Rebase to 1.9.2
Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This commit is contained in:
parent
4a1dd8c9f1
commit
170c92e796
|
@ -22,3 +22,4 @@
|
|||
/sudo-1.8.29.tar.gz
|
||||
/sudo-1.9.0b1.tar.gz
|
||||
/sudo-1.9.0b4.tar.gz
|
||||
/sudo-1.9.2.tar.gz
|
||||
|
|
|
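--- a/configure-runstatedir.patch
+++ b/configure-runstatedir.patch
@@ -0,0 +1,43 @@
+From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
+From: Evan Anderson <evan@eaanderson.com>
+Date: Sun, 6 Sep 2020 14:30:54 -0500
+Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
+support it
+
+runstatedir was added in yet-to-be released autoconf 2.70. Some distros
+are shipping this addition in their autoconf packages, but others, such as Fedora,
+are not. This causes the rundir variable to be set incorrectly if the configure script
+is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
+after regeneration. This change works around that problem by checking that runstatedir
+is non-empty before potentially using it to set the rundir variable
+---
+configure | 2 +-
+m4/sudo.m4 | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 0f6ceb16c..2e0838e01 100755
+--- a/configure
++++ b/configure
+@@ -26718,7 +26718,7 @@ EOF
+$as_echo_n "checking for sudo run dir location... " >&6; }
+if test -n "$with_rundir"; then
+rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+rundir="$runstatedir/sudo"
+else
+# No --with-rundir or --runstatedir specified
+diff --git a/m4/sudo.m4 b/m4/sudo.m4
+index a5a972b3c..b3a40b208 100644
+--- a/m4/sudo.m4
++++ b/m4/sudo.m4
+@@ -120,7 +120,7 @@ dnl
+AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+if test -n "$with_rundir"; then
+rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+rundir="$runstatedir/sudo"
+else
+# No --with-rundir or --runstatedir specified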
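Review bot: The added `test -n "$runstatedir"` guard routes an empty `$runstatedir` (the autoconf < 2.70 regeneration case the patch description names) into the `else` branch, but the default that branch computes, on which the changelog's claim that rundir now becomes /run/sudo rests, lies outside the hunk and is not visible here. A one-line comment above the `elif` in both files would record the intent for the next refresh, e.g. `# runstatedir is empty when configure was regenerated with an autoconf that lacks it`. The identical two-line change is carried in both `configure` and `m4/sudo.m4`; since the spec applies this file with `%patch2 -p1 -b .runstatedir` and no regeneration of configure is visible in the build section, both copies must be kept in step whenever the patch is rebased.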
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559
|
||||
SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21
|
||||
|
|
|
@ -1,149 +0,0 @@
|
|||
changeset 12288:1064b906ca68
|
||||
|
||||
Ignore a failure to restore the RLIMIT_CORE resource limit.
|
||||
Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
|
||||
if we set the limit to zero, even for root. This is not a problem
|
||||
outside the container.
|
||||
author Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
date Sat, 14 Mar 2020 11:13:55 -0600
|
||||
parents 72ca06a294b4
|
||||
children 40629e6fd692
|
||||
files src/limits.c
|
||||
diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]
|
||||
line wrap: on
|
||||
line diff
|
||||
|
||||
--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600
|
||||
+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600
|
||||
@@ -114,13 +114,21 @@
|
||||
|
||||
if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
|
||||
sudo_warn("getrlimit(RLIMIT_CORE)");
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
|
||||
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
|
||||
if (setrlimit(RLIMIT_CORE, &rl) == -1)
|
||||
sudo_warn("setrlimit(RLIMIT_CORE)");
|
||||
#ifdef __linux__
|
||||
/* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
|
||||
- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
|
||||
+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
|
||||
dumpflag = 0;
|
||||
- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
|
||||
+ }
|
||||
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
|
||||
+ }
|
||||
#endif /* __linux__ */
|
||||
coredump_disabled = true;
|
||||
|
||||
@@ -136,10 +144,20 @@
|
||||
debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
|
||||
|
||||
if (coredump_disabled) {
|
||||
- if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
|
||||
- sudo_warn("setrlimit(RLIMIT_CORE)");
|
||||
+ /*
|
||||
+ * Linux containers don't allow RLIMIT_CORE to be set back to
|
||||
+ * RLIM_INFINITY if we set the limit to zero, even for root.
|
||||
+ */
|
||||
+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(RLIMIT_CORE, [%lld, %lld])",
|
||||
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
|
||||
+ }
|
||||
#ifdef __linux__
|
||||
- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
|
||||
+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
|
||||
+ }
|
||||
#endif /* __linux__ */
|
||||
}
|
||||
debug_return;
|
||||
@@ -162,8 +180,14 @@
|
||||
|
||||
if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
|
||||
sudo_warn("getrlimit(RLIMIT_NPROC)");
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
|
||||
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
|
||||
if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
|
||||
rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
|
||||
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
|
||||
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
|
||||
if (setrlimit(RLIMIT_NPROC, &rl) != 0)
|
||||
sudo_warn("setrlimit(RLIMIT_NPROC)");
|
||||
}
|
||||
@@ -180,8 +204,11 @@
|
||||
#ifdef __linux__
|
||||
debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
|
||||
|
||||
- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
|
||||
- sudo_warn("setrlimit(RLIMIT_NPROC)");
|
||||
+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
|
||||
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
|
||||
+ }
|
||||
|
||||
debug_return;
|
||||
#endif /* __linux__ */
|
||||
@@ -203,6 +230,11 @@
|
||||
struct saved_limit *lim = &saved_limits[idx];
|
||||
if (getrlimit(lim->resource, &lim->oldlimit) == -1)
|
||||
continue;
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
+ "getrlimit(lim->name) -> [%lld, %lld]",
|
||||
+ (long long)lim->oldlimit.rlim_cur,
|
||||
+ (long long)lim->oldlimit.rlim_max);
|
||||
+
|
||||
lim->saved = true;
|
||||
if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
|
||||
/* Don't reduce the soft resource limit. */
|
||||
@@ -217,13 +249,28 @@
|
||||
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
|
||||
}
|
||||
if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
|
||||
- if (lim->fallback != NULL)
|
||||
- rc = setrlimit(lim->resource, lim->fallback);
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(%s, [%lld, %lld])", lim->name,
|
||||
+ (long long)lim->newlimit.rlim_cur,
|
||||
+ (long long)lim->newlimit.rlim_max);
|
||||
+ if (lim->fallback != NULL) {
|
||||
+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(%s, [%lld, %lld])", lim->name,
|
||||
+ (long long)lim->fallback->rlim_cur,
|
||||
+ (long long)lim->fallback->rlim_max);
|
||||
+ }
|
||||
+ }
|
||||
if (rc == -1) {
|
||||
/* Try setting new rlim_cur to old rlim_max. */
|
||||
lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
|
||||
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
|
||||
- rc = setrlimit(lim->resource, &lim->newlimit);
|
||||
+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(%s, [%lld, %lld])", lim->name,
|
||||
+ (long long)lim->newlimit.rlim_cur,
|
||||
+ (long long)lim->newlimit.rlim_max);
|
||||
+ }
|
||||
}
|
||||
if (rc == -1)
|
||||
sudo_warn("setrlimit(%s)", lim->name);
|
||||
@@ -254,6 +301,10 @@
|
||||
if (rc != -1 || errno != EINVAL)
|
||||
break;
|
||||
|
||||
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
|
||||
+ "setrlimit(%s, [%lld, %lld])", lim->name,
|
||||
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
|
||||
+
|
||||
/*
|
||||
* Soft limit could be lower than current resource usage.
|
||||
* This can be an issue on NetBSD with RLIMIT_STACK and ASLR.
|
59
sudo.spec
59
sudo.spec
|
@ -1,13 +1,10 @@
|
|||
%global patchlevel b4
|
||||
%global upstream_version %{version}%{patchlevel}
|
||||
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.9.0
|
||||
Release: 0.1.%{patchlevel}%{?dist}
|
||||
Version: 1.9.2
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz
|
||||
Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
|
||||
Source1: sudoers
|
||||
Requires: pam
|
||||
Recommends: vim-minimal
|
||||
|
@ -27,8 +24,7 @@ BuildRequires: zlib-devel
|
|||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# https://www.sudo.ws/repos/sudo/rev/1064b906ca68
|
||||
Patch2: sudo-1.9-RLIMIT_CORE.patch
|
||||
Patch2: configure-runstatedir.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -49,11 +45,22 @@ Requires: %{name} = %{version}-%{release}
|
|||
The %{name}-devel package contains header files developing sudo
|
||||
plugins that use %{name}.
|
||||
|
||||
|
||||
%package logsrvd
|
||||
Summary: High-performance log server for %{name}
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
|
||||
%description logsrvd
|
||||
%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
|
||||
It can be used to implement centralized logging of sudo logs.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .orig
|
||||
%patch2 -p1 -b .runstatedir
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
|
@ -73,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
|||
--sbindir=%{_sbindir} \
|
||||
--libdir=%{_libdir} \
|
||||
--docdir=%{_pkgdocdir} \
|
||||
--enable-openssl \
|
||||
--disable-root-mailer \
|
||||
--with-logging=syslog \
|
||||
--with-logfac=authpriv \
|
||||
|
@ -157,8 +165,8 @@ EOF
|
|||
%config(noreplace) /etc/pam.d/sudo
|
||||
%config(noreplace) /etc/pam.d/sudo-i
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
||||
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
|
||||
%attr(0644,root,root) /etc/sudo.conf
|
||||
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
|
||||
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
|
||||
%dir /var/db/sudo
|
||||
%dir /var/db/sudo/lectured
|
||||
%attr(4111,root,root) %{_bindir}/sudo
|
||||
|
@ -167,8 +175,6 @@ EOF
|
|||
%attr(0755,root,root) %{_sbindir}/visudo
|
||||
%{_bindir}/cvtsudoers
|
||||
%dir %{_libexecdir}/sudo
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_sendlog
|
||||
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
||||
|
@ -188,11 +194,7 @@ EOF
|
|||
%{_mandir}/man8/visudo.8*
|
||||
%{_mandir}/man1/cvtsudoers.1.gz
|
||||
%{_mandir}/man5/sudoers_timestamp.5.gz
|
||||
%{_mandir}/man5/sudo_logsrv.proto.5.gz
|
||||
%{_mandir}/man5/sudo_logsrvd.conf.5.gz
|
||||
%{_mandir}/man8/sudo_logsrvd.8.gz
|
||||
%{_mandir}/man8/sudo_plugin_python.8.gz
|
||||
%{_mandir}/man8/sudo_sendlog.8.gz
|
||||
%dir %{_pkgdocdir}/
|
||||
%{_pkgdocdir}/*
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
|
@ -209,7 +211,28 @@ EOF
|
|||
%{_includedir}/sudo_plugin.h
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%files logsrvd
|
||||
%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_sendlog
|
||||
%{_mandir}/man5/sudo_logsrv.proto.5.gz
|
||||
%{_mandir}/man5/sudo_logsrvd.conf.5.gz
|
||||
%{_mandir}/man8/sudo_logsrvd.8.gz
|
||||
%{_mandir}/man8/sudo_sendlog.8.gz
|
||||
|
||||
%changelog
|
||||
* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
|
||||
- rebase to 1.9.2
|
||||
Resolves: rhbz#1859577
|
||||
- added logsrvd subpackage
|
||||
- added openssl-devel buildrequires
|
||||
Resolves: rhbz#1860653
|
||||
- fixed sudo runstatedir path
|
||||
- it was generated as /sudo instead of /run/sudo
|
||||
Resolves: rhbz#1868215
|
||||
- added /var/lib/snapd/snap/bin to secure_path variable
|
||||
Resolves: rhbz#1691996
|
||||
|
||||
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
|
||||
- update to latest development version 1.9.0b4
|
||||
Resolves: rhbz#1816593
|
||||
|
|
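Review bot: `Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz` in the first hunk keeps the `dist/beta/` directory from the 1.9.0b4 packaging although 1.9.2 is a final release; unless upstream also publishes release tarballs under that directory, source fetching will fail, and the line should presumably read `Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz`. The SHA512 recorded in `sources` still pins the tarball content, so integrity checking is unaffected by which URL is used. Separately, the hunk at `@ -157,8 +165,8 @@` tightens `/etc/sudo.conf` from 0644 to 0640 and marks it and `/etc/dnf/protected.d/sudo.conf` `%config(noreplace)`, an upgrade-visible change that the new changelog entry does not mention; add a bullet such as `- /etc/sudo.conf is now 0640 and %config(noreplace)`. The `BuildRequires: openssl-devel` placed inside the `%package logsrvd` stanza applies to the whole build regardless of position, so moving it beside the other BuildRequires (`BuildRequires: zlib-devel` is visible in the hunk context) would make that clearer.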
2
sudoers
2
sudoers
|
@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
|
|||
#
|
||||
# Defaults env_keep += "HOME"
|
||||
|
||||
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||
|
||||
## Next comes the main part: which users can run what software on
|
||||
## which machines (the sudoers file can be shared between multiple
|
||||
|
|
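Review bot: The appended `/var/lib/snapd/snap/bin` is placed last in `secure_path`, so the root-owned system directories keep lookup precedence, but nothing in the file records why a snapd-managed directory belongs in the trusted path; the surrounding lines are commented, so add `# /var/lib/snapd/snap/bin: snap-installed commands (rhbz#1691996); kept last so system dirs win` above the `Defaults secure_path` line. Because every entry in secure_path is searched by the sudo-launched command, the directory's ownership and write permissions should be confirmed against the snapd package (presumably root-owned and not group/world writable) before it is trusted by default. If the installed /etc/sudoers is `%config(noreplace)` (not visible in this hunk), already-deployed systems will not receive the new default, which the changelog could state.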