diff --git a/sudo-1.8.16-pam_groups.patch b/sudo-1.8.16-pam_groups.patch
new file mode 100644
index 0000000..03ffc31
--- /dev/null
+++ b/sudo-1.8.16-pam_groups.patch
@@ -0,0 +1,100 @@
+# HG changeset patch
+# User Todd C. Miller
+# Date 1461862918 21600
+# Node ID 814cda6025419e40b417f7d797757e11259feef2
+# Parent ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
+Do group setup in policy_init_session() before calling out to the
+plugin. This makes it possible for the pam_group module to change
+the group in pam_setcred(). It's a bit bogus since pam_setcred()
+is documented as not changing the group or user ID, but pam_group
+is shipped with stock Linux-PAM so we need to support it.
+
+diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
+--- a/src/sudo.c Tue Apr 26 14:39:42 2016 -0600
++++ b/src/sudo.c Thu Apr 28 11:01:58 2016 -0600
+@@ -939,7 +939,8 @@
+ }
+
+ /*
+- * Setup the execution environment immediately prior to the call to execve()
++ * Setup the execution environment immediately prior to the call to execve().
++ * Group setup is performed by policy_init_session(), called earlier.
+ * Returns true on success and false on failure.
+ */
+ bool
+@@ -1018,30 +1019,6 @@
+ #endif /* HAVE_LOGIN_CAP_H */
+ }
+
+- /*
+- * Set groups, including supplementary group vector.
+- */
+- if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
+- if (details->ngroups >= 0) {
+- if (sudo_setgroups(details->ngroups, details->groups) < 0) {
+- sudo_warn(U_("unable to set supplementary group IDs"));
+- goto done;
+- }
+- }
+- }
+-#ifdef HAVE_SETEUID
+- if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
+- sudo_warn(U_("unable to set effective gid to runas gid %u"),
+- (unsigned int)details->egid);
+- goto done;
+- }
+-#endif
+- if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
+- sudo_warn(U_("unable to set gid to runas gid %u"),
+- (unsigned int)details->gid);
+- goto done;
+- }
+-
+ if (ISSET(details->flags, CD_SET_PRIORITY)) {
+ if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
+ sudo_warn(U_("unable to set process priority"));
+@@ -1365,6 +1342,35 @@
+ int rval = true;
+ debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
+
++ /*
++ * We set groups, including supplementary group vector,
++ * as part of the session setup. This allows for dynamic
++ * groups to be set via pam_group(8) in pam_setcred(3).
++ */
++ if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
++ if (details->ngroups >= 0) {
++ if (sudo_setgroups(details->ngroups, details->groups) < 0) {
++ sudo_warn(U_("unable to set supplementary group IDs"));
++ rval = -1;
++ goto done;
++ }
++ }
++ }
++#ifdef HAVE_SETEUID
++ if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
++ sudo_warn(U_("unable to set effective gid to runas gid %u"),
++ (unsigned int)details->egid);
++ rval = -1;
++ goto done;
++ }
++#endif
++ if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
++ sudo_warn(U_("unable to set gid to runas gid %u"),
++ (unsigned int)details->gid);
++ rval = -1;
++ goto done;
++ }
++
+ if (policy_plugin.u.policy->init_session) {
+ /*
+ * Backwards compatibility for older API versions
+@@ -1381,6 +1387,7 @@
+ }
+ sudo_debug_set_active_instance(sudo_debug_instance);
+ }
++done:
+ debug_return_int(rval);
+ }
+
+
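Review bot: In the src/sudo.c part of this patch, exec_setup() (inner hunk at -1018) no longer sets the supplementary groups, egid or gid itself, and the only link to the relocated code is the new comment `Group setup is performed by policy_init_session(), called earlier`; nothing in the visible lines enforces that ordering. If any path reaches exec_setup() without policy_init_session() having returned true, the command would presumably run with whatever group IDs the sudo process still holds, so the call site (outside these hunks) needs to treat every non-true return, including the new `rval = -1`, as fatal. I would make the comment say that explicitly, e.g. `* Group IDs are NOT set here; callers must abort unless policy_init_session() returned true.` The block added to policy_init_session() (inner hunk at -1365) should also state that the plugin's init_session runs after sudo's own setgroups(), so the final group vector is whatever pam_setcred() leaves and may differ from details->groups. Both function bodies extend beyond the hunks shown.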
diff --git a/sudo.changes b/sudo.changes
index 2b1d9c9..7051654 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Apr 29 11:34:18 UTC 2016 - kstreitova@suse.com
+
+- add sudo-1.8.16-pam_groups.patch to do group setup in
+ policy_init_session() before calling out to the plugin. This makes
+ it possible for the pam_group module to change the group in
+ pam_setcred() [fate#318850]
+
 -------------------------------------------------------------------
 Sat Mar 19 10:02:09 UTC 2016 - mpluskal@suse.com
diff --git a/sudo.spec b/sudo.spec
index 635e71a..aed9e07 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -33,6 +33,7 @@ Source6: %{name}.keyring
 Patch0: sudoers2ldif-env.patch
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch1: sudo-sudoers.patch
+Patch2: sudo-1.8.16-pam_groups.patch
 BuildRequires: audit-devel
 BuildRequires: groff
 BuildRequires: libselinux-devel
@@ -73,6 +74,7 @@ Tests for fate#313276
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %ifarch s390 s390x %sparc