CHANGES from sudo 1.2 (unofficial version)

01) sudo now works under hpux, aix, sunos, bsd43, ultrix, linux, osf and irix.

02) Files w/o the executable bit will be ignored if they are in your PATH.

03) If execv() fails, perror is called (which prints out an error based on errno) and sudo exits with -1.

04) Included in this shar should also be a version of getpass() derived from the bsd net-2 source which works on bsd, ultrix, hpux, aix, and irix at least. The latter three unixes have what i consider to be a broken getpass() in that if /dev/tty can't be opened it doesn't just use stdin like bsd getpass(). This means you cannot do:
        rsh host "sudo command"
    and have it work if your ticket has expired.

05) The Makefile has changed significantly. It now has defines for all supported architectures.

06) Changed MAXCOMMANDLENGTH from 48 bytes to MAXPATHLEN and included sys/param.h where appropriate.

07) Rewrote the code that expands links & paths. It now works correctly. (rewrote find_path.c)

08) Added a define NEED_STRDUP so we don't conflict with the system's strdup(3)

09) Now does *not* pass LD_* environmental vars on to programs that get exec'd. Also removes SHLIB_PATH for hpux and _RLD_* for dec osf.

10) Now searches current dir last if '.' or '' are in PATH. Misses braindeath like './' but if that's in your path you deserve all the trojans you get.

11) Added in linux patches from drew + flex support.

12) Added insults back in from original sudo(8) (define USE_INSULTS).

13) visudo now uses EDITOR envar (from John_Rouillard@dl5000.bc.edu)

14) you can now specify a dir containing commands that a sudoer can do. (from John_Rouillard@dl5000.bc.edu)

15) Ported to Solaris 2.x (based on a port of sudo 1.1 done by UnixOps).

16) Took out setuid(0); setruid(uid); pairs that bracketed calls to update_timestamp() since they are unnecessary and setruid() is broken on systems without a setreuid(2) or setresuid(2) system call. (Ie: AIX and Solaris 2.x).

17) The bulk of sudo now runs with the caller's real uid. Grep for be_root() to find the exceptions.

CHANGES from sudo 1.3

18) Added SECURE_PATH as suggested by russells@ccu1.auckland.ac.nz.

19) Reworked clean_envp() to modify environ (not envp) so we can use execvp() safely.

20) Now use execvp() instead of execve() so sudo /bin/kill works under broken solaris. This also fixed sudo /etc/fastboot under stock 4.3 BSD. Basically, this means that any executable shell script that lacks a '#!/bin/sh' magic number will now work with sudo. Personally I think that the broken scripts should be fixed rather than changing sudo, but vendors will be broken. Sigh.

21) Added USE_EXECV define so you can make sudo use execv() if you want. Using execvp() shouldn't be a problem since it is always handed a non-relative path that begins with '/' but some people may not trust execvp().

22) Log file lines will no longer get truncated. Syslog entries that would overrun the syslog(3) line limit are continued on another entry.

23) When logging to a log file, long entries are indented to improve readability.

24) Whenever the umask is changed, it is changed back to what it was before.

25) Log file is written as mode 600 instead of 644

26) Umask that sudo runs with may now be specified.

27) There is now a "configure" script.

28) Sudo will use ultra fast crypt (ufc) if it finds it for systems w/o a real crypt(3) (non-US ConvexOs/Secure for instance).

29) _BSD_COMPAT is now defined for Irix.

30) The global variable uid is now initialized to -2 because I'm paranoid.

31) Native Solaris 2 port from Matthew.Stier@aisg.com

32) Now use sysconf(2) instead of getdtablesize(2) if it is available (see change #31). Because of this the getdtablesize() emulation for hpux is no longer necessary.

33) Now only do a getcwd(3) or getwd(3) once and do it as the real user. Sudo should no longer complain that it can't get the cwd unless there is a real problem.

34) Changed some malloc'd globals of fixed length to be allocated from the stack instead as there was no win in allocating them from the heap.

35) Fixed AIX STATIC_FLAGS as per the AIX faq.

36) Added -V flag to sudo and visudo (for version)

37) Now treat EACCESS like EPERM when doing stat(2) in find_path.c

38) Added prototypes for sudo functions (via __P macro)

39) configure now uses uname(1) if it exists

40) gethostbyname(3) is now only called if you define FQDN. There's really no reason to not trust gethostname(2) and this way if name service is hosed sudo isn't...

41) added -v (validate) flag to sudo to update a timestamp w/o running a command

42) now use tgetpass() (getpass with a timeout)

43) find_path() now uses realpath(3)

44) wrote versions of realpath(3) and getcwd(3) for those without

45) wrote tgetpass()--a getpass() that times out via select(2)

46) sudo now uses posix signals if available

47) Finally added ConvexOS C2 security support from "Peter A. Nikitser, Systems Software Support, QUT"

48) You can now #undef MAILER if you don't run sendmail or the equivalent.

49) AFS support from adamh@austin.ibm.com

50) If you define BOTH_LOGS in sudo.h you can log both via syslog(3) *and* to a log file.

51) Added ultrix /etc/auth (enhanced security) support.

52) Sudo now will work with a 4.2BSD syslog (SunOS < 4 && ultrix). Personally, I'd say you are better off logging to a file if your syslog is this ancient.

53) Changed realpath(3) to sudo_realpath() since we need to do the chdir(2) with the invoking uid. sudo_realpath() should be faster than vendor-supplied realpath(3)'s anyway...

54) No longer create a static binary on AIX since it reportedly causes problem on newer versions on AIX 3.x.

55) If sudo_realpath cannot chdir() back to cwd sudo will print an error and exit. Previously it would either fail silently or print an incorrect error message.

56) Moved code to send error mail to be after the log message. From rouilj@cs.umb.edu.

57) Added SUDO_USER and SUDO_UID envars. Suggested by John P. Rouillard (.

62) All .{c,lex,yacc} files now include both sys/types.h and unistd.h so we are sure to get the typedef of uid_t.

CHANGES from sudo 1.3.1

63) Added preliminary support for DEC OSF/1 protected passwords (shadow passwords).

CHANGES from sudo 1.3.1pl1

64) More support for DEC OSF/1 protected passwords (shadow passwords).

CHANGES from sudo 1.3.1pl2

65) Fixed mail logging to include the username as it should have.

66) Added hostname to log message in error mail.

67) Added -l flag to sudo to list the allowed/forbidden commands. Suggested by matthew@gateway.bsis.com (Matthew Stier)

68) Fixed bison warnings for parse.yacc and visudo.yacc. Pointed out by alfie@dcs.warwick.ac.uk (Nick Holloway).

CHANGES from sudo 1.3.1pl3

69) Sudo will now exit with an error if the command to be run is > MAXPATHLEN.

70) Test in configure for termios support was insufficient. It thought Nextstep 3.2 had termios just because it has termios.h (need to link with -posix for termios on NeXT's)

CHANGES from sudo 1.3.1pl4

71) First stab at Skey support.

72) Sudo now sets IFS to be SPACE, TAB, NEWLINE.

73) Sudo now sets the real and effective gid to root's group (based on passwd file).

74) Sudo now checks that the sudoers file is owned by a certain user and not readable or writable by anyone else. (based on a suggestion by Joerg Schumacher)

75) Visudo now sets the owner on the new sudoers file based on #74

76) Sudo and visudo will now compile with byacc (Berkeley yacc).

77) If the rename(2) of stmp -> sudoers fails /bin/mv is executed before bailing. Based on code from Case Larsen.

78) User-level configuration is now done in options.h.

79) Moved all compatibility #defines to compat.h

80) Incorporated new parsing code from Chris Jepeway. This is much better than the previous parser.

81) Rewrote visudo.c and tickled parse.yacc to work with it.
    Visudo now gives you options if a parse error occurs rather than blindly dumping you back in the editor.

82) Took out all references to realpath since we are now checking based in inode and device (with Chris' new parser). The upshot of this is that path matches are done safely and the symlink problem has gone away.

83) Fixed bison warnings from new parse.yacc.

84) Added a default case to parse.lex to error on unmatched tokens as Chris suggested.

85) Converted configure.in and acsite.m4 to autoconf 2.1.

86) Added lsearch.c and search.h for os's w/o lsearch()/lfind().

87) Sudo now checks to see that the file it is executing is a regular file (was just checking the execute bit so dirs slipped through). Pointed out by Barb Dijker.

88) Fixed a problem on HP-UX trusted systems with getpwuid() returning "*" unless the real uid is 0. Reported by Brian Cunnie (cunnie@nyc.hp.com).

89) configure now checks for size_t and ssize_t in unistd.h as well as sys/types.h.

90) configure now checks for egrep before actually using it.

91) configure now checks for a working void implementation (ie: void * as a generic pointer) and sets VOID to void or char accordingly.

92) Added support for SunOS 4.x C2 security (shadow passwords) from Kendall Libby (fubar@shore.net)

93) Changed all occurrences of bzero() to memset() and bcopy() to memmove().

94) Fixed a bug in sudo.c. If a user has no passwd entry sudo would dump core (writing to a garbage pointer). Pointed out by Stephen Schaefer.

