diff --git a/INSTALL b/INSTALL index 69dc236df..a60bbd032 100644 --- a/INSTALL +++ b/INSTALL @@ -625,6 +625,10 @@ The following options are also configurable at runtime: Enable the creation of an Ubuntu-style admin flag file the first time sudo is run. + --disable-env-reset + Disable environment resetting. This sets the default value + of the "env_reset" Defaults option in sudoers to false. + Shadow password and C2 support ============================== diff --git a/NEWS b/NEWS index 0e1396946..079fd5ddd 100644 --- a/NEWS +++ b/NEWS @@ -75,6 +75,10 @@ What's new in Sudo 1.7.5? by the "sudoers_locale" setting ("C" by default). Email send by sudo now includes MIME headers when "sudoers_locale" is not "C". + * The configure script has a new option, --disable-env-reset, to + allow one to change the default for the sudoers Default setting + "env_reset" at compile time. + What's new in Sudo 1.7.4p6? * A bug has been fixed in the I/O logging support that could cause diff --git a/config.h.in b/config.h.in index a6b115615..e0b52fa35 100644 --- a/config.h.in +++ b/config.h.in @@ -27,6 +27,9 @@ variables. */ #undef ENV_EDITOR +/* Define to 1 to enable environment resetting by default. */ +#undef ENV_RESET + /* If defined, users in this group need not enter a passwd (ie "sudo"). */ #undef EXEMPTGROUP diff --git a/configure b/configure index 6ce85ae14..03837c8ea 100755 --- a/configure +++ b/configure @@ -795,6 +795,7 @@ root_sudo insults tty_tickets passwd_tries +env_reset env_editor runas_default fqdn @@ -995,6 +996,7 @@ enable_shell_sets_home enable_path_info enable_env_debug enable_zlib +enable_env_reset enable_warnings enable_admin_flag with_selinux 
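Review bot: The new comment above `#undef ENV_RESET` says "Define to 1 to enable environment resetting by default", but the configure and configure.in hunks in this commit always write `#define ENV_RESET TRUE` or `#define ENV_RESET FALSE`, and defaults.c assigns the macro directly, so the usual defined/undefined convention the comment implies does not apply here. A reader checking config.h for an undefined ENV_RESET would draw the wrong conclusion about the build. I would phrase it as `/* Defined to TRUE or FALSE by configure: the compiled-in default of the sudoers "env_reset" flag (--disable-env-reset selects FALSE). */`. Note that this makes the header depend on TRUE/FALSE being visible wherever ENV_RESET is evaluated; defaults.c uses TRUE on the adjacent lines so that is fine there, but a preprocessor `#if ENV_RESET` elsewhere would presumably need those macros defined first.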
@@ -1651,6 +1653,7 @@ Optional Features: --disable-path-info Print 'command not allowed' not 'command not found' --enable-env-debug Whether to enable environment debugging. --enable-zlib[=PATH] Whether to enable or disable zlib + --enable-env-reset Whether to enable environment resetting by default. --enable-warnings Whether to enable compiler warnings --enable-admin-flag Whether to create a Ubuntu-style admin flag file --enable-gss-krb5-ccache-name @@ -2970,6 +2973,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -2998,6 +3002,7 @@ badpass_message="Sorry, try again." fqdn=off runas_default=root env_editor=off +env_reset=on editor=vi passwd_tries=3 tty_tickets=on @@ -5562,6 +5567,35 @@ if test "${enable_zlib+set}" = set; then : fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable environment resetting by default" >&5 +$as_echo_n "checking whether to enable environment resetting by default... " >&6; } +# Check whether --enable-env_reset was given. +if test "${enable_env_reset+set}" = set; then : + enableval=$enable_env_reset; case "$enableval" in + yes) env_reset=on + ;; + no) env_reset=off + ;; + *) env_reset=on + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-env-reset: $enableval" >&5 +$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-env-reset: $enableval" >&2;} + ;; + esac + +fi + +if test "$env_reset" = "on"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + $as_echo "#define ENV_RESET TRUE" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + $as_echo "#define ENV_RESET FALSE" >>confdefs.h + +fi + # Check whether --enable-warnings was given. if test "${enable_warnings+set}" = set; then : enableval=$enable_warnings; case "$enableval" in 
@@ -6751,13 +6785,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6754: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6788: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6757: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6791: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6760: output\"" >&5) + (eval echo "\"\$as_me:6794: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7962,7 +7996,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7965 "configure"' > conftest.$ac_ext + echo '#line 7999 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9354,11 +9388,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9357: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9391: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9361: \$? = $ac_status" >&5 + echo "$as_me:9395: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9693,11 +9727,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9696: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9730: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9700: \$? = $ac_status" >&5 + echo "$as_me:9734: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9798,11 +9832,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9801: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9835: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9805: \$? = $ac_status" >&5 + echo "$as_me:9839: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9853,11 +9887,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9856: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9890: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9860: \$? = $ac_status" >&5 + echo "$as_me:9894: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12220,7 +12254,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12223 "configure" +#line 12257 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12316,7 +12350,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12319 "configure" +#line 12353 "configure" #include "confdefs.h" #if HAVE_DLFCN_H diff --git a/configure.in b/configure.in index 59c9bad07..b30b0eedd 100644 --- a/configure.in +++ b/configure.in @@ -88,6 +88,7 @@ AC_SUBST([badpass_message]) AC_SUBST([fqdn]) AC_SUBST([runas_default]) AC_SUBST([env_editor]) +AC_SUBST([env_reset]) AC_SUBST([passwd_tries]) AC_SUBST([tty_tickets]) AC_SUBST([insults]) @@ -125,6 +126,7 @@ badpass_message="Sorry, try again." fqdn=off runas_default=root env_editor=off +env_reset=on editor=vi passwd_tries=3 tty_tickets=on @@ -1267,6 +1269,27 @@ AC_ARG_ENABLE(zlib, [AS_HELP_STRING([--enable-zlib[[=PATH]]], [Whether to enable or disable zlib])], []) +AC_MSG_CHECKING(whether to enable environment resetting by default) +AC_ARG_ENABLE(env_reset, +[AS_HELP_STRING([--enable-env-reset], [Whether to enable environment resetting by default.])], +[ case "$enableval" in + yes) env_reset=on + ;; + no) env_reset=off + ;; + *) env_reset=on + AC_MSG_WARN([Ignoring unknown argument to --enable-env-reset: $enableval]) + ;; + esac +]) +if test "$env_reset" = "on"; then + AC_MSG_RESULT(yes) + AC_DEFINE(ENV_RESET, TRUE) +else + AC_MSG_RESULT(no) + AC_DEFINE(ENV_RESET, FALSE) +fi + AC_ARG_ENABLE(warnings, [AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])], [ case "$enableval" in diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index bc53531b1..e5f361116 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
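Review bot: In the `@@ -1267` hunk the help string advertises `--enable-env-reset` while the option is on by default and INSTALL documents it as `--disable-env-reset`, so `./configure --help` and INSTALL disagree about the spelling users should actually type. Since turning this off ships sudo with environment sanitizing disabled unless a sudoers `Defaults` line re-enables it (INSTALL states it sets the `env_reset` default to false), the help text is the place to say so; I would use `[AS_HELP_STRING([--disable-env-reset], [Do not reset the environment by default (weakens environment sanitizing; the sudoers "env_reset" Defaults can re-enable it)])],`. The `*)` branch that falls back to `on` with a warning mirrors the existing --enable-warnings handling, so no change there.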
@@ -875,7 +875,7 @@ and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of t \&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable. -This flag is \fIon\fR by default. +This flag is \fI@env_reset@\fR by default. .IP "fast_glob" 16 .IX Item "fast_glob" Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style diff --git a/doc/sudoers.pod b/doc/sudoers.pod index bed3e844b..540966c58 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -741,7 +741,7 @@ and C lists are then added. The default contents of the C and C lists are displayed when B is run by root with the I<-V> option. If the I option is set, its value will be used for the C environment variable. -This flag is I by default. +This flag is I<@env_reset@> by default. =item fast_glob diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index b83443207..1c19b3b98 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -446,7 +446,7 @@ init_defaults(void) def_iolog_file = estrdup("%{seq}"); def_iolog_dir = estrdup(_PATH_SUDO_IO_LOGDIR); def_sudoers_locale = estrdup("C"); - def_env_reset = TRUE; + def_env_reset = ENV_RESET; def_set_logname = TRUE; def_closefrom = STDERR_FILENO + 1;
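Review bot: `def_env_reset = ENV_RESET;` is the only assignment in init_defaults whose right-hand side comes from configure rather than a literal, and nothing at the call site says that the compiled-in value may now be FALSE, which matters because this is the flag that governs whether the invoking user's environment is scrubbed. A one-line comment would save the next maintainer a trip to config.h: `/* Compiled-in default; configure --disable-env-reset sets ENV_RESET to FALSE. */`. init_defaults begins and ends outside this hunk.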