Commit Graph

231 Commits

Author SHA256 Message Date
Dominique Leuenberger
8175b656b8 Accepting request 912793 from Base:System
OBS-URL: https://build.opensuse.org/request/show/912793
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=125
2021-08-23 08:07:39 +00:00
Jason Sikes
6c83a9a46c Accepting request 909383 from home:czanik:branches:Base:System
- update to 1.9.7p2 
- enabled openssl support for secure central session
  recording collection (without it's clear text)
- fixed SLES12 build
 * When formatting JSON output, octal numbers are now stored as
   strings, not numbers.  The JSON spec does not actually support
   octal numbers with a '0' prefix.
 * Fixed a compilation issue on Solaris 9.
 * Sudo now can handle the getgroups() function returning a different
   number of groups for subsequent invocations.  GitHub PR #106.
 * When loading a Python plugin, python_plugin.so now verifies
   that the module loaded matches the one we tried to load.  This
   allows sudo to display a more useful error message when trying
   to load a plugin with a name that conflicts with a Python module
   installed in the system location.
 * Sudo no longer sets the the open files resource limit to "unlimited"
   while it runs.  This avoids a problem where sudo's closefrom()
   emulation would need to close a very large number of descriptors
   on systems without a way to determine which ones are actually open.
 * Sudo now includes a configure check for va_copy or __va_copy and
   only defines its own version if the configure test fails.
 * Fixed a bug in sudo's utmp file handling which prevented old
   entries from being reused.  As a result, the utmp (or utmpx)
   file was appended to unnecessarily.  GitHub PR #108.
 * Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd
   from accepting TLS connections when OpenSSL is used.  Bug #988.
 * Fixed an SELinux sudoedit bug when the edited temporary file
   could not be opened.  The sesh helper would still be run even
   when there are no temporary files available to install.
 * Fixed a compilation problem on FreeBSD.
 * The sudo_noexec.so file is now built as a module on all systems
   other than macOS.  This makes it possible to use other libtool
   implementations such as slibtool.  On macOS shared libraries and
   modules are not interchangeable and the version of libtool shipped
   with sudo must be used.
 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
   reading from the local group file.
 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
   connection retries from occurring in "store_first" mode.
 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
   due to a crash when the group source is set to "compat" in
   /etc/nsswitch.conf.  This is probably due to a mismatch between
   include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
   HP-UX we now just cycle through groups the slow way using
   getgrent().  Bug #978.

OBS-URL: https://build.opensuse.org/request/show/909383
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=201
2021-08-17 23:42:04 +00:00
Dominique Leuenberger
d4c5802060 Accepting request 908922 from Base:System
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/908922
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=124
2021-08-02 10:04:50 +00:00
3a3c58c1c7 Accepting request 905883 from home:ykurlaev:branches:Base:System
Fix LC_TIME incorrectly named LC_ATIME

OBS-URL: https://build.opensuse.org/request/show/905883
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=200
2021-07-28 14:44:04 +00:00
Dominique Leuenberger
fa6184d78b Accepting request 892573 from Base:System
- update to 1.9.7
  * The "fuzz" Makefile target now runs all the fuzzers for 8192
    passes (can be overridden via the FUZZ_RUNS variable).  This makes
    it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
    set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
  * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
    error by default when a symbol is multiply-defined.
  * Added support for determining local IPv6 addresses on systems
    that lack the getifaddrs() function.  This now works on AIX,
    HP-UX and Solaris (at least).  Bug #969.
  * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
    report a usage error.  Also, when invoked as sudoedit, sudo now
    allows a more restricted set of options that matches the usage
    statement and documentation.  GitHub issue #95.
  * Fixed a crash in sudo_sendlog when the specified certificate
    or key does not exist or is invalid.  Bug #970
  * Fixed a compilation error when sudo is configured with the
    --disable-log-client option.
  * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
    is now documented.  Bug #971.
  * Sudo now requires autoconf 2.70 or higher to regenerate the
    configure script.  Bug #972.
  * sudo_logsrvd now has a relay mode which can be used to create
    a hierarchy of log servers.  By default, when a relay server is
    defined, messages from the client are forwarded immediately to
    the relay.  However, if the "store_first" setting is enabled,
    the log will be stored locally until the command completes and
    then relayed.  Bug #965.
  * Sudo now links with OpenSSL by default if it is available unless
    the --disable-openssl configure option is used or both the

OBS-URL: https://build.opensuse.org/request/show/892573
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=123
2021-05-15 21:15:47 +00:00
dcdcdf182d Accepting request 892541 from home:kstreitova:branches:Base:System
- update to 1.9.7
  * The "fuzz" Makefile target now runs all the fuzzers for 8192
    passes (can be overridden via the FUZZ_RUNS variable).  This makes
    it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
    set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
  * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
    error by default when a symbol is multiply-defined.
  * Added support for determining local IPv6 addresses on systems
    that lack the getifaddrs() function.  This now works on AIX,
    HP-UX and Solaris (at least).  Bug #969.
  * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
    report a usage error.  Also, when invoked as sudoedit, sudo now
    allows a more restricted set of options that matches the usage
    statement and documentation.  GitHub issue #95.
  * Fixed a crash in sudo_sendlog when the specified certificate
    or key does not exist or is invalid.  Bug #970
  * Fixed a compilation error when sudo is configured with the
    --disable-log-client option.
  * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
    is now documented.  Bug #971.
  * Sudo now requires autoconf 2.70 or higher to regenerate the
    configure script.  Bug #972.
  * sudo_logsrvd now has a relay mode which can be used to create
    a hierarchy of log servers.  By default, when a relay server is
    defined, messages from the client are forwarded immediately to
    the relay.  However, if the "store_first" setting is enabled,
    the log will be stored locally until the command completes and
    then relayed.  Bug #965.
  * Sudo now links with OpenSSL by default if it is available unless
    the --disable-openssl configure option is used or both the

OBS-URL: https://build.opensuse.org/request/show/892541
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=198
2021-05-12 15:43:09 +00:00
Dominique Leuenberger
a4d639a899 Accepting request 886601 from Base:System
OBS-URL: https://build.opensuse.org/request/show/886601
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=122
2021-04-22 16:03:36 +00:00
a2c551b38d Accepting request 886334 from home:dirkmueller:Factory
- update to 1.9.6p1
 * Fixed a regression introduced in sudo 1.9.6 that resulted in an
   error message instead of a usage message when sudo is run with
   no arguments.
 * Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
 * Fixed a regression introduced in sudo 1.9.4 where the
   --disable-root-mailer configure option had no effect.
 * Added a --disable-leaks configure option that avoids some
   memory leaks on exit that would otherwise occur.  This is intended
   to be used with development tools that measure memory leaks.  It
   is not safe to use in production at this time.
 * Plugged some memory leaks identified by oss-fuzz and ASAN.
 * Fixed the handling of sudoOptions for an LDAP sudoRole that
   contains multiple sudoCommands.  Previously, some of the options
   would only be applied to the first sudoCommand.
 * Fixed a potential out of bounds read in the parsing of NOTBEFORE
   and NOTAFTER sudoers command options (and their LDAP equivalents).
 * The parser used for reading I/O log JSON files is now more
   resilient when processing invalid JSON.
 * Fixed typos that prevented "make uninstall" from working.
 * Fixed a regression introduced in sudo 1.9.4 where the last line
   in a sudoers file might not have a terminating NUL character
   added if no newline was present.
 * Integrated oss-fuzz and LLVM's libFuzzer with sudo.  The new
   --enable-fuzzer configure option can be combined with the
   --enable-sanitizer option to build sudo with fuzzing support.
   Multiple fuzz targets are available for fuzzing different parts
   of sudo.  Fuzzers are built and tested via "make fuzz" or as part
   of "make check" (even when sudo is not built with fuzzing support).
   Fuzzing support currently requires the LLVM clang compiler (not gcc).