95) Worked around a bug in AIX's lex in parse.c. AIX lex doesn't seem to handle {x,y} range notation correctly. Bleah.

96) Sudo would not report a failed attempt if the user entered at the 2nd password: prompt so someone trying to guess a password could just invoke sudo multiple times and try one passwd at a time. Reported by Jonathan Adams.

97) Added User_Alias facility.

98) Rewrote most of the ip address / network support. Now works on all systems sudo has currently been tested on.

99) Sudo now sets SUDO_COMMAND and SUDO_GID envariables in addition to SUDO_USER and SUDO_UID.

100) Added changes to configure.in for UnixWare. (from John Warburton)

101) Merged in changes for Interactive Unix and RISCos. (from Andy Smith)

102) Added testsudoers (from Chris Jepeway).

103) Added fix for parse.yacc to avoid the kludge I was doing. (from Chris Jepeway)

104) Now remove the IFS envar if set instead of setting it to a "safe" value to avoid problems with make and others.

105) Added FAST_MATCH option to check basenames of sudo command and paths listed in sudoers file. If the basename doesn't match then it is not a match. If the basename matches, then do a stat to make sure it is a valid match.

106) Now only stat(2) cmnd once in path_matches() (in parse.c). Sudo was stating cmnd for *every* attempted match. Now the stat struct is cached (ie: the var is a static).

107) Signal handlers in visudo are now only installed after the stmp file is opened. Previously, it was possible to erase an open stmp file by sending visudo a signal within a small window.

108) Added Goon Show insults from Russell Street.

109) Broke out the insults into separate include files (insults.h is the master and includes the appropriate one).

110) Now use getwd() instead of getcwd() and provide emulation for OS's w/o it. This was done since some OS's with getwd() implement getcwd() via a pipe to pwd(1). By emulating getwd() by calling getcwd() on OS's w/o getwd() we lose nothing since the compiler should optimize away the extra function call.

111) Added crypt() for DEC OSF/1 3.x enhanced security. From "Richard L Jackson Jr".

112) Added an option to run the command in the background (-b) as suggested by Jonathan Adams

113) First stab at kerberos support. I'm not really sure it is possible to do this in a sane manner. Sigh.

114) Better kerberos support. Had to use setreuid(2) but falls back on a kludge if that does not exist or is broken.

115) Added -p (password prompt) support.
    Suggested by "David W. Cooley"

116) Added partial implementation of -l (list) flag. This is probably as good as it will get until sudo:tng.

117) Added anti-spoofing code to tighten up a race condition where a user could run sudo some_link and then change where the link pointed after the old link had been validated but before the exec().

118) Now update timestamp file via utime() (and emulate via utimes() if necessary) to eliminate a small race. Works with both POSIX utime() as well as old utime() in BSD <= 4.3.

119) Kerberos ticket file now lives in same dirs as sudo timestamp files (to avoid trouncing on normal ticket file) and is removed after validation.

120) Now log tty user is on as well as pwd in sudo logs.

CHANGES from sudo 1.3.2 BETA

121) Fixed a bug in the anti-spoofing check.

122) Fixed up ISC support so that it works and looks like non-streams stuff in interfaces.c.

123) Now deal correctly with ip implementations that have an sa_len field in struct sockaddr.

124) Check ownership and permissions on timestamp dir and ignore if not owned by root and mode 0700. Problem pointed out by Larry Auton and Navjot Singh.

125) Ignore timestamp files with preposterous dates to keep people from faking out sudo on OS's that allow you to give away files to root. Problem pointed out by Larry Auton and Navjot Singh.

126) A timeout of 0 will now cause a password to be entered every time. Based on a suggestion by Larry Auton and Navjot Singh.

CHANGES from sudo 1.3.3 BETA

127) Cleaned up interfaces.c so that it is more readable.

128) Added support for syslog()'s that don't guarantee delivery of a message. HP-UX is the only known offender.

129) No longer use memmove() since memcpy() does what we need and configure doesn't always catch memmove() even when it is there (may be a library problem).

130) Updated man page to reflect two more security issues.

131) Cleaned up shadow password support in check.c. It should now be readable.

132) Added SCO support.

133) Added check to configure to find the max length of a uid_t in characters.

134) Removed uid2str() since we now know how big a uid_t/gid_t can be. This eliminates a few malloc()'s.

135) Added support for multiple insult types. Based on code and a suggestion from Dieter Dworkin Muller.

136) Replaced clean_env() and rmenv() with a rewritten clean_env() that should be a little faster. This also makes it easier to add to the list of "dangerous" envariables.

