From 535b070a6762b3bfa3d0257e7c0160ad739f15fcc88c7ff08d1390e516f9f550 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Tue, 3 Oct 2023 12:11:35 +0000
Subject: [PATCH] Accepting request 1114961 from home:ohollmann:branches:Remove-targetpw

- Introduce optional wheel and sudo group policies as separate packages (bsc#1203978, jsc#PED-260)
- Install config files into /usr/etc and read from both location: /etc and /usr/etc (bsc#1205118)
OBS-URL: https://build.opensuse.org/request/show/1114961
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=245
---
 50-wheel-auth-self.conf | 2 +
 51-wheel.rules | 1 +
 sudo-sudoers.patch | 13 +++--
 sudo.changes | 12 +++++
 sudo.spec | 104 ++++++++++++++++++++++++++++++++++++----
 system-group-sudo.conf | 2 +
 6 files changed, 118 insertions(+), 16 deletions(-)
 create mode 100644 50-wheel-auth-self.conf
 create mode 100644 51-wheel.rules
 create mode 100644 system-group-sudo.conf

diff --git a/50-wheel-auth-self.conf b/50-wheel-auth-self.conf
new file mode 100644
index 0000000..bac7585
--- /dev/null
+++ b/50-wheel-auth-self.conf
@@ -0,0 +1,2 @@
+Defaults:%wheel !targetpw
+%wheel ALL = (root) ALL
diff --git a/51-wheel.rules b/51-wheel.rules
new file mode 100644
index 0000000..fa03661
--- /dev/null
+++ b/51-wheel.rules
@@ -0,0 +1 @@
+polkit._suse_admin_groups.push("wheel");
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
index 9730b21..ba60208 100644
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -1,7 +1,7 @@
-Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
+Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in
 ===================================================================
---- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in
+--- sudo-1.9.14p3.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.14p3/plugins/sudoers/sudoers.in
 @@ -32,32 +32,23 @@
  ##
  ## Defaults specification
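Review bot: The two lines of 50-wheel-auth-self.conf carry no comment stating their intent, and the `(root)` runas list is narrower than the `(ALL:ALL)` example left in the shipped sudoers, so a reader cannot tell whether that narrowing is deliberate. A header comment above `Defaults:%wheel !targetpw` would settle it, e.g. `# Members of group wheel may run any command as root after authenticating with their own password.` and `# Overrides the global 'Defaults targetpw' for this group only; the runas list is intentionally limited to root.`. Since sudo.spec derives 50-sudo-auth-self from this file with `sed 's/wheel/sudo/g'`, the wording should read correctly for either group name.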
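Review bot: `polkit._suse_admin_groups.push("wheel");` assumes `_suse_admin_groups` has already been created as an array by a lower-numbered rules file that is not part of this change; if that file is missing or sorts later, the call throws and polkit discards this rule file with only a log entry. A one-line comment naming the rules file that defines the array, such as `// _suse_admin_groups is created by the distribution's lower-numbered polkit rules file (placeholder: <RULES-FILE>); keep this file sorted after it`, would make the ordering dependency visible to whoever next renumbers the rules.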
@@ -52,7 +52,7 @@ Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
  ##
  ## Uncomment to restore the historic behavior where a command is run in
  ## the user's own terminal.
-@@ -72,10 +63,16 @@
+@@ -72,10 +63,15 @@
  ## Set maxseq to a smaller number if you don't have unlimited disk space.
  # Defaults log_output
  # Defaults!/usr/bin/sudoreplay !log_output
@@ -62,15 +62,14 @@ Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
 +## In the default (unconfigured) configuration, sudo asks for the root password.
 +## This allows use of an ordinary user account for administration of a freshly
-+## installed system. When configuring sudo, delete the two
-+## following lines:
++## installed system.
 +Defaults targetpw # ask for the password of the target user i.e. root
 +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
 +
  ##
  ## Runas alias specification
  ##
-@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL
+@@ -91,13 +87,5 @@ root ALL=(ALL:ALL) ALL
  ## Same thing without a password
  # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
diff --git a/sudo.changes b/sudo.changes
index 1aa2467..5934ac8 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel
+
+- Introduce optional wheel and sudo group policies as separate packages
+  (bsc#1203978, jsc#PED-260)
+
+-------------------------------------------------------------------
+Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann
+
+- Install config files into /usr/etc and read from both location:
+  /etc and /usr/etc (bsc#1205118)
+
 -------------------------------------------------------------------
 Tue Sep 12 12:33:05 UTC 2023 - Otto Hollmann
diff --git a/sudo.spec b/sudo.spec
index 9dc0aa2..b99f97b 100644
--- a/sudo.spec
+++ b/sudo.spec
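Review bot: Dropping "When configuring sudo, delete the two following lines" from the shipped sudoers.in comment removes the only guidance on what to do with the catch-all `ALL ALL=(ALL) ALL` line, while that line and its WARNING tag stay in the new text. The new policy packages only add `Defaults:%wheel !targetpw` for one group, so the catch-all entry keeps its effect for every other account exactly as the existing WARNING comment describes; a short pointer would preserve the old guidance, e.g. `+## installed system. Once group or per-user rules are configured, remove the next two lines.`. The inner sudoers.in hunk this comment belongs to continues past the end of the outer hunk.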
@@ -16,6 +16,14 @@
 #
+%if %{defined _distconfdir}
+%define confdir %{_distconfdir}
+%define confmode 0444
+%else
+%define confdir %{_sysconfdir}
+%define confmode 0440
+%endif
+
 Name: sudo
 Version: 1.9.14p3
 Release: 0
@@ -31,6 +39,9 @@ Source4: sudo-i.pamd
 Source5: README.SUSE
 Source6: fate_313276_test.sh
 Source7: README_313276.test
+Source8: 50-wheel-auth-self.conf
+Source9: 51-wheel.rules
+Source10: system-group-sudo.conf
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
 BuildRequires: audit-devel
@@ -42,6 +53,7 @@ BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: python3-devel
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 BuildRequires: zlib-devel
 Requires(pre): coreutils
 Requires(pre): permissions
@@ -49,12 +61,17 @@ Recommends: sudo-plugin-python

 %description
 Sudo is a command that allows users to execute some commands as root.
-The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users have
+%if %{defined _distconfdir}
+Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
+(in that order, whichever one it finds first), to determine what users have
+%else
+The %{_sysconfdir}/sudoers file specifies which users have
+%endif
 access to sudo and which commands they can run. Sudo logs all its
 activities to syslogd, so the system administrator can keep an eye on
-things. Sudo asks for the password for initializing a check period of a
+things. Sudo asks for the password to initialize a check period of a
 given time N (where N is defined at installation and is set to 5
-minutes by default).
+minutes by default). Administrators can edit the sudoers file with 'visudo'.

 %package plugin-python
 Summary: Plugin API for python
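Review bot: `%define confmode 0444` makes the vendor sudoers under %{_distconfdir} readable by every local user, while the %{_sysconfdir} branch keeps the traditional 0440, and the hunk gives no reason for the difference. A one-line comment above the `%if %{defined _distconfdir}` block would document the intent, e.g. `# Vendor defaults in %{_distconfdir} are read-only for everyone; admin overrides in %{_sysconfdir} keep 0440.`. It is not visible in this hunk whether sudo's own permission check on the sudoers file accepts 0444, so the comment should also record that this was verified against the configured `--sysconfdir` build.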
@@ -82,10 +99,39 @@ Requires: %{name} = %{version}
 %description test
 Tests for fate#313276

+%package policy-wheel-auth-self
+Summary: Users in the wheel group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(wheel)
+
+%description policy-wheel-auth-self
+Sudo authentication policy that allows users in the wheel group to
+authenticate as root with their own password
+
+%package policy-sudo-auth-self
+Summary: Users in the sudo group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(sudo)
+
+%description policy-sudo-auth-self
+Sudo authentication policy that allows users in the sudo group to
+authenticate as root with their own password
+
+%package -n system-group-sudo
+Summary: System group 'sudo'
+Group: System/Fhs
+%{sysusers_requires}
+
+%description -n system-group-sudo
+This package provides the system group 'sudo'.
+
 %prep
 %autosetup -p1

 %build
+%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
 %ifarch s390 s390x %{sparc}
 F_PIE=-fPIE
 %else
@@ -98,6 +144,11 @@ export LDFLAGS="-pie"
 --docdir=%{_docdir}/%{name} \
 --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
 --enable-tmpfiles.d=%{_tmpfilesdir} \
+%if %{defined _distconfdir}
+ --prefix=/usr \
+ --sysconfdir=%{_distconfdir} \
+ --enable-adminconf=%{_sysconfdir} \
+%endif
 --with-pam \
 --with-pam-login \
 --with-ldap \
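Review bot: The `%description policy-wheel-auth-self` and `%description policy-sudo-auth-self` texts describe only the sudoers side, but the `%files` lists later in this patch also ship `/usr/share/polkit-1/rules.d/51-wheel.rules` and `51-sudo.rules`, which add the group to polkit's admin groups; an administrator installing the package for sudo alone gets the polkit change without being told. Extend both descriptions, e.g. `authenticate as root with their own password. It also registers the group as a polkit administrator group via 51-wheel.rules.` (and the 51-sudo.rules counterpart). The same belongs in the `Summary:` lines, which currently say "authenticate as admin" without naming either mechanism.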
@@ -147,7 +198,22 @@ install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
 rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
 rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
 rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
-rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
+rm -f %{buildroot}%{confdir}/sudoers.dist
+
+%if %{defined _distconfdir}
+# Move /etc to /usr/etc/
+mkdir -p %{buildroot}%{_distconfdir}/sudoers.d
+chmod 644 %{buildroot}%{_distconfdir}/sudoers
+echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
+%endif
+
+install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
+install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
+
+sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
+sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
+
+install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
 %find_lang %{name}
 %find_lang sudoers
@@ -172,10 +238,11 @@ done
 for i in sudo sudo-i ; do
 test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
 done
+test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
 %endif

 %post
-chmod 0440 %{_sysconfdir}/sudoers
+[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
 %if 0%{?suse_version} <= 1130
 %run_permissions
 %else
@@ -186,6 +253,8 @@ chmod 0440 %{_sysconfdir}/sudoers
 %verifyscript
 %verify_permissions -e %{_bindir}/sudo

+%pre -n system-group-sudo -f sudo.pre
+
 %files -f %{name}.lang
 %license LICENSE.md
 %doc %{_docdir}/%{name}
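Review bot: `echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers` hard-codes /etc where the surrounding lines and the new `%define confdir` use `%{_sysconfdir}`; write it as `echo "@includedir %{_sysconfdir}/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers`, and likewise `%{_datadir}/polkit-1/rules.d` for the literal `/usr/share/polkit-1/rules.d` in the install and sed lines. The comment `# Move /etc to /usr/etc/` does not describe what the block does (it creates the vendor sudoers.d and appends an include of the admin directory); `# Vendor sudoers in %{_distconfdir} also includes admin drop-ins from %{_sysconfdir}/sudoers.d` would. The `chmod 644` on the vendor sudoers appears redundant with the `%attr(%confmode,root,root)` entry in `%files` later in the patch; if it is needed for an intermediate build step, a comment should say so.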
@@ -203,10 +272,11 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
 %{_mandir}/man8/sudo_sendlog.8%{?ext_man}

-%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
-%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
+%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
+%attr(0750,root,root) %dir %{confdir}/sudoers.d
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
+
 %if %{defined _distconfdir}
 %{_pam_vendordir}/sudo
 %{_pam_vendordir}/sudo-i
@@ -251,4 +321,20 @@ chmod 0440 %{_sysconfdir}/sudoers
 %files test
 %{_localstatedir}/lib/tests

+%files policy-wheel-auth-self
+%{confdir}/sudoers.d/50-wheel-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-wheel.rules
+
+%files policy-sudo-auth-self
+%{confdir}/sudoers.d/50-sudo-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-sudo.rules
+
+%files -n system-group-sudo
+%defattr(-,root,root)
+%{_sysusersdir}/system-group-sudo.conf
+
 %changelog
diff --git a/system-group-sudo.conf b/system-group-sudo.conf
new file mode 100644
index 0000000..159eddd
--- /dev/null
+++ b/system-group-sudo.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g sudo -
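Review bot: In `%files policy-wheel-auth-self` and `%files policy-sudo-auth-self` the sudoers.d fragments are listed with neither `%attr` nor `%config`, so they are packaged with the 0644 from `install -m 644`, and in the `%{_sysconfdir}` branch of `%define confdir` a locally edited fragment is replaced without notice on upgrade. Mirroring the sudoers entry from the first hunk, `%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers.d/50-wheel-auth-self` (and the 50-sudo-auth-self counterpart) keeps the fragments consistent with the main file. sudo itself loads a 0644 fragment because it only rejects group- or world-writable files, but `visudo -c` is likely to warn about the mode, which makes the inconsistency visible to administrators.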