Accepting request 404258 from Base:System

1 OBS-URL: https://build.opensuse.org/request/show/404258 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=80
2016-07-01 07:53:48 +00:00 · 2016-07-01 07:53:48 +00:00 · 9d449a4aed
commit 9d449a4aed
parent 7c7881b119 f28eb4234b
7 changed files with 61 additions and 106 deletions
--- a/sudo-1.8.16-pam_groups.patch
+++ b/sudo-1.8.16-pam_groups.patch
@ -1,100 +0,0 @@
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@courtesan.com>
-# Date 1461862918 21600
-# Node ID 814cda6025419e40b417f7d797757e11259feef2
-# Parent  ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
-Do group setup in policy_init_session() before calling out to the
-plugin.  This makes it possible for the pam_group module to change
-the group in pam_setcred().  It's a bit bogus since pam_setcred()
-is documented as not changing the group or user ID, but pam_group
-is shipped with stock Linux-PAM so we need to support it.
-
-diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
--- a/src/sudo.c	Tue Apr 26 14:39:42 2016 -0600
-+++ b/src/sudo.c	Thu Apr 28 11:01:58 2016 -0600
-@@ -939,7 +939,8 @@
- }
- 
- /*
- * Setup the execution environment immediately prior to the call to execve()
-+ * Setup the execution environment immediately prior to the call to execve().
-+ * Group setup is performed by policy_init_session(), called earlier.
-  * Returns true on success and false on failure.
-  */
- bool
-@@ -1018,30 +1019,6 @@
- #endif /* HAVE_LOGIN_CAP_H */
-     }
- 
-    /*
-     * Set groups, including supplementary group vector.
-     */
-    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-	if (details->ngroups >= 0) {
-	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-		sudo_warn(U_("unable to set supplementary group IDs"));
-		goto done;
-	    }
-	}
-    }
-#ifdef HAVE_SETEUID
-    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-	sudo_warn(U_("unable to set effective gid to runas gid %u"),
-	    (unsigned int)details->egid);
-	goto done;
-    }
-#endif
-    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-	sudo_warn(U_("unable to set gid to runas gid %u"),
-	    (unsigned int)details->gid);
-	goto done;
-    }
-
-     if (ISSET(details->flags, CD_SET_PRIORITY)) {
- 	if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
- 	    sudo_warn(U_("unable to set process priority"));
-@@ -1365,6 +1342,35 @@
-     int rval = true;
-     debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
- 
-+    /*
-+     * We set groups, including supplementary group vector,
-+     * as part of the session setup.  This allows for dynamic
-+     * groups to be set via pam_group(8) in pam_setcred(3).
-+     */
-+    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-+	if (details->ngroups >= 0) {
-+	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-+		sudo_warn(U_("unable to set supplementary group IDs"));
-+		rval = -1;
-+		goto done;
-+	    }
-+	}
-+    }
-+#ifdef HAVE_SETEUID
-+    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-+	sudo_warn(U_("unable to set effective gid to runas gid %u"),
-+	    (unsigned int)details->egid);
-+	rval = -1;
-+	goto done;
-+    }
-+#endif
-+    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-+	sudo_warn(U_("unable to set gid to runas gid %u"),
-+	    (unsigned int)details->gid);
-+	rval = -1;
-+	goto done;
-+    }
-+
-     if (policy_plugin.u.policy->init_session) {
- 	/*
- 	 * Backwards compatibility for older API versions
-@@ -1381,6 +1387,7 @@
- 	}
- 	sudo_debug_set_active_instance(sudo_debug_instance);
-     }
-+done:
-     debug_return_int(rval);
- }
- 
-
--- a/sudo-1.8.16.tar.gz
+++ b/sudo-1.8.16.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2d83826fc5125bf073acc203dbda1cf2abeee017090ccc9dddb0431a53d5064d
-size 2707358
--- a/sudo-1.8.16.tar.gz.sig
+++ b/sudo-1.8.16.tar.gz.sig
--- a/sudo-1.8.17p1.tar.gz
+++ b/sudo-1.8.17p1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c690d707fb561b3ecdf6a6de5563bc0b769388eff201c851edbace408bb155cc
