Accepting request 181790 from Base:System
- restore accidentally dropped suse-specific patches * remove CVE-2013-1775 * remove CVE-2013-1776 * The non-Unix group plugin is now supported when sudoers data is stored in LDAP. * User messages are now always displayed in the user's locale, even when the same message is being logged or mailed in a different locale. * Log files created by sudo now explicitly have the group set to group ID 0 rather than relying on BSD group semantics (which may not be the default). * A new exec_background sudoers option can be used to initially run the command without read access to the terminal when running a command in a pseudo-tty. * Sudo now produces better error messages when there is an error in the sudo.conf file. * Two new settings have been added to sudo.conf to give the admin better control of how group database queries are performed. * There is now a standalone sudo.conf manual page. * New support for specifying a SHA-2 digest along with the command in sudoers. Supported hash types are sha224, sha256, sha384 and sha512. See the description of Digest_Spec in the sudoers manual or the description of sudoCommand in the sudoers.ldap manual for details. * Fixed potential false positives in visudo's alias cycle detection. * Sudo now only builds Position Independent Executables (PIE) by default on Linux systems and verifies that a trivial test program builds and runs. OBS-URL: https://build.opensuse.org/request/show/181790 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=56
This commit is contained in:
Stephan Kulow
Git OBS Bridge
commit
96be893e29
80
sudo-sudoers.patch
Normal file
80
sudo-sudoers.patch
Normal file
@ -0,0 +1,80 @@
|
||||
Index: sudo-1.8.0/plugins/sudoers/sudoers.in
|
||||
===================================================================
|
||||
--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
|
||||
+++ sudo-1.8.0/plugins/sudoers/sudoers.in
|
||||
@@ -31,37 +31,36 @@
|
||||
##
|
||||
## Defaults specification
|
||||
##
|
||||
-## You may wish to keep some of the following environment variables
|
||||
-## when running commands via sudo.
|
||||
-##
|
||||
-## Locale settings
|
||||
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
||||
-##
|
||||
-## Run X applications through sudo; HOME is used to find the
|
||||
-## .Xauthority file. Note that other programs use HOME to find
|
||||
-## configuration files and this may lead to privilege escalation!
|
||||
-# Defaults env_keep += "HOME"
|
||||
-##
|
||||
-## X11 resource path settings
|
||||
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
||||
-##
|
||||
-## Desktop path settings
|
||||
-# Defaults env_keep += "QTDIR KDEDIR"
|
||||
-##
|
||||
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
||||
-# Defaults env_keep += "XDG_SESSION_COOKIE"
|
||||
-##
|
||||
-## Uncomment to enable special input methods. Care should be taken as
|
||||
-## this may allow users to subvert the command being run via sudo.
|
||||
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
||||
+## Prevent environment variables from influencing programs in an
|
||||
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
||||
+Defaults always_set_home
|
||||
+Defaults env_reset
|
||||
+## Change env_reset to !env_reset in previous line to keep all environment variables
|
||||
+## Following list will no longer be necessary after this change
|
||||
+
|
||||
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
||||
+## Comment out the preceding line and uncomment the following one if you need
|
||||
+## to use special input methods. This may allow users to compromise the root
|
||||
+## account if they are allowed to run commands without authentication.
|
||||
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
||||
+
|
||||
+## Do not insult users when they enter an incorrect password.
|
||||
+Defaults !insults
|
||||
+
|
||||
##
|
||||
## Uncomment to enable logging of a command's output, except for
|
||||
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
|
||||
# Defaults log_output
|
||||
# Defaults!/usr/bin/sudoreplay !log_output
|
||||
-# Defaults!/usr/local/bin/sudoreplay !log_output
|
||||
# Defaults!/sbin/reboot !log_output
|
||||
|
||||
+## In the default (unconfigured) configuration, sudo asks for the root password.
|
||||
+## This allows use of an ordinary user account for administration of a freshly
|
||||
+## installed system. When configuring sudo, delete the two
|
||||
+## following lines:
|
||||
+Defaults targetpw # ask for the password of the target user i.e. root
|
||||
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
||||
+
|
||||
##
|
||||
## Runas alias specification
|
||||
##
|
||||
@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
|
||||
## Same thing without a password
|
||||
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||
|
||||
-## Uncomment to allow members of group sudo to execute any command
|
||||
-# %sudo ALL=(ALL) ALL
|
||||
-
|
||||
-## Uncomment to allow any user to run sudo if they know the password
|
||||
-## of the user they are running the command as (root by default).
|
||||
-# Defaults targetpw # Ask for the password of the target user
|
||||
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
||||
-
|
||||
## Read drop-in files from @sysconfdir@/sudoers.d
|
||||
## (the '#' here does not indicate a comment)
|
||||
#includedir @sysconfdir@/sudoers.d
|
||||
27
sudo.changes
27
sudo.changes
@ -1,8 +1,33 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 2 16:30:19 UTC 2013 - dmueller@suse.com
|
||||
|
||||
- restore accidentally dropped suse-specific patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com
|
||||
|
||||
- Update to upstream release 1.8.7
|
||||
* especially all local patches are obsoleted by upstream fixes
|
||||
* remove CVE-2013-1775
|
||||
* remove CVE-2013-1776
|
||||
* The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
|
||||
* User messages are now always displayed in the user's locale, even when the
|
||||
same message is being logged or mailed in a different locale.
|
||||
* Log files created by sudo now explicitly have the group set to group ID 0
|
||||
rather than relying on BSD group semantics (which may not be the default).
|
||||
* A new exec_background sudoers option can be used to initially run the
|
||||
command without read access to the terminal when running a command in a
|
||||
pseudo-tty.
|
||||
* Sudo now produces better error messages when there is an error in the sudo.conf file.
|
||||
* Two new settings have been added to sudo.conf to give the admin better control of
|
||||
how group database queries are performed.
|
||||
* There is now a standalone sudo.conf manual page.
|
||||
* New support for specifying a SHA-2 digest along with the command in sudoers.
|
||||
Supported hash types are sha224, sha256, sha384 and sha512. See the description
|
||||
of Digest_Spec in the sudoers manual or the description of sudoCommand in the
|
||||
sudoers.ldap manual for details.
|
||||
* Fixed potential false positives in visudo's alias cycle detection.
|
||||
* Sudo now only builds Position Independent Executables (PIE) by default on Linux
|
||||
systems and verifies that a trivial test program builds and runs.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com
|
||||
|
||||
@ -26,6 +26,9 @@ Url: http://www.sudo.ws/
|
||||
Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
|
||||
Source1: sudo.pamd
|
||||
Source2: README.SUSE
|
||||
Patch0: sudoers2ldif-env.patch
|
||||
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
|
||||
Patch1: sudo-sudoers.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: groff
|
||||
BuildRequires: libselinux-devel
|
||||
@ -53,6 +56,8 @@ These header files are needed for building of sudo plugins.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
%ifarch s390 s390x %sparc
|
||||
|
||||
10
sudoers2ldif-env.patch
Normal file
10
sudoers2ldif-env.patch
Normal file
@ -0,0 +1,10 @@
|
||||
Index: sudo-1.8.7/plugins/sudoers/sudoers2ldif
|
||||
===================================================================
|
||||
--- sudo-1.8.7.orig/plugins/sudoers/sudoers2ldif
|
||||
+++ sudo-1.8.7/plugins/sudoers/sudoers2ldif
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/env perl
|
||||
+#!/usr/bin/perl
|
||||
#
|
||||
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
#
|
||||
Loading…
Reference in New Issue
Block a user