Accepting request 392940 from Base:System
1 OBS-URL: https://build.opensuse.org/request/show/392940 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=77
commit
734cf422f8
100
sudo-1.8.16-pam_groups.patch
Normal file
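--- a/sudo-1.8.16-pam_groups.patch
+++ b/sudo-1.8.16-pam_groups.patch
@@ -0,0 +1,100 @@
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1461862918 21600
+# Node ID 814cda6025419e40b417f7d797757e11259feef2
+# Parent ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
+Do group setup in policy_init_session() before calling out to the
+plugin. This makes it possible for the pam_group module to change
+the group in pam_setcred(). It's a bit bogus since pam_setcred()
+is documented as not changing the group or user ID, but pam_group
+is shipped with stock Linux-PAM so we need to support it.
+
+diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
+--- a/src/sudo.c Tue Apr 26 14:39:42 2016 -0600
++++ b/src/sudo.c Thu Apr 28 11:01:58 2016 -0600
+@@ -939,7 +939,8 @@
+}
+
+/*
+- * Setup the execution environment immediately prior to the call to execve()
++ * Setup the execution environment immediately prior to the call to execve().
++ * Group setup is performed by policy_init_session(), called earlier.
+* Returns true on success and false on failure.
+*/
+bool
+@@ -1018,30 +1019,6 @@
+#endif /* HAVE_LOGIN_CAP_H */
+}
+
+- /*
+- * Set groups, including supplementary group vector.
+- */
+- if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
+- if (details->ngroups >= 0) {
+- if (sudo_setgroups(details->ngroups, details->groups) < 0) {
+- sudo_warn(U_("unable to set supplementary group IDs"));
+- goto done;
+- }
+- }
+- }
+-#ifdef HAVE_SETEUID
+- if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
+- sudo_warn(U_("unable to set effective gid to runas gid %u"),
+- (unsigned int)details->egid);
+- goto done;
+- }
+-#endif
+- if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
+- sudo_warn(U_("unable to set gid to runas gid %u"),
+- (unsigned int)details->gid);
+- goto done;
+- }
+-
+if (ISSET(details->flags, CD_SET_PRIORITY)) {
+if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
+sudo_warn(U_("unable to set process priority"));
+@@ -1365,6 +1342,35 @@
+int rval = true;
+debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
+
++ /*
++ * We set groups, including supplementary group vector,
++ * as part of the session setup. This allows for dynamic
++ * groups to be set via pam_group(8) in pam_setcred(3).
++ */
++ if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
++ if (details->ngroups >= 0) {
++ if (sudo_setgroups(details->ngroups, details->groups) < 0) {
++ sudo_warn(U_("unable to set supplementary group IDs"));
++ rval = -1;
++ goto done;
++ }
++ }
++ }
++#ifdef HAVE_SETEUID
++ if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
++ sudo_warn(U_("unable to set effective gid to runas gid %u"),
++ (unsigned int)details->egid);
++ rval = -1;
++ goto done;
++ }
++#endif
++ if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
++ sudo_warn(U_("unable to set gid to runas gid %u"),
++ (unsigned int)details->gid);
++ rval = -1;
++ goto done;
++ }
++
+if (policy_plugin.u.policy->init_session) {
+/*
+* Backwards compatibility for older API versions
+@@ -1381,6 +1387,7 @@
+}
+sudo_debug_set_active_instance(sudo_debug_instance);
+}
++done:
+debug_return_int(rval);
+}
+
+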
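Review bot: The three failure paths added to policy_init_session() in the third hunk of the embedded patch set `rval = -1` in a function that starts from `int rval = true`, so the result is non-zero on both success and failure and only a caller that compares against `true` will notice the error. That matters more after this patch, because the second hunk deletes the same setgroups()/setegid()/setgid() calls from the pre-execve() setup, so nothing later would correct the group set if a failure here were missed, and the command would presumably run with the groups sudo started with. The caller is outside the patch; confirm it aborts on any value other than `true`, and consider saying so in the new comment, e.g. `* A failure here must be fatal: the pre-exec setup no longer sets groups.` It is also worth confirming that every path that reaches execve() goes through policy_init_session() first, and documenting that the final supplementary group list is now whatever the PAM stack leaves in place rather than `details->groups`.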
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Apr 29 11:34:18 UTC 2016 - kstreitova@suse.com
|
||||||
|
|
||||||
|
- add sudo-1.8.16-pam_groups.patch to do group setup in
|
||||||
|
policy_init_session() before calling out to the plugin. This makes
|
||||||
|
it possible for the pam_group module to change the group in
|
||||||
|
pam_setcred() [fate#318850]
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Mar 19 10:02:09 UTC 2016 - mpluskal@suse.com
|
Sat Mar 19 10:02:09 UTC 2016 - mpluskal@suse.com
|
||||||
|
|
||||||
|
@ -33,6 +33,7 @@ Source6: %{name}.keyring
|
|||||||
Patch0: sudoers2ldif-env.patch
|
Patch0: sudoers2ldif-env.patch
|
||||||
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
|
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
|
||||||
Patch1: sudo-sudoers.patch
|
Patch1: sudo-sudoers.patch
|
||||||
|
Patch2: sudo-1.8.16-pam_groups.patch
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
@ -73,6 +74,7 @@ Tests for fate#313276
|
|||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch s390 s390x %sparc
|
%ifarch s390 s390x %sparc
|
||||||
|
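Review bot: `Patch2: sudo-1.8.16-pam_groups.patch` in the first hunk of the spec file is added without the provenance comment that the neighbouring `Patch1` carries (`# PATCH-OPENSUSE: ...`). Because this patch changes where a setuid program sets its groups, the spec should record where the patch comes from and when it can be dropped, for example `# PATCH-FIX-UPSTREAM: sudo-1.8.16-pam_groups.patch fate#318850 -- group setup in policy_init_session(), upstream changeset 814cda602541`. The `%patch2 -p1` line in the second hunk is fine as written.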