diff --git a/sudo-1.9.10-update_sudouser_to_utf8.patch b/sudo-1.9.10-update_sudouser_to_utf8.patch
new file mode 100644
index 0000000..8e51797
--- /dev/null
+++ b/sudo-1.9.10-update_sudouser_to_utf8.patch
@@ -0,0 +1,116 @@
+From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
+From: William Brown
+Date: Mon, 25 Jul 2022 15:21:39 +1000
+Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
+
+In most unix-style LDAP servers, uid is a utf8 string defined by
+OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
+as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
+that sudoUser could only represent a subset of possible values.
+
+In some cases when using sudoers.ldap, the uid from the machine
+which was utf8 was fed back into sudo which would then issue a
+search for sudoUsers. If this uid contained utf8 characters, the
+ldap server would refuse to match into sudoUsers because these
+were limited to IA5.
+
+This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
+that this change will not impact existing deployments and their
+rules.
+---
+ docs/schema.OpenLDAP | 14 +++++++-------
+ docs/schema.iPlanet | 6 +++---
+ docs/schema.olcSudo | 14 +++++++-------
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
+index e1d525f84..451c5250a 100644
+--- a/docs/schema.OpenLDAP
++++ b/docs/schema.OpenLDAP
+@@ -7,9 +7,9 @@
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+- EQUALITY caseExactIA5Match
+- SUBSTR caseExactIA5SubstringsMatch
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SUBSTR caseExactSubstringsMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 
'Group(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
+index e51286436..56ad02bc0 100644
+--- a/docs/schema.iPlanet
++++ b/docs/schema.iPlanet
+@@ -1,11 +1,11 @@
+ dn: cn=schema
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
++attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
++attributeTypes: ( 
1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
++attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
+index 8748dfc2a..8948ca4ae 100644
+--- a/docs/schema.olcSudo
++++ b/docs/schema.olcSudo
+@@ -9,9 +9,9 @@ cn: sudoschema
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+- EQUALITY caseExactIA5Match
+- SUBSTR caseExactIA5SubstringsMatch
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SUBSTR caseExactSubstringsMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+-
EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
diff --git a/sudo-1.9.10.tar.gz b/sudo-1.9.10.tar.gz
deleted file mode 100644
index df3423a..0000000
--- a/sudo-1.9.10.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4
-size 4516568
diff --git a/sudo-1.9.10.tar.gz.sig b/sudo-1.9.10.tar.gz.sig
deleted file mode 100644
index 09462e3..0000000
Binary files a/sudo-1.9.10.tar.gz.sig and /dev/null differ
diff --git a/sudo-1.9.11p3.tar.gz b/sudo-1.9.11p3.tar.gz
new file mode 100644
index 0000000..db66a26
--- /dev/null
+++ b/sudo-1.9.11p3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
+size 4826520
diff --git a/sudo-1.9.11p3.tar.gz.sig b/sudo-1.9.11p3.tar.gz.sig
new file mode 100644
index 0000000..3cd3712
Binary files /dev/null and b/sudo-1.9.11p3.tar.gz.sig differ
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
index 3db0d09..2806c4e 100644
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -1,7 +1,7 @@
-Index: sudo-1.9.9/plugins/sudoers/sudoers.in
-===================================================================
---- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.9.9/plugins/sudoers/sudoers.in
+diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
+index 5efda5d..ddd311a 100644
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
 @@ -32,30 +32,23 @@
 ##
 ## Defaults specification
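Review bot: The new patch changes the SYNTAX and EQUALITY rules of three attribute types that are already deployed in directories (sudoUser, sudoRunAsUser, sudoRunAsGroup, in all three schema files) but carries no upgrade note, and its claim that the change "will not impact existing deployments" holds for the stored values only, not for the server-side schema. On a running server this is a schema modification: on OpenLDAP cn=config the existing olcAttributeTypes value typically has to be deleted and re-added in one operation, and any equality or substring index on these attributes should be rebuilt afterwards because the normalized form changes, otherwise existing sudoRole entries may silently stop matching. A second caveat worth a sentence in the commit message: caseExactMatch on DirectoryString applies RFC 4518 string preparation (Unicode normalization and insignificant-space handling) before comparing, so two sudoUser values that differ byte-wise can now compare equal, which could not happen with the ASCII-only IA5 rule; deployments that rely on byte-exact matching of sudoUser should know this. Finally, sudoHost, sudoCommand, sudoRunAs and sudoOption are left as IA5 in the same hunk; if that is deliberate it would help to say why, since the same "UTF-8 value fed back from the host" argument could apply to them.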
@@ -50,12 +50,13 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ## Uncomment to use a hard-coded PATH instead of the user's to find commands
 # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ##
-@@ -66,9 +59,15 @@
- ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+@@ -68,10 +61,16 @@
+ ## Set maxseq to a smaller number if you don't have unlimited disk space.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
 -# Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!REBOOT !log_output
+ # Defaults maxseq = 1000
 +## In the default (unconfigured) configuration, sudo asks for the root password.
 +## This allows use of an ordinary user account for administration of a freshly
@@ -67,7 +68,7 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ##
 ## Runas alias specification
 ##
-@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
+@@ -87,13 +86,5 @@ root ALL=(ALL:ALL) ALL
 ## Same thing without a password
 # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
diff --git a/sudo.changes b/sudo.changes
index 09087f1..3eafa65 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Sat Aug 20 02:04:06 UTC 2022 - Jason Sikes
+
+- Update to 1.9.11p3:
+ * Changes in Sudo 1.9.11
+ * Fixed a crash in the Python module with Python 3.9.10 on some systems.
+ Additionally, make check now passes for Python 3.9.10.
+ * Error messages sent via email now include more details, including the file
+ name and the line number and column of the error. Multiple errors are sent in
+ a single message. Previously, only the first error was included.
+ * Fixed logging of parse errors in JSON format. Previously, the JSON logger would
+ not write entries unless the command and runuser were set. These may not be
+ known at the time a parse error is encountered.
+ * Fixed a potential crash parsing sudoers lines larger than twice the value of
+ LINE_MAX on systems that lack the getdelim() function.
+ * The tests run by make check now unset the LANGUAGE environment variable.
+ Otherwise, localization strings will not match if LANGUAGE is set to a
+ non-English locale. Bug #1025.
+ * The “starttime” test now passed when run under Debian faketime. Bug #1026.
+ * The Kerberos authentication module now honors the custom password prompt if one
+ has been specified.
+ * The embedded copy of zlib has been updated to version 1.2.12.
+ * Updated the version of libtool used by sudo to version 2.4.7.
+ * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the
+ header files (currently only GNU libc). This is required to allow the use of
+ 64-bit time values on some 32-bit systems.
+ * Sudo’s intercept and log_subcmds options no longer force the command to run in
+ its own pseudo-terminal. It is now also possible to intercept the system(3) function.
+ * Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit
+ point messages sent by the server were incorrect if the command was suspended
+ or received a window size change event.
+ * Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration
+ setting was used.
+ * The intercept and log_subcmds functionality can now use ptrace(2) on Linux
+ systems that support seccomp(2) filtering. This has the advantage of working
+ for both static and dynamic binaries and can work with sudo’s SELinux RBAC mode.
+ The following architectures are currently supported: i386, x86_64, aarch64, arm,
+ mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use
+ ptrace(2) where possible; the new intercept_type sudoers setting can be used
+ to explicitly set the type.
+ * New Georgian translation from translationproject.org.
+ * Fixed creating packages on CentOS Stream.
+ * Fixed a bug in the intercept and log_subcmds support where the execve(2)
+ wrapper was using the current environment instead of the passed environment
+ pointer. Bug #1030.
+ * Added AppArmor integration for Linux. A sudoers rule can now specify an
+ APPARMOR_PROFILE option to run a command confined by the named AppArmor profile.
+ * Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were
+ being treated as paths and an actual path was treated as an error.
+
+ * Changes in Sudo 1.9.11p1:
+ * Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on
+ some systems when piping a large amount of data through sudo, such as via rsync.
+ Bug #963.
+ * Changes to avoid implementation or unspecified behavior when bit shifting signed
+ values in the protobuf library.
+ * Fixed a compilation error on Linux/aarch64.
+ * Fixed the configure check for seccomp(2) support on Linux.
+ * Corrected the EBNF specification for tags in the sudoers manual page.
+ GitHub issue #153.
+
+ * Changes in Sudo 1.9.11p2:
+ * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
+ * Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to
+ sudo_logsrvd if the command returned no output.
+
+ * Changes in Sudo 1.9.11p3:
+ * Fixed “connection reset” errors on AIX when running shell scripts with the intercept
+ or log_subcmds sudoers options enabled. Bug #1034.
+ * Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers
+ options are set on systems that enable Nagle’s algorithm on the loopback device,
+ such as AIX. Bug #1034.
+
+ * Modified sudo-sudoers.patch
+
+- Added sudo-1.9.10-update_sudouser_to_utf8.patch
+ * [bsc#1197998]
+ * Enable sudouser LDAP schema to use UTF-8 encodings.
+ * Sourced from https://github.com/sudo-project/sudo/pull/163
+ * Credit to William Brown, william.brown@suse.com
+
 -------------------------------------------------------------------
 Mon Aug 8 09:17:43 UTC 2022 - Thorsten Kukuk
diff --git a/sudo.spec b/sudo.spec
index 1df5382..6ecc064 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@
 Name: sudo
-Version: 1.9.10
+Version: 1.9.11p3
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -33,6 +33,7 @@ Source6: fate_313276_test.sh
 Source7: README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
+Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -235,13 +236,13 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_tmpfilesdir}/sudo.conf
 %files plugin-python
-%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
 %{_libexecdir}/%{name}/%{name}/python_plugin.so
 %files devel
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
-%{_mandir}/man8/sudo_plugin.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin.5%{?ext_man}
 %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
 %{_libexecdir}/%{name}/sudo/*.la
 %{_libexecdir}/%{name}/*.la
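Review bot: The `@@ -33,6 +33,7 @@` hunk declares `Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch`, but nothing in this diff applies it; unless %prep (outside the visible hunks) already uses `%autosetup -p1` or `%autopatch`, a matching `%patch1 -p1` line is needed, otherwise the schema fix is announced in sudo.changes but never reaches the built docs. It would also be worth a comment above the Patch1 line in the PATCH-OPENSUSE style used for Patch0, e.g. `# PATCH-FIX-UPSTREAM bsc#1197998 sudo-project/sudo#163 -- sudoUser LDAP schema as UTF-8`, so the provenance the changelog records is visible where the patch is declared. The patch file name carries the old version (1.9.10) while Version moves to 1.9.11p3; harmless now, but it will mislead the next rebase. The man-section changes in the `@@ -235,13 +236,13 @@` hunk presumably track where the 1.9.11p3 tarball installs sudo_plugin and sudo_plugin_python; that cannot be confirmed from this diff, so a build-time check that no man8 copies remain would be prudent.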