working_snprintf$ac_cv_have_working_vsnprintf" = X"crosscross"
then :
ac_cv_have_working_snprintf=yes
ac_cv_have_working_vsnprintf=yes
fi
fi
if test X"$ac_cv_have_working_snprintf$ac_cv_have_working_vsnprintf" = X"yesyes"
then :
@ -26326,7 +26401,7 @@ esac
fi
done
if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
if test "$cross_compiling" != "yes" -a "$CPPFLAGS" = "$O_CPPFLAGS"; then
# So we find the openssl compat headers under wolfssl (XXX)
if test ${CPPFLAGS+y}
@ -35802,6 +35877,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
eval "noexec_file=\"$_noexec_file\""
done
# Update exec_prefix in visudo
_visudo=
while test X"$visudo" != X"$_visudo"; do
_visudo="$visudo"
eval "visudo=\"$_visudo\""
done
# Update exec_prefix in sesh_file
_sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do
@ -36673,8 +36755,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by sudo $as_me 1.9.15p5, which was
generated by GNU Autoconf 2.72c. Invocation command line was
This file was extended by sudo $as_me 1.9.16, which was
generated by GNU Autoconf 2.72. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@ -36741,8 +36823,8 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
sudo config.status 1.9.15p5
configured by $0, generated by GNU Autoconf 2.72c,
sudo config.status 1.9.16
configured by $0, generated by GNU Autoconf 2.72,
with options \\"\$ac_cs_config\\"
Copyright (C) 2023 Free Software Foundation, Inc.
@ -38417,18 +38499,18 @@ echo " password prompt : ${passprompt}" >&6
echo " password prompt timeout : ${password_timeout} minutes" >&6
echo " password tries : ${passwd_tries}" >&6
echo " bad password message : ${badpass_message}" >&6
if test "$insults" = "on"; then
i=""
test "$enable_offensive_insults" = "yes" && i="offensive ${i}"
test "$with_python_insults" = "yes" && i="python ${i}"
test "$with_goons_insults" = "yes" && i="goons ${i}"
test "$with_hal_insults" = "yes" && i="hal ${i}"
test "$with_csops_insults" = "yes" && i="csops ${i}"
test "$with_classic_insults" = "yes" && i="classic ${i}"
else
i=no
insult_sets=""
test "$with_python_insults" = "yes" && insult_sets="python ${insult_sets}"
test "$with_goons_insults" = "yes" && insult_sets="goons ${insult_sets}"
test "$with_hal_insults" = "yes" && insult_sets="hal ${insult_sets}"
test "$with_csops_insults" = "yes" && insult_sets="csops ${insult_sets}"
test "$with_classic_insults" = "yes" && insult_sets="classic ${insult_sets}"
if test -z "$insult_sets"; then
insult_sets=no
elif test "$insults" != "on"; then
insult_sets="${insult_sets} (disabled)"
fi
echo " insults : $i" >&6
echo " insults : $insult_sets" >&6
echo " display lecture : ${lecture}" >&6
echo " timestamp (credential) type : ${timestamp_type}" >&6
echo " timestamp (credential) timeout: ${timeout} minutes" >&6
@ -38685,6 +38767,5 @@ fi

106
configure.ac
View File

@ -3,7 +3,7 @@ dnl Use the top-level autogen.sh script to generate configure and config.h.in
dnl
dnl SPDX-License-Identifier: ISC
dnl
dnl Copyright (c) 1994-1996, 1998-2023 Todd C. Miller <Todd.Miller@sudo.ws>
dnl Copyright (c) 1994-1996, 1998-2024 Todd C. Miller <Todd.Miller@sudo.ws>
dnl
dnl Permission to use, copy, modify, and distribute this software for any
dnl purpose with or without fee is hereby granted, provided that the above
@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
dnl
AC_PREREQ([2.69])
AC_INIT([sudo], [1.9.15p5], [https://bugzilla.sudo.ws/], [sudo])
AC_INIT([sudo], [1.9.16], [https://bugzilla.sudo.ws/], [sudo])
AC_CONFIG_HEADERS([config.h pathnames.h])
AC_CONFIG_SRCDIR([src/sudo.c])
AC_CONFIG_AUX_DIR([scripts])
@ -75,6 +75,7 @@ AC_SUBST([NOEXECFILE])dnl
AC_SUBST([NOEXECDIR])dnl
AC_SUBST([noexec_file])dnl
AC_SUBST([sesh_file])dnl
AC_SUBST([visudo])dnl
AC_SUBST([INSTALL_BACKUP])dnl
AC_SUBST([INSTALL_INTERCEPT])dnl
AC_SUBST([INSTALL_NOEXEC])dnl
@ -176,6 +177,7 @@ AC_SUBST([sssd_lib])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
AC_SUBST([secure_path_status])
AC_SUBST([editor])
AC_SUBST([pam_session])
AC_SUBST([pam_login_service])
@ -225,8 +227,10 @@ netsvc_conf=/etc/netsvc.conf
intercept_file="$libexecdir/sudo/sudo_intercept.so"
noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
secure_path_status="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@ -299,16 +303,6 @@ AC_ARG_WITH(alertmail, [AS_HELP_STRING([--with-alertmail], [deprecated])],
;;
esac])
AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [deprecated])],
[case $with_pc_insults in
yes) enable_offensive_insults=no
AC_MSG_NOTICE([--with-pc-insults option deprecated, it is now the default])
;;
no) enable_offensive_insults=yes
AC_MSG_NOTICE([--without-pc-insults option deprecated, use --enable-offensive-insults])
;;
esac])
dnl
dnl Options for --with
dnl
@ -450,8 +444,6 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--with-csops], [add CSOps standard options])
CHECKSIA=false
with_ignore_dot=yes
insults=on
with_classic_insults=yes
with_csops_insults=yes
with_env_editor=yes
: ${mansectsu='8'}
: ${mansectform='5'}
@ -973,18 +965,23 @@ AC_ARG_WITH(tty-tickets, [AS_HELP_STRING([--with-tty-tickets], [use a different
;;
esac])
dnl
dnl The order of the insults options is important. The main option
dnl must come first, followed by all-insults, then the individual ones.
dnl The classic and csops insult sets are always included by default.
dnl
with_classic_insults=yes
with_csops_insults=yes
AC_ARG_WITH(insults, [AS_HELP_STRING([--with-insults], [insult the user for entering an incorrect password])],
[case $with_insults in
yes) insults=on
AC_DEFINE(USE_INSULTS)
with_classic_insults=yes
with_csops_insults=yes
;;
disabled) insults=off
with_classic_insults=yes
with_csops_insults=yes
;;
no) insults=off
with_classic_insults=no
with_csops_insults=no
;;
*) AC_MSG_ERROR([--with-insults does not take an argument.])
;;
@ -1071,18 +1068,27 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
[case $with_secure_path in
yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
secure_path="set to $with_secure_path"
AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
[case $with_secure_path_value in
yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.])
;;
no) ;;
*) AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
secure_path="set to $with_secure_path"
*) secure_path="$with_secure_path_value"
;;
esac])
AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
[case $with_secure_path in
yes) with_secure_path="$secure_path"
;;
no) ;;
*) secure_path="$with_secure_path"
;;
esac])
AS_IF([test "${with_secure_path-no}" != "no"], [
AC_DEFINE_UNQUOTED(SECURE_PATH, "$secure_path")
secure_path_status="set to $secure_path"
])
AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of network interfaces])],
[case $with_interfaces in
yes) ;;
@ -1483,11 +1489,6 @@ AC_ARG_ENABLE(timestamp-type,
])
AC_DEFINE_UNQUOTED(TIMESTAMP_TYPE, $timestamp_type)
AC_ARG_ENABLE(offensive_insults,
[AS_HELP_STRING([--enable-offensive-insults], [Enable potentially offensive sudo insults.])],
[], [enable_offensive_insults=no])
AS_IF([test "$enable_offensive_insults" = "yes"], [AC_DEFINE(OFFENSIVE_INSULTS)])
AC_ARG_ENABLE(package_build,
[AS_HELP_STRING([--enable-package-build], [Enable options for package building.])],
[], [enable_package_build=no])
@ -1598,6 +1599,7 @@ AS_IF([test X"$AR" = X"false"], [
AC_MSG_ERROR([the "ar" utility is required to build sudo])
])
AX_PROG_CC_FOR_BUILD
AC_CHECK_PROGS(JQ, jq, :)
AS_IF([test "x$ac_cv_prog_cc_c89" = "xno"], [
AC_MSG_ERROR([Sudo version $PACKAGE_VERSION requires an ANSI C compiler to build.])
@ -2380,7 +2382,7 @@ break)
AC_SYS_LARGEFILE
m4_ifdef([AC_SYS_YEAR2038], [AC_SYS_YEAR2038], [
# GNU libc only allows setting _TIME_BITS when FILE_OFFSET_BITS is also set. # GNU libc defines __TIMESIZE on systems where _TIME_BITS can be set.
AS_IF([test X"$ac_cv_sys_file_offset_bits" = X"yes"], [
AS_IF([test X"$ac_cv_sys_file_offset_bits" = X"64"], [
AC_CHECK_DECL(__TIMESIZE, [
AC_DEFINE([_TIME_BITS], [64], [Number of bits in a timestamp, on hosts where this is settable.])
], [], [
@ -3059,6 +3061,14 @@ AS_IF([test X"$sudo_mktemp" = X"yes"], [
COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }mktemp_test"
])
AX_FUNC_SNPRINTF
AS_IF([test X"$ac_cv_prog_cc_c99" != X"no"], [
# If we have a C99 compiler and are cross-compiling, assume
# C99-compliant v?snprintf().
AS_IF([test X"$ac_cv_have_working_snprintf$ac_cv_have_working_vsnprintf" = X"crosscross"], [
ac_cv_have_working_snprintf=yes
ac_cv_have_working_vsnprintf=yes
])
])
AS_IF([test X"$ac_cv_have_working_snprintf$ac_cv_have_working_vsnprintf" = X"yesyes"], [
# System has a C99-compliant v?snprintf(), check for v?asprintf()
AC_CHECK_FUNCS([asprintf], [], [
@ -4312,6 +4322,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
eval "noexec_file=\"$_noexec_file\""
done
# Update exec_prefix in visudo
_visudo=
while test X"$visudo" != X"$_visudo"; do
_visudo="$visudo"
eval "visudo=\"$_visudo\""
done
# Update exec_prefix in sesh_file
_sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do
@ -4524,18 +4541,18 @@ echo " password prompt : ${passprompt}" >&AS_MESSAGE_FD
echo " password prompt timeout : ${password_timeout} minutes" >&AS_MESSAGE_FD
echo " password tries : ${passwd_tries}" >&AS_MESSAGE_FD
echo " bad password message : ${badpass_message}" >&AS_MESSAGE_FD
if test "$insults" = "on"; then
i=""
test "$enable_offensive_insults" = "yes" && i="offensive ${i}"
test "$with_python_insults" = "yes" && i="python ${i}"
test "$with_goons_insults" = "yes" && i="goons ${i}"
test "$with_hal_insults" = "yes" && i="hal ${i}"
test "$with_csops_insults" = "yes" && i="csops ${i}"
test "$with_classic_insults" = "yes" && i="classic ${i}"
else
i=no
insult_sets=""
test "$with_python_insults" = "yes" && insult_sets="python ${insult_sets}"
test "$with_goons_insults" = "yes" && insult_sets="goons ${insult_sets}"
test "$with_hal_insults" = "yes" && insult_sets="hal ${insult_sets}"
test "$with_csops_insults" = "yes" && insult_sets="csops ${insult_sets}"
test "$with_classic_insults" = "yes" && insult_sets="classic ${insult_sets}"
if test -z "$insult_sets"; then
insult_sets=no
elif test "$insults" != "on"; then
insult_sets="${insult_sets} (disabled)"
fi
echo " insults : $i" >&AS_MESSAGE_FD
echo " insults : $insult_sets" >&AS_MESSAGE_FD
echo " display lecture : ${lecture}" >&AS_MESSAGE_FD
echo " timestamp (credential) type : ${timestamp_type}" >&AS_MESSAGE_FD
echo " timestamp (credential) timeout: ${timeout} minutes" >&AS_MESSAGE_FD
@ -4735,7 +4752,6 @@ AH_TEMPLATE(NO_PAM_SESSION, [Define to 1 if you don't want to use sudo's PAM ses
AH_TEMPLATE(NO_ROOT_MAILER, [Define to avoid running the mailer as root.])
AH_TEMPLATE(NO_ROOT_SUDO, [Define to 1 if root should not be allowed to use sudo.])
AH_TEMPLATE(TIMESTAMP_TYPE, [Define to global, ppid or tty to set the default timestamp record type.])
AH_TEMPLATE(OFFENSIVE_INSULTS, [Define to 1 to include offensive insults from the classic version of sudo.])
AH_TEMPLATE(SECURE_PATH, [A colon-separated list of directories to override the user's PATH with.])
AH_TEMPLATE(SEND_MAIL_WHEN_NOT_OK, [Define to 1 to send mail when the user is not allowed to run a command.])
AH_TEMPLATE(SEND_MAIL_WHEN_NO_HOST, [Define to 1 to send mail when the user is not allowed to run sudo on this host.])

3
docs/HISTORY.md
View File

@ -66,7 +66,8 @@ In 2010, Quest Software began sponsoring Sudo development by hiring
Todd to work on Sudo as part of his full-time job. This enabled
the addition of I/O logging, the plugin API, the log server,
additional regression and fuzz tests, support for binary packages
and more regular releases.
and more regular releases. Quest's sponsorship of Sudo ended in
February of 2024.
## Present Day

70
docs/Makefile.in
View File

@ -140,7 +140,7 @@ $(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.man.in.sed > $@; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo.mdoc.in/' -f $(srcdir)/sudo.man.in.sed > $@; \
fi
fixman.sed: $(srcdir)/fixman.sh
@ -150,189 +150,203 @@ fixman.sed: $(srcdir)/fixman.sh
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@
./sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.mdoc.in >> $@
$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the visudo.mdoc.in/' > $@; \
fi
./visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@
./visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the visudo.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.mdoc.in >> $@
$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.conf.man.in.sed > $@; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo.conf.mdoc.in/' -f $(srcdir)/sudo.conf.man.in.sed > $@; \
fi
./sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@
./sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo.conf.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.mdoc.in >> $@
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudoers.man.in.sed> $@; \
$(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers.mdoc.in/' -f $(srcdir)/sudoers.man.in.sed> $@; \
fi
./sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@
./sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@
printf '.\\" Automatically generated from the sudoers.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed >> $@
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers.ldap.mdoc.in/' > $@; \
fi
./sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@
./sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudoers.ldap.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.mdoc.in >> $@
$(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS_TIMESTAMP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS_TIMESTAMP" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoers_timestamp.mdoc.in/' > $@; \
fi
./sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@
./sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudoers_timestamp.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.mdoc.in >> $@
$(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the cvtsudoers.mdoc.in/' > $@; \
fi
./cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@
./cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the cvtsudoers.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.mdoc.in >> $@
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudoreplay.mdoc.in/' > $@; \
fi
./sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@
./sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudoreplay.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.mdoc.in >> $@
$(srcdir)/sudo_logsrvd.man.in: $(srcdir)/sudo_logsrvd.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_logsrvd.mdoc.in/' > $@; \
fi
./sudo_logsrvd.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_logsrvd.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.mdoc.in >> $@
$(srcdir)/sudo_logsrv.proto.man.in: $(srcdir)/sudo_logsrv.proto.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrv.proto.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRV.PROTO" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrv.proto.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRV.PROTO" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" -e 's/an mdoc input/the sudo_logsrv.proto.mdoc.in/' > $@; \
fi
./sudo_logsrv.proto.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrv.proto.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrv.proto.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_logsrv.proto.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrv.proto.mdoc.in >> $@
$(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" -e 's/an mdoc input/the sudo_logsrvd.conf.mdoc.in/' > $@; \
fi
./sudo_logsrvd.conf.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.man.in | $(SED) -f fixman.sed > $@
./sudo_logsrvd.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_logsrvd.conf.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.mdoc.in >> $@
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_plugin.mdoc.in/' > $@; \
fi
./sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_plugin.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.mdoc.in >> $@
$(srcdir)/sudo_plugin_python.man.in: $(srcdir)/sudo_plugin_python.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin_python.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN_PYTHON" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin_python.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN_PYTHON" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_plugin_python.mdoc.in/' > $@; \
fi
./sudo_plugin_python.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin_python.man.in | $(SED) -f fixman.sed > $@
./sudo_plugin_python.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin_python.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_plugin_python.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin_python.mdoc.in >> $@
$(srcdir)/sudo_sendlog.man.in: $(srcdir)/sudo_sendlog.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_sendlog.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_SENDLOG" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_sendlog.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_SENDLOG" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's/an mdoc input/the sudo_sendlog.mdoc.in/' > $@; \
fi
./sudo_sendlog.man: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.man.in | $(SED) -f fixman.sed > $@
./sudo_sendlog.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=docs/$@
printf '.\\" Automatically generated from the sudo_sendlog.mdoc.in file. Do not edit.\n' > $@
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.mdoc.in >> $@
pre-install:

4
docs/UPGRADE.md
View File

@ -542,7 +542,7 @@ Notes on upgrading from an older release
Defaults !env_reset
There have also been changes to how the "env_keep" and
There have also been changes to how the "env_keep" and
"env_check" options behave.
Prior to sudo 1.6.9, the TERM and PATH environment variables
@ -593,7 +593,7 @@ Notes on upgrading from an older release
without a password and `/bin/ls` as root with a password.
As of sudo 1.6, the same line now means that millert is able
to run run both `/usr/bin/whoami` and `/bin/ls` as user daemon
to run both `/usr/bin/whoami` and `/bin/ls` as user daemon
without a password. To expand on this, take the following
example:

42
docs/cvtsudoers.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the cvtsudoers.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "CVTSUDOERS" "1" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.TH "CVTSUDOERS" "1" "April 26, 2024" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
@ -912,20 +912,28 @@ A boolean value that, if true, will negate any comparison performed
with the object.
.TP 9n
sha224
A string containing the SHA224 digest of the
\fIcommand\fR.
One or more SHA224 digests for the
\fIcommand\fR
in string form.
Multiple digests of the same type are stored as an array.
.TP 9n
sha256
A string containing the SHA256 digest of the
\fIcommand\fR.
One or more SHA256 digests for the
\fIcommand\fR
in string form.
Multiple digests of the same type are stored as an array.
.TP 9n
sha384
A string containing the SHA384 digest of the
\fIcommand\fR.
One or more SHA384 digests for the
\fIcommand\fR
in string form.
Multiple digests of the same type are stored as an array.
.TP 9n
sha512
A string containing the SHA512 digest of the
\fIcommand\fR.
One or more SHA512 digests for the
\fIcommand\fR
in string form.
Multiple digests of the same type are stored as an array.
.PP
The
\fIrunasusers\fR
@ -1374,7 +1382,19 @@ exhaustive list of people who have contributed to
.SH "BUGS"
If you believe you have found a bug in
\fBcvtsudoers\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

40
docs/cvtsudoers.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dd April 26, 2024
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -793,17 +793,25 @@ it will match any command.
A boolean value that, if true, will negate any comparison performed
with the object.
.It sha224
A string containing the SHA224 digest of the
.Em command .
One or more SHA224 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha256
A string containing the SHA256 digest of the
.Em command .
One or more SHA256 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha384
A string containing the SHA384 digest of the
.Em command .
One or more SHA384 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.It sha512
A string containing the SHA512 digest of the
.Em command .
One or more SHA512 digests for the
.Em command
in string form.
Multiple digests of the same type are stored as an array.
.El
.Pp
The
@ -1190,7 +1198,19 @@ exhaustive list of people who have contributed to
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

2
docs/schema.ActiveDirectory
View File

@ -4,7 +4,7 @@
# To extend your Active Directory schema, run one of the following command
# on your Windows DC (default port - Active Directory):
#
# ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
# ldifde -i -f schema.ActiveDirectory -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"
#
# or on your Windows DC if using another port (with Active Directory LightWeight Directory Services / ADAM-Active Directory Application Mode)
# Port 50000 by example (or any other port specified when defining the ADLDS/ADAM instance

91
docs/schema.IBM_LDAP Normal file
View File

@ -0,0 +1,91 @@
#
# sudoers schema for IBM Directory Server, also known as Tivoli Directory
# Server, IBM Security Directory Server, and IBM Security Verify Directory.
#
# To import: ldapmodify -c -D binddn -h host:port -w password -f schema.IBM_LDAP
# Substitute the correct values for binddn, host:port and password.
#
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 DBNAME( 'sudoUser' 'sudoUser' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 DBNAME( 'sudoHost' 'sudoHost' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 DBNAME( 'sudoCommand' 'sudoCommand' ) ACCESS-CLASS normal LENGTH 2048 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 DBNAME( 'sudoRunAs' 'sudoRunAs' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 DBNAME( 'sudoOption' 'sudoOption' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 DBNAME( 'sudoRunAsUser' 'sudoRunAsUser' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 DBNAME( 'sudoRunAsGroup' 'sudoRunAsGroup' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 DBNAME( 'sudoNotBefore' 'sudoNotBefore' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 DBNAME( 'sudoNotAfter' 'sudoNotAfter' ) ACCESS-CLASS normal LENGTH 512 )
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
add: ibmattributetypes
ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.10 DBNAME( 'sudoOrder' 'sudoOrder' ) ACCESS-CLASS normal )
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

18
docs/sudo.conf.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo.conf.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -911,8 +911,20 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudo.conf\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

16
docs/sudo.conf.mdoc.in
View File

@ -841,8 +841,20 @@ exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

19
docs/sudo.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -1415,6 +1415,9 @@ Default editor to use in
\fRSUDO_GID\fR
Set to the group-ID of the user who invoked sudo.
.TP 17n
\fRSUDO_HOME\fR
Set to the home directory of the user who invoked sudo.
.TP 17n
\fRSUDO_PROMPT\fR
Used as the default password prompt unless the
\fB\-p\fR
@ -1722,7 +1725,19 @@ set-user-ID shell scripts are generally safe).
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

16
docs/sudo.mdoc.in
View File

@ -1345,6 +1345,8 @@ Default editor to use in
(sudoedit) mode.
.It Ev SUDO_GID
Set to the group-ID of the user who invoked sudo.
.It Ev SUDO_HOME
Set to the home directory of the user who invoked sudo.
.It Ev SUDO_PROMPT
Used as the default password prompt unless the
.Fl p
@ -1611,7 +1613,19 @@ set-user-ID shell scripts are generally safe).
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

18
docs/sudo_logsrv.proto.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_logsrv.proto.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -893,8 +893,20 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudo_logsrv.proto\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

16
docs/sudo_logsrv.proto.mdoc.in
View File

@ -810,8 +810,20 @@ exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

75
docs/sudo_logsrvd.conf.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_logsrvd.conf.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "March 9, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -682,15 +682,58 @@ Defaults to
.TP 6n
log_format = string
The event log format.
Supported log formats are
\(lqsudo\(rq
for traditional sudo-style logs and
\(lqjson\(rq
for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject, exit
Supported log formats are:
.PP
.RS 6n
.PD 0
.TP 6n
json
Currently, this is an alias for
\fIjson_pretty\fR.
In a future version of
\fBsudo_logsrvd\fR,
\fIjson\fR
will be equivalent to
\fIjson_compact\fR.
JSON log entries contain the full contents of the accept, reject, exit
and alert messages.
.PD
.TP 6n
json_compact
Log events in
\(lqcompact\(rq
(minified) JSON format.
Each event is written as a separate JSON object on single line without
extraneous white space.
Due to limitations of the protocol, JSON events sent via
\fIsyslog\fR
may be truncated.
.TP 6n
json_pretty
Log events in
\(lqpretty\(rq
JSON format.
When logging to a file, the entire file is treated as a single JSON
object consisting of multiple events, each event spanning multiple lines.
When logging via
\fIsyslog\fR,
there is no difference between the
\fIjson_pretty\fR
and
\fIjson_compact\fR
formats.
.TP 6n
sudo
Log events in traditional sudo-style log format.
See the
\fIEVENT LOGGING\fR
section in
sudoers(@mansectform@)
for details.
.PP
The default value is
\fIsudo\fR.
.RE
.SS "syslog"
The
\fIsyslog\fR
@ -1096,8 +1139,20 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudo_logsrvd.conf\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

66
docs/sudo_logsrvd.conf.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dd March 9, 2024
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -611,13 +611,49 @@ Defaults to
.Em false .
.It log_format = string
The event log format.
Supported log formats are
.Dq sudo
for traditional sudo-style logs and
.Dq json
for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject, exit
Supported log formats are:
.Bl -tag -width 4n
.It json
Currently, this is an alias for
.Em json_pretty .
In a future version of
.Nm sudo_logsrvd ,
.Em json
will be equivalent to
.Em json_compact .
JSON log entries contain the full contents of the accept, reject, exit
and alert messages.
.It json_compact
Log events in
.Dq compact
(minified) JSON format.
Each event is written as a separate JSON object on single line without
extraneous white space.
Due to limitations of the protocol, JSON events sent via
.Em syslog
may be truncated.
.It json_pretty
Log events in
.Dq pretty
JSON format.
When logging to a file, the entire file is treated as a single JSON
object consisting of multiple events, each event spanning multiple lines.
When logging via
.Em syslog ,
there is no difference between the
.Em json_pretty
and
.Em json_compact
formats.
.It sudo
Log events in traditional sudo-style log format.
See the
.Em "EVENT LOGGING"
section in
.Xr sudoers @mansectform@
for details.
.El
.Pp
The default value is
.Em sudo .
.El
@ -1020,8 +1056,20 @@ exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

25
docs/sudo_logsrvd.man.in
View File

@ -1,8 +1,8 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_logsrvd.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD" "@mansectsu@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO_LOGSRVD" "@mansectsu@" "July 14, 2024" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@ -277,7 +277,7 @@ If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
@ -335,7 +335,7 @@ If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
@ -440,6 +440,7 @@ If peer authentication is enabled on the client, a copy of
must be present on the client system too.
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo_logsrv.proto(@mansectform@),
sudo_logsrvd.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
@ -462,7 +463,19 @@ exhaustive list of people who have contributed to
.SH "BUGS"
If you believe you have found a bug in
\fBsudo_logsrvd\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

23
docs/sudo_logsrvd.mdoc.in
View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dd July 14, 2024
.Dt SUDO_LOGSRVD @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -253,7 +253,7 @@ If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo Certificate Authority
Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
Email Address []:
@ -302,7 +302,7 @@ If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
Organization Name (eg, company) [Internet Widgets Pty Ltd]:sudo
Organizational Unit Name (eg, section) []:sudo log server
Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
Email Address []:
@ -397,6 +397,7 @@ If peer authentication is enabled on the client, a copy of
must be present on the client system too.
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo_logsrv.proto @mansectform@ ,
.Xr sudo_logsrvd.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
@ -418,7 +419,19 @@ exhaustive list of people who have contributed to
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

47
docs/sudo_plugin.man.in
View File

@ -1,8 +1,8 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_plugin.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2009-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_PLUGIN" "5" "July 10, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_PLUGIN" "5" "August 14, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -674,10 +674,18 @@ process or 0 if there is no terminal present.
Only available starting with API version 1.2.
.TP 6n
tty=string
The path to the user's terminal device.
If the user has no terminal device associated with the session,
the value will be empty, as in
\(oqtty=\(cq.
The path to the user's terminal device, if one exists.
This entry is only present if the user has a terminal device
associated with the session.
.TP 6n
ttydev=dev_t
The number of the user's terminal device, if one exists,
formatted as a
\fIlong long\fR
value.
This entry is only present if the user has a terminal device
associated with the session.
Only available starting with API version 1.22.
.TP 6n
uid=uid_t
The real user-ID of the user invoking
@ -1552,7 +1560,7 @@ front-end to determine which elements of the
vector are files to be edited.
The
\(oq--\(cq
element must immediately precede the first file to be editied.
element must immediately precede the first file to be edited.
If
\fIsudoedit_nfiles\fR
is not specified, the
@ -5474,6 +5482,13 @@ The
entry was added to the
\fIcommand_info\fR
list.
.TP 6n
Version 1.22 (sudo 1.9.16)
The
\fIttydev\fR
entry was added to the
\fIuser_info\fR
list.
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudoers(@mansectform@),
@ -5494,8 +5509,20 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudo_plugin\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

43
docs/sudo_plugin.mdoc.in
View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2009-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2009-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd July 10, 2023
.Dd August 14, 2024
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -600,10 +600,17 @@ device associated with the
process or 0 if there is no terminal present.
Only available starting with API version 1.2.
.It tty=string
The path to the user's terminal device.
If the user has no terminal device associated with the session,
the value will be empty, as in
.Ql tty= .
The path to the user's terminal device, if one exists.
This entry is only present if the user has a terminal device
associated with the session.
.It ttydev=dev_t
The number of the user's terminal device, if one exists,
formatted as a
.Vt long long
value.
This entry is only present if the user has a terminal device
associated with the session.
Only available starting with API version 1.22.
.It uid=uid_t
The real user-ID of the user invoking
.Nm sudo .
@ -1393,7 +1400,7 @@ front-end to determine which elements of the
vector are files to be edited.
The
.Ql --
element must immediately precede the first file to be editied.
element must immediately precede the first file to be edited.
If
.Em sudoedit_nfiles
is not specified, the
@ -4857,6 +4864,12 @@ The
entry was added to the
.Fa command_info
list.
.It Version 1.22 (sudo 1.9.16)
The
.Em ttydev
entry was added to the
.Fa user_info
list.
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
@ -4877,8 +4890,20 @@ exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

18
docs/sudo_plugin_python.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_plugin_python.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -1868,8 +1868,20 @@ exhaustive list of people who have contributed to
Python plugin support is currently considered experimental.
.PP
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudo_plugin_python\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SECURITY CONSIDERATIONS"
All Python plugin handling is implemented inside the
\fI@python_plugin@\fR

16
docs/sudo_plugin_python.mdoc.in
View File

@ -1519,8 +1519,20 @@ exhaustive list of people who have contributed to
Python plugin support is currently considered experimental.
.Pp
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SECURITY CONSIDERATIONS
All Python plugin handling is implemented inside the
.Pa @python_plugin@

21
docs/sudo_sendlog.man.in
View File

@ -1,8 +1,8 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudo_sendlog.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_SENDLOG" "@mansectsu@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO_SENDLOG" "@mansectsu@" "July 14, 2024" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@ -169,6 +169,7 @@ Sudo front-end configuration
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo(@mansectsu@),
sudo_logsrv.proto(@mansectform@),
sudo_logsrvd(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
@ -187,7 +188,19 @@ exhaustive list of people who have contributed to
.SH "BUGS"
If you believe you have found a bug in
\fBsudo_sendlog\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

19
docs/sudo_sendlog.mdoc.in
View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 16, 2023
.Dd July 14, 2024
.Dt SUDO_SENDLOG @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -155,6 +155,7 @@ Sudo front-end configuration
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrv.proto @mansectform@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh AUTHORS
Many people have worked on
@ -172,7 +173,19 @@ exhaustive list of people who have contributed to
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

40
docs/sudoers.ldap.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudoers.ldap.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS.LDAP" "@mansectform@" "June 7, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS.LDAP" "@mansectform@" "June 25, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -651,20 +651,24 @@ distribution includes versions of the
\fBsudoers\fR
schema for multiple LDAP servers:
.TP 6n
\fIschema.OpenLDAP\fR
OpenLDAP slapd and
OpenBSD
ldapd
\fIschema.ActiveDirectory\fR
Microsoft Active Directory
.TP 6n
\fIschema.olcSudo\fR
OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
\fIschema.IBM_LDAP\fR
IBM Directory Server, also known as IBM Tivoli Directory Server,
IBM Security Directory Server, and IBM Security Verify Directory
.TP 6n
\fIschema.iPlanet\fR
Netscape-derived servers such as the iPlanet, Oracle,
and 389 Directory Servers
.TP 6n
\fIschema.ActiveDirectory\fR
Microsoft Active Directory
\fIschema.olcSudo\fR
OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
.TP 6n
\fIschema.OpenLDAP\fR
OpenLDAP slapd and
OpenBSD
ldapd
.PP
The schema in OpenLDAP format is also included in the
\fIEXAMPLES\fR
@ -1783,8 +1787,20 @@ See the
section for more information.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudoers.ldap\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

35
docs/sudoers.ldap.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd June 7, 2023
.Dd June 25, 2024
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -616,17 +616,20 @@ distribution includes versions of the
.Nm sudoers
schema for multiple LDAP servers:
.Bl -tag -width 4n
.It Pa schema.ActiveDirectory
Microsoft Active Directory
.It Pa schema.IBM_LDAP
IBM Directory Server, also known as IBM Tivoli Directory Server,
IBM Security Directory Server, and IBM Security Verify Directory
.It Pa schema.iPlanet
Netscape-derived servers such as the iPlanet, Oracle,
and 389 Directory Servers
.It Pa schema.olcSudo
OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
.It Pa schema.OpenLDAP
OpenLDAP slapd and
.Ox
ldapd
.It Pa schema.olcSudo
OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
.It Pa schema.iPlanet
Netscape-derived servers such as the iPlanet, Oracle,
and 389 Directory Servers
.It Pa schema.ActiveDirectory
Microsoft Active Directory
.El
.Pp
The schema in OpenLDAP format is also included in the
@ -1635,8 +1638,20 @@ See the
section for more information.
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

