Merge sudo 1.9.15p2 from tip.

--HG-- branch : 1.9
sudo-project · Nov 9, 2023 · 22298e1 · 22298e1
2 parents 70e1e98 + 62895ea
commit 22298e1
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 35 deletions.
diff --git a/NEWS b/NEWS
@@ -1,3 +1,9 @@
+What's new in Sudo 1.9.15p2
+
+ * Fixed a bug on BSD systems where sudo would not restore the
+   terminal settings on exit if the terminal had parity enabled.
+   GitHub issue #326.
+
 What's new in Sudo 1.9.15p1
 
  * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based

diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72c for sudo 1.9.15p1.
+# Generated by GNU Autoconf 2.72c for sudo 1.9.15p2.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -614,8 +614,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.15p1'
-PACKAGE_STRING='sudo 1.9.15p1'
+PACKAGE_VERSION='1.9.15p2'
+PACKAGE_STRING='sudo 1.9.15p2'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1642,7 +1642,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures sudo 1.9.15p1 to adapt to many kinds of systems.
+'configure' configures sudo 1.9.15p2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1708,7 +1708,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.15p1:";;
+     short | recursive ) echo "Configuration of sudo 1.9.15p2:";;
    esac
   cat <<\_ACEOF
 
@@ -2003,7 +2003,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.15p1
+sudo configure 1.9.15p2
 generated by GNU Autoconf 2.72c
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2823,7 +2823,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.15p1, which was
+It was created by sudo $as_me 1.9.15p2, which was
 generated by GNU Autoconf 2.72c.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -36671,7 +36671,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.15p1, which was
+This file was extended by sudo $as_me 1.9.15p2, which was
 generated by GNU Autoconf 2.72c.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -36739,7 +36739,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-sudo config.status 1.9.15p1
+sudo config.status 1.9.15p2
 configured by $0, generated by GNU Autoconf 2.72c,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.69])
-AC_INIT([sudo], [1.9.15p1], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.15p2], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 AC_CONFIG_AUX_DIR([scripts])

diff --git a/lib/util/term.c b/lib/util/term.c
@@ -178,6 +178,8 @@ sudo_term_restore_v1(int fd, bool flush)
 	ret = true;
 	goto unlock;
     }
+#if !TCSASOFT
+    /* Only systems without TCSASOFT make changes to c_cflag. */
     if ((term.c_cflag & CONTROL_FLAGS) != (cur_term.c_cflag & CONTROL_FLAGS)) {
 	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: not restoring terminal, "
 	    "c_cflag changed; 0x%x, expected 0x%x", __func__,
@@ -186,6 +188,7 @@ sudo_term_restore_v1(int fd, bool flush)
 	ret = true;
 	goto unlock;
     }
+#endif
     if ((term.c_lflag & LOCAL_FLAGS) != (cur_term.c_lflag & LOCAL_FLAGS)) {
 	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: not restoring terminal, "
 	    "c_lflag changed; 0x%x, expected 0x%x", __func__,

diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
@@ -78,7 +78,6 @@ struct group_list {
 
 /*
  * Parse configuration settings.
- * Do not change the order without updating SUDOERS_PARSER_CONFIG_INITIALIZER.
  */
 struct sudoers_parser_config {
     const char *sudoers_path;
@@ -91,26 +90,30 @@ struct sudoers_parser_config {
     gid_t sudoers_gid;
 };
 #define SUDOERS_PARSER_CONFIG_INITIALIZER {				\
-    NULL,	/* sudoers_path */					\
-    false,	/* strict */						\
-    1,		/* verbose level 1 */					\
-    true,	/* recovery */						\
-    false,	/* ignore_perms */					\
-    SUDOERS_MODE,							\
-    SUDOERS_UID,							\
-    SUDOERS_GID								\
+    .sudoers_path = NULL,						\
+    .strict = false,							\
+    .verbose = 1,							\
+    .recovery = true,							\
+    .ignore_perms = false,						\
+    .sudoers_mode = SUDOERS_MODE,					\
+    .sudoers_uid = SUDOERS_UID,						\
+    .sudoers_gid = SUDOERS_GID						\
 }
 
