pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 950728 from home:simotek:branches:Base:System

Browse Source 
- Update to 1.9.9
   * Sudo can now be built with OpenSSL 3.0 without generating
     warnings about deprecated OpenSSL APIs.
   * A digest can now be specified along with the ALL command in
     the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
     this in the sudoers file but did not include corresponding
     changes for the other back-ends.
   * visudo now only warns about an undefined alias or a cycle in
     an alias once for each alias.
   * The sudoRole cn was truncated by a single character in warning
     messages. GitHub issue #115.
   * The cvtsudoers utility has new --group-file and --passwd-file
     options to use a custom passwd or group file when the
     --match-local option is also used.
   * The cvtsudoers utility can now filter or match based on a command.
   * The cvtsudoers utility can now produce output in csv
     (comma-separated value) format. This can be used to help generate
     entitlement reports.
   * Fixed a bug in sudo_logsrvd that could result in the connection
     being dropped for very long command lines.
   * Fixed a bug where sudo_logsrvd would not accept a restore point
     of zero.
   * Fixed a bug in visudo where the value of the editor setting was
     not used if it did not match the user’s EDITOR environment
     variable. This was only a problem if the env_editor setting was
     not enabled. Bug #1000.
   * Sudo now builds with the -fcf-protection compiler option and the
     -z now linker option if supported.
   * The output of sudoreplay -l now more closely matches the
     traditional sudo log format.
   * The sudo_sendlog utility will now use the full contents of the
     log.json file, if present. This makes it possible to send
     sudo-format I/O logs that use the newer log.json format to
     sudo_logsrvd without losing any information.
   * Fixed compilation of the arc4random_buf() replacement on systems
     with arc4random() but no arc4random_buf(). Bug #1008.
   * Sudo now uses its own getentropy() by default on Linux. The GNU
     libc version of getentropy() will fail on older kernels that
     don’t support the getrandom() system call.
   * It is now possible to build sudo with WolfSSL’s OpenSSL
     compatibility layer by using the --enable-wolfssl configure
     option.
   * Fixed a bug related to Daylight Saving Time when parsing
     timestamps in Generalized Time format. This affected the NOTBEFORE
     and NOTAFTER options in sudoers. Bug #1006.
   * Added the -O and -P options to visudo, which can be used to check
     or set the owner and permissions. This can be used in conjunction
     with the -c option to check that the sudoers file ownership and
     permissions are correct. Bug #1007.
   * It is now possible to set resource limits in the sudoers file
     itself. The special values default and “user” refer to the
     default system limit and invoking user limit respectively. The
     core dump size limit is now set to 0 by default unless overridden
     by the sudoers file.
   * The cvtsudoers utility can now merge multiple sudoers sources into
     a single, combined sudoers file. If there are conflicting entries,
     cvtsudoers will attempt to resolve them but manual intervention
     may be required. The merging of sudoers rules is currently fairly
     simplistic but will be improved in a future release.
   * Sudo was parsing but not applying the “deref” and “tls_reqcert”
     ldap.conf settings. This meant the options were effectively ignored
     which broke dereferencing of aliases in LDAP. Bug #1013.
   * Clarified in the sudo man page that the security policy may
     override the user’s PATH environment variable. Bug #1014.
   * When sudo is run in non-interactive mode (with the -n option), it
     will now attempt PAM authentication and only exit with an error if
     user interaction is required. This allows PAM modules that don’t
     interact with the user to succeed. Previously, sudo would not
     attempt authentication if the -n option was specified. Bug #956
     and GitHub issue #83.
   * Fixed a regression introduced in version 1.9.1 when sudo is built
     with the --with-fqdn configure option. The local host name was
     being resolved before the sudoers file was processed, making it
     impossible to disable DNS lookups by negating the fqdn sudoers
     option. Bug #1016.
   * Added support for negated sudoUser attributes in the LDAP and SSSD
     sudoers back ends. A matching sudoUser that is negated will cause
     the sudoRole containing it to be ignored.
   * Fixed a bug where the stack resource limit could be set to a value
     smaller than that of the invoking user and not be reset before the
     command was run. Bug #1016.
- sudo no longer ships schema for LDAP.
- sudo-feature-negated-LDAP-users.patch dropped, included upstream
- refreshed sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/950728
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=207
This commit is contained in:
Kristyna Streitova 2022-02-02 12:27:10 +00:00 committed by Git OBS Bridge
parent bb99464edf
commit c1da9ded70
8 changed files with 109 additions and 354 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sudo-1.9.8p2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9e3b8b8da7def43b6e60c257abe80467205670fd0f7c081de1423c414b680f2d
size 4302256

BIN
sudo-1.9.8p2.tar.gz.sig
View File

Binary file not shown.

