From fce45b2767ca419a0e55849cf0cc54d64a6b77a6 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 8 Mar 2025 08:34:11 -0700 Subject: [PATCH] Make ignore_dot the default Add --disable-ignore-dot to disable it and deprecate --with-ignore-dot. --- INSTALL.md | 13 +++++++----- config.h.in | 6 +++--- configure | 41 +++++++++++++++++++++++--------------- configure.ac | 32 +++++++++++++++-------------- plugins/sudoers/defaults.c | 2 +- 5 files changed, 54 insertions(+), 40 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index a448b57ad..a9d6fc2ce 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -736,6 +736,14 @@ Defaults are listed in brackets after the description. of the "env_reset" Defaults option in sudoers to false. Sudoers option: !env_reset + --disable-ignore-dot + By default, sudo will not search for a command in the current + working directory, even if "." or "" in present in the PATH + environment variable. If this option is disabled, sudo + will check the current directory last if it appears anywhere + in PATH. The PATH variable itself is not modified. + Sudoers option: ignore_dot + --disable-path-info Normally, sudo will tell the user when a command could not be found in their $PATH. Some sites may wish to disable this as it could @@ -876,11 +884,6 @@ Defaults are listed in brackets after the description. You must either specify --with-insults or enable insults in the sudoers file for this to have any effect. - --with-ignore-dot - If set, sudo will ignore "." or "" (current dir) in $PATH. - The $PATH itself is not modified. - Sudoers option: ignore_dot - --with-insults Define this if you want to be insulted by default for typing an incorrect password just like the original sudo(8). diff --git a/config.h.in b/config.h.in index 4d31da2b5..d9677775c 100644 --- a/config.h.in +++ b/config.h.in 
@@ -6,6 +6,9 @@ /* Configure script arguments used to build sudo. */ #undef CONFIGURE_ARGS +/* Define to 1 if you want sudo to honor '.' and "" in the PATH. */ +#undef ALLOW_DOT_PATH + /* Define to 1 if you want the insults from the "classic" version sudo. */ #undef CLASSIC_INSULTS @@ -1138,9 +1141,6 @@ /* Define to 1 if you want the hostname to be entered into the log file. */ #undef HOST_IN_LOG -/* Define to 1 if you want to ignore '.' and empty PATH elements. */ -#undef IGNORE_DOT_PATH - /* The message given when a bad password is entered. */ #undef INCORRECT_PASSWORD diff --git a/configure b/configure index f617c3a7d..f0a9fd0cb 100755 --- a/configure +++ b/configure @@ -1025,6 +1025,7 @@ enable_noargs_shell enable_shell_sets_home enable_path_info enable_env_debug +enable_ignore_dot enable_postinstall enable_zlib enable_env_reset @@ -1737,6 +1738,7 @@ Optional Features: Set $HOME to target user in shell mode --disable-path-info Print 'command not allowed' not 'command not found' --enable-env-debug Whether to enable environment debugging. + --disable-ignore-dot allow '.' and "" in the PATH --enable-postinstall Script to run after the install phase --enable-zlib[=PATH] Whether to enable or disable zlib --enable-env-reset Whether to enable environment resetting by default. @@ -1843,7 +1845,7 @@ Optional Packages: --with-badpri syslog priority for failures (def is "alert") --with-logpath path to the sudo log file --with-loglen maximum length of a log file line (default is 80) - --with-ignore-dot ignore '.' in the PATH + --with-ignore-dot deprecated, use --disable-ignore-dot --without-mail-if-no-user do not send mail if user not in sudoers --with-mail-if-no-host send mail if user in sudoers but not for this host @@ -3715,7 +3717,7 @@ logfac=auth goodpri=notice badpri=alert loglen=80 -ignore_dot=off +ignore_dot=on mail_no_user=on mail_no_host=off mail_no_perms=off 
@@ -5310,9 +5312,7 @@ then : yes) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: adding CSOps standard options" >&5 printf "%s\n" "$as_me: adding CSOps standard options" >&6;} CHECKSIA=false - with_ignore_dot=yes insults=on - with_env_editor=yes : ${mansectsu='8'} : ${mansectform='5'} : ${mansectmisc='7'} @@ -5664,16 +5664,7 @@ printf "%s\n" "#define MAXLOGFILELEN $loglen" >>confdefs.h # Check whether --with-ignore-dot was given. if test ${with_ignore_dot+y} then : - withval=$with_ignore_dot; case $with_ignore_dot in - yes) ignore_dot=on - printf "%s\n" "#define IGNORE_DOT_PATH 1" >>confdefs.h - - ;; - no) ignore_dot=off - ;; - *) as_fn_error $? "--with-ignore-dot does not take an argument." "$LINENO" 5 - ;; -esac + withval=$with_ignore_dot; enable_ignore_dot="$with_ignore_dot" fi @@ -6635,6 +6626,24 @@ printf "%s\n" "$as_me: WARNING: ignoring unknown argument to --enable-env-debug: fi +# Check whether --enable-ignore-dot was given. +if test ${enable_ignore_dot+y} +then : + enableval=$enable_ignore_dot; case "$enableval" in + yes) ignore_dot=on + ;; + no) ignore_dot=off + printf "%s\n" "#define ALLOW_DOT_PATH 1" >>confdefs.h + + ;; + *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring unknown argument to --enable-ignore-dot: $enableval" >&5 +printf "%s\n" "$as_me: WARNING: ignoring unknown argument to --enable-ignore-dot: $enableval" >&2;} + ;; + esac + +fi + + # Check whether --enable-postinstall was given. if test ${enable_postinstall+y} then : 
@@ -6842,8 +6851,8 @@ then : no) printf "%s\n" "#define NO_LEAKS 1" >>confdefs.h ;; - *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring unknown argument to --disable-leaks: $enableval" >&5 -printf "%s\n" "$as_me: WARNING: ignoring unknown argument to --disable-leaks: $enableval" >&2;} + *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring unknown argument to --enable-leaks: $enableval" >&5 +printf "%s\n" "$as_me: WARNING: ignoring unknown argument to --enable-leaks: $enableval" >&2;} ;; esac diff --git a/configure.ac b/configure.ac index bb74ef27b..dee452439 100644 --- a/configure.ac +++ b/configure.ac @@ -205,7 +205,7 @@ logfac=auth goodpri=notice badpri=alert loglen=80 -ignore_dot=off +ignore_dot=on mail_no_user=on mail_no_host=off mail_no_perms=off @@ -444,9 +444,7 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--with-csops], [add CSOps standard options]) [case $with_csops in yes) AC_MSG_NOTICE([adding CSOps standard options]) CHECKSIA=false - with_ignore_dot=yes insults=on - with_env_editor=yes : ${mansectsu='8'} : ${mansectform='5'} : ${mansectmisc='7'} @@ -665,16 +663,7 @@ AC_ARG_WITH(loglen, [AS_HELP_STRING([--with-loglen], [maximum length of a log fi esac]) AC_DEFINE_UNQUOTED(MAXLOGFILELEN, $loglen, [The max number of chars per log file line (for line wrapping).]) -AC_ARG_WITH(ignore-dot, [AS_HELP_STRING([--with-ignore-dot], [ignore '.' in the PATH])], -[case $with_ignore_dot in - yes) ignore_dot=on - AC_DEFINE(IGNORE_DOT_PATH) - ;; - no) ignore_dot=off - ;; - *) AC_MSG_ERROR([--with-ignore-dot does not take an argument.]) - ;; -esac]) +AC_ARG_WITH(ignore-dot, [AS_HELP_STRING([--with-ignore-dot], [deprecated, use --disable-ignore-dot])], [enable_ignore_dot="$with_ignore_dot"]) AC_ARG_WITH(mail-if-no-user, [AS_HELP_STRING([--without-mail-if-no-user], [do not send mail if user not in sudoers])], [case $with_mail_if_no_user in 
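Review bot: In the `--with-csops` case of configure.ac (hunk at -444), `with_env_editor=yes` is dropped alongside `with_ignore_dot=yes`, but only the second removal follows from this commit's stated purpose. Nothing visible in the patch changes the env_editor default, so unless that option is already on by default elsewhere in configure.ac, CSOps builds would silently lose the setting. If the removal is intentional it deserves a line in the commit message or its own commit; otherwise keep `with_env_editor=yes`. The same removal is mirrored in the generated configure hunk at -5310.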
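Review bot: The deprecated `--with-ignore-dot` alias (configure.ac hunk at -665) is accepted without any notice and its value is copied unvalidated into `enable_ignore_dot`. A value such as `--with-ignore-dot=foo`, which used to stop configure with AC_MSG_ERROR, now only triggers the later warning from the AC_ARG_ENABLE hunk at -1279, and that warning names `--enable-ignore-dot`, an option the user never typed. Because AC_ARG_WITH is expanded before AC_ARG_ENABLE, the alias also overrides an explicit `--enable-ignore-dot` or `--disable-ignore-dot` given on the same command line. This switch decides whether a privileged command lookup may fall back to the current directory, so a visible deprecation notice is worth adding: `[AC_MSG_WARN([--with-ignore-dot is deprecated, use --disable-ignore-dot]) enable_ignore_dot="$with_ignore_dot"]`.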
@@ -1279,6 +1268,19 @@ AC_ARG_ENABLE(env_debug, esac ]) +AC_ARG_ENABLE(ignore-dot, +[AS_HELP_STRING([--disable-ignore-dot], [allow '.' and "" in the PATH])], +[ case "$enableval" in + yes) ignore_dot=on + ;; + no) ignore_dot=off + AC_DEFINE(ALLOW_DOT_PATH) + ;; + *) AC_MSG_WARN([ignoring unknown argument to --enable-ignore-dot: $enableval]) + ;; + esac +]) + AC_ARG_ENABLE(postinstall, [AS_HELP_STRING([--enable-postinstall], [Script to run after the install phase])], [ case "$enableval" in @@ -1384,7 +1386,7 @@ AC_ARG_ENABLE(leaks, yes) ;; no) AC_DEFINE(NO_LEAKS) ;; - *) AC_MSG_WARN([ignoring unknown argument to --disable-leaks: $enableval]) + *) AC_MSG_WARN([ignoring unknown argument to --enable-leaks: $enableval]) ;; esac ]) @@ -4759,7 +4761,7 @@ AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimes AH_TEMPLATE(HAVE_ST_NMTIME, [Define to 1 if your struct stat has an st_nmtime member.]) AH_TEMPLATE(HAVE___PROGNAME, [Define to 1 if your crt0.o defines the __progname symbol for you.]) AH_TEMPLATE(HOST_IN_LOG, [Define to 1 if you want the hostname to be entered into the log file.]) -AH_TEMPLATE(IGNORE_DOT_PATH, [Define to 1 if you want to ignore '.' and empty PATH elements.]) +AH_TEMPLATE(ALLOW_DOT_PATH, [Define to 1 if you want sudo to honor '.' and "" in the PATH.]) AH_TEMPLATE(LOGGING, [Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH.]) AH_TEMPLATE(LONG_OTP_PROMPT, [Define to 1 if you want a two line OTP (S/Key or OPIE) prompt.]) AH_TEMPLATE(NO_AUTHENTICATION, [Define to 1 if you don't want sudo to prompt for a password by default.]) diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 880a92057..391b200ca 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -483,7 +483,7 @@ init_defaults(void) #ifdef LONG_OTP_PROMPT def_long_otp_prompt = true; #endif -#ifdef IGNORE_DOT_PATH +#ifndef ALLOW_DOT_PATH def_ignore_dot = true; #endif #ifdef ALWAYS_SEND_MAIL
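Review bot: The `#ifndef ALLOW_DOT_PATH` guard in init_defaults() has the opposite polarity to its neighbours (`#ifdef LONG_OTP_PROMPT`, `#ifdef ALWAYS_SEND_MAIL`), and nothing at the site explains that this is deliberate. A short comment would stop a later cleanup from turning it back into `#ifdef`, for example `/* ignore_dot is on by default; only --disable-ignore-dot (ALLOW_DOT_PATH) turns it off. */`. The direction is fail-safe: a config.h that lacks the macro, or a stale one that still defines IGNORE_DOT_PATH, ends up with `def_ignore_dot = true`. init_defaults() starts and ends outside the hunk, so how `def_ignore_dot` is initialised before this point cannot be confirmed from here.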