cc2a3b0d48
What's new in Sudo 1.8.17p1

 * Fixed a bug introduced in 1.8.17 where the user's groups were not set on systems that don't use PAM. Bug #749.

What's new in Sudo 1.8.17

 * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH but pam_start(3) fails, fall back to AIX authentication. Bug #740.
 * Sudo now takes all sudoers sources into account when determining whether or not "sudo -l" or "sudo -b" should prompt for a password. In other words, if both file and ldap sudoers sources are specified in /etc/nsswitch.conf, "sudo -v" will now require that all entries in both sources have NOPASSWD (file) or !authenticate (ldap) in the entries.
 * Sudo now ignores SIGPIPE until the command is executed. Previously, SIGPIPE was only ignored in a few select places. Bug #739.
 * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log file entries were missing the newline when loglinelen is set to a non-positive number. Bug #742.
 * Unix groups are now set before the plugin session initialization code is run. This makes it possible to use dynamic groups with the Linux-PAM pam_group module.
 * Fixed a bug where a debugging statement could dereference a NULL pointer when looking up a group that doesn't exist. Bug #743.
 * Sudo has been run through the Coverity code scanner. A number of minor bugs have been fixed as a result. None were security issues.
 * SELinux support, which was broken in 1.8.16, has been repaired.
 * Fixed a bug when logging I/O where all output buffers might not get flushed at exit.
 * Forward slashes are no longer escaped in the JSON output of "visudo -x". This was never required by the standard and not escaping them improves readability of the output.
 * Sudo no longer treats PAM_SESSION_ERR as a fatal error when opening the PAM session. Other errors from pam_open_session() are still treated as fatal. This avoids the "policy plugin failed session initialization" error message seen on some systems.
 * Korean translation for sudo and sudoers from translationproject.org.
 * Fixed a bug on AIX where the stack size hard resource limit was being set to 2GB instead of 4GB on 64-bit systems.
 * The SSSD backend now properly supports "sudo -U otheruser -l".
 * The SSSD backend now uses the value of "ipa_hostname" from sssd.conf, if specified, when matching the host name.
 * Fixed a hang on some systems when the command is being run in a pty and it failed to execute.
 * When performing a wildcard match in sudoers, check for an exact string match if the user command was fully-qualified (or resolved via the PATH). This fixes an issue executing scripts on Linux when there are multiple wildcard matches with the same base name. Bug #746.

What's new in Sudo 1.8.16

 * Fixed a compilation error on Solaris 10 with Sun Studio 12. Bug #727.
 * When preserving variables from the invoking user's environment, if there are duplicates sudo now only keeps the first instance.
 * Fixed a bug that could cause warning mail to be sent in list mode (sudo -l) for users without sudo privileges when the LDAP and sssd backends are used.
 * Fixed a bug that prevented the "mail_no_user" option from working properly with the LDAP backend.
 * In the LDAP and sssd backends, white space is now ignored between an operator (!, +, +=, -=) when parsing a sudoOption.
 * It is now possible to disable Path settings in sudo.conf by omitting the path name.
 * The sudoedit_checkdir Defaults option is now enabled by default and has been extended. When editing files with sudoedit, each directory in the path to be edited is now checked. If a directory is writable by the invoking user, symbolic links will not be followed. If the parent directory of the file to be edited is writable, sudoedit will refuse to edit it. Bug #707.
 * The netgroup_tuple Defaults option has been added to enable matching of the entire netgroup tuple, not just the host or user portion. Bug #717.
 * When matching commands based on the SHA2 digest, sudo will now use fexecve(2) to execute the command if it is available. This fixes a time of check versus time of use race condition when the directory holding the command is writable by the invoking user.
 * On AIX systems, sudo now caches the auth registry string along with password and group information. This fixes a potential problem when a user or group of the same name exists in multiple auth registries. For example, local and LDAP.
 * Fixed a crash in the SSSD backend when the invoking user is not found. Bug #732.
 * Added the --enable-asan configure flag to enable address sanitizer support. A few minor memory leaks have been plugged to quiet the ASAN leak detector.
 * The value of _PATH_SUDO_CONF may once again be overridden via the Makefile. Bug #735.
 * The sudoers2ldif script now handles multiple roles with same name.
 * Fixed a compilation error on systems that have the posix_spawn() and posix_spawnp() functions but an unusable spawn.h header. Bug #730.
 * Fixed support for negating character classes in sudo's version of the fnmatch() function.
 * Fixed a bug in the LDAP and SSSD backends that could allow an unauthorized user to list another user's privileges. Bug #738.
 * The PAM conversation function now works around an ambiguity in the PAM spec with respect to multiple messages. Bug #726.
68 lines
2.5 KiB
Text
$NetBSD: patch-af,v 1.33 2016/09/12 17:12:24 taca Exp $

* Add "--with-nbsdops" option, NetBSD standard options.
* Link with util(3) in the case of DragonFly, too.
* When the "--with-kerb5" option is specified, test for the existence of several functions
  even if there is krb5-config. krb5-config doesn't give all definitions for
  functions (HAVE_KRB5_*).
* Remove setting sysconfdir to "/etc".

--- configure.ac.orig 2016-06-22 16:36:23.000000000 +0000
+++ configure.ac
@@ -439,6 +439,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi
;;
esac])
++AC_ARG_WITH(nbsdops, [AS_HELP_STRING([--with-nbsdops], [add NetBSD standard opt
+ions])],
+[case $with_nbsdops in
+ yes) echo 'Adding NetBSD standard options'
+ CHECKSIA=false
+ with_ignore_dot=yes
+ with_env_editor=yes
+ with_tty_tickets=yes
+ ;;
+ no) ;;
+ *) echo "Ignoring unknown argument to --with-nbsdops: $with_nbsdops"
+ ;;
+esac])
+
AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
[case $with_passwd in
yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
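Review bot: The yes) branch assigns with_ignore_dot, with_env_editor and with_tty_tickets unconditionally, so an explicit --without-env-editor or --without-tty-tickets given on the same configure line can be silently overridden, and with_env_editor=yes in particular makes visudo honour the EDITOR and VISUAL environment variables. Consider defaulting only when the variable is unset, for example `: ${with_env_editor=yes}`, and reporting through AC_MSG_NOTICE and AC_MSG_WARN instead of echo so the messages also reach config.log. As shown here the added AC_ARG_WITH line is wrapped mid-word ("standard opt" / "ions") with a doubled "+", which is worth checking against the file in the tree.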
@@ -1951,7 +1965,7 @@ case "$host" in
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
- *-*-linux*|*-*-k*bsd*-gnu)
+ *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd)
shadow_funcs="getspnam"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
;;
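Review bot: The new `*-*-gnukfreebsd` alternative on the changed case label has no trailing wildcard, unlike `*-*-linux*` beside it, so a host triplet carrying a version suffix would not match and would miss both shadow_funcs="getspnam" and the AUTH_EXCL_DEF="PAM" default. The change is also absent from the description at the top of the patch; add a bullet for it there, and use `*-*-gnukfreebsd*` if suffixed triplets are expected.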
@@ -2299,7 +2313,7 @@ SUDO_MAILDIR
if test ${with_logincap-'no'} != "no"; then
AC_CHECK_HEADERS([login_cap.h], [LOGINCAP_USAGE='[[-c class]] '; LCMAN=1
case "$OS" in
- freebsd|netbsd)
+ dragonfly*|freebsd|netbsd)
SUDO_LIBS="${SUDO_LIBS} -lutil"
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
;;
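Review bot: On the changed case label, `dragonfly*` is a glob while `freebsd` and `netbsd` are exact matches against $OS, and nothing in the hunk says why DragonFly alone needs the wildcard. Add a short dnl comment explaining it, or drop the `*` if $OS is already normalised at this point, so the three entries stay consistent.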
@@ -3381,6 +3395,8 @@ if test ${with_kerb5-'no'} != "no"; then
])
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
fi
+fi
+if test ${with_kerb5-'no'} != "no"; then
_LIBS="$LIBS"
LIBS="${LIBS} ${SUDOERS_LIBS}"
AC_CHECK_FUNCS([krb5_verify_user krb5_init_secure_context])
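Review bot: The added `fi` followed immediately by a second `if test ${with_kerb5-'no'} != "no"; then` with the identical condition reads like a mistake to anyone looking at configure.ac without the patch header. Add a dnl comment above the reopened block stating that the AC_CHECK_FUNCS probes must run whether or not krb5-config was found, and confirm the block that follows still ends with exactly one closing fi, since the hunk shows only the opening side.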
@@ -4220,7 +4236,7 @@ test "$datarootdir" = '${prefix}/share'
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
+dnl test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
dnl
dnl Substitute into the Makefile and man pages
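Review bot: Disabling the sysconfdir line with a dnl prefix leaves dead code behind and changes where a default-prefix build looks for its configuration, since '${prefix}/etc' is no longer mapped to '/etc'. For sudo that moves the sudoers path along with the prefix, so the package should pass --sysconfdir explicitly and a comment here should say so; otherwise delete the line rather than commenting it out.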