Merge sudo 1.8.28 from tip into the 1.8 branch.

--HG--
branch : 1.8

.hgignore

@@ -16,6 +16,7 @@
 Makefile$
 ^config\.(h|log|status)$
 ^libtool$
+^build$
 
 ^ChangeLog$
 ^PVS-Studio.cfg$

INSTALL

@@ -28,7 +28,7 @@ Simple sudo installation
 For most systems and configurations it is possible simply to:
 
     0) If you are upgrading from a previous version of sudo
-       please read the info in the UPGRADE file before proceeding.
+       please read the info in the doc/UPGRADE file before proceeding.
 
     1) Read the `OS dependent notes' section for any particular
        "gotchas" relating to your operating system.
@@ -561,10 +561,11 @@ Development options:
         become corrupted.
 
   --enable-warnings
-	Enable compiler warnings when building sudo with gcc.
+	Enable compiler warnings when building sudo with gcc or clang.
 
   --enable-werror
-	Enable the -Werror compiler option when building sudo with gcc.
+        Enable the -Werror compiler option when building sudo with
+        gcc or clang.
 
   --with-devel
         Configure development options.  This will enable compiler warnings
@@ -670,19 +671,20 @@ Options that set runtime-changeable default values:
   --with-editor=PATH
 	Specify the default editor path for use by visudo.  This may be a
 	single path name or a colon-separated list of editors.  In the latter
-	case, visudo will choose the editor that matches the user's VISUAL
-	or EDITOR environment variables or the first editor in the list that
-	exists.  The default is the path to vi on your system.
+	case, visudo will choose the editor that matches the user's SUDO_EDITOR,
+	VISUAL or EDITOR environment variable, or the first editor in the list
+	that exists.  The default is the path to vi on your system.
 	Sudoers option: editor
 
-  --with-env-editor
-	Makes visudo consult the VISUAL and EDITOR environment variables before
-	falling back on the default editor list (as specified by --with-editor).
-	Note that this may create a security hole as it allows the user to
-	run any arbitrary command as root without logging.  A safer alternative
-	is to use a colon-separated list of editors with the --with-editor
-	option.  visudo will then only use the VISUAL or EDITOR variables
-	if they match a value specified via --with-editor.
+  --with-env-editor=no, --without-env-editor
+	By default, visudo will consult the SUDO_EDITOR, VISUAL and EDITOR
+	environment variables before falling back on the default editor list
+	(as specified by --with-editor).  visudo is typically run as root so
+	this option may allow a user with visudo privileges to run arbitrary
+	commands as root without logging.  Some sites may with to disable this
+	and use a colon-separated list of "safe" editors with the --with-editor
+	option.  visudo will then only use the SUDO_EDITOR, VISUAL or EDITOR
+	variables if they match a value specified via --with-editor.
 	Sudoers option: env_editor
 
   --with-exempt=GROUP
@@ -905,18 +907,13 @@ HP-UX:
 
     sudo	session	required	libpam_hpsec.so.1 bypass_umask
 
-    If every command run via sudo displays information about the last
-    successful login and the last authentication failure you should
-    make use an /etc/pam.conf line like:
-
-    sudo	session	required	libpam_hpsec.so.1 bypass_umask bypass_last_login
-
 Linux:
     PAM and LDAP headers are not installed by default on most Linux
-    systems.  You will need to install the "pam-dev" package if
-    /usr/include/security/pam_appl.h is not present on your system.
-    If you wish to build with LDAP support you will also need the
-    openldap-devel package.
+    systems.  You will need to install the "pam-dev" (rpm) or
+    libpam0g-dev (deb) package if /usr/include/security/pam_appl.h
+    is not present on your system.  If you wish to build with LDAP
+    support you will also need the "openldap-devel" (rpm) or
+    "libldap2-dev" (deb) package.
 
 Mac OS X:
     The pseudo-tty support in the Mac OS X kernel has bugs related

MANIFEST

@@ -20,7 +20,6 @@ doc/LICENSE
 doc/Makefile.in
 doc/TROUBLESHOOTING
 doc/UPGRADE
-doc/cvtsudoers.cat
 doc/cvtsudoers.man.in
 doc/cvtsudoers.mdoc.in
 doc/fixman.sh
@@ -29,30 +28,23 @@ doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
 doc/schema.olcSudo
-doc/sudo.cat
-doc/sudo.conf.cat
 doc/sudo.conf.man.in
+doc/sudo.conf.man.in.sed
 doc/sudo.conf.mdoc.in
 doc/sudo.man.in
 doc/sudo.man.in.sed
 doc/sudo.mdoc.in
-doc/sudo_plugin.cat
 doc/sudo_plugin.man.in
 doc/sudo_plugin.mdoc.in
-doc/sudoers.cat
-doc/sudoers.ldap.cat
 doc/sudoers.ldap.man.in
 doc/sudoers.ldap.mdoc.in
 doc/sudoers.man.in
 doc/sudoers.man.in.sed
 doc/sudoers.mdoc.in
-doc/sudoers_timestamp.cat
 doc/sudoers_timestamp.man.in
 doc/sudoers_timestamp.mdoc.in
-doc/sudoreplay.cat
 doc/sudoreplay.man.in
 doc/sudoreplay.mdoc.in
-doc/visudo.cat
 doc/visudo.man.in
 doc/visudo.mdoc.in
 examples/Makefile.in
@@ -105,10 +97,10 @@ lib/util/fatal.c
 lib/util/fnmatch.c
 lib/util/getaddrinfo.c
 lib/util/getcwd.c
+lib/util/getdelim.c
 lib/util/getentropy.c
 lib/util/getgrouplist.c
 lib/util/gethostname.c
-lib/util/getline.c
 lib/util/getopt_long.c
 lib/util/gettime.c
 lib/util/gidlist.c
@@ -135,13 +127,15 @@ lib/util/reallocarray.c
 lib/util/regress/atofoo/atofoo_test.c
 lib/util/regress/fnmatch/fnm_test.c
 lib/util/regress/fnmatch/fnm_test.in
+lib/util/regress/getdelim/getdelim_test.c
 lib/util/regress/getgrouplist/getgrouplist_test.c
 lib/util/regress/glob/files
 lib/util/regress/glob/globtest.c
 lib/util/regress/glob/globtest.in
 lib/util/regress/mktemp/mktemp_test.c
 lib/util/regress/parse_gids/parse_gids_test.c
 lib/util/regress/progname/progname_test.c
+lib/util/regress/strsig/strsig_test.c
 lib/util/regress/strsplit/strsplit_test.c
 lib/util/regress/sudo_conf/conf_test.c
 lib/util/regress/sudo_conf/test1.in
@@ -181,6 +175,7 @@ lib/util/sha2.c
 lib/util/sig2str.c
 lib/util/siglist.in
 lib/util/snprintf.c
+lib/util/str2sig.c
 lib/util/strlcat.c
 lib/util/strlcpy.c
 lib/util/strndup.c
@@ -332,12 +327,16 @@ plugins/sudoers/logging.h
 plugins/sudoers/logwrap.c
 plugins/sudoers/match.c
 plugins/sudoers/match_addr.c
+plugins/sudoers/match_command.c
+plugins/sudoers/match_digest.c
 plugins/sudoers/mkdefaults
 plugins/sudoers/mkdir_parents.c
 plugins/sudoers/parse.c
 plugins/sudoers/parse.h
 plugins/sudoers/parse_ldif.c
 plugins/sudoers/po/README
+plugins/sudoers/po/ast.mo
+plugins/sudoers/po/ast.po
 plugins/sudoers/po/ca.mo
 plugins/sudoers/po/ca.po
 plugins/sudoers/po/cs.mo
@@ -399,6 +398,8 @@ plugins/sudoers/po/vi.mo
 plugins/sudoers/po/vi.po
 plugins/sudoers/po/zh_CN.mo
 plugins/sudoers/po/zh_CN.po
+plugins/sudoers/po/zh_TW.mo
+plugins/sudoers/po/zh_TW.po
 plugins/sudoers/policy.c
 plugins/sudoers/prompt.c
 plugins/sudoers/pwutil.c
@@ -448,6 +449,7 @@ plugins/sudoers/regress/cvtsudoers/test24.out.ok
 plugins/sudoers/regress/cvtsudoers/test24.sh
 plugins/sudoers/regress/cvtsudoers/test25.out.ok
 plugins/sudoers/regress/cvtsudoers/test25.sh
+plugins/sudoers/regress/cvtsudoers/test26.err.ok
 plugins/sudoers/regress/cvtsudoers/test26.out.ok
 plugins/sudoers/regress/cvtsudoers/test26.sh
 plugins/sudoers/regress/cvtsudoers/test27.out.ok
@@ -463,6 +465,7 @@ plugins/sudoers/regress/cvtsudoers/test30.sh
 plugins/sudoers/regress/cvtsudoers/test31.conf
 plugins/sudoers/regress/cvtsudoers/test31.out.ok
 plugins/sudoers/regress/cvtsudoers/test31.sh
+plugins/sudoers/regress/cvtsudoers/test32.err.ok
 plugins/sudoers/regress/cvtsudoers/test32.out.ok
 plugins/sudoers/regress/cvtsudoers/test32.sh
 plugins/sudoers/regress/cvtsudoers/test33.out.ok
@@ -626,7 +629,6 @@ plugins/sudoers/regress/testsudoers/test1.sh
 plugins/sudoers/regress/testsudoers/test2.inc
 plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
-plugins/sudoers/regress/testsudoers/test3.d/root
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok

Makefile.in

@@ -1,4 +1,6 @@
 #
+# SPDX-License-Identifier: ISC
+#
 # Copyright (c) 2010-2015, 2017-2018 Todd C. Miller <Todd.Miller@sudo.ws>
 #
 # Permission to use, copy, modify, and distribute this software for any
@@ -89,7 +91,7 @@ CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=c
 SPLINT_OPTS = -D__restrict= -checks
 
 # Default PVS-studio options when run from the top-level Makefile
-PVS_CFG = $(top_srcdir)/PVS-Studio.cfg
+PVS_CFG = $(top_builddir)/PVS-Studio.cfg
 PVS_IGNORE = 'V707,V011,V002,V536'
 PVS_LOG_OPTS = -a 'GA:1,2' -e -t errorfile -d $(PVS_IGNORE)
 

NEWS

@@ -1,3 +1,85 @@
+What's new in Sudo 1.8.28
+
+ * Sudo will now only set PAM_TTY to the empty string when no
+   terminal is present on Solaris and Linux.  This workaround is
+   only needed on those systems which may have PAM modules that
+   misbehave when PAM_TTY is not set.
+
+ * The mailerflags sudoers option now has a default value even if
+   sendmail support was disabled at configure time.  Fixes a crash
+   when the mailerpath sudoers option is set but mailerflags is not.
+   Bug #878.
+
+ * Sudo will now filter out last login messages on HP-UX unless it
+   a shell is being run via "sudo -s" or "sudo -i".  Otherwise,
+   when trusted mode is enabled, these messages will be displayed
+   for each command.
+
+ * On AIX, when the user's password has expired and PAM is not in use,
+   sudo will now allow the user to change their password.
+   Bug #883.
+
+ * Sudo has a new -B command line option that will ring the terminal
+   bell when prompting for a password.
+
+ * Sudo no longer refuses to prompt for a password when it cannot
+   determine the user's terminal as long as it can open /dev/tty.
+   This allows sudo to function on systems where /proc is unavailable,
+   such as when running in a chroot environment.
+
+ * The "env_editor" sudoers flag is now on by default.  This makes
+   source builds more consistent with the packages generated by
+   sudo's mkpkg script.
+
+ * Sudo no longer ships with pre-formatted copies of the manual pages.
+   These were included for systems like IRIX that don't ship with an
+   nroff utility.  There are now multiple Open Source nroff replacements
+   so this should no longer be an issue.
+
+ * Fixed a bad interaction with configure's --prefix and
+   --disable-shared options.  Bug #886.
+
+ * More verbose error message when a password is required and no terminal
+   is present.  Bug #828.
+
+ * Command tags, such as NOPASSWD, are honored when a user tries to run a
+   command that is allowed by sudoers but which does not actually
+   exist on the file system.  Bug #888.
+
+ * Asturian translation for sudoers from translationproject.org.
+
+ * I/O log timing files now store signal suspend and resume information
+   in the form of a signal name instead of a number.
+
+ * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring
+   the value of "ipa_hostname" from sssd.conf, if specified, when
+   matching the host name.
+
+ * Fixed a bug introduced in 1.8.21 that prevented the core dump
+   resource limit set in the pam_limits module from taking effect.
+   Bug #894.
+
+ * Fixed parsing of double-quoted Defaults group and netgroup bindings.
+
+ * The user ID is now used when matching sudoUser attributes in LDAP.
+   Previously, the user name, group name and group IDs were used
+   when matching but not the user ID.
+
+ * Sudo now writes PAM messages to the user's terminal, if available,
+   instead of the standard output or standard error.  This prevents
+   PAM output from being intermixed with that of the command when
+   output is sent to a file or pipe.  Bug #895.
+
+ * Sudoedit now honors the umask and umask_override settings in sudoers.
+   Previously, the user's umask was used as-is.
+
+ * Fixed a bug where the terminal's file context was not restored
+   when using SELinux RBAC.  Bug #898.
+
+ * Fixed CVE-2019-14287, a bug where a sudo user may be able to
+   run a command as root when the Runas specification explicitly
+   disallows root access as long as the ALL keyword is listed first.
+
 What's new in Sudo 1.8.27
 
  * On HP-UX, sudo will now update the utmps file when running a command