Accepting request 998277 from home:jsikes:branches:Base:System

Updated. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/998277
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
Jason Sikes 2022-08-23 23:14:55 +00:00 committed by Git OBS Bridge
parent 211bbb80cf
commit 1b78263838
8 changed files with 212 additions and 13 deletions


@ -0,0 +1,116 @@
From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Mon, 25 Jul 2022 15:21:39 +1000
Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
In most unix-style LDAP servers, uid is a utf8 string defined by
OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
that sudoUser could only represent a subset of possible values.
In some cases when using sudoers.ldap, the uid from the machine
which was utf8 was fed back into sudo which would then issue a
search for sudoUsers. If this uid contained utf8 characters, the
ldap server would refuse to match into sudoUsers because these
were limited to IA5.
This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
that this change will not impact existing deployments and their
rules.
---
docs/schema.OpenLDAP | 14 +++++++-------
docs/schema.iPlanet | 6 +++---
docs/schema.olcSudo | 14 +++++++-------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
index e1d525f84..451c5250a 100644
--- a/docs/schema.OpenLDAP
+++ b/docs/schema.OpenLDAP
@@ -7,9 +7,9 @@
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
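
Review bot: Switching EQUALITY and SUBSTR on the existing sudoUser attribute (caseExactIA5Match to caseExactMatch, caseExactIA5SubstringsMatch to caseExactSubstringsMatch) needs an upgrade note for servers that already have this schema loaded and index sudoUser. The commit message covers value compatibility (IA5 is a subset of UTF-8) but does not say whether equality and substring indexes built under the IA5 rules have to be rebuilt after the schema file is replaced. Please state that in the commit message or alongside the schema.
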
@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
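
Review bot: The subject line names only sudoUser, but this hunk also moves sudoRunAsUser and sudoRunAsGroup to caseExactMatch with SYNTAX 1.3.6.1.4.1.1466.115.121.1.15. Please name both attributes in the commit message so that anyone auditing which accounts can be impersonated sees that runas matching changed as well. Neither attribute declares a SUBSTR rule before or after the change, so nothing else needs converting in these two definitions.
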
diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
index e51286436..56ad02bc0 100644
--- a/docs/schema.iPlanet
+++ b/docs/schema.iPlanet
@@ -1,11 +1,11 @@
dn: cn=schema
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
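
Review bot: sudoRunAs (1.3.6.1.4.1.15953.9.1.4, marked deprecated) stays on caseExactIA5Match with SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 while sudoRunAsUser and sudoRunAsGroup move to 1.3.6.1.4.1.1466.115.121.1.15, so a rule that still uses the deprecated attribute cannot hold a UTF-8 runas name. Either convert it in the same change or say in the commit message that it is intentionally left as IA5. sudoHost, sudoCommand and sudoOption also remain IA5 here, which looks intended but is worth stating.
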
diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
index 8748dfc2a..8948ca4ae 100644
--- a/docs/schema.olcSudo
+++ b/docs/schema.olcSudo
@@ -9,9 +9,9 @@ cn: sudoschema
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4
size 4516568

Binary file not shown.

sudo-1.9.11p3.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
size 4826520

sudo-1.9.11p3.tar.gz.sig Normal file

Binary file not shown.


@ -1,7 +1,7 @@
Index: sudo-1.9.9/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.9/plugins/sudoers/sudoers.in
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
index 5efda5d..ddd311a 100644
--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -32,30 +32,23 @@
##
## Defaults specification
@ -50,12 +50,13 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
@@ -66,9 +59,15 @@
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
@@ -68,10 +61,16 @@
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
@ -67,7 +68,7 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
##
## Runas alias specification
##
@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
@@ -87,13 +86,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
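
Review bot: The changelog records this refresh only as "Modified sudo-sudoers.patch", while the visible differences are the header (the quilt "Index: sudo-1.9.9/..." header replaced by a git header) and shifted hunk positions ("@@ -66,9 +59,15 @@" becomes "@@ -68,10 +61,16 @@", "@@ -84,13 +83,5 @@" becomes "@@ -87,13 +86,5 @@"). This patch carries the distribution's default policy, including the comment that the unconfigured setup asks for the root password, so the changelog should say explicitly whether this is a refresh with no functional change or list what changed in the shipped sudoers defaults.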


@ -1,3 +1,84 @@
-------------------------------------------------------------------
Sat Aug 20 02:04:06 UTC 2022 - Jason Sikes <jsikes@suse.com>
- Update to 1.9.11p3:
* Changes in Sudo 1.9.11
* Fixed a crash in the Python module with Python 3.9.10 on some systems.
Additionally, make check now passes for Python 3.9.10.
* Error messages sent via email now include more details, including the file
name and the line number and column of the error. Multiple errors are sent in
a single message. Previously, only the first error was included.
* Fixed logging of parse errors in JSON format. Previously, the JSON logger would
not write entries unless the command and runuser were set. These may not be
known at the time a parse error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice the value of
LINE_MAX on systems that lack the getdelim() function.
* The tests run by make check now unset the LANGUAGE environment variable.
Otherwise, localization strings will not match if LANGUAGE is set to a
non-English locale. Bug #1025.
* The “starttime” test now passed when run under Debian faketime. Bug #1026.
* The Kerberos authentication module now honors the custom password prompt if one
has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the
header files (currently only GNU libc). This is required to allow the use of
64-bit time values on some 32-bit systems.
* Sudos intercept and log_subcmds options no longer force the command to run in
its own pseudo-terminal. It is now also possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit
point messages sent by the server were incorrect if the command was suspended
or received a window size change event.
* Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration
setting was used.
* The intercept and log_subcmds functionality can now use ptrace(2) on Linux
systems that support seccomp(2) filtering. This has the advantage of working
for both static and dynamic binaries and can work with sudos SELinux RBAC mode.
The following architectures are currently supported: i386, x86_64, aarch64, arm,
mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use
ptrace(2) where possible; the new intercept_type sudoers setting can be used
to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where the execve(2)
wrapper was using the current environment instead of the passed environment
pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now specify an
APPARMOR_PROFILE option to run a command confined by the named AppArmor profile.
* Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were
being treated as paths and an actual path was treated as an error.
* Changes in Sudo 1.9.11p1:
* Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on
some systems when piping a large amount of data through sudo, such as via rsync.
Bug #963.
* Changes to avoid implementation or unspecified behavior when bit shifting signed
values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual page.
GitHub issue #153.
* Changes in Sudo 1.9.11p2:
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to
sudo_logsrvd if the command returned no output.
* Changes in Sudo 1.9.11p3:
* Fixed “connection reset” errors on AIX when running shell scripts with the intercept
or log_subcmds sudoers options enabled. Bug #1034.
* Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers
options are set on systems that enable Nagles algorithm on the loopback device,
such as AIX. Bug #1034.
* Modified sudo-sudoers.patch
- Added sudo-1.9.10-update_sudouser_to_utf8.patch
* [bsc#1197998]
* Enable sudouser LDAP schema to use UTF-8 encodings.
* Sourced from https://github.com/sudo-project/sudo/pull/163
* Credit to William Brown, william.brown@suse.com
-------------------------------------------------------------------
Mon Aug 8 09:17:43 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
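
Review bot: The credit line gives william.brown@suse.com, but the From: header of the added patch reads wbrown@suse.de; use the address from the patch. The entry also describes the patch as enabling UTF-8 for the "sudouser" schema only, although the patch changes sudoRunAsUser and sudoRunAsGroup too, and the patch file is named sudo-1.9.10-update_sudouser_to_utf8.patch while the same entry updates the package to 1.9.11p3.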


@ -17,7 +17,7 @@
Name: sudo
Version: 1.9.10
Version: 1.9.11p3
Release: 0
Summary: Execute some commands as root
License: ISC
@ -33,6 +33,7 @@ Source6: fate_313276_test.sh
Source7: README_313276.test
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
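
Review bot: Patch1 is added without a tag comment, unlike Patch0, which carries "# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config" directly above it. Add a comment line above Patch1 (for example a PATCH-FIX-UPSTREAM line) recording bsc#1197998 and https://github.com/sudo-project/sudo/pull/163, both of which the changelog already gives, so the patch can be dropped once a release contains the schema change.
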
@ -235,13 +236,13 @@ chmod 0440 %{_sysconfdir}/sudoers
%{_tmpfilesdir}/sudo.conf
%files plugin-python
%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
%{_libexecdir}/%{name}/%{name}/python_plugin.so
%files devel
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man8/sudo_plugin.8%{?ext_man}
%{_mandir}/man5/sudo_plugin.5%{?ext_man}
%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
%{_libexecdir}/%{name}/sudo/*.la
%{_libexecdir}/%{name}/*.la
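
Review bot: The changelog has no entry for the packaging changes in this hunk. The sudo_plugin_python and sudo_plugin man pages change section between man8 and man5, and the libtool archive glob changes between %{_libexecdir}/%{name}/sudo/*.la and %{_libexecdir}/%{name}/*.la. Please add a changelog line for both, since a changed man page section or file location affects anyone with packaging or documentation references to the old paths.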