Commit Graph

159 Commits

Author SHA256 Message Date
Otto Hollmann
01793c9cfc Accepting request 1128140 from home:ohollmann:branches:Base:System
- Update to 1.9.15p2:
  * Fixed a bug on BSD systems where sudo would not restore the
    terminal settings on exit if the terminal had parity enabled.
    GitHub issue #326.
- Update to 1.9.15p1:
  * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
    sudoers from being able to read the ldap.conf file.
    GitHub issue #325.
- Update to 1.9.15:
  * Fixed an undefined symbol problem on older versions of macOS
    when "intercept" or "log_subcmds" are enabled in sudoers.
    GitHub issue #276.
  * Fixed "make check" failure related to getpwent(3) wrapping
    on NetBSD.
  * Fixed the warning message for "sudo -l command" when the command
    is not permitted.  There was a missing space between "list" and
    the actual command due to changes in sudo 1.9.14.
  * Fixed a bug where output could go to the wrong terminal if
    "use_pty" is enabled (the default) and the standard input, output
    or error is redirected to a different terminal.  Bug #1056.
  * The visudo utility will no longer create an empty file when the
    specified sudoers file does not exist and the user exits the
    editor without making any changes.  GitHub issue #294.
  * The AIX and Solaris sudo packages on www.sudo.ws now support
    "log_subcmds" and "intercept" with both 32-bit and 64-bit
    binaries.  Previously, they only worked when running binaries
    with the same word size as the sudo binary.  GitHub issue #289.
  * The sudoers source is now logged in the JSON event log.  This
    makes it possible to tell which rule resulted in a match.
  * Running "sudo -ll command" now produces verbose output that

OBS-URL: https://build.opensuse.org/request/show/1128140
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=247
2023-11-23 07:21:18 +00:00
Otto Hollmann
27c0857d41 Accepting request 1127862 from home:dimstar:Factory
- Package/ship empty /etc/sudoers.d directory for admins to
  discover where to put their won config.

OBS-URL: https://build.opensuse.org/request/show/1127862
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=246
2023-11-21 11:38:24 +00:00
Otto Hollmann
535b070a67 Accepting request 1114961 from home:ohollmann:branches:Remove-targetpw
- Introduce optional wheel and sudo group policies as separate packages
  (bsc#1203978, jsc#PED-260)

- Install config files into /usr/etc and read from both location:
  /etc and /usr/etc (bsc#1205118)

OBS-URL: https://build.opensuse.org/request/show/1114961
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=245
2023-10-03 12:11:35 +00:00
Otto Hollmann
a1f80d7634 Accepting request 1110618 from home:ohollmann:branches:Base:System
- Update to 1.9.14p3:
  * Fixed a crash with Python 3.12 when the sudo Python python is unloaded.
    This only affects make check for the Python plugin.
  * Adapted the sudo Python plugin test output to match Python 3.12.
- Update to 1.9.14p2:
  * Fixed a crash on Linux systems introduced in version 1.9.14 when running a
    command with a NULL argv[0] if log_subcmds or intercept is enabled in
    sudoers.
  * Fixed a problem with "stair-stepped" output when piping or redirecting the
    output of a sudo command that takes user input when running a command in
    a pseudo-terminal.
  * Fixed a bug introduced in sudo 1.9.14 that affects matching sudoers rules
    containing a Runas_Spec with an empty Runas user. These rules should only
    match when sudo’s -g option is used but were matching even without the -g
    option. #290.

OBS-URL: https://build.opensuse.org/request/show/1110618
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=243
2023-09-12 13:46:37 +00:00
Otto Hollmann
c10ea702eb Accepting request 1098344 from home:polslinux:branches:Base:System
- Update to 1.9.14p1:
  * Fixed an invalid free bug in sudo_logsrvd that was introduced
    in version 1.9.14 which could cause sudo_logsrvd to crash.
  * The sudoers plugin no longer tries to send the terminal name
    to the log server when no terminal is present.  This bug was
    introduced in version 1.9.14.
  * Fixed a bug where if the "intercept" or "log_subcmds" sudoers
    option was enabled and a sub-command was run where the first
    entry of the argument vector didn't match the command being run.
    This resulted in commands like "sudo su -" being killed due to
    the mismatch.  Bug #1050.
  * The sudoers plugin now canonicalizes command path names before
    matching (where possible).  This fixes a bug where sudo could
    execute the wrong path if there are multiple symbolic links with
    the same target and the same base name in sudoers that a user is
    allowed to run.  GitHub issue #228.
  * Improved command matching when a chroot is specified in sudoers.
    The sudoers plugin will now change the root directory id needed
    before performing command matching.  Previously, the root directory
    was simply prepended to the path that was being processed.
  * When NETGROUP_BASE is set in the ldap.conf file, sudo will now
    perform its own netgroup lookups of the host name instead of
    using the system innetgr(3) function.  This guarantees that user
    and host netgroup lookups are performed using  the same LDAP
    server (or servers).
  * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
    " ; " separator between environment variables and the command
    in log entries.
  * The visudo utility now displays a warning when it ignores a file
    in an include dir such as /etc/sudoers.d.

OBS-URL: https://build.opensuse.org/request/show/1098344
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=241
2023-07-24 07:33:45 +00:00
Otto Hollmann
dd0ccf68c1 Accepting request 1077512 from home:mkoutny:pam-nl
- sudo.pamd: Use common-session-nonlogin for >15 codestreams
  More info in https://github.com/SUSE/pam-config/pull/16

OBS-URL: https://build.opensuse.org/request/show/1077512
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=239
2023-04-06 13:54:53 +00:00
f00f1f5870 - Update to 1.9.13p2 (bsc#1208595, CVE-2023-27320):
This bug was introduced in sudo 1.9.8.

OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=237
2023-03-17 10:11:22 +00:00
Jason Sikes
67b4f8099e Accepting request 1070277 from home:jsikes:branches:Base:System
Update to 1.9.13p3! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1070277
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=235
2023-03-09 02:49:46 +00:00
Jason Sikes
ab630daf5c Accepting request 1068080 from home:jsikes:branches:Base:System
Update that fixes bsc1208595! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1068080
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=233
2023-02-28 01:47:49 +00:00
Jason Sikes
23d15e05f3 Accepting request 1066577 from home:jsikes:branches:Base:System
Update to 1.9.13p1! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1066577
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=231
2023-02-23 08:56:52 +00:00
Jason Sikes
bf67a396fd Accepting request 1065829 from home:jsikes:branches:Base:System
Update to 1.9.13! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1065829
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=229
2023-02-15 22:46:09 +00:00
Jason Sikes
f0df0be3cd Accepting request 1060306 from home:jsikes:branches:Base:System
Fix that addresses bsc#1207082. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/1060306
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=227
2023-01-22 22:07:43 +00:00
Jason Sikes
5e11511896 Accepting request 1037190 from home:jsikes:branches:Base:System
Update to sudo-1.9.12p1! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1037190
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=225
2022-11-21 22:44:26 +00:00
Jason Sikes
a4384d0471 Accepting request 1033421 from home:jsikes:branches:Base:System
Fix for CVE-2022-43995! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1033421
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=223
2022-11-05 01:36:10 +00:00
Jason Sikes
829dc336b7 Accepting request 1032754 from home:jsikes:branches:Base:System
Changes for bsc#1203978 and PED-260! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1032754
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=221
2022-11-01 22:57:05 +00:00
Jason Sikes
4fec79beac Accepting request 1031218 from home:jsikes:branches:Base:System
Update to 1.9.12! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1031218
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=219
2022-10-26 22:34:34 +00:00
Jason Sikes
80565d39fb Accepting request 1002370 from home:jsikes:branches:Base:System
Fixed bsc#1177578. It's small. No, it's 'FUN-SIZED'! Enjoy!

OBS-URL: https://build.opensuse.org/request/show/1002370
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=217
2022-09-13 23:23:53 +00:00
Jason Sikes
1b78263838 Accepting request 998277 from home:jsikes:branches:Base:System
Updated. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/998277
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
2022-08-23 23:14:55 +00:00
Jason Sikes
211bbb80cf Accepting request 993732 from home:kukuk:branches:Base:System
- Use %_pam_vendordir macro
- Fix errors around LICENSE.md (fixes building on SLE12 SP5 again)

OBS-URL: https://build.opensuse.org/request/show/993732
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=213
2022-08-20 00:48:17 +00:00
Jason Sikes
188f5779d8 Accepting request 964503 from home:dirkmueller:Factory
- update to 1.9.10:
  * Added new log_passwords and passprompt_regex sudoers options. If
    log_passwords is disabled, sudo will attempt to prevent passwords from being
    logged. If sudo detects any of the regular expressions in the passprompt_regex
    list in the terminal output, sudo will log ‘*’ characters instead of the
    terminal input until a newline or carriage return is found in the input or an
    output character is received.
  * Added new log_passwords and passprompt_regex settings to sudo_logsrvd that
    operate like the sudoers options when logging terminal input.
  * Fixed several few bugs in the cvtsudoers utility when merging multiple sudoers
    sources.
  * Fixed a bug in sudo_logsrvd parsing the sudo_logsrvd.conf file, where the
    retry_interval in the [relay] section was not being recognized.
  * Restored the pre-1.9.9 behavior of not performing authentication when sudo’s -n
    option is specified. A new noninteractive_auth sudoers option has been added to
    enable PAM authentication in non-interactive mode. GitHub issue #131.
  * On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo
    (other systems) file is missing or invalid, sudo will now check file
    descriptors 0-2 to determine the user’s terminal. Bug #1020.
  * Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
  * Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is
    received.
  * Fixed an issue that resulting in “problem with defaults entries” email to be
    sent if a user ran sudo when the sudoers entry in the nsswitch.conf file
    includes “sss” but no sudo provider is configured in /etc/sssd/sssd.conf.
  * Updated the warning displayed when the invoking user is not allowed to run
    sudo. If sudo has been configured to send mail on failed attempts (see the
    mail_* flags in sudoers), it will now print “This incident has been reported to
    the administrator.” If the mailto or mailerpath sudoers settings are disabled,
    the message will not be printed and no mail will be sent.

OBS-URL: https://build.opensuse.org/request/show/964503
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=211
2022-03-25 04:48:17 +00:00
c9aee8b1e3 Accepting request 959556 from home:jsikes:branches:Base:System
Fix for bsc 1193446. Enjoy!

OBS-URL: https://build.opensuse.org/request/show/959556
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=209
2022-03-07 11:36:16 +00:00
Jason Sikes
86ffaf5f6b Accepting request 955502 from home:simotek:branches:Base:System
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch

OBS-URL: https://build.opensuse.org/request/show/955502
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=208
2022-02-17 01:40:01 +00:00
c1da9ded70 Accepting request 950728 from home:simotek:branches:Base:System
- Update to 1.9.9
   * Sudo can now be built with OpenSSL 3.0 without generating
     warnings about deprecated OpenSSL APIs.
   * A digest can now be specified along with the ALL command in
     the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
     this in the sudoers file but did not include corresponding
     changes for the other back-ends.
   * visudo now only warns about an undefined alias or a cycle in
     an alias once for each alias.
   * The sudoRole cn was truncated by a single character in warning
     messages. GitHub issue #115.
   * The cvtsudoers utility has new --group-file and --passwd-file
     options to use a custom passwd or group file when the
     --match-local option is also used.
   * The cvtsudoers utility can now filter or match based on a command.
   * The cvtsudoers utility can now produce output in csv
     (comma-separated value) format. This can be used to help generate
     entitlement reports.
   * Fixed a bug in sudo_logsrvd that could result in the connection
     being dropped for very long command lines.
   * Fixed a bug where sudo_logsrvd would not accept a restore point
     of zero.
   * Fixed a bug in visudo where the value of the editor setting was
     not used if it did not match the user’s EDITOR environment
     variable. This was only a problem if the env_editor setting was
     not enabled. Bug #1000.
   * Sudo now builds with the -fcf-protection compiler option and the
     -z now linker option if supported.
   * The output of sudoreplay -l now more closely matches the
     traditional sudo log format.
   * The sudo_sendlog utility will now use the full contents of the
     log.json file, if present. This makes it possible to send
     sudo-format I/O logs that use the newer log.json format to
     sudo_logsrvd without losing any information.
   * Fixed compilation of the arc4random_buf() replacement on systems
     with arc4random() but no arc4random_buf(). Bug #1008.
   * Sudo now uses its own getentropy() by default on Linux. The GNU
     libc version of getentropy() will fail on older kernels that
     don’t support the getrandom() system call.
   * It is now possible to build sudo with WolfSSL’s OpenSSL
     compatibility layer by using the --enable-wolfssl configure
     option.
   * Fixed a bug related to Daylight Saving Time when parsing
     timestamps in Generalized Time format. This affected the NOTBEFORE
     and NOTAFTER options in sudoers. Bug #1006.
   * Added the -O and -P options to visudo, which can be used to check
     or set the owner and permissions. This can be used in conjunction
     with the -c option to check that the sudoers file ownership and
     permissions are correct. Bug #1007.
   * It is now possible to set resource limits in the sudoers file
     itself. The special values default and “user” refer to the
     default system limit and invoking user limit respectively. The
     core dump size limit is now set to 0 by default unless overridden
     by the sudoers file.
   * The cvtsudoers utility can now merge multiple sudoers sources into
     a single, combined sudoers file. If there are conflicting entries,
     cvtsudoers will attempt to resolve them but manual intervention
     may be required. The merging of sudoers rules is currently fairly
     simplistic but will be improved in a future release.
   * Sudo was parsing but not applying the “deref” and “tls_reqcert”
     ldap.conf settings. This meant the options were effectively ignored
     which broke dereferencing of aliases in LDAP. Bug #1013.
   * Clarified in the sudo man page that the security policy may
     override the user’s PATH environment variable. Bug #1014.
   * When sudo is run in non-interactive mode (with the -n option), it
     will now attempt PAM authentication and only exit with an error if
     user interaction is required. This allows PAM modules that don’t
     interact with the user to succeed. Previously, sudo would not
     attempt authentication if the -n option was specified. Bug #956
     and GitHub issue #83.
   * Fixed a regression introduced in version 1.9.1 when sudo is built
     with the --with-fqdn configure option. The local host name was
     being resolved before the sudoers file was processed, making it
     impossible to disable DNS lookups by negating the fqdn sudoers
     option. Bug #1016.
   * Added support for negated sudoUser attributes in the LDAP and SSSD
     sudoers back ends. A matching sudoUser that is negated will cause
     the sudoRole containing it to be ignored.
   * Fixed a bug where the stack resource limit could be set to a value
     smaller than that of the invoking user and not be reset before the
     command was run. Bug #1016.
- sudo no longer ships schema for LDAP.
- sudo-feature-negated-LDAP-users.patch dropped, included upstream
- refreshed sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/950728
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=207
2022-02-02 12:27:10 +00:00
bb99464edf Accepting request 949359 from home:simotek:branches:Base:System
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch

OBS-URL: https://build.opensuse.org/request/show/949359
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=206
2022-01-31 08:20:47 +00:00
baf92a7f64 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=205 2021-12-05 19:32:13 +00:00
Jason Sikes
274646d6dc Accepting request 920883 from home:kstreitova:sudo
- update to 1.9.8p2
  * Fixed a potential out-of-bounds read with "sudo -i" when the
    target user's shell is bash.  This is a regression introduced
    in sudo 1.9.8.  Bug #998.
  * sudo_logsrvd now only sends a log ID for first command of a session.
    There is no need to send the log ID for each sub-command.
  * Fixed a few minor memory leaks in intercept mode.
  * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
    was enabled when handling sub-commands.  A new zero-length journal
    file was created for each sub-command instead of simply using
    the existing journal file.
- update to 1.9.8p1
  * Fixed support for passing a prompt (sudo -p) or a login class
    (sudo -l) on the command line.  This is a regression introduced
    in sudo 1.9.8.  Bug #993.
  * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
    This is a regression introduced in sudo 1.9.8.  Bug #994.
  * Fixed a compilation error when the --enable-static-sudoers configure
    option was specified.  This is a regression introduced in sudo
    1.9.8 caused by a symbol clash with the intercept and log server
    protobuf functions.
  * It is now possible to transparently intercepting sub-commands
    executed by the original command run via sudo.  Intercept support
    is implemented using LD_PRELOAD (or the equivalent supported by
    the system) and so has some limitations.  The two main limitations
    are that only dynamic executables are supported and only the
    execl, execle, execlp, execv, execve, execvp, and execvpe library
    functions are currently intercepted. Its main use case is to
    support restricting privileged shells run via sudo.
    To support this, there is a new "intercept" Defaults setting and

OBS-URL: https://build.opensuse.org/request/show/920883
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=204
2021-09-22 14:50:58 +00:00
Jason Sikes
d4c80a2758 Accepting request 908959 from home:ykurlaev:branches:Base:System2
- Fix commented out "Defaults env_keep" in sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/908959
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=203
2021-09-21 14:53:15 +00:00
Jason Sikes
8f39b9fd2e Accepting request 909589 from home:dirkmueller:Factory
- update to 1.9.7p2:
  * When formatting JSON output, octal numbers are now stored as strings, not
    numbers. The JSON spec does not actually support octal numbers with a 0
    prefix.
  * Sudo now can handle the getgroups() function returning a different number
    of groups for subsequent invocations. GitHub PR #106.
  * When loading a Python plugin, python_plugin.so now verifies that the module
    loaded matches the one we tried to load. This allows sudo to display a more
    useful error message when trying to load a plugin with a name that conflicts
    with a Python module installed in the system location.
  * Sudo no longer sets the the open files resource limit to unlimited while it
    runs. This avoids a problem where sudo's closefrom() emulation would need to
    close a very large number of descriptors on systems without a way to determine
    which ones are actually open.
  * Sudo now includes a configure check for va_copy or __va_copy and only defines
    its own version if the configure test fails.
  * Fixed a bug in sudo's utmp file handling which prevented old entries from being
    reused. As a result, the utmp (or utmpx) file was appended to unnecessarily.
  * ixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd from
    accepting TLS connections when OpenSSL is used. Bug #988.
  * Fixed an SELinux sudoedit bug when the edited temporary file could not be
    opened. The sesh helper would still be run even when there are no temporary
    files available to install.
  * The sudo_noexec.so file is now built as a module on all systems other than
    macOS. This makes it possible to use other libtool implementations such as
    slibtool. On macOS shared libraries and modules are not interchangeable and
    the version of libtool shipped with sudo must be used.

OBS-URL: https://build.opensuse.org/request/show/909589
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=202
2021-09-21 14:50:01 +00:00
Jason Sikes
6c83a9a46c Accepting request 909383 from home:czanik:branches:Base:System
- update to 1.9.7p2 
- enabled openssl support for secure central session
  recording collection (without it's clear text)
- fixed SLES12 build
 * When formatting JSON output, octal numbers are now stored as
   strings, not numbers.  The JSON spec does not actually support
   octal numbers with a '0' prefix.
 * Fixed a compilation issue on Solaris 9.
 * Sudo now can handle the getgroups() function returning a different
   number of groups for subsequent invocations.  GitHub PR #106.
 * When loading a Python plugin, python_plugin.so now verifies
   that the module loaded matches the one we tried to load.  This
   allows sudo to display a more useful error message when trying
   to load a plugin with a name that conflicts with a Python module
   installed in the system location.
 * Sudo no longer sets the the open files resource limit to "unlimited"
   while it runs.  This avoids a problem where sudo's closefrom()
   emulation would need to close a very large number of descriptors
   on systems without a way to determine which ones are actually open.
 * Sudo now includes a configure check for va_copy or __va_copy and
   only defines its own version if the configure test fails.
 * Fixed a bug in sudo's utmp file handling which prevented old
   entries from being reused.  As a result, the utmp (or utmpx)
   file was appended to unnecessarily.  GitHub PR #108.
 * Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd
   from accepting TLS connections when OpenSSL is used.  Bug #988.
 * Fixed an SELinux sudoedit bug when the edited temporary file
   could not be opened.  The sesh helper would still be run even
   when there are no temporary files available to install.
 * Fixed a compilation problem on FreeBSD.
 * The sudo_noexec.so file is now built as a module on all systems
   other than macOS.  This makes it possible to use other libtool
   implementations such as slibtool.  On macOS shared libraries and
   modules are not interchangeable and the version of libtool shipped
   with sudo must be used.
 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
   reading from the local group file.
 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
   connection retries from occurring in "store_first" mode.
 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
   due to a crash when the group source is set to "compat" in
   /etc/nsswitch.conf.  This is probably due to a mismatch between
   include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
   HP-UX we now just cycle through groups the slow way using
   getgrent().  Bug #978.

OBS-URL: https://build.opensuse.org/request/show/909383
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=201
2021-08-17 23:42:04 +00:00
3a3c58c1c7 Accepting request 905883 from home:ykurlaev:branches:Base:System
Fix LC_TIME incorrectly named LC_ATIME

OBS-URL: https://build.opensuse.org/request/show/905883
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=200
2021-07-28 14:44:04 +00:00
dcdcdf182d Accepting request 892541 from home:kstreitova:branches:Base:System
- update to 1.9.7
  * The "fuzz" Makefile target now runs all the fuzzers for 8192
    passes (can be overridden via the FUZZ_RUNS variable).  This makes
    it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
    set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
  * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
    error by default when a symbol is multiply-defined.
  * Added support for determining local IPv6 addresses on systems
    that lack the getifaddrs() function.  This now works on AIX,
    HP-UX and Solaris (at least).  Bug #969.
  * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
    report a usage error.  Also, when invoked as sudoedit, sudo now
    allows a more restricted set of options that matches the usage
    statement and documentation.  GitHub issue #95.
  * Fixed a crash in sudo_sendlog when the specified certificate
    or key does not exist or is invalid.  Bug #970
  * Fixed a compilation error when sudo is configured with the
    --disable-log-client option.
  * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
    is now documented.  Bug #971.
  * Sudo now requires autoconf 2.70 or higher to regenerate the
    configure script.  Bug #972.
  * sudo_logsrvd now has a relay mode which can be used to create
    a hierarchy of log servers.  By default, when a relay server is
    defined, messages from the client are forwarded immediately to
    the relay.  However, if the "store_first" setting is enabled,
    the log will be stored locally until the command completes and
    then relayed.  Bug #965.
  * Sudo now links with OpenSSL by default if it is available unless
    the --disable-openssl configure option is used or both the

OBS-URL: https://build.opensuse.org/request/show/892541
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=198
2021-05-12 15:43:09 +00:00
a2c551b38d Accepting request 886334 from home:dirkmueller:Factory
- update to 1.9.6p1
 * Fixed a regression introduced in sudo 1.9.6 that resulted in an
   error message instead of a usage message when sudo is run with
   no arguments.
 * Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
 * Fixed a regression introduced in sudo 1.9.4 where the
   --disable-root-mailer configure option had no effect.
 * Added a --disable-leaks configure option that avoids some
   memory leaks on exit that would otherwise occur.  This is intended
   to be used with development tools that measure memory leaks.  It
   is not safe to use in production at this time.
 * Plugged some memory leaks identified by oss-fuzz and ASAN.
 * Fixed the handling of sudoOptions for an LDAP sudoRole that
   contains multiple sudoCommands.  Previously, some of the options
   would only be applied to the first sudoCommand.
 * Fixed a potential out of bounds read in the parsing of NOTBEFORE
   and NOTAFTER sudoers command options (and their LDAP equivalents).
 * The parser used for reading I/O log JSON files is now more
   resilient when processing invalid JSON.
 * Fixed typos that prevented "make uninstall" from working.
 * Fixed a regression introduced in sudo 1.9.4 where the last line
   in a sudoers file might not have a terminating NUL character
   added if no newline was present.
 * Integrated oss-fuzz and LLVM's libFuzzer with sudo.  The new
   --enable-fuzzer configure option can be combined with the
   --enable-sanitizer option to build sudo with fuzzing support.
   Multiple fuzz targets are available for fuzzing different parts
   of sudo.  Fuzzers are built and tested via "make fuzz" or as part
   of "make check" (even when sudo is not built with fuzzing support).
   Fuzzing support currently requires the LLVM clang compiler (not gcc).

OBS-URL: https://build.opensuse.org/request/show/886334
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=196
2021-04-19 08:23:29 +00:00
f367b20479 Accepting request 867170 from home:simotek:branches:Base:System
Add some bugzilla references used in SLE and Leap to make some bots happy

OBS-URL: https://build.opensuse.org/request/show/867170
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=194
2021-01-27 12:10:14 +00:00
706ef1b183 Accepting request 867021 from home:simotek:branches:Base:System
- Update to 1.9.5.p2
    * When invoked as sudoedit, the same set of command line
      options are now accepted as for sudo -e. The -H and -P
      options are now rejected for sudoedit and sudo -e which
      matches the sudo 1.7 behavior. This is part of the fix for
      CVE-2021-3156.
    * Fixed a potential buffer overflow when unescaping backslashes
      in the command's arguments. Normally, sudo escapes special
      characters when running a command via a shell (sudo -s or
      sudo -i). However, it was also possible to run sudoedit with
      the -s or -i flags in which case no escaping had actually
      been done, making a buffer overflow possible.
      This fixes CVE-2021-3156. (bsc#1181090)
    * Fixed sudo's setprogname(3) emulation on systems that don't
      provide it.
    * Fixed a problem with the sudoers log server client where a
      partial write to the server could result the sudo process
      consuming large amounts of CPU time due to a cycle in the
      buffer queue. Bug #954.
    * Added a missing dependency on libsudo_util in libsudo_eventlog.
      Fixes a link error when building sudo statically.
    * The user's KRB5CCNAME environment variable is now preserved
      when performing PAM authentication. This fixes GSSAPI
      authentication when the user has a non-default ccache.

OBS-URL: https://build.opensuse.org/request/show/867021
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=193
2021-01-27 06:57:42 +00:00
9eb248bcec Accepting request 863080 from home:kstreitova:branches:Base:System
- Update to 1.9.5.p1
  * Fixed a regression introduced in sudo 1.9.5 where the editor run
    by sudoedit was set-user-ID root unless SELinux RBAC was in use.
    The editor is now run with the user's real and effective user-IDs.
- News in 1.9.5
  * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
    unknown user.  This is related to but distinct from Bug #948.
  * If the "lecture_file" setting is enabled in sudoers, it must now
    refer to a regular file or a symbolic link to a regular file.
  * Fixed a potential use-after-free bug in sudo_logsrvd when the
    server shuts down if there are existing connections from clients
    that are only logging events and not session I/O data.
  * Fixed a buffer size mismatch when serializing the list of IP
    addresses for configured network interfaces.  This bug is not
    actually exploitable since the allocated buffer is large enough
    to hold the list of addresses.
  * If sudo is executed with a name other than "sudo" or "sudoedit",
    it will now fall back to "sudo" as the program name.  This affects
    warning, help and usage messages as well as the matching of Debug
    lines in the /etc/sudo.conf file.  Previously, it was possible
    for the invoking user to manipulate the program name by setting
    argv[0] to an arbitrary value when executing sudo.
  * Sudo now checks for failure when setting the close-on-exec flag
    on open file descriptors.  This should never fail but, if it
    were to, there is the possibility of a file descriptor leak to
    a child process (such as the command sudo runs).
  * Fixed CVE-2021-23239, a potential information leak in sudoedit
    that could be used to test for the existence of directories not
    normally accessible to the user in certain circumstances.  When
    creating a new file, sudoedit checks to make sure the parent

OBS-URL: https://build.opensuse.org/request/show/863080
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=191
2021-01-14 12:56:29 +00:00
67744f343b Accepting request 858236 from home:kstreitova:branches:Base:System
- Update to 1.9.4p2
  * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
    if the sudoers file contains a runas user-specific Defaults entry.
    Bug #951.
- News in 1.9.4p1
  * Fixed a regression introduced in version 1.9.4 where sudo would
    not build when configured using the --without-sendmail option.
    Bug #947.
  * Fixed a problem where if I/O logging was disabled and sudo was
    unable to connect to sudo_logsrvd, the command would still be
    allowed to run even when the "ignore_logfile_errors" sudoers
    option was enabled.
  * Fixed a crash introduced in version 1.9.4 when attempting to run
    a command as a non-existent user.  Bug #948.
  * The installed sudo.conf file now has the default sudoers Plugin
    lines commented out.  This fixes a potential conflict when there
    is both a system-installed version of sudo and a user-installed
    version.  GitHub issue #75.
  * Fixed a regression introduced in sudo 1.9.4 where sudo would run
    the command as a child process even when a pseudo-terminal was
    not in use and the "pam_session" and "pam_setcred" options were
    disabled.  GitHub issue #76.
  * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
    sudoers option could not be set to a value of 3.  Bug #950.

