pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1114961 from home:ohollmann:branches:Remove-targetpw

Browse Source 
- Introduce optional wheel and sudo group policies as separate packages
  (bsc#1203978, jsc#PED-260)

- Install config files into /usr/etc and read from both location:
  /etc and /usr/etc (bsc#1205118)

OBS-URL: https://build.opensuse.org/request/show/1114961
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=245
This commit is contained in:
Otto Hollmann 2023-10-03 12:11:35 +00:00 committed by Git OBS Bridge
parent a1f80d7634
commit 535b070a67
6 changed files with 118 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
50-wheel-auth-self.conf Normal file
View File

@ -0,0 +1,2 @@
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL

1
51-wheel.rules Normal file
View File

@ -0,0 +1 @@
polkit._suse_admin_groups.push("wheel");

13
sudo-sudoers.patch
View File

@ -1,7 +1,7 @@
Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in
=================================================================== ===================================================================
--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in --- sudo-1.9.14p3.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in +++ sudo-1.9.14p3/plugins/sudoers/sudoers.in
@@ -32,32 +32,23 @@ @@ -32,32 +32,23 @@
## ##
## Defaults specification ## Defaults specification
@ -52,7 +52,7 @@ Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
## ##
## Uncomment to restore the historic behavior where a command is run in ## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal. ## the user's own terminal.
@@ -72,10 +63,16 @@ @@ -72,10 +63,15 @@
## Set maxseq to a smaller number if you don't have unlimited disk space. ## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output # Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/bin/sudoreplay !log_output
@ -62,15 +62,14 @@ Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
+## In the default (unconfigured) configuration, sudo asks for the root password. +## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly +## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two +## installed system.
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root +Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+ +
## ##
## Runas alias specification ## Runas alias specification
## ##
@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL @@ -91,13 +87,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password ## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL # %wheel ALL=(ALL:ALL) NOPASSWD: ALL

12
sudo.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel <lnussel@suse.com>
- Introduce optional wheel and sudo group policies as separate packages
(bsc#1203978, jsc#PED-260)
-------------------------------------------------------------------
Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Install config files into /usr/etc and read from both location:
/etc and /usr/etc (bsc#1205118)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 12 12:33:05 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com> Tue Sep 12 12:33:05 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

104
sudo.spec
View File

@ -16,6 +16,14 @@
# #
%if %{defined _distconfdir}
%define confdir %{_distconfdir}
%define confmode 0444
%else
%define confdir %{_sysconfdir}
%define confmode 0440
%endif
Name: sudo Name: sudo
Version: 1.9.14p3 Version: 1.9.14p3
Release: 0 Release: 0
@ -31,6 +39,9 @@ Source4: sudo-i.pamd
Source5: README.SUSE Source5: README.SUSE
Source6: fate_313276_test.sh Source6: fate_313276_test.sh
Source7: README_313276.test Source7: README_313276.test
Source8: 50-wheel-auth-self.conf
Source9: 51-wheel.rules
Source10: system-group-sudo.conf
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch Patch0: sudo-sudoers.patch
BuildRequires: audit-devel BuildRequires: audit-devel
@ -42,6 +53,7 @@ BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: zlib-devel BuildRequires: zlib-devel
Requires(pre): coreutils Requires(pre): coreutils
Requires(pre): permissions Requires(pre): permissions
@ -49,12 +61,17 @@ Recommends: sudo-plugin-python
%description %description
Sudo is a command that allows users to execute some commands as root. Sudo is a command that allows users to execute some commands as root.
The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users have %if %{defined _distconfdir}
Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
(in that order, whichever one it finds first), to determine what users have
%else
The %{_sysconfdir}/sudoers file specifies which users have
%endif
access to sudo and which commands they can run. Sudo logs all its access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password for initializing a check period of a things. Sudo asks for the password to initialize a check period of a
given time N (where N is defined at installation and is set to 5 given time N (where N is defined at installation and is set to 5
minutes by default). minutes by default). Administrators can edit the sudoers file with 'visudo'.
%package plugin-python %package plugin-python
Summary: Plugin API for python Summary: Plugin API for python
@ -82,10 +99,39 @@ Requires: %{name} = %{version}
%description test %description test
Tests for fate#313276 Tests for fate#313276
%package policy-wheel-auth-self
Summary: Users in the wheel group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(wheel)
%description policy-wheel-auth-self
Sudo authentication policy that allows users in the wheel group to
authenticate as root with their own password
%package policy-sudo-auth-self
Summary: Users in the sudo group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(sudo)
%description policy-sudo-auth-self
Sudo authentication policy that allows users in the sudo group to
authenticate as root with their own password
%package -n system-group-sudo
Summary: System group 'sudo'
Group: System/Fhs
%{sysusers_requires}
%description -n system-group-sudo
This package provides the system group 'sudo'.
%prep %prep
%autosetup -p1 %autosetup -p1
%build %build
%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
%ifarch s390 s390x %{sparc} %ifarch s390 s390x %{sparc}
F_PIE=-fPIE F_PIE=-fPIE
%else %else
@ -98,6 +144,11 @@ export LDFLAGS="-pie"
--docdir=%{_docdir}/%{name} \ --docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \ --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \ --enable-tmpfiles.d=%{_tmpfilesdir} \
%if %{defined _distconfdir}
--prefix=/usr \
--sysconfdir=%{_distconfdir} \
--enable-adminconf=%{_sysconfdir} \
%endif
--with-pam \ --with-pam \
--with-pam-login \ --with-pam-login \
--with-ldap \ --with-ldap \
@ -147,7 +198,22 @@ install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{_sysconfdir}/sudoers.dist rm -f %{buildroot}%{confdir}/sudoers.dist
%if %{defined _distconfdir}
# Move /etc to /usr/etc/
mkdir -p %{buildroot}%{_distconfdir}/sudoers.d
chmod 644 %{buildroot}%{_distconfdir}/sudoers
echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
%endif
install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
%find_lang %{name} %find_lang %{name}
%find_lang sudoers %find_lang sudoers
@ -172,10 +238,11 @@ done
for i in sudo sudo-i ; do for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||: test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done done
test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
%endif %endif
%post %post
chmod 0440 %{_sysconfdir}/sudoers [ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130 %if 0%{?suse_version} <= 1130
%run_permissions %run_permissions
%else %else
@ -186,6 +253,8 @@ chmod 0440 %{_sysconfdir}/sudoers
%verifyscript %verifyscript
%verify_permissions -e %{_bindir}/sudo %verify_permissions -e %{_bindir}/sudo
%pre -n system-group-sudo -f sudo.pre
%files -f %{name}.lang %files -f %{name}.lang
%license LICENSE.md %license LICENSE.md
%doc %{_docdir}/%{name} %doc %{_docdir}/%{name}
@ -203,10 +272,11 @@ chmod 0440 %{_sysconfdir}/sudoers
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man} %{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man} %{_mandir}/man8/sudo_sendlog.8%{?ext_man}
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers %{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d %attr(0750,root,root) %dir %{confdir}/sudoers.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf %attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf %attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
%if %{defined _distconfdir} %if %{defined _distconfdir}
%{_pam_vendordir}/sudo %{_pam_vendordir}/sudo
%{_pam_vendordir}/sudo-i %{_pam_vendordir}/sudo-i
@ -251,4 +321,20 @@ chmod 0440 %{_sysconfdir}/sudoers
%files test %files test
%{_localstatedir}/lib/tests %{_localstatedir}/lib/tests
%files policy-wheel-auth-self
%{confdir}/sudoers.d/50-wheel-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-wheel.rules
%files policy-sudo-auth-self
%{confdir}/sudoers.d/50-sudo-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-sudo.rules
%files -n system-group-sudo
%defattr(-,root,root)
%{_sysusersdir}/system-group-sudo.conf
%changelog %changelog

2
system-group-sudo.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
g sudo -