Merge sudo 1.9.12 from tip.

--HG--
branch : 1.9

Author: millert

.github/workflows/codeql-analysis.yml

@@ -13,12 +13,12 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main ]
+    branches: [ "main" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main ]
+    branches: [ "main" ]
   schedule:
-    - cron: '19 3 * * 2'
+    - cron: '25 15 * * 0'
 
 jobs:
   analyze:
@@ -34,37 +34,39 @@ jobs:
       matrix:
         language: [ 'cpp', 'python' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+        
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
 
+        
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

INSTALL.md

@@ -30,13 +30,13 @@ for a list of packages required to build sudo.
 
 ## Simple sudo installation
 
-0. If you are upgrading from a previous version of sudo, read
+1. If you are upgrading from a previous version of sudo, read
    [docs/UPGRADE.md](docs/UPGRADE.md) before proceeding.
 
-1. Read the "OS dependent notes" section for any particular
+2. Read the "OS dependent notes" section for any particular
    "gotchas" relating to your operating system.
 
-2. `cd` to the source or build directory and type `./configure`
+3. `cd` to the source or build directory and type `./configure`
    to generate a Makefile and config.h file suitable for building
    sudo.  Before you actually run configure you should read the
    "Available configure options" section to see if there are
@@ -320,7 +320,7 @@ Defaults are listed in brackets after the description.
         Adds the specified library (or libraries) to SUDO_LIBS and
         and VISUDO_LIBS so sudo will link against them.  If the
         library doesn't start with "-l" or end in ".a" or ".o" a
-        "-l" will be pre-pended to it.  Multiple libraries may be
+        "-l" will be prepended to it.  Multiple libraries may be
         specified as long as they are space separated.
 
     --with-libtool=PATH

LICENSE.md

@@ -296,7 +296,7 @@ The file getentropy.c bears the following license:
 
 The embedded copy of zlib bears the following license:
 
-    Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
+    Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
 
     This software is provided 'as-is', without any express or implied
     warranty.  In no event will the authors be held liable for any damages
@@ -319,7 +319,7 @@ The embedded copy of zlib bears the following license:
 
 The embedded copy of protobuf-c bears the following license:
 
-    Copyright (c) 2008-2018, Dave Benson and the protobuf-c authors.
+    Copyright (c) 2008-2022, Dave Benson and the protobuf-c authors.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without

MANIFEST

@@ -220,6 +220,7 @@ lib/util/event_select.c
 lib/util/explicit_bzero.c
 lib/util/fatal.c
 lib/util/fchmodat.c
+lib/util/fchownat.c
 lib/util/fnmatch.c
 lib/util/freezero.c
 lib/util/fstatat.c
@@ -251,6 +252,8 @@ lib/util/mkdirat.c
 lib/util/mksiglist.c
 lib/util/mksigname.c
 lib/util/mktemp.c
+lib/util/mmap_alloc.c
+lib/util/multiarch.c
 lib/util/nanosleep.c
 lib/util/openat.c
 lib/util/parseln.c
@@ -278,6 +281,8 @@ lib/util/regress/glob/globtest.c
 lib/util/regress/glob/globtest.in
 lib/util/regress/harness.in
 lib/util/regress/mktemp/mktemp_test.c
+lib/util/regress/multiarch/multiarch_test.c
+lib/util/regress/open_parent_dir/open_parent_dir_test.c
 lib/util/regress/parse_gids/parse_gids_test.c
 lib/util/regress/progname/progname_test.c
 lib/util/regress/strsig/strsig_test.c
@@ -1018,6 +1023,8 @@ plugins/sudoers/regress/testsudoers/test17.out.ok
 plugins/sudoers/regress/testsudoers/test17.sh
 plugins/sudoers/regress/testsudoers/test18.out.ok
 plugins/sudoers/regress/testsudoers/test18.sh
+plugins/sudoers/regress/testsudoers/test19.out.ok
+plugins/sudoers/regress/testsudoers/test19.sh
 plugins/sudoers/regress/testsudoers/test2.inc
 plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
@@ -1196,6 +1203,7 @@ src/exec.c
 src/exec_common.c
 src/exec_intercept.c
 src/exec_intercept.h
+src/exec_iolog.c
 src/exec_monitor.c
 src/exec_nopty.c
 src/exec_preload.c

Makefile.in

@@ -58,10 +58,10 @@ python_version = @PYTHON_VERSION@
 
 SUBDIRS = lib/util @ZLIB_SRC@ lib/eventlog lib/fuzzstub lib/iolog \
 	  lib/protobuf-c @LOGSRV_SRC@ @LOGSRVD_SRC@ plugins/audit_json \
-	  plugins/group_file plugins/sample_approval plugins/sudoers \
-	  plugins/system_group @PYTHON_PLUGIN_SRC@ src include docs examples
+	  plugins/group_file plugins/sudoers plugins/system_group \
+	  @PYTHON_PLUGIN_SRC@ src include docs examples
 
-SAMPLES = plugins/sample
+SAMPLES = plugins/sample plugins/sample_approval
 
 VERSION = @PACKAGE_VERSION@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
@@ -70,6 +70,8 @@ LIBTOOL_DEPS = @LIBTOOL_DEPS@
 