142
docs/sudoers.man.in
View File

@ -1,8 +1,8 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudoers.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "December 19, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "July 14, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -292,6 +292,14 @@ The
option can be used to select the type of time stamp record
\fBsudoers\fR
will use.
.PP
The
\fBtsdump\fR
utility, included with the sudo source distribution, can be used to
display the contents of a time stamp file.
See
sudoers_timestamp(@mansectform@)
for details of the time stamp file format.
.SS "Logging"
By default,
\fBsudoers\fR
@ -3816,6 +3824,22 @@ by default.
.sp
This setting is only supported by version 1.8.8 or higher.
.TP 18n
pam_silent
If set, PAM authentication will be performed in silent mode.
This prevents PAM authentication modules from generating output.
In some cases, this may suppress important information about why
authentication failed.
For example, PAM modules such as
\fIpam_faillock\fR
will only display a warning if
\fIpam_silent\fR
is disabled.
This flag is
\fIon\fR
by default.
.sp
This setting is only supported by version 1.8.16 or higher.
.TP 18n
passprompt_override
If set, the prompt specified by
\fIpassprompt\fR
@ -4280,6 +4304,14 @@ user's terminal device even after the main program has finished
executing.
By running the command in a separate pseudo-terminal, this attack is
no longer possible.
.sp
A side effect of running the command in a new pseudo-terminal is
that input will be passed to the command even if it is non-interactive.
This means that, for example, keys pressed while a non-interactive
command is running will be consumed by
\fBsudo\fR
instead of being passed to the shell after the command exits.
.sp
This flag is
\fIon\fR
by default for
@ -4388,7 +4420,7 @@ it will
\(lqroll over\(rq
to zero, after which
\fBsudoers\fR
will truncate and re-use any existing I/O log path names.
will truncate and reuse any existing I/O log path names.
.sp
This setting is only supported by version 1.8.7 or higher.
.TP 18n
@ -4499,6 +4531,19 @@ option.
This option is only available when sudo is built with AppArmor
support.
.TP 18n
cmddenial_message
.br
It set,
\fBsudo\fR
will display this message when a user is denied access to run the
specified command, but is listed in the
\fIsudoers\fR
file for the host.
This can be used to provide additional, site-specific information
to the user when a command is denied by the security policy.
It does not override the standard warning the user receives when
a command is denied.
.TP 18n
authfail_message
Message that is displayed after a user fails to authenticate.
The message may include the
@ -5352,18 +5397,45 @@ Supported log formats are:
.PD 0
.TP 6n
json
Logs in JSON format.
Currently, this is an alias for
\fIjson_pretty\fR.
In a future version of
\fBsudo\fR,
\fIjson\fR
will be equivalent to
\fIjson_compact\fR.
JSON log entries contain the full user details as well as the execution
environment if the command was allowed.
.PD
.TP 6n
json_compact
Log events in
\(lqcompact\(rq
(minified) JSON format.
Each event is written as a separate JSON object on single line without
extraneous white space.
Due to limitations of the protocol, JSON events sent via
\fIsyslog\fR
may be truncated.
.PD
.TP 6n
json_pretty
Log events in
\(lqpretty\(rq
JSON format.
When logging to a file, the entire file is treated as a single JSON
object consisting of multiple events, each event spanning multiple lines.
When logging via
\fIsyslog\fR,
there is no difference between the
\fIjson_pretty\fR
and
\fIjson_compact\fR
formats.
.TP 6n
sudo
Traditional sudo-style logs, see
Log events in traditional sudo-style format, see
\fIEVENT LOGGING\fR
for a description of the log file format.
for details.
.PP
This setting affects logs sent via
syslog(3)
@ -5576,17 +5648,37 @@ If set,
will use this value in place of the user's
\fRPATH\fR
environment variable.
This option can be used to reset the
\fRPATH\fR
to a known good value that contains directories for system administrator
commands such as
There are two basic use cases for
\fIsecure_path\fR:
.PP
.RS 14n
.PD 0
.TP 3n
1.\&
To make it possible for
\fBsudo\fR
to find system administrator commands located in directories that
may not be in the default user path, such as
\fI/usr/sbin\fR.
.sp
.PD
.TP 3n
2.\&
To help protect scripts and programs that execute other commands without
first setting
\fRPATH\fR
to a safe value.
Otherwise, a user with limited privileges may be able to run arbitrary
commands by manipulating the
\fRPATH\fR
if the command being run executes other commands without using a
fully-qualified path name.
.PP
Users in the group specified by the
\fIexempt_group\fR
option are not affected by
\fIsecure_path\fR.
This option is @secure_path@ by default.
This option is @secure_path_status@ by default.
.RE
.TP 14n
syslog
Syslog facility if syslog is being used for logging (negate to
@ -6757,7 +6849,7 @@ Once the I/O log sequence number reaches
\fImaxseq\fR,
it will be reset to zero and
\fBsudoers\fR
will truncate and re-use any existing I/O logs.
will truncate and reuse any existing I/O logs.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
@ -7834,7 +7926,7 @@ If no terminal is present or the
option is set to
\(lqppid\(rq,
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
In most cases this will prevent a time stamp record from being reused
without the user entering a password when logging out and back in again.
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
@ -7958,10 +8050,12 @@ glob(3),
mktemp(3),
strftime(3),
sudo.conf(@mansectform@),
sudo_logsrv.proto(@mansectform@),
sudo_plugin(@mansectform@),
sudoers.ldap(@mansectform@),
sudoers_timestamp(@mansectform@),
sudo(@mansectsu@),
sudo_logsrvd(@mansectsu@),
visudo(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
@ -8013,8 +8107,20 @@ option in
\fIsudoers\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudoers\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

126
docs/sudoers.mdoc.in
View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd December 19, 2023
.Dd July 14, 2024
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -280,6 +280,14 @@ The
option can be used to select the type of time stamp record
.Nm
will use.
.Pp
The
.Nm tsdump
utility, included with the sudo source distribution, can be used to
display the contents of a time stamp file.
See
.Xr sudoers_timestamp @mansectform@
for details of the time stamp file format.
.Ss Logging
By default,
.Nm
@ -3615,6 +3623,21 @@ This flag is
by default.
.Pp
This setting is only supported by version 1.8.8 or higher.
.It pam_silent
If set, PAM authentication will be performed in silent mode.
This prevents PAM authentication modules from generating output.
In some cases, this may suppress important information about why
authentication failed.
For example, PAM modules such as
.Em pam_faillock
will only display a warning if
.Em pam_silent
is disabled.
This flag is
.Em on
by default.
.Pp
This setting is only supported by version 1.8.16 or higher.
.It passprompt_override
If set, the prompt specified by
.Em passprompt
@ -4052,6 +4075,14 @@ user's terminal device even after the main program has finished
executing.
By running the command in a separate pseudo-terminal, this attack is
no longer possible.
.Pp
A side effect of running the command in a new pseudo-terminal is
that input will be passed to the command even if it is non-interactive.
This means that, for example, keys pressed while a non-interactive
command is running will be consumed by
.Nm sudo
instead of being passed to the shell after the command exits.
.Pp
This flag is
.Em on
by default for
@ -4155,7 +4186,7 @@ it will
.Dq roll over
to zero, after which
.Nm
will truncate and re-use any existing I/O log path names.
will truncate and reuse any existing I/O log path names.
.Pp
This setting is only supported by version 1.8.7 or higher.
.It passwd_tries
@ -4263,6 +4294,17 @@ option.
This option is only available when sudo is built with AppArmor
support.
.\}
.It cmddenial_message
It set,
.Nm sudo
will display this message when a user is denied access to run the
specified command, but is listed in the
.Em sudoers
file for the host.
This can be used to provide additional, site-specific information
to the user when a command is denied by the security policy.
It does not override the standard warning the user receives when
a command is denied.
.It authfail_message
Message that is displayed after a user fails to authenticate.
The message may include the
@ -5027,16 +5069,41 @@ The event log format.
Supported log formats are:
.Bl -tag -width 4n
.It json
Logs in JSON format.
Currently, this is an alias for
.Em json_pretty .
In a future version of
.Nm sudo ,
.Em json
will be equivalent to
.Em json_compact .
JSON log entries contain the full user details as well as the execution
environment if the command was allowed.
.It json_compact
Log events in
.Dq compact
(minified) JSON format.
Each event is written as a separate JSON object on single line without
extraneous white space.
Due to limitations of the protocol, JSON events sent via
.Em syslog
may be truncated.
.It json_pretty
Log events in
.Dq pretty
JSON format.
When logging to a file, the entire file is treated as a single JSON
object consisting of multiple events, each event spanning multiple lines.
When logging via
.Em syslog ,
there is no difference between the
.Em json_pretty
and
.Em json_compact
formats.
.It sudo
Traditional sudo-style logs, see
Log events in traditional sudo-style format, see
.Sx "EVENT LOGGING"
for a description of the log file format.
for details.
.El
.Pp
This setting affects logs sent via
@ -5228,17 +5295,32 @@ If set,
will use this value in place of the user's
.Ev PATH
environment variable.
This option can be used to reset the
.Ev PATH
to a known good value that contains directories for system administrator
commands such as
There are two basic use cases for
.Em secure_path :
.Bl -enum -width 1n
.It
To make it possible for
.Nm sudo
to find system administrator commands located in directories that
may not be in the default user path, such as
.Pa /usr/sbin .
.It
To help protect scripts and programs that execute other commands without
first setting
.Ev PATH
to a safe value.
Otherwise, a user with limited privileges may be able to run arbitrary
commands by manipulating the
.Ev PATH
if the command being run executes other commands without using a
fully-qualified path name.
.El
.Pp
Users in the group specified by the
.Em exempt_group
option are not affected by
.Em secure_path .
This option is @secure_path@ by default.
This option is @secure_path_status@ by default.
.It syslog
Syslog facility if syslog is being used for logging (negate to
disable syslog logging).
@ -6286,7 +6368,7 @@ Once the I/O log sequence number reaches
.Em maxseq ,
it will be reset to zero and
.Nm
will truncate and re-use any existing I/O logs.
will truncate and reuse any existing I/O logs.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
@ -7266,7 +7348,7 @@ If no terminal is present or the
option is set to
.Dq ppid ,
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
In most cases this will prevent a time stamp record from being reused
without the user entering a password when logging out and back in again.
.Sh DEBUGGING
Versions 1.8.4 and higher of the
@ -7371,10 +7453,12 @@ manual.
.Xr mktemp 3 ,
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudo_logsrv.proto @mansectform@ ,
.Xr sudo_plugin @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudoers_timestamp @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@ ,
.Xr visudo @mansectsu@
.Sh AUTHORS
Many people have worked on
@ -7425,8 +7509,20 @@ option in
.Em sudoers .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

49
docs/sudoers_timestamp.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudoers_timestamp.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "September 20, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "November 26, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -60,14 +60,14 @@ Time stamp records have the following structure:
.sp
.RS 0n
/* Time stamp entry types */
#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
#define TS_TTY 0x02 /* restricted by tty */
#define TS_PPID 0x03 /* restricted by ppid */
#define TS_LOCKEXCL 0x04 /* special lock record */
#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */
#define TS_TTY 0x02U /* restricted by tty */
#define TS_PPID 0x03U /* restricted by ppid */
#define TS_LOCKEXCL 0x04U /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01 /* entry disabled */
#define TS_ANYUID 0x02 /* ignore uid, only valid in key */
#define TS_DISABLED 0x01U /* entry disabled */
#define TS_ANYUID 0x02U /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
@ -138,7 +138,7 @@ or of the parent process for records of type
\fRTS_PPID\fR.
The
\fIstart_time\fR
is used to help prevent re-use of a time stamp record after a
is used to help prevent reuse of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
@ -174,6 +174,13 @@ records of type
u.ppid
The ID of the parent process for records of type
\fRTS_PPID\fR.
.PP
The
\fBtsdump\fR
utility, included with the sudo source distribution, can be used to
display the contents of a
\fIsudoers\fR
time stamp file.
.SH "LOCKING"
In
\fBsudoers\fR
@ -250,13 +257,13 @@ Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent re-use of the time stamp file after logout.
This helped prevent reuse of the time stamp file after logout.
.TP 6n
1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent re-use of the time stamp by the same user in a different
prevent reuse of the time stamp by the same user in a different
terminal session.
It also helped prevent re-use of the time stamp file on systems where
It also helped prevent reuse of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.TP 6n
1.8.10
@ -273,7 +280,7 @@ entire file and the lock is held until authentication is complete.
1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
This prevents reuse of the time stamp file after logout in most cases.
.sp
Support was added for the kernel-based tty time stamps available in
OpenBSD
@ -300,8 +307,20 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you believe you have found a bug in
\fBsudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
\fBsudoers_timestamp\fR,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

47
docs/sudoers_timestamp.mdoc.in
View File

@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 20, 2023
.Dd November 26, 2023
.Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -58,14 +58,14 @@ number and a 16-bit record size.
Time stamp records have the following structure:
.Bd -literal
/* Time stamp entry types */
#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
#define TS_TTY 0x02 /* restricted by tty */
#define TS_PPID 0x03 /* restricted by ppid */
#define TS_LOCKEXCL 0x04 /* special lock record */
#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */
#define TS_TTY 0x02U /* restricted by tty */
#define TS_PPID 0x03U /* restricted by ppid */
#define TS_LOCKEXCL 0x04U /* special lock record */
/* Time stamp flags */
#define TS_DISABLED 0x01 /* entry disabled */
#define TS_ANYUID 0x02 /* ignore uid, only valid in key */
#define TS_DISABLED 0x01U /* entry disabled */
#define TS_ANYUID 0x02U /* ignore uid, only valid in key */
struct timestamp_entry {
unsigned short version; /* version number */
@ -128,7 +128,7 @@ or of the parent process for records of type
.Dv TS_PPID .
The
.Em start_time
is used to help prevent re-use of a time stamp record after a
is used to help prevent reuse of a time stamp record after a
user has logged out.
Not all systems support a method to easily retrieve a process's
start time.
@ -162,6 +162,13 @@ records of type
The ID of the parent process for records of type
.Dv TS_PPID .
.El
.Pp
The
.Nm tsdump
utility, included with the sudo source distribution, can be used to
display the contents of a
.Em sudoers
time stamp file.
.Sh LOCKING
In
.Nm sudoers
@ -232,12 +239,12 @@ Information about the terminal device was stored in
tty-based time stamp files for validity checks.
This included the terminal device numbers, inode number and, on systems
where it was not updated when the device was written to, the inode change time.
This helped prevent re-use of the time stamp file after logout.
This helped prevent reuse of the time stamp file after logout.
.It 1.8.6p7
The terminal session ID was added to tty-based time stamp files to
prevent re-use of the time stamp by the same user in a different
prevent reuse of the time stamp by the same user in a different
terminal session.
It also helped prevent re-use of the time stamp file on systems where
It also helped prevent reuse of the time stamp file on systems where
the terminal device's inode change time was updated by writing.
.It 1.8.10
A new, multi-record time stamp file format was introduced that uses a
@ -251,7 +258,7 @@ entire file and the lock is held until authentication is complete.
.It 1.8.22
The start time of the terminal session leader or parent process is
now stored in non-global time stamp records.
This prevents re-use of the time stamp file after logout in most cases.
This prevents reuse of the time stamp file after logout in most cases.
.Pp
Support was added for the kernel-based tty time stamps available in
.Ox
@ -277,8 +284,20 @@ exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you believe you have found a bug in
.Nm sudo ,
you can submit a bug report at https://bugzilla.sudo.ws/
.Nm ,
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

19
docs/sudoreplay.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the sudoreplay.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -170,7 +170,7 @@ In this mode,
will list available sessions in a format similar to the
\fBsudo\fR
log file format, sorted by file name (or sequence number).
Any control characters present in the log data are formated in octal
Any control characters present in the log data are formatted in octal
with a leading
\(oq#\(cq
character.
@ -178,6 +178,7 @@ For example, a horizontal tab is displayed as
\(oq#011\(cq
and an embedded carriage return is displayed as
\(oq#015\(cq.
Space characters in the command name and arguments are also formatted in octal.
.sp
If a
\fIsearch expression\fR
@ -517,7 +518,19 @@ exhaustive list of people who have contributed to
.SH "BUGS"
If you believe you have found a bug in
\fBsudoreplay\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

14
docs/sudoreplay.mdoc.in
View File

@ -460,7 +460,19 @@ exhaustive list of people who have contributed to
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

