7 Commits
Author | SHA1 | Date |
---|---|---|
Radovan Sroka | 170c92e796 | |
Jens Petersen | 4a1dd8c9f1 | |
alakatos | 3b7c898b0a | |
Cropi | ef428e03d8 | |
Radovan Sroka | f1d474206e | |
Radovan Sroka | 4278f81f02 | |
Radovan Sroka | 885ce4ca3e |
|
@ -17,3 +17,9 @@
|
|||
/sudo-1.8.25.tar.gz
|
||||
/sudo-1.8.25p1.tar.gz
|
||||
/sudo-1.8.27.tar.gz
|
||||
/sudo-1.8.28.tar.gz
|
||||
/sudo-1.8.28p1.tar.gz
|
||||
/sudo-1.8.29.tar.gz
|
||||
/sudo-1.9.0b1.tar.gz
|
||||
/sudo-1.9.0b4.tar.gz
|
||||
/sudo-1.9.2.tar.gz
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
|
||||
From: Evan Anderson <evan@eaanderson.com>
|
||||
Date: Sun, 6 Sep 2020 14:30:54 -0500
|
||||
Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
|
||||
support it
|
||||
|
||||
runstatedir was added in yet-to-be released autoconf 2.70. Some distros
|
||||
are shipping this addition in their autoconf packages, but others, such as Fedora,
|
||||
are not. This causes the rundir variable to be set incorrectly if the configure script
|
||||
is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
|
||||
after regeneration. This change works around that problem by checking that runstatedir
|
||||
is non-empty before potentially using it to set the rundir variable
|
||||
---
|
||||
configure | 2 +-
|
||||
m4/sudo.m4 | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index 0f6ceb16c..2e0838e01 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -26718,7 +26718,7 @@ EOF
|
||||
$as_echo_n "checking for sudo run dir location... " >&6; }
|
||||
if test -n "$with_rundir"; then
|
||||
rundir="$with_rundir"
|
||||
-elif test "$runstatedir" != '${localstatedir}/run'; then
|
||||
+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
|
||||
rundir="$runstatedir/sudo"
|
||||
else
|
||||
# No --with-rundir or --runstatedir specified
|
||||
diff --git a/m4/sudo.m4 b/m4/sudo.m4
|
||||
index a5a972b3c..b3a40b208 100644
|
||||
--- a/m4/sudo.m4
|
||||
+++ b/m4/sudo.m4
|
||||
@@ -120,7 +120,7 @@ dnl
|
||||
AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
|
||||
if test -n "$with_rundir"; then
|
||||
rundir="$with_rundir"
|
||||
-elif test "$runstatedir" != '${localstatedir}/run'; then
|
||||
+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
|
||||
rundir="$runstatedir/sudo"
|
||||
else
|
||||
# No --with-rundir or --runstatedir specified
|
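Review bot: The patch carries the same one-line change twice, once in the generated `configure` (pinned at line 26718) and once in `m4/sudo.m4`; no autoreconf step is visible in the spec, so at build time only the `configure` hunk takes effect and the `m4/sudo.m4` hunk matters only if the script is ever regenerated, which is worth stating next to `Patch2:` in the spec, e.g. `# upstream commit 0d7a041f18c5 (configure + m4); drop once the tarball includes it`. The added `test -n "$runstatedir"` guard only covers the empty-variable case the changelog describes (rundir coming out as `/sudo` instead of `/run/sudo`); when the variable is empty the logic now falls through to the `else` branch, whose body lies outside this hunk, so confirm that the fallback there yields the intended `/run/sudo` on this distro. Because the `configure` hunk is anchored to a line number in a generated file, it will need refreshing on each rebase.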
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (sudo-1.8.27.tar.gz) = 0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac
|
||||
SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21
|
||||
|
|
87
sudo.spec
87
sudo.spec
|
@ -1,12 +1,10 @@
|
|||
%global user millert
|
||||
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.27
|
||||
Release: 3%{?dist}
|
||||
Version: 1.9.2
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
|
||||
Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
|
||||
Source1: sudoers
|
||||
Requires: pam
|
||||
Recommends: vim-minimal
|
||||
|
@ -26,6 +24,7 @@ BuildRequires: zlib-devel
|
|||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
Patch2: configure-runstatedir.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -46,10 +45,22 @@ Requires: %{name} = %{version}-%{release}
|
|||
The %{name}-devel package contains header files developing sudo
|
||||
plugins that use %{name}.
|
||||
|
||||
|
||||
%package logsrvd
|
||||
Summary: High-performance log server for %{name}
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
|
||||
%description logsrvd
|
||||
%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
|
||||
It can be used to implement centralized logging of sudo logs.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .runstatedir
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
|
@ -69,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
|||
--sbindir=%{_sbindir} \
|
||||
--libdir=%{_libdir} \
|
||||
--docdir=%{_pkgdocdir} \
|
||||
--enable-openssl \
|
||||
--disable-root-mailer \
|
||||
--with-logging=syslog \
|
||||
--with-logfac=authpriv \
|
||||
|
@ -153,7 +165,8 @@ EOF
|
|||
%config(noreplace) /etc/pam.d/sudo
|
||||
%config(noreplace) /etc/pam.d/sudo-i
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
||||
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
|
||||
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
|
||||
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
|
||||
%dir /var/db/sudo
|
||||
%dir /var/db/sudo/lectured
|
||||
%attr(4111,root,root) %{_bindir}/sudo
|
||||
|
@ -165,7 +178,9 @@ EOF
|
|||
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
|
||||
%{_libexecdir}/sudo/libsudo_util.so.?
|
||||
|
@ -179,6 +194,7 @@ EOF
|
|||
%{_mandir}/man8/visudo.8*
|
||||
%{_mandir}/man1/cvtsudoers.1.gz
|
||||
%{_mandir}/man5/sudoers_timestamp.5.gz
|
||||
%{_mandir}/man8/sudo_plugin_python.8.gz
|
||||
%dir %{_pkgdocdir}/
|
||||
%{_pkgdocdir}/*
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
|
@ -195,7 +211,66 @@ EOF
|
|||
%{_includedir}/sudo_plugin.h
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%files logsrvd
|
||||
%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
|
||||
%attr(0755,root,root) %{_sbindir}/sudo_sendlog
|
||||
%{_mandir}/man5/sudo_logsrv.proto.5.gz
|
||||
%{_mandir}/man5/sudo_logsrvd.conf.5.gz
|
||||
%{_mandir}/man8/sudo_logsrvd.8.gz
|
||||
%{_mandir}/man8/sudo_sendlog.8.gz
|
||||
|
||||
%changelog
|
||||
* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
|
||||
- rebase to 1.9.2
|
||||
Resolves: rhbz#1859577
|
||||
- added logsrvd subpackage
|
||||
- added openssl-devel buildrequires
|
||||
Resolves: rhbz#1860653
|
||||
- fixed sudo runstatedir path
|
||||
- it was generated as /sudo instead of /run/sudo
|
||||
Resolves: rhbz#1868215
|
||||
- added /var/lib/snapd/snap/bin to secure_path variable
|
||||
Resolves: rhbz#1691996
|
||||
|
||||
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
|
||||
- update to latest development version 1.9.0b4
|
||||
Resolves: rhbz#1816593
|
||||
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
|
||||
Resolves: rhbz#1773148
|
||||
|
||||
* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
|
||||
- update to latest development version 1.9.0b1
|
||||
- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
|
||||
Resolves: rhbz#1787823
|
||||
- Stack based buffer overflow in when pwfeedback is enabled
|
||||
Resolves: rhbz#1796945
|
||||
- fixes: CVE-2019-18634
|
||||
- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
|
||||
Resolves: rhbz#1786709
|
||||
- fixes CVE-2019-19234
|
||||
- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
|
||||
Resolves: rhbz#1786705
|
||||
- fixes CVE-2019-19232
|
||||
|
||||
* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1
|
||||
- rebase to 1.8.29
|
||||
Resolves: rhbz#1766233
|
||||
|
||||
* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
|
||||
- rebase to 1.8.28p1
|
||||
Resolves: rhbz#1762350
|
||||
|
||||
* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1
|
||||
- rebase to 1.8.28
|
||||
Resolves: rhbz#1761533
|
||||
- set always_set_home by default
|
||||
Resolves: rhbz#1728687
|
||||
- Sync sudoers options from rhel8 to fedora
|
||||
Resolves: rhbz#1761781
|
||||
- CVE-2019-14287
|
||||
Resolves: rhbz#1761584
|
||||
|
||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
|
|
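Review bot: `Source0` now points at `https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz` while `Version` is bumped to `1.9.2`, which the changelog calls a rebase rather than a development snapshot; the previous line used `dist/`, so the `beta/` path looks like a leftover from the 1.9.0b1/b4 updates and should be checked to resolve, since the `sources` entry only records the SHA512 of whatever was actually downloaded. While the source line is being touched, sudo.ws publishes detached `.sig` files for its tarballs, and adding one as a Source plus a `%{gpgverify}` call in `%prep` would bind the checksum in `sources` to the upstream key instead of to a single download. `BuildRequires: openssl-devel` sits inside the `%package logsrvd` stanza, but BuildRequires are global to the spec regardless of placement, so it reads as subpackage-scoped when it really backs the top-level `--enable-openssl`; move it beside `BuildRequires: zlib-devel`. `Patch2: configure-runstatedir.patch` also lacks the provenance comment that `Patch1` has (`# don't strip`), e.g. `# upstream 0d7a041f18c5: guard empty runstatedir; drop once included upstream`.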
28
sudoers
28
sudoers
|
@ -30,7 +30,7 @@
|
|||
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||
|
||||
## Services
|
||||
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
|
||||
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||
|
||||
## Updating the locate database
|
||||
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||
|
@ -54,6 +54,24 @@
|
|||
#
|
||||
Defaults !visiblepw
|
||||
|
||||
#
|
||||
# Preserving HOME has security implications since many programs
|
||||
# use it when searching for configuration files. Note that HOME
|
||||
# is already set when the the env_reset option is enabled, so
|
||||
# this option is only effective for configurations where either
|
||||
# env_reset is disabled or HOME is present in the env_keep list.
|
||||
#
|
||||
Defaults always_set_home
|
||||
Defaults match_group_by_gid
|
||||
|
||||
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||
# found in the system group database were passed to the group
|
||||
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||
# %:group are resolved via the group plugin by default.
|
||||
# We enable always_query_group_plugin to restore old behavior.
|
||||
# Disable this option for new behavior.
|
||||
Defaults always_query_group_plugin
|
||||
|
||||
Defaults env_reset
|
||||
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||
|
@ -61,7 +79,13 @@ Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
|
|||
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||
|
||||
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
#
|
||||
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||
# commands via sudo.
|
||||
#
|
||||
# Defaults env_keep += "HOME"
|
||||
|
||||
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||
|
||||
## Next comes the main part: which users can run what software on
|
||||
## which machines (the sudoers file can be shared between multiple
|
||||
|
|
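Review bot: The new `Defaults secure_path` line appends `/var/lib/snapd/snap/bin` with no explanation, while every other security-relevant default added in this section (`always_set_home`, the `HOME`/`env_keep` block) is commented in place; `secure_path` decides which directories sudo resolves commands from for every rule in the file, so the widening deserves the same treatment, e.g. `# /var/lib/snapd/snap/bin: snap-installed commands (rhbz#1691996); only root-owned, non-world-writable directories belong here`. The new `always_set_home` comment reads `when the the env_reset option is enabled`, a doubled word. The unchanged-in-spirit hunk at `-30,7 +30,7` only extends a commented-out `Cmnd_Alias SERVICES` example and needs nothing.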