Compare commits
8 Commits
Author | SHA1 | Date |
---|---|---|
Daniel Kopecek | be4e37d6fc | |
Radovan Sroka | 42235ced0d | |
Daniel Kopecek | 059f0b4eca | |
Daniel Kopecek | 30cb5895e7 | |
Daniel Kopecek | 854662f98c | |
Daniel Kopecek | a414053332 | |
Radovan Sroka | 87991d3b56 | |
Radovan Sroka | 9726dd3678 |
|
@ -1,18 +1,6 @@
|
|||
sudo-1.7.2p6.tar.gz
|
||||
sudo-1.7.2p2-sudoers
|
||||
/sudo-1.7.4p4.tar.gz
|
||||
/sudo-1.7.2p2-sudoers
|
||||
/sudo-1.7.4p4-sudoers
|
||||
/sudo-1.7.4p5.tar.gz
|
||||
/sudo-1.8.1p2.tar.gz
|
||||
/sudo-1.8.3p1.tar.gz
|
||||
/sudo-1.8.5.tar.gz
|
||||
/sudo-1.8.6.tar.gz
|
||||
/sudo-1.8.6p3.tar.gz
|
||||
/sudo-1.8.6p7.tar.gz
|
||||
/sudo-1.8.8.tar.gz
|
||||
/sudo-1.8.8-sudoers
|
||||
/sudo-1.8.11.tar.gz
|
||||
/sudo-1.8.11p2.tar.gz
|
||||
/sudo-1.8.12.tar.gz
|
||||
/sudo-1.8.14b4.tar.gz
|
||||
/sudo-1.8.17p1.tar.gz
|
||||
/sudo-1.8.18b2.tar.gz
|
||||
/sudo-1.8.18rc2.tar.gz
|
||||
/sudo-1.8.18rc4.tar.gz
|
||||
/sudo-1.8.18.tar.gz
|
||||
/sudo-1.8.18p1.tar.gz
|
||||
|
|
3
sources
3
sources
|
@ -1,2 +1 @@
|
|||
3d4f5c159a562c39c66c7f3aaef3c5b3 sudo-1.8.14b4.tar.gz
|
||||
775b863cdff3a2ee2a26c2d53b51aff5 sudo-1.8.8-sudoers
|
||||
28f5214d5bcb5af5710decb95184a0a6 sudo-1.8.18p1.tar.gz
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
diff -up sudo-1.7.2p1/configure.in.envdebug sudo-1.7.2p1/configure.in
|
||||
--- sudo-1.7.2p1/configure.in.envdebug 2009-10-30 12:18:09.000000000 +0100
|
||||
+++ sudo-1.7.2p1/configure.in 2009-10-30 12:19:01.000000000 +0100
|
||||
@@ -1214,7 +1214,7 @@ AC_ARG_ENABLE(env_debug,
|
||||
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
|
||||
[ case "$enableval" in
|
||||
yes) AC_MSG_RESULT(yes)
|
||||
- AC_DEFINE(ENV_DEBUG)
|
||||
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
|
||||
;;
|
||||
no) AC_MSG_RESULT(no)
|
||||
;;
|
|
@ -1,17 +0,0 @@
|
|||
diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
|
||||
--- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix 2014-11-03 12:44:53.674230966 +0100
|
||||
+++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c 2014-11-03 12:45:13.407021599 +0100
|
||||
@@ -57,10 +57,10 @@ linux_audit_open(void)
|
||||
au_fd = audit_open();
|
||||
if (au_fd == -1) {
|
||||
/* Kernel may not have audit support. */
|
||||
- if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
|
||||
- sudo_warn(U_("unable to open audit system"));
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
|
||||
au_fd = AUDIT_NOT_CONFIGURED;
|
||||
- }
|
||||
+ else
|
||||
+ sudo_warn(U_("unable to open audit system"));
|
||||
} else {
|
||||
(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
|
||||
}
|
|
@ -1,55 +0,0 @@
|
|||
diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch 2015-07-07 18:51:11.000000000 +0200
|
||||
+++ sudo-1.8.14b3/plugins/sudoers/ldap.c 2015-07-09 11:03:25.686645581 +0200
|
||||
@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam
|
||||
}
|
||||
#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
|
||||
|
||||
+/*
|
||||
+ * Read a line of input, remove whole line comments and strip off leading
|
||||
+ * and trailing spaces. Returns static storage that is reused.
