Accepting request 964503 from home:dirkmueller:Factory

- update to 1.9.10: * Added new log_passwords and passprompt_regex sudoers options. If log_passwords is disabled, sudo will attempt to prevent passwords from being logged. If sudo detects any of the regular expressions in the passprompt_regex list in the terminal output, sudo will log ‘*’ characters instead of the terminal input until a newline or carriage return is found in the input or an output character is received. * Added new log_passwords and passprompt_regex settings to sudo_logsrvd that operate like the sudoers options when logging terminal input. * Fixed several few bugs in the cvtsudoers utility when merging multiple sudoers sources. * Fixed a bug in sudo_logsrvd parsing the sudo_logsrvd.conf file, where the retry_interval in the [relay] section was not being recognized. * Restored the pre-1.9.9 behavior of not performing authentication when sudo’s -n option is specified. A new noninteractive_auth sudoers option has been added to enable PAM authentication in non-interactive mode. GitHub issue #131. * On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo (other systems) file is missing or invalid, sudo will now check file descriptors 0-2 to determine the user’s terminal. Bug #1020. * Fixed a compilation problem on Debian kFreeBSD. Bug #1021. * Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is received. * Fixed an issue that resulting in “problem with defaults entries” email to be sent if a user ran sudo when the sudoers entry in the nsswitch.conf file includes “sss” but no sudo provider is configured in /etc/sssd/sssd.conf. * Updated the warning displayed when the invoking user is not allowed to run sudo. If sudo has been configured to send mail on failed attempts (see the mail_* flags in sudoers), it will now print “This incident has been reported to the administrator.” If the mailto or mailerpath sudoers settings are disabled, the message will not be printed and no mail will be sent. OBS-URL: https://build.opensuse.org/request/show/964503 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=211
2022-03-25 04:48:17 +00:00 · 2022-03-25 04:48:17 +00:00 · 188f5779d8
commit 188f5779d8
parent c9aee8b1e3
8 changed files with 57 additions and 171 deletions
--- a/feature-upstream-restrict-sudo-U-other-l.patch
+++ b/feature-upstream-restrict-sudo-U-other-l.patch
@ -1,143 +0,0 @@
-From 9f695f0fcc749b3cdebc453ba4fdeae84114f3ae Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Mon, 14 Feb 2022 13:09:55 -0700
-Subject: [PATCH] Restrict "sudo -U other -l" to users with sudo ALL for root
- or "other". Having "sudo ALL" permissions in no longer sufficient to be able
- to list another user's privileges.  The invoking user must now have "sudo
- ALL" for root or the target user. GitHub issue #134
-
---
- docs/sudo.man.in         | 11 ++++++-----
- docs/sudo.mdoc.in        | 11 ++++++-----
- plugins/sudoers/parse.c  | 34 ++++++++++++++++++++++++----------
- plugins/sudoers/policy.c |  5 +++++
- 4 files changed, 41 insertions(+), 20 deletions(-)
-
-Index: sudo-1.9.9/docs/sudo.man.in
-===================================================================
--- sudo-1.9.9.orig/docs/sudo.man.in
-+++ sudo-1.9.9/docs/sudo.man.in
-@@ -664,11 +664,12 @@ option to list the privileges for
- \fIuser\fR
- instead of for the invoking user.
- The security policy may restrict listing other users' privileges.
-The
-+When using the
- \fIsudoers\fR
-policy only allows root or a user with the
-\fRALL\fR
-privilege on the current host to use this option.
-+policy, only root or a user with the ability to run any command as
-+either root or the specified
-+\fIuser\fR
-+on the current host may use this option.
- .TP 12n
- \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
- Used to set a timeout for the command.
-Index: sudo-1.9.9/docs/sudo.mdoc.in
-===================================================================
--- sudo-1.9.9.orig/docs/sudo.mdoc.in
-+++ sudo-1.9.9/docs/sudo.mdoc.in
-@@ -620,11 +620,12 @@ option to list the privileges for
- .Ar user
- instead of for the invoking user.
- The security policy may restrict listing other users' privileges.
-The
-+When using the
- .Em sudoers
-policy only allows root or a user with the
-.Li ALL
-privilege on the current host to use this option.
-+policy, only root or a user with the ability to run any command as
-+either root or the specified
-+.Ar user
-+on the current host may use this option.
- .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout
- Used to set a timeout for the command.
- If the timeout expires before the command has exited, the
-Index: sudo-1.9.9/plugins/sudoers/parse.c
-===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/parse.c
-+++ sudo-1.9.9/plugins/sudoers/parse.c
-@@ -43,24 +43,26 @@ static int
- sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
-     int validated, int pwflag)
- {
-    int match;
-+    struct passwd *root_pw = NULL;
-     struct sudo_nss *nss;
-     struct cmndspec *cs;
-     struct privilege *priv;
-     struct userspec *us;
-     struct defaults *def;
-    int nopass;
-+    int nopass, match = DENY;
-     enum def_tuple pwcheck;
-     debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
- 
-     pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
-     nopass = (pwcheck == never || pwcheck == all) ? true : false;
- 
-    if (list_pw == NULL)
-	SET(validated, FLAG_NO_CHECK);
-     CLR(validated, FLAG_NO_USER);
-     CLR(validated, FLAG_NO_HOST);
-    match = DENY;
-+    if (list_pw != NULL) {
-+	root_pw = sudo_getpwuid(ROOT_UID);
-+    } else {
-+	SET(validated, FLAG_NO_CHECK);
-+    }
-     TAILQ_FOREACH(nss, snl, entries) {
- 	if (nss->query(nss, pw) == -1) {
- 	    /* The query function should have printed an error message. */
-@@ -89,16 +91,28 @@ sudoers_lookup_pseudo(struct sudo_nss_li
- 		    }
- 		    if (match == ALLOW)
- 			continue;
-		    /* Only check the command when listing another user. */
-+
-+		    /* Only check runas/command when listing another user. */
- 		    if (user_uid == 0 || list_pw == NULL ||
-			user_uid == list_pw->pw_uid ||
-			cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
-			NULL) == ALLOW)
-			    match = ALLOW;
-+			    user_uid == list_pw->pw_uid) {
-+			match = ALLOW;
-+			continue;
-+		    }
-+		    /* Runas user must match list user or root. */
-+		    if (userlist_matches(nss->parse_tree, list_pw,
-+			    cs->runasuserlist) == DENY ||
-+			    userlist_matches(nss->parse_tree, root_pw,
-+			    cs->runasuserlist) != ALLOW)
-+			continue;
-+		    if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
-+			    NULL) == ALLOW)
-+			match = ALLOW;
- 		}
- 	    }
- 	}
-     }
-+    if (root_pw != NULL)
-+	sudo_pw_delref(root_pw);
-     if (match == ALLOW || user_uid == 0) {
- 	/* User has an entry for this host. */
- 	SET(validated, VALIDATE_SUCCESS);
-Index: sudo-1.9.9/plugins/sudoers/policy.c
-===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/policy.c
-+++ sudo-1.9.9/plugins/sudoers/policy.c
-@@ -1217,6 +1217,11 @@ sudoers_policy_list(int argc, char * con
- 	    sudo_warnx(U_("unknown user %s"), list_user);
- 	    debug_return_int(-1);
- 	}
-+	/* A user may only list another user they have runas access to. */
-+	if (runas_pw != NULL)
-+	    sudo_pw_delref(runas_pw);
-+	runas_pw = list_pw;
-+	sudo_pw_addref(list_pw);
-     }
-     ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, verbose, NULL);
-     if (list_user) {
--- a/sudo-1.9.10.tar.gz
+++ b/sudo-1.9.10.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4
+size 4516568
--- a/sudo-1.9.10.tar.gz.sig
+++ b/sudo-1.9.10.tar.gz.sig
--- a/sudo-1.9.9-honor-T_opt.patch
+++ b/sudo-1.9.9-honor-T_opt.patch
@ -1,22 +0,0 @@
-From 1f3815c4fb3f282250ff30626979d224e30b4b05 Mon Sep 17 00:00:00 2001
-From: Jaroslav Jindrak <dzejrou@gmail.com>
-Date: Wed, 9 Feb 2022 17:37:26 +0100
-Subject: [PATCH] Do not unset user timeout when no default timeout is set.
-
---
- plugins/sudoers/policy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
-index 26c4be3fe..0482b58dd 100644
--- a/plugins/sudoers/policy.c
-+++ b/plugins/sudoers/policy.c
-@@ -865,7 +865,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
- 
-     if (def_command_timeout > 0 || user_timeout > 0) {
- 	int timeout = user_timeout;
-	if (timeout == 0 || def_command_timeout < timeout)
-+    if (timeout == 0 || (def_command_timeout > 0 && def_command_timeout < timeout))
- 	    timeout = def_command_timeout;
- 	if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
- 	    goto oom;
--- a/sudo-1.9.9.tar.gz
+++ b/sudo-1.9.9.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
-size 4456969
--- a/sudo-1.9.9.tar.gz.sig
+++ b/sudo-1.9.9.tar.gz.sig
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Thu Mar 24 08:18:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.9.10:
+  * Added new log_passwords and passprompt_regex sudoers options. If
+    log_passwords is disabled, sudo will attempt to prevent passwords from being
+    logged. If sudo detects any of the regular expressions in the passprompt_regex
+    list in the terminal output, sudo will log ‘*’ characters instead of the
+    terminal input until a newline or carriage return is found in the input or an
+    output character is received.
+  * Added new log_passwords and passprompt_regex settings to sudo_logsrvd that
+    operate like the sudoers options when logging terminal input.
+  * Fixed several few bugs in the cvtsudoers utility when merging multiple sudoers
+    sources.
+  * Fixed a bug in sudo_logsrvd parsing the sudo_logsrvd.conf file, where the
+    retry_interval in the [relay] section was not being recognized.
+  * Restored the pre-1.9.9 behavior of not performing authentication when sudo’s -n
+    option is specified. A new noninteractive_auth sudoers option has been added to
+    enable PAM authentication in non-interactive mode. GitHub issue #131.
+  * On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo
+    (other systems) file is missing or invalid, sudo will now check file
+    descriptors 0-2 to determine the user’s terminal. Bug #1020.
+  * Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
+  * Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is
+    received.
+  * Fixed an issue that resulting in “problem with defaults entries” email to be
+    sent if a user ran sudo when the sudoers entry in the nsswitch.conf file
+    includes “sss” but no sudo provider is configured in /etc/sssd/sssd.conf.
+  * Updated the warning displayed when the invoking user is not allowed to run
+    sudo. If sudo has been configured to send mail on failed attempts (see the
+    mail_* flags in sudoers), it will now print “This incident has been reported to
+    the administrator.” If the mailto or mailerpath sudoers settings are disabled,
+    the message will not be printed and no mail will be sent.
+  * Fixed a bug where the user-specified command timeout was not being honored if
+    the sudoers rule did not also specify a timeout.
+  * Added support for using POSIX extended regular expressions in sudoers rules. A
+    command and/or arguments in sudoers are treated as a regular expression if they
+    start with a ‘^’ character and end with a ‘$’. The command and arguments are
+    matched separately, either one (or both) may be a regular expression.
+  * A user may now only run sudo -U otheruser -l if they have a “sudo ALL”
+    privilege where the RunAs user contains either root or otheruser. Previously,
+    having “sudo ALL” was sufficient, regardless of the RunAs user. GitHub issue
+    #134.
+  * The sudo lecture is now displayed immediately before the password prompt. As a
+    result, sudo will no longer display the lecture unless the user needs to enter
+    a password. Authentication methods that don’t interact with the user via a
+    terminal do not trigger the lecture.
+  * Sudo now uses its own closefrom() emulation on Linux systems. The glibc version
+    may not work in a chroot jail where /proc is not available. If close_range(2)
+    is present, it will be used in preference to /proc/self/fd.
+- drop sudo-1.9.9-honor-T_opt.patch , feature-upstream-restrict-sudo-U-other-l.patch
+  (upstream) 
+
 -------------------------------------------------------------------
 Thu Mar  3 12:00:46 UTC 2022 - Jason Sikes <jsikes@suse.com>

--- a/sudo.spec
+++ b/sudo.spec
@ -22,7 +22,7 @@
 %define use_usretc 1
 %endif
 Name:           sudo
-Version:        1.9.9
+Version:        1.9.10
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -38,8 +38,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         feature-upstream-restrict-sudo-U-other-l.patch
-Patch2:         sudo-1.9.9-honor-T_opt.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff