From 7e8f006888ecd95957dc80a3bda06a44265d188c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 15 Nov 2024 20:38:14 -0700 Subject: [PATCH 1/9] get_process_ttyname: always return the terminal device if we find one. If sudo cannot map the device number to a device file, set name to the empty string. The caller now checks for an empty name and only passes the tty path to the plugin if it is non-empty. This allows sudo to run without warnings in a chroot() jail where the terminal device files are not present. GitHub issue #421. --- src/sudo.c | 11 +++++--- src/ttyname.c | 70 ++++++++++++++++++++++++++++++--------------------- 2 files changed, 49 insertions(+), 32 deletions(-) diff --git a/src/sudo.c b/src/sudo.c index 3700a79ee3..49f5bd2337 100644 --- a/src/sudo.c +++ b/src/sudo.c @@ -622,10 +622,13 @@ get_user_info(struct user_details *ud) if (ttydev != (dev_t)-1) { if (asprintf(&info[++i], "ttydev=%lld", (long long)ttydev) == -1) goto oom; - info[++i] = sudo_new_key_val("tty", path); - if (info[i] == NULL) - goto oom; - ud->tty = info[i] + sizeof("tty=") - 1; + /* The terminal device file may be missing in a chroot() jail. */ + if (path[0] != '\0') { + info[++i] = sudo_new_key_val("tty", path); + if (info[i] == NULL) + goto oom; + ud->tty = info[i] + sizeof("tty=") - 1; + } } else { /* tty may not always be present */ if (errno != ENOENT) diff --git a/src/ttyname.c b/src/ttyname.c index a36b6da2fa..ec3160d4b8 100644 --- a/src/ttyname.c +++ b/src/ttyname.c @@ -94,8 +94,10 @@ #if defined(sudo_kp_tdev) /* - * Store the name of the tty to which the process is attached in name. - * Returns name on success and NULL on failure, setting errno. + * Look up terminal device that the process is attached to and + * fill in its name, if available. Sets name to the empty string + * if the device number cannot be mapped to a device name. + * Returns the tty device number on success and -1 on failure, setting errno. */ dev_t get_process_ttyname(char *name, size_t namelen) @@ -135,10 +137,11 @@ get_process_ttyname(char *name, size_t namelen) errno = serrno; ttydev = (dev_t)ki_proc->sudo_kp_tdev; if (sudo_ttyname_dev(ttydev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)major(ttydev), (unsigned int)minor(ttydev)); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } } } else { @@ -151,8 +154,10 @@ get_process_ttyname(char *name, size_t namelen) } #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) /* - * Store the name of the tty to which the process is attached in name. - * Returns name on success and NULL on failure, setting errno. + * Look up terminal device that the process is attached to and + * fill in its name, if available. Sets name to the empty string + * if the device number cannot be mapped to a device name. + * Returns the tty device number on success and -1 on failure, setting errno. */ dev_t get_process_ttyname(char *name, size_t namelen) @@ -179,10 +184,11 @@ get_process_ttyname(char *name, size_t namelen) if (ttydev != 0 && ttydev != (dev_t)-1) { errno = serrno; if (sudo_ttyname_dev(ttydev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)major(ttydev), (unsigned int)minor(ttydev)); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } goto done; } @@ -197,10 +203,11 @@ get_process_ttyname(char *name, size_t namelen) if (sudo_isatty(i, &sb)) { ttydev = sb.st_rdev; if (sudo_ttyname_dev(ttydev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)major(ttydev), (unsigned int)minor(ttydev)); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } goto done; } @@ -217,8 +224,10 @@ get_process_ttyname(char *name, size_t namelen) } #elif defined(__linux__) /* - * Store the name of the tty to which the process is attached in name. - * Returns name on success and NULL on failure, setting errno. + * Look up terminal device that the process is attached to and + * fill in its name, if available. Sets name to the empty string + * if the device number cannot be mapped to a device name. + * Returns the tty device number on success and -1 on failure, setting errno. */ dev_t get_process_ttyname(char *name, size_t namelen) @@ -282,10 +291,11 @@ get_process_ttyname(char *name, size_t namelen) ttydev = (unsigned int)tty_nr; errno = serrno; if (sudo_ttyname_dev(ttydev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)major(ttydev), (unsigned int)minor(ttydev)); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } goto done; } @@ -310,10 +320,11 @@ get_process_ttyname(char *name, size_t namelen) if (sudo_isatty(i, &sb)) { ttydev = sb.st_rdev; if (sudo_ttyname_dev(sb.st_rdev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)major(ttydev), (unsigned int)minor(ttydev)); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } goto done; } @@ -332,8 +343,10 @@ get_process_ttyname(char *name, size_t namelen) } #elif defined(HAVE_PSTAT_GETPROC) /* - * Store the name of the tty to which the process is attached in name. - * Returns name on success and NULL on failure, setting errno. + * Look up terminal device that the process is attached to and + * fill in its name, if available. Sets name to the empty string + * if the device number cannot be mapped to a device name. + * Returns the tty device number on success and -1 on failure, setting errno. */ dev_t get_process_ttyname(char *name, size_t namelen) @@ -354,11 +367,12 @@ get_process_ttyname(char *name, size_t namelen) errno = serrno; ttydev = makedev(pst.pst_term.psd_major, pst.pst_term.psd_minor); if (sudo_ttyname_dev(ttydev, name, namelen) == NULL) { - sudo_warnx( - U_("unable to find terminal name for device %u, %u"), + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, + "unable to find terminal name for device %u, %u", (unsigned int)pst.pst_term.psd_major, (unsigned int)pst.pst_term.psd_minor); - ttydev = (dev_t)-1; + if (namelen != 0) + *name = '\0'; } goto done; } @@ -373,8 +387,8 @@ get_process_ttyname(char *name, size_t namelen) } #else /* - * Store the name of the tty to which the process is attached in name. - * Returns name on success and NULL on failure, setting errno. + * Look up terminal device that the process is attached to and fill in name. + * Returns the tty device number on success and -1 on failure, setting errno. */ dev_t get_process_ttyname(char *name, size_t namelen) From b7efb8ab5b17aaccabe864a0f5aac1c4d0afe450 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 16 Nov 2024 08:17:51 -0700 Subject: [PATCH 2/9] sudo_ttyname_dev: On Linux try to use /proc/self/fd/{0,1,2} if possible. If one of std{in,out,err} matches the specified device, try to resolve it to a path by using /proc/self/fd/{0,1,2}. This avoids searching all of /dev and works in a chroot where /proc is mounted but /dev/pts is not. GitHub issue #421. --- lib/util/ttyname_dev.