This patch will upgrade Sudo version 1.6.8 patchlevel 6 to version 1.6.8 patchlevel 7. To apply: $ cd sudo-1.6.8p6 $ patch -p1 < sudo-1.6.8p7.patch diff -ura sudo-1.6.8p6/CHANGES sudo-1.6.8p7/CHANGES --- sudo-1.6.8p6/CHANGES Sat Jan 1 16:00:18 2005 +++ sudo-1.6.8p7/CHANGES Sun Feb 6 08:37:44 2005 @@ -1770,3 +1770,11 @@ 558) Define LDAP_OPT_SUCCESS for those without it. Sudo 1.6.8p6 released. + +559) Warn if the user tries to use the -u option when not running a command. + +560) Better PAM error handling and messages. + +561) Fixed setting of $USER when env_reset is enabled. + +Sudo 1.6.8p7 released. diff -ura sudo-1.6.8p6/LICENSE sudo-1.6.8p7/LICENSE --- sudo-1.6.8p6/LICENSE Thu Jun 10 21:11:27 2004 +++ sudo-1.6.8p7/LICENSE Sat Feb 5 14:30:40 2005 @@ -1,6 +1,6 @@ Sudo is distributed under the following ISC-style license: - Copyright (c) 1994-1996,1998-2004 Todd C. Miller + Copyright (c) 1994-1996,1998-2005 Todd C. Miller Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above diff -ura sudo-1.6.8p6/Makefile.in sudo-1.6.8p7/Makefile.in --- sudo-1.6.8p6/Makefile.in Sat Jan 1 16:10:36 2005 +++ sudo-1.6.8p7/Makefile.in Mon Jan 31 11:53:12 2005 @@ -130,7 +130,7 @@ LIBOBJS = @LIBOBJS@ @ALLOCA@ -VERSION = 1.6.8p6 +VERSION = 1.6.8p7 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in PORTING README README.LDAP RUNSON TODO \ diff -ura sudo-1.6.8p6/TROUBLESHOOTING sudo-1.6.8p7/TROUBLESHOOTING --- sudo-1.6.8p6/TROUBLESHOOTING Mon May 17 16:21:15 2004 +++ sudo-1.6.8p7/TROUBLESHOOTING Sat Feb 5 11:13:56 2005 @@ -25,9 +25,19 @@ option and rebuild sudo. Q) Sudo never gives me a chance to enter a password using PAM, it just - says 'Sorry, try again.' three times and quits. -A) You didn't setup PAM to work with sudo. On Linux this generally - means installing sample.pam as /etc/pam.d/sudo. + says 'Sorry, try again.' three times and exits. +A) You didn't setup PAM to work with sudo. On Redhat Linux or Fedora + Core this generally means installing sample.pam as /etc/pam.d/sudo. + See the sample.pam file for hints on what to use for other Linux + systems. + +Q) Sudo says 'Account expired or PAM config lacks an "account" + section for sudo, contact your system administrator' and exits + but I know my account has not expired. +A) Your PAM config lacks an "account" specification. On Linux this + usually means you are missing a line like: + account required pam_unix.so + in /etc/pam.d/sudo. Q) Sudo is setup to log via syslog(3) but I'm not getting any log messages. diff -ura sudo-1.6.8p6/auth/pam.c sudo-1.6.8p7/auth/pam.c --- sudo-1.6.8p6/auth/pam.c Mon Jun 28 08:51:50 2004 +++ sudo-1.6.8p7/auth/pam.c Sat Feb 5 11:03:15 2005 @@ -91,8 +91,7 @@ pam_conv.conv = sudo_conv; pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); if (pam_status != PAM_SUCCESS) { - log_error(USE_ERRNO|NO_EXIT|NO_MAIL, - "unable to initialize PAM"); + log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); return(AUTH_FATAL); } if (strcmp(user_tty, "unknown")) @@ -125,25 +124,30 @@ *pam_status); return(AUTH_FAILURE); case PAM_NEW_AUTHTOK_REQD: - log_error(NO_EXIT|NO_MAIL, "%s, %s" + log_error(NO_EXIT|NO_MAIL, "%s, %s", "Account or password is expired", "reset your