3
sudo-1.9.9.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
size 4456969

BIN
sudo-1.9.9.tar.gz.sig Normal file
View File

Binary file not shown.

295
sudo-feature-negated-LDAP-users.patch
View File

@ -1,295 +0,0 @@
From e88087721be391ec851b3cad8a88a5476f03d317 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 18 Jan 2022 11:20:22 -0700
Subject: [PATCH] Add support in the LDAP filter for negated users. Based on a
diff from Simon Lees
---
docs/sudoers.ldap.man.in | 31 ++++------
docs/sudoers.ldap.mdoc.in | 28 ++++-----
plugins/sudoers/ldap.c | 116 ++++++++++++++++++++++++++++----------
3 files changed, 109 insertions(+), 66 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 4b768fdfb..e3c47b9bc 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
- * Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws>
*
* This code is derived from software contributed by Aaron Spangler.
*
@@ -315,18 +315,18 @@ sudo_ldap_get_values_len(LDAP *ld, LDAPMessage *entry, char *attr, int *rc)
/*
* Walk through search results and return true if we have a matching
* non-Unix group (including netgroups), else false.
+ * A matching entry that is negated will always return false.
*/
static int
sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
{
struct berval **bv, **p;
bool ret = false;
- char *val;
int rc;
debug_decl(sudo_ldap_check_non_unix_group, SUDOERS_DEBUG_LDAP);
if (!entry)
- debug_return_bool(ret);
+ debug_return_bool(false);
/* get the values from the entry */
bv = sudo_ldap_get_values_len(ld, entry, "sudoUser", &rc);
@@ -338,18 +338,29 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
/* walk through values */
for (p = bv; *p != NULL && !ret; p++) {
- val = (*p)->bv_val;
+ bool negated = false;
+ char *val = (*p)->bv_val;
+
+ if (*val == '!') {
+ val++;
+ negated = true;
+ }
if (*val == '+') {
if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
ret = true;
- DPRINTF2("ldap sudoUser netgroup '%s' ... %s", val,
- ret ? "MATCH!" : "not");
+ DPRINTF2("ldap sudoUser netgroup '%s%s' ... %s",
+ negated ? "!" : "", val, ret ? "MATCH!" : "not");
} else {
if (group_plugin_query(pw->pw_name, val + 2, pw))
ret = true;
- DPRINTF2("ldap sudoUser non-Unix group '%s' ... %s", val,
- ret ? "MATCH!" : "not");
+ DPRINTF2("ldap sudoUser non-Unix group '%s%s' ... %s",
+ negated ? "!" : "", val, ret ? "MATCH!" : "not");
+ }
+ /* A negated match overrides all other entries. */
+ if (ret && negated) {
+ ret = false;
+ break;
}
}
@@ -928,7 +939,8 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
static char *
sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
{
- char *buf, timebuffer[TIMEFILTER_LENGTH + 1], idbuf[MAX_UID_T_LEN + 1];
+ char timebuffer[TIMEFILTER_LENGTH + 1], idbuf[MAX_UID_T_LEN + 1];
+ char *buf, *notbuf;
struct ldap_netgroup_list netgroups;
struct ldap_netgroup *ng = NULL;
struct gid_list *gidlist;
@@ -940,34 +952,45 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
STAILQ_INIT(&netgroups);
- /* If there is a filter, allocate space for the global AND. */
- if (ldap_conf.timed || ldap_conf.search_filter)
+ if (ldap_conf.timed || ldap_conf.search_filter) {
+ /* Allocate space for the global AND. */
sz += 3;
- /* Add LDAP search filter if present. */
- if (ldap_conf.search_filter)
- sz += strlen(ldap_conf.search_filter);
+ /* Add LDAP search filter if present. */
+ if (ldap_conf.search_filter)
+ sz += strlen(ldap_conf.search_filter);
+
+ /* If timed, add space for time limits. */
+ if (ldap_conf.timed)
+ sz += TIMEFILTER_LENGTH;
+ }
+
+ /* Add space for the global OR clause + (sudoUser=ALL) + NOT + NUL. */
+ sz += sizeof("(|(sudoUser=ALL)(!(|)))");
- /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
- sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
+ /* Add space for username and uid, including the negated versions. */
+ sz += ((sizeof("(sudoUser=)(sudoUser=#)") - 1 +
+ sudo_ldap_value_len(pw->pw_name) + MAX_UID_T_LEN) * 2) + 2;
/* Add space for primary and supplementary groups and gids */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
- sz += 12 + sudo_ldap_value_len(grp->gr_name);
+ sz += ((sizeof("(sudoUser=%)") - 1 +
+ sudo_ldap_value_len(grp->gr_name)) * 2) + 1;
}
- sz += 13 + MAX_UID_T_LEN;
+ sz += ((sizeof("(sudoUser=%#)") - 1 + MAX_UID_T_LEN) * 2) + 1;
if ((grlist = sudo_get_grlist(pw)) != NULL) {
for (i = 0; i < grlist->ngroups; i++) {
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
continue;
- sz += 12 + sudo_ldap_value_len(grlist->groups[i]);
+ sz += ((sizeof("(sudoUser=%)") - 1 +
+ sudo_ldap_value_len(grlist->groups[i])) * 2) + 1;
}
}
if ((gidlist = sudo_get_gidlist(pw, ENTRY_TYPE_ANY)) != NULL) {
for (i = 0; i < gidlist->ngids; i++) {
if (pw->pw_gid == gidlist->gids[i])
continue;
- sz += 13 + MAX_UID_T_LEN;
+ sz += ((sizeof("(sudoUser=%#)") - 1 + MAX_UID_T_LEN) * 2) + 1;
}
}
@@ -976,7 +999,7 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
DPRINTF1("Looking up netgroups for %s", pw->pw_name);
if (sudo_netgroup_lookup(ld, pw, &netgroups)) {
STAILQ_FOREACH(ng, &netgroups, entries) {
- sz += 14 + strlen(ng->name);
+ sz += ((sizeof("(sudoUser=+)") - 1 + strlen(ng->name)) * 2) + 1;
}
} else {
/* sudo_netgroup_lookup() failed, clean up. */
@@ -988,12 +1011,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
}
}
- /* If timed, add space for time limits. */
- if (ldap_conf.timed)
- sz += TIMEFILTER_LENGTH;
- if ((buf = malloc(sz)) == NULL)
+ buf = malloc(sz);
+ notbuf = malloc(sz);
+ if (buf == NULL || notbuf == NULL)
goto bad;
*buf = '\0';
+ *notbuf = '\0';
/*
* If timed or using a search filter, start a global AND clause to
@@ -1009,23 +1032,35 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
CHECK_STRLCAT(buf, "(|(sudoUser=", sz);
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!", sz);
+ CHECK_LDAP_VCAT(notbuf, pw->pw_name, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
/* Append user-ID */
(void) snprintf(idbuf, sizeof(idbuf), "%u", (unsigned int)pw->pw_uid);
CHECK_STRLCAT(buf, "(sudoUser=#", sz);
CHECK_STRLCAT(buf, idbuf, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!#", sz);
+ CHECK_STRLCAT(notbuf, idbuf, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
/* Append primary group and group-ID */
if (grp != NULL) {
CHECK_STRLCAT(buf, "(sudoUser=%", sz);
CHECK_LDAP_VCAT(buf, grp->gr_name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!%", sz);
+ CHECK_LDAP_VCAT(notbuf, grp->gr_name, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
}
(void) snprintf(idbuf, sizeof(idbuf), "%u", (unsigned int)pw->pw_gid);
CHECK_STRLCAT(buf, "(sudoUser=%#", sz);
CHECK_STRLCAT(buf, idbuf, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!%#", sz);
+ CHECK_STRLCAT(notbuf, idbuf, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
/* Append supplementary groups and group-IDs */
if (grlist != NULL) {
@@ -1035,6 +1070,9 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
CHECK_STRLCAT(buf, "(sudoUser=%", sz);
CHECK_LDAP_VCAT(buf, grlist->groups[i], sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!%", sz);
+ CHECK_LDAP_VCAT(notbuf, grlist->groups[i], sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
}
}
if (gidlist != NULL) {
@@ -1046,6 +1084,9 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
CHECK_STRLCAT(buf, "(sudoUser=%#", sz);
CHECK_STRLCAT(buf, idbuf, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!%#", sz);
+ CHECK_STRLCAT(notbuf, idbuf, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
}
}
@@ -1063,12 +1104,20 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
CHECK_STRLCAT(buf, "(sudoUser=+", sz);
CHECK_LDAP_VCAT(buf, ng->name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ CHECK_STRLCAT(notbuf, "(sudoUser=!+", sz);
+ CHECK_LDAP_VCAT(notbuf, ng->name, sz);
+ CHECK_STRLCAT(notbuf, ")", sz);
free(ng->name);
free(ng);
}
- /* Add ALL to list and end the global OR. */
- CHECK_STRLCAT(buf, "(sudoUser=ALL)", sz);
+ /* Add ALL to list. */
+ CHECK_STRLCAT(buf, "(sudoUser=ALL))", sz);
+
+ /* Add filter for negated entries. */
+ CHECK_STRLCAT(buf, "(!(|", sz);
+ CHECK_STRLCAT(buf, notbuf, sz);
+ CHECK_STRLCAT(buf, ")", sz);
/* Add the time restriction, or simply end the global OR. */
if (ldap_conf.timed) {
@@ -1079,8 +1128,10 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
} else if (ldap_conf.search_filter) {
CHECK_STRLCAT(buf, ")", sz); /* closes the global OR */
}
+
CHECK_STRLCAT(buf, ")", sz); /* closes the global OR or the global AND */
+ free(notbuf);
debug_return_str(buf);
overflow:
sudo_warnx(U_("internal error, %s overflow"), __func__);
@@ -1097,6 +1148,7 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
free(ng);
}
free(buf);
+ free(notbuf);
debug_return_str(NULL);
}
@@ -1133,16 +1185,18 @@ sudo_ldap_build_pass2(void)
* those get ANDed in to the expression.
*/
if (query_netgroups && def_group_plugin) {
- len = asprintf(&filt, "%s%s(|(sudoUser=+*)(sudoUser=%%:*))%s%s",
+ len = asprintf(&filt, "%s%s(|(sudoUser=+*)(sudoUser=!+*)(sudoUser=%%:*)(sudoUser=!%%:*))%s%s",
(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
ldap_conf.search_filter ? ldap_conf.search_filter : "",
ldap_conf.timed ? timebuffer : "",
(ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
} else {
- len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
+ len = asprintf(&filt, "%s%s(|(sudoUser=%s*)(sudoUser=!%s*))%s%s",
+ (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
ldap_conf.search_filter ? ldap_conf.search_filter : "",
- query_netgroups ? "+" : "%:",
- ldap_conf.timed ? timebuffer : "");
+ query_netgroups ? "+" : "%:", query_netgroups ? "+" : "%:",
+ ldap_conf.timed ? timebuffer : "",
+ (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
}
if (len == -1)
filt = NULL;

