Accepting request 59319 from Base:System
Accepted submit request 59319 from user puzel OBS-URL: https://build.opensuse.org/request/show/59319 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=32
This commit is contained in:
Ruediger Oertel
Git OBS Bridge
commit
0855073113
93
sudo-CVE-2011-0010.patch
Normal file
93
sudo-CVE-2011-0010.patch
Normal file
@ -0,0 +1,93 @@
|
||||
# User Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
# Date 1294760019 18000
|
||||
# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
|
||||
# Parent 8f9303326db73a2e00cd53c2515db8188386cfc0
|
||||
If the user is running sudo as himself but as a different group we
|
||||
need to prompt for a password.
|
||||
|
||||
Index: sudo-1.7.2p7/check.c
|
||||
===================================================================
|
||||
--- sudo-1.7.2p7.orig/check.c
|
||||
+++ sudo-1.7.2p7/check.c
|
||||
@@ -93,7 +93,13 @@ check_user(validated, mode)
|
||||
/* do not check or update timestamp */
|
||||
status = TS_ERROR;
|
||||
} else {
|
||||
- if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
|
||||
+ /*
|
||||
+ * Don't prompt for the root passwd or if the user is exempt.
|
||||
+ * If the user is not changing uid/gid, no need for a password.
|
||||
+ */
|
||||
+ if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
|
||||
+ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
|
||||
+ user_is_exempt())
|
||||
return;
|
||||
|
||||
build_timestamp(×tampdir, ×tampfile);
|
||||
Index: sudo-1.7.2p7/pwutil.c
|
||||
===================================================================
|
||||
--- sudo-1.7.2p7.orig/pwutil.c
|
||||
+++ sudo-1.7.2p7/pwutil.c
|
||||
@@ -565,3 +565,50 @@ sudo_endgrent()
|
||||
sudo_freegrcache();
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+
|
||||
+int
|
||||
+user_in_group(struct passwd *pw, const char *group)
|
||||
+{
|
||||
+ char **gr_mem;
|
||||
+ int i;
|
||||
+ struct group *grp;
|
||||
+ int retval = FALSE;
|
||||
+
|
||||
+ grp = sudo_getgrnam(group);
|
||||
+ if (grp == NULL)
|
||||
+ goto done;
|
||||
+
|
||||
+ /* check against user's primary (passwd file) gid */
|
||||
+ if (grp->gr_gid == pw->pw_gid) {
|
||||
+ retval = TRUE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If we are matching the invoking or list user and that user has a
|
||||
+ * supplementary group vector, check it.
|
||||
+ */
|
||||
+ if (user_ngroups > 0 &&
|
||||
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
|
||||
+ for (i = 0; i < user_ngroups; i++) {
|
||||
+ if (grp->gr_gid == user_groups[i]) {
|
||||
+ retval = TRUE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ } else
|
||||
+ {
|
||||
+ if (grp != NULL && grp->gr_mem != NULL) {
|
||||
+ for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
|
||||
+ if (strcmp(*gr_mem, pw->pw_name) == 0) {
|
||||
+ retval = TRUE;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ return(retval);
|
||||
+}
|
||||
Index: sudo-1.7.2p7/sudo.h
|
||||
===================================================================
|
||||
--- sudo-1.7.2p7.orig/sudo.h
|
||||
+++ sudo-1.7.2p7/sudo.h
|
||||
@@ -316,6 +316,7 @@ struct passwd *sudo_getpwuid __P((uid_t)
|
||||
struct group *sudo_getgrnam __P((const char *));
|
||||
struct group *sudo_fakegrnam __P((const char *));
|
||||
struct group *sudo_getgrgid __P((gid_t));
|
||||
+int user_in_group(struct passwd *pw, const char *group);
|
||||
#ifdef HAVE_SELINUX
|
||||
void selinux_exec __P((char *, char *, char **, int));
|
||||
#endif
|
||||
10
sudo.changes
10
sudo.changes
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com
|
||||
|
||||
- added openldap schema file (bnc#667558)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com
|
||||
|
||||
- add sudo-CVE-2011-0010.patch (bnc#663881)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
|
||||
|
||||
|
||||
@ -38,6 +38,7 @@ Patch4: %{name}-1.7.1-strip.diff
|
||||
Patch5: %{name}-1.7.1-secure_path.diff
|
||||
Patch6: %{name}-1.7.1-env.diff
|
||||
Patch7: %{name}-1.7.1-pam_rhost.diff
|
||||
Patch8: sudo-CVE-2011-0010.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -66,6 +67,7 @@ Authors:
|
||||
%patch5
|
||||
%patch6
|
||||
%patch7
|
||||
%patch8 -p1
|
||||
cp %{SOURCE2} .
|
||||
|
||||
%build
|
||||
@ -102,6 +104,8 @@ install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo
|
||||
install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit
|
||||
ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema
|
||||
install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema
|
||||
|
||||
%post
|
||||
chmod 0440 %{_sysconfdir}/sudoers
|
||||
@ -116,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
|
||||
%config %{_sysconfdir}/pam.d/sudo
|
||||
%attr(4755,root,root) %{_bindir}/sudo
|
||||
%dir %{_sysconfdir}/openldap
|
||||
%dir %{_sysconfdir}/openldap/schema
|
||||
%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
|
||||
%{_bindir}/sudoedit
|
||||
%{_sbindir}/*
|
||||
%{_libexecdir}/sudo
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user