diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
new file mode 100644
index 0000000..a2810f6
--- /dev/null
+++ b/sudo-sudoers.patch
@@ -0,0 +1,80 @@
+Index: sudo-1.8.0/plugins/sudoers/sudoers.in
+===================================================================
+--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
++++ sudo-1.8.0/plugins/sudoers/sudoers.in
+@@ -31,37 +31,36 @@
+ ##
+ ## Defaults specification
+ ##
+-## You may wish to keep some of the following environment variables
+-## when running commands via sudo.
+-##
+-## Locale settings
+-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+-##
+-## Run X applications through sudo; HOME is used to find the
+-## .Xauthority file. Note that other programs use HOME to find
+-## configuration files and this may lead to privilege escalation!
+-# Defaults env_keep += "HOME"
+-##
+-## X11 resource path settings
+-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+-##
+-## Desktop path settings
+-# Defaults env_keep += "QTDIR KDEDIR"
+-##
+-## Allow sudo-run commands to inherit the callers' ConsoleKit session
+-# Defaults env_keep += "XDG_SESSION_COOKIE"
+-##
+-## Uncomment to enable special input methods. Care should be taken as
+-## this may allow users to subvert the command being run via sudo.
+-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
++## Prevent environment variables from influencing programs in an
++## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
++Defaults always_set_home
++Defaults env_reset
++## Change env_reset to !env_reset in previous line to keep all environment variables
++## Following list will no longer be necessary after this change
++
++Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
++## Comment out the preceding line and uncomment the following one if you need
++## to use special input methods. This may allow users to compromise the root
++## account if they are allowed to run commands without authentication.
++#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
++
++## Do not insult users when they enter an incorrect password.
++Defaults !insults
++
+ ##
+ ## Uncomment to enable logging of a command's output, except for
+ ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+ # Defaults log_output
+ # Defaults!/usr/bin/sudoreplay !log_output
+-# Defaults!/usr/local/bin/sudoreplay !log_output
+ # Defaults!/sbin/reboot !log_output
+
++## In the default (unconfigured) configuration, sudo asks for the root password.
++## This allows use of an ordinary user account for administration of a freshly
++## installed system. When configuring sudo, delete the two
++## following lines:
++Defaults targetpw # ask for the password of the target user i.e. root
++ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
++
+ ##
+ ## Runas alias specification
+ ##
+@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
+ ## Same thing without a password
+ # %wheel ALL=(ALL) NOPASSWD: ALL
+
+-## Uncomment to allow members of group sudo to execute any command
+-# %sudo ALL=(ALL) ALL
+-
+-## Uncomment to allow any user to run sudo if they know the password
+-## of the user they are running the command as (root by default).
+-# Defaults targetpw # Ask for the password of the target user
+-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+-
+ ## Read drop-in files from @sysconfdir@/sudoers.d
+ ## (the '#' here does not indicate a comment)
+ #includedir @sysconfdir@/sudoers.d
diff --git a/sudo.changes b/sudo.changes
index 6abeefb..c5da82e 100644
--- a/sudo.changes
+++ b/sudo.changes
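Review bot: The two active lines `Defaults targetpw` and `ALL ALL=(ALL) ALL` in the first inner hunk depend on each other, but only a trailing `# WARNING!` remark says so and nothing states what happens if they are separated. `targetpw` is a global default, so if it is removed or negated on its own (by an edit here or, presumably, by a file read through the `#includedir @sysconfdir@/sudoers.d` line kept in the second inner hunk) while the `ALL` rule stays, every local account can run any command as root with its own password. I would state that in the comment block above the pair, for example `## If targetpw is ever disabled, the ALL rule below MUST be removed with it;` followed by `## otherwise every user can become root with their own password.` The hint to switch to `!env_reset` a few lines earlier would likewise benefit from saying that it brings back the environment-variable exposure cited in the comment that opens that block.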
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jul 2 16:30:19 UTC 2013 - dmueller@suse.com
+
+- restore accidentally dropped suse-specific patches
+
 -------------------------------------------------------------------
 Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com
diff --git a/sudo.spec b/sudo.spec
index 823b3b0..7b7c925 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -26,6 +26,8 @@ Url: http://www.sudo.ws/
 Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
 Source1: sudo.pamd
 Source2: README.SUSE
+Patch0: sudoers2ldif-env.patch
+Patch1: sudo-sudoers.patch
 BuildRequires: audit-devel
 BuildRequires: groff
 BuildRequires: libselinux-devel
@@ -53,6 +55,8 @@ These header files are needed for building of sudo plugins.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %build
 %ifarch s390 s390x %sparc
diff --git a/sudoers2ldif-env.patch b/sudoers2ldif-env.patch
new file mode 100644
index 0000000..5ad7d25
--- /dev/null
+++ b/sudoers2ldif-env.patch
@@ -0,0 +1,10 @@
+Index: sudo-1.8.7/plugins/sudoers/sudoers2ldif
+===================================================================
+--- sudo-1.8.7.orig/plugins/sudoers/sudoers2ldif
++++ sudo-1.8.7/plugins/sudoers/sudoers2ldif
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller
+ #