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/lib/util/ttyname_dev.c b/lib/util/ttyname_dev.c index 2136e3de55..77ef76600d 100644 --- a/lib/util/ttyname_dev.c +++ b/lib/util/ttyname_dev.c @@ -253,11 +253,39 @@ char * sudo_ttyname_dev_v1(dev_t rdev, char *buf, size_t buflen) { const char *devsearch, *devsearch_end; - char path[PATH_MAX], *ret; + char path[PATH_MAX], *ret = NULL; const char *cp, *ep; size_t len; debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL); +#ifdef __linux__ + /* + * First check std{in,out,err} and use /proc/self/fd/{0,1,2} if possible. + */ + for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) { + char fdpath[] = "/proc/self/fd/N"; + struct stat sb; + + if (fstat(fd, &sb) == -1 || !S_ISCHR(sb.st_mode)) + continue; + if (rdev != sb.st_rdev) + continue; + + fdpath[sizeof("/proc/self/fd/N") - 2] = '0' + fd; + len = readlink(fdpath, buf, buflen); + if (len != (size_t)-1) { + if (len == buflen) { + errno = ERANGE; /* buf too small */ + } else { + /* readlink(2) does not NUL-terminate. */ + buf[len] = '\0'; + ret = buf; + } + goto done; + } + } +#endif + /* * First, check /dev/console. */ From 9c63ff0e1bec8706101a320b0f2e3529d76018b3 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 16 Nov 2024 11:21:39 -0700 Subject: [PATCH 3/9] Pass NULL, not false, to sudoers_format_default_line(). --- plugins/sudoers/cvtsudoers_ldif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c index aaaf427168..69d1ef9c9e 100644 --- a/plugins/sudoers/cvtsudoers_ldif.c +++ b/plugins/sudoers/cvtsudoers_ldif.c @@ -204,7 +204,7 @@ print_global_defaults_ldif(FILE *fp, lbuf.len = 0; if (!sudo_lbuf_append(&lbuf, "# ")) goto done; - if (!sudoers_format_default_line(&lbuf, parse_tree, opt, false, true)) + if (!sudoers_format_default_line(&lbuf, parse_tree, opt, NULL, true)) goto done; fprintf(fp, "# Unable to translate %s:%d:%d:\n%s\n", opt->file, opt->line, opt->column, lbuf.buf); From 4c99e29bb3a72c3b0caa30c1f20eff21822fcc8d Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 16 Nov 2024 13:48:23 -0700 Subject: [PATCH 4/9] Use NULL, not false, in the terminating entry of test_data[]. --- lib/util/regress/parse_gids/parse_gids_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/util/regress/parse_gids/parse_gids_test.c b/lib/util/regress/parse_gids/parse_gids_test.c index 3a94a72e60..1edf29f34b 100644 --- a/lib/util/regress/parse_gids/parse_gids_test.c +++ b/lib/util/regress/parse_gids/parse_gids_test.c @@ -50,7 +50,7 @@ static struct parse_gids_test test_data[] = { { "1,2,3,4", &test_data[0].basegid, 0, 5, test1_out }, { "1,2,3,4", NULL, 0, 4, test2_out }, { "1,-2,3,4", &test_data[2].basegid, 0, 5, test3_out }, - { NULL, false, 0, 0, NULL } + { NULL, NULL, 0, 0, NULL } }; static void From 9613ef9445d0d8d507f369b12f223f6b7b5b4cf2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 16 Nov 2024 11:33:21 -0700 Subject: [PATCH 5/9] Cast hook functions to sudo_hook_fn_t to fix C23 compile error. The sudo plugin API defines sudo_hook_fn_t as a function with unspecified arguments. This is no longer supported in C23 so use a variadic function for sudo_hook_fn_t instead. Moving to a union may be a better long-term fix. GitHub issue #420. --- include/sudo_plugin.h | 4 ++++ plugins/sudoers/policy.c | 8 ++++---- src/hooks.c | 4 ++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/include/sudo_plugin.h b/include/sudo_plugin.h index 4a68f46926..24a20d1903 100644 --- a/include/sudo_plugin.h +++ b/include/sudo_plugin.h @@ -96,7 +96,11 @@ typedef int (*sudo_printf_t)(int msg_type, const char * restrict fmt, ...); #endif /* Hook functions typedefs. */ +#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 202311L) +typedef int (*sudo_hook_fn_t)(...); +#else typedef int (*sudo_hook_fn_t)(); +#endif typedef int (*sudo_hook_fn_setenv_t)(const char *name, const char *value, int overwrite, void *closure); typedef int (*sudo_hook_fn_putenv_t)(char *string, void *closure); typedef int (*sudo_hook_fn_getenv_t)(const char *name, char **value, void *closure); diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index 20f67a1c64..e3fe259c7f 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -1358,10 +1358,10 @@ sudoers_policy_version(int verbose) } static struct sudo_hook sudoers_hooks[] = { - { SUDO_HOOK_VERSION, SUDO_HOOK_SETENV, sudoers_hook_setenv, NULL }, - { SUDO_HOOK_VERSION, SUDO_HOOK_UNSETENV, sudoers_hook_unsetenv, NULL }, - { SUDO_HOOK_VERSION, SUDO_HOOK_GETENV, sudoers_hook_getenv, NULL }, - { SUDO_HOOK_VERSION, SUDO_HOOK_PUTENV, sudoers_hook_putenv, NULL }, + { SUDO_HOOK_VERSION, SUDO_HOOK_SETENV, (sudo_hook_fn_t)sudoers_hook_setenv, NULL }, + { SUDO_HOOK_VERSION, SUDO_HOOK_UNSETENV, (sudo_hook_fn_t)sudoers_hook_unsetenv, NULL }, + { SUDO_HOOK_VERSION, SUDO_HOOK_GETENV, (sudo_hook_fn_t)sudoers_hook_getenv, NULL }, + { SUDO_HOOK_VERSION, SUDO_HOOK_PUTENV, (sudo_hook_fn_t)sudoers_hook_putenv, NULL }, { 0, 0, NULL, NULL } }; diff --git a/src/hooks.c b/src/hooks.c index 8ef3e935ef..a7befe3977 100644 --- a/src/hooks.c +++ b/src/hooks.c @@ -125,7 +125,7 @@ process_hooks_unsetenv(const char *name) /* Hook registration internals. */ static int register_hook_internal(struct sudo_hook_list *head, - int (*hook_fn)(), void *closure) + sudo_hook_fn_t hook_fn, void *closure) { struct sudo_hook_entry *hook; debug_decl(register_hook_internal, SUDO_DEBUG_HOOKS); @@ -185,7 +185,7 @@ register_hook(struct sudo_hook *hook) /* Hook deregistration internals. */ static void deregister_hook_internal(struct sudo_hook_list *head, - int (*hook_fn)(), void *closure) + sudo_hook_fn_t hook_fn, void *closure) { struct sudo_hook_entry *hook, *prev = NULL; debug_decl(deregister_hook_internal, SUDO_DEBUG_HOOKS); From 3d85f2e98fc350aa88881ed118f51ebabb64ad17 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 17 Nov 2024 13:01:10 -0700 Subject: [PATCH 6/9] Add some casts to quiet -Wconversion --- lib/util/setgroups.c | 2 +- plugins/sudoers/sudo_printf.c | 2 +- src/conversation.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/util/setgroups.c b/lib/util/setgroups.c index 7298fcc04a..83e0c4a9a0 100644 --- a/lib/util/setgroups.c +++ b/lib/util/setgroups.c @@ -50,7 +50,7 @@ sudo_setgroups_v1(int ngids, const GETGROUPS_T *gids) if (maxgids == -1) maxgids = NGROUPS_MAX; if (ngids > maxgids) - ret = setgroups(maxgids, (GETGROUPS_T *)gids); + ret = setgroups((int)maxgids, (GETGROUPS_T *)gids); } debug_return_int(ret); } diff --git a/plugins/sudoers/sudo_printf.c b/plugins/sudoers/sudo_printf.c index f5ca602319..cb6bf47b8a 100644 --- a/plugins/sudoers/sudo_printf.c +++ b/plugins/sudoers/sudo_printf.c @@ -69,7 +69,7 @@ sudo_printf_int(int msg_type, const char * restrict fmt, ...) va_end(ap); } if (len != -1) { - if (fwrite(buf, 1, len, ttyfp ? ttyfp : fp) == 0) + if (fwrite(buf, 1, (size_t)len, ttyfp ? ttyfp : fp) == 0) len = -1; if (buf != sbuf) free(buf); diff --git a/src/conversation.c b/src/conversation.c index ea2469ff37..9cc340c4d4 100644 --- a/src/conversation.c +++ b/src/conversation.c @@ -219,7 +219,7 @@ sudo_conversation_printf(int msg_type, const char * restrict fmt, ...) va_end(ap); } if (len != -1) { - if (fwrite(buf, 1, len, ttyfp ? ttyfp : fp) == 0) + if (fwrite(buf, 1, (size_t)len, ttyfp ? ttyfp : fp) == 0) len = -1; if (buf != sbuf) free(buf); From da20ccec08788ea5284ef2599c0b5aa221273c36 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 17 Nov 2024 09:46:38 -0700 Subject: [PATCH 7/9] Avoid multiple calls to sysonf() via the MAX macro. The expansion of MAX would result in multiple calls to sysconf(). It is less error-prone to store the result of sysconf() in a long. --- plugins/sudoers/cvtsudoers_pwutil.c | 10 ++++++---- plugins/sudoers/pwutil_impl.c | 13 ++++++++----- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/plugins/sudoers/cvtsudoers_pwutil.c b/plugins/sudoers/cvtsudoers_pwutil.c index 35ccbdd4aa..914ea0f4ae 100644 --- a/plugins/sudoers/cvtsudoers_pwutil.c +++ b/plugins/sudoers/cvtsudoers_pwutil.c @@ -403,7 +403,7 @@ cvtsudoers_make_grlist_item(const struct passwd *pw, char * const *unused1) struct cache_item_grlist *grlitem; struct sudoers_string *s; struct group_list *grlist; - size_t groupname_len; + long groupname_len; debug_decl(cvtsudoers_make_grlist_item, SUDOERS_DEBUG_NSS); /* @@ -421,7 +421,9 @@ cvtsudoers_make_grlist_item(const struct passwd *pw, char * const *unused1) } #ifdef _SC_LOGIN_NAME_MAX - groupname_len = (size_t)MAX(sysconf(_SC_LOGIN_NAME_MAX), 32); + groupname_len = sysconf(_SC_LOGIN_NAME_MAX); + if (groupname_len < 32) + groupname_len = 32; #else groupname_len = MAX(LOGIN_NAME_MAX, 32); #endif @@ -429,7 +431,7 @@ cvtsudoers_make_grlist_item(const struct passwd *pw, char * const *unused1) /* Allocate in one big chunk for easy freeing. */ nsize = strlen(pw->pw_name) + 1; total = sizeof(*grlitem) + nsize; - total += groupname_len * ngroups; + total += (size_t)groupname_len * ngroups; again: if ((grlitem = calloc(1, total)) == NULL) { @@ -470,7 +472,7 @@ cvtsudoers_make_grlist_item(const struct passwd *pw, char * const *unused1) } len = strlen(s->str) + 1; if ((size_t)(cp - (char *)grlitem) + len > total) { - total += len + groupname_len; + total += len + (size_t)groupname_len; free(grlitem); goto again; } diff --git a/plugins/sudoers/pwutil_impl.c b/plugins/sudoers/pwutil_impl.c index a2e3394e4f..86600296df 100644 --- a/plugins/sudoers/pwutil_impl.c +++ b/plugins/sudoers/pwutil_impl.c @@ -363,12 +363,13 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, int ngids, GETGROUPS_T *gids, struct cache_item * PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1) { - char *cp; - size_t groupname_len, len, ngroups, nsize, total; + size_t len, ngroups, nsize, total; struct cache_item_grlist *grlitem; struct group_list *grlist; struct gid_list *gidlist; struct group *grp = NULL; + long groupname_len; + char *cp; int i; debug_decl(sudo_make_grlist_item, SUDOERS_DEBUG_NSS); @@ -381,7 +382,9 @@ PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1) } #ifdef _SC_LOGIN_NAME_MAX - groupname_len = (size_t)MAX(sysconf(_SC_LOGIN_NAME_MAX), 32); + groupname_len = sysconf(_SC_LOGIN_NAME_MAX); + if (groupname_len < 32) + groupname_len = 32; #else groupname_len = MAX(LOGIN_NAME_MAX, 32); #endif @@ -390,7 +393,7 @@ PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1) nsize = strlen(pw->pw_name) + 1; total = sizeof(*grlitem) + nsize; total += sizeof(char *) * (size_t)gidlist->ngids; - total += groupname_len * (size_t)gidlist->ngids; + total += (size_t)(groupname_len * gidlist->ngids); again: if ((grlitem = calloc(1, total)) == NULL) { @@ -429,7 +432,7 @@ PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1) if ((grp = sudo_getgrgid(gidlist->gids[i])) != NULL) { len = strlen(grp->gr_name) + 1; if ((size_t)(cp - (char *)grlitem) + len > total) { - total += len + groupname_len; + total += len + (size_t)groupname_len; free(grlitem); sudo_gr_delref(grp); goto again; From f8987fc0bb135d8adf368a86f698c603f666a3e2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 18 Nov 2024 11:05:48 -0700 Subject: [PATCH 8/9] Work around a bug in UBSan that is causing CI failures. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116834 --- plugins/sudoers/sudoreplay.