Accepting request 794970 from Base:System

OBS-URL: https://build.opensuse.org/request/show/794970 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=108
2020-04-22 18:43:08 +00:00 · 2020-04-22 18:43:08 +00:00 · 5d9be849da
commit 5d9be849da
parent 125c0406ef 33bc44b1c2
6 changed files with 104 additions and 11 deletions
--- a/sudo-1.8.31p1.tar.gz
+++ b/sudo-1.8.31p1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c73cfdfbc1c5cc259fcc3a355e1bacfed99c5580daeadec9704a24cd5e6d15d8
-size 3351312
--- a/sudo-1.8.31p1.tar.gz.sig
+++ b/sudo-1.8.31p1.tar.gz.sig
--- a/sudo-1.9.0rc2.tar.gz
+++ b/sudo-1.9.0rc2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9b21df2def88776be80d4815b231b9b208930f6b5b25e2e7ac9d0ff2d1c5158d
+size 3722476
--- a/sudo-1.9.0rc2.tar.gz.sig
+++ b/sudo-1.9.0rc2.tar.gz.sig
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Fri Apr 17 17:07:06 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- build with enable-python to support python plugins 
+
+-------------------------------------------------------------------
+Fri Apr 17 11:51:49 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- Update to 1.9.0rc2
+  * Fixed a test failure in the strsig_test regress test on FreeBSD.
+  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
+    used to implement centralized logging of I/O logs.  TLS connections
+    are supported when sudo is configured with the --enable-openssl
+    option.  For more information, see the sudo_logsrvd, logsrvd.conf
+    and sudo_logsrv.proto manuals as well as the log_servers setting
+    in the sudoers manual.
+    The --disable-log-server and --disable-log-client configure
+    options can be used to disable building the I/O log server and/or
+    remote I/O log support in the sudoers plugin.
+  * The new sudo_sendlog utility can be used to test sudo_logsrvd
+    or send existing sudo I/O logs to a centralized server.
+  * It is now possible to write sudo plugins in Python 3 when sudo
+    is configured with the --enable-python> option.  See the
+    sudo_plugin_python.man.html manual for details.
+    Sudo 1.9.0 comes with several Python example plugins that get
+    installed sudo's examples directory.
+    The sudo blog article "What's new in sudo 1.9: Python"
+    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
+    includes a simple tutorial on writing python plugins.
+  * Sudo now supports an "audit" plugin type.  An audit plugin
+    receives accept, reject, exit and error messages and can be used
+    to implement custom logging that is independent of the underlying
+    security policy.   Multiple audit plugins may be specified in
+    the sudo.conf file.  A sample audit plugin is included that
+    writes logs in JSON format.
+  * Sudo now supports an "approval" plugin type.  An approval plugin
+    is run only after the main security policy (such as sudoers) accepts
+    a command to be run.  The approval policy may perform additional
+    checks, potentially interacting with the user.  Multiple approval
+    plugins may be specified in the sudo.conf file.  Only if all
+    approval plugins succeed will the command be allowed.
+  * Sudo's -S command line option now causes the sudo conversation
+    function to write to the standard output or standard error instead
+    of the terminal device.
+  * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for
+    people who find the former more natural.
+  * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
+    to enable or disable setting the PAM remote user and/or host
+    values during PAM session setup.
+  * More than one SHA-2 digest may now be specified for a single
+    command.  Multiple digests must be separated by a comma.
+  * It is now possible to specify a SHA-2 digest in conjunction with
+    the "ALL" reserved word in a command specification.  This allows
+    one to give permission to run any command that matches the
+    specified digest, regardless of its path.
+  * Sudo and sudo_logsrvd now create an extended I/O log info file
+    in JSON format that contains additional information about the
+    command that was run, such as the host name.  The sudoreplay
+    utility uses this file in preference to the legacy log file.
+  * The sudoreplay utility can now match on a host name in list mode.
+    The list output also now includes the host name if one is present
+    in the log file.
+  * For "sudo -i", if the target user's home directory does not
+    exist, sudo will now warn about the problem but run the command
+    in the current working directory.  Previously, this was a fatal
+    error.  Debian bug #598519.
+  * The command line arguments in the SUDO_COMMAND environment
+    variable are now truncated at 4096 characters.  This avoids an
+    "Argument list too long" error when executing a command with a
+    large number of arguments.  Debian bug #596631.
+  * Sudo now properly ends the PAM transaction when the user
+    authenticates successfully but sudoers denies the command.
+    Debian bug #669687.
+  * The sudoers grammar in the manual now indicates that "sudoedit"
+    requires one or more arguments.  Debian bug #571621.
+- Pack /usr/sbin/{sudo_logsrvd,sudo_sendlog} binaries and their
+  manpages
+- Pack /usr/lib/sudo/sudo/{audit_json.so,sample_approval.so} plugins
+- Pack /etc/sudo.conf and /etc/sudo_logsrvd.conf configuration files
+- Run spec-cleaner
+
 -------------------------------------------------------------------
 Tue Mar 17 07:46:06 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>

--- a/sudo.spec
+++ b/sudo.spec
@ -21,16 +21,15 @@
 %else
 %define use_usretc 1
 %endif
-
 Name:           sudo
-Version:        1.8.31p1
+Version:        1.9.0rc2
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
 Group:          System/Base
 URL:            https://www.sudo.ws/
-Source0:        https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
-Source1:        https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz.sig
+Source0:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz
+Source1:        https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        sudo.pamd
 Source4:        sudo-i.pamd
@ -45,6 +44,7 @@ BuildRequires:  groff
 BuildRequires:  libselinux-devel
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
+BuildRequires:  python3-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  zlib-devel
 Requires(pre):  coreutils
@ -103,6 +103,7 @@ export LDFLAGS="-pie"
    --with-tty-tickets \
    --enable-shell-sets-home \
    --enable-warnings \
+    --enable-python \
    --with-sendmail=%{_sbindir}/sendmail \
    --with-sudoers-mode=0440 \
    --with-env-editor \
@ -111,7 +112,7 @@ export LDFLAGS="-pie"
    --with-rundir=%{_localstatedir}/lib/sudo \
    --with-sssd
 # -B required to make every build give the same result - maybe from bad build deps in Makefiles?
-make -B %{?_smp_mflags}
+%make_build -B

 %install
 %make_install install_uid=`id -u` install_gid=`id -g`
@ -143,15 +144,14 @@ rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE
 %pre
 # move outdated pam.d/*.rpmsave files away
 for i in sudo sudo-i ; do
-    test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i}.rpmsave.old ||:
+    test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
 done

 %posttrans
 # Migration to /usr/etc.
 for i in  sudo sudo-i ; do
-  test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i} ||:
+  test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
 done
-
 %endif

 %post
@ -178,9 +178,16 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_mandir}/man8/sudoedit.8%{?ext_man}
 %{_mandir}/man8/sudoreplay.8%{?ext_man}
 %{_mandir}/man8/visudo.8%{?ext_man}
+%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
+%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
+%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
+%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
+%{_mandir}/man8/sudo_sendlog.8%{?ext_man}

 %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
 %dir %{_sysconfdir}/sudoers.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
 %if %{defined use_usretc}
 %{_distconfdir}/pam.d/sudo
 %{_distconfdir}/pam.d/sudo-i
@ -196,6 +203,8 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_bindir}/sudoreplay
 %{_bindir}/cvtsudoers
 %{_sbindir}/visudo
+%{_sbindir}/sudo_logsrvd
+%{_sbindir}/sudo_sendlog
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/sesh
 %{_libexecdir}/%{name}/sudo_noexec.so
@ -203,6 +212,9 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_libexecdir}/%{name}/%{name}/sudoers.so
 %{_libexecdir}/%{name}/%{name}/group_file.so
 %{_libexecdir}/%{name}/%{name}/system_group.so
+%{_libexecdir}/%{name}/%{name}/audit_json.so
+%{_libexecdir}/%{name}/%{name}/sample_approval.so
+%{_libexecdir}/%{name}/%{name}/python_plugin.so
 %{_libexecdir}/%{name}/libsudo_util.so.*
 %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
 %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts