Accepting request 950730 from Base:System

OBS-URL: https://build.opensuse.org/request/show/950730 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=127
2022-02-03 22:15:48 +00:00 · 2022-02-03 22:15:48 +00:00 · 8f8097e0ab
commit 8f8097e0ab
parent e1878025fc c1da9ded70
7 changed files with 116 additions and 57 deletions
--- a/sudo-1.9.8p2.tar.gz
+++ b/sudo-1.9.8p2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9e3b8b8da7def43b6e60c257abe80467205670fd0f7c081de1423c414b680f2d
-size 4302256
--- a/sudo-1.9.8p2.tar.gz.sig
+++ b/sudo-1.9.8p2.tar.gz.sig
--- a/sudo-1.9.9.tar.gz
+++ b/sudo-1.9.9.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
+size 4456969
--- a/sudo-1.9.9.tar.gz.sig
+++ b/sudo-1.9.9.tar.gz.sig
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@ -1,7 +1,7 @@
-Index: sudo-1.8.31/plugins/sudoers/sudoers.in
+Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ===================================================================
--- sudo-1.8.31.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.31/plugins/sudoers/sudoers.in
+--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.9/plugins/sudoers/sudoers.in
@@ -32,30 +32,23 @@
 ##
 ## Defaults specification
@ -67,48 +67,17 @@ Index: sudo-1.8.31/plugins/sudoers/sudoers.in
 ##
 ## Runas alias specification
 ##
-@@ -84,13 +84,5 @@
+@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
 ## Same thing without a password
- # %wheel ALL=(ALL) NOPASSWD: ALL
+ # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 
 -## Uncomment to allow members of group sudo to execute any command
-# %sudo	ALL=(ALL) ALL
+-# %sudo	ALL=(ALL:ALL) ALL
 -
 -## Uncomment to allow any user to run sudo if they know the password
 -## of the user they are running the command as (root by default).
 -# Defaults targetpw  # Ask for the password of the target user
-# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
 -
 ## Read drop-in files from @sysconfdir@/sudoers.d
 @includedir @sysconfdir@/sudoers.d
-Index: sudo-1.8.31/doc/sudoers.mdoc.in
-===================================================================
--- sudo-1.8.31.orig/doc/sudoers.mdoc.in
-+++ sudo-1.8.31/doc/sudoers.mdoc.in
-@@ -1985,7 +1985,7 @@ is present in the
- .Em env_keep
- list, both of which are strongly discouraged.
- This flag is
-.Em off
-+.Em on
- by default.
- .It authenticate
- If set, users must authenticate themselves via a password (or other
-@@ -2376,7 +2376,7 @@ If set,
- .Nm sudo
- will insult users when they enter an incorrect password.
- This flag is
-.Em @insults@
-+.Em off
- by default.
- .It log_allowed
- If set,
-@@ -3009,7 +3009,7 @@ database as an argument to the
- .Fl u
- option.
- This flag is
-.Em off
-+.Em on
- by default.
- .It tty_tickets
- If set, users must authenticate on a per-tty basis.
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,98 @@
+-------------------------------------------------------------------
+Tue Feb  1 02:27:04 UTC 2022 - Simon Lees <simonf.lees@suse.com>
+
+- Update to 1.9.9
+   * Sudo can now be built with OpenSSL 3.0 without generating
+     warnings about deprecated OpenSSL APIs.
+   * A digest can now be specified along with the ALL command in
+     the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
+     this in the sudoers file but did not include corresponding
+     changes for the other back-ends.
+   * visudo now only warns about an undefined alias or a cycle in
+     an alias once for each alias.
+   * The sudoRole cn was truncated by a single character in warning
+     messages. GitHub issue #115.
+   * The cvtsudoers utility has new --group-file and --passwd-file
+     options to use a custom passwd or group file when the
+     --match-local option is also used.
+   * The cvtsudoers utility can now filter or match based on a command.
+   * The cvtsudoers utility can now produce output in csv
+     (comma-separated value) format. This can be used to help generate
+     entitlement reports.
+   * Fixed a bug in sudo_logsrvd that could result in the connection
+     being dropped for very long command lines.
+   * Fixed a bug where sudo_logsrvd would not accept a restore point
+     of zero.
+   * Fixed a bug in visudo where the value of the editor setting was
+     not used if it did not match the user’s EDITOR environment
+     variable. This was only a problem if the env_editor setting was
+     not enabled. Bug #1000.
+   * Sudo now builds with the -fcf-protection compiler option and the
+     -z now linker option if supported.
+   * The output of sudoreplay -l now more closely matches the
+     traditional sudo log format.
+   * The sudo_sendlog utility will now use the full contents of the
+     log.json file, if present. This makes it possible to send
+     sudo-format I/O logs that use the newer log.json format to
+     sudo_logsrvd without losing any information.
+   * Fixed compilation of the arc4random_buf() replacement on systems
+     with arc4random() but no arc4random_buf(). Bug #1008.
+   * Sudo now uses its own getentropy() by default on Linux. The GNU
+     libc version of getentropy() will fail on older kernels that
+     don’t support the getrandom() system call.
+   * It is now possible to build sudo with WolfSSL’s OpenSSL
+     compatibility layer by using the --enable-wolfssl configure
+     option.
+   * Fixed a bug related to Daylight Saving Time when parsing
+     timestamps in Generalized Time format. This affected the NOTBEFORE
+     and NOTAFTER options in sudoers. Bug #1006.
+   * Added the -O and -P options to visudo, which can be used to check
+     or set the owner and permissions. This can be used in conjunction
+     with the -c option to check that the sudoers file ownership and
+     permissions are correct. Bug #1007.
+   * It is now possible to set resource limits in the sudoers file
+     itself. The special values default and “user” refer to the
+     default system limit and invoking user limit respectively. The
+     core dump size limit is now set to 0 by default unless overridden
+     by the sudoers file.
+   * The cvtsudoers utility can now merge multiple sudoers sources into
+     a single, combined sudoers file. If there are conflicting entries,
+     cvtsudoers will attempt to resolve them but manual intervention
+     may be required. The merging of sudoers rules is currently fairly
+     simplistic but will be improved in a future release.
+   * Sudo was parsing but not applying the “deref” and “tls_reqcert”
+     ldap.conf settings. This meant the options were effectively ignored
+     which broke dereferencing of aliases in LDAP. Bug #1013.
+   * Clarified in the sudo man page that the security policy may
+     override the user’s PATH environment variable. Bug #1014.
+   * When sudo is run in non-interactive mode (with the -n option), it
+     will now attempt PAM authentication and only exit with an error if
+     user interaction is required. This allows PAM modules that don’t
+     interact with the user to succeed. Previously, sudo would not
+     attempt authentication if the -n option was specified. Bug #956
+     and GitHub issue #83.
+   * Fixed a regression introduced in version 1.9.1 when sudo is built
+     with the --with-fqdn configure option. The local host name was
+     being resolved before the sudoers file was processed, making it
+     impossible to disable DNS lookups by negating the fqdn sudoers
+     option. Bug #1016.
+   * Added support for negated sudoUser attributes in the LDAP and SSSD
+     sudoers back ends. A matching sudoUser that is negated will cause
+     the sudoRole containing it to be ignored.
+   * Fixed a bug where the stack resource limit could be set to a value
+     smaller than that of the invoking user and not be reset before the
+     command was run. Bug #1016.
+- sudo no longer ships schema for LDAP.
+- sudo-feature-negated-LDAP-users.patch dropped, included upstream
+- refreshed sudo-sudoers.patch
+
+-------------------------------------------------------------------
+Thu Jan 27 03:00:26 UTC 2022 - Simon Lees <sflees@suse.de>
+
+- Add support in the LDAP filter for negated users, patch taken
+  from upstream (jsc#20068)
+  * Adds sudo-feature-negated-LDAP-users.patch
+
 -------------------------------------------------------------------
 Wed Sep 22 12:27:51 UTC 2021 - Kristyna Streitova <kstreitova@suse.com>