16
docs/visudo.man.in
View File

@ -1,4 +1,4 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\" Automatically generated from the visudo.mdoc.in file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
@ -531,7 +531,19 @@ allows shell escapes.
.SH "BUGS"
If you believe you have found a bug in
\fBvisudo\fR,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.PP
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

14
docs/visudo.mdoc.in
View File

@ -508,7 +508,19 @@ allows shell escapes.
.Sh BUGS
If you believe you have found a bug in
.Nm ,
you can submit a bug report at https://bugzilla.sudo.ws/
you can either file a bug report in the sudo bug database,
https://bugzilla.sudo.ws/, or open an issue at
https://github.com/sudo-project/sudo/issues.
If you would prefer to use email, messages may be sent to the
sudo-workers mailing list,
https://www.sudo.ws/mailman/listinfo/sudo-workers (public)
or <sudo@sudo.ws> (private).
.Pp
Please not report security vulnerabilities through public GitHub
issues, Bugzilla or mailing lists.
Instead, report them via email to <Todd.Miller@sudo.ws>.
You may encrypt your message with PGP if you would like, using
the key found at https://www.sudo.ws/dist/PGPKEYS.
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or

3
etc/codespell.exclude
View File

@ -1,4 +1,4 @@
"You empty-headed animal food trough wiper!",
N_("You empty-headed animal food trough wiper!"),
* Returns true if any tags set in nt differ between ot and nt, else false.
#define TAGS_CHANGED(ot, nt) \
((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
@ -33,3 +33,4 @@
* Tim Fraser
echo ".Nd sudo" >> conftest
* as per FIPS 180-4: Secure Hash Standard (SHS)
{ "wast", tZONE, -HOUR(7) }, /* West Australian Standard */

4
etc/sudo-logsrvd.pp
View File

@ -5,7 +5,7 @@
from sudo clients.
This makes it possible to have all sudo I/O logs on a central server."
vendor="Todd C. Miller"
copyright="(c) 2019-2021 Todd C. Miller"
copyright="Copyright 2019-2024 Todd C. Miller"
%if [aix]
# Convert to 4 part version for AIX, including patch level
@ -261,7 +261,7 @@ This makes it possible to have all sudo I/O logs on a central server."
pp_systemd_service_exec_args="-n"
pp_systemd_service_man="man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)"
pp_systemd_service_documentation="https://www.sudo.ws/man.html"
pp_systemd_service_after="syslog.target network.target auditd.service"
pp_systemd_service_after="network.target auditd.service"
pp_systemd_service_killmode="process"
pp_systemd_service_type="exec"
pp_systemd_system_target="multi-user.target"

2
etc/sudo-python.pp
View File

@ -3,7 +3,7 @@
summary="Sudo Python plugin framework"
description="The sudo Python plugin allows you to extend sudo using Python."
vendor="Todd C. Miller"
copyright="(c) 2019-2021 Todd C. Miller"
copyright="Copyright 2019-2024 Todd C. Miller"
%if [aix]
# Convert to 4 part version for AIX, including patch level

2
etc/sudo.pp
View File

@ -10,7 +10,7 @@ limited root privileges to users and log root activity. \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."
vendor="Todd C. Miller"
copyright="(c) 1993-1996,1998-2021 Todd C. Miller"
copyright="Copyright 1994-1996,1998-2024 Todd C. Miller"
sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.*|sed "s:^${pp_destdir}::"`
sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'`

2
include/compat/glob.h
View File

@ -69,7 +69,7 @@ typedef struct {
#define GLOB_NOMATCH (-3) /* No match and GLOB_NOCHECK not set. */
#define GLOB_NOSYS (-4) /* Function not supported. */
sudo_dso_public int sudo_glob(const char *, int, int (*)(const char *, int), glob_t *);
sudo_dso_public int sudo_glob(const char * restrict, int, int (*)(const char *, int), glob_t * restrict);
sudo_dso_public void sudo_globfree(glob_t *);
#define glob(_a, _b, _c, _d) sudo_glob((_a), (_b), (_c), (_d))

19
include/sudo_compat.h
View File

@ -28,6 +28,9 @@
#include <sys/stat.h> /* to avoid problems with mismatched headers and libc */
#include <unistd.h> /* to avoid problems with mismatched headers and libc */
#include <stdio.h>
#if !defined(HAVE_UTIMENSAT) || !defined(HAVE_FUTIMENS)
# include <time.h>
#endif
#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_VASPRINTF) || \
!defined(HAVE_VSYSLOG) || defined(PREFER_PORTABLE_SNPRINTF)
# include <stdarg.h>
@ -347,7 +350,7 @@ sudo_dso_public ssize_t sudo_getdelim(char ** restrict bufp, size_t * restrict b
# define getdelim(_a, _b, _c, _d) sudo_getdelim((_a), (_b), (_c), (_d))
#elif defined(HAVE_DECL_GETDELIM) && !HAVE_DECL_GETDELIM
/* getdelim present in libc but missing prototype (old gcc fixed includes?) */
ssize_t getdelim(char **bufp, size_t *bufsizep, int delim, FILE *fp);
ssize_t getdelim(char ** restrict bufp, size_t * restrict bufsizep, int delim, FILE * restrict fp);
#endif /* HAVE_GETDELIM */
#ifndef HAVE_GETUSERSHELL
sudo_dso_public char *sudo_getusershell(void);
@ -366,12 +369,12 @@ void setusershell(void);
void endusershell(void);
#endif /* HAVE_GETUSERSHELL */
#ifndef HAVE_GMTIME_R
sudo_dso_public struct tm *sudo_gmtime_r(const time_t *, struct tm *);
sudo_dso_public struct tm *sudo_gmtime_r(const time_t * restrict, struct tm * restrict);
# undef gmtime_r
# define gmtime_r(_a, _b) sudo_gmtime_r((_a), (_b))
#endif /* HAVE_GMTIME_R */
#ifndef HAVE_LOCALTIME_R
sudo_dso_public struct tm *sudo_localtime_r(const time_t *, struct tm *);
sudo_dso_public struct tm *sudo_localtime_r(const time_t * restrict, struct tm * restrict);
# undef localtime_r
# define localtime_r(_a, _b) sudo_localtime_r((_a), (_b))
#endif /* HAVE_LOCALTIME_R */
@ -379,7 +382,7 @@ sudo_dso_public struct tm *sudo_localtime_r(const time_t *, struct tm *);
sudo_dso_public time_t sudo_timegm(struct tm *);
#endif /* HAVE_TIMEGM */
#ifndef HAVE_UTIMENSAT
sudo_dso_public int sudo_utimensat(int fd, const char *file, const struct timespec *times, int flag);
sudo_dso_public int sudo_utimensat(int fd, const char *file, const struct timespec times[2], int flag);
# undef utimensat
# define utimensat(_a, _b, _c, _d) sudo_utimensat((_a), (_b), (_c), (_d))
#endif /* HAVE_UTIMENSAT */
@ -389,12 +392,12 @@ sudo_dso_public int sudo_fchmodat(int dfd, const char *path, mode_t mode, int fl
# define fchmodat(_a, _b, _c, _d) sudo_fchmodat((_a), (_b), (_c), (_d))
#endif /* HAVE_FCHMODAT */
#ifndef HAVE_FSTATAT
sudo_dso_public int sudo_fstatat(int dfd, const char *path, struct stat *sb, int flag);
sudo_dso_public int sudo_fstatat(int dfd, const char * restrict path, struct stat * restrict sb, int flag);
# undef fstatat
# define fstatat(_a, _b, _c, _d) sudo_fstatat((_a), (_b), (_c), (_d))
#endif /* HAVE_FSTATAT */
#ifndef HAVE_FUTIMENS
sudo_dso_public int sudo_futimens(int fd, const struct timespec *times);
sudo_dso_public int sudo_futimens(int fd, const struct timespec times[2]);
# undef futimens
# define futimens(_a, _b) sudo_futimens((_a), (_b))
#endif /* HAVE_FUTIMENS */
@ -508,12 +511,12 @@ sudo_dso_public int sudo_str2sig(const char *signame, int *signum);
# define str2sig(_a, _b) sudo_str2sig((_a), (_b))
#endif /* HAVE_STR2SIG */
#if !defined(HAVE_INET_NTOP) && defined(NEED_INET_NTOP)
sudo_dso_public char *sudo_inet_ntop(int af, const void *src, char *dst, socklen_t size);
sudo_dso_public const char *sudo_inet_ntop(int af, const void * restrict src, char * restrict dst, socklen_t size);
# undef inet_ntop
# define inet_ntop(_a, _b, _c, _d) sudo_inet_ntop((_a), (_b), (_c), (_d))
#endif /* HAVE_INET_NTOP */
#ifndef HAVE_INET_PTON
sudo_dso_public int sudo_inet_pton(int af, const char *src, void *dst);
sudo_dso_public int sudo_inet_pton(int af, const char * restrict src, void * restrict dst);
# undef inet_pton
# define inet_pton(_a, _b, _c) sudo_inet_pton((_a), (_b), (_c))
#endif /* HAVE_INET_PTON */

16
include/sudo_debug.h
View File

@ -153,6 +153,13 @@ struct sudo_conf_debug_file_list;
"<- %s @ %s:%d := %ld", (_func), (_file), (_line), (_ret)); \
} while (0)
# define sudo_debug_exit_dev_t(_func, _file, _line, _sys, _ret) \
do { \
sudo_debug_printf2(NULL, NULL, 0, (_sys) | SUDO_DEBUG_TRACE, \
"<- %s @ %s:%d := %lu", (_func), (_file), (_line), \
(unsigned long)(_ret)); \
} while (0)
# if SIZEOF_ID_T == 8
# define sudo_debug_exit_id_t(_func, _file, _line, _sys, _ret) \
do { \
@ -231,6 +238,7 @@ struct sudo_conf_debug_file_list;
# define sudo_debug_exit_int(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_uint(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_long(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_dev_t(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_id_t(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_size_t(_a, _b, _c, _d, _e) ((void)&(_d))
# define sudo_debug_exit_ssize_t(_a, _b, _c, _d, _e) ((void)&(_d))
@ -267,6 +275,14 @@ struct sudo_conf_debug_file_list;
return sudo_debug_ret; \
} while (0)
#define debug_return_dev_t(ret) \
do { \
dev_t sudo_debug_ret = (ret); \
sudo_debug_exit_dev_t(__func__, __FILE__, __LINE__, sudo_debug_subsys,\
sudo_debug_ret); \
return sudo_debug_ret; \
} while (0)
#define debug_return_id_t(ret) \
do { \
id_t sudo_debug_ret = (ret); \

5
include/sudo_eventlog.h
View File

@ -43,7 +43,8 @@ enum event_type {
/* Supported eventlog formats. */
enum eventlog_format {
EVLOG_SUDO,
EVLOG_JSON
EVLOG_JSON_COMPACT,
EVLOG_JSON_PRETTY
};
/* Eventlog flag values. */
@ -114,7 +115,7 @@ struct eventlog {
char **runargv;
char **runenv;
char **env_add;
struct timespec submit_time;
struct timespec event_time;
struct timespec iolog_offset;
struct timespec run_time;
int exit_value;

2
include/sudo_iolog.h
View File

@ -94,7 +94,7 @@ struct iolog_file {
struct iolog_path_escape {
const char *name;
size_t (*copy_fn)(char *, size_t, void *);
size_t (*copy_fn)(char * restrict, size_t, void * restrict );
};
/* host_port.c */

2
include/sudo_plugin.h
View File

@ -21,7 +21,7 @@
/* API version major/minor */
#define SUDO_API_VERSION_MAJOR 1
#define SUDO_API_VERSION_MINOR 21
#define SUDO_API_VERSION_MINOR 22
#define SUDO_API_MKVERSION(x, y) (((x) << 16) | (y))
#define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR, SUDO_API_VERSION_MINOR)

8
include/sudo_util.h
View File

@ -195,7 +195,7 @@ sudo_dso_public int sudo_getgrouplist2_v1(const char *name, gid_t basegid, GETGR
#define sudo_getgrouplist2(_a, _b, _c, _d) sudo_getgrouplist2_v1((_a), (_b), (_c), (_d))
/* hexchar.c */
sudo_dso_public int sudo_hexchar_v1(const char *s);
sudo_dso_public int sudo_hexchar_v1(const char s[restrict static 2]);
#define sudo_hexchar(_a) sudo_hexchar_v1(_a)
/* key_val.c */
@ -242,7 +242,7 @@ sudo_dso_public int sudo_mmap_protect_v1(void *ptr);
#define sudo_mmap_protect(_a) sudo_mmap_protect_v1(_a)
/* multiarch.c */
sudo_dso_public char *sudo_stat_multiarch_v1(const char *path, struct stat *sb);
sudo_dso_public char *sudo_stat_multiarch_v1(const char * restrict path, struct stat * restrict sb);
#define sudo_stat_multiarch(_a, _b) sudo_stat_multiarch_v1((_a), (_b))
/* parseln.c */
@ -350,9 +350,9 @@ sudo_dso_public void sudo_get_ttysize_v2(int fd, int *rowp, int *colp);
#define sudo_get_ttysize(_a, _b, _c) sudo_get_ttysize_v2((_a), (_b), (_c))
/* uuid.c */
sudo_dso_public void sudo_uuid_create_v1(unsigned char uuid_out[16]);
sudo_dso_public void sudo_uuid_create_v1(unsigned char uuid_out[restrict static 16]);
#define sudo_uuid_create(_a) sudo_uuid_create_v1((_a))
sudo_dso_public char *sudo_uuid_to_string_v1(unsigned char uuid[16], char *dst, size_t dstsiz);
sudo_dso_public char *sudo_uuid_to_string_v1(const unsigned char uuid[restrict static 16], char * restrict dst, size_t dstsiz);
#define sudo_uuid_to_string(_a, _b, _c) sudo_uuid_to_string_v1((_a), (_b), (_c))
#endif /* SUDO_UTIL_H */

41
lib/eventlog/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2020-2023 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2020-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -32,6 +32,7 @@ incdir = $(top_srcdir)/include
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
EGREP = @EGREP@
SED = @SED@
@ -117,7 +118,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -223,9 +224,9 @@ check_parse_json.i: $(srcdir)/regress/parse_json/check_parse_json.c \
$(incdir)/sudo_json.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(srcdir)/parse_json.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/parse_json/check_parse_json.c > $@
check_parse_json.plog: check_parse_json.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/parse_json/check_parse_json.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/parse_json/check_parse_json.c --i-file check_parse_json.i --output-file $@
check_wrap.lo: $(srcdir)/regress/logwrap/check_wrap.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -237,9 +238,9 @@ check_wrap.i: $(srcdir)/regress/logwrap/check_wrap.c \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/logwrap/check_wrap.c > $@
check_wrap.plog: check_wrap.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/logwrap/check_wrap.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/logwrap/check_wrap.c --i-file check_wrap.i --output-file $@
eventlog.lo: $(srcdir)/eventlog.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -255,9 +256,9 @@ eventlog.i: $(srcdir)/eventlog.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/eventlog.c > $@
eventlog.plog: eventlog.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog.c --i-file eventlog.i --output-file $@
eventlog_conf.lo: $(srcdir)/eventlog_conf.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -273,9 +274,9 @@ eventlog_conf.i: $(srcdir)/eventlog_conf.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/eventlog_conf.c > $@
eventlog_conf.plog: eventlog_conf.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog_conf.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog_conf.c --i-file eventlog_conf.i --output-file $@
eventlog_free.lo: $(srcdir)/eventlog_free.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_queue.h \
@ -285,9 +286,9 @@ eventlog_free.i: $(srcdir)/eventlog_free.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/eventlog_free.c > $@
eventlog_free.plog: eventlog_free.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog_free.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/eventlog_free.c --i-file eventlog_free.i --output-file $@
logwrap.lo: $(srcdir)/logwrap.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_queue.h \
@ -297,9 +298,9 @@ logwrap.i: $(srcdir)/logwrap.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logwrap.c > $@
logwrap.plog: logwrap.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logwrap.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logwrap.c --i-file logwrap.i --output-file $@
parse_json.lo: $(srcdir)/parse_json.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -315,9 +316,9 @@ parse_json.i: $(srcdir)/parse_json.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(srcdir)/parse_json.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/parse_json.c > $@
parse_json.plog: parse_json.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/parse_json.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/parse_json.c --i-file parse_json.i --output-file $@
store_json_test.lo: $(srcdir)/regress/eventlog_store/store_json_test.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -331,9 +332,9 @@ store_json_test.i: $(srcdir)/regress/eventlog_store/store_json_test.c \
$(incdir)/sudo_json.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(srcdir)/parse_json.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/eventlog_store/store_json_test.c > $@
store_json_test.plog: store_json_test.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/eventlog_store/store_json_test.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/eventlog_store/store_json_test.c --i-file store_json_test.i --output-file $@
store_sudo_test.lo: $(srcdir)/regress/eventlog_store/store_sudo_test.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -345,6 +346,6 @@ store_sudo_test.i: $(srcdir)/regress/eventlog_store/store_sudo_test.c \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
$(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/eventlog_store/store_sudo_test.c > $@
store_sudo_test.plog: store_sudo_test.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/eventlog_store/store_sudo_test.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/eventlog_store/store_sudo_test.c --i-file store_sudo_test.i --output-file $@

