merge sudo 1.8.26 from tip

--HG--
branch : 1.8

Author: millert

.hgignore

@@ -1,8 +1,10 @@
 ~$
-\.o$
+\.i$
 \.l[ao]$
 \.lai$
 \.mo$
+\.o$
+\.plog$
 
 \.diff$
 \.orig$
@@ -16,6 +18,7 @@ Makefile$
 ^libtool$
 
 ^ChangeLog$
+^PVS-Studio.cfg$
 ^doc/.*\.man$
 ^doc/.*\.mdoc$
 ^doc/.*\.man\.sed$
@@ -39,6 +42,6 @@ Makefile$
 ^lib/util/[a-z0-9_]+_test$
 ^lib/util/regress/.*\.(out|err)$
 
-^plugins/sudoers/(cvtsudoers|sudoers|sudoreplay|testsudoers|tsdump|visudo|check_[a-z0-9_]+)$
+^plugins/sudoers/(cvtsudoers|sudoers|sudoreplay|testsudoers|tsdump|visudo|prologue|check_[a-z0-9_]+)$
 ^plugins/sudoers/.*\.(out|toke|err|json|ldif|sudo|ldif2sudo)$
 ^plugins/sudoers/regress/iolog_plugin/iolog$

INSTALL

@@ -365,11 +365,16 @@ Optional features:
         Enable potentially offensive sudo insults from the classic
         version of sudo.
 
+  --enable-pvs-studio
+	Generate a sample PVS-Studio.cfg file based on the compiler and
+	platform type.	The "pvs-studio" Makefile target can then be
+	used if PVS-Studio is installed.
+
 Operating system-specific options:
   --disable-setreuid
-        Disable use of the setreuid() function for operating systems
-        where it is broken.  For instance, 4.4BSD has setreuid()
-        that is not fully functional.
+	Disable use of the setreuid() function for operating systems
+	where it is broken.  For instance, 4.4BSD has setreuid() that
+	is not fully functional.
 
   --disable-setresuid
 	Disable use of the setresuid() function for operating systems

MANIFEST

@@ -28,6 +28,7 @@ doc/fixmdoc.sh
 doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
+doc/schema.olcSudo
 doc/sudo.cat
 doc/sudo.conf.cat
 doc/sudo.conf.man.in
@@ -132,6 +133,7 @@ lib/util/reallocarray.c
 lib/util/regress/atofoo/atofoo_test.c
 lib/util/regress/fnmatch/fnm_test.c
 lib/util/regress/fnmatch/fnm_test.in
+lib/util/regress/getgrouplist/getgrouplist_test.c
 lib/util/regress/glob/files
 lib/util/regress/glob/globtest.c
 lib/util/regress/glob/globtest.in
@@ -314,9 +316,9 @@ plugins/sudoers/interfaces.c
 plugins/sudoers/interfaces.h
 plugins/sudoers/iolog.c
 plugins/sudoers/iolog.h
+plugins/sudoers/iolog_files.h
 plugins/sudoers/iolog_path.c
 plugins/sudoers/iolog_util.c
-plugins/sudoers/iolog_util.h
 plugins/sudoers/ldap.c
 plugins/sudoers/ldap_conf.c
 plugins/sudoers/ldap_util.c
@@ -372,6 +374,8 @@ plugins/sudoers/po/nl.mo
 plugins/sudoers/po/nl.po
 plugins/sudoers/po/pl.mo
 plugins/sudoers/po/pl.po
+plugins/sudoers/po/pt.mo
+plugins/sudoers/po/pt.po
 plugins/sudoers/po/pt_BR.mo
 plugins/sudoers/po/pt_BR.po
 plugins/sudoers/po/ru.mo
@@ -452,6 +456,15 @@ plugins/sudoers/regress/cvtsudoers/test29.out.ok
 plugins/sudoers/regress/cvtsudoers/test29.sh
 plugins/sudoers/regress/cvtsudoers/test3.out.ok
 plugins/sudoers/regress/cvtsudoers/test3.sh
+plugins/sudoers/regress/cvtsudoers/test30.out.ok
+plugins/sudoers/regress/cvtsudoers/test30.sh
+plugins/sudoers/regress/cvtsudoers/test31.conf
+plugins/sudoers/regress/cvtsudoers/test31.out.ok
+plugins/sudoers/regress/cvtsudoers/test31.sh
+plugins/sudoers/regress/cvtsudoers/test32.out.ok
+plugins/sudoers/regress/cvtsudoers/test32.sh
+plugins/sudoers/regress/cvtsudoers/test33.out.ok
+plugins/sudoers/regress/cvtsudoers/test33.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
 plugins/sudoers/regress/cvtsudoers/test4.sh
 plugins/sudoers/regress/cvtsudoers/test5.out.ok
@@ -605,6 +618,7 @@ plugins/sudoers/regress/sudoers/test9.json.ok
 plugins/sudoers/regress/sudoers/test9.ldif.ok
 plugins/sudoers/regress/sudoers/test9.out.ok
 plugins/sudoers/regress/sudoers/test9.toke.ok
+plugins/sudoers/regress/testsudoers/group
 plugins/sudoers/regress/testsudoers/test1.out.ok
 plugins/sudoers/regress/testsudoers/test1.sh
 plugins/sudoers/regress/testsudoers/test2.inc
@@ -681,6 +695,8 @@ plugins/system_group/Makefile.in
 plugins/system_group/system_group.c
 plugins/system_group/system_group.exp
 po/README
+po/ast.mo
+po/ast.po
 po/ca.mo
 po/ca.po
 po/cs.mo
@@ -721,6 +737,8 @@ po/nn.mo
 po/nn.po
 po/pl.mo
 po/pl.po
+po/pt.mo
+po/pt.po
 po/pt_BR.mo
 po/pt_BR.po
 po/ru.mo

Makefile.in

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2010-2015, 2017 Todd C. Miller <[email protected]>
+# Copyright (c) 2010-2015, 2017-2018 Todd C. Miller <[email protected]>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,6 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 
 srcdir = @srcdir@
@@ -89,6 +88,11 @@ CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=c
 # Default splint options when run from the top-level Makefile
 SPLINT_OPTS = -D__restrict= -checks
 
+# Default PVS-studio options when run from the top-level Makefile
+PVS_CFG = $(top_srcdir)/PVS-Studio.cfg
+PVS_IGNORE = 'V707,V011,V002,V536'
+PVS_LOG_OPTS = -a 'GA:1,2' -e -t errorfile -d $(PVS_IGNORE)
+
 all: config.status
 	for d in $(SUBDIRS); do \
 	    (cd $$d && exec $(MAKE) $@) && continue; \
@@ -131,6 +135,22 @@ cov-upload:
 
 cov-analyze: cov-upload
 
+pvs-studio: config.status
+	files=; \
+	rval=0; \
+	for d in $(SUBDIRS); do \
+	    (cd $$d && exec $(MAKE) PVS_IGNORE="$(PVS_IGNORE)" pvs-log-files) || rval=`expr $$rval + $$?`; \
+	    for f in $$d/*.plog; do \
+		if test "$$f" != "$$d/*.plog"; then \
+		    files="$$files $$f"; \
+		fi; \
+	    done; \
+	done; \
+	if test $$rval -ne 0; then \
+	    exit $$rval; \
+	fi; \
+	plog-converter $(PVS_LOG_OPTS) $$files
+
 install-dirs install-binaries install-includes install-plugin: config.status pre-install
 	for d in $(SUBDIRS); do \
 	    (cd $$d && exec $(MAKE) "INSTALL_OWNER=$(INSTALL_OWNER)" $@) && continue; \

NEWS

@@ -1,3 +1,63 @@
+What's new in Sudo 1.8.26
+
+ * Fixed a bug in cvtsudoers when converting to JSON format when
+   alias expansion is enabled. Bug #853.
+
+ * Sudo no long sets the USERNAME environment variable when running
+   commands. This is a non-standard environment variable that was
+   set on some older Linux systems.
+
+ * Sudo now treats the LOGNAME and USER environment variables (as
+   well as the LOGIN variable on AIX) as a single unit.  If one is
+   preserved or removed from the environment using env_keep, env_check
+   or env_delete, so is the other.
+
+ * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
+
+ * Sudo now logs when the command was suspended and resumed in the
+   I/O logs.  This information is used by sudoreplay to skip the
+   time suspended when replaying the session unless the new -S flag
+   is used.
+
+ * Fixed documentation problems found by the igor utility.  Bug #854.
+
+ * Sudo now prints a warning message when there is an error or end
+   of file while reading the password instead of exiting silently.
+
+ * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
+   role, type, privs and limitprivs sudoOptions.  This also affected
+   cvtsudoers conversion from LDIF to sudoers or JSON.
+
+ * Fixed a bug that prevented timeout settings in sudoers from
+   functioning unless a timeout was also specified on the command
+   line.
+
+ * Asturian translation for sudo from translationproject.org.
+
+ * When generating LDIF output, cvtsudoers can now be configured
+   to pad the sudoOrder increment such that the start order is used
+   as a prefix.  Bug #856.
+
+ * Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
+   properly setting the user's groups on AIX.  Bug #857.
+
+ * If the user specifies a group via sudo's -g option that matches
+   any of the target user's groups, it is now allowed even if no
+   groups are present in the Runas_Spec.  Previously, it was only
+   allowed if it matched the target user's primary group.
+
+ * The sudoers LDAP back-end now supports negated sudoRunAsUser and
+   sudoRunAsGroup entries.
+
+ * Sudo now provides a proper error message when the "fqdn" sudoers
+   option is set and it is unable to resolve the local host name.
+   Bug #859.
+
+ * Portuguese translation for sudo and sudoers from translationproject.org.
+
+ * Sudo now includes sudoers LDAP schema for the on-line configuration
+   supported by OpenLDAP.
+
 What's new in Sudo 1.8.25p1
 
  * Fixed a bug introduced in sudo 1.8.25 that caused a crash on

README.LDAP

@@ -57,9 +57,11 @@ Schema Changes
 You must add the appropriate schema to your LDAP server before it
 can store sudoers content.
 
-For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
-(e.g. /etc/openldap/schema).  You must then edit your slapd.conf and
-add an include line the new schema, e.g.
+For OpenLDAP, there are two options, depending on how slapd is configured.
+
+The first option is to copy the file schema.OpenLDAP to the schema
+directory (e.g. /etc/openldap/schema).  You must then edit your
+slapd.conf and add an include line the new schema, e.g.
 
     # Sudo LDAP schema
     include	/etc/openldap/schema/sudo.schema
@@ -72,6 +74,22 @@ the attribute 'sudoUser', e.g.
 
 After making the changes to slapd.conf, restart slapd.
 
+The second option is only for OpenLDAP 2.3 and higher where slapd.conf
+has been configured to use on-line configuration.  If your slapd.conf
+file includes the line:
+
+    database config
+
+it should be possible to use the schema.olcSudo file.
+
+You can apply schema.olcSudo using the ldapadd utility or another
+suitable LDAP browser.  For example:
+
+    # ldapadd -f schema.olcSudo -H ldap://ldapserver -W -x \
+	-D cn=Manager,dc=example,dc=com
+
+There is no need to restart slapd when updating on-line configuration.
+
 For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
 copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
 
@@ -118,7 +136,7 @@ Import into your directory server.  The following example is for
 OpenLDAP.  If you are using another directory, provide the LDIF
 file to your LDAP Administrator.
 
-  # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
+  # ldapadd -f /tmp/sudoers.ldif -H ldap://ldapserver \
     -D cn=Manager,dc=example,dc=com -W -x
 
 Step 3: