Accepting request 1128361 from Base:System
- Update to 1.9.15p2:
  * Fixed a bug on BSD systems where sudo would not restore the terminal
    settings on exit if the terminal had parity enabled. GitHub issue #326.
- Update to 1.9.15p1:
  * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
    from being able to read the ldap.conf file. GitHub issue #325.
- Update to 1.9.15:
  * Fixed an undefined symbol problem on older versions of macOS when
    "intercept" or "log_subcmds" are enabled in sudoers. GitHub issue #276.
  * Fixed "make check" failure related to getpwent(3) wrapping on NetBSD.
  * Fixed the warning message for "sudo -l command" when the command is not
    permitted. There was a missing space between "list" and the actual
    command due to changes in sudo 1.9.14.
  * Fixed a bug where output could go to the wrong terminal if "use_pty" is
    enabled (the default) and the standard input, output or error is
    redirected to a different terminal. Bug #1056.
  * The visudo utility will no longer create an empty file when the specified
    sudoers file does not exist and the user exits the editor without making
    any changes. GitHub issue #294.
  * The AIX and Solaris sudo packages on www.sudo.ws now support "log_subcmds"
    and "intercept" with both 32-bit and 64-bit binaries. Previously, they
    only worked when running binaries with the same word size as the sudo
    binary. GitHub issue #289.
  * The sudoers source is now logged in the JSON event log. This makes it
    possible to tell which rule resulted in a match.
  * Running "sudo -ll command" now produces verbose output that

OBS-URL: https://build.opensuse.org/request/show/1128361
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=149
commit fec9486da2
50-wheel-auth-self.conf (new file, 2 lines)
@ -0,0 +1,2 @@
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL
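Review bot: the `(root)` in `%wheel ALL = (root) ALL` does not actually confine wheel members to root while the vendor sudoers still carries `ALL ALL=(ALL) ALL` (kept by sudo-sudoers.patch in this same request). A wheel member running `sudo -u someuser cmd` is not matched by this rule, but is matched by the catch-all, and since `Defaults:%wheel !targetpw` switches off the root-password requirement for that user, the command runs after the member's own password. If `(root)` is meant as a restriction, the catch-all has to be disabled for wheel as well; if not, the file should say so. Either way, add a header comment stating that the `!targetpw` override only works because this drop-in is parsed after the global `Defaults targetpw`, which the spec guarantees by appending the `@includedir` at the end of the vendor file.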
51-wheel.rules (new file, 1 line)
@ -0,0 +1 @@
polkit._suse_admin_groups.push("wheel");
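Review bot: `polkit._suse_admin_groups.push("wheel")` assumes a lower-numbered rules file has already defined `polkit._suse_admin_groups`, and nothing in this package declares that dependency (policy-wheel-auth-self only requires `%{name}` and `group(wheel)`). If the array is absent the statement throws when polkitd loads the file and wheel silently gets no polkit admin rights. Add a Requires on the package that provides the array, or at least guard the line with `if (polkit._suse_admin_groups)` so the failure mode is explicit rather than a load-time error.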
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62
size 5232320
Binary file not shown.
sudo-1.9.15p2.tar.gz (new file, 3 lines)
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:199c0cdbfa7efcfffa9c88684a8e2fb206a62b70a316507e4a91c89c873bbcc8
size 5303642
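Review bot: the LFS pointer only records the new `oid sha256:` and `size 5303642`, and the accompanying `sudo-1.9.15p2.tar.gz.sig` is a binary the diff cannot show, so nothing in this request demonstrates that the tarball was checked against the upstream sudo signing key. Please state in the request that the signature was verified (or let the source validator do it) before the pointer is accepted.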
sudo-1.9.15p2.tar.gz.sig (new binary file, not shown)
@ -1,8 +1,8 @@
Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in
@@ -32,32 +32,23 @@
--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
@@ -41,32 +41,23 @@
##
## Defaults specification
##
@ -52,25 +52,28 @@ Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
@@ -72,10 +63,16 @@
@@ -81,7 +72,6 @@
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
@@ -95,6 +85,12 @@
## slower by these options and also can clutter up the logs.
# Defaults!PKGMAN !intercept, !log_subcmds

+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+## installed system.
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL
@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL


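Review bot: the rewritten comment drops "When configuring sudo, delete the two following lines:" but keeps both `Defaults targetpw` and `ALL ALL=(ALL) ALL`, so the vendor file no longer tells an administrator how to move away from the root-password model. Editing the file is the wrong advice on %{_distconfdir} builds anyway, where the spec installs it under /usr/etc without `%config(noreplace)`; the comment should instead point at a drop-in in /etc/sudoers.d (a `Defaults !targetpw` plus the intended rules) or at the sudo-policy-wheel-auth-self / sudo-policy-sudo-auth-self packages added in this request.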
sudo.changes (95 lines changed)
@ -1,3 +1,98 @@
-------------------------------------------------------------------
Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

- Update to 1.9.15p2:
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
- Update to 1.9.15p1:
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
- Update to 1.9.15:
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
includes matching rule as well as the path to the sudoers file
the matching rule came from. For LDAP sudoers, the name of the
matching sudoRole is printed instead.
* The embedded copy of zlib has been updated to version 1.3.
* The sudoers plugin has been modified to make it more resilient
to ROWHAMMER attacks on authentication and policy matching.
This addresses CVE-2023-42465.
* The sudoers plugin now constructs the user time stamp file path
name using the user-ID instead of the user name. This avoids a
potential problem with user names that contain a path separator
('/') being interpreted as part of the path name. A similar
issue in sudo-rs has been assigned CVE-2023-42456.
* A path separator ('/') in a user, group or host name is now
replaced with an underbar character ('_') when expanding escapes
in @include and @includedir directives as well as the "iolog_file"
and "iolog_dir" sudoers Default settings.
* The "intercept_verify" sudoers option is now only applied when
the "intercept" option is set in sudoers. Previously, it was
also applied when "log_subcmds" was enabled. Sudo 1.9.14
contained an incorrect fix for this. Bug #1058.
* Changes to terminal settings are now performed atomically, where
possible. If the command is being run in a pseudo-terminal and
the user's terminal is already in raw mode, sudo will not change
the user's terminal settings. This prevents concurrent sudo
processes from restoring the terminal settings to the wrong values.
GitHub issue #312.
* Reverted a change from sudo 1.9.4 that resulted in PAM session
modules being called with the environment of the command to be
run instead of the environment of the invoking user.
GitHub issue #318.
* New Indonesian translation from translationproject.org.
* The sudo_logsrvd server will now raise its open file descriptor
limit to the maximum allowed value when it starts up. Each
connection can require up to nine open file descriptors so the
default soft limit may be too low.
* Better log message when rejecting a command if the "intercept"
option is enabled and the "intercept_allow_setid" option is
disabled. Previously, "command not allowed" would be logged and
the user had no way of knowing what the actual problem was.
* Sudo will now log the invoking user's environment as "submitenv"
in the JSON logs. The command's environment ("runenv") is no
longer logged for commands rejected by the sudoers file or an
approval plugin.

-------------------------------------------------------------------
Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>

- Package/ship empty /etc/sudoers.d directory for admins to
discover where to put their won config.

-------------------------------------------------------------------
Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel <lnussel@suse.com>

- Introduce optional wheel and sudo group policies as separate packages
(bsc#1203978, jsc#PED-260)

-------------------------------------------------------------------
Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

- Install config files into /usr/etc and read from both location:
/etc and /usr/etc (bsc#1205118)

-------------------------------------------------------------------
Tue Sep 12 12:33:05 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

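Review bot: typo in the Nov 21 entry, "discover where to put their won config" should read "their own config". The Nov 22 entry otherwise matches the upstream 1.9.15 NEWS items it cites (CVE-2023-42465 for the sudo rowhammer hardening, CVE-2023-42456 for the sudo-rs path-separator issue), so no further wording change is needed there.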
sudo.spec (107 lines changed)
@ -16,8 +16,16 @@
#


%if %{defined _distconfdir}
%define confdir %{_distconfdir}
%define confmode 0444
%else
%define confdir %{_sysconfdir}
%define confmode 0440
%endif

Name: sudo
Version: 1.9.14p3
Version: 1.9.15p2
Release: 0
Summary: Execute some commands as root
License: ISC
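Review bot: `%define confmode 0444` makes the vendor sudoers world-readable on %{_distconfdir} builds, while the /etc variant keeps 0440. That is consistent with a read-only vendor tree, but it means every local user can read the full policy (who may run what as whom), which the 0440 convention was meant to hide. If that trade-off is accepted, record it in README.SUSE; if not, 0440 works equally well under /usr/etc.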
@ -31,6 +39,9 @@ Source4: sudo-i.pamd
Source5: README.SUSE
Source6: fate_313276_test.sh
Source7: README_313276.test
Source8: 50-wheel-auth-self.conf
Source9: 51-wheel.rules
Source10: system-group-sudo.conf
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
BuildRequires: audit-devel
@ -42,6 +53,7 @@ BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: zlib-devel
Requires(pre): coreutils
Requires(pre): permissions
@ -49,12 +61,17 @@ Recommends: sudo-plugin-python

%description
Sudo is a command that allows users to execute some commands as root.
The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users have
%if %{defined _distconfdir}
Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
(in that order, whichever one it finds first), to determine what users have
%else
The %{_sysconfdir}/sudoers file specifies which users have
%endif
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password for initializing a check period of a
things. Sudo asks for the password to initialize a check period of a
given time N (where N is defined at installation and is set to 5
minutes by default).
minutes by default). Administrators can edit the sudoers file with 'visudo'.

%package plugin-python
Summary: Plugin API for python
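Review bot: the %{_distconfdir} branch of %description says sudo reads "either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers (in that order, whichever one it finds first)", but the same build also appends `@includedir /etc/sudoers.d` to the vendor file. The two mechanisms behave differently: an admin who creates /etc/sudoers replaces the vendor policy wholesale (including `Defaults targetpw` and the catch-all rule), whereas a drop-in in /etc/sudoers.d extends it. Spell that out here or in README.SUSE, since picking the wrong one silently changes who can run what.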
@ -82,10 +99,39 @@ Requires: %{name} = %{version}
%description test
Tests for fate#313276

%package policy-wheel-auth-self
Summary: Users in the wheel group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(wheel)

%description policy-wheel-auth-self
Sudo authentication policy that allows users in the wheel group to
authenticate as root with their own password

%package policy-sudo-auth-self
Summary: Users in the sudo group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(sudo)

%description policy-sudo-auth-self
Sudo authentication policy that allows users in the sudo group to
authenticate as root with their own password

%package -n system-group-sudo
Summary: System group 'sudo'
Group: System/Fhs
%{sysusers_requires}

%description -n system-group-sudo
This package provides the system group 'sudo'.

%prep
%autosetup -p1

%build
%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
%ifarch s390 s390x %{sparc}
F_PIE=-fPIE
%else
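Review bot: the two policy descriptions only mention sudo ("authenticate as root with their own password"), but each package also installs a polkit rule (51-wheel.rules / 51-sudo.rules, see the %files sections below) that adds the group to the polkit admin list, which is a separate and broader grant covering every polkit-gated action. Say so in Summary and %description, so an admin installing sudo-policy-wheel-auth-self knows they are handing out polkit admin as well.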
@ -98,6 +144,11 @@ export LDFLAGS="-pie"
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \
%if %{defined _distconfdir}
--prefix=/usr \
--sysconfdir=%{_distconfdir} \
--enable-adminconf=%{_sysconfdir} \
%endif
--with-pam \
--with-pam-login \
--with-ldap \
@ -147,7 +198,22 @@ install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
rm -f %{buildroot}%{confdir}/sudoers.dist

%if %{defined _distconfdir}
# Move /etc to /usr/etc/
mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d
chmod 644 %{buildroot}%{_distconfdir}/sudoers
echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
%endif

install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules

sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules

install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf

%find_lang %{name}
%find_lang sudoers
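Review bot: the two `sed ... > %{buildroot}...` lines create the sudo-group variants with whatever mode the build umask yields, unlike the `install -D -m 644` used for the wheel originals; generate into a temporary file and `install -D -m 644` it so the mode is deterministic. In the same hunk, `/etc/sudoers.d` in the echo and `/usr/share/polkit-1/rules.d` in the install lines are hardcoded where `%{_sysconfdir}` and `%{_datadir}` are used everywhere else in the spec. Also worth a comment: appending `@includedir /etc/sudoers.d` at the very end of the vendor sudoers is what lets a drop-in's `Defaults:%wheel !targetpw` override the global `Defaults targetpw`, so this line must stay last. Finally, `chmod 644` here disagrees with `%attr(%confmode,root,root)` (0444) in %files; the %attr wins, but use one value.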
@ -172,10 +238,11 @@ done
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done
test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
%endif

%post
chmod 0440 %{_sysconfdir}/sudoers
[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
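Review bot: `[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers` exits non-zero whenever the file is absent, which is the normal case on %{_distconfdir} builds where no /etc/sudoers is packaged. It is not the last command of %post so the scriptlet still succeeds, but append `||:` as the `.rpmsave` lines above already do, so a later reordering cannot turn it into a failed install. On non-distconfdir builds the chmod duplicates `%attr(0440,root,root)` from %files and can go.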
@ -186,6 +253,8 @@ chmod 0440 %{_sysconfdir}/sudoers
%verifyscript
%verify_permissions -e %{_bindir}/sudo

%pre -n system-group-sudo -f sudo.pre

%files -f %{name}.lang
%license LICENSE.md
%doc %{_docdir}/%{name}
@ -203,10 +272,12 @@ chmod 0440 %{_sysconfdir}/sudoers
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man}

%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
%attr(0750,root,root) %dir %{confdir}/sudoers.d
%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf

%if %{defined _distconfdir}
%{_pam_vendordir}/sudo
%{_pam_vendordir}/sudo-i
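Review bot: `%{!?_distconfdir:%config(noreplace)}` drops the config flag on %{_distconfdir} builds, so `%{confdir}/sudoers` is overwritten on every update; that is the point of the vendor/admin split, but README.SUSE should say that edits to /usr/etc/sudoers are lost and that /etc/sudoers or /etc/sudoers.d is the place for local policy. The lines right after it keep `%config(noreplace)` on `%{confdir}/sudo.conf` and `%{confdir}/sudo_logsrvd.conf` even under /usr/etc, which is inconsistent with that split; apply the same conditional to them.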
@ -251,4 +322,20 @@ chmod 0440 %{_sysconfdir}/sudoers
%files test
%{_localstatedir}/lib/tests

%files policy-wheel-auth-self
%{confdir}/sudoers.d/50-wheel-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-wheel.rules

%files policy-sudo-auth-self
%{confdir}/sudoers.d/50-sudo-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-sudo.rules

%files -n system-group-sudo
%defattr(-,root,root)
%{_sysusersdir}/system-group-sudo.conf

%changelog

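Review bot: `%{confdir}/sudoers.d/50-wheel-auth-self` and `%{confdir}/sudoers.d/50-sudo-auth-self` carry no `%attr`, so they keep the 0644 from `install -m 644` (and the umask-dependent mode of the sed output for the sudo variant), while the vendor sudoers itself gets `%attr(%confmode,root,root)`. Add `%attr(%confmode,root,root)` to both so the drop-ins match sudoers (0440 under /etc) and do not depend on the build umask. The enclosing sudoers.d directory is 0750, so the files are not actually world-readable today, but the protection should not rest on the directory alone.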
system-group-sudo.conf (new file, 2 lines)
@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
g sudo -