merge sudo 1.9.3p1 from tip

millert · millert · commit cfa5b999247e · 2020-09-23T12:45:31.000-06:00
--HG--
branch : 1.9
diff --git a/NEWS b/NEWS
@@ -1,3 +1,19 @@
+What's new in Sudo 1.9.3p1
+
+ * Fixed a regression introduced in sudo 1.9.3 where the configure
+   script would not detect the crypt(3) function if it was present
+   in the C library, not an additional library.
+
+ * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
+   file authentication on OpenBSD.  BSD authentication was not
+   affected.
+
+ * Sudo now logs when a user-specified command-line option is
+   rejected by a sudoers rule.  Previously, these conditions were
+   written to the audit log, but the default sudo log file.  Affected
+   command line arguments include -C (--close-from), -D (--chdir),
+   -R (--chroot), -g (--group) and -u (--user).
+
 What's new in Sudo 1.9.3
 
  * sudoedit will now prompt the user before overwriting an existing
@@ -7,7 +23,7 @@ What's new in Sudo 1.9.3
    doesn't support symbol hiding.
 
  * Sudo now uses a linker script to hide symbols even when the
-   compiler has native symbol hiding support.  This should make is
+   compiler has native symbol hiding support.  This should make it
    easier to detect omissions in the symbol exports file, regardless
    of the platform.
 
diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sudo 1.9.3.
+# Generated by GNU Autoconf 2.69 for sudo 1.9.3p1.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.3'
-PACKAGE_STRING='sudo 1.9.3'
+PACKAGE_VERSION='1.9.3p1'
+PACKAGE_STRING='sudo 1.9.3p1'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1584,7 +1584,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.9.3 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.3p1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1650,7 +1650,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.3:";;
+     short | recursive ) echo "Configuration of sudo 1.9.3p1:";;
    esac
   cat <<\_ACEOF
 
@@ -1924,7 +1924,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.3
+sudo configure 1.9.3p1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2633,7 +2633,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.3, which was
+It was created by sudo $as_me 1.9.3p1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -25531,11 +25531,13 @@ if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
 	test "${ac_cv_search_crypt}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_crypt}"
-	$as_echo "#define HAVE_CRYPT 1" >>confdefs.h
-
 
 fi
 
+    if test "${ac_cv_search_crypt}" != "no"; then
+	$as_echo "#define HAVE_CRYPT 1" >>confdefs.h
+
+    fi
     LIBS="$_LIBS"
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
@@ -27917,7 +27919,7 @@ fi
 case "$with_passwd" in
 yes|maybe)
     AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
-    if test test "${ac_cv_search_crypt}" = "no"; then
+    if test "${ac_cv_search_crypt}" = "no"; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No crypt function found, assuming plaintext passwords" >&5
 $as_echo "$as_me: WARNING: No crypt function found, assuming plaintext passwords" >&2;}
     fi
@@ -28626,7 +28628,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.3, which was
+This file was extended by sudo $as_me 1.9.3p1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28692,7 +28694,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.9.3
+sudo config.status 1.9.3p1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.59])
-AC_INIT([sudo], [1.9.3], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.3p1], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 dnl
@@ -4011,8 +4011,10 @@ if test ${with_passwd-'no'} != "no"; then
     _LIBS="$LIBS"
     AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [
 	test "${ac_cv_search_crypt}" != "none required" && shadow_libs="${shadow_libs} ${ac_cv_search_crypt}"
-	AC_DEFINE(HAVE_CRYPT)
     ])
+    if test "${ac_cv_search_crypt}" != "no"; then
+	AC_DEFINE(HAVE_CRYPT)
+    fi
     LIBS="$_LIBS"
 
     if test "$CHECKSHADOW" = "true" -a -n "$shadow_funcs"; then
@@ -4612,7 +4614,7 @@ dnl
 case "$with_passwd" in
 yes|maybe)
     AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
-    if test test "${ac_cv_search_crypt}" = "no"; then
+    if test "${ac_cv_search_crypt}" = "no"; then
 	AC_MSG_WARN([No crypt function found, assuming plaintext passwords])
     fi
     ;;
diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c
@@ -93,20 +93,17 @@ audit_failure_int(char *const argv[], const char *message)
 }
 
 int
-audit_failure(char *const argv[], char const *const fmt, ...)
+vaudit_failure(char *const argv[], char const *const fmt, va_list ap)
 {
     int oldlocale, ret;
     char *message;
-    va_list ap;
-    debug_decl(audit_failure, SUDOERS_DEBUG_AUDIT);
+    debug_decl(vaudit_failure, SUDOERS_DEBUG_AUDIT);
 
     /* Audit messages should be in the sudoers locale. */
     sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
 
-    va_start(ap, fmt);
     if ((ret = vasprintf(&message, _(fmt), ap)) == -1)
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-    va_end(ap);
 
     if (ret != -1) {
 	/* Set audit_msg for audit plugins.  */
@@ -121,6 +118,20 @@ audit_failure(char *const argv[], char const *const fmt, ...)
     debug_return_int(ret);
 }
 
+int
+audit_failure(char *const argv[], char const *const fmt, ...)
+{
+    va_list ap;
+    int ret;
+    debug_decl(audit_failure, SUDOERS_DEBUG_AUDIT);
+
+    va_start(ap, fmt);
+    ret = vaudit_failure(argv, fmt, ap);
+    va_end(ap);
+
+    debug_return_int(ret);
+}
+
 static int
 sudoers_audit_open(unsigned int version, sudo_conv_t conversation,
     sudo_printf_t plugin_printf, char * const settings[],
diff --git a/plugins/sudoers/getspwuid.c b/plugins/sudoers/getspwuid.c
@@ -75,8 +75,11 @@ sudo_getepw(const struct passwd *pw)
     {
 	struct passwd *spw;
 
+	/* On OpenBSD we need to closed the non-shadow passwd db first. */
+	endpwent();
 	if ((spw = getpwnam_shadow(pw->pw_name)) != NULL)
 	    epw = spw->pw_passwd;
+	setpassent(1);
     }
 #endif /* HAVE_GETPWNAM_SHADOW */
 #ifdef HAVE_GETPRPWNAM
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
@@ -502,6 +502,13 @@ vlog_warning(int flags, int errnum, const char *fmt, va_list ap)
     int len;
     debug_decl(vlog_warning, SUDOERS_DEBUG_LOGGING);
 
+    /* Do auditing first (audit_failure() handles the locale itself). */
+    if (ISSET(flags, SLOG_AUDIT)) {
+	va_copy(ap2, ap);
+	vaudit_failure(NewArgv, fmt, ap2);
+	va_end(ap2);
+    }
+
     /* Need extra copy of ap for sudo_vwarn()/sudo_vwarnx() below. */
     va_copy(ap2, ap);
 
diff --git a/plugins/sudoers/logging.h b/plugins/sudoers/logging.h
@@ -44,6 +44,7 @@
 #define SLOG_SEND_MAIL		0x08	/* log via mail */
 #define SLOG_NO_STDERR		0x10	/* do not log via stderr */
 #define SLOG_NO_LOG		0x20	/* do not log via file or syslog */
+#define SLOG_AUDIT		0x40	/* send message to audit as well */
 
 /*
  * Maximum number of characters to log per entry.  The syslogger
@@ -74,6 +75,7 @@ bool sudoers_warn_setlocale(bool restore, int *cookie);
 bool sudoers_setlocale(int newlocale, int *prevlocale);
 int sudoers_getlocale(void);
 int audit_failure(char *const argv[], char const *const fmt, ...) __printflike(2, 3);
+int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0);
 bool log_allowed(int status);
 bool log_auth_failure(int status, unsigned int tries);
 bool log_denial(int status, bool inform_user);
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
@@ -287,11 +287,12 @@ check_user_runchroot(void)
 
     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	"def_runchroot %s, user_runchroot %s",
-	def_runchroot ? def_runchroot : "NULL", user_runchroot);
+	def_runchroot ? def_runchroot : "none",
+	user_runchroot ? user_runchroot : "none");
 
     if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
 	    strcmp(def_runchroot, user_runchroot) != 0)) {
-	audit_failure(NewArgv,
+	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
 	    N_("user not allowed to change root directory to %s"),
 	    user_runchroot);
 	sudo_warnx(U_("you are not permitted to use the -R option with %s"),
@@ -313,11 +314,12 @@ check_user_runcwd(void)
 