68
lib/eventlog/eventlog.c
View File

@ -264,7 +264,7 @@ closefrom_nodebug(int lowfd)
/* Close fds [lowfd, startfd) that are not in debug_fds. */
for (fd = lowfd; fd < startfd; fd++) {
if (sudo_isset(debug_fds, fd))
if (fd < 0 || sudo_isset(debug_fds, fd))
continue;
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"closing fd %d", fd);
@ -620,7 +620,7 @@ oom:
/*
* Store the contents of struct eventlog as JSON.
* The submit_time and iolog_path members are not stored, they should
* The event_time and iolog_path members are not stored, they should
* be stored and formatted by the caller.
*/
bool
@ -638,7 +638,7 @@ eventlog_store_json(struct json_container *jsonc, const struct eventlog *evlog)
/*
* The most important values are written first in case
* the log record gets truncated.
* Note: submit_time and iolog_path are not stored here.
* Note: event_time and iolog_path are not stored here.
*/
json_value.type = JSON_STRING;
@ -1130,7 +1130,8 @@ do_syslog(int event_type, int flags, struct eventlog_args *args,
case EVLOG_SUDO:
ret = do_syslog_sudo(pri, lbuf.buf, evlog);
break;
case EVLOG_JSON:
case EVLOG_JSON_COMPACT:
case EVLOG_JSON_PRETTY:
ret = do_syslog_json(pri, event_type, args, evlog);
break;
default:
@ -1205,11 +1206,12 @@ done:
}
static bool
do_logfile_json(int event_type, struct eventlog_args *args,
const struct eventlog *evlog)
do_logfile_json(enum eventlog_format format, int event_type,
struct eventlog_args *args, const struct eventlog *evlog)
{
const struct eventlog_config *evl_conf = eventlog_getconf();
const char *logfile = evl_conf->logpath;
const bool compact = format == EVLOG_JSON_COMPACT;
struct stat sb;
char *json_str;
int ret = false;
@ -1219,7 +1221,7 @@ do_logfile_json(int event_type, struct eventlog_args *args,
if ((fp = evl_conf->open_log(EVLOG_FILE, logfile)) == NULL)
debug_return_bool(false);
json_str = format_json(event_type, args, evlog, false);
json_str = format_json(event_type, args, evlog, compact);
if (json_str == NULL)
goto done;
@ -1229,25 +1231,32 @@ do_logfile_json(int event_type, struct eventlog_args *args,
goto done;
}
/* Note: assumes file ends in "\n}\n" */
if (fstat(fileno(fp), &sb) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to stat %s", logfile);
goto done;
}
if (sb.st_size == 0) {
/* New file */
putc('{', fp);
} else if (fseeko(fp, -3, SEEK_END) == 0) {
/* Continue file, overwrite the final "\n}\n" */
putc(',', fp);
if (!compact) {
/* Note: assumes file ends in "\n}\n" */
if (fstat(fileno(fp), &sb) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to stat %s", logfile);
goto done;
}
if (sb.st_size == 0) {
/* New file */
putc('{', fp);
} else if (fseeko(fp, -3, SEEK_END) == 0) {
/* Continue file, overwrite the final "\n}\n" */
putc(',', fp);
} else {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to seek %s", logfile);
goto done;
}
fputs(json_str, fp);
fputs("\n}\n", fp); /* close JSON */
} else {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to seek %s", logfile);
goto done;
/* Compact (minified) JSON records, one per line. */
putc('{', fp);
fputs(json_str, fp);
fputs("}\n", fp);
}
fputs(json_str, fp);
fputs("\n}\n", fp); /* close JSON */
fflush(fp);
/* XXX - check for file error and recover */
@ -1293,8 +1302,9 @@ do_logfile(int event_type, int flags, struct eventlog_args *args,
ret = do_logfile_sudo(lbuf.buf ? lbuf.buf : args->reason, evlog,
args->event_time);
break;
case EVLOG_JSON:
ret = do_logfile_json(event_type, args, evlog);
case EVLOG_JSON_COMPACT:
case EVLOG_JSON_PRETTY:
ret = do_logfile_json(evl_conf->format, event_type, args, evlog);
break;
default:
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
@ -1317,7 +1327,7 @@ eventlog_accept(const struct eventlog *evlog, int flags,
bool ret = true;
debug_decl(eventlog_accept, SUDO_DEBUG_UTIL);
args.event_time = &evlog->submit_time;
args.event_time = &evlog->event_time;
args.json_info_cb = info_cb;
args.json_info = info;
@ -1345,7 +1355,7 @@ eventlog_reject(const struct eventlog *evlog, int flags, const char *reason,
debug_decl(eventlog_reject, SUDO_DEBUG_UTIL);
args.reason = reason;
args.event_time = &evlog->submit_time;
args.event_time = &evlog->event_time;
args.json_info_cb = info_cb;
args.json_info = info;
@ -1444,7 +1454,7 @@ eventlog_exit(const struct eventlog *evlog, int flags)
debug_decl(eventlog_exit, SUDO_DEBUG_UTIL);
if (sudo_timespecisset(&evlog->run_time)) {
sudo_timespecadd(&evlog->submit_time, &evlog->run_time, &exit_time);
sudo_timespecadd(&evlog->event_time, &evlog->run_time, &exit_time);
args.event_time = &exit_time;
}

2
lib/eventlog/parse_json.c
View File

@ -424,7 +424,7 @@ json_store_run_time(struct json_item *item, struct eventlog *evlog)
static bool
json_store_timestamp(struct json_item *item, struct eventlog *evlog)
{
return json_store_timespec(item, &evlog->submit_time);
return json_store_timespec(item, &evlog->event_time);
}
static bool

9
lib/fuzzstub/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2021 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2021-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -32,6 +32,7 @@ incdir = $(top_srcdir)/include
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
# C preprocessor flags
@ -102,7 +103,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -171,6 +172,6 @@ fuzzstub.lo: $(srcdir)/fuzzstub.c $(incdir)/compat/stdbool.h \
fuzzstub.i: $(srcdir)/fuzzstub.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/fuzzstub.c > $@
fuzzstub.plog: fuzzstub.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/fuzzstub.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/fuzzstub.c --i-file fuzzstub.i --output-file $@

137
lib/iolog/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2011-2023 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2011-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -33,6 +33,7 @@ cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
SHA1SUM = @SHA1SUM@
EGREP = @EGREP@
@ -154,7 +155,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -370,9 +371,9 @@ check_iolog_filter.i: $(srcdir)/regress/iolog_filter/check_iolog_filter.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/iolog_filter/check_iolog_filter.c > $@
check_iolog_filter.plog: check_iolog_filter.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_filter/check_iolog_filter.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_filter/check_iolog_filter.c --i-file check_iolog_filter.i --output-file $@
check_iolog_mkpath.lo: $(srcdir)/regress/iolog_mkpath/check_iolog_mkpath.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
@ -384,9 +385,9 @@ check_iolog_mkpath.i: $(srcdir)/regress/iolog_mkpath/check_iolog_mkpath.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/iolog_mkpath/check_iolog_mkpath.c > $@
check_iolog_mkpath.plog: check_iolog_mkpath.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_mkpath/check_iolog_mkpath.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_mkpath/check_iolog_mkpath.c --i-file check_iolog_mkpath.i --output-file $@
check_iolog_path.lo: $(srcdir)/regress/iolog_path/check_iolog_path.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
@ -398,9 +399,9 @@ check_iolog_path.i: $(srcdir)/regress/iolog_path/check_iolog_path.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/iolog_path/check_iolog_path.c > $@
check_iolog_path.plog: check_iolog_path.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_path/check_iolog_path.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_path/check_iolog_path.c --i-file check_iolog_path.i --output-file $@
check_iolog_timing.lo: $(srcdir)/regress/iolog_timing/check_iolog_timing.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
@ -412,9 +413,9 @@ check_iolog_timing.i: $(srcdir)/regress/iolog_timing/check_iolog_timing.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/iolog_timing/check_iolog_timing.c > $@
check_iolog_timing.plog: check_iolog_timing.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_timing/check_iolog_timing.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/iolog_timing/check_iolog_timing.c --i-file check_iolog_timing.i --output-file $@
fuzz_iolog_json.lo: $(srcdir)/regress/fuzz/fuzz_iolog_json.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
@ -428,9 +429,9 @@ fuzz_iolog_json.i: $(srcdir)/regress/fuzz/fuzz_iolog_json.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_iolog_json.c > $@
fuzz_iolog_json.plog: fuzz_iolog_json.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_json.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_json.c --i-file fuzz_iolog_json.i --output-file $@
fuzz_iolog_legacy.lo: $(srcdir)/regress/fuzz/fuzz_iolog_legacy.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
@ -444,9 +445,9 @@ fuzz_iolog_legacy.i: $(srcdir)/regress/fuzz/fuzz_iolog_legacy.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_iolog_legacy.c > $@
fuzz_iolog_legacy.plog: fuzz_iolog_legacy.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_legacy.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_legacy.c --i-file fuzz_iolog_legacy.i --output-file $@
fuzz_iolog_timing.lo: $(srcdir)/regress/fuzz/fuzz_iolog_timing.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
@ -460,9 +461,9 @@ fuzz_iolog_timing.i: $(srcdir)/regress/fuzz/fuzz_iolog_timing.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_iolog_timing.c > $@
fuzz_iolog_timing.plog: fuzz_iolog_timing.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_timing.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_iolog_timing.c --i-file fuzz_iolog_timing.i --output-file $@
host_port.lo: $(srcdir)/host_port.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
@ -474,9 +475,9 @@ host_port.i: $(srcdir)/host_port.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/host_port.c > $@
host_port.plog: host_port.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/host_port.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/host_port.c --i-file host_port.i --output-file $@
host_port_test.lo: $(srcdir)/regress/host_port/host_port_test.c \
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
@ -488,9 +489,9 @@ host_port_test.i: $(srcdir)/regress/host_port/host_port_test.c \
$(incdir)/sudo_fatal.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/host_port/host_port_test.c > $@
host_port_test.plog: host_port_test.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/host_port/host_port_test.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/host_port/host_port_test.c --i-file host_port_test.i --output-file $@
hostcheck.lo: $(srcdir)/hostcheck.c $(incdir)/compat/stdbool.h \
$(incdir)/hostcheck.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_queue.h \
@ -500,9 +501,9 @@ hostcheck.i: $(srcdir)/hostcheck.c $(incdir)/compat/stdbool.h \
$(incdir)/hostcheck.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/hostcheck.c > $@
hostcheck.plog: hostcheck.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/hostcheck.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/hostcheck.c --i-file hostcheck.i --output-file $@
iolog_clearerr.lo: $(srcdir)/iolog_clearerr.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -512,9 +513,9 @@ iolog_clearerr.i: $(srcdir)/iolog_clearerr.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_clearerr.c > $@
iolog_clearerr.plog: iolog_clearerr.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_clearerr.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_clearerr.c --i-file iolog_clearerr.i --output-file $@
iolog_close.lo: $(srcdir)/iolog_close.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -524,9 +525,9 @@ iolog_close.i: $(srcdir)/iolog_close.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_close.c > $@
iolog_close.plog: iolog_close.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_close.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_close.c --i-file iolog_close.i --output-file $@
iolog_conf.lo: $(srcdir)/iolog_conf.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -538,9 +539,9 @@ iolog_conf.i: $(srcdir)/iolog_conf.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_conf.c > $@
iolog_conf.plog: iolog_conf.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_conf.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_conf.c --i-file iolog_conf.i --output-file $@
iolog_eof.lo: $(srcdir)/iolog_eof.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -550,9 +551,9 @@ iolog_eof.i: $(srcdir)/iolog_eof.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_eof.c > $@
iolog_eof.plog: iolog_eof.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_eof.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_eof.c --i-file iolog_eof.i --output-file $@
iolog_filter.lo: $(srcdir)/iolog_filter.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -566,9 +567,9 @@ iolog_filter.i: $(srcdir)/iolog_filter.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_filter.c > $@
iolog_filter.plog: iolog_filter.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_filter.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_filter.c --i-file iolog_filter.i --output-file $@
iolog_flush.lo: $(srcdir)/iolog_flush.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -578,9 +579,9 @@ iolog_flush.i: $(srcdir)/iolog_flush.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_flush.c > $@
iolog_flush.plog: iolog_flush.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_flush.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_flush.c --i-file iolog_flush.i --output-file $@
iolog_gets.lo: $(srcdir)/iolog_gets.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -590,9 +591,9 @@ iolog_gets.i: $(srcdir)/iolog_gets.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_gets.c > $@
iolog_gets.plog: iolog_gets.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_gets.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_gets.c --i-file iolog_gets.i --output-file $@
iolog_json.lo: $(srcdir)/iolog_json.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_iolog.h \
@ -602,9 +603,9 @@ iolog_json.i: $(srcdir)/iolog_json.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_queue.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_json.c > $@
iolog_json.plog: iolog_json.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_json.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_json.c --i-file iolog_json.i --output-file $@
iolog_legacy.lo: $(srcdir)/iolog_legacy.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -618,9 +619,9 @@ iolog_legacy.i: $(srcdir)/iolog_legacy.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_legacy.c > $@
iolog_legacy.plog: iolog_legacy.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_legacy.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_legacy.c --i-file iolog_legacy.i --output-file $@
iolog_loginfo.lo: $(srcdir)/iolog_loginfo.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -636,9 +637,9 @@ iolog_loginfo.i: $(srcdir)/iolog_loginfo.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_json.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_loginfo.c > $@
iolog_loginfo.plog: iolog_loginfo.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_loginfo.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_loginfo.c --i-file iolog_loginfo.i --output-file $@
iolog_mkdirs.lo: $(srcdir)/iolog_mkdirs.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -652,9 +653,9 @@ iolog_mkdirs.i: $(srcdir)/iolog_mkdirs.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_mkdirs.c > $@
iolog_mkdirs.plog: iolog_mkdirs.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkdirs.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkdirs.c --i-file iolog_mkdirs.i --output-file $@
iolog_mkdtemp.lo: $(srcdir)/iolog_mkdtemp.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -668,9 +669,9 @@ iolog_mkdtemp.i: $(srcdir)/iolog_mkdtemp.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_mkdtemp.c > $@
iolog_mkdtemp.plog: iolog_mkdtemp.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkdtemp.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkdtemp.c --i-file iolog_mkdtemp.i --output-file $@
iolog_mkpath.lo: $(srcdir)/iolog_mkpath.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -680,9 +681,9 @@ iolog_mkpath.i: $(srcdir)/iolog_mkpath.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_mkpath.c > $@
iolog_mkpath.plog: iolog_mkpath.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkpath.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_mkpath.c --i-file iolog_mkpath.i --output-file $@
iolog_nextid.lo: $(srcdir)/iolog_nextid.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -696,9 +697,9 @@ iolog_nextid.i: $(srcdir)/iolog_nextid.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_nextid.c > $@
iolog_nextid.plog: iolog_nextid.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_nextid.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_nextid.c --i-file iolog_nextid.i --output-file $@
iolog_open.lo: $(srcdir)/iolog_open.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -708,9 +709,9 @@ iolog_open.i: $(srcdir)/iolog_open.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_open.c > $@
iolog_open.plog: iolog_open.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_open.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_open.c --i-file iolog_open.i --output-file $@
iolog_openat.lo: $(srcdir)/iolog_openat.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -724,9 +725,9 @@ iolog_openat.i: $(srcdir)/iolog_openat.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_openat.c > $@
iolog_openat.plog: iolog_openat.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_openat.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_openat.c --i-file iolog_openat.i --output-file $@
iolog_path.lo: $(srcdir)/iolog_path.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -740,9 +741,9 @@ iolog_path.i: $(srcdir)/iolog_path.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_path.c > $@
iolog_path.plog: iolog_path.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_path.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_path.c --i-file iolog_path.i --output-file $@
iolog_read.lo: $(srcdir)/iolog_read.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -752,9 +753,9 @@ iolog_read.i: $(srcdir)/iolog_read.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_read.c > $@
iolog_read.plog: iolog_read.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_read.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_read.c --i-file iolog_read.i --output-file $@
iolog_seek.lo: $(srcdir)/iolog_seek.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -764,9 +765,9 @@ iolog_seek.i: $(srcdir)/iolog_seek.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_seek.c > $@
iolog_seek.plog: iolog_seek.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_seek.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_seek.c --i-file iolog_seek.i --output-file $@
iolog_swapids.lo: $(srcdir)/iolog_swapids.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -778,9 +779,9 @@ iolog_swapids.i: $(srcdir)/iolog_swapids.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_swapids.c > $@
iolog_swapids.plog: iolog_swapids.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_swapids.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_swapids.c --i-file iolog_swapids.i --output-file $@
iolog_timing.lo: $(srcdir)/iolog_timing.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
@ -794,9 +795,9 @@ iolog_timing.i: $(srcdir)/iolog_timing.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_timing.c > $@
iolog_timing.plog: iolog_timing.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_timing.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_timing.c --i-file iolog_timing.i --output-file $@
iolog_util.lo: $(srcdir)/iolog_util.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -806,9 +807,9 @@ iolog_util.i: $(srcdir)/iolog_util.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_util.c > $@
iolog_util.plog: iolog_util.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_util.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_util.c --i-file iolog_util.i --output-file $@
iolog_write.lo: $(srcdir)/iolog_write.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
@ -818,6 +819,6 @@ iolog_write.i: $(srcdir)/iolog_write.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_queue.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_write.c > $@
iolog_write.plog: iolog_write.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_write.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_write.c --i-file iolog_write.i --output-file $@