 /*
  * Settings passed in from the sudo front-end.
- * Do not change the order without updating SUDOERS_CONTEXT_INITIALIZER.
  */
 struct sudoers_plugin_settings {
     const char *plugin_dir;
     const char *ldap_conf;
     const char *ldap_secret;
     unsigned int flags;
 };
+#define SUDOERS_PLUGIN_SETTINGS_INITIALIZER {				\
+    .plugin_dir = _PATH_SUDO_PLUGIN_DIR,				\
+    .ldap_conf = _PATH_LDAP_CONF,					\
+    .ldap_secret = _PATH_LDAP_SECRET					\
+}
 
 /*
  * Info pertaining to the invoking user.
@@ -183,11 +186,6 @@ struct sudoers_runas_context {
 #endif
 };
 
-#define SUDOERS_CONTEXT_INITIALIZER {					\
-    SUDOERS_PARSER_CONFIG_INITIALIZER,					\
-    { _PATH_SUDO_PLUGIN_DIR, _PATH_LDAP_CONF, _PATH_LDAP_SECRET }	\
-}
-
 /*
  * Global configuration for the sudoers module.
  */
@@ -205,6 +203,10 @@ struct sudoers_context {
     unsigned int mode;
     char uuid_str[37];
 };
+#define SUDOERS_CONTEXT_INITIALIZER {					\
+    SUDOERS_PARSER_CONFIG_INITIALIZER,					\
+    SUDOERS_PLUGIN_SETTINGS_INITIALIZER,				\
+}
 
 /*
  * sudo_get_gidlist() type values

diff --git a/scripts/mkpkg b/scripts/mkpkg
@@ -104,7 +104,7 @@ configure="${scriptdir}/../configure"
 osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
 : ${MAKE=make}
 
-if [ $build_packages = true -a $osversion = unknown ]; then
+if [ $build_packages = true -a "$osversion" = "unknown" ]; then
     echo "unable to determine platform" 1>&2
     exit 1
 fi

diff --git a/scripts/pp b/scripts/pp
@@ -1,6 +1,6 @@
 #!/bin/sh
 # Copyright 2023 One Identity LLC. ALL RIGHTS RESERVED
-pp_revision="20230127"
+pp_revision="20231108"
  # Copyright 2018 One Identity LLC.  ALL RIGHTS RESERVED.
  #
  # Redistribution and use in source and binary forms, with or without
@@ -794,6 +794,11 @@ pp_strip_binaries () {
     fi
 }
 
+pp_is_version_greater () {
+  smaller_version="$(echo -e "$1\n$2" | sort -V | head -1)"
+  test x"$smaller_version" = x"$1"
+}
+
 pp_if_true=0
 pp_if_false=0
 
@@ -1293,6 +1298,7 @@ pp_files_expand () {
     if test $# -gt 0; then
         _a=`eval echo \"$1\"`
 	case ",$_a," in *,volatile,*) _flags="${_flags}v";; esac
+	case ",$_a," in *,missingok,*) _flags="${_flags}m";; esac
 	case ",$_a," in *,optional,*) _optional=true;; esac
 	case ",$_a," in *,symlink,*) _has_target=true;; esac
 	case ",$_a," in *,ignore-others,*) _flags="${_flags}i";; esac
@@ -1948,6 +1954,10 @@ pp_backend_aix () {
                 cat $root_wrkdir/$pp_aix_bff_name.$ex.inventory
             fi >&2
 
