From c2c15aa4e5b3381c6e9887beb0e7834c856accc2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 14 Jul 2010 14:57:32 -0400 Subject: [PATCH] Move time stamp files from /var/run/sudo to /var/{db,lib,adm}/sudo. --- aclocal.m4 | 29 +++++++++++------------------ configure | 48 ++++++++++++++---------------------------------- configure.in | 4 +--- doc/UPGRADE | 23 ++++++++++++++++------- doc/sudoers.cat | 6 +++--- 5 files changed, 45 insertions(+), 65 deletions(-) diff --git a/aclocal.m4 b/aclocal.m4 index e2f72b52a..ebb654cd5 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -101,27 +101,20 @@ fi ])dnl dnl -dnl Where the timestamp files go, use /var/run/sudo if /var/run exists, -dnl else /{var,usr}/adm/sudo +dnl Where the timestamp files go. dnl AC_DEFUN(SUDO_TIMEDIR, [AC_MSG_CHECKING(for timestamp file location) -if test -n "$with_timedir"; then - AC_MSG_RESULT($with_timedir) - SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$with_timedir") - timedir="$with_timedir" -elif test -d "/var/run"; then - AC_MSG_RESULT(/var/run/sudo) - SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/run/sudo") - timedir="/var/run/sudo" -elif test -d "/var/adm"; then - AC_MSG_RESULT(/var/adm/sudo) - SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/adm/sudo") - timedir="/var/adm/sudo" -else - AC_MSG_RESULT(/usr/adm/sudo) - SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/usr/adm/sudo") - timedir="/usr/adm/sudo" +timedir="$with_timedir" +if test -z "$timedir"; then + for d in /var/db /var/lib /var/adm /usr/adm; do + if test -d "$d"; then + timedir="$d/sudo" + break; + fi + done fi +AC_MSG_RESULT([$timedir]) +SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$timedir") ])dnl dnl diff --git a/configure b/configure index b059ccd37..ae92653d1 100755 --- a/configure +++ b/configure @@ -2788,7 +2788,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} # Begin initial values for man page substitution # io_logdir=/var/log/sudo-io -timedir=/var/run/sudo +timedir=/var/adm/sudo timeout=5 password_timeout=5 sudo_umask=0022 
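Review bot: When none of /var/db, /var/lib, /var/adm or /usr/adm exists, the new SUDO_TIMEDIR body in the aclocal.m4 hunk leaves `timedir` empty, so AC_MSG_RESULT prints nothing and `_PATH_SUDO_TIMEDIR` is defined as the empty string, whereas the removed code always ended in an `else` branch that picked /usr/adm/sudo. A last-resort default after the `done`, in the form configure.in already uses for other options, closes that gap: `: ${timedir='/var/adm/sudo'}` (or whichever of the four the project considers the fallback). The same loop appears verbatim in the generated configure hunk, so it needs regenerating once the macro is fixed. Unlike /var/run, every directory in the new search list survives a reboot, so the one-line `dnl Where the timestamp files go.` comment would be more useful as `dnl Where the timestamp files go.  These directories persist across reboots; sudo itself discards stamps older than the boot time where that can be determined.`, which matches what doc/UPGRADE in this patch says. The `break;` trailing semicolon is harmless in sh but the surrounding shell snippets do not use it; plain `break` reads cleaner.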
@@ -13332,8 +13332,6 @@ done CHECKSHADOW="false" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='yes'} - # Apple sudo timedir location - : ${with_timedir='/var/db/sudo'} ;; *-*-nextstep*) # lockf() on is broken on the NeXT -- use flock instead @@ -18029,39 +18027,21 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for timestamp file location" >&5 $as_echo_n "checking for timestamp file location... " >&6; } -if test -n "$with_timedir"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_timedir" >&5 -$as_echo "$with_timedir" >&6; } - cat >>confdefs.h <&5 -$as_echo "/var/run/sudo" >&6; } - cat >>confdefs.h <<\EOF -#define _PATH_SUDO_TIMEDIR "/var/run/sudo" -EOF - - timedir="/var/run/sudo" -elif test -d "/var/adm"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/adm/sudo" >&5 -$as_echo "/var/adm/sudo" >&6; } - cat >>confdefs.h <<\EOF -#define _PATH_SUDO_TIMEDIR "/var/adm/sudo" -EOF - - timedir="/var/adm/sudo" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/adm/sudo" >&5 -$as_echo "/usr/adm/sudo" >&6; } - cat >>confdefs.h <<\EOF -#define _PATH_SUDO_TIMEDIR "/usr/adm/sudo" +timedir="$with_timedir" +if test -z "$timedir"; then + for d in /var/db /var/lib /var/adm /usr/adm; do + if test -d "$d"; then + timedir="$d/sudo" + break; + fi + done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $timedir" >&5 +$as_echo "$timedir" >&6; } +cat >>confdefs.h <&5 diff --git a/configure.in b/configure.in index ac923668e..1db2d928c 100644 --- a/configure.in +++ b/configure.in @@ -101,7 +101,7 @@ AC_SUBST([editor]) # Begin initial values for man page substitution # io_logdir=/var/log/sudo-io -timedir=/var/run/sudo +timedir=/var/adm/sudo timeout=5 password_timeout=5 sudo_umask=0022 
@@ -1782,8 +1782,6 @@ case "$host" in CHECKSHADOW="false" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='yes'} - # Apple sudo timedir location - : ${with_timedir='/var/db/sudo'} ;; *-*-nextstep*) # lockf() on is broken on the NeXT -- use flock instead diff --git a/doc/UPGRADE b/doc/UPGRADE index 86e646f35..3e049d226 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE @@ -1,9 +1,18 @@ Notes on upgrading from an older release ======================================== +o Upgrading from a version prior to 1.7.4: + + Starting with sudo 1.7.4, the time stamp files have moved from + /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. + The directories are checked for existence in that order. This + prevents users from receiving the sudo lecture every time the + system reboots. Time stamp files older than the boot time are + ignored on systems where it is possible to determine this. + o Upgrading from a version prior to 1.7.0: - Starting with sudo 1.7.0 comments in the sudoers file must not + Starting with sudo 1.7.0, comments in the sudoers file must not have a digit or minus sign immediately after the comment character ('#'). Otherwise, the comment may be interpreted as a user or group ID. @@ -73,8 +82,8 @@ o Upgrading from a version prior to 1.6.9: o Upgrading from a version prior to 1.6.8: Prior to sudo 1.6.8, if /var/run did not exist, sudo would put - the timestamp files in /tmp/.odus. As of sudo 1.6.8, the - timestamp files will be placed in /var/adm/sudo or /usr/adm/sudo + the time stamp files in /tmp/.odus. As of sudo 1.6.8, the + time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo if there is no /var/run directory. This directory will be created if it does not already exist. 
@@ -117,10 +126,10 @@ o Upgrading from a version prior to 1.6: millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \ (root) PASSWD:/bin/ls, /sbin/dump - Additionally, sudo now uses a per-user timestamp directory - instead of a timestamp file. This allows tty timestamps to - simply be files within the user's timestamp dir. For the - default, non-tty case, the timestamp on the directory itself + Additionally, sudo now uses a per-user time stamp directory + instead of a time stamp file. This allows tty time stamps to + simply be files within the user's time stamp dir. For the + default, non-tty case, the time stamp on the directory itself is used. Also, the temporary file used by visudo is now /etc/sudoers.tmp diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 4e74211f8..8f70e6f5f 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1227,7 +1227,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) interpreted. Defaults to "C". timestampdir The directory in which ssuuddoo stores its timestamp files. - The default is _/_v_a_r_/_r_u_n_/_s_u_d_o. + The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. timestampowner The owner of the timestamp directory and the timestamps stored therein. The default is root. @@ -1476,7 +1476,7 @@ FFIILLEESS _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files - _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing time stamps for the + _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the _s_u_d_o_e_r_s security policy _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and 
@@ -1818,7 +1818,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSEECCUURRIITTYY NNOOTTEESS _s_u_d_o_e_r_s will check the ownership of its time stamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is + (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via _c_h_o_w_n(2), if the time stamp directory is located in a world-writable directory -- 2.40.0