45
sudo-sudoers.patch
View File

@ -1,7 +1,7 @@
Index: sudo-1.8.31/plugins/sudoers/sudoers.in Index: sudo-1.9.9/plugins/sudoers/sudoers.in
=================================================================== ===================================================================
--- sudo-1.8.31.orig/plugins/sudoers/sudoers.in --- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
+++ sudo-1.8.31/plugins/sudoers/sudoers.in +++ sudo-1.9.9/plugins/sudoers/sudoers.in
@@ -32,30 +32,23 @@ @@ -32,30 +32,23 @@
## ##
## Defaults specification ## Defaults specification
@ -67,48 +67,17 @@ Index: sudo-1.8.31/plugins/sudoers/sudoers.in
## ##
## Runas alias specification ## Runas alias specification
## ##
@@ -84,13 +84,5 @@ @@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password ## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command -## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL -# %sudo ALL=(ALL:ALL) ALL
- -
-## Uncomment to allow any user to run sudo if they know the password -## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default). -## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user -# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
- -
## Read drop-in files from @sysconfdir@/sudoers.d ## Read drop-in files from @sysconfdir@/sudoers.d
@includedir @sysconfdir@/sudoers.d @includedir @sysconfdir@/sudoers.d
Index: sudo-1.8.31/doc/sudoers.mdoc.in
===================================================================
--- sudo-1.8.31.orig/doc/sudoers.mdoc.in
+++ sudo-1.8.31/doc/sudoers.mdoc.in
@@ -1985,7 +1985,7 @@ is present in the
.Em env_keep
list, both of which are strongly discouraged.
This flag is
-.Em off
+.Em on
by default.
.It authenticate
If set, users must authenticate themselves via a password (or other
@@ -2376,7 +2376,7 @@ If set,
.Nm sudo
will insult users when they enter an incorrect password.
This flag is
-.Em @insults@
+.Em off
by default.
.It log_allowed
If set,
@@ -3009,7 +3009,7 @@ database as an argument to the
.Fl u
option.
This flag is
-.Em off
+.Em on
by default.
.It tty_tickets
If set, users must authenticate on a per-tty basis.

