Rebase to 1.8.28

Resolves: rhbz#1761533

- set always_set_home by default
  Resolves: rhbz#1728687

- Sync sudoers options from rhel8 to fedora
  Resolves: rhbz#1761781

- CVE-2019-14287
  Resolves: rhbz#1761584

.gitignore

@@ -17,3 +17,4 @@
 /sudo-1.8.25.tar.gz
 /sudo-1.8.25p1.tar.gz
 /sudo-1.8.27.tar.gz
+/sudo-1.8.28.tar.gz

sources

@@ -1 +1 @@
-SHA512 (sudo-1.8.27.tar.gz) = 0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac
+SHA512 (sudo-1.8.28.tar.gz) = 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7

sudo.spec

@@ -1,9 +1,7 @@
-%global user            millert
-
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.27
-Release: 3%{?dist}
+Version: 1.8.28
+Release: 1%{?dist}
 License: ISC
 URL: http://www.courtesan.com/sudo/
 Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
@@ -191,6 +189,16 @@ EOF
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1
+- rebase to 1.8.28
+Resolves: rhbz#1761533
+- set always_set_home by default
+Resolves: rhbz#1728687
+- Sync sudoers options from rhel8 to fedora
+Resolves: rhbz#1761781
+- CVE-2019-14287
+Resolves: rhbz#1761584
+
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 

sudoers

@@ -30,7 +30,7 @@
 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 
 ## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
 
 ## Updating the locate database
 # Cmnd_Alias LOCATE = /usr/bin/updatedb
@@ -54,13 +54,37 @@
 #
 Defaults   !visiblepw
 
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+Defaults    match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
+
 Defaults    env_reset
 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
-Defaults    env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
 Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
 
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
 Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 ## Next comes the main part: which users can run what software on