+            for fileset in ${pp_aix_deprecated_filesets}; do
+                echo "$fileset"
+            done >$user_wrkdir/$pp_aix_bff_name.$ex.namelist
+
 	    if test x"" != x"${pp_aix_copyright:-$copyright}"; then
 	        echo "${pp_aix_copyright:-$copyright}" > $user_wrkdir/$pp_aix_bff_name.$ex.copyright
 	        echo "${pp_aix_copyright:-$copyright}" > $root_wrkdir/$pp_aix_bff_name.$ex.copyright
@@ -5702,7 +5712,10 @@ pp_rpm_writefiles () {
 	    test x"$farch" = x"noarch" || pp_add_to_list pp_rpm_arch_seen $farch
 	fi
 
-	case $f in *v*) _l="%config(noreplace) $_l";; esac
+	case $f in
+		*v*) _l="%config(noreplace) $_l";;
+		*m*) _l="%config(missingok) $_l";;
+	esac
 	echo "$_l"
     done
     echo
@@ -6321,7 +6334,7 @@ pp_rpm_service_group_make_init_script () {
     local script=/etc/init.d/$grp
     local out=$pp_destdir$script
 
-    pp_add_file_if_missing $script run 755 || return 0
+    pp_add_file_if_missing $script run 755 m || return 0
 
     cat <<-. >>$out
 	#!/bin/sh
@@ -6411,7 +6424,7 @@ pp_rpm_service_make_service_files () {
     local out=$pp_destdir$script
     local _process _cmd _rpmlevels
 
-    pp_add_file_if_missing $script run 755 || return 0
+    pp_add_file_if_missing $script run 755 m || return 0
 
     #-- start out as an empty shell script
     cat <<-'.' >$out
@@ -7954,8 +7967,8 @@ pp_backend_bsd_init () {
     pp_bsd_desc=
     pp_bsd_message=
 
-    # FreeBSD uses package.txz, DragonFly uses package.pkg.
-    if [ "$pp_bsd_os" = "DragonFly" ]; then
+    # Newer "pkg" (>=1.17.0) generates package.pkg, before that package.txz.
+    if pp_is_version_greater 1.17.0 "$(pkg --version)"; then
         pp_bsd_pkg_sfx=pkg
     else
         pp_bsd_pkg_sfx=txz
@@ -8982,17 +8995,29 @@ pp_systemd_service_install_common () {
                                 ;;
                         esac
                     fi
-                else
-                    RUNNING=1
+                fi
+
+                # If the service is not running according to its sysv script (eg. systemd service
+                # is not using a pidfile the sysv script needs), or its sysv script is not present any more,
+                # check how systemd thinks.
+                # We also try to restart the service in case something went wrong with it.
+                if $systemctl_cmd is-active "$svc" >/dev/null 2>&1 || $systemctl_cmd is-failed "$svc" >/dev/null 2>&1; then
+                        $systemctl_cmd stop "$svc" >/dev/null 2>&1
+                        RUNNING=0
                 fi
 
                 # Enable the $svc.service
                 $systemctl_cmd daemon-reload >/dev/null 2>&1
+
+                # We do not need the init.d script any more, and it causes problems on SLES
+                # where systemd sysv compatibility is enforced and broken on default installs
+                rm -f "/etc/init.d/$svc"
+
                 $systemctl_cmd enable $svc.service >/dev/null 2>&1
 
                 # Now that the service has been enabled, start it again if it was running before.
                 if [ $RUNNING -eq 0 ]; then
-                    /etc/init.d/$svc start > /dev/null 2>&1
+                    $systemctl_cmd start $svc.service >/dev/null 2>&1
                 fi
             fi
         }
@@ -9058,6 +9083,8 @@ pp_systemd_service_remove_common () {
                 _pp_systemd_init
             fi
 
+            $systemctl_cmd stop $svc.service > /dev/null 2>&1
+
             # Remove the systemd unit service file
             if [ "x$systemd_service_dir" != "x$systemd_system_unit_dir" ]; then
                 rm -f "$systemd_system_unit_dir/$svc.service"