diff --git a/sudo-1.8.1p2-getgrouplist.patch b/sudo-1.8.1p2-getgrouplist.patch deleted file mode 100644 index 6ccfe5e..0000000 --- a/sudo-1.8.1p2-getgrouplist.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in ---- sudo-1.8.1p2/configure.in.getgrouplist 2011-07-12 12:13:29.562597933 +0200 -+++ sudo-1.8.1p2/configure.in 2011-07-12 12:15:27.116597851 +0200 -@@ -2007,7 +2007,7 @@ dnl - AC_FUNC_GETGROUPS - AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \ - regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \ -- setrlimit64 sysctl) -+ setrlimit64 sysctl getgrouplist) - AC_CHECK_FUNCS(getline, [], [ - AC_LIBOBJ(getline) - AC_CHECK_FUNCS(fgetln) -diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c ---- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist 2011-07-12 12:13:17.346597942 +0200 -+++ sudo-1.8.1p2/plugins/sudoers/pwutil.c 2011-07-12 12:19:02.171597700 +0200 -@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c - } - #endif /* HAVE_MBR_CHECK_MEMBERSHIP */ - -+#ifdef HAVE_GETGROUPLIST -+ if (user_ngroups >= 0 && -+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) -+ { -+ gid_t *grouplist, grouptmp; -+ int n_groups, i; -+ n_groups = 1; -+ -+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) { -+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1)); -+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0) -+ for (i = 0; i < n_groups; i++) -+ if (grouplist[i] == grp->gr_gid) { -+ free(grouplist); -+ retval = TRUE; -+ goto done; -+ } -+ free(grouplist); -+ } -+ } -+#endif /* HAVE_GETGROUPLIST */ -+ - done: - if (grp != NULL) - gr_delref(grp); diff --git a/sudo-1.8.3-pipelist.patch b/sudo-1.8.3-pipelist.patch deleted file mode 100644 index e976f0e..0000000 --- a/sudo-1.8.3-pipelist.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up sudo-1.8.3/src/ttysize.c.pipelist sudo-1.8.3/src/ttysize.c ---- sudo-1.8.3/src/ttysize.c.pipelist 2011-10-21 15:01:26.000000000 +0200 -+++ sudo-1.8.3/src/ttysize.c 2011-10-26 02:09:39.582790562 +0200 -@@ -20,6 +20,7 @@ - - #include - #include -+#include - #include - #ifdef STDC_HEADERS - # include -@@ -48,6 +49,16 @@ void - get_ttysize(int *rowp, int *colp) - { - char *p; -+ struct stat st; -+ -+ if (fstat(STDOUT_FILENO, &st) == 0) { -+ if (S_ISFIFO(st.st_mode)) { -+ *rowp = 0; -+ *colp = 0; -+ return; -+ } -+ } -+ - #ifdef TIOCGWINSZ - struct winsize wsize; - diff --git a/sudo-1.8.3p1-CVE-2012-0809.patch b/sudo-1.8.3p1-CVE-2012-0809.patch deleted file mode 100644 index 8010808..0000000 --- a/sudo-1.8.3p1-CVE-2012-0809.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- sudo-1.8.3p1/src/sudo.c Fri Oct 21 09:01:26 2011 -+++ sudo-1.8.3p1/src/sudo.c Tue Jan 24 15:59:03 2012 -@@ -1208,15 +1208,15 @@ - sudo_debug(int level, const char *fmt, ...) - { - va_list ap; -- char *fmt2; -+ char *buf; - - if (level > debug_level) - return; - -- /* Backet fmt with program name and a newline to make it a single write */ -- easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); -+ /* Bracket fmt with program name and a newline to make it a single write */ - va_start(ap, fmt); -- vfprintf(stderr, fmt2, ap); -+ evasprintf(&buf, fmt, ap); - va_end(ap); -- efree(fmt2); -+ fprintf(stderr, "%s: %s\n", getprogname(), buf); -+ efree(buf); - } diff --git a/sudo-1.8.5-pipelist.patch b/sudo-1.8.5-pipelist.patch new file mode 100644 index 0000000..ba587fa --- /dev/null +++ b/sudo-1.8.5-pipelist.patch @@ -0,0 +1,29 @@ +diff -up sudo-1.8.5rc5/common/ttysize.c.pipelist sudo-1.8.5rc5/common/ttysize.c +--- sudo-1.8.5rc5/common/ttysize.c.pipelist 2012-04-06 21:43:19.000000000 +0200 ++++ sudo-1.8.5rc5/common/ttysize.c 2012-05-16 13:03:17.184034854 +0200 +@@ -20,6 +20,7 @@ + + #include + #include ++#include + #include + #ifdef STDC_HEADERS + # include +@@ -71,8 +72,17 @@ get_ttysize_ioctl(int *rowp, int *colp) + void + get_ttysize(int *rowp, int *colp) + { ++ struct stat st; + debug_decl(fork_cmnd, SUDO_DEBUG_EXEC) + ++ if (fstat(STDOUT_FILENO, &st) == 0) { ++ if (S_ISFIFO(st.st_mode)) { ++ *rowp = 0; ++ *colp = 0; ++ return; ++ } ++ } ++ + if (get_ttysize_ioctl(rowp, colp) == -1) { + char *p; + diff --git a/sudo-1.8.3p1-sssd-support.patch b/sudo-1.8.5-sssd-support.patch similarity index 52% rename from sudo-1.8.3p1-sssd-support.patch rename to sudo-1.8.5-sssd-support.patch index 7e510bc..78602af 100644 --- a/sudo-1.8.3p1-sssd-support.patch +++ b/sudo-1.8.5-sssd-support.patch @@ -1,7 +1,7 @@ -diff -up sudo-1.8.3p1/configure.in.sssd-support sudo-1.8.3p1/configure.in ---- sudo-1.8.3p1/configure.in.sssd-support 2012-01-11 19:27:02.604019550 +0100 -+++ sudo-1.8.3p1/configure.in 2012-01-12 16:28:48.031171923 +0100 -@@ -275,6 +275,22 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING +diff -up sudo-1.8.5/configure.in.sssd-support sudo-1.8.5/configure.in +--- sudo-1.8.5/configure.in.sssd-support 2012-05-17 10:30:40.796975447 +0200 ++++ sudo-1.8.5/configure.in 2012-05-17 10:30:40.813975145 +0200 +@@ -284,6 +284,22 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING ;; esac]) @@ -24,7 +24,7 @@ diff -up sudo-1.8.3p1/configure.in.sssd-support sudo-1.8.3p1/configure.in AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])], [case $with_incpath in yes) AC_MSG_ERROR(["must give --with-incpath an argument."]) -@@ -3157,6 +3173,7 @@ AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if +@@ -3331,6 +3347,7 @@ AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.]) AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the header file.]) AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.]) @@ -32,24 +32,24 @@ diff -up sudo-1.8.3p1/configure.in.sssd-support sudo-1.8.3p1/configure.in AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.]) AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.]) -diff -up sudo-1.8.3p1/plugins/sudoers/Makefile.in.sssd-support sudo-1.8.3p1/plugins/sudoers/Makefile.in ---- sudo-1.8.3p1/plugins/sudoers/Makefile.in.sssd-support 2012-01-11 19:27:23.016032415 +0100 -+++ sudo-1.8.3p1/plugins/sudoers/Makefile.in 2012-01-12 16:35:00.527406716 +0100 -@@ -530,6 +530,10 @@ linux_audit.lo: $(srcdir)/linux_audit.c - $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \ - $(incdir)/gettext.h $(srcdir)/linux_audit.h +diff -up sudo-1.8.5/plugins/sudoers/Makefile.in.sssd-support sudo-1.8.5/plugins/sudoers/Makefile.in +--- sudo-1.8.5/plugins/sudoers/Makefile.in.sssd-support 2012-05-15 18:22:02.000000000 +0200 ++++ sudo-1.8.5/plugins/sudoers/Makefile.in 2012-05-17 10:30:40.815975110 +0200 +@@ -574,6 +574,10 @@ linux_audit.lo: $(srcdir)/linux_audit.c + $(incdir)/gettext.h $(incdir)/sudo_debug.h \ + $(srcdir)/linux_audit.h $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/linux_audit.c +sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \ -+ $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \ -+ $(incdir)/gettext.h ++ $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \ ++ $(incdir)/gettext.