Compare commits
7 Commits
Author | SHA1 | Date |
---|---|---|
Daniel Kopecek | ab230f309f | |
Daniel Kopecek | f439d30a98 | |
Daniel Kopecek | 581b0fecea | |
Daniel Kopecek | a9a105e682 | |
Daniel Kopecek | cb637c8790 | |
Peter Robinson | 32c5d458e8 | |
Tom Callaway | 6c167fc332 |
|
@ -12,3 +12,7 @@ sudo-1.7.2p2-sudoers
|
|||
/sudo-1.8.6p7.tar.gz
|
||||
/sudo-1.8.8.tar.gz
|
||||
/sudo-1.8.8-sudoers
|
||||
/sudo-1.8.11.tar.gz
|
||||
/sudo-1.8.11p2.tar.gz
|
||||
/sudo-1.8.12.tar.gz
|
||||
/sudo-1.8.15.tar.gz
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
fc4f074090afd56d9ff4ff4e97321971 sudo-1.8.8.tar.gz
|
||||
775b863cdff3a2ee2a26c2d53b51aff5 sudo-1.8.8-sudoers
|
||||
7cf6b9b76d0478a572432bed481dd7b5 sudo-1.8.15.tar.gz
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
|
||||
--- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix 2014-11-03 12:44:53.674230966 +0100
|
||||
+++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c 2014-11-03 12:45:13.407021599 +0100
|
||||
@@ -57,10 +57,10 @@ linux_audit_open(void)
|
||||
au_fd = audit_open();
|
||||
if (au_fd == -1) {
|
||||
/* Kernel may not have audit support. */
|
||||
- if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
|
||||
- sudo_warn(U_("unable to open audit system"));
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
|
||||
au_fd = AUDIT_NOT_CONFIGURED;
|
||||
- }
|
||||
+ else
|
||||
+ sudo_warn(U_("unable to open audit system"));
|
||||
} else {
|
||||
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
|
||||
}
|
|
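Review bot: The rewritten `if`/`else` in linux_audit_open leaves au_fd at -1 on the unexpected-errno path after the warning, while the expected-errno path maps it to AUDIT_NOT_CONFIGURED; how the rest of the function and its callers tell a failed open (-1) from an absent audit subsystem is outside the hunk, so the `else` branch deserves a comment stating that leaving -1 there is deliberate, e.g. `/* Real failure: keep au_fd == -1 so the error is not masked as "not configured" */`, if that is indeed the intent. As a point of style, both branches are single unbraced statements with a comment between the condition and the assignment; bracing them (`if (...) { au_fd = AUDIT_NOT_CONFIGURED; } else { sudo_warn(...); }`) avoids a later statement silently falling outside the branch. The errno test still runs directly after the failing audit_open() with only a comment in between, which is correct. linux_audit_open continues past the end of the hunk.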
@ -0,0 +1,55 @@
|
|||
diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch 2015-07-07 18:51:11.000000000 +0200
|
||||
+++ sudo-1.8.14b3/plugins/sudoers/ldap.c 2015-07-09 11:03:25.686645581 +0200
|
||||
@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam
|
||||
}
|
||||
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
|
||||
|
||||
+/*
|
||||
+ * Read a line of input, remove whole line comments and strip off leading
|
||||
+ * and trailing spaces. Returns static storage that is reused.
|
||||
+ */
|
||||
+static char *
|
||||
+sudo_ldap_parseln(fp)
|
||||
+ FILE *fp;
|
||||
+{
|
||||
+ size_t len;
|
||||
+ char *cp = NULL;
|
||||
+ static char buf[LINE_MAX];
|
||||
+
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ /* Remove comments */
|
||||
+ if (*buf == '#')
|
||||
+ *buf = '\0';
|
||||
+
|
||||
+ /* Trim leading and trailing whitespace/newline */
|
||||
+ len = strlen(buf);
|
||||
+ while (len > 0 && isspace((unsigned char)buf[len - 1]))
|
||||
+ buf[--len] = '\0';
|
||||
+ for (cp = buf; isblank(*cp); cp++)
|
||||
+ continue;
|
||||
+ }
|
||||
+ return(cp);
|
||||
+}
|
||||
+
|
||||
static bool
|
||||
sudo_ldap_read_config(void)
|
||||
{
|
||||
@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void)
|
||||
if ((fp = fopen(path_ldap_conf, "r")) == NULL)
|
||||
debug_return_bool(false);
|
||||
|
||||
- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
|
||||
+ while ((line = sudo_ldap_parseln(fp)) != NULL) {
|
||||
if (*line == '\0')
|
||||
continue; /* skip empty line */
|
||||
|
||||
@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void)
|
||||
if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
|
||||
sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
|
||||
}
|
||||
- free(line);
|
||||
+
|
||||
fclose(fp);
|
||||
|
||||
if (!ldap_conf.host) {
|
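Review bot: `isblank(*cp)` in the new sudo_ldap_parseln passes a plain `char`, unlike the `(unsigned char)` cast used a few lines earlier for isspace; where `char` is signed, a non-ASCII byte in ldap.conf becomes a negative argument, which the <ctype.h> functions do not define, so the loop should read `for (cp = buf; isblank((unsigned char)*cp); cp++)`. A second issue is the fixed `static char buf[LINE_MAX]`: fgets returns a longer line in several pieces, and sudo_ldap_read_config then parses each piece as a keyword/value line of its own, whereas the replaced `sudo_parseln(&line, &linesize, NULL, fp)` call appears, from its arguments, to have grown its buffer as needed; the excerpt below at least drains the tail of an over-long line so it is not misparsed, and the truncation should be reported with the file's usual warning helper. Comments are also only recognised when `#` is in column 0, so an indented comment survives trimming and comes back as a line starting with `#` — worth stating in the function's header comment so callers know to reject it. The second and third hunks edit sudo_ldap_read_config, whose body starts and ends outside the hunks; `linesize` from the removed call may now be an unused local there.
```c
    if (fgets(buf, sizeof(buf), fp) != NULL) {
	/* Line did not fit: discard its tail instead of returning it as a new line. */
	if (strchr(buf, '\n') == NULL && !feof(fp)) {
	    int ch;
	    while ((ch = getc(fp)) != EOF && ch != '\n')
		continue;
	    /* TODO: report the truncated line with the file's warning helper */
	}
	/* … unchanged: comment removal and trailing whitespace trimming … */
	for (cp = buf; isblank((unsigned char)*cp); cp++)
	    continue;
    }
```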
82
sudo.spec
82
sudo.spec
|
@ -1,14 +1,15 @@
|
|||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.8
|
||||
Release: 5%{?dist}
|
||||
Version: 1.8.15
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
|
||||
Source1: sudo-1.8.8-sudoers
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: /etc/pam.d/system-auth, vim-minimal
|
||||
Requires: /etc/pam.d/system-auth
|
||||
Requires: /usr/bin/vi
|
||||
Requires(post): /bin/chmod
|
||||
|
||||
BuildRequires: pam-devel
|
||||
|
@ -25,14 +26,8 @@ BuildRequires: zlib-devel
|
|||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# configure.in fix
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
# Fix several issues in the sssd code
|
||||
Patch3: sudo-1.8.8-sssdfixes.patch
|
||||
# Don't accept invalid number in uid/gid specifications
|
||||
Patch4: sudo-1.8.8-strictuidgid.patch
|
||||
# Fix several issues found by the clang static analyzer
|
||||
Patch5: sudo-1.8.8-clangbugs.patch
|
||||
# Patch to read ldap.conf more closely to nss_ldap
|
||||
Patch2: sudo-1.8.14p1-ldapconfpatch.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -58,10 +53,7 @@ plugins that use %{name}.
|
|||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .envdebug
|
||||
%patch3 -p1 -b .sssdfixes
|
||||
%patch4 -p1 -b .strictuidgid
|
||||
%patch5 -p1 -b .clangbugs
|
||||
%patch2 -p1 -b .ldapconfpatch
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
|
@ -112,6 +104,15 @@ chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%fil
|
|||
# Remove execute permission on this script so we don't pull in perl deps
|
||||
chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
|
||||
|
||||
# Don't package LICENSE as a doc
|
||||
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
|
||||
|
||||
# Remove examples; Examples can be found in man pages too.
|
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
|
||||
|
||||
#Remove all .la files
|
||||
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
||||
|
||||
%find_lang sudo
|
||||
%find_lang sudoers
|
||||
|
||||
|
@ -126,6 +127,7 @@ account include system-auth
|
|||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session include system-auth
|
||||
EOF
|
||||
|
||||
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
|
||||
|
@ -134,7 +136,7 @@ auth include sudo
|
|||
account include sudo
|
||||
password include sudo
|
||||
session optional pam_keyinit.so force revoke
|
||||
session required pam_limits.so
|
||||
session include sudo
|
||||
EOF
|
||||
|
||||
|
||||
|
@ -147,9 +149,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%attr(0750,root,root) %dir /etc/sudoers.d/
|
||||
%config(noreplace) /etc/pam.d/sudo
|
||||
%config(noreplace) /etc/pam.d/sudo-i
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
||||
%dir /var/db/sudo
|
||||
%attr(4111,root,root) %{_bindir}/sudo
|
||||
%attr(4111,root,root) %{_bindir}/sudoedit
|
||||
%{_bindir}/sudoedit
|
||||
%attr(0111,root,root) %{_bindir}/sudoreplay
|
||||
%attr(0755,root,root) %{_sbindir}/visudo
|
||||
%dir %{_libexecdir}/sudo
|
||||
|
@ -158,6 +161,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
|
||||
%{_libexecdir}/sudo/libsudo_util.so.?
|
||||
%{_mandir}/man5/sudoers.5*
|
||||
%{_mandir}/man5/sudoers.ldap.5*
|
||||
%{_mandir}/man5/sudo.conf.5*
|
||||
|
@ -167,6 +172,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man8/visudo.8*
|
||||
%dir %{_pkgdocdir}/
|
||||
%{_pkgdocdir}/*
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license doc/LICENSE
|
||||
%exclude %{_pkgdocdir}/ChangeLog
|
||||
|
||||
|
||||
|
@ -179,8 +186,49 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%doc plugins/sample/sample_plugin.c
|
||||
%{_includedir}/sudo_plugin.h
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
|
||||
|
||||
%changelog
|
||||
* Thu Nov 5 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.15-1
|
||||
- update to 1.8.15
|
||||
- fixes CVE-2015-5602
|
||||
|
||||
* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
|
||||
- update to 1.8.12
|
||||
- fixes CVE-2014-9680
|
||||
|
||||
* Mon Nov 3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
|
||||
- update to 1.8.11p2
|
||||
- added patch to fix upstream bug #671 -- exiting immediately
|
||||
when audit is disabled
|
||||
|
||||
* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
|
||||
- update to 1.8.11
|
||||
- major changes & fixes:
|
||||
- when running a command in the background, sudo will now forward
|
||||
SIGINFO to the command
|
||||
- the passwords in ldap.conf and ldap.secret may now be encoded in base64.
|
||||
- SELinux role changes are now audited. For sudoedit, we now audit
|
||||
the actual editor being run, instead of just the sudoedit command.
|
||||
- it is now possible to match an environment variable's value as well as
|
||||
its name using env_keep and env_check
|
||||
- new files created via sudoedit as a non-root user now have the proper group id
|
||||
- sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
|
||||
- it is now possible to disable network interface probing in sudo.conf by
|
||||
changing the value of the probe_interfaces setting
|
||||
- when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
|
||||
for the user's password even if the targetpw, rootpw or runaspw options are set.
|
||||
- the new use_netgroups sudoers option can be used to explicitly enable or disable
|
||||
netgroups support
|
||||
- visudo can now export a sudoers file in JSON format using the new -x flag
|
||||
- added patch to read ldap.conf more closely to nss_ldap
|
||||
- require /usr/bin/vi instead of vim-minimal
|
||||
- include pam.d/system-auth in PAM session phase from pam.d/sudo
|
||||
- include pam.d/sudo in PAM session phase from pam.d/sudo-i
|
||||
|
||||
* Tue Aug 5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
|
||||
- fix license handling
|
||||
|
||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
|
|
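Review bot: The changelog entry dated Wed Feb 18 2015 identifies the build as `- 1.8.12` with no release suffix, unlike every other entry in the section (`1.8.15-1`, `1.8.11p2-1`, `1.8.11-1`); presumably it should read `- 1.8.12-1`. The `Patch2: sudo-1.8.14p1-ldapconfpatch.patch` line would also benefit from recording that the patch content is a diff against sudo-1.8.14b3 now applied to 1.8.15, e.g. `# Patch to read ldap.conf more closely to nss_ldap (generated against 1.8.14b3; refresh when rebasing)`, since a stale patch that still applies with fuzz is easy to miss. The old/new side of the duplicated Version, Release, Requires, Patch and %patch lines is not marked on this page, so the renumbering of tag 2 from envdebug to ldapconfpatch has only been checked for consistency between the `Patch2:` tag and the `%patch2 -p1 -b .ldapconfpatch` line, which do agree.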