@ -78,7 +173,7 @@ Wed Sep 22 12:27:51 UTC 2021 - Kristyna Streitova <kstreitova@suse.com>
 -------------------------------------------------------------------
 Fri Jul 30 07:35:39 UTC 2021 - peter czanik <peter@czanik.hu>

- update to 1.9.7p2 
+- update to 1.9.7p2
 - enabled openssl support for secure central session
  recording collection (without it's clear text)
 - fixed SLES12 build
@ -197,8 +292,8 @@ Wed May 12 15:22:11 UTC 2021 - Kristyna Streitova <kstreitova@suse.com>
    Bug #820.
  * Corrected the description of which groups may be specified via the
    -g option in the Runas_Spec section.  Bug #975.
- 
- 
+
+
 -------------------------------------------------------------------
 Sat Mar 20 18:25:12 UTC 2021 - Dirk Müller <dmueller@suse.com>

--- a/sudo.spec
+++ b/sudo.spec
@ -1,7 +1,7 @@
 #
 # spec file for package sudo
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
 %define use_usretc 1
 %endif
 Name:           sudo
-Version:        1.9.8p2
+Version:        1.9.9
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -88,8 +88,7 @@ Requires:       %{name} = %{version}
 Tests for fate#313276

 %prep
-%setup -q
-%patch0 -p1
+%autosetup -p1

 %build
 %ifarch s390 s390x %{sparc}
@ -140,7 +139,6 @@ install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/sudo-i
 rm -f %{buildroot}%{_bindir}/sudoedit
 ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
 install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
-install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema
 install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
 rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
 rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
@ -154,9 +152,10 @@ cat sudoers.lang >> %{name}.lang
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
 install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
 install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
-install -d %{buildroot}%{_docdir}/%{name}-test
-install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE %{buildroot}%{_docdir}/%{name}-test/LICENSE
-rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE
+
+install -d %{buildroot}%{_licensedir}/%{name}
+install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md
+rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md

 %if %{defined use_usretc}
 %pre
@ -185,7 +184,7 @@ chmod 0440 %{_sysconfdir}/sudoers
 %verify_permissions -e %{_bindir}/sudo

 %files -f %{name}.lang
-%license doc/LICENSE
+%license doc/LICENSE.md
 %doc %{_docdir}/%{name}
 %{_mandir}/man1/cvtsudoers.1%{?ext_man}
 %{_mandir}/man5/sudoers.5%{?ext_man}
@ -213,9 +212,6 @@ chmod 0440 %{_sysconfdir}/sudoers
 %config(noreplace) %{_sysconfdir}/pam.d/sudo-i
 %endif
 %attr(4755,root,root) %{_bindir}/sudo
-%dir %{_sysconfdir}/openldap
-%dir %{_sysconfdir}/openldap/schema
-%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
 %{_bindir}/sudoedit
 %{_bindir}/sudoreplay
 %{_bindir}/cvtsudoers
@ -252,6 +248,5 @@ chmod 0440 %{_sysconfdir}/sudoers

 %files test
 %{_localstatedir}/lib/tests
-%{_docdir}/%{name}-test/

 %changelog