diff --git a/sudo-1.9.10-update_sudouser_to_utf8.patch b/sudo-1.9.10-update_sudouser_to_utf8.patch
deleted file mode 100644
index 8e51797..0000000
--- a/sudo-1.9.10-update_sudouser_to_utf8.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Mon, 25 Jul 2022 15:21:39 +1000
-Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
-
-In most unix-style LDAP servers, uid is a utf8 string defined by
-OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
-as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
-that sudoUser could only represent a subset of possible values.
-
-In some cases when using sudoers.ldap, the uid from the machine
-which was utf8 was fed back into sudo which would then issue a
-search for sudoUsers. If this uid contained utf8 characters, the
-ldap server would refuse to match into sudoUsers because these
-were limited to IA5.
-
-This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
-that this change will not impact existing deployments and their
-rules.
----
- docs/schema.OpenLDAP | 14 +++++++-------
- docs/schema.iPlanet | 6 +++---
- docs/schema.olcSudo | 14 +++++++-------
- 3 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
-index e1d525f84..451c5250a 100644
---- a/docs/schema.OpenLDAP
-+++ b/docs/schema.OpenLDAP
-@@ -7,9 +7,9 @@
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
-- EQUALITY caseExactIA5Match
-- SUBSTR caseExactIA5SubstringsMatch
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SUBSTR caseExactSubstringsMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
-@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
-- EQUALITY caseExactIA5Match
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
-- EQUALITY caseExactIA5Match
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
-diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
-index e51286436..56ad02bc0 100644
---- a/docs/schema.iPlanet
-+++ b/docs/schema.iPlanet
-@@ -1,11 +1,11 @@
- dn: cn=schema
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
-index 8748dfc2a..8948ca4ae 100644
---- a/docs/schema.olcSudo
-+++ b/docs/schema.olcSudo
-@@ -9,9 +9,9 @@ cn: sudoschema
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
-- EQUALITY caseExactIA5Match
-- SUBSTR caseExactIA5SubstringsMatch
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SUBSTR caseExactSubstringsMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
-@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
-- EQUALITY caseExactIA5Match
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
-- EQUALITY caseExactIA5Match
-- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+ EQUALITY caseExactMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
diff --git a/sudo-1.9.11p3.tar.gz b/sudo-1.9.11p3.tar.gz
deleted file mode 100644
index db66a26..0000000
--- a/sudo-1.9.11p3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
-size 4826520
diff --git a/sudo-1.9.11p3.tar.gz.sig b/sudo-1.9.11p3.tar.gz.sig
deleted file mode 100644
index 3cd3712..0000000
Binary files a/sudo-1.9.11p3.tar.gz.sig and /dev/null differ
diff --git a/sudo-1.9.12.tar.gz b/sudo-1.9.12.tar.gz
new file mode 100644
index 0000000..aad3af2
--- /dev/null
+++ b/sudo-1.9.12.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de15733888170c56834daafd34bf983db10fb21039742fcfc396bd32168d6362
+size 4906320
diff --git a/sudo-1.9.12.tar.gz.sig b/sudo-1.9.12.tar.gz.sig
new file mode 100644
index 0000000..f031b30
Binary files /dev/null and b/sudo-1.9.12.tar.gz.sig differ
diff --git a/sudo.changes b/sudo.changes
index aab33a2..e19d99c 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Tue Oct 25 23:41:55 UTC 2022 - Jason Sikes
+
+- Update to 1.9.12:
+ * Dropped sudo-1.9.10-update_sudouser_to_utf8.patch
+ * Changes in Sudo 1.9.12:
+ * Fixed a bug when logging the command’s exit status in intercept mode.
+ The wrong command could be logged with the exit status.
+ * For ptrace-based intercept mode, sudo will now attempt to verify that
+ the command path name, arguments and environment have not changed from
+ the time when they were authorized by the security policy. The new
+ intercept_verify sudoers setting can be used to control this behavior.
+ * Fixed running commands with a relative path (e.g. ./foo) in intercept
+ mode. Previously, this would fail if sudo’s current working directory
+ was different from that of the command.
+ * Sudo now supports passing the execve(2) system call the NULL pointer
+ for the argv and/or envp arguments when in intercept mode. Linux treats
+ a NULL pointer like an empty array.
+ * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
+ sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.
+ * Fixed a problem with sudo -i on SELinux when the target user’s home
+ directory is not searchable by sudo. GitHub issue #160.
+ * Neovim has been added to the list of visudo editors that support passing
+ the line number on the command line.
+ * Fixed a bug in sudo’s SHA384 and SHA512 message digest padding.
+ * Added a new -N (no-update) command line option to sudo which can be used
+ to prevent sudo from updating the user’s cached credentials. It is now
+ possible to determine whether or not a user’s cached credentials are
+ currently valid by running:
+ $ sudo -Nnv
+ and checking the exit value. One use case for this is to indicate in a
+ shell prompt that sudo is “active” for the user.
+ * PAM approval modules are no longer invoked when running sub-commands in
+ intercept mode unless the intercept_authenticate option is set. There is
+ a substantial performance penalty for calling into PAM for each command
+ run. PAM approval modules are still called for the initial command.
+ * Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
+ if available.
+ * The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
+ This makes it possible for graphical applications to choose the correct
+ theme when run via sudo.
+ * On 64-bit systems, if sudo fails to load a sudoers group plugin, it will
+ use system-specific heuristics to try to locate a 64-bit version of the plugin.
+ * The cvtsudoers manual now documents the JSON and CSV output formats.
+ GitHub issue #172.
+ * Fixed a bug where sub-commands were not being logged to a remote log server
+ when log_subcmds was enabled. GitHub issue #174.
+ * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
+ sudoers settings can be used to support more fine-grained I/O logging.
+ The sudo front-end no longer allocates a pseudo-terminal when running a
+ command if the I/O logging plugin requests logging of stdin, stdout, or
+ stderr but not terminal input/output.
+ * Quieted a libgcrypt run-time initialization warning. This fixes Debian
+ bug #1019428 and Ubuntu bug #1397663.
+ * Fixed a bug in visudo that caused literal backslashes to be removed from
+ the EDITOR environment variable. GitHub issue #179.
+ * The sudo Python plugin now implements the find_spec method instead of the
+ the deprecated find_module. This fixes a test failure when a newer version
+ of setuptools that doesn’t include find_module is found on the system.
+ * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created the process
+ ID file, usually /var/run/sudo/sudo_logsrvd.pid, as a directory instead of a
+ plain file. The same bug could result in I/O log directories that end in six
+ or more X’s being created literally in addition to the name being used as a
+ template for the mkdtemp(3) function.
+ * Fixed a long-standing bug where a sudoers rule with a command line argument
+ of “”, which indicates the command may be run with no arguments, would also
+ match a literal "" on the command line. GitHub issue #182.
+ * Added the -I option to visudo which only edits the main sudoers file. Include
+ files are not edited unless a syntax error is found.
+ * Fixed sudo -l -U otheruser output when the runas list is empty. Previously,
+ sudo would list the invoking user instead of the list user. GitHub issue #183.
+ * Fixed the display of command tags and options in sudo -l output when the RunAs
+ user or group changes. A new line is started for RunAs changes which means we
+ need to display the command tags and options again. GitHub issue #184.
+ * The sesh helper program now uses getopt_long(3) to parse the command line options.
+ * The embedded copy of zlib has been updated to version 1.2.13.
+ * Fixed a bug that prevented event log data from being sent to the log server when
+ I/O logging was not enabled. This only affected systems without PAM or
+ configurations where the pam_session and pam_setcred options were disabled in
+ the sudoers file.
+ * Fixed a bug where sudo -l output included a carriage return after the newline.
+ This is only needed when displaying to a terminal in raw mode. Bug #1042.
+
 -------------------------------------------------------------------
 Sat Sep 10 01:48:29 UTC 2022 - Jason Sikes
diff --git a/sudo.spec b/sudo.spec
index 6ecc064..9bca8c0 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@
 Name: sudo
-Version: 1.9.11p3
+Version: 1.9.12
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -33,7 +33,6 @@ Source6: fate_313276_test.sh
 Source7: README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
-Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -121,7 +120,7 @@ export LDFLAGS="-pie"
 --with-sssd
 %if 0%{?sle_version} < 150000
 # the SLES12 way
-make %{?_smp_mflags} V=1
+%make_build
 %else
 # -B required to make every build give the same result - maybe from bad build deps in Makefiles?
 %make_build -B
@@ -227,7 +226,6 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_libexecdir}/%{name}/%{name}/group_file.so
 %{_libexecdir}/%{name}/%{name}/system_group.so
 %{_libexecdir}/%{name}/%{name}/audit_json.so
-%{_libexecdir}/%{name}/%{name}/sample_approval.so
 %{_libexecdir}/%{name}/%{name}/sudo_intercept.so
 %{_libexecdir}/%{name}/libsudo_util.so.*
 %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
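Review bot: In the `%if 0%{?sle_version} < 150000` branch of sudo.spec (hunk at -121), the comment `# the SLES12 way` no longer describes the line under it: the explicit `make %{?_smp_mflags} V=1` is replaced by `%make_build`, so the two branches now differ only by `-B`. If the explicit call existed because the SLE 12 rpm macros do not define `%make_build` (not visible from this hunk), the macro would reach the shell unexpanded and the build would fail on that target; if it is defined there, the comment should be updated, e.g. `# SLE 12: same as below, without -B`. Dropping the explicit `V=1` also means the full compile and link lines are logged only if the macro supplies verbosity itself, and those lines are what lets a reviewer confirm from the build log that `LDFLAGS="-pie"` actually reached the link of a setuid-root program. The enclosing %build section starts and ends outside the hunk.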