pool/sudo
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a4384d0471
sudo/sudo-sudoers.patch

73 lines
3.3 KiB
Diff
Raw Normal View History

Accepting request 998277 from home:jsikes:branches:Base:System Updated. Enjoy! OBS-URL: https://build.opensuse.org/request/show/998277 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
2022-08-24 01:14:55 +02:00
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
Accepting request 1002370 from home:jsikes:branches:Base:System Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy! OBS-URL: https://build.opensuse.org/request/show/1002370 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-14 01:23:53 +02:00
index 5efda5d..e757da4 100644
Accepting request 998277 from home:jsikes:branches:Base:System Updated. Enjoy! OBS-URL: https://build.opensuse.org/request/show/998277 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
2022-08-24 01:14:55 +02:00
--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
Accepting request 1002370 from home:jsikes:branches:Base:System Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy! OBS-URL: https://build.opensuse.org/request/show/1002370 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-14 01:23:53 +02:00
@@ -32,32 +32,23 @@
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 08:00:36 +02:00
-##
Accepting request 1002370 from home:jsikes:branches:Base:System Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy! OBS-URL: https://build.opensuse.org/request/show/1002370 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-14 01:23:53 +02:00
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
Accepting request 724360 from home:okurz:branches:Base:System Correct typo in sudoers patch OBS-URL: https://build.opensuse.org/request/show/724360 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=154
2019-08-19 10:38:01 +02:00
+## Following list will no longer be necessary after this change
Accepting request 905883 from home:ykurlaev:branches:Base:System Fix LC_TIME incorrectly named LC_ATIME OBS-URL: https://build.opensuse.org/request/show/905883 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=200
2021-07-28 16:44:04 +02:00
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
+## Comment out the preceding line and uncomment the following one if you need
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 08:00:36 +02:00
+## to use special input methods. This may allow users to compromise the root
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
+## account if they are allowed to run commands without authentication.
Accepting request 908959 from home:ykurlaev:branches:Base:System2 - Fix commented out "Defaults env_keep" in sudo-sudoers.patch OBS-URL: https://build.opensuse.org/request/show/908959 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=203
2021-09-21 16:53:15 +02:00
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
Accepting request 1002370 from home:jsikes:branches:Base:System Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy! OBS-URL: https://build.opensuse.org/request/show/1002370 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-14 01:23:53 +02:00
+## Use this PATH instead of the user's to find commands.
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Accepting request 318161 from home:kstreitova:branches:Base:System - update to 1.8.14p3: * changes in 1.8.14p3 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo from working when no tty was present. Bug #706. * Fixed tty detection on newer AIX systems where dev_t is 64-bit. * changes in 1.8.14p2 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture file from being created. Bug #704. * changes in 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd backend from working. Bug #703. * changes in 1.8.14 * Log messages on Mac OS X now respect sudoers_locale when sudo is build with NLS support. * The sudo manual pages now pass mandoc -Tlint with no warnings. * Fixed a compilation problem on systems with the sig2str() function that do not define SIG2STR_MAX in signal.h. * Worked around a compiler bug that resulted in unexpected behavior when returning an int from a function declared to return bool without an explicit cast. * Worked around a bug in Mac OS X 10.10 BSD auditing where the au_preselect() fails for AUE_sudo events but succeeds for AUE_DARWIN_sudo. * Fixed a hang on Linux systems with glibc when sudo is linked with jemalloc. * When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0. * Fixed a compilation problem on systems that don't pull in definitions of uid_t and gid_t without sys/types.h or unistd.h. OBS-URL: https://build.opensuse.org/request/show/318161 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=87
2015-07-24 13:38:45 +02:00
##
Accepting request 1002370 from home:jsikes:branches:Base:System Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy! OBS-URL: https://build.opensuse.org/request/show/1002370 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-14 01:23:53 +02:00
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
Accepting request 1032754 from home:jsikes:branches:Base:System Changes for bsc#1203978 and PED-260! Enjoy. OBS-URL: https://build.opensuse.org/request/show/1032754 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=221
2022-11-01 23:57:05 +01:00
@@ -68,7 +59,6 @@
Accepting request 998277 from home:jsikes:branches:Base:System Updated. Enjoy! OBS-URL: https://build.opensuse.org/request/show/998277 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