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sssd.c logging.lo: $(srcdir)/logging.c $(top_builddir)/config.h $(srcdir)/sudoers.h \ - $(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \ - $(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \ -diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/sudoers/sssd.c ---- sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support 2012-01-19 13:41:51.885154296 +0100 -+++ sudo-1.8.3p1/plugins/sudoers/sssd.c 2012-02-29 10:05:49.169875120 +0100 -@@ -0,0 +1,1157 @@ + $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \ + $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \ +diff -up sudo-1.8.5/plugins/sudoers/sssd.c.sssd-support sudo-1.8.5/plugins/sudoers/sssd.c +--- sudo-1.8.5/plugins/sudoers/sssd.c.sssd-support 2012-05-17 10:30:40.817975074 +0200 ++++ sudo-1.8.5/plugins/sudoers/sssd.c 2012-05-17 10:58:10.775036464 +0200 +@@ -0,0 +1,1194 @@ +/* + * Copyright (c) 2003-2011 Todd C. Miller + * Copyright (c) 2011 Daniel Kopecek @@ -106,6 +106,7 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s +#include "sudoers.h" +#include "parse.h" +#include "lbuf.h" ++#include "sudo_debug.h" + +extern int debug_level; +#define __sssd_debug debug_level @@ -113,30 +114,31 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s +#define DPRINTF(level, fmt, ...) if (__sssd_debug >= (level)) warningx("%s:%d: "fmt, __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__) + +/* sudo_nss implementation */ -+static int sudo_sssd_open(struct sudo_nss *nss); -+static int sudo_sssd_close(struct sudo_nss *nss); -+static int sudo_sssd_parse(struct sudo_nss *nss); -+static void sudo_sssd_parse_options(struct sss_sudo_rule *rule); -+static int sudo_sssd_setdefs(struct sudo_nss *nss); -+static int sudo_sssd_lookup(struct sudo_nss *nss, int ret, int pwflag); -+static int sudo_sssd_display_cmnd(struct sudo_nss *nss, struct passwd *pw); -+static int sudo_sssd_display_defaults(struct sudo_nss *nss, struct passwd *pw, ++static int sudo_sss_open(struct sudo_nss *nss); ++static int sudo_sss_close(struct sudo_nss *nss); ++static int sudo_sss_parse(struct sudo_nss *nss); ++static void sudo_sss_parse_options(struct sss_sudo_rule *rule); ++static int sudo_sss_setdefs(struct sudo_nss *nss); ++static int sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag); ++static int sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw); ++static int sudo_sss_display_defaults(struct sudo_nss *nss, struct passwd *pw, + struct lbuf *lbuf); + -+static int sudo_sssd_display_bound_defaults(struct sudo_nss *nss, ++static int sudo_sss_display_bound_defaults(struct sudo_nss *nss, + struct passwd *pw, struct lbuf *lbuf); + -+static int sudo_sssd_display_privs(struct sudo_nss *nss, struct passwd *pw, ++static int sudo_sss_display_privs(struct sudo_nss *nss, struct passwd *pw, + struct lbuf *lbuf); + + -+static struct sss_sudo_result *sudo_sssd_result_get(struct sudo_nss *nss, ++static struct sss_sudo_result *sudo_sss_result_get(struct sudo_nss *nss, + struct passwd *pw, + uint32_t *state); + -+static void sudo_sssd_attrcpy(struct sss_sudo_attr *dst, const struct sss_sudo_attr *src) ++static void sudo_sss_attrcpy(struct sss_sudo_attr *dst, const struct sss_sudo_attr *src) +{ + int i; ++ debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_LDAP) + + DPRINTF(3, "dst=%p, src=%p", dst, src); + DPRINTF(2, "emalloc: cnt=%d", src->num_values); @@ -148,13 +150,14 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + for (i = 0; i < dst->num_values; ++i) + dst->values[i] = strdup(src->values[i]); + -+ return; ++ debug_return; +} + -+static void sudo_sssd_rulecpy(struct sss_sudo_rule *dst, const struct sss_sudo_rule *src) ++static void sudo_sss_rulecpy(struct sss_sudo_rule *dst, const struct sss_sudo_rule *src) +{ + int i; -+ ++ debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_LDAP) ++ + DPRINTF(3, "dst=%p, src=%p", dst, src); + DPRINTF(2, "emalloc: cnt=%d", src->num_attrs); + @@ -162,9 +165,11 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + dst->attrs = emalloc(sizeof(struct sss_sudo_attr) * dst->num_attrs); + + for (i = 0; i < dst->num_attrs; ++i) { -+ sudo_sssd_attrcpy(dst->attrs + i, ++ sudo_sss_attrcpy(dst->attrs + i, + src->attrs + i); + } ++ ++ debug_return; +} + +#define _SUDO_SSS_FILTER_INCLUDE 0 @@ -173,16 +178,17 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s +#define _SUDO_SSS_STATE_HOSTMATCH 0x01 +#define _SUDO_SSS_STATE_USERMATCH 0x02 + -+static struct sss_sudo_result *sudo_sssd_filter_result(struct sss_sudo_result *in_res, int (*filterp)(struct sss_sudo_rule *, void *), int act, void *filterp_arg) ++static struct sss_sudo_result *sudo_sss_filter_result(struct sss_sudo_result *in_res, int (*filterp)(struct sss_sudo_rule *, void *), int act, void *filterp_arg) +{ + struct sss_sudo_result *out_res; + int i, l, r; ++ debug_decl(sudo_sss_filter_result, SUDO_DEBUG_LDAP) + + DPRINTF(3, "in_res=%p, count=%u, act=%s", + in_res, in_res->num_rules, act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE"); + + if (in_res == NULL) -+ return NULL; ++ debug_return_ptr(NULL); + + DPRINTF(3, "emalloc: cnt=%d", in_res->num_rules); + @@ -200,7 +206,7 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + act == _SUDO_SSS_FILTER_EXCLUDE ? "not excluded" : "included", + in_res->rules, i, out_res->rules, l, in_res->rules + i); + -+ sudo_sssd_rulecpy(out_res->rules + l, in_res->rules + i); ++ sudo_sss_rulecpy(out_res->rules + l, in_res->rules + i); + ++l; + } + } @@ -212,106 +218,125 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + + out_res->num_rules = l; + -+ return out_res; ++ debug_return_ptr(out_res); +} + -+struct sudo_sssd_handle { -+ char *username; -+ struct sss_sudo_result *result; -+ struct group_list *grlist; ++struct