Rebase to 1.9.2

Resolves: rhbz#1859577

- added logsrvd subpackage
- added openssl-devel buildrequires
Resolves: rhbz#1860653
- fixed sudo runstatedir path
- it was generated as /sudo instead of /run/sudo
Resolves: rhbz#1868215
- added /var/lib/snapd/snap/bin to secure_path variable
Resolves: rhbz#1691996

Signed-off-by: Radovan Sroka <rsroka@redhat.com>

.gitignore

@@ -22,3 +22,4 @@
 /sudo-1.8.29.tar.gz
 /sudo-1.9.0b1.tar.gz
 /sudo-1.9.0b4.tar.gz
+/sudo-1.9.2.tar.gz

configure-runstatedir.patch

@@ -0,0 +1,43 @@
+From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
+From: Evan Anderson <evan@eaanderson.com>
+Date: Sun, 6 Sep 2020 14:30:54 -0500
+Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
+ support it
+
+runstatedir was added in yet-to-be released autoconf 2.70. Some distros
+are shipping this addition in their autoconf packages, but others, such as Fedora,
+are not. This causes the rundir variable to be set incorrectly if the configure script
+is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
+after regeneration. This change works around that problem by checking that runstatedir
+is non-empty before potentially using it to set the rundir variable
+---
+ configure  | 2 +-
+ m4/sudo.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 0f6ceb16c..2e0838e01 100755
+--- a/configure
++++ b/configure
+@@ -26718,7 +26718,7 @@ EOF
+ $as_echo_n "checking for sudo run dir location... " >&6; }
+ if test -n "$with_rundir"; then
+     rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+     rundir="$runstatedir/sudo"
+ else
+     # No --with-rundir or --runstatedir specified
+diff --git a/m4/sudo.m4 b/m4/sudo.m4
+index a5a972b3c..b3a40b208 100644
+--- a/m4/sudo.m4
++++ b/m4/sudo.m4
+@@ -120,7 +120,7 @@ dnl
+ AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+ if test -n "$with_rundir"; then
+     rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+     rundir="$runstatedir/sudo"
+ else
+     # No --with-rundir or --runstatedir specified

sources

@@ -1 +1 @@
-SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559
+SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21

sudo-1.9-RLIMIT_CORE.patch

@@ -1,149 +0,0 @@
- changeset 12288:1064b906ca68
-
-Ignore a failure to restore the RLIMIT_CORE resource limit.
-Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
-if we set the limit to zero, even for root.  This is not a problem
-outside the container.
-author 	Todd C. Miller <Todd.Miller@sudo.ws>
-date 	Sat, 14 Mar 2020 11:13:55 -0600
-parents 	72ca06a294b4
-children 	40629e6fd692
-files 	src/limits.c
-diffstat 	1 files changed, 61 insertions(+), 10 deletions(-) [+]
-line wrap: on
- line diff
-
---- a/src/limits.c	Thu Mar 12 17:39:56 2020 -0600
-+++ b/src/limits.c	Sat Mar 14 11:13:55 2020 -0600
-@@ -114,13 +114,21 @@
-
-     if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
- 	sudo_warn("getrlimit(RLIMIT_CORE)");
-+    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
-+	(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
-     if (setrlimit(RLIMIT_CORE, &rl) == -1)
- 	sudo_warn("setrlimit(RLIMIT_CORE)");
- #ifdef __linux__
-     /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
--    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
-+    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
-+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+	    "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
- 	dumpflag = 0;
--    (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
-+    }
-+    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
-+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+	    "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
-+    }
- #endif /* __linux__ */
-     coredump_disabled = true;
-
-@@ -136,10 +144,20 @@
-     debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
-
-     if (coredump_disabled) {
--	if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
--	    sudo_warn("setrlimit(RLIMIT_CORE)");
-+	/*
-+	 * Linux containers don't allow RLIMIT_CORE to be set back to
-+	 * RLIM_INFINITY if we set the limit to zero, even for root.
-+	 */
-+	if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
-+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+		"setrlimit(RLIMIT_CORE, [%lld, %lld])",
-+		(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
-+	}
- #ifdef __linux__
--	(void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
-+	if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
-+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+		"prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
-+	}
- #endif /* __linux__ */
-     }
-     debug_return;
-@@ -162,8 +180,14 @@
-
-     if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
- 	sudo_warn("getrlimit(RLIMIT_NPROC)");
-+    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
-+	(long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
-     if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
- 	rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
-+	sudo_debug_printf(SUDO_DEBUG_INFO,
-+	    "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
-+	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
-+	    (long long)rl.rlim_cur, (long long)rl.rlim_max);
- 	if (setrlimit(RLIMIT_NPROC, &rl) != 0)
- 	    sudo_warn("setrlimit(RLIMIT_NPROC)");
-     }
-@@ -180,8 +204,11 @@
- #ifdef __linux__
-     debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
-
--    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
--	sudo_warn("setrlimit(RLIMIT_NPROC)");
-+    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
-+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+	    "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
-+	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
-+    }
-
-     debug_return;
- #endif /* __linux__ */
-@@ -203,6 +230,11 @@
- 	struct saved_limit *lim = &saved_limits[idx];
- 	if (getrlimit(lim->resource, &lim->oldlimit) == -1)
- 	    continue;
-+	sudo_debug_printf(SUDO_DEBUG_INFO,
-+	    "getrlimit(lim->name) -> [%lld, %lld]",
-+	    (long long)lim->oldlimit.rlim_cur,
-+	    (long long)lim->oldlimit.rlim_max);
-+
- 	lim->saved = true;
- 	if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
- 	    /* Don't reduce the soft resource limit. */
-@@ -217,13 +249,28 @@
- 		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
- 	}
- 	if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
--	    if (lim->fallback != NULL)
--		rc = setrlimit(lim->resource, lim->fallback);
-+	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+		"setrlimit(%s, [%lld, %lld])", lim->name,
-+		(long long)lim->newlimit.rlim_cur,
-+		(long long)lim->newlimit.rlim_max);
-+	    if (lim->fallback != NULL) {
-+		if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
-+		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+			"setrlimit(%s, [%lld, %lld])", lim->name,
-+			(long long)lim->fallback->rlim_cur,
-+			(long long)lim->fallback->rlim_max);
-+		}
-+	    }
- 	    if (rc == -1) {
- 		/* Try setting new rlim_cur to old rlim_max. */
- 		lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
- 		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
--		rc = setrlimit(lim->resource, &lim->newlimit);
-+		if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
-+		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+			"setrlimit(%s, [%lld, %lld])", lim->name,
-+			(long long)lim->newlimit.rlim_cur,
-+			(long long)lim->newlimit.rlim_max);
-+		}
- 	    }
- 	    if (rc == -1)
- 		sudo_warn("setrlimit(%s)", lim->name);
-@@ -254,6 +301,10 @@
- 		if (rc != -1 || errno != EINVAL)
- 		    break;
-
-+		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
-+		    "setrlimit(%s, [%lld, %lld])", lim->name,
-+		    (long long)rl.rlim_cur, (long long)rl.rlim_max);
-+
- 		/*
- 		 * Soft limit could be lower than current resource usage.
- 		 * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.

sudo.spec

@@ -1,13 +1,10 @@
-%global patchlevel b4
-%global upstream_version %{version}%{patchlevel}
-
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.9.0
-Release: 0.1.%{patchlevel}%{?dist}
+Version: 1.9.2
+Release: 1%{?dist}
 License: ISC
 URL: http://www.courtesan.com/sudo/
-Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz
+Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
 Source1: sudoers
 Requires: pam
 Recommends: vim-minimal
@@ -27,8 +24,7 @@ BuildRequires: zlib-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# https://www.sudo.ws/repos/sudo/rev/1064b906ca68
-Patch2: sudo-1.9-RLIMIT_CORE.patch
+Patch2: configure-runstatedir.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -49,11 +45,22 @@ Requires:       %{name} = %{version}-%{release}
 The %{name}-devel package contains header files developing sudo
 plugins that use %{name}.
 
+
+%package        logsrvd
+Summary:        High-performance log server for %{name}
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  openssl-devel
+
+
+%description    logsrvd
+%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
+It can be used to implement centralized logging of sudo logs.
+
 %prep
-%setup -q -n %{name}-%{upstream_version}
+%setup -q
 
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .orig
+%patch2 -p1 -b .runstatedir
 
 %build
 # Remove bundled copy of zlib
@@ -73,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
         --docdir=%{_pkgdocdir} \
+	--enable-openssl \
         --disable-root-mailer \
         --with-logging=syslog \
         --with-logfac=authpriv \
@@ -157,8 +165,8 @@ EOF
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
-%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
-%attr(0644,root,root) /etc/sudo.conf
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
+%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
@@ -167,8 +175,6 @@ EOF
 %attr(0755,root,root) %{_sbindir}/visudo
 %{_bindir}/cvtsudoers
 %dir %{_libexecdir}/sudo
-%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
-%attr(0755,root,root) %{_sbindir}/sudo_sendlog
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
 %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
@@ -188,11 +194,7 @@ EOF
 %{_mandir}/man8/visudo.8*
 %{_mandir}/man1/cvtsudoers.1.gz
 %{_mandir}/man5/sudoers_timestamp.5.gz
-%{_mandir}/man5/sudo_logsrv.proto.5.gz
-%{_mandir}/man5/sudo_logsrvd.conf.5.gz
-%{_mandir}/man8/sudo_logsrvd.8.gz
 %{_mandir}/man8/sudo_plugin_python.8.gz
-%{_mandir}/man8/sudo_sendlog.8.gz
 %dir %{_pkgdocdir}/
 %{_pkgdocdir}/*
 %{!?_licensedir:%global license %%doc}
@@ -209,7 +211,28 @@ EOF
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
 
+%files logsrvd
+%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
+%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
+%attr(0755,root,root) %{_sbindir}/sudo_sendlog
+%{_mandir}/man5/sudo_logsrv.proto.5.gz
+%{_mandir}/man5/sudo_logsrvd.conf.5.gz
+%{_mandir}/man8/sudo_logsrvd.8.gz
+%{_mandir}/man8/sudo_sendlog.8.gz
+
 %changelog
+* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
+- rebase to 1.9.2
+Resolves: rhbz#1859577
+- added logsrvd subpackage
+- added openssl-devel buildrequires
+Resolves: rhbz#1860653
+- fixed sudo runstatedir path
+- it was generated as /sudo instead of /run/sudo
+Resolves: rhbz#1868215
+- added /var/lib/snapd/snap/bin to secure_path variable
+Resolves: rhbz#1691996
+
 * Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
 - update to latest development version 1.9.0b4
 Resolves: rhbz#1816593

sudoers

@@ -85,7 +85,7 @@ Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
 #
 # Defaults   env_keep += "HOME"
 
-Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
 
 ## Next comes the main part: which users can run what software on 
 ## which machines (the sudoers file can be shared between multiple