 SHELL = @SHELL@
 
+EGREP = @EGREP@
+GREP = @GREP@
 SED = @SED@
 
 INSTALL = $(SHELL) $(scriptdir)/install-sh -c
@@ -105,19 +107,19 @@ PVS_IGNORE = 'V707,V011,V002,V536,V568'
 PVS_LOG_OPTS = -a 'GA:1,2' -e -t errorfile -d $(PVS_IGNORE)
 
 all: config.status
-	for d in $(SUBDIRS); do \
+	for d in $(SUBDIRS) $(SAMPLES); do \
 	    (cd $$d && exec $(MAKE) $@) && continue; \
 	    exit $$?; \
 	done
 
 check check-verbose check-fuzzer fuzz pre-install: config.status
-	for d in $(SUBDIRS); do \
+	for d in $(SUBDIRS) $(SAMPLES); do \
 	    (cd $$d && exec $(MAKE) $@) && continue; \
 	    exit $$?; \
 	done
 
 uncrustify.files: Makefile
-	grep '\.[ch]$$' $(top_srcdir)/MANIFEST | egrep -v '(/zlib/|/(arc4random|arc4random_uniform|chacha_private|charclass|fnmatch|getaddrinfo|getcwd|getdate|getentropy|getopt|getopt_long|glob|gram|inet_ntop|inet_pton|log_server.pb-c|mktemp|pw_dup|reallocarray|mktemp_test|protobuf-c|snprintf|stdbool|strlcat|strlcpy|sudo_queue|toke)\.[ch]$$)'  > uncrustify.files
+	$(GREP) '\.[ch]$$' $(top_srcdir)/MANIFEST | $(EGREP) -v '(/zlib/|/(arc4random|arc4random_uniform|chacha_private|charclass|fnmatch|getaddrinfo|getcwd|getdate|getentropy|getopt|getopt_long|glob|gram|inet_ntop|inet_pton|log_server.pb-c|mktemp|pw_dup|reallocarray|mktemp_test|protobuf-c|snprintf|stdbool|strlcat|strlcpy|sudo_queue|toke)\.[ch]$$)'  > uncrustify.files
 
 reformat: uncrustify.files
 	( cd $(top_srcdir) && uncrustify -c etc/uncrustify.cfg --replace --no-backup -F $(top_builddir)/uncrustify.files )
@@ -126,19 +128,19 @@ check-format: uncrustify.files
 	( cd $(top_srcdir) && uncrustify -c etc/uncrustify.cfg --check -F $(top_builddir)/uncrustify.files )
 
 spell:
-	( cd $(top_srcdir) && codespell -I etc/codespell.ignore -x etc/codespell.exclude `egrep -v -f etc/codespell.skip MANIFEST` )
+	( cd $(top_srcdir) && codespell -I etc/codespell.ignore -x etc/codespell.exclude `$(EGREP) -v -f etc/codespell.skip MANIFEST` )
 
 cppcheck: config.status
 	rval=0; \
-	for d in $(SUBDIRS); do \
+	for d in $(SUBDIRS) $(SAMPLES); do \
 	    echo checking $$d; \
 	    (cd $$d && exec $(MAKE) CPPCHECK_OPTS="$(CPPCHECK_OPTS)" $@) || rval=`expr $$rval + $$?`; \
 	done; \
 	exit $$rval
 
 splint: config.status
 	rval=0; \
-	for d in $(SUBDIRS); do \
+	for d in $(SUBDIRS) $(SAMPLES); do \
 	    echo splinting $$d; \
 	    (cd $$d && exec $(MAKE) SPLINT_OPTS="$(SPLINT_OPTS)" $@) || rval=`expr $$rval + $$?`; \
 	done; \
@@ -161,7 +163,7 @@ cov-analyze: cov-upload
 pvs-studio: config.status
 	files=; \
 	rval=0; \
-	for d in $(SUBDIRS); do \
+	for d in $(SUBDIRS) $(SAMPLES); do \
 	    (cd $$d && exec $(MAKE) PVS_IGNORE="$(PVS_IGNORE)" pvs-log-files) || rval=`expr $$rval + $$?`; \
 	    for f in $$d/*.plog; do \
 		if test "$$f" != "$$d/*.plog"; then \
@@ -234,7 +236,7 @@ depend: siglist.c signame.c
 
 ChangeLog:
 	if test -d $(srcdir)/.hg; then \
-	    if hg log -R $(srcdir) --style=changelog -r "sort(branch(.) or follow(), -date)" > $@.tmp; then \
+	    if hg log -R $(srcdir) --template=changelog -r "sort(branch(.) or follow(), -date)" > $@.tmp; then \
 		mv -f $@.tmp $(srcdir)/$@; \
 	    else \
 		rm -f $@.tmp; \
@@ -440,4 +442,4 @@ sandwich:
 	fi
 
 .PHONY: clean mostlyclean distclean cleandir clobber realclean ChangeLog \
-        me a sandwhich check-format reformat
+        me a sandwich check-format reformat