OBS-URL: https://build.opensuse.org/request/show/886334
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=196
2021-04-19 08:23:29 +00:00
Dominique Leuenberger
afef573fda Accepting request 867171 from Base:System
OBS-URL: https://build.opensuse.org/request/show/867171
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=121
2021-01-27 17:57:02 +00:00
f367b20479 Accepting request 867170 from home:simotek:branches:Base:System
Add some bugzilla references used in SLE and Leap to make some bots happy

OBS-URL: https://build.opensuse.org/request/show/867170
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=194
2021-01-27 12:10:14 +00:00
706ef1b183 Accepting request 867021 from home:simotek:branches:Base:System
- Update to 1.9.5.p2
    * When invoked as sudoedit, the same set of command line
      options are now accepted as for sudo -e. The -H and -P
      options are now rejected for sudoedit and sudo -e which
      matches the sudo 1.7 behavior. This is part of the fix for
      CVE-2021-3156.
    * Fixed a potential buffer overflow when unescaping backslashes
      in the command's arguments. Normally, sudo escapes special
      characters when running a command via a shell (sudo -s or
      sudo -i). However, it was also possible to run sudoedit with
      the -s or -i flags in which case no escaping had actually
      been done, making a buffer overflow possible.
      This fixes CVE-2021-3156. (bsc#1181090)
    * Fixed sudo's setprogname(3) emulation on systems that don't
      provide it.
    * Fixed a problem with the sudoers log server client where a
      partial write to the server could result the sudo process
      consuming large amounts of CPU time due to a cycle in the
      buffer queue. Bug #954.
    * Added a missing dependency on libsudo_util in libsudo_eventlog.
      Fixes a link error when building sudo statically.
    * The user's KRB5CCNAME environment variable is now preserved
      when performing PAM authentication. This fixes GSSAPI
      authentication when the user has a non-default ccache.

OBS-URL: https://build.opensuse.org/request/show/867021
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=193
2021-01-27 06:57:42 +00:00
Dominique Leuenberger
5c0ac59b2d Accepting request 863081 from Base:System
OBS-URL: https://build.opensuse.org/request/show/863081
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=120
2021-01-18 10:27:27 +00:00
9eb248bcec Accepting request 863080 from home:kstreitova:branches:Base:System
- Update to 1.9.5.p1
  * Fixed a regression introduced in sudo 1.9.5 where the editor run
    by sudoedit was set-user-ID root unless SELinux RBAC was in use.
    The editor is now run with the user's real and effective user-IDs.
- News in 1.9.5
  * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
    unknown user.  This is related to but distinct from Bug #948.
  * If the "lecture_file" setting is enabled in sudoers, it must now
    refer to a regular file or a symbolic link to a regular file.
  * Fixed a potential use-after-free bug in sudo_logsrvd when the
    server shuts down if there are existing connections from clients
    that are only logging events and not session I/O data.
  * Fixed a buffer size mismatch when serializing the list of IP
    addresses for configured network interfaces.  This bug is not
    actually exploitable since the allocated buffer is large enough
    to hold the list of addresses.
  * If sudo is executed with a name other than "sudo" or "sudoedit",
    it will now fall back to "sudo" as the program name.  This affects
    warning, help and usage messages as well as the matching of Debug
    lines in the /etc/sudo.conf file.  Previously, it was possible
    for the invoking user to manipulate the program name by setting
    argv[0] to an arbitrary value when executing sudo.
  * Sudo now checks for failure when setting the close-on-exec flag
    on open file descriptors.  This should never fail but, if it
    were to, there is the possibility of a file descriptor leak to
    a child process (such as the command sudo runs).
  * Fixed CVE-2021-23239, a potential information leak in sudoedit
    that could be used to test for the existence of directories not
    normally accessible to the user in certain circumstances.  When
    creating a new file, sudoedit checks to make sure the parent

OBS-URL: https://build.opensuse.org/request/show/863080
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=191
2021-01-14 12:56:29 +00:00
Dominique Leuenberger
ecf254c1e7 Accepting request 858237 from Base:System
OBS-URL: https://build.opensuse.org/request/show/858237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=119
2020-12-24 18:37:30 +00:00
67744f343b Accepting request 858236 from home:kstreitova:branches:Base:System
- Update to 1.9.4p2
  * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
    if the sudoers file contains a runas user-specific Defaults entry.
    Bug #951.
- News in 1.9.4p1
  * Fixed a regression introduced in version 1.9.4 where sudo would
    not build when configured using the --without-sendmail option.
    Bug #947.
  * Fixed a problem where if I/O logging was disabled and sudo was
    unable to connect to sudo_logsrvd, the command would still be
    allowed to run even when the "ignore_logfile_errors" sudoers
    option was enabled.
  * Fixed a crash introduced in version 1.9.4 when attempting to run
    a command as a non-existent user.  Bug #948.
  * The installed sudo.conf file now has the default sudoers Plugin
    lines commented out.  This fixes a potential conflict when there
    is both a system-installed version of sudo and a user-installed
    version.  GitHub issue #75.
  * Fixed a regression introduced in sudo 1.9.4 where sudo would run
    the command as a child process even when a pseudo-terminal was
    not in use and the "pam_session" and "pam_setcred" options were
    disabled.  GitHub issue #76.
  * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
    sudoers option could not be set to a value of 3.  Bug #950.

OBS-URL: https://build.opensuse.org/request/show/858236
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=189
2020-12-23 00:37:04 +00:00
Dominique Leuenberger
c51d123007 Accepting request 853290 from Base:System
OBS-URL: https://build.opensuse.org/request/show/853290
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=118
2020-12-08 12:23:44 +00:00
eb1d457912 Accepting request 851947 from home:kstreitova:branches:Base:System
- Update to 1.9.4
  * The sudoers parser will now detect when an upper-case reserved
    word is used when declaring an alias.  Now instead of "syntax
    error, unexpected CHROOT, expecting ALIAS" the message will be
    "syntax error, reserved word CHROOT used as an alias name".
    Bug #941.
  * Better handling of sudoers files without a final newline.
    The parser now adds a newline at end-of-file automatically which
    removes the need for special cases in the parser.
  * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
    where an uninitialized pointer could be freed on an error path.
    GitHub issue #67.
  * The core logging code is now shared between sudo_logsrvd and
    the sudoers plugin.
  * JSON log entries sent to syslog now use "minimal" JSON which
    skips all non-essential whitespace.
  * The sudoers plugin can now produce JSON-formatted logs.  The
    "log_format" sudoers option can be used to select sudo or json
    format logs.  The default is sudo format logs.
  * The sudoers plugin and visudo now display the column number in
    syntax error messages in addition to the line number.  Bug #841.
  * If I/O logging is not enabled but "log_servers" is set, the
    sudoers plugin will now log accept events to sudo_logsrvd.
    Previously, the accept event was only sent when I/O logging was
    enabled.  The sudoers plugin now sends reject and alert events too.
  * The sudo logsrv protocol has been extended to allow an AlertMessage
    to contain an optional array of InfoMessage, as AcceptMessage
    and RejectMessage already do.
  * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
    in duplicate entries in the debug log when debugging was enabled.

OBS-URL: https://build.opensuse.org/request/show/851947
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=187
2020-12-05 17:13:38 +00:00
Dominique Leuenberger
76e78fce99 Accepting request 850806 from Base:System
OBS-URL: https://build.opensuse.org/request/show/850806
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=117
2020-11-26 22:12:07 +00:00
67aea91c5c Accepting request 850805 from home:kstreitova:branches:Base:System
[bsc#1162675]

OBS-URL: https://build.opensuse.org/request/show/850805
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=185
2020-11-25 18:35:03 +00:00
Dominique Leuenberger
3c934f78b3 Accepting request 848942 from Base:System
OBS-URL: https://build.opensuse.org/request/show/848942
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=116
2020-11-21 11:39:16 +00:00
921bef68a5 Accepting request 848421 from home:kstreitova:branches:Base:System
- Update to 1.9.3p1
  * Fixed a regression introduced in sudo 1.9.3 where the configure
    script would not detect the crypt(3) function if it was present
    in the C library, not an additional library.
  * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
    file authentication on OpenBSD.  BSD authentication was not
    affected.
  * Sudo now logs when a user-specified command-line option is
    rejected by a sudoers rule.  Previously, these conditions were
    written to the audit log, but the default sudo log file.  Affected
    command line arguments include -C (--close-from), -D (--chdir),
    -R (--chroot), -g (--group) and -u (--user).
- News in 1.9.3
  * Fixed building the Python plugin on systems with a compiler that
    doesn't support symbol hiding.
  * Sudo now uses a linker script to hide symbols even when the
    compiler has native symbol hiding support.  This should make it
    easier to detect omissions in the symbol exports file, regardless
    of the platform.
  * Fixed the libssl dependency in Debian packages for older releases
    that use libssl1.0.0.
  * Sudo and visudo now provide more detailed messages when a syntax
    error is detected in sudoers.  The offending line and token are
    now displayed.  If the parser was generated by GNU bison,
    additional information about what token was expected is also
    displayed.  Bug #841.
  * Sudoers rules must now end in either a newline or the end-of-file.
    Previously, it was possible to have multiple rules on a single
    line, separated by white space.  The use of an end-of-line
    terminator makes it possible to display accurate error messages.

OBS-URL: https://build.opensuse.org/request/show/848421
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=183
2020-11-16 19:04:11 +00:00
Dominique Leuenberger
0009b7713c Accepting request 833520 from Base:System
OBS-URL: https://build.opensuse.org/request/show/833520
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=115
2020-09-14 10:03:54 +00:00
85a5bf7b1e Accepting request 832691 from home:mvarlese:branches:Base:System
- Modified the secure_path to include the other two default paths 
  which are commonly available to $user. This will offer a better
  and more consistent UX.

OBS-URL: https://build.opensuse.org/request/show/832691
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=181
2020-09-10 15:58:50 +00:00
Dominique Leuenberger
56b1f3fa8c Accepting request 830736 from Base:System
OBS-URL: https://build.opensuse.org/request/show/830736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=114
2020-09-01 18:04:43 +00:00
d429a52e63 Accepting request 829280 from home:olh:branches:Base:System
- This rpm packages decides about the permissions of /etc/sudoers.d

OBS-URL: https://build.opensuse.org/request/show/829280
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=179
2020-08-31 10:31:58 +00:00
Dominique Leuenberger
3e2b8f7393 Accepting request 822941 from Base:System
OBS-URL: https://build.opensuse.org/request/show/822941
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=113
2020-07-28 15:23:34 +00:00
15dabdc9eb Accepting request 822654 from home:polslinux:branches:Base:System
- Update to 1.9.2:
  * The configure script now uses pkg-config to find the openssl cflags
    and libs where possible.
  * The contents of the log.json I/O log file is now documented in
    the sudoers manual.
  * The sudoers plugin now properly exports the sudoers_audit symbol
    on systems where the compiler lacks symbol visibility controls.
    This caused a regression in 1.9.1 where a successful sudo command
    was not logged due to the missing audit plugin. Bug #931.
  * Fixed a regression introduced in 1.9.1 that can result in crash
    when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/822654
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=177
2020-07-27 09:19:24 +00:00
Dominique Leuenberger
dcd2c9420e Accepting request 818179 from Base:System
OBS-URL: https://build.opensuse.org/request/show/818179
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=112
2020-07-06 14:13:54 +00:00
dbdbd2f5a2 Accepting request 817736 from home:kukuk:branches:Base:System
- Move python plugin support to own sub-package, we don't want
  python in a really minimal system [bsc#1173200]

OBS-URL: https://build.opensuse.org/request/show/817736
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=175
2020-07-01 21:57:29 +00:00
Dominique Leuenberger
98e2460df4 Accepting request 816529 from Base:System
OBS-URL: https://build.opensuse.org/request/show/816529
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=111
2020-06-25 14:46:26 +00:00
b5bdc3e34f Accepting request 815881 from home:vitezslav_cizek:branches:Base:System
- Update to 1.9.1
  * Fixed an AIX-specific problem when I/O logging was enabled.
     The terminal device was not being properly set to raw mode.
     Bug #927.
   * Corrected handling of sudo_logsrvd connections without associated
     I/O log data.  This fixes support for RejectMessage as well as
     AcceptMessage when the expect_iobufs flag is not set.
   * Added an "iolog_path" entry to the JSON-format event log produced
     by sudo_logsrvd.  Previously, it was only possible to determine
     the I/O log file an event belonged to using sudo-format logs.
   * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.
   * I/O log files produced by the sudoers plugin now clear the write
     bits on the I/O log timing file when the log is complete.  This
     is consistent with how sudo_logsrvd indicates that a log is
     complete.
   * The sudoreplay utility has a new "-F" (follow) command line
     option to allow replaying a session that is still in progress,
     similar to "tail -f".
   * The @include and @includedir directives can be used in sudoers
     instead of #include and #includedir.  In addition, include paths
     may now have embedded white space by either using a double-quoted
     string or escaping the space characters with a backslash.
   * When running a command in a pty, sudo will no longer try to
     suspend itself if the user's tty has been revoked (for instance
     when the parent ssh daemon is killed).  This fixes a bug where
     sudo would continuously suspend the command (which would succeed),
     then suspend itself (which would fail due to the missing tty)
     and then resume the command.
   * If sudo's event loop fails due to the tty being revoked, remove
     the user's tty events and restart the event loop (once).  This

OBS-URL: https://build.opensuse.org/request/show/815881
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=173
2020-06-23 09:01:54 +00:00
Dominique Leuenberger
91b6e6fb29 Accepting request 807048 from Base:System
OBS-URL: https://build.opensuse.org/request/show/807048
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=110
2020-05-20 16:37:15 +00:00
1b5790329f Accepting request 807045 from home:kstreitova:branches:Base:System
- Update to 1.9.0 (current stable release)
  * for changes between version 1.9.0 and 1.8.31p1 see rc changes
    below

OBS-URL: https://build.opensuse.org/request/show/807045
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=171
2020-05-18 20:53:40 +00:00
097139f659 Accepting request 802665 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc5
  * The default TLS listener is now only enabled when either the
    TLS certificate file is explicitly specified in sudo_logsrvd.conf
    or the default TLS certificate file exists in the file system.
    There is no change in behavior for listen_address entries
    explicitly set in the configuration file.

OBS-URL: https://build.opensuse.org/request/show/802665
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=170
2020-05-14 17:32:58 +00:00
Dominique Leuenberger
886f84dad7 Accepting request 801234 from Base:System
OBS-URL: https://build.opensuse.org/request/show/801234
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=109
2020-05-09 17:52:18 +00:00
282f49c3fc Accepting request 801195 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc4
  * Various spelling fixes. Bug #925.
  * The struct passwd passed to PAM session modules is now looked up
    by user name, not user-ID, when possible. Fixes a problem with
    the pam_limits module and configurations where multiple user names
    share the same ID. Debian bug #734752.
  * Sudo command line options that take a value may only be specified
    once. This is to help guard against problems caused by poorly
    written scripts that invoke sudo with user-controlled input. Bug #924. 

- Update to 1.9.0rc3
  * The sudo-logsrvd package now installs a systemd service on Linux
    distros that use systemd.
  * The I/O plugin is now closed before the policy plugin on command
    exit.
  * When copying the edited files to the original path, sudoedit now
    allocates any additional space needed before writing. Previously,
    it could truncate the destination file if the file system was
    full. Bug #922.
  * Fixed a compilation issue with Python 3.8.
  * Changed how TLS connections are made to the log server. Instead
    of using a starttls type approach where TLS and plaintext
    connections share the same point we now use separate ports for
    plaintext and TLS connections. A (tls) flag can be specified after
    the host:port to indicate that the connection should be secured
    with TLS. This avoids a potention man-in-the-middle attack that
    could cause the connection to be forced into plaintext mode.
    Unfortunately, this change breaks compatibility with the
    previous release candidates.