2022-08-24 01:14:55 +02:00
## Set maxseq to a smaller number if you don't have unlimited disk space.
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
Accepting request 255758 from home:tabraham1:branches:Base:System update to sudo-1.8.11p1 OBS-URL: https://build.opensuse.org/request/show/255758 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=75
2014-10-16 08:00:36 +02:00
# Defaults!REBOOT !log_output
Accepting request 998277 from home:jsikes:branches:Base:System Updated. Enjoy! OBS-URL: https://build.opensuse.org/request/show/998277 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
2022-08-24 01:14:55 +02:00
# Defaults maxseq = 1000
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
Accepting request 1032754 from home:jsikes:branches:Base:System Changes for bsc#1203978 and PED-260! Enjoy. OBS-URL: https://build.opensuse.org/request/show/1032754 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=221
2022-11-01 23:57:05 +01:00
@@ -87,9 +84,6 @@ root ALL=(ALL:ALL) ALL
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
## Same thing without a password
Accepting request 950728 from home:simotek:branches:Base:System - Update to 1.9.9 * Sudo can now be built with OpenSSL 3.0 without generating warnings about deprecated OpenSSL APIs. * A digest can now be specified along with the ALL command in the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for this in the sudoers file but did not include corresponding changes for the other back-ends. * visudo now only warns about an undefined alias or a cycle in an alias once for each alias. * The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115. * The cvtsudoers utility has new --group-file and --passwd-file options to use a custom passwd or group file when the --match-local option is also used. * The cvtsudoers utility can now filter or match based on a command. * The cvtsudoers utility can now produce output in csv (comma-separated value) format. This can be used to help generate entitlement reports. * Fixed a bug in sudo_logsrvd that could result in the connection being dropped for very long command lines. * Fixed a bug where sudo_logsrvd would not accept a restore point of zero. * Fixed a bug in visudo where the value of the editor setting was not used if it did not match the user’s EDITOR environment variable. This was only a problem if the env_editor setting was not enabled. Bug #1000. * Sudo now builds with the -fcf-protection compiler option and the -z now linker option if supported. * The output of sudoreplay -l now more closely matches the traditional sudo log format. * The sudo_sendlog utility will now use the full contents of the log.json file, if present. This makes it possible to send sudo-format I/O logs that use the newer log.json format to sudo_logsrvd without losing any information. * Fixed compilation of the arc4random_buf() replacement on systems with arc4random() but no arc4random_buf(). Bug #1008. * Sudo now uses its own getentropy() by default on Linux. The GNU libc version of getentropy() will fail on older kernels that don’t support the getrandom() system call. * It is now possible to build sudo with WolfSSL’s OpenSSL compatibility layer by using the --enable-wolfssl configure option. * Fixed a bug related to Daylight Saving Time when parsing timestamps in Generalized Time format. This affected the NOTBEFORE and NOTAFTER options in sudoers. Bug #1006. * Added the -O and -P options to visudo, which can be used to check or set the owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007. * It is now possible to set resource limits in the sudoers file itself. The special values default and “user” refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file. * The cvtsudoers utility can now merge multiple sudoers sources into a single, combined sudoers file. If there are conflicting entries, cvtsudoers will attempt to resolve them but manual intervention may be required. The merging of sudoers rules is currently fairly simplistic but will be improved in a future release. * Sudo was parsing but not applying the “deref” and “tls_reqcert” ldap.conf settings. This meant the options were effectively ignored which broke dereferencing of aliases in LDAP. Bug #1013. * Clarified in the sudo man page that the security policy may override the user’s PATH environment variable. Bug #1014. * When sudo is run in non-interactive mode (with the -n option), it will now attempt PAM authentication and only exit with an error if user interaction is required. This allows PAM modules that don’t interact with the user to succeed. Previously, sudo would not attempt authentication if the -n option was specified. Bug #956 and GitHub issue #83. * Fixed a regression introduced in version 1.9.1 when sudo is built with the --with-fqdn configure option. The local host name was being resolved before the sudoers file was processed, making it impossible to disable DNS lookups by negating the fqdn sudoers option. Bug #1016. * Added support for negated sudoUser attributes in the LDAP and SSSD sudoers back ends. A matching sudoUser that is negated will cause the sudoRole containing it to be ignored. * Fixed a bug where the stack resource limit could be set to a value smaller than that of the invoking user and not be reset before the command was run. Bug #1016. - sudo no longer ships schema for LDAP. - sudo-feature-negated-LDAP-users.patch dropped, included upstream - refreshed sudo-sudoers.patch OBS-URL: https://build.opensuse.org/request/show/950728 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=207
2022-02-02 13:27:10 +01:00
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
-## Uncomment to allow members of group sudo to execute any command
Accepting request 950728 from home:simotek:branches:Base:System - Update to 1.9.9 * Sudo can now be built with OpenSSL 3.0 without generating warnings about deprecated OpenSSL APIs. * A digest can now be specified along with the ALL command in the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for this in the sudoers file but did not include corresponding changes for the other back-ends. * visudo now only warns about an undefined alias or a cycle in an alias once for each alias. * The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115. * The cvtsudoers utility has new --group-file and --passwd-file options to use a custom passwd or group file when the --match-local option is also used. * The cvtsudoers utility can now filter or match based on a command. * The cvtsudoers utility can now produce output in csv (comma-separated value) format. This can be used to help generate entitlement reports. * Fixed a bug in sudo_logsrvd that could result in the connection being dropped for very long command lines. * Fixed a bug where sudo_logsrvd would not accept a restore point of zero. * Fixed a bug in visudo where the value of the editor setting was not used if it did not match the user’s EDITOR environment variable. This was only a problem if the env_editor setting was not enabled. Bug #1000. * Sudo now builds with the -fcf-protection compiler option and the -z now linker option if supported. * The output of sudoreplay -l now more closely matches the traditional sudo log format. * The sudo_sendlog utility will now use the full contents of the log.json file, if present. This makes it possible to send sudo-format I/O logs that use the newer log.json format to sudo_logsrvd without losing any information. * Fixed compilation of the arc4random_buf() replacement on systems with arc4random() but no arc4random_buf(). Bug #1008. * Sudo now uses its own getentropy() by default on Linux. The GNU libc version of getentropy() will fail on older kernels that don’t support the getrandom() system call. * It is now possible to build sudo with WolfSSL’s OpenSSL compatibility layer by using the --enable-wolfssl configure option. * Fixed a bug related to Daylight Saving Time when parsing timestamps in Generalized Time format. This affected the NOTBEFORE and NOTAFTER options in sudoers. Bug #1006. * Added the -O and -P options to visudo, which can be used to check or set the owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007. * It is now possible to set resource limits in the sudoers file itself. The special values default and “user” refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file. * The cvtsudoers utility can now merge multiple sudoers sources into a single, combined sudoers file. If there are conflicting entries, cvtsudoers will attempt to resolve them but manual intervention may be required. The merging of sudoers rules is currently fairly simplistic but will be improved in a future release. * Sudo was parsing but not applying the “deref” and “tls_reqcert” ldap.conf settings. This meant the options were effectively ignored which broke dereferencing of aliases in LDAP. Bug #1013. * Clarified in the sudo man page that the security policy may override the user’s PATH environment variable. Bug #1014. * When sudo is run in non-interactive mode (with the -n option), it will now attempt PAM authentication and only exit with an error if user interaction is required. This allows PAM modules that don’t interact with the user to succeed. Previously, sudo would not attempt authentication if the -n option was specified. Bug #956 and GitHub issue #83. * Fixed a regression introduced in version 1.9.1 when sudo is built with the --with-fqdn configure option. The local host name was being resolved before the sudoers file was processed, making it impossible to disable DNS lookups by negating the fqdn sudoers option. Bug #1016. * Added support for negated sudoUser attributes in the LDAP and SSSD sudoers back ends. A matching sudoUser that is negated will cause the sudoRole containing it to be ignored. * Fixed a bug where the stack resource limit could be set to a value smaller than that of the invoking user and not be reset before the command was run. Bug #1016. - sudo no longer ships schema for LDAP. - sudo-feature-negated-LDAP-users.patch dropped, included upstream - refreshed sudo-sudoers.patch OBS-URL: https://build.opensuse.org/request/show/950728 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=207
2022-02-02 13:27:10 +01:00
-# %sudo ALL=(ALL:ALL) ALL
- restore accidentally dropped suse-specific patches OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=55
2013-07-02 18:30:47 +02:00
-
Accepting request 1032754 from home:jsikes:branches:Base:System Changes for bsc#1203978 and PED-260! Enjoy. OBS-URL: https://build.opensuse.org/request/show/1032754 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=221
2022-11-01 23:57:05 +01:00
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
Reference in New Issue Copy Permalink