2
lib/iolog/iolog_legacy.c
View File

@ -84,7 +84,7 @@ iolog_parse_loginfo_legacy(FILE *fp, const char *iolog_dir,
goto done;
}
*ep = '\0';
evlog->submit_time.tv_sec =
evlog->event_time.tv_sec =
(time_t)sudo_strtonum(cp, 0, TIME_T_MAX, &errstr);
if (errstr != NULL) {
sudo_warn(U_("%s: time stamp %s: %s"), iolog_dir, cp, errstr);

6
lib/iolog/iolog_loginfo.c
View File

@ -123,7 +123,7 @@ iolog_write_info_file_legacy(int dfd, struct eventlog *evlog)
}
fprintf(fp, "%lld:%s:%s:%s:%s:%d:%d\n%s\n",
(long long)evlog->submit_time.tv_sec,
(long long)evlog->event_time.tv_sec,
evlog->submituser ? evlog->submituser : "unknown",
evlog->runuser ? evlog->runuser : RUNAS_DEFAULT,
evlog->rungroup ? evlog->rungroup : "",
@ -168,12 +168,12 @@ iolog_write_info_file_json(int dfd, struct eventlog *evlog)
goto oom;
json_value.type = JSON_NUMBER;
json_value.u.number = evlog->submit_time.tv_sec;
json_value.u.number = evlog->event_time.tv_sec;
if (!sudo_json_add_value(&jsonc, "seconds", &json_value))
goto oom;
json_value.type = JSON_NUMBER;
json_value.u.number = evlog->submit_time.tv_nsec;
json_value.u.number = evlog->event_time.tv_nsec;
if (!sudo_json_add_value(&jsonc, "nanoseconds", &json_value))
goto oom;

24
lib/iolog/regress/iolog_path/check_iolog_path.c
View File

@ -252,24 +252,24 @@ main(int argc, char *argv[])
sudo_fatal(NULL);
break;
case 7:
if (dir_in != NULL)
free(dir_in);
dir_in = strdup(line);
free(dir_in);
if ((dir_in = strdup(line)) == NULL)
sudo_fatal(NULL);
break;
case 8:
if (file_in != NULL)
free(file_in);
file_in = strdup(line);
free(file_in);
if ((file_in = strdup(line)) == NULL)
sudo_fatal(NULL);
break;
case 9:
if (dir_out != NULL)
free(dir_out);
dir_out = strdup(line);
free(dir_out);
if ((dir_out = strdup(line)) == NULL)
sudo_fatal(NULL);
break;
case 10:
if (file_out != NULL)
free(file_out);
file_out = strdup(line);
free(file_out);
if ((file_out = strdup(line)) == NULL)
sudo_fatal(NULL);
break;
case 11:
errors += do_check(dir_in, file_in, dir_out, file_out);

5
lib/logsrv/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -32,6 +32,7 @@ incdir = $(top_srcdir)/include
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
# Libraries
@ -100,7 +101,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@

9
lib/protobuf-c/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -32,6 +32,7 @@ incdir = $(top_srcdir)/include
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
# C preprocessor flags
@ -95,7 +96,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -175,6 +176,6 @@ protobuf-c.lo: $(srcdir)/protobuf-c.c $(incdir)/compat/endian.h \
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/protobuf-c.c
protobuf-c.i: $(srcdir)/protobuf-c.c $(incdir)/compat/endian.h \
$(incdir)/protobuf-c/protobuf-c.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/protobuf-c.c > $@
protobuf-c.plog: protobuf-c.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/protobuf-c.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/protobuf-c.c --i-file protobuf-c.i --output-file $@

9
lib/ssl_compat/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2023 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2023-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -32,6 +32,7 @@ incdir = $(top_srcdir)/include
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
# Libraries
@ -100,7 +101,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -184,6 +185,6 @@ ssl_compat.lo: $(srcdir)/ssl_compat.c $(incdir)/sudo_compat.h \
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ssl_compat.c
ssl_compat.i: $(srcdir)/ssl_compat.c $(incdir)/sudo_compat.h \
$(incdir)/sudo_ssl_compat.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/ssl_compat.c > $@
ssl_compat.plog: ssl_compat.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ssl_compat.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ssl_compat.c --i-file ssl_compat.i --output-file $@

486
lib/util/Makefile.in
View File

File diff suppressed because it is too large Load Diff

2
lib/util/chacha_private.h
View File

@ -92,7 +92,7 @@ chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
u8 *ctarget = NULL;
u8 tmp[64];
u_int i;
u32 i;
if (!bytes) return;

2
lib/util/event.c
View File

@ -637,7 +637,7 @@ sudo_ev_dispatch_v1(struct sudo_event_base *base)
/*
* Run main event loop.
* Returns 0 on success, 1 if no events registered and -1 on error
* Returns 0 on success, 1 if no events registered and -1 on error
*/
int
sudo_ev_loop_v1(struct sudo_event_base *base, unsigned int flags)

2
lib/util/fatal.c
View File

@ -303,7 +303,7 @@ sudo_fatal_callback_deregister_v1(sudo_fatal_callback_t func)
}
/*
* Set the conversation function to use for output insteaf of the
* Set the conversation function to use for output instead of the
* standard error. If conv is NULL, switch back to standard error.
*/
void

2
lib/util/fnmatch.c
View File

@ -227,7 +227,7 @@ leadingclosebrace:
/* NOT a properly balanced [expr] pattern, EOS terminated
* or ranges containing a slash in FNM_PATHNAME mode pattern
* fall out to to the rewind and test '[' literal code path
* fall out to the rewind and test '[' literal code path
*/
if (!**pattern || (slash && (**pattern == '/')))
break;

2
lib/util/fstatat.c
View File

@ -32,7 +32,7 @@
#ifndef HAVE_FSTATAT
int
sudo_fstatat(int dfd, const char *path, struct stat *sb, int flag)
sudo_fstatat(int dfd, const char * restrict path, struct stat * restrict sb, int flag)
{
int odfd, ret = -1;

2
lib/util/gethostname.c
View File

@ -41,7 +41,7 @@ sudo_gethostname_v1(void)
#ifdef _SC_HOST_NAME_MAX
host_name_max = (size_t)sysconf(_SC_HOST_NAME_MAX);
if (host_name_max == (size_t)-1)
if ((ssize_t)host_name_max <= 0)
#endif
host_name_max = 255; /* POSIX and historic BSD */

79
lib/util/glob.c
View File

@ -138,33 +138,33 @@ struct glob_lim {
};
static int compare(const void *, const void *);
static int g_Ctoc(const Char *, char *, size_t);
static int g_lstat(Char *, struct stat *, glob_t *);
static int g_Ctoc(const Char * restrict, char * restrict, size_t);
static int g_lstat(Char * restrict, struct stat * restrict, glob_t *restrict);
static DIR *g_opendir(Char *, glob_t *);
static Char *g_strchr(const Char *, int);
static int g_strncmp(const Char *, const char *, size_t);
static int g_stat(Char *, struct stat *, glob_t *);
static int glob0(const Char *, glob_t *, struct glob_lim *);
static int glob1(Char *, Char *, glob_t *, struct glob_lim *);
static int g_stat(Char * restrict, struct stat * restrict, glob_t * restrict);
static int glob0(const Char * restrict, glob_t * restrict, struct glob_lim * restrict);
static int glob1(Char *, Char *, glob_t * restrict, struct glob_lim * restrict);
static int glob2(Char *, Char *, Char *, Char *, Char *, Char *,
glob_t *, struct glob_lim *);
glob_t * restrict, struct glob_lim * restrict);
static int glob3(Char *, Char *, Char *, Char *, Char *,
Char *, Char *, glob_t *, struct glob_lim *);
static int globextend(const Char *, glob_t *, struct glob_lim *,
struct stat *);
Char *, Char *, glob_t * restrict, struct glob_lim * restrict);
static int globextend(const Char * restrict, glob_t * restrict, struct glob_lim * restrict,
struct stat * restrict);
static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
static int globexp1(const Char *, glob_t *, struct glob_lim *);
static int globexp2(const Char *, const Char *, glob_t *,
struct glob_lim *);
globtilde(const Char * restrict, Char * restrict, size_t, glob_t * restrict);
static int globexp1(const Char * restrict, glob_t * restrict, struct glob_lim * restrict);
static int globexp2(const Char *, const Char *, glob_t * restrict,
struct glob_lim * restrict);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
static void qprintf(const char * restrict, Char * restrict);
#endif
int
sudo_glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
glob_t *pglob)
sudo_glob(const char * restrict pattern, int flags, int (*errfunc)(const char *, int),
glob_t * restrict pglob)
{
const unsigned char *patnext;
int c;
@ -220,7 +220,7 @@ sudo_glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
* characters
*/
static int
globexp1(const Char *pattern, glob_t *pglob, struct glob_lim *limitp)
globexp1(const Char * restrict pattern, glob_t * restrict pglob, struct glob_lim * restrict limitp)
{
const Char* ptr = pattern;
@ -241,10 +241,11 @@ globexp1(const Char *pattern, glob_t *pglob, struct glob_lim *limitp)
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
globexp2(const Char *ptr, const Char *pattern, glob_t *pglob,
struct glob_lim *limitp)
globexp2(const Char *ptr, const Char *pattern, glob_t * restrict pglob,
struct glob_lim * restrict limitp)
{
int i, rv;
size_t i;
int rv;
Char *lm, *ls;
const Char *pe, *pm, *pl;
Char patbuf[PATH_MAX];
@ -346,7 +347,7 @@ globexp2(const Char *ptr, const Char *pattern, glob_t *pglob,
* expand tilde from the passwd file.
*/
static const Char *
globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
globtilde(const Char * restrict pattern, Char * restrict patbuf, size_t patbuf_len, glob_t * restrict pglob)
{
struct passwd *pwd;
char *h;
@ -413,7 +414,7 @@ g_strncmp(const Char *s1, const char *s2, size_t n)
}
static int
g_charclass(const Char **patternp, Char **bufnextp)
g_charclass(const Char ** restrict patternp, Char ** restrict bufnextp)
{
const Char *pattern = *patternp + 1;
Char *bufnext = *bufnextp;
@ -447,7 +448,7 @@ g_charclass(const Char **patternp, Char **bufnextp)
* to find no matches.
*/
static int
glob0(const Char *pattern, glob_t *pglob, struct glob_lim *limitp)
glob0(const Char * restrict pattern, glob_t * restrict pglob, struct glob_lim * restrict limitp)
{
const Char *qpatnext;
int c, err;
@ -551,7 +552,7 @@ compare(const void *p, const void *q)
}
static int
glob1(Char *pattern, Char *pattern_last, glob_t *pglob, struct glob_lim *limitp)
glob1(Char *pattern, Char *pattern_last, glob_t * restrict pglob, struct glob_lim * restrict limitp)
{
Char pathbuf[PATH_MAX];
@ -570,7 +571,7 @@ glob1(Char *pattern, Char *pattern_last, glob_t *pglob, struct glob_lim *limitp)
*/
static int
glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
Char *pattern, Char *pattern_last, glob_t *pglob, struct glob_lim *limitp)
Char *pattern, Char *pattern_last, glob_t * restrict pglob, struct glob_lim * restrict limitp)
{
struct stat sb;
Char *p, *q;
@ -638,8 +639,8 @@ glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
static int
glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
Char *pattern, Char *restpattern, Char *restpattern_last, glob_t *pglob,
struct glob_lim *limitp)
Char *pattern, Char *restpattern, Char *restpattern_last, glob_t * restrict pglob,
struct glob_lim * restrict limitp)
{
struct dirent *dp;
DIR *dirp;
@ -721,8 +722,8 @@ glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
globextend(const Char *path, glob_t *pglob, struct glob_lim *limitp,
struct stat *sb)
globextend(const Char * restrict path, glob_t * restrict pglob, struct glob_lim * restrict limitp,
struct stat * restrict sb)
{
char **pathv;
size_t i, newn, len;
@ -892,7 +893,7 @@ g_opendir(Char *str, glob_t *pglob)
}
static int
g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
g_lstat(Char * restrict fn, struct stat * restrict sb, glob_t * restrict pglob)
{
char buf[PATH_MAX];
@ -902,7 +903,7 @@ g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
}
static int
g_stat(Char *fn, struct stat *sb, glob_t *pglob)
g_stat(Char * restrict fn, struct stat * restrict sb, glob_t * restrict pglob)
{
char buf[PATH_MAX];
@ -922,7 +923,7 @@ g_strchr(const Char *str, int ch)
}
static int
g_Ctoc(const Char *str, char *buf, size_t len)
g_Ctoc(const Char * restrict str, char * restrict buf, size_t len)
{
while (len--) {
@ -934,20 +935,20 @@ g_Ctoc(const Char *str, char *buf, size_t len)
#ifdef DEBUG
static void
qprintf(const char *str, Char *s)
qprintf(const char * restrict str, Char * restrict s)
{
Char *p;
(void)printf("%s:\n", str);
for (p = s; *p; p++)
(void)fputc(CHAR(*p), stdout);
(void)fputc('\n', stdout);
(void)putchar(CHAR(*p));
(void)putchar('\n');
for (p = s; *p; p++)
(void)fputc(*p & M_PROTECT ? '"' : ' ', stdout);
(void)fputc('\n', stdout);
(void)putchar(*p & M_PROTECT ? '"' : ' ');
(void)putchar('\n');
for (p = s; *p; p++)
(void)fputc(ismeta(*p) ? '_' : ' ', stdout);
(void)fputc('\n', stdout);
(void)putchar(ismeta(*p) ? '_' : ' ');
(void)putchar('\n');
}
#endif /* DEBUG */
#endif /* HAVE_GLOB */

2
lib/util/gmtime_r.c
View File

@ -36,7 +36,7 @@
* Still has the normal gmtime() side effects.
*/
struct tm *
sudo_gmtime_r(const time_t *timer, struct tm *result)
sudo_gmtime_r(const time_t * restrict timer, struct tm * restrict result)
{
struct tm *tm;

2
lib/util/hexchar.c
View File

@ -32,7 +32,7 @@
* Returns a value 0-255 on success or -1 for invalid input.
*/
int
sudo_hexchar_v1(const char *s)
sudo_hexchar_v1(const char s[restrict static 2])
{
unsigned char result[2];
unsigned int i;

6
lib/util/inet_pton.c
View File

@ -89,7 +89,7 @@ inet_pton4(const char *src, u_char *dst)
const char *pch;
if ((pch = strchr(digits, ch)) != NULL) {
u_int new = *tp * 10 + (pch - digits);
unsigned int new = *tp * 10 + (pch - digits);
if (new > 255)
return (0);
@ -135,7 +135,7 @@ inet_pton6(const char *src, u_char *dst)
u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
const char *xdigits, *curtok;
int ch, saw_xdigit, count_xdigit;
u_int val;
unsigned int val;
/* cppcheck-suppress uninitvar */
memset((tp = tmp), 0, NS_IN6ADDRSZ);
@ -233,7 +233,7 @@ inet_pton6(const char *src, u_char *dst)
* Paul Vixie, 1996.
*/
int
sudo_inet_pton(int af, const char *src, void *dst)
sudo_inet_pton(int af, const char * restrict src, void * restrict dst)
{
switch (af) {
case AF_INET:

2
lib/util/json.c
View File

@ -265,6 +265,7 @@ sudo_json_close_object_v1(struct json_container *jsonc)
}
if (!json_append_buf(jsonc, "}"))
debug_return_bool(false);
jsonc->need_comma = true;
debug_return_bool(true);
}
@ -309,6 +310,7 @@ sudo_json_close_array_v1(struct json_container *jsonc)
}
if (!json_append_buf(jsonc, "]"))
debug_return_bool(false);
jsonc->need_comma = true;
debug_return_bool(true);
}

