From: Todd C. Miller Date: Wed, 6 Feb 2013 19:06:51 +0000 (-0500) Subject: Sudo now stores its libexec files in a "sudo" subdirectory instead X-Git-Tag: SUDO_1_8_7~1^2~245 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6b09c76a20a77655a4bb4c2597570729803b5f10;p=sudo Sudo now stores its libexec files in a "sudo" subdirectory instead of in libexec itself. For backwards compatibility, if the plugin is not found in the default plugin directory, sudo will check the parent directory default directory ends in "/sudo". --- diff --git a/configure b/configure index 3a84d37b3..caf0c8723 100755 --- a/configure +++ b/configure @@ -2960,10 +2960,10 @@ path_info=on ldap_conf=/etc/ldap.conf ldap_secret=/etc/ldap.secret netsvc_conf=/etc/netsvc.conf -noexec_file=/usr/local/libexec/sudo_noexec.so +noexec_file=/usr/local/libexec/sudo/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" -PLUGINDIR=/usr/local/libexec +PLUGINDIR=/usr/local/libexec/sudo # # End initial values for man page substitution # @@ -3011,6 +3011,19 @@ RTLD_PRELOAD_DEFAULT= +# +# Prior to sudo 1.8.7, sudo stored libexec files in $libexecdir. +# Starting with sudo 1.8.7, $libexecdir/sudo is used so strip +# off an extraneous "/sudo" from libexecdir. +# +case "$libexecdir" in + */sudo) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libexecdir should not include the \"sudo\" subdirectory" >&5 +$as_echo "$as_me: WARNING: libexecdir should not include the \"sudo\" subdirectory" >&2;} + libexecdir=`expr "$libexecdir" : '\\(.*\\)/sudo$'` + ;; +esac + # Check whether --with-otp-only was given. @@ -5258,7 +5271,7 @@ if test "${with_plugindir+set}" = set; then : *) ;; esac else - with_plugindir="$libexecdir" + with_plugindir="$libexecdir/sudo" fi 
@@ -13659,13 +13672,13 @@ $as_echo_n "checking path to sudo_noexec.so... " >&6; } # Check whether --with-noexec was given. if test "${with_noexec+set}" = set; then : withval=$with_noexec; case $with_noexec in - yes) with_noexec="$libexecdir/sudo_noexec$_shrext" + yes) with_noexec="$libexecdir/sudo/sudo_noexec$_shrext" ;; no) ;; *) ;; esac else - with_noexec="$libexecdir/sudo_noexec$_shrext" + with_noexec="$libexecdir/sudo/sudo_noexec$_shrext" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_noexec" >&5 @@ -21150,7 +21163,7 @@ EOF fi if test X"$with_selinux" != X"no"; then - sesh_file="$libexecdir/sesh" + sesh_file="$libexecdir/sudo/sesh" _sesh_file= while test X"$sesh_file" != X"$_sesh_file"; do _sesh_file="$sesh_file" diff --git a/configure.in b/configure.in index dbb1ede1f..83bb5d643 100644 --- a/configure.in +++ b/configure.in @@ -157,10 +157,10 @@ path_info=on ldap_conf=/etc/ldap.conf ldap_secret=/etc/ldap.secret netsvc_conf=/etc/netsvc.conf -noexec_file=/usr/local/libexec/sudo_noexec.so +noexec_file=/usr/local/libexec/sudo/sudo_noexec.so nsswitch_conf=/etc/nsswitch.conf secure_path="not set" -PLUGINDIR=/usr/local/libexec +PLUGINDIR=/usr/local/libexec/sudo # # End initial values for man page substitution # @@ -221,6 +221,18 @@ dnl libc replacement functions live in compat dnl AC_CONFIG_LIBOBJ_DIR(compat) +# +# Prior to sudo 1.8.7, sudo stored libexec files in $libexecdir. +# Starting with sudo 1.8.7, $libexecdir/sudo is used so strip +# off an extraneous "/sudo" from libexecdir. +# +case "$libexecdir" in + */sudo) + AC_MSG_WARN([libexecdir should not include the "sudo" subdirectory]) + libexecdir=`expr "$libexecdir" : '\\(.*\\)/sudo$'` + ;; +esac + dnl dnl Deprecated --with options (these all warn or generate an error) dnl 
@@ -1138,7 +1150,7 @@ AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to loa no) AC_MSG_ERROR(["illegal argument: --without-plugindir."]) ;; *) ;; -esac], [with_plugindir="$libexecdir"]) +esac], [with_plugindir="$libexecdir/sudo"]) AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])], [case $with_man in @@ -1477,11 +1489,11 @@ fi AC_MSG_CHECKING(path to sudo_noexec.so) AC_ARG_WITH(noexec, [AS_HELP_STRING([--with-noexec[=PATH]], [fully qualified pathname of sudo_noexec.so])], [case $with_noexec in - yes) with_noexec="$libexecdir/sudo_noexec$_shrext" + yes) with_noexec="$libexecdir/sudo/sudo_noexec$_shrext" ;; no) ;; *) ;; -esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"]) +esac], [with_noexec="$libexecdir/sudo/sudo_noexec$_shrext"]) AC_MSG_RESULT($with_noexec) NOEXECFILE="sudo_noexec$_shrext" NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([[^}]]*\)}:$(\1):' -e 's:^\(.*\)/[[^/]]*:\1:'`" @@ -3566,7 +3578,7 @@ if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then SUDO_DEFINE_UNQUOTED(_PATH_SUDO_NOEXEC, "$noexec_file", [The fully qualified pathname of sudo_noexec.so]) fi if test X"$with_selinux" != X"no"; then - sesh_file="$libexecdir/sesh" + sesh_file="$libexecdir/sudo/sesh" _sesh_file= while test X"$sesh_file" != X"$_sesh_file"; do _sesh_file="$sesh_file" diff --git a/doc/UPGRADE b/doc/UPGRADE index 8c83aafe3..597cd7012 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE @@ -1,6 +1,13 @@ Notes on upgrading from an older release ======================================== +o Upgrading from a version prior to 1.8.7: + + Sudo now stores its libexec files in a "sudo" subdirectory + instead of in libexec itself. For backwards compatibility, if + the plugin is not found in the default plugin directory, sudo + will check the parent directory default directory ends in "/sudo". + o Upgrading from a version prior to 1.8.2: When matching Unix groups in the sudoers file, sudo will now 
diff --git a/mkpkg b/mkpkg index df05fe9e9..7c47d249a 100755 --- a/mkpkg +++ b/mkpkg @@ -147,7 +147,7 @@ case "$osversion" in # Note, must indent with tabs, not spaces due to IFS trickery # XXX - SuSE uses secure path but only for env_reset configure_opts="--prefix=/usr - --libexecdir=/usr/$libexec/sudo + --libexecdir=/usr/$libexec --with-logging=syslog --with-logfac=auth --with-all-insults @@ -197,7 +197,7 @@ case "$osversion" in --disable-setresuid --with-sendmail=/usr/sbin/sendmail --mandir=/usr/share/man - --libexecdir=/usr/lib/sudo + --libexecdir=/usr/lib --with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin $configure_opts" ;; diff --git a/src/Makefile.in b/src/Makefile.in index 261afd937..93fe043dc 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -122,13 +122,13 @@ install: install-binaries @INSTALL_NOEXEC@ install-dirs: $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(bindir) \ - $(DESTDIR)$(noexecdir) + $(DESTDIR)$(libexecdir)/sudo $(DESTDIR)$(noexecdir) install-binaries: install-dirs $(PROGS) $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 04755 sudo $(DESTDIR)$(bindir)/sudo rm -f $(DESTDIR)$(bindir)/sudoedit ln -s sudo $(DESTDIR)$(bindir)/sudoedit - if [ -f sesh ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0755 sesh $(DESTDIR)$(libexecdir)/sesh; fi + if [ -f sesh ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0755 sesh $(DESTDIR)$(libexecdir)/sudo/sesh; fi install-doc: @@ -143,7 +143,7 @@ install-plugin: uninstall: -rm -f $(DESTDIR)$(bindir)/sudo $(DESTDIR)$(bindir)/sudoedit \ - $(DESTDIR)$(libexecdir)/sesh \ + $(DESTDIR)$(libexecdir)/sudo/sesh \ $(DESTDIR)$(noexecdir)/$(noexecfile) check: diff --git a/src/load_plugins.c b/src/load_plugins.c index fbf5e3207..23f5b3670 100644 --- a/src/load_plugins.c +++ b/src/load_plugins.c 
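Review bot: In src/Makefile.in's `install-dirs` rule, the new `$(DESTDIR)$(libexecdir)/sudo` directory is created by mkinstalldirs with no mode or owner given, while the `sesh` install a few lines below passes `-O`, `-G` and `-M` explicitly. This directory now holds the files that the `04755` sudo binary loads, so its permissions presumably should not depend on the installer's umask. The sudo.pp hunk in this commit pins it to `0755` for packages, but a plain `make install` gets no such guarantee from the visible lines. One option is an explicit `chmod 0755 $(DESTDIR)$(libexecdir)/sudo` after the mkinstalldirs call, with a comment such as `# plugin directory: must not be group/world writable`.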
@@ -66,6 +66,7 @@ sudo_load_plugin(struct plugin_container *policy_plugin, void *handle; char path[PATH_MAX]; bool rval = false; + int status; debug_decl(sudo_load_plugin, SUDO_DEBUG_PLUGIN) if (info->path[0] == '/') { @@ -75,6 +76,7 @@ sudo_load_plugin(struct plugin_container *policy_plugin, warningx(_("%s: %s"), info->path, strerror(ENAMETOOLONG)); goto done; } + status = stat(path, &sb); } else { if (snprintf(path, sizeof(path), "%s%s", _PATH_SUDO_PLUGIN_DIR, info->path) >= sizeof(path)) { @@ -84,11 +86,22 @@ sudo_load_plugin(struct plugin_container *policy_plugin, strerror(ENAMETOOLONG)); goto done; } + /* Try parent dir for compatibility with old plugindir default. */ + if ((status = stat(path, &sb)) != 0) { + char *cp = strrchr(path, '/'); + if (cp > path + 4 && cp[-5] == '/' && cp[-4] == 's' && + cp[-3] == 'u' && cp[-2] == 'd' && cp[-1] == 'o') { + int serrno = errno; + strlcpy(cp - 4, info->path, sizeof(path) - (cp - 4 - path)); + if ((status = stat(path, &sb)) != 0) + errno = serrno; + } + } } - if (stat(path, &sb) != 0) { + if (status != 0) { warningx(_("error in %s, line %d while loading plugin `%s'"), _PATH_SUDO_CONF, info->lineno, info->symbol_name); - warning("%s", path); + warning("%s%s", _PATH_SUDO_PLUGIN_DIR, info->path); goto done; } if (sb.st_uid != ROOT_UID) { diff --git a/sudo.pp b/sudo.pp index 50307e983..fd5168395 100644 --- a/sudo.pp +++ b/sudo.pp @@ -262,7 +262,9 @@ still allow people to get their work done." $sbindir/visudo 0755 $bindir/sudoreplay 0755 $includedir/sudo_plugin.h 0644 - $libexecdir/* $shlib_mode optional + $libexecdir/sudo/ 0755 + $libexecdir/sudo/sesh 0755 optional,ignore-others + $libexecdir/sudo/* $shlib_mode optional $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid $timedir/ 0700 root: $docdir/ 0755
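Review bot: In the `@@ -84,11 +86,22 @@` hunk of src/load_plugins.c, the rewritten `warning("%s%s", _PATH_SUDO_PLUGIN_DIR, info->path)` is reached from both branches. When `info->path` is fully qualified and `stat()` fails, the message therefore prints the plugin directory glued onto an absolute path that was never tried. Choosing the prefix by branch keeps the diagnostic accurate: `warning("%s%s", info->path[0] == '/' ? "" : _PATH_SUDO_PLUGIN_DIR, info->path);`. Separately, the fallback matches on the text before the last `/` found by `strrchr`, so it also applies to an explicitly configured `--with-plugindir` that ends in `/sudo`, not only to the old default; a comment such as `/* Applies to any plugin dir ending in "/sudo"; its parent then becomes a plugin load location too. */` would make that widening explicit. The `sb.st_uid != ROOT_UID` check still runs on whichever file was found, but the rest of sudo_load_plugin's validation lies outside the hunk.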