88
sudo.changes
View File

@ -1,3 +1,91 @@
-------------------------------------------------------------------
Tue Feb 1 02:27:04 UTC 2022 - Simon Lees <simonf.lees@suse.com>
- Update to 1.9.9
* Sudo can now be built with OpenSSL 3.0 without generating
warnings about deprecated OpenSSL APIs.
* A digest can now be specified along with the ALL command in
the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
this in the sudoers file but did not include corresponding
changes for the other back-ends.
* visudo now only warns about an undefined alias or a cycle in
an alias once for each alias.
* The sudoRole cn was truncated by a single character in warning
messages. GitHub issue #115.
* The cvtsudoers utility has new --group-file and --passwd-file
options to use a custom passwd or group file when the
--match-local option is also used.
* The cvtsudoers utility can now filter or match based on a command.
* The cvtsudoers utility can now produce output in csv
(comma-separated value) format. This can be used to help generate
entitlement reports.
* Fixed a bug in sudo_logsrvd that could result in the connection
being dropped for very long command lines.
* Fixed a bug where sudo_logsrvd would not accept a restore point
of zero.
* Fixed a bug in visudo where the value of the editor setting was
not used if it did not match the users EDITOR environment
variable. This was only a problem if the env_editor setting was
not enabled. Bug #1000.
* Sudo now builds with the -fcf-protection compiler option and the
-z now linker option if supported.
* The output of sudoreplay -l now more closely matches the
traditional sudo log format.
* The sudo_sendlog utility will now use the full contents of the
log.json file, if present. This makes it possible to send
sudo-format I/O logs that use the newer log.json format to
sudo_logsrvd without losing any information.
* Fixed compilation of the arc4random_buf() replacement on systems
with arc4random() but no arc4random_buf(). Bug #1008.
* Sudo now uses its own getentropy() by default on Linux. The GNU
libc version of getentropy() will fail on older kernels that
dont support the getrandom() system call.
* It is now possible to build sudo with WolfSSLs OpenSSL
compatibility layer by using the --enable-wolfssl configure
option.
* Fixed a bug related to Daylight Saving Time when parsing
timestamps in Generalized Time format. This affected the NOTBEFORE
and NOTAFTER options in sudoers. Bug #1006.
* Added the -O and -P options to visudo, which can be used to check
or set the owner and permissions. This can be used in conjunction
with the -c option to check that the sudoers file ownership and
permissions are correct. Bug #1007.
* It is now possible to set resource limits in the sudoers file
itself. The special values default and “user” refer to the
default system limit and invoking user limit respectively. The
core dump size limit is now set to 0 by default unless overridden
by the sudoers file.
* The cvtsudoers utility can now merge multiple sudoers sources into
a single, combined sudoers file. If there are conflicting entries,
cvtsudoers will attempt to resolve them but manual intervention
may be required. The merging of sudoers rules is currently fairly
simplistic but will be improved in a future release.
* Sudo was parsing but not applying the “deref” and “tls_reqcert”
ldap.conf settings. This meant the options were effectively ignored
which broke dereferencing of aliases in LDAP. Bug #1013.
* Clarified in the sudo man page that the security policy may
override the users PATH environment variable. Bug #1014.
* When sudo is run in non-interactive mode (with the -n option), it
will now attempt PAM authentication and only exit with an error if
user interaction is required. This allows PAM modules that dont
interact with the user to succeed. Previously, sudo would not
attempt authentication if the -n option was specified. Bug #956
and GitHub issue #83.
* Fixed a regression introduced in version 1.9.1 when sudo is built
with the --with-fqdn configure option. The local host name was
being resolved before the sudoers file was processed, making it
impossible to disable DNS lookups by negating the fqdn sudoers
option. Bug #1016.
* Added support for negated sudoUser attributes in the LDAP and SSSD
sudoers back ends. A matching sudoUser that is negated will cause
the sudoRole containing it to be ignored.
* Fixed a bug where the stack resource limit could be set to a value
smaller than that of the invoking user and not be reset before the
command was run. Bug #1016.
- sudo no longer ships schema for LDAP.
- sudo-feature-negated-LDAP-users.patch dropped, included upstream
- refreshed sudo-sudoers.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jan 27 03:00:26 UTC 2022 - Simon Lees <sflees@suse.de> Thu Jan 27 03:00:26 UTC 2022 - Simon Lees <sflees@suse.de>