|
||||
+ */
|
||||
+static char *
|
||||
+sudo_ldap_parseln(fp)
|
||||
+ FILE *fp;
|
||||
+{
|
||||
+ size_t len;
|
||||
+ char *cp = NULL;
|
||||
+ static char buf[LINE_MAX];
|
||||
+
|
||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
+ /* Remove comments */
|
||||
+ if (*buf == '#')
|
||||
+ *buf = '\0';
|
||||
+
|
||||
+ /* Trim leading and trailing whitespace/newline */
|
||||
+ len = strlen(buf);
|
||||
+ while (len > 0 && isspace((unsigned char)buf[len - 1]))
|
||||
+ buf[--len] = '\0';
|
||||
+ for (cp = buf; isblank(*cp); cp++)
|
||||
+ continue;
|
||||
+ }
|
||||
+ return(cp);
|
||||
+}
|
||||
+
|
||||
static bool
|
||||
sudo_ldap_read_config(void)
|
||||
{
|
||||
@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void)
|
||||
if ((fp = fopen(path_ldap_conf, "r")) == NULL)
|
||||
debug_return_bool(false);
|
||||
|
||||
- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
|
||||
+ while ((line = sudo_ldap_parseln(fp)) != NULL) {
|
||||
if (*line == '\0')
|
||||
continue; /* skip empty line */
|
||||
|
||||
@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void)
|
||||
if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
|
||||
sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
|
||||
}
|
||||
- free(line);
|
||||
+
|
||||
fclose(fp);
|
||||
|
||||
if (!ldap_conf.host) {
|
|
@ -1,38 +0,0 @@
|
|||
diff -up sudo-1.8.14b4/doc/sudoers.cat.docpassexpire sudo-1.8.14b4/doc/sudoers.cat
|
||||
--- sudo-1.8.14b4/doc/sudoers.cat.docpassexpire 2015-06-09 00:47:07.000000000 +0200
|
||||
+++ sudo-1.8.14b4/doc/sudoers.cat 2015-07-14 13:11:11.116000185 +0200
|
||||
@@ -1328,8 +1328,8 @@ SSUUDDOOEERRSS OOPPTTIIOONN
|
||||
fractional component if minute granularity is
|
||||
insufficient, for example 2.5. The default is 5. Set
|
||||
this to 0 to always prompt for a password. If set to a
|
||||
- value less than 0 the user's time stamp will never
|
||||
- expire. This can be used to allow users to create or
|
||||
+ value less than 0 the user's time stamp will not
|
||||
+ expire until reboot. This can be used to allow users to create or
|
||||
delete their own time stamps via ``sudo -v'' and ``sudo
|
||||
-k'' respectively.
|
||||
|
||||
diff -up sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire sudo-1.8.14b4/doc/sudoers.man.in
|
||||
--- sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire 2015-07-14 13:11:11.116000185 +0200
|
||||
+++ sudo-1.8.14b4/doc/sudoers.man.in 2015-07-14 13:14:17.261222481 +0200
|
||||
@@ -2822,7 +2822,7 @@ Set this to
|
||||
to always prompt for a password.
|
||||
If set to a value less than
|
||||
\fR0\fR
|
||||
-the user's time stamp will never expire.
|
||||
+the user's time stamp will not expire until reboot.
|
||||
This can be used to allow users to create or delete their own time stamps via
|
||||
\(Lq\fRsudo -v\fR\(Rq
|
||||
and
|
||||
diff -up sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire sudo-1.8.14b4/doc/sudoers.mdoc.in
|
||||
--- sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire 2015-04-07 18:15:50.000000000 +0200
|
||||
+++ sudo-1.8.14b4/doc/sudoers.mdoc.in 2015-07-14 13:11:11.117000176 +0200
|
||||
@@ -2647,7 +2647,7 @@ Set this to
|
||||
to always prompt for a password.
|
||||
If set to a value less than
|
||||
.Li 0
|
||||
-the user's time stamp will never expire.
|
||||
+the user's time stamp will not expire until reboot.
|
||||
This can be used to allow users to create or delete their own time stamps via
|
||||
.Dq Li sudo -v
|
||||
and
|
|
@ -1,60 +0,0 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
|
||||
--- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs 2013-09-30 23:41:07.899529555 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/auth/pam.c 2013-09-30 23:41:58.988707761 +0200
|
||||
@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
|
||||
(void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
|
||||
pamh = NULL;
|
||||
status = AUTH_FAILURE;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
|
||||
diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
|
||||
--- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs 2013-09-30 23:44:20.404200629 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:49:05.998194738 +0200
|
||||
@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
|
||||
debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (nss && nss->handle) {
|
||||
- handle = nss->handle;
|
||||
- dlclose(handle->ssslib);
|
||||
+ handle = nss->handle;
|
||||
+ dlclose(handle->ssslib);
|
||||
+ efree(nss->handle);
|
||||
}
|
||||
-
|
||||
- efree(nss->handle);
|
||||
debug_return_int(0);
|
||||
}
|
||||
|
||||
@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
|
||||
sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
|
||||
|
||||
if (f_sss_result != NULL) {
|
||||
- if (f_sss_result->num_rules > 0) {
|
||||
- if (state != NULL) {
|
||||
- sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
|
||||
- *state |= _SUDO_SSS_STATE_HOSTMATCH;
|
||||
+ if (f_sss_result->num_rules > 0) {
|
||||
+ if (state != NULL) {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
|
||||
+ *state |= _SUDO_SSS_STATE_HOSTMATCH;
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
- }
|
||||
|
||||
- sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
- "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
|
||||
- u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
+ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
|
||||
+ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
|
||||
+ } else {
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
|
||||
+ "u_sss_result=(%p, %u) => f_sss_result=NULL",
|
||||
+ u_sss_result, u_sss_result->num_rules);
|
||||
+ }
|
||||
|
||||
handle->fn_free_result(u_sss_result);
|
||||
|
|
@ -1,119 +0,0 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
|
||||
--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes 2013-09-30 23:18:49.641913457 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:25:54.819376696 +0200
|
||||
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
|
||||
* Walk through search results and return true if we have a runas match,
|
||||
* else false. RunAs info is optional.
|
||||
*/
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
- int ret;
|
||||
+ bool ret;
|
||||
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
|
||||
ret = sudo_sss_check_runas_user(handle, rule) != false &&
|
||||
sudo_sss_check_runas_group(handle, rule) != false;
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
char **val_array, *val;
|
||||
- int ret = false, i;
|
||||
+ bool ret = false;
|
||||
+ int i;
|
||||
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
|
||||
/* get the values from the rule */
|
||||
switch (handle->fn_get_values(rule, "sudoHost", &val_array))
|
||||
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
break;
|
||||
case ENOENT:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
default:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
/* walk through values */
|
||||
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
|
||||
handle->fn_free_values(val_array);
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Look for netgroup specifcations in the sudoUser attribute and
|
||||
+ * if found, filter according to netgroup membership.