password and try again"); - *pam_status = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + *pam_status = pam_chauthtok(pamh, + PAM_CHANGE_EXPIRED_AUTHTOK); if (*pam_status == PAM_SUCCESS) return(AUTH_SUCCESS); if ((s = pam_strerror(pamh, *pam_status))) - log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s",s); + log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s", s); return(AUTH_FAILURE); + case PAM_AUTHTOK_EXPIRED: + log_error(NO_EXIT|NO_MAIL, + "Password expired, contact your system administrator"); + return(AUTH_FATAL); case PAM_ACCT_EXPIRED: - log_error(NO_EXIT|NO_MAIL, "%s, %s" - "Account or password is expired", - "contact your system administrator"); - /* FALLTHROUGH */ - default: - return(AUTH_FAILURE); + log_error(NO_EXIT|NO_MAIL, "%s %s", + "Account expired or PAM config lacks an \"account\"", + "section for sudo, contact your system administrator"); + return(AUTH_FATAL); } + /* FALLTHROUGH */ case PAM_AUTH_ERR: case PAM_MAXTRIES: + case PAM_PERM_DENIED: return(AUTH_FAILURE); default: if ((s = pam_strerror(pamh, *pam_status))) diff -ura sudo-1.6.8p6/env.c sudo-1.6.8p7/env.c --- sudo-1.6.8p6/env.c Thu Dec 2 09:17:03 2004 +++ sudo-1.6.8p7/env.c Sun Feb 6 08:37:01 2005 @@ -69,7 +69,7 @@ #undef DID_LOGNAME #define DID_LOGNAME 0x10 #undef DID_USER -#define DID_USER 0x12 +#define DID_USER 0x20 #undef VNULL #define VNULL (VOID *)NULL diff -ura sudo-1.6.8p6/sudo.c sudo-1.6.8p7/sudo.c --- sudo-1.6.8p6/sudo.c Tue Aug 24 12:01:13 2004 +++ sudo-1.6.8p7/sudo.c Mon Jan 31 11:52:40 2005 @@ -837,6 +837,12 @@ NewArgv++; } + if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) { + if (excl != '\0') + warnx("the `-u' and '-%c' options may not be used together", excl); + usage(1); + } + if ((NewArgc == 0 && (rval & MODE_EDIT)) || (NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT)))) usage(1); diff -ura sudo-1.6.8p6/sudo.cat sudo-1.6.8p7/sudo.cat --- sudo-1.6.8p6/sudo.cat Thu Nov 25 10:35:55 2004 +++ sudo-1.6.8p7/sudo.cat Sat Feb 5 16:05:45 2005 @@ -61,7 +61,7 @@ -1.6.8p5 November 26, 2004 1 +1.6.8p7 February 5, 2005 1 @@ -127,7 +127,7 @@ -1.6.8p5 November 26, 2004 2 +1.6.8p7 February 5, 2005 2 @@ -193,7 +193,7 @@ -1.6.8p5 November 26, 2004 3 +1.6.8p7 February 5, 2005 3 @@ -259,7 +259,7 @@ -1.6.8p5 November 26, 2004 4 +1.6.8p7 February 5, 2005 4 @@ -325,7 +325,7 @@ -1.6.8p5 November 26, 2004 5 +1.6.8p7 February 5, 2005 5 @@ -391,7 +391,7 @@ -1.6.8p5 November 26, 2004 6 +1.6.8p7 February 5, 2005 6 @@ -457,7 +457,7 @@ -1.6.8p5 November 26, 2004 7 +1.6.8p7 February 5, 2005 7 @@ -523,7 +523,7 @@ -1.6.8p5 November 26, 2004 8 +1.6.8p7 February 5, 2005 8 @@ -589,6 +589,6 @@ -1.6.8p5 November 26, 2004 9 +1.6.8p7 February 5, 2005 9 diff -ura sudo-1.6.8p6/sudo.man.in sudo-1.6.8p7/sudo.man.in --- sudo-1.6.8p6/sudo.man.in Thu Nov 25 10:35:09 2004 +++ sudo-1.6.8p7/sudo.man.in Sat Feb 5 14:29:49 2005 @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "November 26, 2004" "1.6.8p5" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" diff -ura sudo-1.6.8p6/sudoers.cat sudo-1.6.8p7/sudoers.cat --- sudo-1.6.8p6/sudoers.cat Sun Nov 28 14:13:36 2004 +++ sudo-1.6.8p7/sudoers.cat Sat Feb 5 16:05:45 2005 @@ -61,7 +61,7 @@ -1.6.8p5 November 28, 2004 1 +1.6.8p7 February 5, 2005 1 @@ -127,7 +127,7 @@ -1.6.8p5 November 28, 2004 2 +1.6.8p7 February 5, 2005 2 @@ -193,7 +193,7 @@ -1.6.8p5 November 28, 2004 3 +1.6.8p7 February 5, 2005 3 @@ -259,7 +259,7 @@ -1.6.8p5 November 28, 2004 4 +1.6.8p7 February 5, 2005 4 @@ -325,7 +325,7 @@ -1.6.8p5 November 28, 2004 5 +1.6.8p7 February 5, 2005 5 @@ -391,7 +391,7 @@ -1.6.8p5 November 28, 2004 6 +1.6.8p7 February 5, 2005 6 @@ -457,7 +457,7 @@ -1.6.8p5 November 28, 2004 7 +1.6.8p7 February 5, 2005 7 @@ -523,7 +523,7 @@ -1.6.8p5 November 28, 2004 8 +1.6.8p7 February 5, 2005 8 @@ -589,7 +589,7 @@ -1.6.8p5 November 28, 2004 9 +1.6.8p7 February 5, 2005 9 @@ -655,7 +655,7 @@ -1.6.8p5 November 28, 2004 10 +1.6.8p7 February 5, 2005 10 @@ -721,7 +721,7 @@ -1.6.8p5 November 28, 2004 11 +1.6.8p7 February 5, 2005 11 @@ -787,7 +787,7 @@ -1.6.8p5 November 28, 2004 12 +1.6.8p7 February 5, 2005 12 @@ -853,7 +853,7 @@ -1.6.8p5 November 28, 2004 13 +1.6.8p7 February 5, 2005 13 @@ -919,7 +919,7 @@ -1.6.8p5 November 28, 2004 14 +1.6.8p7 February 5, 2005 14 @@ -985,7 +985,7 @@ -1.6.8p5 November 28, 2004 15 +1.6.8p7 February 5, 2005 15 @@ -1051,7 +1051,7 @@ -1.6.8p5 November 28, 2004 16 +1.6.8p7 February 5, 2005 16 @@ -1117,7 +1117,7 @@ -1.6.8p5 November 28, 2004 17 +1.6.8p7 February 5, 2005 17 @@ -1183,7 +1183,7 @@ -1.6.8p5 November 28, 2004 18 +1.6.8p7 February 5, 2005 18 @@ -1249,7 +1249,7 @@ -1.6.8p5 November 28, 2004 19 +1.6.8p7 February 5, 2005 19 @@ -1315,7 +1315,7 @@ -1.6.8p5 November 28, 2004 20 +1.6.8p7 February 5, 2005 20 @@ -1381,7 +1381,7 @@ -1.6.8p5 November 28, 2004 21 +1.6.8p7 February 5, 2005 21 @@ -1447,7 +1447,7 @@ -1.6.8p5 November 28, 2004 22 +1.6.8p7 February 5, 2005 22 @@ -1513,6 +1513,6 @@ -1.6.8p5 November 28, 2004 23 +1.6.8p7 February 5, 2005 23 diff -ura sudo-1.6.8p6/sudoers.man.in sudo-1.6.8p7/sudoers.man.in --- sudo-1.6.8p6/sudoers.man.in Sun Nov 28 14:13:35 2004 +++ sudo-1.6.8p7/sudoers.man.in Sat Feb 5 14:30:10 2005 @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 28, 2004" "1.6.8p5" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" diff -ura sudo-1.6.8p6/version.h sudo-1.6.8p7/version.h --- sudo-1.6.8p6/version.h Sat Jan 1 16:10:39 2005 +++ sudo-1.6.8p7/version.h Mon Jan 31 11:53:15 2005 @@ -23,6 +23,6 @@ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.8p6"; +static const char version[] = "1.6.8p7"; #endif /* _SUDO_VERSION_H */ diff -ura sudo-1.6.8p6/visudo.cat sudo-1.6.8p7/visudo.cat --- sudo-1.6.8p6/visudo.cat Thu Nov 25 10:36:28 2004 +++ sudo-1.6.8p7/visudo.cat Sat Feb 5 16:05:45 2005 @@ -61,7 +61,7 @@ -1.6.8p5 November 26, 2004 1 +1.6.8p7 February 5, 2005 1 @@ -127,7 +127,7 @@ -1.6.8p5 November 26, 2004 2 +1.6.8p7 February 5, 2005 2 @@ -193,6 +193,6 @@ -1.6.8p5 November 26, 2004 3 +1.6.8p7 February 5, 2005 3 diff -ura sudo-1.6.8p6/visudo.man.in sudo-1.6.8p7/visudo.man.in --- sudo-1.6.8p6/visudo.man.in Thu Nov 25 10:35:24 2004 +++ sudo-1.6.8p7/visudo.man.in Sat Feb 5 14:30:14 2005 @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "November 26, 2004" "1.6.8p5" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "February 5, 2005" "1.6.8p7" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS"