pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
sudo/sudo-sudoers.patch

116 lines
4.7 KiB
Diff
Raw Normal View History

Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
Index: sudo-1.8.28/plugins/sudoers/sudoers.in
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 11:38:45 +00:00
===================================================================
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
--- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200
+++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 11:38:45 +00:00
@@ -32,30 +32,23 @@
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
-##
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
Accepting request 213857 from home:vitezslav_cizek:branches:Base:System - update to 1.8.9p3 - set secure_path to /usr/sbin:/usr/bin:/sbin:/bin - changes since 1.8.8: * Fixed a bug introduced in sudo 1.8.9 that prevented the tty name from being resolved properly on Linux systems. Bug #630. * Updated config.guess, config.sub and libtool to support the ppc64le architecture (IBM PowerPC Little Endian). * Fixed a problem with gcc 4.8's handling of bit fields that could lead to the noexec flag being enabled even when it was not explicitly set. * Reworked sudo's main event loop to use a simple event subsystem using poll(2) or select(2) as the back end. * It is now possible to statically compile the sudoers plugin into the sudo binary without disabling shared library support. The sudo.conf file may still be used to configure other plugins. * Sudo can now be compiled again with a C preprocessor that does not support variadic macros. * Visudo can now export a sudoers file in JSON format using the new -x flag. * The locale is now set correctly again for visudo and sudoreplay. * The plugin API has been extended to allow the plugin to exclude specific file descriptors from the "closefrom" range. * There is now a workaround for a Solaris-specific problem where NOEXEC was overriding traditional root DAC behavior. * Add user netgroup filtering for SSSD. Previously, rules for a netgroup were applied to all even when they did not belong to the specified netgroup. * On systems with BSD login classes, if the user specified a group (not a user) to run the command as, it was possible to specify a different login class even when the command was not run as the OBS-URL: https://build.opensuse.org/request/show/213857 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=65
2014-01-15 10:13:18 +00:00
+## Path that will be used for every command run from sudo
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
Accepting request 724360 from home:okurz:branches:Base:System Correct typo in sudoers patch OBS-URL: https://build.opensuse.org/request/show/724360 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=154
2019-08-19 08:38:01 +00:00
+## Following list will no longer be necessary after this change
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+## Comment out the preceding line and uncomment the following one if you need
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
+## to use special input methods. This may allow users to compromise the root
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+## account if they are allowed to run commands without authentication.
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 11:38:45 +00:00
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
@@ -66,9 +59,15 @@
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
# Defaults!REBOOT !log_output
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 06:00:36 +00:00
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
+
##
## Runas alias specification
##
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 11:38:45 +00:00
@@ -84,14 +83,6 @@ root ALL=(ALL) ALL
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 16:30:47 +00:00
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
## (the '#' here does not indicate a comment)
#includedir @sysconfdir@/sudoers.d
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
Index: sudo-1.8.28/doc/sudoers.mdoc.in
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 11:38:45 +00:00
===================================================================
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
--- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200
+++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200
@@ -1972,7 +1972,7 @@ is present in the
Accepting request 182920 from home:vitezslav_cizek:branches:Base:System - fix the default flag settings in manual to reflect changes caused by sudo-sudoers.patch (bnc#823292) OBS-URL: https://build.opensuse.org/request/show/182920 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=61
2013-07-12 14:58:55 +00:00
.Em env_keep
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
list, both of which are strongly discouraged.
Accepting request 182920 from home:vitezslav_cizek:branches:Base:System - fix the default flag settings in manual to reflect changes caused by sudo-sudoers.patch (bnc#823292) OBS-URL: https://build.opensuse.org/request/show/182920 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=61
2013-07-12 14:58:55 +00:00
This flag is
-.Em off
+.Em on
by default.
.It authenticate
If set, users must authenticate themselves via a password (or other
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
@@ -2364,7 +2364,7 @@ If set,
Accepting request 182920 from home:vitezslav_cizek:branches:Base:System - fix the default flag settings in manual to reflect changes caused by sudo-sudoers.patch (bnc#823292) OBS-URL: https://build.opensuse.org/request/show/182920 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=61
2013-07-12 14:58:55 +00:00
.Nm sudo
will insult users when they enter an incorrect password.
This flag is
-.Em @insults@
+.Em off
by default.
.It log_host
If set, the host name will be logged in the (non-syslog)
Accepting request 738914 from home:vitezslav_cizek:branches:Base:System - Update to 1.8,28p1 * The fix for Bug #869 caused "sudo -v" to prompt for a password when "verifypw" is set to "all" (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901. - Update to 1.8.28 * Fixed CVE-2019-14287 (bsc#1153674), a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. * Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set. * The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878. * Sudo will now filter out last login messages on HP-UX unless it a shell is being run via "sudo -s" or "sudo -i". Otherwise, when trusted mode is enabled, these messages will be displayed for each command. * Sudo has a new -B command line option that will ring the terminal bell when prompting for a password. * Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment. * The "env_editor" sudoers flag is now on by default. This makes source builds more consistent with the packages generated by OBS-URL: https://build.opensuse.org/request/show/738914 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
@@ -2941,7 +2941,7 @@ database as an argument to the
Accepting request 182920 from home:vitezslav_cizek:branches:Base:System - fix the default flag settings in manual to reflect changes caused by sudo-sudoers.patch (bnc#823292) OBS-URL: https://build.opensuse.org/request/show/182920 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=61
2013-07-12 14:58:55 +00:00
.Fl u
option.
This flag is
-.Em off
+.Em on
by default.
.It tty_tickets
If set, users must authenticate on a per-tty basis.
Reference in New Issue Copy Permalink