|
||||
+ * returns:
|
||||
+ * true -> netgroup spec found && negroup member
|
||||
+ * false -> netgroup spec found && not a meber of netgroup
|
||||
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
|
||||
+ */
|
||||
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
+{
|
||||
+ bool ret = false, netgroup_spec_found = false;
|
||||
+ char **val_array, *val;
|
||||
+ int i;
|
||||
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
|
||||
+
|
||||
+ if (!handle || !rule)
|
||||
+ debug_return_bool(ret);
|
||||
+
|
||||
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
|
||||
+ case 0:
|
||||
+ break;
|
||||
+ case ENOENT:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
+ debug_return_bool(ret);
|
||||
+ default:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
|
||||
+ debug_return_bool(ret);
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
|
||||
+ val = val_array[i];
|
||||
+ if (*val == '+') {
|
||||
+ netgroup_spec_found = true;
|
||||
+ }
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
|
||||
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
|
||||
+ ret = true;
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
|
||||
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
|
||||
+ }
|
||||
+ }
|
||||
+ handle->fn_free_values(val_array);
|
||||
+ debug_return_bool(netgroup_spec_found ? ret : true);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
|
||||
(void)unused;
|
||||
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
|
||||
|
||||
- if (sudo_sss_check_host(handle, rule))
|
||||
+ if (sudo_sss_check_host(handle, rule) &&
|
||||
+ sudo_sss_filter_user_netgroup(handle, rule))
|
||||
debug_return_int(1);
|
||||
else
|
||||
debug_return_int(0);
|
|
@ -1,53 +0,0 @@
|
|||
diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
|
||||
--- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid 2013-09-30 23:30:12.359263967 +0200
|
||||
+++ sudo-1.8.8/plugins/sudoers/match.c 2013-09-30 23:31:04.335443002 +0200
|
||||
@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
|
||||
bool
|
||||
userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
|
||||
{
|
||||
- debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
|
||||
-
|
||||
- if (pw != NULL && *sudoers_user == '#') {
|
||||
- uid_t uid = (uid_t) atoi(sudoers_user + 1);
|
||||
- if (uid == pw->pw_uid)
|
||||
- debug_return_bool(true);
|
||||
- }
|
||||
- debug_return_bool(strcmp(sudoers_user, user) == 0);
|
||||
+ debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
|
||||
+ if (pw != NULL && *sudoers_user == '#') {
|
||||
+ char *end = NULL;
|
||||
+ uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
|
||||
+ if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
|
||||
+ if (uid == pw->pw_uid)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ }
|
||||
+ debug_return_bool(strcmp(sudoers_user, user) == 0);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
|
||||
bool
|
||||
group_matches(char *sudoers_group, struct group *gr)
|
||||
{
|
||||
- debug_decl(group_matches, SUDO_DEBUG_MATCH)
|
||||
-
|
||||
- if (*sudoers_group == '#') {
|
||||
- gid_t gid = (gid_t) atoi(sudoers_group + 1);
|
||||
- if (gid == gr->gr_gid)
|
||||
- debug_return_bool(true);
|
||||
- }
|
||||
- debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
|
||||
+ debug_decl(group_matches, SUDO_DEBUG_MATCH)
|
||||
+ if (*sudoers_group == '#') {
|
||||
+ char *end = NULL;
|
||||
+ gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
|
||||
+ if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
|
||||
+ if (gid == gr->gr_gid)
|
||||
+ debug_return_bool(true);
|
||||
+ }
|
||||
+ }
|
||||
+ debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
|
||||
}
|
||||
|
||||
/*
|
47
sudo.spec
47
sudo.spec
|
@ -1,12 +1,12 @@
|
|||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.14b4
|
||||
Release: 2%{?dist}
|
||||
Version: 1.8.18p1
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
|
||||
Source1: sudo-1.8.8-sudoers
|
||||
Source1: sudoers
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: /etc/pam.d/system-auth
|
||||
Requires: /usr/bin/vi
|
||||
|
@ -26,11 +26,6 @@ BuildRequires: zlib-devel
|
|||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# Patch to read ldap.conf more closely to nss_ldap
|
||||
Patch2: sudo-1.8.14b3-ldapconfpatch.patch
|
||||
# Patch makes changes in documentation bz:1162070
|
||||
Patch3: sudo-1.8.14b4-docpassexpire.patch
|
||||
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -56,8 +51,6 @@ plugins that use %{name}.
