Compare commits
11 Commits
Author | SHA1 | Date |
---|---|---|
Daniel Kopecek | 056e957f08 | |
Daniel Kopecek | 31596d9ea3 | |
Daniel Kopecek | dbe960c0de | |
Daniel Kopecek | 0631d15912 | |
Tom Callaway | f33c1d92e6 | |
Peter Robinson | c17e72131c | |
Daniel Kopecek | a8b0119f23 | |
Daniel Kopecek | f7e0c8a06f | |
Ville Skyttä | 65a202a635 | |
Daniel Kopecek | 9eeaef0b85 | |
Daniel Kopecek | 5ad9e5110c |
|
@ -10,3 +10,8 @@ sudo-1.7.2p2-sudoers
|
|||
/sudo-1.8.6.tar.gz
|
||||
/sudo-1.8.6p3.tar.gz
|
||||
/sudo-1.8.6p7.tar.gz
|
||||
/sudo-1.8.8.tar.gz
|
||||
/sudo-1.8.8-sudoers
|
||||
/sudo-1.8.11.tar.gz
|
||||
/sudo-1.8.11p2.tar.gz
|
||||
/sudo-1.8.12.tar.gz
|
||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
|
||||
126abfa2e841139e774d4c67d80f0e5b sudo-1.8.6p7.tar.gz
|
||||
775b863cdff3a2ee2a26c2d53b51aff5 sudo-1.8.8-sudoers
|
||||
87558f3a55c62bc9244b19594f103ffa sudo-1.8.12.tar.gz
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
|
||||
--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
|
||||
+++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
|
||||
@@ -368,8 +368,8 @@ EOF
|
||||
dnl
|
||||
dnl Pull in libtool macros
|
||||
dnl
|
||||
-m4_include([libtool.m4])
|
||||
-m4_include([ltoptions.m4])
|
||||
-m4_include([ltsugar.m4])
|
||||
-m4_include([ltversion.m4])
|
||||
-m4_include([lt~obsolete.m4])
|
||||
+m4_include([m4/libtool.m4])
|
||||
+m4_include([m4/ltoptions.m4])
|
||||
+m4_include([m4/ltsugar.m4])
|
||||
+m4_include([m4/ltversion.m4])
|
||||
+m4_include([m4/lt~obsolete.m4])
|
|
@ -0,0 +1,54 @@
|
|||
diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch 2014-07-22 22:52:34.000000000 +0200
|
||||
+++ sudo-1.8.11b4/plugins/sudoers/ldap.c 2014-09-15 11:22:11.122094452 +0200
|
||||
@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
|
||||
}
|
||||
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
|
||||
|
||||
+/*
|
||||
+ * Read a line of input, remove whole line comments and strip off leading
|
||||
+ * and trailing spaces. Returns static storage that is reused.
|
||||
+ */
|
||||
+static char *
|
||||
+sudo_ldap_parseln(fp)
|
||||
+ FILE *fp;
|
||||
+{
|
||||
+ size_t len;
|
||||
+ char *cp = NULL;
|
||||
+ static char buf[LINE_MAX];
|
||||
+
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ /* Remove comments */
|
||||
+ if (*buf == '#')
|
||||
+ *buf = '\0';
|
||||
+
|
||||
+ /* Trim leading and trailing whitespace/newline */
|
||||
+ len = strlen(buf);
|
||||
+ while (len > 0 && isspace((unsigned char)buf[len - 1]))
|
||||
+ buf[--len] = '\0';
|
||||
+ for (cp = buf; isblank(*cp); cp++)
|
||||
+ continue;
|
||||
+ }
|
||||
+ return(cp);
|
||||
+}
|
||||
+
|
||||
static bool
|
||||
sudo_ldap_read_config(void)
|
||||
{
|
||||
@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
|
||||
if ((fp = fopen(path_ldap_conf, "r")) == NULL)
|
||||
debug_return_bool(false);
|
||||
|
||||
- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
|
||||
+ while ((line = sudo_ldap_parseln(fp)) != NULL) {
|
||||
if (*line == '\0')
|
||||
continue; /* skip empty line */
|
||||
|
||||
@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
|
||||
if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
|
||||
sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
|
||||
}
|
||||
- free(line);
|
||||
fclose(fp);
|
||||
|
||||
if (!ldap_conf.host)
|
|
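Review bot: sudo_ldap_parseln only strips a comment when `#` is the very first byte of the buffer (`if (*buf == '#')` runs before the leading-blank loop), so an indented comment line comes back as `#...`, and judging by the caller's `if (*line == '\0') continue;` it would then reach the keyword parser; testing the marker after the blank-skipping loop, `if (*cp == '#') *cp = '\0';`, would match what the header comment promises. The trailing-whitespace loop casts to `unsigned char` before `isspace()` but the leading loop calls `isblank(*cp)` on a plain `char`, which is undefined for bytes with the high bit set; it should be `for (cp = buf; isblank((unsigned char)*cp); cp++)`. A line longer than LINE_MAX is also split across two fgets() calls and handed back as two separate lines with no warning, which deserves at least a comment on `static char buf[LINE_MAX]`. The K&R-style definition `sudo_ldap_parseln(fp) FILE *fp;` differs from the ANSI prototype style of the neighbouring `sudo_ldap_read_config(void)`; the body of sudo_ldap_read_config continues outside the hunk.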
@ -0,0 +1,17 @@
|
|||
diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
|
||||
--- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix 2014-11-03 12:44:53.674230966 +0100
|
||||
+++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c 2014-11-03 12:45:13.407021599 +0100
|
||||
@@ -57,10 +57,10 @@ linux_audit_open(void)
|
||||
au_fd = audit_open();
|
||||
if (au_fd == -1) {
|
||||
/* Kernel may not have audit support. */
|
||||
- if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
|
||||
- sudo_warn(U_("unable to open audit system"));
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
|
||||
au_fd = AUDIT_NOT_CONFIGURED;
|
||||
- }
|
||||
+ else
|
||||
+ sudo_warn(U_("unable to open audit system"));
|
||||
} else {
|
||||
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
|
||||
}
|
|
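Review bot: On the new `else sudo_warn(U_("unable to open audit system"));` branch au_fd is left at -1 while the other branch records AUDIT_NOT_CONFIGURED, and nothing in the hunk says whether -1 is meant to make later calls retry or to mark a permanent failure, so the two outcomes deserve a comment, e.g. `/* Other errors: warn, but leave au_fd at -1. */` above the else. Both new control bodies are unbraced, unlike the surrounding `if (au_fd == -1) { ... } else { ... }`; bracing them avoids a dangling-else surprise if another statement is added later. linux_audit_open's body starts and ends outside the hunk.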
@ -1,77 +0,0 @@
|
|||
diff -up sudo-1.8.6p3/plugins/sudoers/audit.c.orig sudo-1.8.6p3/plugins/sudoers/audit.c
|
||||
--- sudo-1.8.6p3/plugins/sudoers/audit.c.orig 2012-11-07 13:04:55.424637797 +0100
|
||||
+++ sudo-1.8.6p3/plugins/sudoers/audit.c 2012-11-07 13:06:53.705032954 +0100
|
||||
@@ -26,6 +26,11 @@
|
||||
# include <stdlib.h>
|
||||
# endif
|
||||
#endif /* STDC_HEADERS */
|
||||
+#ifdef HAVE_STDBOOL_H
|
||||
+# include <stdbool.h>
|
||||
+#else
|
||||
+# include "compat/stdbool.h"
|
||||
+#endif /* HAVE_STDBOOL_H */
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "missing.h"
|
||||
diff -up sudo-1.8.6p3/plugins/sudoers/logging.c.orig sudo-1.8.6p3/plugins/sudoers/logging.c
|
||||
--- sudo-1.8.6p3/plugins/sudoers/logging.c.orig 2012-11-07 13:04:55.424637797 +0100
|
||||
+++ sudo-1.8.6p3/plugins/sudoers/logging.c 2012-11-07 13:06:53.705032954 +0100
|
||||
@@ -247,14 +247,20 @@ do_logfile(char *msg)
|
||||
}
|
||||
|
||||
/*
|
||||
- * Log and mail the denial message, optionally informing the user.
|
||||
+ * Log, audit and mail the denial message, optionally informing the user.
|
||||
*/
|
||||
-static void
|
||||
+void
|
||||
log_denial(int status, bool inform_user)
|
||||
{
|
||||
char *logline, *message;
|
||||
debug_decl(log_denial, SUDO_DEBUG_LOGGING)
|
||||
|
||||
+ /* Handle auditing first. */
|
||||
+ if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
|
||||
+ audit_failure(NewArgv, _("No user or host"));
|
||||
+ else
|
||||
+ audit_failure(NewArgv, _("validation failure"));
|
||||
+
|
||||
/* Set error message. */
|
||||
if (ISSET(status, FLAG_NO_USER))
|
||||
message = _("user NOT in sudoers");
|
||||
@@ -312,12 +318,6 @@ log_failure(int status, int flags)
|
||||
debug_decl(log_failure, SUDO_DEBUG_LOGGING)
|
||||
bool inform_user = true;
|
||||
|
||||
- /* Handle auditing first. */
|
||||
- if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
|
||||
- audit_failure(NewArgv, _("No user or host"));
|
||||
- else
|
||||
- audit_failure(NewArgv, _("validation failure"));
|
||||
-
|
||||
/* The user doesn't always get to see the log message (path info). */
|
||||
if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info &&
|
||||
(flags == NOT_FOUND_DOT || flags == NOT_FOUND))
|
||||
diff -up sudo-1.8.6p3/plugins/sudoers/logging.h.orig sudo-1.8.6p3/plugins/sudoers/logging.h
|
||||
--- sudo-1.8.6p3/plugins/sudoers/logging.h.orig 2012-11-07 13:04:55.425637802 +0100
|
||||
+++ sudo-1.8.6p3/plugins/sudoers/logging.h 2012-11-07 13:06:53.706032965 +0100
|
||||
@@ -56,6 +56,7 @@ void audit_success(char *exec_args[]);
|
||||
void audit_failure(char *exec_args[], char const *const fmt, ...);
|
||||
void log_allowed(int status);
|
||||
void log_auth_failure(int status, int tries);
|
||||
+void log_denial(int status, bool inform_user);
|
||||
void log_failure(int status, int flags);
|
||||
void log_error(int flags, const char *fmt, ...) __printflike(2, 3);
|
||||
void log_fatal(int flags, const char *fmt, ...) __printflike(2, 3) __attribute__((__noreturn__));
|
||||
diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.c.orig sudo-1.8.6p3/plugins/sudoers/sudoers.c
|
||||
--- sudo-1.8.6p3/plugins/sudoers/sudoers.c.orig 2012-11-07 13:04:55.425637802 +0100
|
||||
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c 2012-11-07 13:06:53.706032965 +0100
|
||||
@@ -466,7 +466,7 @@ sudoers_policy_main(int argc, char * con
|
||||
rval = check_user(validated, sudo_mode);
|
||||
if (rval != true) {
|
||||
if (!ISSET(validated, VALIDATE_OK))
|
||||
- log_failure(validated, cmnd_status);
|
||||
+ log_denial(validated, false);
|
||||
goto done;
|
||||
}
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
|
||||
--- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs 2013-09-30 23:41:07.899529555 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/auth/pam.c 2013-09-30 23:41:58.988707761 +0200
|
||||
@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
|
||||
(void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
|
||||
pamh = NULL;
|
||||
status = AUTH_FAILURE;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
|
||||
diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
|
||||
--- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs 2013-09-30 23:44:20.404200629 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:49:05.998194738 +0200
|
||||
@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
|
||||
debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (nss && nss->handle) {
|
||||
- handle = nss->handle;
|
||||
- dlclose(handle->ssslib);
|
||||
+ handle = nss->handle;
|
||||
+ dlclose(handle->ssslib);
|
||||
+ efree(nss->handle);
|
||||
}
|
||||
-
|
||||
- efree(nss->handle);
|
||||
debug_return_int(0);
|
||||
}
|
||||
|
||||
@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
|
||||
sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
|
||||
|
||||
if (f_sss_result != NULL) {
|
||||
- if (f_sss_result->num_rules > 0) {
|
||||
- if (state != NULL) {
|
||||
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
|
||||
- *state |= _SUDO_SSS_STATE_HOSTMATCH;
|
||||
+ if (f_sss_result->num_rules > 0) {
|
||||
+ if (state != NULL) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
|
||||
+ *state |= _SUDO_SSS_STATE_HOSTMATCH;
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
- }
|
||||
|
||||
- sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
- "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
|
||||
- u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
+ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
|
||||
+ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
|
||||
+ } else {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
+ "u_sss_result=(%p, %u) => f_sss_result=NULL",
|
||||
+ u_sss_result, u_sss_result->num_rules);
|
||||
+ }
|
||||
|
||||
handle->fn_free_result(u_sss_result);
|
||||
|
|
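Review bot: In sudo_sss_close the moved `efree(nss->handle);` frees the block but never clears the field, so `nss->handle` is left dangling; since the function's own guard is `if (nss && nss->handle)`, a second close on the same struct would pass the guard and free it again. Adding `nss->handle = NULL;` right after the efree makes the close idempotent and keeps the guard meaningful. The ordering inside the block is right as it stands: `handle` is taken from nss->handle and dlclose'd before the free. The pam.c `goto done;` and the sudo_sss_result_get else-branch logging look correct as far as the hunks show; the `done:` label and the rest of both functions are outside the hunks.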
@ -0,0 +1,119 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
|
||||
--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes 2013-09-30 23:18:49.641913457 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:25:54.819376696 +0200
|
||||
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
|
||||
* Walk through search results and return true if we have a runas match,
|
||||
* else false. RunAs info is optional.
|
||||
*/
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
- int ret;
|
||||
+ bool ret;
|
||||
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
|
||||
ret = sudo_sss_check_runas_user(handle, rule) != false &&
|
||||
sudo_sss_check_runas_group(handle, rule) != false;
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
char **val_array, *val;
|
||||
- int ret = false, i;
|
||||
+ bool ret = false;
|
||||
+ int i;
|
||||
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
|
||||
/* get the values from the rule */
|
||||
switch (handle->fn_get_values(rule, "sudoHost", &val_array))
|
||||
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
break;
|
||||
case ENOENT:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
default:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
/* walk through values */
|
||||
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
|
||||
handle->fn_free_values(val_array);
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Look for netgroup specifcations in the sudoUser attribute and
|
||||
+ * if found, filter according to netgroup membership.
|
||||
+ * returns:
|
||||
+ * true -> netgroup spec found && negroup member
|
||||
+ * false -> netgroup spec found && not a meber of netgroup
|
||||
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
|
||||
+ */
|
||||
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
+{
|
||||
+ bool ret = false, netgroup_spec_found = false;
|
||||
+ char **val_array, *val;
|
||||
+ int i;
|
||||
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
|
||||
+
|
||||
+ if (!handle || !rule)
|
||||
+ debug_return_bool(ret);
|
||||
+
|
||||
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
|
||||
+ case 0:
|
||||
+ break;
|
||||
+ case ENOENT:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
+ debug_return_bool(ret);
|
||||
+ default:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
|
||||
+ debug_return_bool(ret);
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
|
||||
+ val = val_array[i];
|
||||
+ if (*val == '+') {
|
||||
+ netgroup_spec_found = true;
|
||||
+ }
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
|
||||
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
|
||||
+ ret = true;
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
|
||||
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
|
||||
+ }
|
||||
+ }
|
||||
+ handle->fn_free_values(val_array);
|
||||
+ debug_return_bool(netgroup_spec_found ? ret : true);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
|
||||
(void)unused;
|
||||
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
|
||||
|
||||
- if (sudo_sss_check_host(handle, rule))
|
||||
+ if (sudo_sss_check_host(handle, rule) &&
|
||||
+ sudo_sss_filter_user_netgroup(handle, rule))
|
||||
debug_return_int(1);
|
||||
else
|
||||
debug_return_int(0);
|
|
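Review bot: sudo_sss_filter_user_netgroup declares its trace as `debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);`, a name that does not match the function, so the debug log attributes its entry and exit to a function that does not exist; it should read `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);`. It is also the only function in this hunk defined without `static`, although its only visible caller is sudo_sss_result_filterp in the same file, and the header comment has typos ("specifcations", "negroup", "meber"). The final `debug_return_bool(netgroup_spec_found ? ret : true);` depends on value order: the loop exits on the first match (`!ret`), so a `+netgroup` entry after a matching value is never seen and netgroup_spec_found stays false; that is consistent with an "any value matches" reading but should be stated in the comment, e.g. `* The loop stops at the first matching value; later netgroup specs are not examined.`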
@ -0,0 +1,53 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
|
||||
--- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid 2013-09-30 23:30:12.359263967 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/match.c 2013-09-30 23:31:04.335443002 +0200
|
||||
@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
|
||||
bool
|
||||
userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
|
||||
{
|
||||
- debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
|
||||
-
|
||||
- if (pw != NULL && *sudoers_user == '#') {
|
||||
- uid_t uid = (uid_t) atoi(sudoers_user + 1);
|
||||
- if (uid == pw->pw_uid)
|
||||
- debug_return_bool(true);
|
||||
- }
|
||||
- debug_return_bool(strcmp(sudoers_user, user) == 0);
|
||||
+ debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
|
||||
+ if (pw != NULL && *sudoers_user == '#') {
|
||||
+ char *end = NULL;
|
||||
+ uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
|
||||
+ if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
|
||||
+ if (uid == pw->pw_uid)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ }
|
||||
+ debug_return_bool(strcmp(sudoers_user, user) == 0);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
|
||||
bool
|
||||
group_matches(char *sudoers_group, struct group *gr)
|
||||
{
|
||||
- debug_decl(group_matches, SUDO_DEBUG_MATCH)
|
||||
-
|
||||
- if (*sudoers_group == '#') {
|
||||
- gid_t gid = (gid_t) atoi(sudoers_group + 1);
|
||||
- if (gid == gr->gr_gid)
|
||||
- debug_return_bool(true);
|
||||
- }
|
||||
- debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
|
||||
+ debug_decl(group_matches, SUDO_DEBUG_MATCH)
|
||||
+ if (*sudoers_group == '#') {
|
||||
+ char *end = NULL;
|
||||
+ gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
|
||||
+ if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
|
||||
+ if (gid == gr->gr_gid)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ }
|
||||
+ debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
|
||||
}
|
||||
|
||||
/*
|
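Review bot: The strtol() replacement in userpw_matches still accepts more than a bare number: strtol skips leading whitespace and a `+`/`-` sign, so `sudoers_user[1] != '\0' && *end == '\0'` passes for a blank or sign after `#`, a negative value is silently wrapped by the `(uid_t)` cast, and an out-of-range value is clamped to LONG_MAX with no `errno` check; `end != NULL` is always true after strtol. The same applies to the group_matches hunk below. The rewrite below requires the first byte to be a digit, checks ERANGE, and only accepts values that round-trip through uid_t; it assumes `<errno.h>` and `<ctype.h>` are already included by match.c, which the hunk does not show. group_matches would get the identical treatment with gid_t and gr->gr_gid.
```c
bool
userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
{
    debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
    if (pw != NULL && *sudoers_user == '#') {
        const char *num = sudoers_user + 1;
        char *end = NULL;
        long val;

        /* strtol() skips leading blanks and accepts a sign; require a digit first. */
        if (isdigit((unsigned char)*num)) {
            errno = 0;
            val = strtol(num, &end, 10);
            /* Whole string consumed, no overflow, and the value round-trips through uid_t. */
            if (*end == '\0' && errno != ERANGE && val >= 0 &&
                (long)(uid_t)val == val && (uid_t)val == pw->pw_uid)
                debug_return_bool(true);
        }
    }
    debug_return_bool(strcmp(sudoers_user, user) == 0);
}
```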
124
sudo.spec
124
sudo.spec
|
@ -1,14 +1,16 @@
|
|||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.6p7
|
||||
Release: 2%{?dist}
|
||||
Version: 1.8.12
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
|
||||
Source1: sudo-1.7.4p4-sudoers
|
||||
Source1: sudo-1.8.8-sudoers
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: /etc/pam.d/system-auth, vim-minimal
|
||||
Requires: /etc/pam.d/system-auth
|
||||
Requires: /usr/bin/vi
|
||||
Requires(post): /bin/chmod
|
||||
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: groff
|
||||
|
@ -24,8 +26,8 @@ BuildRequires: zlib-devel
|
|||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# configure.in fix
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
# Patch to read ldap.conf more closely to nss_ldap
|
||||
Patch2: sudo-1.8.11b4-ldapconfpatch.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -51,9 +53,11 @@ plugins that use %{name}.
|
|||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .envdebug
|
||||
%patch2 -p1 -b .ldapconfpatch
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
rm -rf zlib/
|
||||
autoreconf -I m4 -fv --install
|
||||
|
||||
%ifarch s390 s390x sparc64
|
||||
|
@ -68,7 +72,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
|||
--prefix=%{_prefix} \
|
||||
--sbindir=%{_sbindir} \
|
||||
--libdir=%{_libdir} \
|
||||
--docdir=%{_datadir}/doc/%{name}-%{version} \
|
||||
--docdir=%{_pkgdocdir} \
|
||||
--with-logging=syslog \
|
||||
--with-logfac=authpriv \
|
||||
--with-pam \
|
||||
|
@ -95,10 +99,16 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
|
|||
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
|
||||
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
|
||||
|
||||
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
|
||||
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
|
||||
|
||||
# Remove execute permission on this script so we don't pull in perl deps
|
||||
chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
|
||||
chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
|
||||
|
||||
# Don't package LICENSE as a doc
|
||||
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
|
||||
|
||||
# Remove examples; Examples can be found in man pages too.
|
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
|
||||
|
||||
%find_lang sudo
|
||||
%find_lang sudoers
|
||||
|
@ -114,6 +124,7 @@ account include system-auth
|
|||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session include system-auth
|
||||
EOF
|
||||
|
||||
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
|
||||
|
@ -122,7 +133,7 @@ auth include sudo
|
|||
account include sudo
|
||||
password include sudo
|
||||
session optional pam_keyinit.so force revoke
|
||||
session required pam_limits.so
|
||||
session include sudo
|
||||
EOF
|
||||
|
||||
|
||||
|
@ -140,17 +151,25 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%attr(4111,root,root) %{_bindir}/sudoedit
|
||||
%attr(0111,root,root) %{_bindir}/sudoreplay
|
||||
%attr(0755,root,root) %{_sbindir}/visudo
|
||||
%attr(0755,root,root) %{_libexecdir}/sesh
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudoers.so
|
||||
%dir %{_libexecdir}/sudo
|
||||
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
|
||||
%{_mandir}/man5/sudoers.5*
|
||||
%{_mandir}/man5/sudoers.ldap.5*
|
||||
%{_mandir}/man5/sudo.conf.5*
|
||||
%{_mandir}/man8/sudo.8*
|
||||
%{_mandir}/man8/sudoedit.8*
|
||||
%{_mandir}/man8/sudoreplay.8*
|
||||
%{_mandir}/man8/visudo.8*
|
||||
%dir %{_docdir}/sudo-%{version}
|
||||
%{_docdir}/sudo-%{version}/*
|
||||
%dir %{_pkgdocdir}/
|
||||
%{_pkgdocdir}/*
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license doc/LICENSE
|
||||
%exclude %{_pkgdocdir}/ChangeLog
|
||||
|
||||
|
||||
# Make sure permissions are ok even if we're updating
|
||||
|
@ -162,8 +181,81 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%doc plugins/sample/sample_plugin.c
|
||||
%{_includedir}/sudo_plugin.h
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/*.la
|
||||
|
||||
%changelog
|
||||
* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
|
||||
- update to 1.8.12
|
||||
- fixes CVE-2014-9680
|
||||
|
||||
* Mon Nov 3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
|
||||
- update to 1.8.11p2
|
||||
- added patch to fix upstream bug #671 -- exiting immediately
|
||||
when audit is disabled
|
||||
|
||||
* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
|
||||
- update to 1.8.11
|
||||
- major changes & fixes:
|
||||
- when running a command in the background, sudo will now forward
|
||||
SIGINFO to the command
|
||||
- the passwords in ldap.conf and ldap.secret may now be encoded in base64.
|
||||
- SELinux role changes are now audited. For sudoedit, we now audit
|
||||
the actual editor being run, instead of just the sudoedit command.
|
||||
- it is now possible to match an environment variable's value as well as
|
||||
its name using env_keep and env_check
|
||||
- new files created via sudoedit as a non-root user now have the proper group id
|
||||
- sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
|
||||
- it is now possible to disable network interface probing in sudo.conf by
|
||||
changing the value of the probe_interfaces setting
|
||||
- when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
|
||||
for the user's password even if the targetpw, rootpw or runaspw options are set.
|
||||
- the new use_netgroups sudoers option can be used to explicitly enable or disable
|
||||
netgroups support
|
||||
- visudo can now export a sudoers file in JSON format using the new -x flag
|
||||
- added patch to read ldap.conf more closely to nss_ldap
|
||||
- require /usr/bin/vi instead of vim-minimal
|
||||
- include pam.d/system-auth in PAM session phase from pam.d/sudo
|
||||
- include pam.d/sudo in PAM session phase from pam.d/sudo-i
|
||||
|
||||
* Tue Aug 5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-5
|
||||
- fix license handling
|
||||
|
||||
* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4
|
||||
- Drop ChangeLog, we ship NEWS
|
||||
|
||||
* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3
|
||||
- remove bundled copy of zlib before compilation
|
||||
- drop the requiretty Defaults setting from sudoers
|
||||
|
||||
* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2
|
||||
- Own the %%{_libexecdir}/sudo dir.
|
||||
|
||||
* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1
|
||||
- update to 1.8.8
|
||||
- major changes & fixes:
|
||||
- LDAP SASL support now works properly with Kerberos
|
||||
- root may no longer change its SELinux role without entering a password
|
||||
- user messages are now always displayed in the user's locale, even when
|
||||
the same message is being logged or mailed in a different locale.
|
||||
- log files created by sudo now explicitly have the group set to group
|
||||
ID 0 rather than relying on BSD group semantics
|
||||
- sudo now stores its libexec files in a sudo subdirectory instead of in
|
||||
libexec itself
|
||||
- system_group and group_file sudoers group provider plugins are now
|
||||
installed by default
|
||||
- the paths to ldap.conf and ldap.secret may now be specified as arguments
|
||||
to the sudoers plugin in the sudo.conf file
|
||||
- ...and many new features and settings. See the upstream ChangeLog for the
|
||||
full list.
|
||||
- several sssd support fixes
|
||||
- added patch to make uid/gid specification parsing more strict (don't accept
|
||||
an invalid number as uid/gid)
|
||||
- use the _pkgdocdir macro
|
||||
(see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
|
||||
- fixed several bugs found by the clang static analyzer
|
||||
- added %%post dependency on chmod
|
||||
|
||||
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
|
|