From: Todd C. Miller
Date: Tue, 15 Jan 2002 22:47:29 +0000 (+0000)
Subject: Add a configure option to turn off use of POSIX saved IDs
X-Git-Tag: SUDO_1_6_5~15
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f03942725327b742cf34bd80e0bade9d225effff;p=sudo

Add a configure option to turn off use of POSIX saved IDs
---
diff --git a/INSTALL b/INSTALL
index 802bf9a3b..42db5fdef 100644
--- a/INSTALL
+++ b/INSTALL
@@ -68,13 +68,16 @@ Configuration:
 --cache-file=FILE
 Cache test results in FILE
 
- --help
+ --config-cache, -C
+ Alias for `--cache-file=config.cache'
+
+ --help, -h
 Print the usage/help info
 
- --no-create
+ --no-create, -n
 Do not create output files
 
- --quiet, --silent
+ --quiet, --silent, -q
 Do not print `checking...' messages
 
 Directory and file names:
@@ -193,12 +196,20 @@ Special features/options:
 command line.
 
 --with-bsdauth
- Enable support for BSD authentication on BSD/OS. This option
- assumes --with-logincap as well. It is not possible to mix
- BSD authentication with other authentication methods (and there
- really should be no need to do so). Note that only the newer
- BSD authentication API is supported. If you don't have
- /usr/include/bsd_auth.h then you cannot use this.
+ Enable support for BSD authentication on BSD/OS and OpenBSD.
+ This option assumes --with-logincap as well. It is not
+ possible to mix BSD authentication with other authentication
+ methods (and there really should be no need to do so). Note
+ that only the newer BSD authentication API is supported.
+ If you don't have /usr/include/bsd_auth.h then you cannot
+ use this.
+
+ --disable-saved-ids
+ Disable use of POSIX saved IDs. Normally, sudo will try to
+ use POSIX saved IDs if they are supported. However, some
+ implementations are broken. If sudo aborts with an error like:
+ "seteuid(0): Operation not permitted"
+ you probably need to disable POSIX saved ID support.
 
 --disable-sia
 Disable SIA support. This is the "Security Integration Architecture"
@@ -583,12 +594,11 @@ Linux:
 the "#define HAVE_LSEARCH 1" line in config.h and add lsearch.o to the LIBOBJS line in the Makefile.
 
- It is not possible to access the sudoers file via NFS on Linux.
- This is due to a bug in the Linux client-side NFS implementation.
- It has been fixed in the developement kernel but, as of Aug 27,
- 1999, the fixes have not made it into the mainstream kernel.
- There is a workaround on the sudo ftp site, linux_nfs.patch,
- if you need to NFS-mount sudoers on Linux.
+ If you are using a Linux kernel older than 2.4 it is not possible
+ to access the sudoers file via NFS. This is due to a bug in
+ the Linux client-side NFS implementation that has since been
+ fixed. There is a workaround on the sudo ftp site, linux_nfs.patch,
+ if you need to NFS-mount sudoers on older Linux kernels.
 
 Mac OS X:
 It has been reported that for sudo to work on Mac OS X it must
diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING
index d39d8b47e..ca35ade57 100644
--- a/TROUBLESHOOTING
+++ b/TROUBLESHOOTING
@@ -17,6 +17,12 @@ A) Sudo must be setuid root to do its work. You need to do something like
 your $PATH before the directory containing sudo. If you are going to have '.' in your path you should make sure it is at the end.
 
+Q) Sudo compiles but when I run it I get "seteuid(0): Operation not permitted"
+ and sudo quits.
+A) The operating system you are running probably has broken support for
+ POSIX saved IDs. You should run configure with the "--disable-saved-ids"
+ option and rebuild sudo.
+
 Q) Sudo never gives me a chance to enter a password using PAM, it just says 'Sorry, try again.' three times and quits.
 A) You didn't setup PAM to work with sudo. On Linux this generally
diff --git a/config.h.in b/config.h.in
index 8d4749a66..9bc70c59d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -358,6 +358,9 @@
 /* Define if root should not be allowed to use sudo. */
 #undef NO_ROOT_SUDO
 
+/* Define to avoid using POSIX saved ids. */
+#undef NO_SAVED_IDS
+
 /* The default password prompt. */
 #undef PASSPROMPT
 
diff --git a/configure.in b/configure.in
index cfe3b9e03..7d73a70bd 100644
--- a/configure.in
+++ b/configure.in
@@ -964,6 +964,21 @@ AC_ARG_ENABLE(authentication,
 esac
 ], AC_MSG_RESULT(yes))
 
+AC_MSG_CHECKING(whether to disable use of POSIX saved ids)
+AC_ARG_ENABLE(saved-ids,
+[ --saved-ids Don't try to use POSIX saved ids],
+[ case "$enableval" in
+ yes) AC_MSG_RESULT(no)
+ ;;
+ no) AC_MSG_RESULT(yes)
+ AC_DEFINE(NO_SAVED_IDS, 1, [Define to avoid using POSIX saved ids.])
+ ;;
+ *) AC_MSG_RESULT(no)
+ echo "Ignoring unknown argument to --enable-saved-ids: $enableval"
+ ;;
+ esac
+], AC_MSG_RESULT(no))
+
 AC_MSG_CHECKING(whether to disable shadow password support)
 AC_ARG_ENABLE(shadow,
 [ --disable-shadow Never use shadow passwords],
diff --git a/set_perms.c b/set_perms.c
index d18c7147e..8520abc9e 100644
--- a/set_perms.c
+++ b/set_perms.c
@@ -75,7 +75,7 @@ static const char rcsid[] = "$Sudo$";
 static void runas_setup __P((void));
 static void fatal __P((char *));
 
-#if defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
+#if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
 /*
 * Set real and effective uids and gids based on perm.
 * Since we have POSIX saved IDs we can get away with just
@@ -140,7 +140,7 @@ set_perms_posix(perm, sudo_mode)
 break;
 }
 }
-#endif /* _SC_SAVED_IDS && _SC_VERSION */
+#endif /* !NO_SAVED_IDS && _SC_SAVED_IDS && _SC_VERSION */
 
 #ifdef HAVE_SETREUID
 /*
diff --git a/sudo.c b/sudo.c
index b4578cf36..87a76eb42 100644
--- a/sudo.c
+++ b/sudo.c
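Review bot: The help string on the new AC_ARG_ENABLE, `[ --saved-ids Don't try to use POSIX saved ids],`, advertises an option that configure does not accept; the switch is only reachable as `--disable-saved-ids` (or `--enable-saved-ids=no`), which is exactly what the INSTALL and TROUBLESHOOTING text in this same commit tells users to type, and the neighbouring entry at the bottom of the hunk already uses the `--disable-shadow` form. Change it to `[  --disable-saved-ids     Don't try to use POSIX saved ids],` so that `configure --help` agrees with the documentation. The unknown-argument echo naming `--enable-saved-ids` is fine as written.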
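Review bot: The guard `#if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)` is now spelled out in three places (here and in both sudo.c hunks of this commit) together with a hand-maintained `#endif` comment, and the next platform tweak will only be applied to some of them; at best that leaves set_perms_posix compiled but unreferenced, at worst an unresolved symbol at link time. I would evaluate the condition once in a header both files include (the includes are outside this hunk, so I cannot name it) with `#if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)` / `# define HAVE_POSIX_SAVED_IDS` / `#endif`, and have the three sites test `#ifdef HAVE_POSIX_SAVED_IDS`. set_perms_posix itself begins after this hunk and its closing braces are in the next one.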
@@ -260,7 +260,7 @@ main(argc, argv, envp)
 * set the real, effective and saved uids to 0 and use set_perms_fallback()
 * instead of set_perms_posix().
 */
-#if defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
+#if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
 if (!def_flag(I_STAY_SETUID) && set_perms == set_perms_posix) {
 if (setuid(0)) {
 perror("setuid(0)");
@@ -888,7 +888,7 @@ initial_setup()
 (void) sigaction(SIGCHLD, &sa, NULL);
 
 /* Set set_perms pointer to the correct function */
-#if defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
+#if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
 if (sysconf(_SC_SAVED_IDS) == 1 && sysconf(_SC_VERSION) >= 199009)
 set_perms = set_perms_posix;
 else
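Review bot: When NO_SAVED_IDS is defined the whole block around `setuid(0)` is compiled out, and that block is the only visible consumer of `def_flag(I_STAY_SETUID)`; if the flag is not read elsewhere (main() continues outside the hunk, so I cannot tell) a `--disable-saved-ids` build silently ignores the stay_setuid setting. Even if that is intended, the comment immediately above the `#if` still describes the setuid(0)/set_perms_fallback switch as if it always ran. I would add a line to that comment, something like `* Compiled out by --disable-saved-ids; set_perms then stays whatever initial_setup() picked.`, so the next reader does not look for the switch in a build where it does not exist.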
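Review bot: The runtime probe `sysconf(_SC_SAVED_IDS) == 1 && sysconf(_SC_VERSION) >= 199009` is still what selects set_perms_posix, and nothing in the code explains why a build-time NO_SAVED_IDS override now sits on top of it; the reason lives only in the INSTALL text of this commit (systems that pass the probe and then fail `seteuid(0)` with "Operation not permitted"). A comment next to the `#if` would keep that knowledge with the code: `/* NO_SAVED_IDS (configure --disable-saved-ids) skips this probe: some systems answer yes here but still reject seteuid(0). */`. The `else` on the last hunk line leads to the assignment for the non-POSIX case, which is outside the hunk, so I could not check what a disabled build ends up with.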