|
|||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .ldapconfpatch
|
||||
%patch3 -p1 -b .docpassexpire
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
|
@ -77,6 +70,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
|||
--sbindir=%{_sbindir} \
|
||||
--libdir=%{_libdir} \
|
||||
--docdir=%{_pkgdocdir} \
|
||||
--disable-root-mailer \
|
||||
--with-logging=syslog \
|
||||
--with-logfac=authpriv \
|
||||
--with-pam \
|
||||
|
@ -100,6 +94,7 @@ make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` s
|
|||
|
||||
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
|
||||
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
|
||||
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
|
||||
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
|
||||
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
|
||||
|
||||
|
@ -155,6 +150,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%config(noreplace) /etc/pam.d/sudo-i
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
||||
%dir /var/db/sudo
|
||||
%dir /var/db/sudo/lectured
|
||||
%attr(4111,root,root) %{_bindir}/sudo
|
||||
%{_bindir}/sudoedit
|
||||
%attr(0111,root,root) %{_bindir}/sudoreplay
|
||||
|
@ -193,6 +189,37 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_libexecdir}/sudo/libsudo_util.so
|
||||
|
||||
%changelog
|
||||
* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.18p1-1
|
||||
- update to 1.8.18p1
|
||||
- fixes CVE-2016-7076
|
||||
|
||||
* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1
|
||||
- update to 1.8.18
|
||||
- dropped sudo-1.8.14p1-ldapconfpatch.patch
|
||||
upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html
|
||||
- added --disable-root-mailer as configure option
|
||||
Resolves: rhbz#1324091
|
||||
|
||||
* Mon Jul 11 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1
|
||||
- update to 1.8.17p1
|
||||
- install the /var/db/sudo/lectured
|
||||
|
||||
* Wed Jun 1 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-2
|
||||
- removed INPUTRC from env_keep to prevent a possible info leak
|
||||
Resolves: rhbz#1340701
|
||||
|
||||
* Thu Nov 5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1
|
||||
- update to 1.8.15
|
||||
- fixes CVE-2015-5602
|
||||
|
||||
* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1
|
||||
- update to 1.8.14p3
|
||||
|
||||
* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1
|
||||
- update to 1.8.14p1-1
|
||||
- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch
|
||||
- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch
|
||||
|
||||
* Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2
|
||||
- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time
|
||||
- Resolves: rhbz#1162070
|
||||
|
|
|
@ -0,0 +1,96 @@
|
|||
## Sudoers allows particular users to run various commands as
|
||||
## the root user, without needing the root password.
|
||||
##
|
||||
## Examples are provided at the bottom of the file for collections
|
||||
## of related commands, which can then be delegated out to particular
|
||||
## users or groups.
|
||||
##
|
||||
## This file must be edited with the 'visudo' command.
|
||||
|
||||
## Host Aliases
|
||||
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||
## wildcards for entire domains) or IP addresses instead.
|
||||
# Host_Alias FILESERVERS = fs1, fs2
|
||||
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||
|
||||
## User Aliases
|
||||
## These aren't often necessary, as you can use regular groups
|
||||
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||
## rather than USERALIAS
|
||||
# User_Alias ADMINS = jsmith, mikem
|
||||
|
||||
|
||||
## Command Aliases
|
||||
## These are groups of related commands...
|
||||
|
||||
## Networking
|
||||
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||
|
||||
## Installation and management of software
|
||||
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||
|
||||
## Services
|
||||
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
|
||||
|
||||
## Updating the locate database
|
||||
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||
|
||||
## Storage
|
||||
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||
|
||||
## Delegating permissions
|
||||
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||
|
||||
## Processes
|
||||
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||
|
||||
## Drivers
|
||||
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||
|
||||
# Defaults specification
|
||||
|
||||
#
|
||||
# Refuse to run if unable to disable echo on the tty.
|
||||
#
|
||||
Defaults !visiblepw
|
||||
|
||||
Defaults env_reset
|
||||
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||
|
||||
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
## Next comes the main part: which users can run what software on
|
||||
## which machines (the sudoers file can be shared between multiple
|
||||
## systems).
|
||||
## Syntax:
|
||||
##
|
||||
## user MACHINE=COMMANDS
|
||||
##
|
||||
## The COMMANDS section may have other options added to it.
|
||||
##
|
||||
## Allow root to run any commands anywhere
|
||||
root ALL=(ALL) ALL
|
||||
|
||||
## Allows members of the 'sys' group to run networking, software,
|
||||
## service management apps and more.
|
||||
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||
|
||||
## Allows people in group wheel to run all commands
|
||||
%wheel ALL=(ALL) ALL
|
||||
|
||||
## Same thing without a password
|
||||
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||
|
||||
## Allows members of the users group to mount and unmount the
|
||||
## cdrom as root
|
||||
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||
|
||||
## Allows members of the users group to shutdown this system
|
||||
# %users localhost=/sbin/shutdown -h now
|
||||
|
||||
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||
#includedir /etc/sudoers.d
|
Loading…
Reference in New Issue