fix autotools stuff and add audit support
This commit is contained in:
parent
3b2065d554
commit
e25038bfb0
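--- a/sudo-1.6.9p4-audit.patch
+++ b/sudo-1.6.9p4-audit.patch
@@ -0,0 +1,398 @@
+diff -up sudo-1.6.9p4/audit_help.c.audit sudo-1.6.9p4/audit_help.c
+--- sudo-1.6.9p4/audit_help.c.audit 2007-08-30 20:06:30.000000000 +0400
++++ sudo-1.6.9p4/audit_help.c 2007-08-30 20:06:30.000000000 +0400
+@@ -0,0 +1,81 @@
++/*
++ * Audit helper functions used throughout sudo
++ *
++ * Copyright (C) 2007, Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#ifdef WITH_AUDIT
++
++#include <stdlib.h>
++#include <syslog.h>
++#include <stdarg.h>
++#include <libaudit.h>
++#include <errno.h>
++#include <stdio.h>
++
++int audit_fd;
++
++void audit_help_open (void)
++{
++ audit_fd = audit_open ();
++ if (audit_fd < 0) {
++ /* You get these only when the kernel doesn't have
++ * audit compiled in. */
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return;
++ fprintf (stderr, "Cannot open audit interface - aborting.\n");
++ exit (1);
++ }
++}
++
++/*
++ * This function will log a message to the audit system using a predefined
++ * message format. Parameter usage is as follows:
++ *
++ * type - type of message: AUDIT_USER_CMD
++ * command - the command being logged
++ * result - 1 is "success" and 0 is "failed"
++ *
++ */
++void audit_logger (int type, const char *command, int result)
++{
++ int err;
++
++ if (audit_fd < 0)
++ return;
++ else {
++ err = audit_log_user_command (audit_fd, type, command, NULL, result);
++ if( err <= 0 )
++ perror("audit_log_user_command()");
++ }
++}
++
++#endif /* WITH_AUDIT */
++
+diff -up sudo-1.6.9p4/Makefile.in.audit sudo-1.6.9p4/Makefile.in
+--- sudo-1.6.9p4/Makefile.in.audit 2007-08-15 18:16:57.000000000 +0400
++++ sudo-1.6.9p4/Makefile.in 2007-08-30 20:06:30.000000000 +0400
+@@ -118,11 +118,13 @@ HDRS = compat.h def_data.h defaults.h in
+
+AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+
++AUDIT_OBJS = audit_help.o
++
+PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
+
+SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
+interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \
+- tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS)
++ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS)
+
+VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
+
+@@ -273,6 +275,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
+sia.o: $(authdir)/sia.c $(AUTHDEP)
+$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+
++audit_help.o: audit_help.c sudo.h
++ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
++
+sudo.man.in: $(srcdir)/sudo.pod
+@rm -f $(srcdir)/$@
+( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ )
+diff -up sudo-1.6.9p4/sudo.h.audit sudo-1.6.9p4/sudo.h
+--- sudo-1.6.9p4/sudo.h.audit 2007-08-30 20:06:30.000000000 +0400
++++ sudo-1.6.9p4/sudo.h 2007-08-30 20:06:30.000000000 +0400
+@@ -23,6 +23,8 @@
+#ifndef _SUDO_SUDO_H
+#define _SUDO_SUDO_H
+
++#include <config.h>
++
+#include <pathnames.h>
+#include <limits.h>
+#include "compat.h"
+@@ -274,4 +276,10 @@ extern int sudo_mode;
+extern int errno;
+#endif
+
++#ifdef WITH_AUDIT
++extern int audit_fd;
++extern void audit_help_open (void);
++extern void audit_logger (int, const char *, int);
++#endif
++
+#endif /* _SUDO_SUDO_H */
+diff -up sudo-1.6.9p4/sudo.c.audit sudo-1.6.9p4/sudo.c
+--- sudo-1.6.9p4/sudo.c.audit 2007-08-30 20:06:30.000000000 +0400
++++ sudo-1.6.9p4/sudo.c 2007-08-30 20:18:26.000000000 +0400
+@@ -97,6 +97,10 @@
+# include <sys/task.h>
+#endif
+
++#ifdef WITH_AUDIT
++#include <libaudit.h>
++#endif
++
+#include "sudo.h"
+#include "interfaces.h"
+#include "version.h"
+@@ -292,6 +296,10 @@ main(argc, argv, envp)
+if (safe_cmnd == NULL)
+safe_cmnd = estrdup(user_cmnd);
+
++#if defined(WITH_AUDIT)
++ audit_help_open ();
++#endif
++
+/*
+* Look up the timestamp dir owner if one is specified.
+*/
+@@ -302,9 +310,13 @@ main(argc, argv, envp)
+pw = getpwuid(atoi(def_timestampowner + 1));
+else
+pw = getpwnam(def_timestampowner);
+- if (!pw)
++ if (!pw) {
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+log_error(0, "timestamp owner (%s): No such user",
+def_timestampowner);
++ }
+timestamp_uid = pw->pw_uid;
+}
+
+@@ -314,15 +326,22 @@ main(argc, argv, envp)
+exit(0);
+}
+
+- if (ISSET(validated, VALIDATE_ERROR))
++ if (ISSET(validated, VALIDATE_ERROR)) {
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
+errorlineno);
++ }
+
+/* Is root even allowed to run sudo? */
+if (user_uid == 0 && !def_root_sudo) {
+(void) fprintf(stderr,
+"Sorry, %s has been configured to not allow root to run it.\n",
+getprogname());
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+exit(1);
+}
+
+@@ -336,8 +355,12 @@ main(argc, argv, envp)
+
+/* Bail if a tty is required and we don't have one. */
+if (def_requiretty) {
+- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
++ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
++ }
+else
+(void) close(fd);
+}
+@@ -370,17 +393,27 @@ main(argc, argv, envp)
+/* Finally tell the user if the command did not exist. */
+if (cmnd_status == NOT_FOUND_DOT) {
+warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+exit(1);
+} else if (cmnd_status == NOT_FOUND) {
+warnx("%s: command not found", user_cmnd);
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+exit(1);
+}
+
+/* If user specified env vars make sure sudoers allows it. */
+if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {
+- if (ISSET(sudo_mode, MODE_PRESERVE_ENV))
++ if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
++#if defined(WITH_AUDIT)
++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0);
++#endif
+log_error(NO_MAIL,
+"sorry, you are not allowed to preserve the environment");
++ }
+else
+validate_env_vars(sudo_user.env_vars);
+}
+@@ -439,11 +472,23 @@ main(argc, argv, envp)
+(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+
++ if (access(safe_cmnd, X_OK) != 0) {
++ warn ("unable to execute %s", safe_cmnd);
++#ifdef WITH_AUDIT
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
++#endif
++ exit(127);
++ }
++#ifdef WITH_AUDIT
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 1);
++#endif
++
+#ifndef PROFILING
+if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
+exit(0);
+- else
++ else {
+execve(safe_cmnd, NewArgv, environ);
++ }
+#else
+exit(0);
+#endif /* PROFILING */
+@@ -456,6 +501,9 @@ main(argc, argv, envp)
+NewArgv[1] = safe_cmnd;
+execve(_PATH_BSHELL, NewArgv, environ);
+}
++#ifdef WITH_AUDIT
++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0);
++#endif
+warn("unable to execute %s", safe_cmnd);
+exit(127);
+} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
+diff -up sudo-1.6.9p4/configure.in.audit sudo-1.6.9p4/configure.in
+--- sudo-1.6.9p4/configure.in.audit 2007-08-30 20:06:30.000000000 +0400
++++ sudo-1.6.9p4/configure.in 2007-08-30 20:06:30.000000000 +0400
+@@ -150,6 +150,10 @@ dnl
+dnl Options for --with
+dnl
+
++AC_ARG_WITH(audit,
++ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
++ [with_audit=$withval], [with_audit=yes])
++
+AC_ARG_WITH(CC, [ --with-CC C compiler to use],
+[case $with_CC in
+yes) AC_MSG_ERROR(["must give --with-CC an argument."])
+@@ -1579,6 +1583,25 @@ dnl
+: ${mansectsu='8'}
+: ${mansectform='5'}
+
++
++AC_SUBST(LIBAUDIT)
++if test "$with_audit" = "yes"; then
++ # See if we have the audit library
++ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
++ if test "$audit_header" = "yes"; then
++ AC_CHECK_LIB(audit, audit_log_user_command,
++ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
++ LIBAUDIT="-laudit"])
++ fi
++ # See if we have the libcap library
++ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
++ if test "$cap_header" = "yes"; then
++ AC_CHECK_LIB(cap, cap_init,
++ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
++ SUDO_LIBS="${SUDO_LIBS} -lcap"])
++ fi
++fi
++
+dnl
+dnl Add in any libpaths or libraries specified via configure
+dnl
+diff -up sudo-1.6.9p4/set_perms.c.audit sudo-1.6.9p4/set_perms.c
+--- sudo-1.6.9p4/set_perms.c.audit 2007-07-06 18:16:22.000000000 +0400
++++ sudo-1.6.9p4/set_perms.c 2007-08-30 20:06:30.000000000 +0400
+@@ -53,6 +53,10 @@
+#ifdef HAVE_LOGIN_CAP_H
+# include <login_cap.h>
+#endif
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++# include <sys/prctl.h>
++# include <sys/capability.h>
++#endif
+
+#include "sudo.h"
+
+@@ -101,22 +105,55 @@ set_perms(perm)
+if (setresuid(user_uid, user_uid, user_uid))
+err(1, "setresuid(user_uid, user_uid, user_uid)");
+break;
+-
++
++ case PERM_FULL_RUNAS:
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++ { /* BEGIN CAP BLOCK */
++ cap_t new_caps;
++ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
++
++ if (runas_pw->pw_uid != ROOT_UID) {
++ new_caps = cap_init ();
++ if (!new_caps)
++ err(1, "Error initing capabilities, aborting.\n");
++
++ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
++ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
++ err(1, "Error setting capabilities, aborting\n");
++ }
++
++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
++ err(1, "Error setting KEEPCAPS, aborting\n");
++ }
++#endif
++ /* headed for exec(), assume euid == ROOT_UID */
++ runas_setup ();
++ if (setresuid(def_stay_setuid ?
++ user_uid : runas_pw->pw_uid,
++ runas_pw->pw_uid, runas_pw->pw_uid))
++ err(1, "unable to change to runas uid");
++
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++ if (runas_pw->pw_uid != ROOT_UID) {
++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
++ err(1, "Error resetting KEEPCAPS, aborting\n");
++
++ if (cap_set_proc(new_caps))
++ err(1, "Error dropping capabilities, aborting\n");
++
++ if (cap_free (new_caps))
++ err(1, "Error freeing caps\n");
++ }
++ } /* END CAP BLOCK */
++#endif
++ break;
++
+case PERM_RUNAS:
+(void) setresgid(-1, runas_pw->pw_gid, -1);
+if (setresuid(-1, runas_pw->pw_uid, -1))
+err(1, "unable to change to runas uid");
+break;
+
+- case PERM_FULL_RUNAS:
+- /* headed for exec(), assume euid == ROOT_UID */
+- runas_setup();
+- if (setresuid(def_stay_setuid ?
+- user_uid : runas_pw->pw_uid,
+- runas_pw->pw_uid, runas_pw->pw_uid))
+- err(1, "unable to change to runas uid");
+- break;
+-
+case PERM_SUDOERS:
+/* assume euid == ROOT_UID, ruid == user */
+if (setresgid(-1, SUDOERS_GID, -1))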
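Review bot: `int audit_fd;` in the new audit_help.c is zero-initialised, so the `if (audit_fd < 0) return;` guard in `audit_logger()` does not cover a call that happens before `audit_help_open()` has run — the record would be sent on descriptor 0 rather than dropped; declare it `int audit_fd = -1;` so an unopened audit socket is a no-op by construction. In the Makefile.in hunk the `audit_help.o` rule expands `$(LIBADUIT)`, a typo for `LIBAUDIT`, and a `-c` compile step has no use for a link library anyway; configure.in does `AC_SUBST(LIBAUDIT)` but nothing in this patch adds it to the link line, so unless SUDO_LIBS picks it up somewhere not shown, a WITH_AUDIT build fails with undefined references to `audit_open`/`audit_log_user_command`. The success record `audit_logger(AUDIT_USER_CMD, safe_cmnd, 1)` in sudo.c is necessarily written before `execve()`, and a failed exec presumably falls through to the `audit_logger(AUDIT_USER_CMD, safe_cmnd, 0)` after the `_PATH_BSHELL` retry, so one invocation can yield both a success and a failure record; a comment at the success call such as `/* logged before exec: a later exec failure is recorded separately with result 0 */` would save the next reader from treating the pair as a bug. The `err(1, "...\n")` calls in set_perms.c embed a newline that err(3) already appends, leaving a blank line after each message. Every sudo.c hunk sits inside main(), whose start and end are outside the patch.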
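--- a/sudo-1.6.9p4-autotoolsRecursion.patch
+++ b/sudo-1.6.9p4-autotoolsRecursion.patch
@@ -0,0 +1,41 @@
+diff -up sudo-1.6.9p4/acsite.m4.autotoolsRecursion sudo-1.6.9p4/acsite.m4
+--- sudo-1.6.9p4/acsite.m4.autotoolsRecursion 2007-08-27 12:33:37.000000000 +0400
++++ sudo-1.6.9p4/acsite.m4 2007-08-27 12:33:52.000000000 +0400
+@@ -6319,19 +6319,32 @@ m4_define([lt_join],
+])
+
+
++# lt_car(LIST)
++# lt_cdr(LIST)
++# ------------
++# Manipulate m4 lists.
++# These macros are necessary as long as will still need to support
++# Autoconf-2.59 which quotes differently.
++m4_define([lt_car], [[$1]])
++m4_define([lt_cdr],
++[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
++ [$#], 1, [],
++ [m4_dquote(m4_shift($@))])])
++
++
+# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
+# ----------------------------------------------------------
+# Produce a SEP delimited list of all paired combinations of elements of
+# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list
+# has the form PREFIXmINFIXSUFFIXn.
+m4_define([lt_combine],
+-[m4_if([$2], [[]], [],
+- [lt_join(m4_quote(m4_default([$1], [, ])),
+- _$0([$1], m4_car($2)[$3], m4_shiftn(3, $@)),
+- $0([$1], m4_cdr($2), m4_shiftn(2, $@)))])])
++[m4_if([$2], [], [],
++ [lt_join(m4_quote(m4_default([$1], [[, ]])),
++ _$0([$1], lt_car($2)[$3], m4_shiftn(3, $@)),
++ $0([$1], lt_cdr($2), m4_shiftn(2, $@)))])])
+m4_define([_lt_combine],
+[m4_if([$3], [], [],
+- [lt_join(m4_quote(m4_default([$1], [, ])),
++ [lt_join(m4_quote(m4_default([$1], [[, ]])),
+[$2$3],
+$0([$1], [$2], m4_shiftn(3, $@)))])[]dnl
+])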
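Review bot: The new header comment above `lt_car`/`lt_cdr` in acsite.m4 is missing its subject — `as long as will still need to support` — and should read `# These macros are necessary as long as we still need to support` so the reason for carrying local copies of the list helpers is clear. It would also help to state in that comment that `lt_car`/`lt_cdr` replace the `m4_car`/`m4_cdr` calls removed from `lt_combine` below, since the `m4_if([$2], [], ...)` and `[[, ]]` quoting changes in `lt_combine` and `_lt_combine` only make sense together with that substitution.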
@ -9,17 +9,6 @@
|
|||||||
if test -z "$SKIP_SETRESUID"; then
|
if test -z "$SKIP_SETRESUID"; then
|
||||||
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
|
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
|
||||||
fi
|
fi
|
||||||
--- sudo-1.6.9p4/configure.getgrouplist 2007-08-15 15:23:44.000000000 +0200
|
|
||||||
+++ sudo-1.6.9p4/configure 2007-08-20 13:26:25.000000000 +0200
|
|
||||||
@@ -14235,7 +14235,7 @@
|
|
||||||
|
|
||||||
for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
|
|
||||||
strftime setrlimit initgroups getgroups fstat gettimeofday \
|
|
||||||
- setlocale getaddrinfo
|
|
||||||
+ setlocale getaddrinfo getgrouplist
|
|
||||||
do
|
|
||||||
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
|
||||||
echo "$as_me:$LINENO: checking for $ac_func" >&5
|
|
||||||
--- sudo-1.6.9p4/check.c.getgrouplist 2007-07-06 21:52:13.000000000 +0200
|
--- sudo-1.6.9p4/check.c.getgrouplist 2007-07-06 21:52:13.000000000 +0200
|
||||||
+++ sudo-1.6.9p4/check.c 2007-08-20 13:21:10.000000000 +0200
|
+++ sudo-1.6.9p4/check.c 2007-08-20 13:21:10.000000000 +0200
|
||||||
@@ -308,6 +308,24 @@
|
@@ -308,6 +308,24 @@
|
||||||
@ -47,15 +36,4 @@
|
|||||||
return(FALSE);
|
return(FALSE);
|
||||||
}
|
}
|
||||||
|
|
||||||
--- sudo-1.6.9p4/config.h.in.getgrouplist 2007-08-20 11:41:32.000000000 +0200
|
|
||||||
+++ sudo-1.6.9p4/config.h.in 2007-08-20 13:21:10.000000000 +0200
|
|
||||||
@@ -140,6 +140,9 @@
|
|
||||||
/* Define to 1 if you have the `getgroups' function. */
|
|
||||||
#undef HAVE_GETGROUPS
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `getgrouplist' function. */
|
|
||||||
+#undef HAVE_GETGROUPLIST
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `getifaddrs' function. */
|
|
||||||
#undef HAVE_GETIFADDRS
|
|
||||||
|
|
||||||
|
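--- a/sudo-1.6.9p4-getprpwnam.patch
+++ b/sudo-1.6.9p4-getprpwnam.patch
@@ -0,0 +1,12 @@
+diff -up sudo-1.6.9p4/configure.in.getprpwnam sudo-1.6.9p4/configure.in
+--- sudo-1.6.9p4/configure.in.getprpwnam 2007-08-27 13:24:54.000000000 +0400
++++ sudo-1.6.9p4/configure.in 2007-08-27 13:25:48.000000000 +0400
+@@ -1975,7 +1975,7 @@ if test "$CHECKSHADOW" = "true"; then
+AC_CHECK_FUNCS(getspnam, [CHECKSHADOW="false"], [AC_CHECK_LIB(gen, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen"])])
+fi
+if test "$CHECKSHADOW" = "true"; then
+- AC_CHECK_FUNC(getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1], AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"], AC_CHECK_LIB(security, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lprot"; LIBS="${LIBS} -lprot"])))])
++ AC_CHECK_FUNC(getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1], [AC_CHECK_LIB(sec, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"], [AC_CHECK_LIB(security, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"], [AC_CHECK_LIB(prot, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lprot"; LIBS="${LIBS} -lprot"])])])])
+fi
+if test -n "$SECUREWARE"; then
+AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs)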
@ -14,18 +14,6 @@
|
|||||||
if (pam_status != PAM_SUCCESS) {
|
if (pam_status != PAM_SUCCESS) {
|
||||||
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
|
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
|
||||||
return(AUTH_FATAL);
|
return(AUTH_FATAL);
|
||||||
--- sudo-1.6.9p4/config.h.in.login 2007-08-15 15:22:19.000000000 +0200
|
|
||||||
+++ sudo-1.6.9p4/config.h.in 2007-08-20 11:08:34.000000000 +0200
|
|
||||||
@@ -266,6 +266,9 @@
|
|
||||||
/* Define to 1 if you use PAM authentication. */
|
|
||||||
#undef HAVE_PAM
|
|
||||||
|
|
||||||
+/* Define to 1 if you use specific PAM session for sodo -i. */
|
|
||||||
+#undef HAVE_PAM_LOGIN
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the <pam/pam_appl.h> header file. */
|
|
||||||
#undef HAVE_PAM_PAM_APPL_H
|
|
||||||
|
|
||||||
--- sudo-1.6.9p4/env.c.login 2007-07-31 20:04:31.000000000 +0200
|
--- sudo-1.6.9p4/env.c.login 2007-07-31 20:04:31.000000000 +0200
|
||||||
+++ sudo-1.6.9p4/env.c 2007-08-20 11:24:48.000000000 +0200
|
+++ sudo-1.6.9p4/env.c 2007-08-20 11:24:48.000000000 +0200
|
||||||
@@ -104,7 +104,7 @@
|
@@ -104,7 +104,7 @@
|
||||||
@ -56,7 +44,7 @@
|
|||||||
|
|
||||||
+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
|
+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
|
||||||
+[case $with_pam_login in
|
+[case $with_pam_login in
|
||||||
+ yes) AC_DEFINE(HAVE_PAM_LOGIN)
|
+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
|
||||||
+ AC_MSG_CHECKING(whether to use PAM login)
|
+ AC_MSG_CHECKING(whether to use PAM login)
|
||||||
+ AC_MSG_RESULT(yes)
|
+ AC_MSG_RESULT(yes)
|
||||||
+ ;;
|
+ ;;
|
||||||
|
21
sudo.spec
21
sudo.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: Allows restricted root access for specified users
|
Summary: Allows restricted root access for specified users
|
||||||
Name: sudo
|
Name: sudo
|
||||||
Version: 1.6.9p4
|
Version: 1.6.9p4
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
URL: http://www.courtesan.com/sudo/
|
URL: http://www.courtesan.com/sudo/
|
||||||
@ -15,6 +15,8 @@ BuildRequires: groff
|
|||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
|
BuildRequires: automake autoconf libtool
|
||||||
|
BuildRequires: audit-libs-devel libcap-devel
|
||||||
|
|
||||||
# don't strip
|
# don't strip
|
||||||
Patch1: sudo-1.6.7p5-strip.patch
|
Patch1: sudo-1.6.7p5-strip.patch
|
||||||
@ -22,6 +24,9 @@ Patch1: sudo-1.6.7p5-strip.patch
|
|||||||
Patch2: sudo-1.6.9p4-login.patch
|
Patch2: sudo-1.6.9p4-login.patch
|
||||||
# the rest, see changelog
|
# the rest, see changelog
|
||||||
Patch3: sudo-1.6.9p4-getgrouplist.patch
|
Patch3: sudo-1.6.9p4-getgrouplist.patch
|
||||||
|
Patch4: sudo-1.6.9p4-autotoolsRecursion.patch
|
||||||
|
Patch5: sudo-1.6.9p4-getprpwnam.patch
|
||||||
|
Patch6: sudo-1.6.9p4-audit.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Sudo (superuser do) allows a system administrator to give certain
|
Sudo (superuser do) allows a system administrator to give certain
|
||||||
@ -39,6 +44,11 @@ on many different machines.
|
|||||||
%patch1 -p1 -b .strip
|
%patch1 -p1 -b .strip
|
||||||
%patch2 -p1 -b .login
|
%patch2 -p1 -b .login
|
||||||
%patch3 -p1 -b .getgrouplist
|
%patch3 -p1 -b .getgrouplist
|
||||||
|
%patch4 -p1 -b .autotoolsRecursion
|
||||||
|
%patch5 -p1 -b .getprpwnam
|
||||||
|
%patch6 -p1 -b .audit
|
||||||
|
|
||||||
|
autoreconf
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch s390 s390x
|
%ifarch s390 s390x
|
||||||
@ -47,10 +57,7 @@ F_PIE=-fPIE
|
|||||||
F_PIE=-fpie
|
F_PIE=-fpie
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Note: there is a problem rebuild the ./configure script (for pam-login patch),
|
export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
|
||||||
# so we use -DHAVE_PAM_LOGIN rather than --with-pam-login...
|
|
||||||
# (it's workaround that should be fixed)
|
|
||||||
export CFLAGS="$RPM_OPT_FLAGS $F_PIE -DHAVE_PAM_LOGIN" LDFLAGS="-pie"
|
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
--prefix=%{_prefix} \
|
--prefix=%{_prefix} \
|
||||||
@ -59,6 +66,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -DHAVE_PAM_LOGIN" LDFLAGS="-pie"
|
|||||||
--with-logging=syslog \
|
--with-logging=syslog \
|
||||||
--with-logfac=authpriv \
|
--with-logfac=authpriv \
|
||||||
--with-pam \
|
--with-pam \
|
||||||
|
--with-pam-login \
|
||||||
--with-editor=/bin/vi \
|
--with-editor=/bin/vi \
|
||||||
--with-env-editor \
|
--with-env-editor \
|
||||||
--with-ignore-dot \
|
--with-ignore-dot \
|
||||||
@ -120,6 +128,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
/bin/chmod 0440 /etc/sudoers || :
|
/bin/chmod 0440 /etc/sudoers || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 30 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-2
|
||||||
|
- fix autotools stuff and add audit support
|
||||||
|
|
||||||
* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
|
* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
|
||||||
- upgrade to upstream release
|
- upgrade to upstream release
|
||||||
|
|
||||||
|