From 3ed4d64671eeeb3a05731ea39851b0d281a976a2be1eaf867615dfea02a11420 Mon Sep 17 00:00:00 2001 
From: Kristyna Streitova Date: Fri, 17 Apr 2020 16:50:20 +0000 Subject: [PATCH] Accepting request 794915 from home:kstreitova:branches:Base:System - Update to 1.9.0rc2 * Fixed a test failure in the strsig_test regress test on FreeBSD. * Sudo now includes a logging daemon, sudo_logsrvd, which can be used to implement centralized logging of I/O logs. TLS connections are supported when sudo is configured with the --enable-openssl option. For more information, see the sudo_logsrvd, logsrvd.conf and sudo_logsrv.proto manuals as well as the log_servers setting in the sudoers manual. The --disable-log-server and --disable-log-client configure options can be used to disable building the I/O log server and/or remote I/O log support in the sudoers plugin. * The new sudo_sendlog utility can be used to test sudo_logsrvd or send existing sudo I/O logs to a centralized server. * It is now possible to write sudo plugins in Python 3 when sudo is configured with the --enable-python option. See the sudo_plugin_python.man.html manual for details. Sudo 1.9.0 comes with several Python example plugins that get installed in sudo's examples directory. The sudo blog article "What's new in sudo 1.9: Python" (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/) includes a simple tutorial on writing python plugins. * Sudo now supports an "audit" plugin type. An audit plugin receives accept, reject, exit and error messages and can be used to implement custom logging that is independent of the underlying security policy. Multiple audit plugins may be specified in the sudo.conf file. A sample audit plugin is included that writes logs in JSON format. * Sudo now supports an "approval" plugin type. An approval plugin is run only after the main security policy (such as sudoers) accepts a command to be run. 
The approval policy may perform additional OBS-URL: https://build.opensuse.org/request/show/794915 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=164 --- sudo-1.8.31p1.tar.gz | 3 -- sudo-1.8.31p1.tar.gz.sig | Bin 543 -> 0 bytes sudo-1.9.0rc2.tar.gz | 3 ++ sudo-1.9.0rc2.tar.gz.sig | Bin 0 -> 566 bytes sudo.changes | 76 +++++++++++++++++++++++++++++++++++++++ sudo.spec | 25 ++++++++----- 6 files changed, 96 insertions(+), 11 deletions(-) delete mode 100644 sudo-1.8.31p1.tar.gz delete mode 100644 sudo-1.8.31p1.tar.gz.sig create mode 100644 sudo-1.9.0rc2.tar.gz create mode 100644 sudo-1.9.0rc2.tar.gz.sig diff --git a/sudo-1.8.31p1.tar.gz b/sudo-1.8.31p1.tar.gz deleted file mode 100644 index 2582a37..0000000 --- a/sudo-1.8.31p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c73cfdfbc1c5cc259fcc3a355e1bacfed99c5580daeadec9704a24cd5e6d15d8 -size 3351312 
diff --git a/sudo-1.8.31p1.tar.gz.sig b/sudo-1.8.31p1.tar.gz.sig deleted file mode 100644 index 06155ca77cfb6c2be12cc56690bb833c6c2c59bdf1a7c1151ca39090518b50ba..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0SEvF1p;1e6Z`-Q2@t9Dz#-10aQmS<5B(lH*Hd_cCinnenTppL zeK?a4+&pw2Z&lBc+70Ovjk1e>2hKAen`VdAQ_b*JQ8!W_Bq1B$u4gQm;#qbQZADNB zh7k%KB~d%*1V;@pO6RF^7ssaM;J#d1D7Ft!+wKjYOB?=>7v*b{0qb$Zz=BcC1Fj3Y zaI~N@qT5X(p~9b9GN-Nt7PKSTCoq^1@w#LCSO9k3FD^KcAkOP~8@RMReA4M_#buB7 zDID=JTN1+cXTCVwFz6uajCJYw!|r~Eg~7z*EaDITCbPtE49x8`fkKP1!>;d)Z!URL z_>W)lVYkyuK_rF^2iKBc{h`V-axO2aKygQyyPG`+#*(v$Jm{C;FM12QDaM5$3ljP@ zWsM_eCP%d4)RWjVk|`y!&dn-yKycJWn#mCqouKlv2F=Z%$OH-}R{p%>^z3*V3?G-q zs|8q;YWqQUrsk+ZC0z}(82)@z=1jo6R$@jZOgcZIkz!T34ImVAQ)R#O3v;icT{Glt zX1X~Q65eQPq2bCI$gS{;@@g-mO&3BpFN~JhUkWx^)Tj<_&~0Q_d=5*of&tZvhi@Hu zB{7k_9OkiA(D>r8Z{nJ~i^uQs`q;UHM0$z`ZPXG!D5UKRQ zAU-F`U1kGB*mgtv6jH>bM{~KUlty+!b;E-jk-lO1l`hm6qnVRZ@O&#uljT& zwl?;bH!k335X7?TXk6kxPGEshA0vAl*#&uw)rX75VEh$FS5crNVERO7B2$`pn#b#r zX`)<gu&8&uTqT9bg+0g4dr<62)WV1YWD~@&iN#qRuAJc(&P&F~JovsRKIML^b*|s{@$}j`7mGde1AD!Qq=n=~OWMzE$C7TeO~Q!X>&hrv)LJc{&YrZN-dpm@F82hGAeGJ{D7 z$OF7LIshCIsl>$o6M(a9%Zfwui!glIwwGj-`ftP7?M?2;4m%bb?l$SY-d9x|0R + +- Update to 1.9.0rc2 + * Fixed a test failure in the strsig_test regress test on FreeBSD. + * Sudo now includes a logging daemon, sudo_logsrvd, which can be + used to implement centralized logging of I/O logs. TLS connections + are supported when sudo is configured with the --enable-openssl + option. For more information, see the sudo_logsrvd, logsrvd.conf + and sudo_logsrv.proto manuals as well as the log_servers setting + in the sudoers manual. + The --disable-log-server and --disable-log-client configure + options can be used to disable building the I/O log server and/or + remote I/O log support in the sudoers plugin. 
+ * The new sudo_sendlog utility can be used to test sudo_logsrvd + or send existing sudo I/O logs to a centralized server. + * It is now possible to write sudo plugins in Python 3 when sudo + is configured with the --enable-python> option. See the + sudo_plugin_python.man.html manual for details. + Sudo 1.9.0 comes with several Python example plugins that get + installed sudo's examples directory. + The sudo blog article "What's new in sudo 1.9: Python" + (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/) + includes a simple tutorial on writing python plugins. + * Sudo now supports an "audit" plugin type. An audit plugin + receives accept, reject, exit and error messages and can be used + to implement custom logging that is independent of the underlying + security policy. Multiple audit plugins may be specified in + the sudo.conf file. A sample audit plugin is included that + writes logs in JSON format. + * Sudo now supports an "approval" plugin type. An approval plugin + is run only after the main security policy (such as sudoers) accepts + a command to be run. The approval policy may perform additional + checks, potentially interacting with the user. Multiple approval + plugins may be specified in the sudo.conf file. Only if all + approval plugins succeed will the command be allowed. + * Sudo's -S command line option now causes the sudo conversation + function to write to the standard output or standard error instead + of the terminal device. + * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for + people who find the former more natural. + * The new "pam_ruser" and "pam_rhost" sudoers settings can be used + to enable or disable setting the PAM remote user and/or host + values during PAM session setup. + * More than one SHA-2 digest may now be specified for a single + command. Multiple digests must be separated by a comma. 
+ * It is now possible to specify a SHA-2 digest in conjunction with + the "ALL" reserved word in a command specification. This allows + one to give permission to run any command that matches the + specified digest, regardless of its path. + * Sudo and sudo_logsrvd now create an extended I/O log info file + in JSON format that contains additional information about the + command that was run, such as the host name. The sudoreplay + utility uses this file in preference to the legacy log file. + * The sudoreplay utility can now match on a host name in list mode. + The list output also now includes the host name if one is present + in the log file. + * For "sudo -i", if the target user's home directory does not + exist, sudo will now warn about the problem but run the command + in the current working directory. Previously, this was a fatal + error. Debian bug #598519. + * The command line arguments in the SUDO_COMMAND environment + variable are now truncated at 4096 characters. This avoids an + "Argument list too long" error when executing a command with a + large number of arguments. Debian bug #596631. + * Sudo now properly ends the PAM transaction when the user + authenticates successfully but sudoers denies the command. + Debian bug #669687. + * The sudoers grammar in the manual now indicates that "sudoedit" + requires one or more arguments. Debian bug #571621. +- Pack /usr/sbin/{sudo_logsrvd,sudo_sendlog} binaries and their + manpages +- Pack /usr/lib/sudo/sudo/{audit_json.so,sample_approval.so} plugins +- Pack /etc/sudo.conf and /etc/sudo_logsrvd.conf configuration files +- Run spec-cleaner + ------------------------------------------------------------------- Tue Mar 17 07:46:06 UTC 2020 - Paolo Stivanin diff --git a/sudo.spec b/sudo.spec index 867a445..614d7e6 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -21,16 +21,15 @@ %else %define use_usretc 1 %endif - Name: sudo -Version: 1.8.31p1 +Version: 1.9.0rc2 Release: 0 Summary: Execute some commands as root License: ISC Group: System/Base URL: https://www.sudo.ws/ -Source0: https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz -Source1: https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz.sig +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz +Source1: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz.sig Source2: %{name}.keyring Source3: sudo.pamd Source4: sudo-i.pamd @@ -111,7 +110,7 @@ export LDFLAGS="-pie" --with-rundir=%{_localstatedir}/lib/sudo \ --with-sssd # -B required to make every build give the same result - maybe from bad build deps in Makefiles? -make -B %{?_smp_mflags} +%make_build -B %install %make_install install_uid=`id -u` install_gid=`id -g` @@ -143,15 +142,14 @@ rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE %pre # move outdated pam.d/*.rpmsave files away for i in sudo sudo-i ; do - test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i}.rpmsave.old ||: + test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||: done %posttrans # Migration to /usr/etc. for i in sudo sudo-i ; do - test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i} ||: + test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||: done - %endif %post @@ -178,6 +176,11 @@ chmod 0440 %{_sysconfdir}/sudoers %{_mandir}/man8/sudoedit.8%{?ext_man} %{_mandir}/man8/sudoreplay.8%{?ext_man} %{_mandir}/man8/visudo.8%{?ext_man} +%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man} +%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man} +%{_mandir}/man8/sudo_logsrvd.8%{?ext_man} +%{_mandir}/man8/sudo_plugin_python.8%{?ext_man} +%{_mandir}/man8/sudo_sendlog.8%{?ext_man} %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers %dir %{_sysconfdir}/sudoers.d 
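Review bot: In the %pre/%posttrans hunk (@@ -143,15 +142,14 @@), the rewritten `test -f … && mv -v … ||:` lines still discard a failed `mv`, so in %posttrans an administrator's customised PAM stack for sudo can stay parked as `.rpmsave` with nothing reported, and sudo would then authenticate against whatever default stack the package provides. A form that stays non-fatal but surfaces the failure would be `if [ -f "%{_sysconfdir}/pam.d/${i}.rpmsave" ]; then mv -v "%{_sysconfdir}/pam.d/${i}.rpmsave" "%{_sysconfdir}/pam.d/${i}" || echo "sudo: could not restore pam.d/${i}" >&2; fi`. The conditional block that encloses these scriptlets starts outside the hunk, so which default stack applies in that case is inferred rather than visible here.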
@@ -196,6 +199,8 @@ chmod 0440 %{_sysconfdir}/sudoers %{_bindir}/sudoreplay %{_bindir}/cvtsudoers %{_sbindir}/visudo +%{_sbindir}/sudo_logsrvd +%{_sbindir}/sudo_sendlog %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/sesh %{_libexecdir}/%{name}/sudo_noexec.so @@ -203,11 +208,15 @@ chmod 0440 %{_sysconfdir}/sudoers %{_libexecdir}/%{name}/%{name}/sudoers.so %{_libexecdir}/%{name}/%{name}/group_file.so %{_libexecdir}/%{name}/%{name}/system_group.so +%{_libexecdir}/%{name}/%{name}/audit_json.so +%{_libexecdir}/%{name}/%{name}/sample_approval.so %{_libexecdir}/%{name}/libsudo_util.so.* %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name} %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts %dir %{_tmpfilesdir} %{_tmpfilesdir}/sudo.conf +%attr(0644,root,root) %config %{_sysconfdir}/sudo.conf +%attr(0644,root,root) %config %{_sysconfdir}/sudo_logsrvd.conf %files devel %doc plugins/sample/sample_plugin.c
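Review bot: The added `%{_sbindir}/sudo_logsrvd` and `%{_sbindir}/sudo_sendlog` entries ship the log server and its client, but no visible hunk adds `--enable-openssl` to the configure call, and the commit description says TLS is supported only with that option. If the option is not already set above the @@ -111,7 +110,7 @@ hunk, I/O logs, which may include terminal input from sudo sessions, could only be sent to a log server in cleartext. Either confirm the option and its build dependency are present, or add a spec comment next to these entries such as `# sudo_logsrvd is built without TLS; do not expose it beyond localhost`. The configure invocation and the %files header both lie outside the hunks shown.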
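Review bot: The added `%config %{_sysconfdir}/sudo.conf` and `%config %{_sysconfdir}/sudo_logsrvd.conf` entries (@@ -203,11 +208,15 @@) omit `(noreplace)`, unlike the existing `%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers` line. The commit description says audit and approval plugins are listed in sudo.conf, so an upgrade that ships a changed default would move the administrator's file to `.rpmsave`, and sudo would run without the locally configured plugins until someone notices. Suggested form: `%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf`, and the same for `sudo_logsrvd.conf`. Separately, `sample_approval.so` is a sample plugin and may belong with the `%files devel` examples rather than in the runtime plugin directory.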