23
sudo.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package sudo # spec file for package sudo
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
%define use_usretc 1 %define use_usretc 1
%endif %endif
Name: sudo Name: sudo
Version: 1.9.8p2 Version: 1.9.9
Release: 0 Release: 0
Summary: Execute some commands as root Summary: Execute some commands as root
License: ISC License: ISC
@ -38,8 +38,6 @@ Source6: fate_313276_test.sh
Source7: README_313276.test Source7: README_313276.test
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch Patch0: sudo-sudoers.patch
# PATCH-Upstream fixes jira SLE-20068 - sflees@suse.de
Patch1: sudo-feature-negated-LDAP-users.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel BuildRequires: cyrus-sasl-devel
BuildRequires: groff BuildRequires: groff
@ -90,8 +88,7 @@ Requires: %{name} = %{version}
Tests for fate#313276 Tests for fate#313276
%prep %prep
%setup -q %autosetup -p1
%patch0 -p1
%build %build
%ifarch s390 s390x %{sparc} %ifarch s390 s390x %{sparc}
@ -142,7 +139,6 @@ install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/sudo-i
rm -f %{buildroot}%{_bindir}/sudoedit rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema
install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/ install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
@ -156,9 +152,10 @@ cat sudoers.lang >> %{name}.lang
install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -d %{buildroot}%{_docdir}/%{name}-test
install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE %{buildroot}%{_docdir}/%{name}-test/LICENSE install -d %{buildroot}%{_licensedir}/%{name}
rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md
rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
%if %{defined use_usretc} %if %{defined use_usretc}
%pre %pre
@ -187,7 +184,7 @@ chmod 0440 %{_sysconfdir}/sudoers
%verify_permissions -e %{_bindir}/sudo %verify_permissions -e %{_bindir}/sudo
%files -f %{name}.lang %files -f %{name}.lang
%license doc/LICENSE %license doc/LICENSE.md
%doc %{_docdir}/%{name} %doc %{_docdir}/%{name}
%{_mandir}/man1/cvtsudoers.1%{?ext_man} %{_mandir}/man1/cvtsudoers.1%{?ext_man}
%{_mandir}/man5/sudoers.5%{?ext_man} %{_mandir}/man5/sudoers.5%{?ext_man}
@ -215,9 +212,6 @@ chmod 0440 %{_sysconfdir}/sudoers
%config(noreplace) %{_sysconfdir}/pam.d/sudo-i %config(noreplace) %{_sysconfdir}/pam.d/sudo-i
%endif %endif
%attr(4755,root,root) %{_bindir}/sudo %attr(4755,root,root) %{_bindir}/sudo
%dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/schema
%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
%{_bindir}/sudoedit %{_bindir}/sudoedit
%{_bindir}/sudoreplay %{_bindir}/sudoreplay
%{_bindir}/cvtsudoers %{_bindir}/cvtsudoers
@ -254,6 +248,5 @@ chmod 0440 %{_sysconfdir}/sudoers
%files test %files test
%{_localstatedir}/lib/tests %{_localstatedir}/lib/tests
%{_docdir}/%{name}-test/
%changelog %changelog