NEWS

@@ -1,3 +1,127 @@
+What's new in Sudo 1.9.12
+
+ * Fixed a bug in the ptrace-based intercept mode where the current
+   working directory could include garbage at the end.
+
+ * Fixed a compilation error on systems that lack the stdint.h
+   header.  Bug #1035
+
+ * Fixed a bug when logging the command's exit status in intercept
+   mode.  The wrong command could be logged with the exit status.
+
+ * For ptrace-based intercept mode, sudo will now attempt to
+   verify that the command path name, arguments and environment
+   have not changed from the time when they were authorized by the
+   security policy.  The new "intercept_verify" sudoers setting can
+   be used to control this behavior.
+
+ * Fixed running commands with a relative path (e.g. ./foo) in
+   intercept mode.  Previously, this would fail if sudo's current
+   working directory was different from that of the command.
+
+ * Sudo now supports passing the execve(2) system call the NULL
+   pointer for the `argv` and/or `envp` arguments when in intercept
+   mode.  Linux treats a NULL pointer like an empty array.
+
+ * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
+   sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.
+
+ * Fixed a problem with "sudo -i" on SELinux when the target user's
+   home directory is not searchable by sudo.  GitHub issue #160.
+
+ * Neovim has been added to the list of visudo editors that support
+   passing the line number on the command line.
+
+ * Fixed a bug in sudo's SHA384 and SHA512 message digest padding.
+
+ * Added a new "-N" (--no-update) command line option to sudo which
+   can be used to prevent sudo from updating the user's cached
+   credentials.  It is now possible to determine whether or not a
+   user's cached credentials are currently valid by running:
+
+	$ sudo -Nnv
+
+   and checking the exit value.  One use case for this is to indicate
+   in a shell prompt that sudo is "active" for the user.
+
+ * PAM approval modules are no longer invoked when running sub-commands
+   in intercept mode unless the "intercept_authenticate" option is set.
+   There is a substantial performance penalty for calling into PAM
+   for each command run.  PAM approval modules are still called for
+   the initial command.
+
+ * Intercept mode on Linux now uses process_vm_readv(2) and
+   process_vm_writev(2) if available.
+
+ * The XDG_CURRENT_DESKTOP environment variable is now preserved
+   by default.  This makes it possible for graphical applications
+   to choose the correct theme when run via sudo.
+
+ * On 64-bit systems, if sudo fails to load a sudoers group plugin,
+   it will use system-specific heuristics to try to locate a 64-bit
+   version of the plugin.
+
+ * The cvtsudoers manual now documents the JSON and CSV output
+   formats.  GitHub issue #172.
+
+ * Fixed a bug where sub-commands were not being logged to a remote
+   log server when log_subcmds was enabled.  GitHub issue #174.
+
+ * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
+   sudoers settings can be used to support more fine-grained I/O logging.
+   The sudo front-end no longer allocates a pseudo-terminal when running
+   a command if the I/O logging plugin requests logging of stdin, stdout,
+   or stderr but not terminal input/output.
+
+ * Quieted a libgcrypt run-time initialization warning.
+   This fixes Debian bug #1019428 and Ubuntu bug #1397663.
+
+ * Fixed a bug in visudo that caused literal backslashes to be removed
+   from the EDITOR environment variable.  GitHub issue #179.
+
+ * The sudo Python plugin now implements the "find_spec" method instead
+   of the the deprecated "find_module".  This fixes a test failure when
+   a newer version of setuptools that doesn't include "find_module" is
+   found on the system.
+
+ * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created
+   the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as
+   a directory instead of a plain file.  The same bug could result
+   in I/O log directories that end in six or more X's being created
+   literally in addition to the name being used as a template for
+   the mkdtemp(3) function.
+
+ * Fixed a long-standing bug where a sudoers rule with a command
+   line argument of "", which indicates the command may be run with
+   no arguments, would also match a literal "" on the command line.
+   GitHub issue #182.
+
+ * Added the -I option to visudo which only edits the main sudoers
+   file.  Include files are not edited unless a syntax error is found.
+
+ * Fixed "sudo -l -U otheruser" output when the runas list is empty.
+   Previously, sudo would list the invoking user instead of the
+   list user.  GitHub issue #183.
+
+ * Fixed the display of command tags and options in "sudo -l" output
+   when the RunAs user or group changes.  A new line is started for
+   RunAs changes which means we need to display the command tags
+   and options again.  GitHub issue #184.
+
+ * The sesh helper program now uses getopt_long(3) to parse the
+   command line options.
+
+ * The embedded copy of zlib has been updated to version 1.2.13.
+
+ * Fixed a bug that prevented event log data from being sent to the
+   log server when I/O logging was not enabled.  This only affected
+   systems without PAM or configurations where the pam_session and
+   pam_setcred options were disabled in the sudoers file.
+
+ * Fixed a bug where "sudo -l" output included a carriage return
+   after the newline.  This is only needed when displaying to a
+   terminal in raw mode.  Bug #1042.
+
 What's new in Sudo 1.9.11p3
 
  * Fixed "connection reset" errors on AIX when running shell scripts