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/sudoers/sudoreplay.c b/plugins/sudoers/sudoreplay.c index e8b1b0c135..d4aa2662c6 100644 --- a/plugins/sudoers/sudoreplay.c +++ b/plugins/sudoers/sudoreplay.c @@ -1678,9 +1678,9 @@ read_keyboard(int fd, int what, void *v) static void display_usage(FILE *fp) { - fprintf(fp, _("usage: %s [-hnRS] [-d dir] [-m num] [-s num] ID\n"), + fprintf(fp, "usage: %s [-hnRS] [-d dir] [-m num] [-s num] ID\n", getprogname()); - fprintf(fp, _("usage: %s [-h] [-d dir] -l [search expression]\n"), + fprintf(fp, "usage: %s [-h] [-d dir] -l [search expression]\n", getprogname()); } From 73cbe4e7e1630c4420b6451c7f4ec3b61dbd148c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 25 Nov 2024 08:34:04 -0700 Subject: [PATCH 9/9] Sudo 1.9.16p2 --- NEWS | 15 +++++++++++++++ configure | 18 +++++++++--------- configure.ac | 2 +- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 41cf250239..9ca4af00a1 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,18 @@ +What's new in Sudo 1.9.16p2 + + * Sudo now passes the terminal device number to the policy plugin + even if it cannot resolve it to a path name. This allows sudo + to run without warnings in a chroot jail when the terminal device + files are not present. GitHub issue #421. + + * On Linux systems, sudo will now attempt to use the symbolic links + in /proc/self/fd/{0,1,2} when resolving the terminal device + number. This can allow sudo to map a terminal device to its + path name even when /dev/pts is not mounted in a chroot jail. + + * Fixed compilation errors with gcc and clang in C23 mode. + C23 no longer supports functions with unspecified arguments. + What's new in Sudo 1.9.16p1 * Fixed the test for cross-compiling when checking for C99 snprintf(). diff --git a/configure b/configure index 135adec9be..63012a5177 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for sudo 1.9.16p1. +# Generated by GNU Autoconf 2.72 for sudo 1.9.16p2. # # Report bugs to . # @@ -614,8 +614,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.9.16p1' -PACKAGE_STRING='sudo 1.9.16p1' +PACKAGE_VERSION='1.9.16p2' +PACKAGE_STRING='sudo 1.9.16p2' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1645,7 +1645,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures sudo 1.9.16p1 to adapt to many kinds of systems. +'configure' configures sudo 1.9.16p2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1711,7 +1711,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.9.16p1:";; + short | recursive ) echo "Configuration of sudo 1.9.16p2:";; esac cat <<\_ACEOF @@ -2006,7 +2006,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.9.16p1 +sudo configure 1.9.16p2 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. @@ -2826,7 +2826,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.9.16p1, which was +It was created by sudo $as_me 1.9.16p2, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw @@ -36774,7 +36774,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.9.16p1, which was +This file was extended by sudo $as_me 1.9.16p2, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -36842,7 +36842,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -sudo config.status 1.9.16p1 +sudo config.status 1.9.16p2 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 15a4047d36..a7eb40e3ed 100644 --- a/configure.ac +++ b/configure.ac @@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. dnl AC_PREREQ([2.69]) -AC_INIT([sudo], [1.9.16p1], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.9.16p2], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADERS([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) AC_CONFIG_AUX_DIR([scripts])