+size 2786618
--- a/sudo-1.8.17p1.tar.gz.sig
+++ b/sudo-1.8.17p1.tar.gz.sig
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Wed Jun 22 21:02:46 UTC 2016 - michael@stroeder.com
+
+- update to 1.8.17p1:
+  * Fixed a bug introduced in 1.8.17 where the user's groups were
+    not set on systems that don't use PAM.  Bug #749.
+
+-------------------------------------------------------------------
+Sun Jun 19 14:01:44 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patch sudo-1.8.16-pam_groups.patch
+- update to 1.8.17:
+ * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
+   but pam_start(3) fails, fall back to AIX authentication.
+   Bug #740.
+ * Sudo now takes all sudoers sources into account when determining
+   whether or not "sudo -l" or "sudo -b" should prompt for a password.
+   In other words, if both file and ldap sudoers sources are in
+   specified in /etc/nsswitch.conf, "sudo -v" will now require that
+   all entries in both sources be have NOPASSWD (file) or !authenticate
+   (ldap) in the entries.
+ * Sudo now ignores SIGPIPE until the command is executed.  Previously,
+   SIGPIPE was only ignored in a few select places.  Bug #739.
+ * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
+   file entries were missing the newline when loglinelen is set to
+   a non-positive number.  Bug #742.
+ * Unix groups are now set before the plugin session intialization
+   code is run.  This makes it possible to use dynamic groups with
+   the Linux-PAM pam_group module.
+ * Fixed a bug where a debugging statement could dereference a NULL
+   pointer when looking up a group that doesn't exist.  Bug #743.
+ * Sudo has been run through the Coverity code scanner.  A number of
+   minor bugs have been fixed as a result.  None were security issues.
+ * SELinux support, which was broken in 1.8.16, has been repaired.
+ * Fixed a bug when logging I/O where all output buffers might not
+   get flushed at exit.
+ * Forward slashes are no longer escaped in the JSON output of
+   "visudo -x".  This was never required by the standard and not
+   escaping them improves readability of the output.
+ * Sudo no longer treats PAM_SESSION_ERR as a fatal error when
+   opening the PAM session.  Other errors from pam_open_session()
+   are still treated as fatal.  This avoids the "policy plugin
+   failed session initialization" error message seen on some systems.
+ * Korean translation for sudo and sudoers from translationproject.org.
+ * Fixed a bug on AIX where the stack size hard resource limit was
+   being set to 2GB instead of 4GB on 64-bit systems.
+ * The SSSD backend now properly supports "sudo -U otheruser -l".
+ * The SSSD backend now uses the value of "ipa_hostname"
+   from sssd.conf, if specified, when matching the host name.
+ * Fixed a hang on some systems when the command is being run in
+   a pty and it failed to execute.
+ * When performing a wildcard match in sudoers, check for an exact
+   string match if the user command was fully-qualified (or resolved
+   via the PATH).  This fixes an issue executing scripts on Linux
+   when there are multiple wildcard matches with the same base name.
+   Bug #746.
+
 -------------------------------------------------------------------
 Mon May 23 08:22:12 UTC 2016 - egeorget@openmailbox.org

--- a/sudo.spec
+++ b/sudo.spec
@ -17,7 +17,7 @@


 Name:           sudo
-Version:        1.8.16
+Version:        1.8.17p1
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -33,7 +33,6 @@ Source6:        %{name}.keyring
 Patch0:         sudoers2ldif-env.patch
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch1:         sudo-sudoers.patch
-Patch2:         sudo-1.8.16-pam_groups.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@ -75,7 +74,6 @@ Tests for fate#313276
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1

 %build
 %ifarch s390 s390x %sparc