sudo_sss_handle { ++ char *domainname; ++ struct passwd *pw; +}; + -+struct sudo_nss sudo_nss_sssd = { -+ &sudo_nss_sssd, ++struct sudo_nss sudo_nss_sss = { ++ &sudo_nss_sss, + NULL, -+ sudo_sssd_open, -+ sudo_sssd_close, -+ sudo_sssd_parse, -+ sudo_sssd_setdefs, -+ sudo_sssd_lookup, -+ sudo_sssd_display_cmnd, -+ sudo_sssd_display_defaults, -+ sudo_sssd_display_bound_defaults, -+ sudo_sssd_display_privs ++ sudo_sss_open, ++ sudo_sss_close, ++ sudo_sss_parse, ++ sudo_sss_setdefs, ++ sudo_sss_lookup, ++ sudo_sss_display_cmnd, ++ sudo_sss_display_defaults, ++ sudo_sss_display_bound_defaults, ++ sudo_sss_display_privs +}; + -+ +/* sudo_nss implementation */ +// ok -+static int sudo_sssd_open(struct sudo_nss *nss) ++static int sudo_sss_open(struct sudo_nss *nss) +{ -+ struct sudo_sssd_handle *handle; ++ struct sudo_sss_handle *handle; ++ debug_decl(sudo_sss_open, SUDO_DEBUG_LDAP); + + /* Create a handle container. */ -+ handle = emalloc(sizeof(struct sudo_sssd_handle)); -+ handle->result = NULL; -+ handle->username = NULL; -+ handle->grlist = NULL; ++ handle = emalloc(sizeof(struct sudo_sss_handle)); ++ handle->domainname = NULL; ++ handle->pw = sudo_user.pw; + nss->handle = handle; + + DPRINTF(3, "handle=%p", handle); + -+ return 0; ++ debug_return_int(0); +} + +// ok -+static int sudo_sssd_close(struct sudo_nss *nss) ++static int sudo_sss_close(struct sudo_nss *nss) +{ ++ debug_decl(sudo_sss_close, SUDO_DEBUG_LDAP); + efree(nss->handle); -+ return 0; ++ debug_return_int(0); +} + +// ok -+static int sudo_sssd_parse(struct sudo_nss *nss) ++static int sudo_sss_parse(struct sudo_nss *nss) +{ -+ return 0; ++ debug_decl(sudo_sss_parse, SUDO_DEBUG_LDAP); ++ debug_return_int(0); +} + -+static int sudo_sssd_setdefs(struct sudo_nss *nss) ++static int sudo_sss_setdefs(struct sudo_nss *nss) +{ -+ struct sudo_sssd_handle *handle = nss->handle; ++ struct sudo_sss_handle *handle = nss->handle; + -+ struct sss_sudo_result *sres; -+ struct sss_sudo_rule *rule; -+ uint32_t serr; ++ struct sss_sudo_result *sss_result; ++ struct sss_sudo_rule *sss_rule; ++ uint32_t sss_error; + int i; ++ debug_decl(sudo_sss_setdefs, SUDO_DEBUG_LDAP); + + if (handle == NULL) -+ return -1; ++ debug_return_int(-1); + + DPRINTF(1, "Looking for cn=defaults"); + -+ if (sss_sudo_send_recv_defaults(&serr, &sres) != 0) { -+ DPRINTF(2, "sss_sudo_send_recv_defaults: != 0, serr=%u", serr); -+ return -1; ++ if (sss_sudo_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name, ++ &sss_error, &handle->domainname, ++ &sss_result) != 0) ++ { ++ DPRINTF(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error); ++ debug_return_int(-1); + } + -+ for (i = 0; i < sres->num_rules; ++i) { -+ DPRINTF(1, "Parsing cn=defaults, %d/%d", i, sres->num_rules); -+ rule = sres->rules + i; -+ sudo_sssd_parse_options(rule); ++ for (i = 0; i < sss_result->num_rules; ++i) { ++ DPRINTF(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules); ++ sss_rule = sss_result->rules + i; ++ sudo_sss_parse_options(sss_rule); + } + -+ sss_sudo_free_result(sres); ++ sss_sudo_free_result(sss_result); ++ debug_return_int(0); ++} + -+ DPRINTF(1, "Looking for cn=defaults... end"); ++static int sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw) ++{ ++ struct sudo_sss_handle *handle = nss->handle; ++ debug_decl(sudo_sss_checkpw, SUDO_DEBUG_LDAP); + -+ return 0; ++ if (pw->pw_name != handle->pw->pw_name || ++ pw->pw_uid != handle->pw->pw_uid) ++ { ++ DPRINTF(1, "Requested name or uid don't match the initial once, reinitializing..."); ++ handle->pw = pw; ++ ++ if (sudo_sss_setdefs(nss) != 0) ++ debug_return_int(-1); ++ } ++ ++ debug_return_int(0); +} + +static int -+sudo_sssd_check_runas_user(struct sss_sudo_rule *rule) ++sudo_sss_check_runas_user(struct sss_sudo_rule *sss_rule) +{ -+ char **v_arr = NULL; ++ char **val_array = NULL; + char *val; -+ int ret = FALSE, i; ++ int ret = false, i; ++ debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_LDAP); + + if (!runas_pw) -+ return UNSPEC; -+ ++ debug_return_int(UNSPEC); + + /* get the runas user from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoRunAsUser", &v_arr)) ++ switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array)) + { + case 0: + break; @@ -319,7 +344,7 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + DPRINTF(2, "No result. Trying old style (sudoRunAs)"); + + /* try old style */ -+ switch (sss_sudo_get_values(rule, "sudoRunAs", &v_arr)) ++ switch (sss_sudo_get_values(sss_rule, "sudoRunAs", &val_array)) + { + case 0: + break; @@ -332,12 +357,12 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + return !strcasecmp(runas_pw->pw_name, def_runas_default); + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); -+ return UNSPEC; ++ debug_return_int(UNSPEC); + } + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); -+ return UNSPEC; ++ debug_return_int(UNSPEC); + } + + /* @@ -358,8 +383,8 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + */ + + /* walk through values returned, looking for a match */ -+ for (i = 0; v_arr[i] != NULL && !ret; ++i) { -+ val = v_arr[i]; ++ for (i = 0; val_array[i] != NULL && !ret; ++i) { ++ val = val_array[i]; + + DPRINTF(3, "val[%d]=%s", i, val); + @@ -368,20 +393,20 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + DPRINTF(3, "netgr_"); + if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) { + DPRINTF(3, "=> match"); -+ ret = TRUE; ++ ret = true; + } + break; + case '%': + DPRINTF(3, "usergr_"); + if (usergr_matches(val, runas_pw->pw_name, runas_pw)) { + DPRINTF(3, "=> match"); -+ ret = TRUE; ++ ret = true; + } + break; + case 'A': + if (strcmp(val, "ALL") == 0) { + DPRINTF(3, "ALL => match"); -+ ret = TRUE; ++ ret = true; + break; + } + /* FALLTHROUGH */ @@ -389,7 +414,7 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + default: + if (strcasecmp(val, runas_pw->pw_name) == 0) { + DPRINTF(3, "%s == %s (pw_name) => match", val, runas_pw->pw_name); -+ ret = TRUE; ++ ret = true; + } + break; + } @@ -397,215 +422,214 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + DPRINTF(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + -+ sss_sudo_free_values(v_arr); /* cleanup */ ++ sss_sudo_free_values(val_array); /* cleanup */ + -+ return ret; ++ debug_return_int(ret); +} + +static int -+sudo_sssd_check_runas_group(struct sss_sudo_rule *rule) ++sudo_sss_check_runas_group(struct sss_sudo_rule *rule) +{ -+ char **v_arr = NULL; ++ char **val_array = NULL; + char *val; -+ int ret = FALSE, i; ++ int ret = false, i; ++ debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_LDAP); + + /* runas_gr is only set if the user specified the -g flag */ + if (!runas_gr) -+ return UNSPEC; ++ debug_return_int(UNSPEC); + + /* get the values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + break; + case ENOENT: + DPRINTF(2, "No result."); -+ return FALSE; ++ debug_return_int(false); + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); -+ return UNSPEC; ++ debug_return_int(UNSPEC); + } + + /* walk through values returned, looking for a match */ -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ val = v_arr[i]; ++ for (i = 0; val_array[i] != NULL; ++i) { ++ val = val_array[i]; + DPRINTF(3, "val[%d]=%s", i, val); + + if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr)) -+ ret = TRUE; ++ ret = true; + + DPRINTF(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + -+ return ret; ++ debug_return_int(ret); +} + +/* -+ * Walk through search results and return TRUE if we have a runas match, -+ * else FALSE. RunAs info is optional. ++ * Walk through search results and return true if we have a runas match, ++ * else false. RunAs info is optional. + */ +static int -+sudo_sssd_check_runas(struct sss_sudo_rule *rule) ++sudo_sss_check_runas(struct sss_sudo_rule *rule) +{ + int ret; ++ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_LDAP); + + if (rule == NULL) -+ return FALSE; ++ debug_return_int(false); + -+ ret = sudo_sssd_check_runas_user(rule) != FALSE && -+ sudo_sssd_check_runas_group(rule) != FALSE; ++ ret = sudo_sss_check_runas_user(rule) != false && ++ sudo_sss_check_runas_group(rule) != false; + -+ return ret; ++ debug_return_int(ret); +} + -+static int sudo_sssd_check_host(struct sss_sudo_rule *rule) ++static int sudo_sss_check_host(struct sss_sudo_rule *rule) +{ -+ char **v_arr, *val; -+ int ret = FALSE, i; ++ char **val_array, *val; ++ int ret = false, i; ++ debug_decl(sudo_sss_check_host, SUDO_DEBUG_LDAP); + + if (rule == NULL) -+ return ret; ++ debug_return_int(ret); + + /* get the values from the rule */ -+ switch (sss_sudo_get_values(rule, "sudoHost", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoHost", &val_array)) + { + case 0: + break; + case ENOENT: + DPRINTF(2, "No result."); -+ return FALSE; ++ debug_return_int(false); + default: + DPRINTF(2, "sss_sudo_get_values(sudoHost): != 0"); -+ return ret; ++ debug_return_int(ret); + } + + /* walk through values */ -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ val = v_arr[i]; ++ for (i = 0; val_array[i] != NULL; ++i) { ++ val = val_array[i]; + DPRINTF(3, "val[%d]=%s", i, val); + + /* match any or address or netgroup or hostname */ + if (!strcmp(val, "ALL") || addr_matches(val) || + netgr_matches(val, user_host, user_shost, NULL) || + hostname_matches(user_shost, user_host, val)) -+ ret = TRUE; ++ ret = true; + + DPRINTF(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + -+ return ret; ++ debug_return_int(ret); +} + -+static int sudo_sssd_result_filterp(struct sss_sudo_rule *rule, void *unused) ++static int sudo_sss_result_filterp(struct sss_sudo_rule *rule, void *unused) +{ + (void)unused; ++ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_LDAP); + -+ if (sudo_sssd_check_host(rule)) -+ return 1; ++ if (sudo_sss_check_host(rule)) ++ debug_return_int(1); + else -+ return 0; ++ debug_return_int(0); +} + -+static struct sss_sudo_result *sudo_sssd_result_get(struct sudo_nss *nss, -+ struct passwd *pw, -+ uint32_t *state) ++static struct sss_sudo_result *sudo_sss_result_get(struct sudo_nss *nss, struct passwd *pw, uint32_t *state) +{ -+ struct sudo_sssd_handle *handle = nss->handle; -+ struct sss_sudo_result *u_sres, *f_sres; -+ uint32_t serr = 0, ret; ++ struct sudo_sss_handle *handle = nss->handle; ++ struct sss_sudo_result *u_sss_result, *f_sss_result; ++ uint32_t sss_error = 0, ret; ++ debug_decl(sudo_sss_result_get, SUDO_DEBUG_LDAP); + -+ DPRINTF(1, "pw_name=%s", pw->pw_name); ++ if (sudo_sss_checkpw(nss, pw) != 0) ++ debug_return_ptr(NULL); + -+ u_sres = f_sres = NULL; ++ DPRINTF(1, " username=%s", handle->pw->pw_name); ++ DPRINTF(1, "domainname=%s", handle->domainname); + -+ switch (ret = sss_sudo_send_recv(pw->pw_name, &serr, &u_sres)) ++ u_sss_result = f_sss_result = NULL; ++ ++ switch (ret = sss_sudo_send_recv(handle->pw->pw_uid, handle->pw->pw_name, ++ handle->domainname, &sss_error, &u_sss_result)) + { + case 0: -+ switch (serr) { ++ switch (sss_error) { + case 0: -+ if (u_sres != NULL) { ++ if (u_sss_result != NULL) { + if (state != NULL) { + DPRINTF(3, "state |= USERMATCH"); + *state |= _SUDO_SSS_STATE_USERMATCH; + } -+ DPRINTF(2, "Received %u rule(s)", u_sres->num_rules); ++ DPRINTF(2, "Received %u rule(s)", u_sss_result->num_rules); + } else { -+ DPRINTF(2, "Internal error: u_sres == NULL && serr == 0"); -+ return NULL; ++ DPRINTF(2, "Internal error: u_sss_result == NULL && sss_error == 0"); ++ debug_return_ptr(NULL); + } + break; + case ENOENT: + DPRINTF(2, "No result."); + default: -+ DPRINTF(2, "serr=%u\n", serr); -+ return NULL; ++ DPRINTF(2, "sss_error=%u\n", sss_error); ++ debug_return_ptr(NULL); + } + break; + default: + DPRINTF(2, "sss_sudo_send_recv: != 0: ret=%d", ret); -+ return NULL; ++ debug_return_ptr(NULL); + } + -+ f_sres = sudo_sssd_filter_result(u_sres, sudo_sssd_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL); ++ f_sss_result = sudo_sss_filter_result(u_sss_result, sudo_sss_result_filterp, ++ _SUDO_SSS_FILTER_INCLUDE, NULL); + -+ if (f_sres != NULL) -+ if (f_sres->num_rules > 0) ++ if (f_sss_result != NULL) ++ if (f_sss_result->num_rules > 0) + if (state != NULL) { + DPRINTF(3, "state |= HOSTMATCH"); + *state |= _SUDO_SSS_STATE_HOSTMATCH; + } + -+ DPRINTF(3, "u_sres=(%p, %u) => f_sres=(%p, %u)", -+ u_sres, u_sres->num_rules, f_sres, f_sres->num_rules); ++ DPRINTF(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", ++ u_sss_result, u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); + -+ sss_sudo_free_result(u_sres); ++ sss_sudo_free_result(u_sss_result); + -+ /* Store everything in the sudo_nss handle. */ -+ handle->result = NULL; -+ -+ if (handle->username != NULL) { -+ DPRINTF(3, "Freeing previously stored username"); -+ efree(handle->username); -+ } -+ -+ handle->username = estrdup(pw->pw_name); -+ handle->grlist = user_group_list; -+ -+ return f_sres; ++ debug_return_ptr(f_sss_result); +} + +/* + * Search for boolean "option" in sudoOption. -+ * Returns TRUE if found and allowed, FALSE if negated, else UNSPEC. ++ * Returns true if found and allowed, false if negated, else UNSPEC. + */ +static int -+sudo_sssd_check_bool(struct sss_sudo_rule *rule, char *option) ++sudo_sss_check_bool(struct sss_sudo_rule *rule, char *option) +{ -+ char ch, *var, **v_arr = NULL; ++ char ch, *var, **val_array = NULL; + int i, ret = UNSPEC; ++ debug_decl(sudo_sss_check_bool, SUDO_DEBUG_LDAP); + + if (rule == NULL) -+ return ret; ++ debug_return_int(ret); + -+ switch (sss_sudo_get_values(rule, "sudoOption", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; + case ENOENT: + DPRINTF(2, "No result."); -+ return ret; ++ debug_return_int(ret); + default: + DPRINTF(2, "sss_sudo_get_values: != 0"); -+ return ret; ++ debug_return_int(ret); + } + + /* walk through options */ -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ var = v_arr[i]; ++ for (i = 0; val_array[i] != NULL; ++i) { ++ var = val_array[i]; + DPRINTF(2, "sssd/ldap sudoOption: '%s'", var); + + if ((ch = *var) == '!') @@ -614,57 +638,58 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + ret = (ch != '!'); + } + -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + -+ return ret; ++ debug_return_int(ret); +} + +/* -+ * Walk through search results and return TRUE if we have a command match, -+ * FALSE if disallowed and UNSPEC if not matched. ++ * Walk through search results and return true if we have a command match, ++ * false if disallowed and UNSPEC if not matched. + */ +static int -+sudo_sssd_check_command(struct sss_sudo_rule *rule, int *setenv_implied) ++sudo_sss_check_command(struct sss_sudo_rule *rule, int *setenv_implied) +{ -+ char **v_arr = NULL, *val; ++ char **val_array = NULL, *val; + char *allowed_cmnd, *allowed_args; + int i, foundbang, ret = UNSPEC; ++ debug_decl(sudo_sss_check_command, SUDO_DEBUG_LDAP); + + if (rule == NULL) -+ return ret; ++ debug_return_int(ret); + -+ switch (sss_sudo_get_values(rule, "sudoCommand", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) + { + case 0: + break; + case ENOENT: + DPRINTF(2, "No result."); -+ return ret; ++ debug_return_int(ret); + default: + DPRINTF(2, "sss_sudo_get_values: != 0"); -+ return ret; ++ debug_return_int(ret); + } + -+ for (i = 0; v_arr[i] != NULL && ret != FALSE; ++i) { -+ val = v_arr[i]; ++ for (i = 0; val_array[i] != NULL && ret != false; ++i) { ++ val = val_array[i]; + + DPRINTF(3, "val[%d]=%s", i, val); + + /* Match against ALL ? */ + if (!strcmp(val, "ALL")) { -+ ret = TRUE; ++ ret = true; + if (setenv_implied != NULL) -+ *setenv_implied = TRUE; ++ *setenv_implied = true; + DPRINTF(2, "sssd/ldap sudoCommand '%s' ... MATCH!", val); + continue; + } + + /* check for !command */ + if (*val == '!') { -+ foundbang = TRUE; ++ foundbang = true; + allowed_cmnd = estrdup(1 + val); /* !command */ + } else { -+ foundbang = FALSE; ++ foundbang = false; + allowed_cmnd = estrdup(val); /* command */ + } + @@ -679,44 +704,45 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + * If allowed (no bang) set ret but keep on checking. + * If disallowed (bang), exit loop. + */ -+ ret = foundbang ? FALSE : TRUE; ++ ret = foundbang ? false : true; + } + -+ DPRINTF(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == TRUE ? "MATCH!" : "not"); ++ DPRINTF(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == true ? "MATCH!" : "not"); + efree(allowed_cmnd); /* cleanup */ + } + -+ sss_sudo_free_values(v_arr); /* more cleanup */ ++ sss_sudo_free_values(val_array); /* more cleanup */ + -+ return ret; ++ debug_return_int(ret); +} + +static void -+sudo_sssd_parse_options(struct sss_sudo_rule *rule) ++sudo_sss_parse_options(struct sss_sudo_rule *rule) +{ + int i; + char op, *v, *val; -+ char **v_arr = NULL; ++ char **val_array = NULL; ++ debug_decl(sudo_sss_parse_options, SUDO_DEBUG_LDAP); + + if (rule == NULL) -+ return; ++ debug_return; + -+ switch (sss_sudo_get_values(rule, "sudoOption", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; + case ENOENT: + DPRINTF(2, "No result."); -+ return; ++ debug_return; + default: + DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); -+ return; ++ debug_return; + } + + /* walk through options */ -+ for (i = 0; v_arr[i] != NULL; i++) { -+ DPRINTF(2, "sssd/ldap sudoOption: '%s'", v_arr[i]); -+ v = estrdup(v_arr[i]); ++ for (i = 0; val_array[i] != NULL; i++) { ++ DPRINTF(2, "sssd/ldap sudoOption: '%s'", val_array[i]); ++ v = estrdup(val_array[i]); + + /* check for equals sign past first char */ + val = strchr(v, '='); @@ -729,31 +755,33 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + set_default(v, val, (int) op); + } else { + /* case var=val */ -+ set_default(v, val, TRUE); ++ set_default(v, val, true); + } + } else if (*v == '!') { + /* case !var Boolean False */ -+ set_default(v + 1, NULL, FALSE); ++ set_default(v + 1, NULL, false); + } else { + /* case var Boolean True */ -+ set_default(v, NULL, TRUE); ++ set_default(v, NULL, true); + } + efree(v); + } + -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); ++ debug_return; +} + -+static int sudo_sssd_lookup(struct sudo_nss *nss, int ret, int pwflag) ++static int sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) +{ + int rc, setenv_implied; + -+ struct sss_sudo_result *sres = NULL; ++ struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + uint32_t i, state = 0; ++ debug_decl(sudo_sss_lookup, SUDO_DEBUG_LDAP); + + /* Fetch list of sudoRole entries that match user and host. */ -+ sres = sudo_sssd_result_get(nss, sudo_user.pw, &state); ++ sss_result = sudo_sss_result_get(nss, sudo_user.pw, &state); + + /* + * The following queries are only determine whether or not a @@ -766,18 +794,18 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; + + DPRINTF(2, "perform search for pwflag %d", pwflag); -+ if (sres != NULL) { -+ for (i = 0; i < sres->num_rules; i++) { -+ rule = sres->rules + i; -+ if ((pwcheck == any && doauth != FALSE) || -+ (pwcheck == all && doauth == FALSE)) { -+ doauth = sudo_sssd_check_bool(rule, "authenticate"); ++ if (sss_result != NULL) { ++ for (i = 0; i < sss_result->num_rules; i++) { ++ rule = sss_result->rules + i; ++ if ((pwcheck == any && doauth != false) || ++ (pwcheck == all && doauth == false)) { ++ doauth = sudo_sss_check_bool(rule, "authenticate"); + } + /* Only check the command when listing another user. */ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || -+ sudo_sssd_check_command(rule, NULL)) { -+ matched = TRUE; ++ sudo_sss_check_command(rule, NULL)) { ++ matched = true; + break; + } + } @@ -792,11 +820,11 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + break; + case all: + case any: -+ if (doauth == FALSE) -+ def_authenticate = FALSE; ++ if (doauth == false) ++ def_authenticate = false; + break; + case never: -+ def_authenticate = FALSE; ++ def_authenticate = false; + break; + default: + break; @@ -808,22 +836,22 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + + DPRINTF(1, "searching SSSD/LDAP for sudoers entries"); + -+ setenv_implied = FALSE; -+ if (sres != NULL) { -+ for (i = 0; i < sres->num_rules; i++) { -+ rule = sres->rules + i; -+ if (!sudo_sssd_check_runas(rule)) ++ setenv_implied = false; ++ if (sss_result != NULL) { ++ for (i = 0; i < sss_result->num_rules; i++) { ++ rule = sss_result->rules + i; ++ if (!sudo_sss_check_runas(rule)) + continue; -+ rc = sudo_sssd_check_command(rule, &setenv_implied); ++ rc = sudo_sss_check_command(rule, &setenv_implied); + if (rc != UNSPEC) { + /* We have a match. */ -+ DPRINTF(1, "Command %sallowed", rc == TRUE ? "" : "NOT "); -+ if (rc == TRUE) { ++ DPRINTF(1, "Command %sallowed", rc == true ? "" : "NOT "); ++ if (rc == true) { + DPRINTF(3, "SSSD rule: %p", rule); + /* Apply entry-specific options. */ + if (setenv_implied) -+ def_setenv = TRUE; -+ sudo_sssd_parse_options(rule); ++ def_setenv = true; ++ sudo_sss_parse_options(rule); +#ifdef HAVE_SELINUX + /* Set role and type if not specified on command line. */ + if (user_role == NULL) @@ -855,36 +883,40 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + if (state & _SUDO_SSS_STATE_HOSTMATCH) + CLR(ret, FLAG_NO_HOST); + -+ DPRINTF(3, "sudo_sssd_lookup(%d)=0x%02x", pwflag, ret); ++ DPRINTF(3, "sudo_sss_lookup(%d)=0x%02x", pwflag, ret); + -+ return ret; ++ debug_return_int(ret); +} + -+static int sudo_sssd_display_cmnd(struct sudo_nss *nss, struct passwd *pw) ++static int sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw) +{ -+ struct sudo_sssd_handle *handle = nss->handle; -+ struct sss_sudo_result *sres = NULL; ++ struct sudo_sss_handle *handle = nss->handle; ++ struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; -+ int i, found = FALSE; ++ int i, found = false; ++ debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_LDAP); + + if (handle == NULL) + goto done; + ++ if (sudo_sss_checkpw(nss, pw) != 0) ++ debug_return_int(-1); ++ + /* -+ * The sudo_sssd_result_get() function returns all nodes that match ++ * The sudo_sss_result_get() function returns all nodes that match + * the user and the host. + */ + DPRINTF(1, "sssd/ldap search for command list"); -+ sres = sudo_sssd_result_get(nss, pw, NULL); ++ sss_result = sudo_sss_result_get(nss, pw, NULL); + -+ if (sres == NULL) ++ if (sss_result == NULL) + goto done; + -+ for (i = 0; i < sres->num_rules; i++) { -+ rule = sres->rules + i; -+ if (sudo_sssd_check_command(rule, NULL) && -+ sudo_sssd_check_runas(rule)) { -+ found = TRUE; ++ for (i = 0; i < sss_result->num_rules; i++) { ++ rule = sss_result->rules + i; ++ if (sudo_sss_check_command(rule, NULL) && ++ sudo_sss_check_runas(rule)) { ++ found = true; + goto done; + } + } @@ -894,37 +926,44 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + printf("%s%s%s\n", safe_cmnd ? safe_cmnd : user_cmnd, + user_args ? " " : "", user_args ? user_args : ""); + -+ if (sres != NULL) -+ sss_sudo_free_result(sres); ++ if (sss_result != NULL) ++ sss_sudo_free_result(sss_result); + -+ return !found; ++ debug_return_int(!found); +} + -+static int sudo_sssd_display_defaults(struct sudo_nss *nss, struct passwd *pw, ++static int sudo_sss_display_defaults(struct sudo_nss *nss, struct passwd *pw, + struct lbuf *lbuf) +{ -+ struct sudo_sssd_handle *handle = nss->handle; ++ struct sudo_sss_handle *handle = nss->handle; + + struct sss_sudo_rule *rule; -+ struct sss_sudo_result *sres = NULL; ++ struct sss_sudo_result *sss_result = NULL; + -+ uint32_t serr = 0; ++ uint32_t sss_error = 0; + -+ char *prefix, *val, **v_arr = NULL; ++ char *prefix, *val, **val_array = NULL; + int count = 0, i, j; + ++ debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_LDAP); ++ + if (handle == NULL) + goto done; + -+ if (sss_sudo_send_recv_defaults(&serr, &sres) != 0) { -+ DPRINTF(2, "sss_sudo_send_recv_defaults: !=0, serr=%u", serr); ++ if (sss_sudo_send_recv_defaults(pw->pw_uid, pw->pw_name, ++ &sss_error, &handle->domainname, ++ &sss_result) != 0) ++ { ++ DPRINTF(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error); + goto done; + } + -+ for (i = 0; i < sres->num_rules; ++i) { -+ rule = sres->rules + i; ++ handle->pw = pw; + -+ switch (sss_sudo_get_values(rule, "sudoOption", &v_arr)) ++ for (i = 0; i < sss_result->num_rules; ++i) { ++ rule = sss_result->rules + i; ++ ++ switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; @@ -941,62 +980,52 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + else + prefix = ", "; + -+ for (j = 0; v_arr[j] != NULL; ++j) { -+ val = v_arr[j]; ++ for (j = 0; val_array[j] != NULL; ++j) { ++ val = val_array[j]; + lbuf_append(lbuf, "%s%s", prefix, val); + prefix = ", "; + count++; + } + -+ sss_sudo_free_values(v_arr); -+ v_arr = NULL; ++ sss_sudo_free_values(val_array); ++ val_array = NULL; + } + -+ sss_sudo_free_result(sres); ++ sss_sudo_free_result(sss_result); +done: -+ return count; ++ debug_return_int(count); +} + +// ok -+static int sudo_sssd_display_bound_defaults(struct sudo_nss *nss, ++static int sudo_sss_display_bound_defaults(struct sudo_nss *nss, + struct passwd *pw, struct lbuf *lbuf) +{ -+ return 0; ++ debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_LDAP); ++ debug_return_int(0); +} + -+static int sudo_sssd_display_entry_long(struct sss_sudo_rule *rule, struct lbuf *lbuf) ++static int sudo_sss_display_entry_long(struct sss_sudo_rule *rule, struct lbuf *lbuf) +{ -+ char **v_arr = NULL; ++ char **val_array = NULL; + int count = 0, i; -+ -+#if 0 /* do we need this? */ -+ char *rdn; -+ /* extract the dn, only show the first rdn */ -+ rdn = sudo_ldap_get_first_rdn(ld, entry); -+ if (rdn != NULL) -+ lbuf_append(lbuf, _("\nLDAP Role: %s\n"), rdn); -+ else -+ lbuf_append(lbuf, _("\nLDAP Role: UNKNOWN\n")); -+ if (rdn) -+ ldap_memfree(rdn); -+#endif ++ debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_LDAP); + + /* get the RunAsUser Values from the entry */ + lbuf_append(lbuf, " RunAsUsers: "); -+ switch (sss_sudo_get_values(rule, "sudoRunAsUser", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array)) + { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: -+ switch (sss_sudo_get_values(rule, "sudoRunAs", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array)) + { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); @@ -1004,23 +1033,23 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); -+ return count; ++ debug_return_int(count); + } + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); -+ return count; ++ debug_return_int(count); + } + lbuf_append(lbuf, "\n"); + + /* get the RunAsGroup Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + lbuf_append(lbuf, " RunAsGroups: "); -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + lbuf_append(lbuf, "\n"); + break; + case ENOENT: @@ -1028,18 +1057,17 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); -+ return count; ++ debug_return_int(count); + } + -+ + /* get the Option Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoOption", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) + { + case 0: + lbuf_append(lbuf, " Options: "); -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + lbuf_append(lbuf, "\n"); + break; + case ENOENT: @@ -1047,54 +1075,55 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); -+ return count; ++ debug_return_int(count); + } + + /* Get the command values from the entry. */ -+ switch (sss_sudo_get_values(rule, "sudoCommand", &v_arr)) { ++ switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) { + case 0: + lbuf_append(lbuf, _(" Commands:\n")); -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ lbuf_append(lbuf, "\t%s\n", v_arr[i]); ++ for (i = 0; val_array[i] != NULL; ++i) { ++ lbuf_append(lbuf, "\t%s\n", val_array[i]); + count++; + } -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0"); -+ return count; ++ debug_return_int(count); + } + -+ return count; ++ debug_return_int(count); +} + -+static int sudo_sssd_display_entry_short(struct sss_sudo_rule *rule, struct lbuf *lbuf) ++static int sudo_sss_display_entry_short(struct sss_sudo_rule *rule, struct lbuf *lbuf) +{ -+ char **v_arr = NULL; ++ char **val_array = NULL; + int count = 0, i; ++ debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_LDAP); + + lbuf_append(lbuf, " ("); + + /* get the RunAsUser Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoRunAsUser", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array)) + { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result. Trying old style (sudoRunAs)."); + /* try old style */ -+ switch (sss_sudo_get_values(rule, "sudoRunAs", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array)) + { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); @@ -1102,120 +1131,128 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sssd.c.sssd-support sudo-1.8.3p1/plugins/s + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); -+ return count; ++ debug_return_int(count); + } + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); -+ return count; ++ debug_return_int(count); + } + + /* get the RunAsGroup Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + lbuf_append(lbuf, " : "); -+ for (i = 0; v_arr[i] != NULL; ++i) -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); -+ sss_sudo_free_values(v_arr); ++ for (i = 0; val_array[i] != NULL; ++i) ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); -+ return count; ++ debug_return_int(count); + } + + lbuf_append(lbuf, ") "); + + /* get the Option Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoOption", &v_arr)) ++ switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) + { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ char *cp = v_arr[i]; ++ for (i = 0; val_array[i] != NULL; ++i) { ++ char *cp = val_array[i]; + if (*cp == '!') + cp++; + if (strcmp(cp, "authenticate") == 0) -+ lbuf_append(lbuf, v_arr[i][0] == '!' ? ++ lbuf_append(lbuf, val_array[i][0] == '!' ? + "NOPASSWD: " : "PASSWD: "); + else if (strcmp(cp, "noexec") == 0) -+ lbuf_append(lbuf, v_arr[i][0] == '!' ? ++ lbuf_append(lbuf, val_array[i][0] == '!' ? + "EXEC: " : "NOEXEC: "); + else if (strcmp(cp, "setenv") == 0) -+ lbuf_append(lbuf, v_arr[i][0] == '!' ? ++ lbuf_append(lbuf, val_array[i][0] == '!' ? + "NOSETENV: " : "SETENV: "); + } + -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); -+ return count; ++ debug_return_int(count); + } + + /* get the Command Values from the entry */ -+ switch (sss_sudo_get_values(rule, "sudoCommand", &v_arr)) { ++ switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) { + case 0: -+ for (i = 0; v_arr[i] != NULL; ++i) { -+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", v_arr[i]); ++ for (i = 0; val_array[i] != NULL; ++i) { ++ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); + count++; + } -+ sss_sudo_free_values(v_arr); ++ sss_sudo_free_values(val_array); + break; + case ENOENT: + DPRINTF(2, "No result."); + break; + default: + DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0"); -+ return count; ++ debug_return_int(count); + } + lbuf_append(lbuf, "\n"); + -+ return count; ++ debug_return_int(count); +} + -+static int sudo_sssd_display_privs(struct sudo_nss *nss, struct passwd *pw, ++static int sudo_sss_display_privs(struct sudo_nss *nss, struct passwd *pw, + struct lbuf *lbuf) +{ -+ struct sss_sudo_result *sres = NULL; ++ struct sudo_sss_handle *handle = nss->handle; ++ ++ struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + unsigned int i, count = 0; ++ debug_decl(sudo_sss_display_privs, SUDO_DEBUG_LDAP); ++ ++ if (handle == NULL) ++ debug_return_int(-1); ++ if (sudo_sss_checkpw(nss, pw) != 0) ++ debug_return_int(-1); + + DPRINTF(2, "sssd/ldap search for command list"); + -+ sres = sudo_sssd_result_get(nss, pw, NULL); ++ sss_result = sudo_sss_result_get(nss, pw, NULL); + -+ if (sres == NULL) -+ return count; ++ if (sss_result == NULL) ++ debug_return_int(count); + + /* Display all matching entries. */ -+ for (i = 0; i < sres->num_rules; ++i) { -+ rule = sres->rules + i; ++ for (i = 0; i < sss_result->num_rules; ++i) { ++ rule = sss_result->rules + i; + if (long_list) -+ count += sudo_sssd_display_entry_long(rule, lbuf); ++ count += sudo_sss_display_entry_long(rule, lbuf); + else -+ count += sudo_sssd_display_entry_short(rule, lbuf); ++ count += sudo_sss_display_entry_short(rule, lbuf); + } + -+ if (sres != NULL) -+ sss_sudo_free_result(sres); ++ if (sss_result != NULL) ++ sss_sudo_free_result(sss_result); + -+ return count; ++ debug_return_int(count); +} -diff -up sudo-1.8.3p1/plugins/sudoers/sudo_nss.c.sssd-support sudo-1.8.3p1/plugins/sudoers/sudo_nss.c ---- sudo-1.8.3p1/plugins/sudoers/sudo_nss.c.sssd-support 2012-01-18 18:21:10.155151843 +0100 -+++ sudo-1.8.3p1/plugins/sudoers/sudo_nss.c 2012-01-18 18:29:40.366473444 +0100 +diff -up sudo-1.8.5/plugins/sudoers/sudo_nss.c.sssd-support sudo-1.8.5/plugins/sudoers/sudo_nss.c +--- sudo-1.8.5/plugins/sudoers/sudo_nss.c.sssd-support 2012-03-12 19:02:14.000000000 +0100 ++++ sudo-1.8.5/plugins/sudoers/sudo_nss.c 2012-05-17 10:30:40.819975039 +0200 @@ -47,8 +47,11 @@ extern struct sudo_nss sudo_nss_file; #ifdef HAVE_LDAP extern struct sudo_nss sudo_nss_ldap; #endif +#ifdef HAVE_SSSD -+extern struct sudo_nss sudo_nss_sssd; ++extern struct sudo_nss sudo_nss_sss; +#endif -#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF) @@ -1223,32 +1260,29 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sudo_nss.c.sssd-support sudo-1.8.3p1/plugi /* * Read in /etc/nsswitch.conf * Returns a tail queue of matches. -@@ -60,6 +63,7 @@ sudo_read_nss(void) +@@ -58,6 +61,9 @@ sudo_read_nss(void) + { + FILE *fp; char *cp; - int saw_files = FALSE; - int saw_ldap = FALSE; -+ int saw_sssd = FALSE; - int got_match = FALSE; - static struct sudo_nss_list snl; - -@@ -80,9 +84,16 @@ sudo_read_nss(void) - if (strcasecmp(cp, "files") == 0 && !saw_files) { - tq_append(&snl, &sudo_nss_file); - got_match = TRUE; -+#if defined(HAVE_LDAP) ++#if defined(HAVE_SSSD) ++ bool saw_sss = false; ++#endif + bool saw_files = false; + bool saw_ldap = false; + bool got_match = false; +@@ -84,6 +90,11 @@ sudo_read_nss(void) } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { tq_append(&snl, &sudo_nss_ldap); - got_match = TRUE; -+#endif + got_match = true; +#if defined(HAVE_SSSD) -+ } else if (strcasecmp(cp, "sss") == 0 && !saw_sssd) { -+ tq_append(&snl, &sudo_nss_sssd); -+ got_match = TRUE; ++ } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) { ++ tq_append(&snl, &sudo_nss_sss); ++ got_match = true; +#endif } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { /* NOTFOUND affects the most recent entry */ - tq_last(&snl)->ret_if_notfound = TRUE; -@@ -105,7 +116,7 @@ nomatch: + tq_last(&snl)->ret_if_notfound = true; +@@ -106,7 +117,7 @@ nomatch: #else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ @@ -1257,32 +1291,37 @@ diff -up sudo-1.8.3p1/plugins/sudoers/sudo_nss.c.sssd-support sudo-1.8.3p1/plugi /* * Read in /etc/netsvc.conf (like nsswitch.conf on AIX) -@@ -118,6 +129,7 @@ sudo_read_nss(void) +@@ -117,6 +128,9 @@ sudo_read_nss(void) + { + FILE *fp; char *cp, *ep; - int saw_files = FALSE; - int saw_ldap = FALSE; -+ int saw_sssd = FALSE; - int got_match = FALSE; - static struct sudo_nss_list snl; - -@@ -149,11 +161,20 @@ sudo_read_nss(void) - tq_append(&snl, &sudo_nss_file); - got_match = TRUE; - ep = &cp[5]; -+#if defined(HAVE_LDAP) - } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && - (isspace((unsigned char)cp[4]) || cp[4] == '\0')) { - tq_append(&snl, &sudo_nss_ldap); - got_match = TRUE; - ep = &cp[4]; -+#endif +#if defined(HAVE_SSSD) -+ } else if (!saw_sssd && strncasecmp(cp, "sss", 3) == 0 && ++ bool saw_sss = false; ++#endif + bool saw_files = false; + bool saw_ldap = false; + bool got_match = false; +@@ -156,6 +170,13 @@ sudo_read_nss(void) + tq_append(&snl, &sudo_nss_ldap); + got_match = true; + ep = &cp[4]; ++#if defined(HAVE_SSSD) ++ } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 && + (isspace((unsigned char)cp[3]) || cp[3] == '\0')) { -+ tq_append(&snl, &sudo_nss_sssd); -+ got_match = TRUE; ++ tq_append(&snl, &sudo_nss_sss); ++ got_match = true; + ep = &cp[3]; +#endif } else { - got_match = FALSE; + got_match = false; } +@@ -195,6 +216,9 @@ sudo_read_nss(void) + static struct sudo_nss_list snl; + debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) + ++# ifdef HAVE_SSSD ++ tq_append(&snl, &sudo_nss_sss); ++# endif + # ifdef HAVE_LDAP + tq_append(&snl, &sudo_nss_ldap); + # endif diff --git a/sudo.spec b/sudo.spec index 444c68d..858b309 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.3p1 -Release: 6%{?dist} +Version: 1.8.5 +Release: 1%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -29,11 +29,9 @@ Patch2: sudo-1.7.2p1-envdebug.patch # add m4/ to paths in aclocal.m4 Patch3: sudo-1.7.4p3-m4path.patch # disable word wrapping if the ouput is piped -Patch4: sudo-1.8.3-pipelist.patch -# CVE-2012-0809 -Patch5: sudo-1.8.3p1-CVE-2012-0809.patch +Patch4: sudo-1.8.5-pipelist.patch # SSSD support -Patch6: sudo-1.8.3p1-sssd-support.patch +Patch5: sudo-1.8.5-sssd-support.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -62,8 +60,7 @@ plugins that use %{name}. %patch2 -p1 -b .envdebug %patch3 -p1 -b .m4path %patch4 -p1 -b .pipelist -%patch5 -p1 -b .CVE-2012-0809 -%patch6 -p1 -b .sssd-support +%patch5 -p1 -b .sssd-support # Remove execute permission on this script so we don't pull in perl deps chmod -x plugins/sudoers/sudoers2ldif @@ -95,8 +92,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --with-linux-audit \ - --with-sssd + --with-linux-audit +# --with-sssd # --without-kerb5 \ # --without-kerb4 make @@ -141,9 +138,6 @@ rm -rf $RPM_BUILD_ROOT %files -f sudo_all.lang %defattr(-,root,root) -%doc ChangeLog NEWS README* MANIFEST -%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE -%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.* %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo @@ -162,6 +156,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/visudo.8* +%{_docdir}/sudo-%{version}/* # Make sure permissions are ok even if we're updating @@ -175,6 +170,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 +- update to 1.8.5 +- fixed CVE-2012-2337 +- temporarily disabled SSSD support + * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517)