pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 181790 from Base:System

Browse Source 
- restore accidentally dropped suse-specific patches 

  * remove CVE-2013-1775
  * remove CVE-2013-1776
  * The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
  * User messages are now always displayed in the user's locale, even when the
  same message is being logged or mailed in a different locale.  
  * Log files created by sudo now explicitly have the group set to group ID 0
  rather than relying on BSD group semantics (which may not be the default).
  * A new exec_background sudoers option can be used to initially run the 
  command without read access to the terminal when running a command in a 
  pseudo-tty. 
  * Sudo now produces better error messages when there is an error in the sudo.conf file.
  * Two new settings have been added to sudo.conf to give the admin better control of 
  how group database queries are performed.
  * There is now a standalone sudo.conf manual page.
  * New support for specifying a SHA-2 digest along with the command in sudoers.
  Supported hash types are sha224, sha256, sha384 and sha512. See the description
  of Digest_Spec in the sudoers manual or the description of sudoCommand in the
  sudoers.ldap manual for details.
  * Fixed potential false positives in visudo's alias cycle detection.
  * Sudo now only builds Position Independent Executables (PIE) by default on Linux
  systems and verifies that a trivial test program builds and runs.

OBS-URL: https://build.opensuse.org/request/show/181790
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=56
This commit is contained in:
Stephan Kulow 2013-07-03 08:27:44 +00:00 committed by Git OBS Bridge
commit 96be893e29
4 changed files with 121 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
sudo-sudoers.patch Normal file
View File

@ -0,0 +1,80 @@
Index: sudo-1.8.0/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
+++ sudo-1.8.0/plugins/sudoers/sudoers.in
@@ -31,37 +31,36 @@
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
## (the '#' here does not indicate a comment)
#includedir @sysconfdir@/sudoers.d

27
sudo.changes
View File

@ -1,8 +1,33 @@
-------------------------------------------------------------------
Tue Jul 2 16:30:19 UTC 2013 - dmueller@suse.com
- restore accidentally dropped suse-specific patches
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com
- Update to upstream release 1.8.7 - Update to upstream release 1.8.7
* especially all local patches are obsoleted by upstream fixes * remove CVE-2013-1775
* remove CVE-2013-1776
* The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
* User messages are now always displayed in the user's locale, even when the
same message is being logged or mailed in a different locale.
* Log files created by sudo now explicitly have the group set to group ID 0
rather than relying on BSD group semantics (which may not be the default).
* A new exec_background sudoers option can be used to initially run the
command without read access to the terminal when running a command in a
pseudo-tty.
* Sudo now produces better error messages when there is an error in the sudo.conf file.
* Two new settings have been added to sudo.conf to give the admin better control of
how group database queries are performed.
* There is now a standalone sudo.conf manual page.
* New support for specifying a SHA-2 digest along with the command in sudoers.
Supported hash types are sha224, sha256, sha384 and sha512. See the description
of Digest_Spec in the sudoers manual or the description of sudoCommand in the
sudoers.ldap manual for details.
* Fixed potential false positives in visudo's alias cycle detection.
* Sudo now only builds Position Independent Executables (PIE) by default on Linux
systems and verifies that a trivial test program builds and runs.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com

5
sudo.spec
View File

@ -26,6 +26,9 @@ Url: http://www.sudo.ws/
Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
Source1: sudo.pamd Source1: sudo.pamd
Source2: README.SUSE Source2: README.SUSE
Patch0: sudoers2ldif-env.patch
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch1: sudo-sudoers.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: groff BuildRequires: groff
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
@ -53,6 +56,8 @@ These header files are needed for building of sudo plugins.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1
%build %build
%ifarch s390 s390x %sparc %ifarch s390 s390x %sparc

10
sudoers2ldif-env.patch Normal file
View File

@ -0,0 +1,10 @@
Index: sudo-1.8.7/plugins/sudoers/sudoers2ldif
===================================================================
--- sudo-1.8.7.orig/plugins/sudoers/sudoers2ldif
+++ sudo-1.8.7/plugins/sudoers/sudoers2ldif
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
#
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
#