Merge sudo 1.9.9 from tip.

--HG--
branch : 1.9

Author: millert

.circleci/config.yml

@@ -0,0 +1,110 @@
+version: 2.1
+
+jobs:
+  build:
+    description: Configure, build and package sudo
+    parameters:
+      ldap:
+        description: if true, build sudo's LDAP support
+        default: false
+        type: boolean
+      wolfssl:
+        description: if true, build sudo with wolfSSL support
+        default: false
+        type: boolean
+      static_sudoers:
+        description: if true, build sudoers statically
+        default: false
+        type: boolean
+      logsrvd:
+        description: if true, build sudo_logsrvd and sudoers client
+        default: true
+        type: boolean
+      intercept:
+        description: if true, build intercept support
+        default: true
+        type: boolean
+    docker:
+      - image: docker.io/sudoproject/ubuntu:latest
+        user: build
+    steps:
+      - checkout
+      - run:
+          name: "Building and packaging sudo"
+          command: ./scripts/mkpkg <<# parameters.ldap >>--flavor=ldap --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu <</ parameters.ldap >><<# parameters.wolfssl >>--enable-wolfssl <</ parameters.wolfssl >><<^ parameters.logsrvd >>--disable-log-server --disable-log-client <</ parameters.logsrvd >><<^ parameters.intercept >>--disable-intercept <</ parameters.intercept >><<# parameters.static_sudoers >>--enable-static-sudoers <</ parameters.static_sudoers >>--enable-warnings --enable-werror --enable-sanitizer
+      # Save workspace for subsequent jobs (i.e. test)
+      - persist_to_workspace:
+          root: .
+          paths:
+            - .
+  test:
+    description: run sudo tests in a pre-built workspace
+    docker:
+      - image: docker.io/sudoproject/ubuntu:latest
+        user: build
+    steps:
+      # Reuse the workspace from the build job
+      - attach_workspace:
+          at: .
+      - run:
+          name: "Running tests"
+          command: make check
+          environment:
+              # Leak sanitizer requires ptrace, disable it
+              ASAN_OPTIONS: detect_leaks=0
+
+# Orchestrate our job run sequence
+workflows:
+  version: 2
+  build_and_test:
+    jobs:
+      - build:
+          name: build-ldap
+          ldap: true
+          filters:
+            branches:
+              only: main
+      - build:
+          name: build-wolfssl
+          wolfssl: true
+          filters:
+            branches:
+              only: main
+      - build:
+          name: build-static-sudoers
+          static_sudoers: true
+          filters:
+            branches:
+              only: main
+      - build:
+          name: build-nologsrvd
+          logsrvd: false
+          filters:
+            branches:
+              only: main
+      - build:
+          name: build-nointercept
+          logsrvd: false
+          filters:
+            branches:
+              only: main
+      - test:
+          name: test-ldap
+          requires:
+            - build-ldap
+      - test:
+          name: test-wolfssl
+          requires:
+            - build-wolfssl
+      - test:
+          name: test-static-sudoers
+          requires:
+            - build-static-sudoers
+      - test:
+          name: test-nologsrvd
+          requires:
+            - build-nologsrvd
+      - test:
+          name: test-nointercept
+          requires:
+            - build-nointercept

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '19 3 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.gitignore

@@ -26,9 +26,9 @@ ChangeLog
 PVS-Studio.cfg
 uncrustify.files
 
-doc/*.man
-doc/*.mdoc
-doc/fixman.sed
+docs/*.man
+docs/*.mdoc
+docs/fixman.sed
 
 examples/sudo.conf
 
@@ -39,6 +39,7 @@ init.d/sudo.conf
 
 src/sudo
 src/sesh
+src/check_net_ifs
 src/check_noexec
 src/check_ttyname
 src/intercept.exp
@@ -51,6 +52,7 @@ lib/iolog/check_iolog_[a-z]*
 lib/iolog/fuzz_iolog_[a-z]*
 lib/iolog/host_port_test
 
+lib/util/getgids
 lib/util/mksiglist
 lib/util/mksiglist.h
 lib/util/mksigname

.hgignore

@@ -22,9 +22,9 @@ Makefile$
 ^ChangeLog$
 ^PVS-Studio\.cfg$
 ^uncrustify\.files$
-^doc/.*\.man$
-^doc/.*\.mdoc$
-^doc/fixman\.sed$
+^docs/.*\.man$
+^docs/.*\.mdoc$
+^docs/fixman\.sed$
 
 ^etc/init\.d/sudo\.conf$
 
@@ -36,17 +36,18 @@ Makefile$
 ^pathnames\.h$
 ^src/sudo$
 ^src/sesh$
-^src/check_(noexec|ttyname)$
+^src/check_(net_ifs|noexec|ttyname)$
 ^src/intercept\.exp$
 ^src/sudo_usage\.h$
 
 ^lib/eventlog/check_wrap$
 ^lib/eventlog/regress/logwrap/check_wrap.out$
 
-^lib/iolog/check_iolog_(json|mkpath|path|util)$
+^lib/iolog/check_iolog_(json|mkpath|path|timing)$
 ^lib/iolog/fuzz_iolog_(json|legacy|timing)$
 ^lib/iolog/host_port_test$
 
+^lib/util/getgids$
 ^lib/util/mksiglist$
 ^lib/util/mksiglist.h$
 ^lib/util/mksigname$