OBS-URL: https://build.opensuse.org/request/show/801195
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=168
2020-05-07 13:00:36 +00:00
Dominique Leuenberger
5d9be849da Accepting request 794970 from Base:System
OBS-URL: https://build.opensuse.org/request/show/794970
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=108
2020-04-22 18:43:08 +00:00
33bc44b1c2 Accepting request 794969 from home:kstreitova:branches:Base:System
- build with enable-python to support python plugins

OBS-URL: https://build.opensuse.org/request/show/794969
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=166
2020-04-17 17:15:44 +00:00
0c25f52ff5 Add python3 BuildRequires
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=165
2020-04-17 16:51:00 +00:00
3ed4d64671 Accepting request 794915 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc2
  * Fixed a test failure in the strsig_test regress test on FreeBSD.
  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
    used to implement centralized logging of I/O logs.  TLS connections
    are supported when sudo is configured with the --enable-openssl
    option.  For more information, see the sudo_logsrvd, logsrvd.conf
    and sudo_logsrv.proto manuals as well as the log_servers setting
    in the sudoers manual.
    The --disable-log-server and --disable-log-client configure
    options can be used to disable building the I/O log server and/or
    remote I/O log support in the sudoers plugin.
  * The new sudo_sendlog utility can be used to test sudo_logsrvd
    or send existing sudo I/O logs to a centralized server.
  * It is now possible to write sudo plugins in Python 3 when sudo
    is configured with the --enable-python> option.  See the
    sudo_plugin_python.man.html manual for details.
    Sudo 1.9.0 comes with several Python example plugins that get
    installed sudo's examples directory.
    The sudo blog article "What's new in sudo 1.9: Python"
    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
    includes a simple tutorial on writing python plugins.
  * Sudo now supports an "audit" plugin type.  An audit plugin
    receives accept, reject, exit and error messages and can be used
    to implement custom logging that is independent of the underlying
    security policy.   Multiple audit plugins may be specified in
    the sudo.conf file.  A sample audit plugin is included that
    writes logs in JSON format.
  * Sudo now supports an "approval" plugin type.  An approval plugin
    is run only after the main security policy (such as sudoers) accepts
    a command to be run.  The approval policy may perform additional

OBS-URL: https://build.opensuse.org/request/show/794915
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=164
2020-04-17 16:50:20 +00:00
Dominique Leuenberger
125c0406ef Accepting request 785885 from Base:System
OBS-URL: https://build.opensuse.org/request/show/785885
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=107
2020-03-19 18:45:31 +00:00
1d4f8044cd Accepting request 785827 from home:polslinux:branches:Base:System
- Update to 1.8.31p1
  * Sudo once again ignores a failure to restore the RLIMIT_CORE
    resource limit, as it did prior to version 1.8.29.
    Linux containers don't allow RLIMIT_CORE to be set back to
    RLIM_INFINITY if we set the limit to zero, even for root,
    which resulted in a warning from sudo.

OBS-URL: https://build.opensuse.org/request/show/785827
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=162
2020-03-17 10:42:59 +00:00
Dominique Leuenberger
6ef976cb00 Accepting request 772143 from Base:System
OBS-URL: https://build.opensuse.org/request/show/772143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=106
2020-02-15 21:23:40 +00:00
ac3c196343 Accepting request 772142 from home:kstreitova:branches:Base:System
- Update to 1.8.31
  Major changes between version 1.8.31 and 1.8.30:
  * This version fixes a potential security issue that can lead to
    a buffer overflow if the pwfeedback option is enabled in
    sudoers [CVE-2019-18634] [bsc#1162202]
  * The sudoedit_checkdir option now treats a user-owned directory
    as writable, even if it does not have the write bit set at the
    time of check. Symbolic links will no longer be followed by
    sudoedit in any user-owned directory. Bug #912.
  * Fixed a crash introduced in sudo 1.8.30 when suspending sudo
    at the password prompt. Bug #914.
  * Fixed compilation on systems where the mmap MAP_ANON flag is
    not available. Bug #915.
  Major changes between version 1.8.30 and 1.8.29:
  * Sudo now closes file descriptors before changing uids. This
    prevents a non-root process from interfering with sudo's ability
    to close file descriptors on systems that support the prlimit(2)
    system call.
  * Sudo now treats an attempt to run sudo sudoedit as simply
    sudoedit If the sudoers file contains a fully-qualified path
    to sudoedit, sudo will now treat it simply as sudoedit
    (with no path). Visudo will will now treat a fully-qualified
    path to sudoedit as an error. Bug #871.
  * Fixed a bug introduced in sudo 1.8.28 where sudo would warn
    about a missing /etc/environment file on AIX and Linux when
    PAM is not enabled. Bug #907.
  * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
    the askpass program from running due to an unlimited stack size
    resource limit. Bug #908.
  * If a group provider plugin has optional arguments, the argument

OBS-URL: https://build.opensuse.org/request/show/772142
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=160
2020-02-07 16:27:51 +00:00
Dominique Leuenberger
d5d48c17b0 Accepting request 756015 from Base:System
OBS-URL: https://build.opensuse.org/request/show/756015
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=105
2019-12-18 13:43:05 +00:00
6db166dae8 Accepting request 754614 from home:kukuk:branches:Base:System
- Move pam.d/sudo* files to /usr/etc

OBS-URL: https://build.opensuse.org/request/show/754614
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=158
2019-12-12 09:24:53 +00:00
Dominique Leuenberger
0f9ceb41c1 Accepting request 743446 from Base:System
OBS-URL: https://build.opensuse.org/request/show/743446
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=104
2019-10-30 13:42:14 +00:00
7c6c82c48c Accepting request 738914 from home:vitezslav_cizek:branches:Base:System
- Update to 1.8,28p1
  * The fix for Bug #869 caused "sudo -v" to prompt for a password
    when "verifypw" is set to "all" (the default) and all of the
    user's sudoers entries are marked with NOPASSWD.  Bug #901.

- Update to 1.8.28
 * Fixed CVE-2019-14287 (bsc#1153674),
   a bug where a sudo user may be able to
   run a command as root when the Runas specification explicitly
   disallows root access as long as the ALL keyword is listed first.
   * Sudo will now only set PAM_TTY to the empty string when no
   terminal is present on Solaris and Linux.  This workaround is
   only needed on those systems which may have PAM modules that
   misbehave when PAM_TTY is not set.
 * The mailerflags sudoers option now has a default value even if
   sendmail support was disabled at configure time.  Fixes a crash
   when the mailerpath sudoers option is set but mailerflags is not.
   Bug #878.
 * Sudo will now filter out last login messages on HP-UX unless it
   a shell is being run via "sudo -s" or "sudo -i".  Otherwise,
   when trusted mode is enabled, these messages will be displayed
   for each command.
 * Sudo has a new -B command line option that will ring the terminal
   bell when prompting for a password.
 * Sudo no longer refuses to prompt for a password when it cannot
   determine the user's terminal as long as it can open /dev/tty.
   This allows sudo to function on systems where /proc is unavailable,
   such as when running in a chroot environment.
 * The "env_editor" sudoers flag is now on by default.  This makes
   source builds more consistent with the packages generated by

OBS-URL: https://build.opensuse.org/request/show/738914
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00
Dominique Leuenberger
31f8884bee Accepting request 724506 from Base:System
OBS-URL: https://build.opensuse.org/request/show/724506
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=103
2019-08-27 13:20:45 +00:00
69d80cc452 Accepting request 724360 from home:okurz:branches:Base:System
Correct typo in sudoers patch

OBS-URL: https://build.opensuse.org/request/show/724360
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=154
2019-08-19 08:38:01 +00:00