6
lib/util/lbuf.c
View File

@ -415,8 +415,8 @@ sudo_lbuf_println(struct sudo_lbuf *lbuf, char *line, size_t len)
cp = ep;
/*
* If there is more to print, reset have, incremement cp past
* the whitespace, and print a line continuaton char if needed.
* If there is more to print, reset have, increment cp past
* the whitespace, and print a line continuation char if needed.
*/
if (cp != NULL) {
have = lbuf->cols - indent;
@ -474,7 +474,7 @@ sudo_lbuf_print_v1(struct sudo_lbuf *lbuf)
}
done:
lbuf->len = 0; /* reset the buffer for re-use. */
lbuf->len = 0; /* reset the buffer for reuse. */
lbuf->error = 0;
debug_return;

2
lib/util/localtime_r.c
View File

@ -36,7 +36,7 @@
* Still has the normal localtime() side effects.
*/
struct tm *
sudo_localtime_r(const time_t *timer, struct tm *result)
sudo_localtime_r(const time_t * restrict timer, struct tm * restrict result)
{
struct tm *tm;

4
lib/util/multiarch.c
View File

@ -44,7 +44,7 @@
* Returns a dynamically allocated string on success and NULL on failure.
*/
char *
sudo_stat_multiarch_v1(const char *path, struct stat *sb)
sudo_stat_multiarch_v1(const char * restrict path, struct stat * restrict sb)
{
# if defined(__ILP32__)
const char *libdirs[] = { "/libx32/", "/lib/", "/libexec/", NULL };
@ -96,7 +96,7 @@ sudo_stat_multiarch_v1(const char *path, struct stat *sb)
}
#else
char *
sudo_stat_multiarch_v1(const char *path, struct stat *sb)
sudo_stat_multiarch_v1(const char * restrict path, struct stat * restrict sb)
{
return NULL;
}

2
lib/util/regress/mktemp/mktemp_test.c
View File

@ -151,6 +151,8 @@ main(int argc, char *argv[])
argv += optind;
pg = (size_t)sysconf(_SC_PAGESIZE);
if (pg == (size_t)-1)
sudo_fatal("sysconf(_SC_PAGESIZE)");
if (getcwd(cwd, sizeof cwd - 1) == NULL)
sudo_fatal("getcwd");
clen = strlen(cwd);

2
lib/util/snprintf.c
View File

@ -412,7 +412,7 @@ xxxprintf(char ** restrict strp, size_t strsize, int alloc, const char * restric
/*
* Get the argument indexed by nextarg. If the argument table is
* built, use it to get the argument. If its not, get the next
* built, use it to get the argument. If it's not, get the next
* argument (and arguments must be gotten sequentially).
*/
#define GETARG(type) \

2
lib/util/sudo_dso.c
View File

@ -124,7 +124,7 @@ sudo_dso_findsym_v1(void *vhandle, const char *symbol)
}
/*
* Note that the behavior of of SUDO_DSO_NEXT and SUDO_DSO_SELF
* Note that the behavior of SUDO_DSO_NEXT and SUDO_DSO_SELF
* differs from most implementations when called from
* a shared library.
*/

2
lib/util/ttyname_dev.c
View File

@ -29,8 +29,6 @@
# include <sys/mkdev.h>
#elif defined(MAJOR_IN_SYSMACROS)
# include <sys/sysmacros.h>
#else
# include <sys/param.h>
#endif
#include <stdio.h>
#include <stdlib.h>

10
lib/util/utimens.c
View File

@ -106,7 +106,7 @@ utimens_ts_to_tv(int fd, const char *file, const struct timespec *ts,
* Emulate futimens() via futimes()
*/
int
sudo_futimens(int fd, const struct timespec *ts)
sudo_futimens(int fd, const struct timespec ts[2])
{
struct timeval tv[2], *times = NULL;
@ -122,7 +122,7 @@ sudo_futimens(int fd, const struct timespec *ts)
* Emulate futimens() via futime()
*/
int
sudo_futimens(int fd, const struct timespec *ts)
sudo_futimens(int fd, const struct timespec ts[2])
{
struct utimbuf utb, *times = NULL;
@ -142,7 +142,7 @@ sudo_futimens(int fd, const struct timespec *ts)
* Nothing to do but fail.
*/
int
sudo_futimens(int fd, const struct timespec *ts)
sudo_futimens(int fd, const struct timespec ts[2])
{
errno = ENOSYS;
return -1;
@ -154,7 +154,7 @@ sudo_futimens(int fd, const struct timespec *ts)
* Emulate utimensat() via utimes()
*/
int
sudo_utimensat(int fd, const char *file, const struct timespec *ts, int flag)
sudo_utimensat(int fd, const char *file, const struct timespec ts[2], int flag)
{
struct timeval tv[2], *times = NULL;
@ -175,7 +175,7 @@ sudo_utimensat(int fd, const char *file, const struct timespec *ts, int flag)
* Emulate utimensat() via utime()
*/
int
sudo_utimensat(int fd, const char *file, const struct timespec *ts, int flag)
sudo_utimensat(int fd, const char *file, const struct timespec ts[2], int flag)
{
struct utimbuf utb, *times = NULL;

4
lib/util/uuid.c
View File

@ -50,7 +50,7 @@ struct uuid {
* As per RFC 4122 section 4.4.
*/
void
sudo_uuid_create_v1(unsigned char uuid_out[16])
sudo_uuid_create_v1(unsigned char uuid_out[restrict static 16])
{
struct uuid uuid;
@ -71,7 +71,7 @@ sudo_uuid_create_v1(unsigned char uuid_out[16])
* Format a uuid as a 36-byte string (plus one for the NUL).
*/
char *
sudo_uuid_to_string_v1(unsigned char uuid[16], char *dst, size_t dstsiz)
sudo_uuid_to_string_v1(const unsigned char uuid[restrict static 16], char * restrict dst, size_t dstsiz)
{
const char hex[] = "0123456789abcdef";
char *cp = dst;

47
lib/zlib/deflate.c
View File

@ -1,5 +1,5 @@
/* deflate.c -- compress data using the deflation algorithm
* Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler
* Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -52,7 +52,7 @@
#include "deflate.h"
const char deflate_copyright[] =
" deflate 1.3 Copyright 1995-2023 Jean-loup Gailly and Mark Adler ";
" deflate 1.3.1 Copyright 1995-2024 Jean-loup Gailly and Mark Adler ";
/*
If you use the zlib library in a product, an acknowledgment is welcome
in the documentation of your product. If for some reason you cannot
@ -493,7 +493,7 @@ int ZEXPORT deflateInit2_(z_streamp strm, int level, int method,
* symbols from which it is being constructed.
*/
s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, LIT_BUFS);
s->pending_buf_size = (ulg)s->lit_bufsize * 4;
if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
@ -503,8 +503,14 @@ int ZEXPORT deflateInit2_(z_streamp strm, int level, int method,
deflateEnd (strm);
return Z_MEM_ERROR;
}
#ifdef LIT_MEM
s->d_buf = (ushf *)(s->pending_buf + (s->lit_bufsize << 1));
s->l_buf = s->pending_buf + (s->lit_bufsize << 2);
s->sym_end = s->lit_bufsize - 1;
#else
s->sym_buf = s->pending_buf + s->lit_bufsize;
s->sym_end = (s->lit_bufsize - 1) * 3;
#endif
/* We avoid equality with lit_bufsize*3 because of wraparound at 64K
* on 16 bit machines and because stored blocks are restricted to
* 64K-1 bytes.
@ -720,9 +726,15 @@ int ZEXPORT deflatePrime(z_streamp strm, int bits, int value) {
if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
s = strm->state;
#ifdef LIT_MEM
if (bits < 0 || bits > 16 ||
(uchf *)s->d_buf < s->pending_out + ((Buf_size + 7) >> 3))
return Z_BUF_ERROR;
#else
if (bits < 0 || bits > 16 ||
s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
return Z_BUF_ERROR;
#endif
do {
put = Buf_size - s->bi_valid;
if (put > bits)
@ -1294,7 +1306,7 @@ int ZEXPORT deflateCopy(z_streamp dest, z_streamp source) {
ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));
ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));
ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, LIT_BUFS);
if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
ds->pending_buf == Z_NULL) {
@ -1305,10 +1317,15 @@ int ZEXPORT deflateCopy(z_streamp dest, z_streamp source) {
zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
zmemcpy((voidpf)ds->prev, (voidpf)ss->prev, ds->w_size * sizeof(Pos));
zmemcpy((voidpf)ds->head, (voidpf)ss->head, ds->hash_size * sizeof(Pos));
zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
zmemcpy(ds->pending_buf, ss->pending_buf, ds->lit_bufsize * LIT_BUFS);
ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
#ifdef LIT_MEM
ds->d_buf = (ushf *)(ds->pending_buf + (ds->lit_bufsize << 1));
ds->l_buf = ds->pending_buf + (ds->lit_bufsize << 2);
#else
ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
#endif
ds->l_desc.dyn_tree = ds->dyn_ltree;
ds->d_desc.dyn_tree = ds->dyn_dtree;
@ -1539,13 +1556,21 @@ local uInt longest_match(deflate_state *s, IPos cur_match) {
*/
local void check_match(deflate_state *s, IPos start, IPos match, int length) {
/* check that the match is indeed a match */
if (zmemcmp(s->window + match,
s->window + start, length) != EQUAL) {
fprintf(stderr, " start %u, match %u, length %d\n",
start, match, length);
Bytef *back = s->window + (int)match, *here = s->window + start;
IPos len = length;
if (match == (IPos)-1) {
/* match starts one byte before the current window -- just compare the
subsequent length-1 bytes */
back++;
here++;
len--;
}
if (zmemcmp(back, here, len) != EQUAL) {
fprintf(stderr, " start %u, match %d, length %d\n",
start, (int)match, length);
do {
fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
} while (--length != 0);
fprintf(stderr, "(%02x %02x)", *back++, *here++);
} while (--len != 0);
z_error("invalid match");
}
if (z_verbose > 1) {

35
lib/zlib/deflate.h
View File

@ -1,5 +1,5 @@
/* deflate.h -- internal compression state
* Copyright (C) 1995-2018 Jean-loup Gailly
* Copyright (C) 1995-2024 Jean-loup Gailly
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -23,6 +23,10 @@
# define GZIP
#endif
/* define LIT_MEM to slightly increase the speed of deflate (order 1% to 2%) at
the cost of a larger memory footprint */
/* #define LIT_MEM */
/* ===========================================================================
* Internal compression state.
*/
@ -217,7 +221,14 @@ typedef struct internal_state {
/* Depth of each subtree used as tie breaker for trees of equal frequency
*/
#ifdef LIT_MEM
# define LIT_BUFS 5
ushf *d_buf; /* buffer for distances */
uchf *l_buf; /* buffer for literals/lengths */
#else
# define LIT_BUFS 4
uchf *sym_buf; /* buffer for distances and literals/lengths */
#endif
uInt lit_bufsize;
/* Size of match buffer for literals/lengths. There are 4 reasons for
@ -239,7 +250,7 @@ typedef struct internal_state {
* - I can't count above 4
*/
uInt sym_next; /* running index in sym_buf */
uInt sym_next; /* running index in symbol buffer */
uInt sym_end; /* symbol table full when sym_next reaches this */
ulg opt_len; /* bit length of current block with optimal trees */
@ -318,6 +329,25 @@ void ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,
extern const uch ZLIB_INTERNAL _dist_code[];
#endif
#ifdef LIT_MEM
# define _tr_tally_lit(s, c, flush) \
{ uch cc = (c); \
s->d_buf[s->sym_next] = 0; \
s->l_buf[s->sym_next++] = cc; \
s->dyn_ltree[cc].Freq++; \
flush = (s->sym_next == s->sym_end); \
}
# define _tr_tally_dist(s, distance, length, flush) \
{ uch len = (uch)(length); \
ush dist = (ush)(distance); \
s->d_buf[s->sym_next] = dist; \
s->l_buf[s->sym_next++] = len; \
dist--; \
s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
s->dyn_dtree[d_code(dist)].Freq++; \
flush = (s->sym_next == s->sym_end); \
}
#else
# define _tr_tally_lit(s, c, flush) \
{ uch cc = (c); \
s->sym_buf[s->sym_next++] = 0; \
@ -337,6 +367,7 @@ void ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,
s->dyn_dtree[d_code(dist)].Freq++; \
flush = (s->sym_next == s->sym_end); \
}
#endif
#else
# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
# define _tr_tally_dist(s, distance, length, flush) \

8
lib/zlib/gzguts.h
View File

@ -1,5 +1,5 @@
/* gzguts.h -- zlib internal header definitions for gz* operations
* Copyright (C) 2004-2019 Mark Adler
* Copyright (C) 2004-2024 Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -210,9 +210,5 @@ char ZLIB_INTERNAL *gz_strwinerror(DWORD error);
/* GT_OFF(x), where x is an unsigned value, is true if x > maximum z_off64_t
value -- needed when comparing unsigned to z_off64_t, which is signed
(possible z_off64_t types off_t, off64_t, and long are all signed) */
#ifdef INT_MAX
# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > INT_MAX)
#else
unsigned ZLIB_INTERNAL gz_intmax(void);
# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax())
#endif
#define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax())

12
lib/zlib/gzlib.c
View File

@ -1,5 +1,5 @@
/* gzlib.c -- zlib functions common to reading and writing gzip files
* Copyright (C) 2004-2019 Mark Adler
* Copyright (C) 2004-2024 Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -563,20 +563,20 @@ void ZLIB_INTERNAL gz_error(gz_statep state, int err, const char *msg) {
#endif
}
#ifndef INT_MAX
/* portably return maximum value for an int (when limits.h presumed not
available) -- we need to do this to cover cases where 2's complement not
used, since C standard permits 1's complement and sign-bit representations,
otherwise we could just use ((unsigned)-1) >> 1 */
unsigned ZLIB_INTERNAL gz_intmax(void) {
unsigned p, q;
p = 1;
#ifdef INT_MAX
return INT_MAX;
#else
unsigned p = 1, q;
do {
q = p;
p <<= 1;
p++;
} while (p > q);
return q >> 1;
}
#endif
}

2
lib/zlib/inflate.c
View File

@ -1386,7 +1386,7 @@ int ZEXPORT inflateSync(z_streamp strm) {
/* if first time, start search in bit buffer */
if (state->mode != SYNC) {
state->mode = SYNC;
state->hold <<= state->bits & 7;
state->hold >>= state->bits & 7;
state->bits -= state->bits & 7;
len = 0;
while (state->bits >= 8) {

6
lib/zlib/inftrees.c
View File

@ -1,5 +1,5 @@
/* inftrees.c -- generate Huffman trees for efficient decoding
* Copyright (C) 1995-2023 Mark Adler
* Copyright (C) 1995-2024 Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -9,7 +9,7 @@
#define MAXBITS 15
const char inflate_copyright[] =
" inflate 1.3 Copyright 1995-2023 Mark Adler ";
" inflate 1.3.1 Copyright 1995-2024 Mark Adler ";
/*
If you use the zlib library in a product, an acknowledgment is welcome
in the documentation of your product. If for some reason you cannot
@ -57,7 +57,7 @@ int ZLIB_INTERNAL inflate_table(codetype type, unsigned short FAR *lens,
35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
static const unsigned short lext[31] = { /* Length codes 257..285 extra */
16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 198, 203};
19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 203, 77};
static const unsigned short dbase[32] = { /* Distance codes 0..29 base */
1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,

4
lib/zlib/inftrees.h
View File

@ -41,8 +41,8 @@ typedef struct {
examples/enough.c found in the zlib distribution. The arguments to that
program are the number of symbols, the initial root table size, and the
maximum bit length of a code. "enough 286 9 15" for literal/length codes
returns returns 852, and "enough 30 6 15" for distance codes returns 592.
The initial root table size (9 or 6) is found in the fifth argument of the
returns 852, and "enough 30 6 15" for distance codes returns 592. The
initial root table size (9 or 6) is found in the fifth argument of the
inflate_table() calls in inflate.c and infback.c. If the root table size is
changed, then these maximum sizes would be need to be recalculated and
updated. */