137) Added netgroup support. Netgroups must start with a leading "+" so that sudo knows it is a netgroup.

138) Split out sudoers file format into its own man page. As suggested by Andy Smith.

139) Updated testsudoers.c to grok netgroups.

CHANGES from sudo 1.3.4 BETA

140) Added SecurID support from Giles Todd.

141) Added -s flag to start a root shell and -- to signify end of args.

142) Sped up logging routines by replacing strncpy()'s with strcat()'s. This is safe because we dynamically allocate logline to be big enough.

143) Now support command line arguments in the sudoers file.

144) Sped up the loading on command line arguments. This fixes the "commands with large argc's take forever to run" bug.

145) Expanded MAXCOMMANDLEN to 8K since we now have to deal with command line arguments. Added bounds checking in fill() and append() so we don't drop core. XXX - 8k makes sudo *SLOW*

146) Added support in the lexer for "termination characters" to be escaped. Ie: you can now use [\,:=] in command line args as long as you escape with a \.

147) Testsudoers can now deal with commands that have arguments.

148) If a file is not executable or not a regular file sudo will now give the appropriate error message instead of just "command not found" which is misleading.

149) Fixed a bug where if FQDN is set, load_interfaces() was never called.

150) tty is now a global so it can be used in the ticket file at a later date.

151) Strings in the parser are now allocated dynamically.
    This results in a large speedup as compared to a 1K array on the stack. I have freed the strings in the parser where appropriate but that may not catch all instances. Even so, the average sudo now takes up less memory than the 1K array version.

152) Fixed a bug in tgetpass() and configure that broke termio/termios support for some OS's.

153) Added cheapo implementation of tty-based timestamps. The correct way is to have username be a directory with the tty tickets inside. However, the current code does not take to that very well, and it does not allow the two systems to coexist. Therefore, instead of timestampdir/user/tty it is timestampdir/user.tty.

154) Added support for building in other than the source directory. Based on changes from "Simon J. Gerraty"

155) options.h and pathnames.h are now included via angle brackets (<>) so as to use the -I include path. This way, those using a shadow build tree may have local copies of these headers w/o clobbering the distribution ones.

156) EXEMPTGROUP is now a string (group name) and user_is_exempt() is now less of a hack. It uses getgrnam(EXEMPTGROUP) to get a list of users in the exempted group.

157) --prefix and --exe_prefix are now honored in the Makefile.

158) Sudo will now behave reasonably in the case where the sudoers file location is mounted via NFS and the client does not have "root" NFS privs.

159) _PATH_SUDO_SUDOERS, _PATH_SUDO_STMP, and SUDOERS_OWNER are now set via the Makefile since that appears to be what most people expect...

160) Now include a pre-generated version of parse.lex since so many versions of lex are brain damaged. If parse.lex is changed a new lex.yy.c will be generated. The distribution copy is sudo-lex.yy.c.

161) Upgraded to GNU autoconf version 1.5. There are now even *more* options.

CHANGES from sudo 1.3.5 BETA

162) Fixed S/Key support.

163) Cleaned up shadow password support further by moving much of it to getspwuid.c.

164) First cut at DCE support.
    [needs work to be functional]

165) New Digital UNIX C2 support based on code from "Randy M. Hayman"

166) S/key support now works with the generic bellcore s/key as well as the s/key from Wietse Venema's logdaemon. (Previously only worked with the logdaemon s/key). As an added bonus the s/key challenge is now embedded in the password prompt for a cleaner look.

167) lsearch.c will now compile on a strict ANSI C compiler. ANSI doesn't allow pointer arithmetic on a "void *" but gcc does.

168) Bought back latest HP-UX DCE support from Jeff Earickson.

169) configure now completely groks $SUDO_LIBS and $VISUDO_LIBS. Plain old $LIBS is no longer used. LDFLAGS has also been split up into $SUDO_LDFLAGS and $VISUDO_LDFLAGS. The reason for this is that sudo often needs extra libs for alternate authentication schemes but visudo rarely does.

170) The code to copy command arguments failed for large values of argc due to realloc() lossage. We now cheat and treat argv[] as a flat string (since that's what it is) and use pointer arithmetic to compute the length. Kind of sneaky but it works (and is relatively fast).

CHANGES from sudo 1.3.6 BETA

171) Added support for UN*X groups in sudoers based on code from Dougal Scott.

172) interfaces.c should work on ISC UN*X again.

173) All source files are <= 14 characters for old SYSV filesystems.

CHANGES from sudo 1.3.7 GAMMA

174) Minor configure[.in] fixes.

175) tgetpass.c now compiles on OS's that put the definition of fd_set in

CHANGES from sudo 1.4