])dnl
dnl
-dnl Where the timestamp files go, use /var/run/sudo if /var/run exists,
-dnl else /{var,usr}/adm/sudo
+dnl Where the timestamp files go.
dnl
AC_DEFUN(SUDO_TIMEDIR, [AC_MSG_CHECKING(for timestamp file location)
-if test -n "$with_timedir"; then
- AC_MSG_RESULT($with_timedir)
- SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$with_timedir")
- timedir="$with_timedir"
-elif test -d "/var/run"; then
- AC_MSG_RESULT(/var/run/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/run/sudo")
- timedir="/var/run/sudo"
-elif test -d "/var/adm"; then
- AC_MSG_RESULT(/var/adm/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/adm/sudo")
- timedir="/var/adm/sudo"
-else
- AC_MSG_RESULT(/usr/adm/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/usr/adm/sudo")
- timedir="/usr/adm/sudo"
+timedir="$with_timedir"
+if test -z "$timedir"; then
+ for d in /var/db /var/lib /var/adm /usr/adm; do
+ if test -d "$d"; then
+ timedir="$d/sudo"
+ break;
+ fi
+ done
fi
+AC_MSG_RESULT([$timedir])
+SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$timedir")
])dnl
dnl
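Review bot: If `--with-timedir` is not given and none of /var/db, /var/lib, /var/adm or /usr/adm exists, the new loop in SUDO_TIMEDIR leaves `timedir` empty, so `_PATH_SUDO_TIMEDIR` is defined as `""`. The removed code could not do this, because its final `else` branch always fell back to `/usr/adm/sudo`. The sudoers policy checks the ownership and mode of this directory before trusting its contents, so an empty compiled-in path should be caught at configure time rather than at run time. After the `done` I would add `test -n "$timedir" || timedir="/usr/adm/sudo"`, or an `AC_MSG_ERROR` that tells the builder to pass `--with-timedir`. The generated configure script further down repeats the same lines and would pick up the fix on regeneration.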
# Begin initial values for man page substitution
#
io_logdir=/var/log/sudo-io
-timedir=/var/run/sudo
+timedir=/var/adm/sudo
timeout=5
password_timeout=5
sudo_umask=0022
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='yes'}
- # Apple sudo timedir location
- : ${with_timedir='/var/db/sudo'}
;;
*-*-nextstep*)
# lockf() on is broken on the NeXT -- use flock instead
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for timestamp file location" >&5
$as_echo_n "checking for timestamp file location... " >&6; }
-if test -n "$with_timedir"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_timedir" >&5
-$as_echo "$with_timedir" >&6; }
- cat >>confdefs.h <<EOF
-#define _PATH_SUDO_TIMEDIR "$with_timedir"
-EOF
-
- timedir="$with_timedir"
-elif test -d "/var/run"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/run/sudo" >&5
-$as_echo "/var/run/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/var/run/sudo"
-EOF
-
- timedir="/var/run/sudo"
-elif test -d "/var/adm"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/adm/sudo" >&5
-$as_echo "/var/adm/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/var/adm/sudo"
-EOF
-
- timedir="/var/adm/sudo"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/adm/sudo" >&5
-$as_echo "/usr/adm/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/usr/adm/sudo"
+timedir="$with_timedir"
+if test -z "$timedir"; then
+ for d in /var/db /var/lib /var/adm /usr/adm; do
+ if test -d "$d"; then
+ timedir="$d/sudo"
+ break;
+ fi
+ done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $timedir" >&5
+$as_echo "$timedir" >&6; }
+cat >>confdefs.h <<EOF
+#define _PATH_SUDO_TIMEDIR "$timedir"
EOF
- timedir="/usr/adm/sudo"
-fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for I/O log dir location" >&5
# Begin initial values for man page substitution
#
io_logdir=/var/log/sudo-io
-timedir=/var/run/sudo
+timedir=/var/adm/sudo
timeout=5
password_timeout=5
sudo_umask=0022
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='yes'}
- # Apple sudo timedir location
- : ${with_timedir='/var/db/sudo'}
;;
*-*-nextstep*)
# lockf() on is broken on the NeXT -- use flock instead
Notes on upgrading from an older release
========================================
+o Upgrading from a version prior to 1.7.4:
+
+ Starting with sudo 1.7.4, the time stamp files have moved from
+ /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
+ The directories are checked for existence in that order. This
+ prevents users from receiving the sudo lecture every time the
+ system reboots. Time stamp files older than the boot time are
+ ignored on systems where it is possible to determine this.
+
o Upgrading from a version prior to 1.7.0:
- Starting with sudo 1.7.0 comments in the sudoers file must not
+ Starting with sudo 1.7.0, comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
('#'). Otherwise, the comment may be interpreted as a user or
group ID.
o Upgrading from a version prior to 1.6.8:
Prior to sudo 1.6.8, if /var/run did not exist, sudo would put
- the timestamp files in /tmp/.odus. As of sudo 1.6.8, the
- timestamp files will be placed in /var/adm/sudo or /usr/adm/sudo
+ the time stamp files in /tmp/.odus. As of sudo 1.6.8, the
+ time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo
if there is no /var/run directory. This directory will be
created if it does not already exist.
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
(root) PASSWD:/bin/ls, /sbin/dump
- Additionally, sudo now uses a per-user timestamp directory
- instead of a timestamp file. This allows tty timestamps to
- simply be files within the user's timestamp dir. For the
- default, non-tty case, the timestamp on the directory itself
+ Additionally, sudo now uses a per-user time stamp directory
+ instead of a time stamp file. This allows tty time stamps to
+ simply be files within the user's time stamp dir. For the
+ default, non-tty case, the time stamp on the directory itself
is used.
Also, the temporary file used by visudo is now /etc/sudoers.tmp
interpreted. Defaults to "C".
timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
_\bs_\bu_\bd_\bo_\be_\br_\bs security policy
_\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
_\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
the time stamp directory is located in a world-writable directory