20
lib/zlib/trees.c
View File

@ -1,5 +1,5 @@
/* trees.c -- output deflated data using Huffman coding
* Copyright (C) 1995-2021 Jean-loup Gailly
* Copyright (C) 1995-2024 Jean-loup Gailly
* detect_data_type() function provided freely by Cosmin Truta, 2006
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -899,14 +899,19 @@ local void compress_block(deflate_state *s, const ct_data *ltree,
const ct_data *dtree) {
unsigned dist; /* distance of matched string */
int lc; /* match length or unmatched char (if dist == 0) */
unsigned sx = 0; /* running index in sym_buf */
unsigned sx = 0; /* running index in symbol buffers */
unsigned code; /* the code to send */
int extra; /* number of extra bits to send */
if (s->sym_next != 0) do {
#ifdef LIT_MEM
dist = s->d_buf[sx];
lc = s->l_buf[sx++];
#else
dist = s->sym_buf[sx++] & 0xff;
dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
lc = s->sym_buf[sx++];
#endif
if (dist == 0) {
send_code(s, lc, ltree); /* send a literal byte */
Tracecv(isgraph(lc), (stderr," '%c' ", lc));
@ -931,8 +936,12 @@ local void compress_block(deflate_state *s, const ct_data *ltree,
}
} /* literal or match pair ? */
/* Check that the overlay between pending_buf and sym_buf is ok: */
/* Check for no overlay of pending_buf on needed symbols */
#ifdef LIT_MEM
Assert(s->pending < 2 * (s->lit_bufsize + sx), "pendingBuf overflow");
#else
Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
#endif
} while (sx < s->sym_next);
@ -1082,9 +1091,14 @@ void ZLIB_INTERNAL _tr_flush_block(deflate_state *s, charf *buf,
* the current block must be flushed.
*/
int ZLIB_INTERNAL _tr_tally(deflate_state *s, unsigned dist, unsigned lc) {
#ifdef LIT_MEM
s->d_buf[s->sym_next] = (ush)dist;
s->l_buf[s->sym_next++] = (uch)lc;
#else
s->sym_buf[s->sym_next++] = (uch)dist;
s->sym_buf[s->sym_next++] = (uch)(dist >> 8);
s->sym_buf[s->sym_next++] = (uch)lc;
#endif
if (dist == 0) {
/* lc is the unmatched char */
s->dyn_ltree[lc].Freq++;

10
lib/zlib/zconf.h.in
View File

@ -1,5 +1,5 @@
/* zconf.h -- configuration of the zlib compression library
* Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler
* Copyright (C) 1995-2024 Jean-loup Gailly, Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -329,14 +329,6 @@
# endif
#endif
#ifndef Z_ARG /* function prototypes for stdarg */
# if defined(STDC) || defined(Z_HAVE_STDARG_H)
# define Z_ARG(args) args
# else
# define Z_ARG(args) ()
# endif
#endif
/* The following definitions for FAR are needed only for MSDOS mixed
* model programming (small or medium model with some far allocations).
* This was tested only with MSC; for other MSDOS compilers you may have

22
lib/zlib/zlib.h
View File

@ -1,7 +1,7 @@
/* zlib.h -- interface of the 'zlib' general purpose compression library
version 1.3, August 18th, 2023
version 1.3.1, January 22nd, 2024
Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler
Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
@ -37,11 +37,11 @@
extern "C" {
#endif
#define ZLIB_VERSION "1.3"
#define ZLIB_VERNUM 0x1300
#define ZLIB_VERSION "1.3.1"
#define ZLIB_VERNUM 0x1310
#define ZLIB_VER_MAJOR 1
#define ZLIB_VER_MINOR 3
#define ZLIB_VER_REVISION 0
#define ZLIB_VER_REVISION 1
#define ZLIB_VER_SUBREVISION 0
/*
@ -936,10 +936,10 @@ ZEXTERN int ZEXPORT inflateSync(z_streamp strm);
inflateSync returns Z_OK if a possible full flush point has been found,
Z_BUF_ERROR if no more input was provided, Z_DATA_ERROR if no flush point
has been found, or Z_STREAM_ERROR if the stream structure was inconsistent.
In the success case, the application may save the current current value of
total_in which indicates where valid compressed data was found. In the
error case, the application may repeatedly call inflateSync, providing more
input each time, until success or end of the input data.
In the success case, the application may save the current value of total_in
which indicates where valid compressed data was found. In the error case,
the application may repeatedly call inflateSync, providing more input each
time, until success or end of the input data.
*/
ZEXTERN int ZEXPORT inflateCopy(z_streamp dest,
@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
len2.
len2. len2 must be non-negative.
*/
/*
ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
Return the operator corresponding to length len2, to be used with
crc32_combine_op().
crc32_combine_op(). len2 must be non-negative.
*/
ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);

27
lib/zlib/zutil.h
View File

@ -1,5 +1,5 @@
/* zutil.h -- internal interface and configuration of the compression library
* Copyright (C) 1995-2022 Jean-loup Gailly, Mark Adler
* Copyright (C) 1995-2024 Jean-loup Gailly, Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/
@ -56,7 +56,7 @@ typedef unsigned long ulg;
extern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
/* (size given to avoid silly warnings with Visual C++) */
#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]
#define ERR_MSG(err) z_errmsg[(err) < -6 || (err) > 2 ? 9 : 2 - (err)]
#define ERR_RETURN(strm,err) \
return (strm->msg = ERR_MSG(err), (err))
@ -137,17 +137,8 @@ extern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
# endif
#endif
#if defined(MACOS) || defined(TARGET_OS_MAC)
#if defined(MACOS)
# define OS_CODE 7
# ifndef Z_SOLO
# if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
# include <unix.h> /* for fdopen */
# else
# ifndef fdopen
# define fdopen(fd,mode) NULL /* No fdopen() */
# endif
# endif
# endif
#endif
#ifdef __acorn
@ -170,18 +161,6 @@ extern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
# define OS_CODE 19
#endif
#if defined(_BEOS_) || defined(RISCOS)
# define fdopen(fd,mode) NULL /* No fdopen() */
#endif
#if (defined(_MSC_VER) && (_MSC_VER > 600)) && !defined __INTERIX
# if defined(_WIN32_WCE)
# define fdopen(fd,mode) NULL /* No fdopen() */
# else
# define fdopen(fd,type) _fdopen(fd,type)
# endif
#endif
#if defined(__BORLANDC__) && !defined(MSDOS)
#pragma warn -8004
#pragma warn -8008

57
logsrvd/Makefile.in
View File

@ -1,7 +1,7 @@
#
# SPDX-License-Identifier: ISC
#
# Copyright (c) 2019-2023 Todd C. Miller <Todd.Miller@sudo.ws>
# Copyright (c) 2019-2024 Todd C. Miller <Todd.Miller@sudo.ws>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@ -34,6 +34,7 @@ cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
CPP = @CPP@
LIBTOOL = @LIBTOOL@
SHA1SUM = @SHA1SUM@
EGREP = @EGREP@
@ -169,7 +170,7 @@ Makefile: $(srcdir)/Makefile.in
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $<
.c.i:
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $< > $@
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
@ -333,9 +334,9 @@ fuzz_logsrvd_conf.i: $(srcdir)/regress/fuzz/fuzz_logsrvd_conf.c \
$(incdir)/sudo_util.h $(srcdir)/logsrv_util.h \
$(srcdir)/logsrvd.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_logsrvd_conf.c > $@
fuzz_logsrvd_conf.plog: fuzz_logsrvd_conf.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_logsrvd_conf.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_logsrvd_conf.c --i-file fuzz_logsrvd_conf.i --output-file $@
iolog_writer.o: $(srcdir)/iolog_writer.c $(incdir)/compat/stdbool.h \
$(incdir)/log_server.pb-c.h $(incdir)/protobuf-c/protobuf-c.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
@ -355,9 +356,9 @@ iolog_writer.i: $(srcdir)/iolog_writer.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/logsrvd.h \
$(srcdir)/tls_common.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/iolog_writer.c > $@
iolog_writer.plog: iolog_writer.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_writer.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/iolog_writer.c --i-file iolog_writer.i --output-file $@
logsrv_util.o: $(srcdir)/logsrv_util.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
@ -371,9 +372,9 @@ logsrv_util.i: $(srcdir)/logsrv_util.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrv_util.c > $@
logsrv_util.plog: logsrv_util.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrv_util.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrv_util.c --i-file logsrv_util.i --output-file $@
logsrvd.o: $(srcdir)/logsrvd.c $(incdir)/compat/getopt.h \
$(incdir)/compat/stdbool.h $(incdir)/hostcheck.h \
$(incdir)/log_server.pb-c.h $(incdir)/protobuf-c/protobuf-c.h \
@ -399,9 +400,9 @@ logsrvd.i: $(srcdir)/logsrvd.c $(incdir)/compat/getopt.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/logsrvd.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd.c > $@
logsrvd.plog: logsrvd.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd.c --i-file logsrvd.i --output-file $@
logsrvd_conf.o: $(srcdir)/logsrvd_conf.c $(incdir)/compat/getaddrinfo.h \
$(incdir)/compat/stdbool.h $(incdir)/log_server.pb-c.h \
$(incdir)/protobuf-c/protobuf-c.h $(incdir)/sudo_compat.h \
@ -423,9 +424,9 @@ logsrvd_conf.i: $(srcdir)/logsrvd_conf.c $(incdir)/compat/getaddrinfo.h \
$(incdir)/sudo_util.h $(srcdir)/logsrv_util.h \
$(srcdir)/logsrvd.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd_conf.c > $@
logsrvd_conf.plog: logsrvd_conf.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_conf.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_conf.c --i-file logsrvd_conf.i --output-file $@
logsrvd_conf_test.o: $(srcdir)/regress/logsrvd_conf/logsrvd_conf_test.c \
$(incdir)/compat/stdbool.h $(incdir)/log_server.pb-c.h \
$(incdir)/protobuf-c/protobuf-c.h $(incdir)/sudo_compat.h \
@ -441,9 +442,9 @@ logsrvd_conf_test.i: $(srcdir)/regress/logsrvd_conf/logsrvd_conf_test.c \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/logsrvd.h \
$(srcdir)/tls_common.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/regress/logsrvd_conf/logsrvd_conf_test.c > $@
logsrvd_conf_test.plog: logsrvd_conf_test.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/logsrvd_conf/logsrvd_conf_test.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/logsrvd_conf/logsrvd_conf_test.c --i-file logsrvd_conf_test.i --output-file $@
logsrvd_journal.o: $(srcdir)/logsrvd_journal.c $(incdir)/compat/stdbool.h \
$(incdir)/log_server.pb-c.h \
$(incdir)/protobuf-c/protobuf-c.h $(incdir)/sudo_compat.h \
@ -467,9 +468,9 @@ logsrvd_journal.i: $(srcdir)/logsrvd_journal.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_util.h $(srcdir)/logsrv_util.h \
$(srcdir)/logsrvd.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd_journal.c > $@
logsrvd_journal.plog: logsrvd_journal.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_journal.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_journal.c --i-file logsrvd_journal.i --output-file $@
logsrvd_local.o: $(srcdir)/logsrvd_local.c $(incdir)/compat/stdbool.h \
$(incdir)/log_server.pb-c.h $(incdir)/protobuf-c/protobuf-c.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
@ -493,9 +494,9 @@ logsrvd_local.i: $(srcdir)/logsrvd_local.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/logsrvd.h \
$(srcdir)/tls_common.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd_local.c > $@
logsrvd_local.plog: logsrvd_local.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_local.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_local.c --i-file logsrvd_local.i --output-file $@
logsrvd_queue.o: $(srcdir)/logsrvd_queue.c $(incdir)/compat/stdbool.h \
$(incdir)/log_server.pb-c.h $(incdir)/protobuf-c/protobuf-c.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
@ -517,9 +518,9 @@ logsrvd_queue.i: $(srcdir)/logsrvd_queue.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/logsrvd.h \
$(srcdir)/tls_common.h $(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd_queue.c > $@
logsrvd_queue.plog: logsrvd_queue.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_queue.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_queue.c --i-file logsrvd_queue.i --output-file $@
logsrvd_relay.o: $(srcdir)/logsrvd_relay.c $(incdir)/compat/stdbool.h \
$(incdir)/log_server.pb-c.h $(incdir)/protobuf-c/protobuf-c.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_debug.h \
@ -541,9 +542,9 @@ logsrvd_relay.i: $(srcdir)/logsrvd_relay.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_util.h $(srcdir)/logsrv_util.h \
$(srcdir)/logsrvd.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/logsrvd_relay.c > $@
logsrvd_relay.plog: logsrvd_relay.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_relay.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/logsrvd_relay.c --i-file logsrvd_relay.i --output-file $@
sendlog.o: $(srcdir)/sendlog.c $(incdir)/compat/getaddrinfo.h \
$(incdir)/compat/getopt.h $(incdir)/compat/stdbool.h \
$(incdir)/hostcheck.h $(incdir)/log_server.pb-c.h \
@ -567,9 +568,9 @@ sendlog.i: $(srcdir)/sendlog.c $(incdir)/compat/getaddrinfo.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/sendlog.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/sendlog.c > $@
sendlog.plog: sendlog.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sendlog.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sendlog.c --i-file sendlog.i --output-file $@
tls_client.o: $(srcdir)/tls_client.c $(incdir)/compat/stdbool.h \
$(incdir)/hostcheck.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_event.h \
@ -587,9 +588,9 @@ tls_client.i: $(srcdir)/tls_client.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
$(srcdir)/logsrv_util.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/tls_client.c > $@
tls_client.plog: tls_client.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tls_client.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tls_client.c --i-file tls_client.i --output-file $@
tls_init.o: $(srcdir)/tls_init.c $(incdir)/compat/stdbool.h \
$(incdir)/hostcheck.h $(incdir)/sudo_compat.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_event.h \
@ -605,6 +606,6 @@ tls_init.i: $(srcdir)/tls_init.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
$(incdir)/sudo_ssl_compat.h $(srcdir)/tls_common.h \
$(top_builddir)/config.h
$(CC) -E -o $@ $(CPPFLAGS) $<
$(CPP) $(CPPFLAGS) $(srcdir)/tls_init.c > $@
tls_init.plog: tls_init.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tls_init.c --i-file $< --output-file $@
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tls_init.c --i-file tls_init.i --output-file $@

4
logsrvd/iolog_writer.c
View File

@ -150,8 +150,8 @@ evlog_new(TimeSpec *submit_time, InfoMessage **info_msgs, size_t infolen,
/* Submit time. */
if (submit_time != NULL) {
evlog->submit_time.tv_sec = (time_t)submit_time->tv_sec;
evlog->submit_time.tv_nsec = (long)submit_time->tv_nsec;
evlog->event_time.tv_sec = (time_t)submit_time->tv_sec;
evlog->event_time.tv_nsec = (long)submit_time->tv_nsec;
}
/* Default values */

11
logsrvd/logsrvd.c
View File

@ -1259,15 +1259,24 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
X509 *peer_cert;
debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL);
current_cert = X509_STORE_CTX_get_current_cert(ctx);
/* if pre-verification of the cert failed, just propagate that result back */
if (preverify_ok != 1) {
int err = X509_STORE_CTX_get_error(ctx);
char current_cert_name[256] = "";
if (current_cert != NULL)
X509_NAME_oneline(X509_get_subject_name(current_cert), current_cert_name, sizeof(current_cert_name));
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"TLS verification failed for cert '%s': '%d:%s'", current_cert_name,
err, X509_verify_cert_error_string(err));
debug_return_int(0);
}
/* since this callback is called for each cert in the chain,
* check that current cert is the peer's certificate
*/
current_cert = X509_STORE_CTX_get_current_cert(ctx);
peer_cert = X509_STORE_CTX_get0_cert(ctx);
if (current_cert != peer_cert) {

11
logsrvd/logsrvd_conf.c
View File

@ -901,8 +901,13 @@ cb_eventlog_format(struct logsrvd_config *config, const char *str, size_t offset
{
debug_decl(cb_eventlog_format, SUDO_DEBUG_UTIL);
/* FFR - make "json" an alias for EVLOG_JSON_COMPACT instead. */
if (strcmp(str, "json") == 0)
config->eventlog.log_format = EVLOG_JSON;
config->eventlog.log_format = EVLOG_JSON_PRETTY;
else if (strcmp(str, "json_compact") == 0)
config->eventlog.log_format = EVLOG_JSON_COMPACT;
else if (strcmp(str, "json_pretty") == 0)
config->eventlog.log_format = EVLOG_JSON_PRETTY;
else if (strcmp(str, "sudo") == 0)
config->eventlog.log_format = EVLOG_SUDO;
else
@ -1292,8 +1297,8 @@ logsrvd_open_eventlog(struct logsrvd_config *config)
int flags;
debug_decl(logsrvd_open_eventlog, SUDO_DEBUG_UTIL);
/* Cannot append to a JSON file. */
if (config->eventlog.log_format == EVLOG_JSON) {
/* Cannot append to a JSON file that is a single object. */
if (config->eventlog.log_format == EVLOG_JSON_PRETTY) {
flags = O_RDWR|O_CREAT;
} else {
flags = O_WRONLY|O_APPEND|O_CREAT;

Some files were not shown because too many files have changed in this diff Show More