From: Todd C. Miller Date: Wed, 17 Nov 2004 19:09:21 +0000 (+0000) Subject: sync X-Git-Tag: SUDO_1_7_0~807 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e71bf81ace09e083606fead2d256d35113330d6;p=sudo sync --- diff --git a/CHANGES b/CHANGES index 85a93af20..0847726c2 100644 --- a/CHANGES +++ b/CHANGES @@ -1742,35 +1742,49 @@ Sudo 1.6.8p2 released. 550) The CDPATH variable is now stripped from the environment passed to the program to be executed. +551) Fix temp file generation on systems where the _PATH_VARTMP macro + lacks a trailing slash. + Sudo 1.6.8p3 released. -551) New monitor functionality for systems with systrace(4). When tracing +552) The KRB5CCNAME environment variable is preserved during sudo + execution for password lookups that use GSSAPI. + +Sudo 1.6.8p4 released. + +553) New monitor functionality for systems with systrace(4). When tracing is enabled sudo will fork a daemon that traces the command and intercepts and execve() calls and allows/denies the call based on a sudoers lookup. Also updates the command's environment with the SUDO_* variables if supported by the version of systrace(4). -552) Added support for multiple sudoers file via #include. +554) Added support for multiple sudoers file via #include. -553) An empty sudoers file is no longer a parse error. +555) An empty sudoers file is no longer a parse error. -554) Fixed error handling if the lexer runs out of memory. +556) Fixed error handling if the lexer runs out of memory. -555) Optimized lexer slightly by removing use of unput() and removing +557) Optimized lexer slightly by removing use of unput() and removing some ambiguity with the Default keyword. -556) Wildcard matches on commands now use glob() and stat() so +558) Wildcard matches on commands now use glob() and stat() so that relative paths work correctly in conjunction with wildcards. -557) Rewritten parser that converts sudoers into a set of data structures. +559) Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. -558) Visudo will now warn about aliases that are defined but not used. +560) Visudo will now warn about aliases that are defined but not used. -559) "sudo -l" now takes an optional username which lets root see other +561) "sudo -l" now takes an optional username which lets root see other users' privs. -560) The "secure_path" run-time Defaults option has been restored. +562) The "secure_path" run-time Defaults option has been restored. + +563) Password and group data is now cached for fast lookup. -561) Password and group data is now cached for fast lookup. +564) Sudo will use the supplemental group vector if it is present + instead of doing string comparisons of the group members. This + is useful for systems with nsswitch.conf where group data can be in + either /etc/group or some other database (NIS, NIS+, LDAP, etc) + and getgrnam() only returns data from one source. diff --git a/TODO b/TODO index 2dda3e30c..68f86fbc4 100644 --- a/TODO +++ b/TODO @@ -39,104 +39,101 @@ TODO list (most will be addressed in sudo 2.0) 14) Add configure option to enable old behavior of visudo (O_EXCL)? --without-sudoers-lock? -15) Make 'sudo -l user' if run as root do a "sudo -l" output for the specified - user. +15) Use strtol() and strtoul(), not atoi() -16) Use strtol() and strtoul(), not atoi() +16) Look into %e, %p, %k in parse.lex -17) Look into %e, %p, %k in parse.lex +17) Make syslog stuff work on vanilla ultrix -18) Make syslog stuff work on vanilla ultrix +18) Implement date_format and log_format options. -19) Implement date_format and log_format options. +19) Add support for: Default:user@host -20) Add support for: Default:user@host +20) Make visudo rcs-aware -21) Make visudo rcs-aware - -22) Some people want to be able to specify a special password in sudoers +21) Some people want to be able to specify a special password in sudoers in addition or instead of the normal one. The best argument for this so far is to be able to use separate passwords for the target users that are not the passwd file ones. -23) Add support for trusted users. E.g. allow user to run a certain +22) Add support for trusted users. E.g. allow user to run a certain command regardless of what dir it is in if it is owned by the trusted user. -24) Add a flag similar to '-l' but that spits out sudo commands in +23) Add a flag similar to '-l' but that spits out sudo commands in a format suitable for cut & paste into sudoers. -25) Someone wants a recursive version of the dir specifier. Ie: +24) Someone wants a recursive version of the dir specifier. Ie: SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run. 25) An option to set the shell to the target user would make sense. See other target user-related issues above. -27) Add an option (-D) to dump the defaults after the sudoers file +26) Add an option (-D) to dump the defaults after the sudoers file has been parsed. Should only be available to root and should - allow a -u user modifier. + allow a -u user modifier. Maybe dump all of sudoers? -28) For sudo 1.7 wipe out the environment by default. +27) For sudo 1.7 wipe out the environment by default. -29) Allow /etc/sudoers to be a symlink but require the parent dir to +28) Allow /etc/sudoers to be a symlink but require the parent dir to be root-owned and not writable by anything else. Should really traverse the tree to the root doing this. -30) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) +29) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints) -31) Wildcard support for user and group names? (netgroup too?) +30) Wildcard support for user and group names? (netgroup too?) -32) If root_sudo is off, still allow sudo -u to non-root users? +31) If root_sudo is off, still allow sudo -u to non-root users? -33) Add configure option to id user based on euid not ruid? +32) Add configure option to id user based on euid not ruid? -34) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace +33) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace -35) Use proper links in .pod files +34) Use proper links in .pod files -36) Parse gids like %#0 +35) Parse gids like %#0 -37) For AIX, call getuserattr() to get resource limits and set them +36) For AIX, call getuserattr() to get resource limits and set them as appropriate, see: http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89 -38) Add an insult_path variable that is intialized to "builtin" but that +37) Add an insult_path variable that is intialized to "builtin" but that can point to other files containing an insult count as the first line and that have a constant record length (sparse files) for easy seeking. -39) Some way of using a new pty for the program run via sudo would prevent +38) Some way of using a new pty for the program run via sudo would prevent access to the caller's /dev/tty (but probably makes job control tricky). -40) Maybe have a database of checksums that commands are verified against. +39) Maybe have a database of checksums that commands are verified against. Basically replace the st_ino/st_dev check with a checksum lookup. -41) Look into testing writability of a file via sudoedit *before* doing +40) Look into testing writability of a file via sudoedit *before* doing the edit; e.g., try opening with O_APPEND. -42) Add Makefile.in bits to autogenerate Solaris and Irix packages +41) Add Makefile.in bits to autogenerate Solaris and Irix packages -43) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY +42) Add monitor support for Solaris using /proc/$$/ctl w/ PCSENTRY (use PRSABORT flag to indicate failure). -44) Add a session mode where sudo allocates a pty and logs everything +43) Add a session mode where sudo allocates a pty and logs everything that occurs ala script(1). -45) Use pam_open_session() and pam_close_session() (requires a persistent +44) Use pam_open_session() and pam_close_session() (requires a persistent sudo process to call pam_close_session()). Maybe add xauth support for the non-pam case? -46) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace? +45) Should "monitor" and MONITOR/NOMONITOR be disabled for non-systrace? -47) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit +46) Add substitution mechanism in sudoers to subst, e.g. editors for sudoedit -48) Move prototypes to extern.h +47) Move prototypes to extern.h -49) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK +48) Get rid of VALIDATE_NOT_OK and just set/clear VALIDATE_OK -50) visudo -c should also sanity check aliases +49) visudo -c should also sanity check aliases -51) Make testsudoers stat files? Needed to deal with glob() in parser. +50) Make testsudoers stat files? Needed to deal with glob() in parser. -52) Allow arguments to the -l flag so users can check to see if they can +51) Allow arguments to the -l flag so users can check to see if they can run specific commands.