Accepting request 794915 from home:kstreitova:branches:Base:System

- Update to 1.9.0rc2
  * Fixed a test failure in the strsig_test regress test on FreeBSD.
  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
    used to implement centralized logging of I/O logs.  TLS connections
    are supported when sudo is configured with the --enable-openssl
    option.  For more information, see the sudo_logsrvd, logsrvd.conf
    and sudo_logsrv.proto manuals as well as the log_servers setting
    in the sudoers manual.
    The --disable-log-server and --disable-log-client configure
    options can be used to disable building the I/O log server and/or
    remote I/O log support in the sudoers plugin.
  * The new sudo_sendlog utility can be used to test sudo_logsrvd
    or send existing sudo I/O logs to a centralized server.
  * It is now possible to write sudo plugins in Python 3 when sudo
    is configured with the --enable-python> option.  See the
    sudo_plugin_python.man.html manual for details.
    Sudo 1.9.0 comes with several Python example plugins that get
    installed sudo's examples directory.
    The sudo blog article "What's new in sudo 1.9: Python"
    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
    includes a simple tutorial on writing python plugins.
  * Sudo now supports an "audit" plugin type.  An audit plugin
    receives accept, reject, exit and error messages and can be used
    to implement custom logging that is independent of the underlying
    security policy.   Multiple audit plugins may be specified in
    the sudo.conf file.  A sample audit plugin is included that
    writes logs in JSON format.
  * Sudo now supports an "approval" plugin type.  An approval plugin
    is run only after the main security policy (such as sudoers) accepts
    a command to be run.  The approval policy may perform additional

OBS-URL: https://build.opensuse.org/request/show/794915
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=164

sudo-1.8.31p1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c73cfdfbc1c5cc259fcc3a355e1bacfed99c5580daeadec9704a24cd5e6d15d8
-size 3351312

sudo-1.9.0rc2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b21df2def88776be80d4815b231b9b208930f6b5b25e2e7ac9d0ff2d1c5158d
+size 3722476

sudo.changes

@@ -1,3 +1,79 @@
+-------------------------------------------------------------------
+Fri Apr 17 11:51:49 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- Update to 1.9.0rc2
+  * Fixed a test failure in the strsig_test regress test on FreeBSD.
+  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
+    used to implement centralized logging of I/O logs.  TLS connections
+    are supported when sudo is configured with the --enable-openssl
+    option.  For more information, see the sudo_logsrvd, logsrvd.conf
+    and sudo_logsrv.proto manuals as well as the log_servers setting
+    in the sudoers manual.
+    The --disable-log-server and --disable-log-client configure
+    options can be used to disable building the I/O log server and/or
+    remote I/O log support in the sudoers plugin.
+  * The new sudo_sendlog utility can be used to test sudo_logsrvd
+    or send existing sudo I/O logs to a centralized server.
+  * It is now possible to write sudo plugins in Python 3 when sudo
+    is configured with the --enable-python> option.  See the
+    sudo_plugin_python.man.html manual for details.
+    Sudo 1.9.0 comes with several Python example plugins that get
+    installed sudo's examples directory.
+    The sudo blog article "What's new in sudo 1.9: Python"
+    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
+    includes a simple tutorial on writing python plugins.
+  * Sudo now supports an "audit" plugin type.  An audit plugin
+    receives accept, reject, exit and error messages and can be used
+    to implement custom logging that is independent of the underlying
+    security policy.   Multiple audit plugins may be specified in
+    the sudo.conf file.  A sample audit plugin is included that
+    writes logs in JSON format.
+  * Sudo now supports an "approval" plugin type.  An approval plugin
+    is run only after the main security policy (such as sudoers) accepts
+    a command to be run.  The approval policy may perform additional
+    checks, potentially interacting with the user.  Multiple approval
+    plugins may be specified in the sudo.conf file.  Only if all
+    approval plugins succeed will the command be allowed.
+  * Sudo's -S command line option now causes the sudo conversation
+    function to write to the standard output or standard error instead
+    of the terminal device.
+  * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for
+    people who find the former more natural.
+  * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
+    to enable or disable setting the PAM remote user and/or host
+    values during PAM session setup.
+  * More than one SHA-2 digest may now be specified for a single
+    command.  Multiple digests must be separated by a comma.
+  * It is now possible to specify a SHA-2 digest in conjunction with
+    the "ALL" reserved word in a command specification.  This allows
+    one to give permission to run any command that matches the
+    specified digest, regardless of its path.
+  * Sudo and sudo_logsrvd now create an extended I/O log info file
+    in JSON format that contains additional information about the
+    command that was run, such as the host name.  The sudoreplay
+    utility uses this file in preference to the legacy log file.
+  * The sudoreplay utility can now match on a host name in list mode.
+    The list output also now includes the host name if one is present
+    in the log file.
+  * For "sudo -i", if the target user's home directory does not
+    exist, sudo will now warn about the problem but run the command
+    in the current working directory.  Previously, this was a fatal
+    error.  Debian bug #598519.
+  * The command line arguments in the SUDO_COMMAND environment
+    variable are now truncated at 4096 characters.  This avoids an
+    "Argument list too long" error when executing a command with a
+    large number of arguments.  Debian bug #596631.
+  * Sudo now properly ends the PAM transaction when the user
+    authenticates successfully but sudoers denies the command.
+    Debian bug #669687.
+  * The sudoers grammar in the manual now indicates that "sudoedit"
+    requires one or more arguments.  Debian bug #571621.
+- Pack /usr/sbin/{sudo_logsrvd,sudo_sendlog} binaries and their
+  manpages
+- Pack /usr/lib/sudo/sudo/{audit_json.so,sample_approval.so} plugins
+- Pack /etc/sudo.conf and /etc/sudo_logsrvd.conf configuration files
+- Run spec-cleaner
+
 -------------------------------------------------------------------
 Tue Mar 17 07:46:06 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
 

sudo.spec

@@ -21,16 +21,15 @@
 %else
 %define use_usretc 1
 %endif
-
 Name:           sudo
-Version:        1.8.31p1
+Version:        1.9.0rc2
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
 Group:          System/Base
 URL:            https://www.sudo.ws/
-Source0:        https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
-Source1:        https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz.sig
+Source0:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
+Source1:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        sudo.pamd
 Source4:        sudo-i.pamd
@@ -111,7 +110,7 @@ export LDFLAGS="-pie"
     --with-rundir=%{_localstatedir}/lib/sudo \
     --with-sssd
 # -B required to make every build give the same result - maybe from bad build deps in Makefiles?
-make -B %{?_smp_mflags}
+%make_build -B
 
 %install
 %make_install install_uid=`id -u` install_gid=`id -g`
@@ -143,15 +142,14 @@ rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE
 %pre
 # move outdated pam.d/*.rpmsave files away
 for i in sudo sudo-i ; do
-    test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i}.rpmsave.old ||:
+    test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
 done
 
 %posttrans
 # Migration to /usr/etc.
 for i in  sudo sudo-i ; do
-  test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i} ||:
+  test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
 done
-
 %endif
 
 %post
@@ -178,6 +176,11 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_mandir}/man8/sudoedit.8%{?ext_man}
 %{_mandir}/man8/sudoreplay.8%{?ext_man}
 %{_mandir}/man8/visudo.8%{?ext_man}
+%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
+%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
+%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
+%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
+%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
 
 %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
 %dir %{_sysconfdir}/sudoers.d
@@ -196,6 +199,8 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_bindir}/sudoreplay
 %{_bindir}/cvtsudoers
 %{_sbindir}/visudo
+%{_sbindir}/sudo_logsrvd
+%{_sbindir}/sudo_sendlog
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/sesh
 %{_libexecdir}/%{name}/sudo_noexec.so
@@ -203,11 +208,15 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_libexecdir}/%{name}/%{name}/sudoers.so
 %{_libexecdir}/%{name}/%{name}/group_file.so
 %{_libexecdir}/%{name}/%{name}/system_group.so
+%{_libexecdir}/%{name}/%{name}/audit_json.so
+%{_libexecdir}/%{name}/%{name}/sample_approval.so
 %{_libexecdir}/%{name}/libsudo_util.so.*
 %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
 %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
 %dir %{_tmpfilesdir}
 %{_tmpfilesdir}/sudo.conf
+%attr(0644,root,root) %config %{_sysconfdir}/sudo.conf
+%attr(0644,root,root) %config %{_sysconfdir}/sudo_logsrvd.conf
 
 %files devel
 %doc plugins/sample/sample_plugin.c