Merge sudo 1.9.5 from tip

--HG--
branch : 1.9

MANIFEST

@@ -182,8 +182,10 @@ lib/util/nanosleep.c
 lib/util/openat.c
 lib/util/parseln.c
 lib/util/pipe2.c
+lib/util/pread.c
 lib/util/progname.c
 lib/util/pw_dup.c
+lib/util/pwrite.c
 lib/util/reallocarray.c
 lib/util/regress/fnmatch/fnm_test.c
 lib/util/regress/fnmatch/fnm_test.in
@@ -993,6 +995,7 @@ scripts/unanon
 src/Makefile.in
 src/conversation.c
 src/copy_file.c
+src/edit_open.c
 src/env_hooks.c
 src/exec.c
 src/exec_common.c
@@ -1017,6 +1020,7 @@ src/solaris.c
 src/sudo.c
 src/sudo.h
 src/sudo_edit.c
+src/sudo_edit.h
 src/sudo_exec.h
 src/sudo_noexec.c
 src/sudo_plugin_int.h

Makefile.in

@@ -94,7 +94,7 @@ XGETTEXT_OPTS = -F -k_ -kN_ -kU_ --copyright-holder="Todd C. Miller" \
 		--flag sudo_lbuf_append_quoted:3:c-format --foreign-user
 
 # Default cppcheck options when run from the top-level Makefile
-CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
+CPPCHECK_OPTS = -q --enable=warning,performance,portability --suppress=constStatement --suppress=compareBoolExpressionWithInt --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
 
 # Default splint options when run from the top-level Makefile
 SPLINT_OPTS = -D__restrict= -checks

NEWS

@@ -1,3 +1,66 @@
+What's new in Sudo 1.9.5
+
+ * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
+   unknown user.  This is related to but distinct from Bug #948.
+
+ * If the "lecture_file" setting is enabled in sudoers, it must now
+   refer to a regular file or a symbolic link to a regular file.
+
+ * Fixed a potential use-after-free bug in sudo_logsrvd when the
+   server shuts down if there are existing connections from clients
+   that are only logging events and not session I/O data.
+
+ * Fixed a buffer size mismatch when serializing the list of IP
+   addresses for configured network interfaces.  This bug is not
+   actually exploitable since the allocated buffer is large enough
+   to hold the list of addresses.
+
+ * If sudo is executed with a name other that "sudo" or "sudoedit",
+   it will now fall back to "sudo" as the program name.  This affects
+   warning, help and usage messages as well as the matching of Debug
+   lines in the /etc/sudo.conf file.  Previously, it was possible
+   for the invoking user to manipulate the program name by setting
+   argv[0] to an arbitrary value when executing sudo.
+
+ * Sudo now checks for failure when setting the close-on-exec flag
+   on open file descriptors.  This should never fail but, if it
+   were to, there is the possibility of a file descriptor leak to
+   a child process (such as the command sudo runs).
+
+ * Fixed CVE-2021-23239, a potential information leak in sudoedit
+   that could be used to test for the existence of directories not
+   normally accessible to the user in certain circumstances.  When
+   creating a new file, sudoedit checks to make sure the parent
+   directory of the new file exists before running the editor.
+   However, a race condition exists if the invoking user can replace
+   (or create) the parent directory.  If a symbolic link is created
+   in place of the parent directory, sudoedit will run the editor
+   as long as the target of the link exists.  If the target of the
+   link does not exist, an error message will be displayed.  The
+   race condition can be used to test for the existence of an
+   arbitrary directory.  However, it _cannot_ be used to write to
+   an arbitrary location.
+
+ * Fixed CVE-2021-23240, a flaw in the temporary file handling of
+   sudoedit's SELinux RBAC support.  On systems where SELinux is
+   enabled, a user with sudoedit permissions may be able to set the
+   owner of an arbitrary file to the user-ID of the target user.
+   On Linux kernels that support "protected symlinks", setting
+   /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
+   being exploited.  For more information see
+   https://www.sudo.ws/alerts/sudoedit_selinux.html.
+
+ * Added writability checks for sudoedit when SELinux RBAC is in use.
+   This makes sudoedit behavior consistent regardless of whether
+   or not SELinux RBAC is in use.  Previously, the "sudoedit_checkdir"
+   setting had no effect for RBAC entries.
+
+ * A new sudoers option "selinux" can be used to disable sudo's
+   SELinux RBAC support.
+
+ * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
+   Added suppression annotations for PVS Studio false positives.
+
 What's new in Sudo 1.9.4p2
 
  * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sudo 1.9.4p2.
+# Generated by GNU Autoconf 2.69 for sudo 1.9.5.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.4p2'
-PACKAGE_STRING='sudo 1.9.4p2'
+PACKAGE_VERSION='1.9.5'
+PACKAGE_STRING='sudo 1.9.5'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1584,7 +1584,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.9.4p2 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1650,7 +1650,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.4p2:";;
+     short | recursive ) echo "Configuration of sudo 1.9.5:";;
    esac
   cat <<\_ACEOF
 
@@ -1924,7 +1924,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.4p2
+sudo configure 1.9.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2633,7 +2633,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.4p2, which was
+It was created by sudo $as_me 1.9.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2928,8 +2928,6 @@ as_fn_append ac_header_list " sys/statvfs.h"
 as_fn_append ac_func_list " fexecve"
 as_fn_append ac_func_list " killpg"
 as_fn_append ac_func_list " nl_langinfo"
-as_fn_append ac_func_list " pread"
-as_fn_append ac_func_list " pwrite"
 as_fn_append ac_func_list " faccessat"
 as_fn_append ac_func_list " wordexp"
 as_fn_append ac_func_list " getauxval"
@@ -19437,10 +19435,6 @@ done
 
 
 
-
-
-
-
 case "$host_os" in
     hpux*)
 	if test X"$ac_cv_func_pread" = X"yes"; then
@@ -19466,6 +19460,58 @@ done
 	fi
 	;;
 esac
+for ac_func in pread
+do :
+  ac_fn_c_check_func "$LINENO" "pread" "ac_cv_func_pread"
+if test "x$ac_cv_func_pread" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PREAD 1
+_ACEOF
+
+else
+
+    case " $LIBOBJS " in
+  *" pread.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS pread.$ac_objext"
+ ;;
+esac
+
+
+    for _sym in sudo_pread; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
+
+fi
+done
+
+for ac_func in pwrite
+do :
+  ac_fn_c_check_func "$LINENO" "pwrite" "ac_cv_func_pwrite"
+if test "x$ac_cv_func_pwrite" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PWRITE 1
+_ACEOF
+
+else
+
+    case " $LIBOBJS " in
+  *" pwrite.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS pwrite.$ac_objext"
+ ;;
+esac
+
+
+    for _sym in sudo_pwrite; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
+
+fi
+done
+
 for ac_func in cfmakeraw
 do :
   ac_fn_c_check_func "$LINENO" "cfmakeraw" "ac_cv_func_cfmakeraw"
@@ -22884,17 +22930,26 @@ if test "x$ac_cv_func_getprogname" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_GETPROGNAME 1
 _ACEOF
- for ac_func in setprogname
+
+    for ac_func in setprogname
 do :
   ac_fn_c_check_func "$LINENO" "setprogname" "ac_cv_func_setprogname"
 if test "x$ac_cv_func_setprogname" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_SETPROGNAME 1
 _ACEOF
 
+else
+
+    for _sym in sudo_setprogname; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
 fi
 done
 
+
 else
 
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __progname" >&5
@@ -22936,6 +22991,12 @@ $as_echo "$sudo_cv___progname" >&6; }
     done
 
 
+    for _sym in sudo_setprogname; do
+	COMPAT_EXP="${COMPAT_EXP}${_sym}
+"
+    done
+
+
 fi
 done
 
@@ -28755,7 +28816,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.4p2, which was
+This file was extended by sudo $as_me 1.9.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28821,7 +28882,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.9.4p2
+sudo config.status 1.9.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -3,7 +3,7 @@ dnl Use the top-level autogen.sh script to generate configure and config.h.in
 dnl
 dnl SPDX-License-Identifier: ISC
 dnl
-dnl Copyright (c) 1994-1996, 1998-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+dnl Copyright (c) 1994-1996, 1998-2021 Todd C. Miller <Todd.Miller@sudo.ws>
 dnl
 dnl Permission to use, copy, modify, and distribute this software for any
 dnl purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.59])
-AC_INIT([sudo], [1.9.4p2], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.5], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 dnl
@@ -2641,7 +2641,7 @@ dnl
 dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
-AC_CHECK_FUNCS_ONCE([fexecve killpg nl_langinfo pread pwrite faccessat wordexp getauxval fseeko])
+AC_CHECK_FUNCS_ONCE([fexecve killpg nl_langinfo faccessat wordexp getauxval fseeko])
 case "$host_os" in
     hpux*)
 	if test X"$ac_cv_func_pread" = X"yes"; then
@@ -2654,6 +2654,14 @@ case "$host_os" in
 	fi
 	;;
 esac
+AC_CHECK_FUNCS([pread], [], [
+    AC_LIBOBJ(pread)
+    SUDO_APPEND_COMPAT_EXP(sudo_pread)
+])
+AC_CHECK_FUNCS([pwrite], [], [
+    AC_LIBOBJ(pwrite)
+    SUDO_APPEND_COMPAT_EXP(sudo_pwrite)
+])
 AC_CHECK_FUNCS([cfmakeraw], [], [
     AC_LIBOBJ(cfmakeraw)
     SUDO_APPEND_COMPAT_EXP(sudo_cfmakeraw)
@@ -3301,9 +3309,11 @@ esac
 LIBS="$OLIBS"
 
 dnl
-dnl Check for getprogname() or __progname
+dnl Check for getprogname()/setprogname() or __progname
 dnl
-AC_CHECK_FUNCS([getprogname], [AC_CHECK_FUNCS([setprogname])], [
+AC_CHECK_FUNCS([getprogname], [
+    AC_CHECK_FUNCS([setprogname], [], [SUDO_APPEND_COMPAT_EXP(sudo_setprogname)])
+], [
     AC_MSG_CHECKING([for __progname])
     AC_CACHE_VAL(sudo_cv___progname, [
     AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[extern char *__progname; if (__progname[0] == '\0') return 1;]])], [sudo_cv___progname=yes], [sudo_cv___progname=no])])
@@ -3312,6 +3322,7 @@ AC_CHECK_FUNCS([getprogname], [AC_CHECK_FUNCS([setprogname])], [
     fi
     AC_MSG_RESULT($sudo_cv___progname)
     SUDO_APPEND_COMPAT_EXP(sudo_getprogname)
+    SUDO_APPEND_COMPAT_EXP(sudo_setprogname)
 ])
 dnl
 dnl Check for __func__ or __FUNCTION__

doc/LICENSE

@@ -1,6 +1,6 @@
 Sudo is distributed under the following license:
 
-   Copyright (c) 1994-1996, 1998-2020
+   Copyright (c) 1994-1996, 1998-2021
         Todd C. Miller <Todd.Miller@sudo.ws>
 
    Permission to use, copy, modify, and distribute this software for any