     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	"def_runcwd %s, user_runcwd %s, user_cwd %s",
-	def_runcwd, user_runcwd, user_cwd);
+	def_runcwd ? def_runcwd : "none", user_runcwd ? user_runcwd : "none",
+	user_cwd ? user_cwd : "none");
 
     if (strcmp(user_cwd, user_runcwd) != 0) {
 	if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) {
-	    audit_failure(NewArgv,
+	    log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
 		N_("user not allowed to change directory to %s"), user_runcwd);
 	    sudo_warnx(U_("you are not permitted to use the -D option with %s"),
 		user_cmnd);
@@ -409,7 +411,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* Check for -C overriding def_closefrom. */
     if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
 	if (!def_closefrom_override) {
-	    audit_failure(NewArgv,
+	    log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
 		N_("user not allowed to override closefrom limit"));
 	    sudo_warnx("%s", U_("you are not permitted to use the -C option"));
 	    goto bad;
@@ -439,14 +441,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* Defer uid/gid checks until after defaults have been updated. */
     if (unknown_runas_uid && !def_runas_allow_unknown_id) {
-	audit_failure(NewArgv, N_("unknown user: %s"), runas_pw->pw_name);
-	sudo_warnx(U_("unknown user: %s"), runas_pw->pw_name);
+	log_warningx(SLOG_AUDIT, N_("unknown user: %s"), runas_pw->pw_name);
 	goto done;
     }
     if (runas_gr != NULL) {
 	if (unknown_runas_gid && !def_runas_allow_unknown_id) {
-	    audit_failure(NewArgv, N_("unknown group: %s"), runas_gr->gr_name);
-	    sudo_warnx(U_("unknown group: %s"), runas_gr->gr_name);
+	    log_warningx(SLOG_AUDIT, N_("unknown group: %s"),
+		runas_gr->gr_name);
 	    goto done;
 	}
     }
@@ -487,16 +488,15 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* Bail if a tty is required and we don't have one.  */
     if (def_requiretty && !tty_present()) {
-	audit_failure(NewArgv, N_("no tty"));
+	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT, N_("no tty"));
 	sudo_warnx("%s", U_("sorry, you must have a tty to run sudo"));
 	goto bad;
     }
 
     /* Check runas user's shell. */
     if (!check_user_shell(runas_pw)) {
-	audit_failure(NewArgv, N_("invalid shell for user %s: %s"),
-	    runas_pw->pw_name, runas_pw->pw_shell);
-	log_warningx(SLOG_RAW_MSG, N_("invalid shell for user %s: %s"),
+	log_warningx(SLOG_RAW_MSG|SLOG_AUDIT,
+	    N_("invalid shell for user %s: %s"),
 	    runas_pw->pw_name, runas_pw->pw_shell);
 	goto bad;
     }
@@ -597,7 +597,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 
     /* If user specified a timeout make sure sudoers allows it. */
     if (!def_user_command_timeouts && user_timeout > 0) {
-	audit_failure(NewArgv, N_("user not allowed to set a command timeout"));
+	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
+	    N_("user not allowed to set a command timeout"));
 	sudo_warnx("%s",
 	    U_("sorry, you are not allowed set a command timeout"));
 	goto bad;
@@ -606,7 +607,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* If user specified env vars make sure sudoers allows it. */
     if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
 	if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
-	    audit_failure(NewArgv,
+	    log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
 		N_("user not allowed to preserve the environment"));
 	    sudo_warnx("%s",
 		U_("sorry, you are not allowed to preserve the environment"));

Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,11 @@ sudo_getepw(const struct passwd *pw)`
`75`	`75`	`{`
`76`	`76`	`struct passwd *spw;`
`77`	`77`
	`78`	`+ /* On OpenBSD we need to closed the non-shadow passwd db first. */`
	`79`	`+ endpwent();`
`78`	`80`	`if ((spw = getpwnam_shadow(pw->pw_name)) != NULL)`
`79`	`81`	`epw = spw->pw_passwd;`
	`82`	`+ setpassent(1);`
`80`	`83`	`}`
`81`	`84`	`#endif /* HAVE_GETPWNAM_SHADOW */`
`82`	`85`	`#ifdef HAVE_GETPRPWNAM`