OBS-URL: https://build.opensuse.org/request/show/858236
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=189
2020-12-23 00:37:04 +00:00
eb1d457912 Accepting request 851947 from home:kstreitova:branches:Base:System
- Update to 1.9.4
  * The sudoers parser will now detect when an upper-case reserved
    word is used when declaring an alias.  Now instead of "syntax
    error, unexpected CHROOT, expecting ALIAS" the message will be
    "syntax error, reserved word CHROOT used as an alias name".
    Bug #941.
  * Better handling of sudoers files without a final newline.
    The parser now adds a newline at end-of-file automatically which
    removes the need for special cases in the parser.
  * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
    where an uninitialized pointer could be freed on an error path.
    GitHub issue #67.
  * The core logging code is now shared between sudo_logsrvd and
    the sudoers plugin.
  * JSON log entries sent to syslog now use "minimal" JSON which
    skips all non-essential whitespace.
  * The sudoers plugin can now produce JSON-formatted logs.  The
    "log_format" sudoers option can be used to select sudo or json
    format logs.  The default is sudo format logs.
  * The sudoers plugin and visudo now display the column number in
    syntax error messages in addition to the line number.  Bug #841.
  * If I/O logging is not enabled but "log_servers" is set, the
    sudoers plugin will now log accept events to sudo_logsrvd.
    Previously, the accept event was only sent when I/O logging was
    enabled.  The sudoers plugin now sends reject and alert events too.
  * The sudo logsrv protocol has been extended to allow an AlertMessage
    to contain an optional array of InfoMessage, as AcceptMessage
    and RejectMessage already do.
  * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
    in duplicate entries in the debug log when debugging was enabled.

OBS-URL: https://build.opensuse.org/request/show/851947
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=187
2020-12-05 17:13:38 +00:00
67aea91c5c Accepting request 850805 from home:kstreitova:branches:Base:System
[bsc#1162675]

OBS-URL: https://build.opensuse.org/request/show/850805
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=185
2020-11-25 18:35:03 +00:00
921bef68a5 Accepting request 848421 from home:kstreitova:branches:Base:System
- Update to 1.9.3p1
  * Fixed a regression introduced in sudo 1.9.3 where the configure
    script would not detect the crypt(3) function if it was present
    in the C library, not an additional library.
  * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
    file authentication on OpenBSD.  BSD authentication was not
    affected.
  * Sudo now logs when a user-specified command-line option is
    rejected by a sudoers rule.  Previously, these conditions were
    written to the audit log, but the default sudo log file.  Affected
    command line arguments include -C (--close-from), -D (--chdir),
    -R (--chroot), -g (--group) and -u (--user).
- News in 1.9.3
  * Fixed building the Python plugin on systems with a compiler that
    doesn't support symbol hiding.
  * Sudo now uses a linker script to hide symbols even when the
    compiler has native symbol hiding support.  This should make it
    easier to detect omissions in the symbol exports file, regardless
    of the platform.
  * Fixed the libssl dependency in Debian packages for older releases
    that use libssl1.0.0.
  * Sudo and visudo now provide more detailed messages when a syntax
    error is detected in sudoers.  The offending line and token are
    now displayed.  If the parser was generated by GNU bison,
    additional information about what token was expected is also
    displayed.  Bug #841.
  * Sudoers rules must now end in either a newline or the end-of-file.
    Previously, it was possible to have multiple rules on a single
    line, separated by white space.  The use of an end-of-line
    terminator makes it possible to display accurate error messages.

OBS-URL: https://build.opensuse.org/request/show/848421
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=183
2020-11-16 19:04:11 +00:00
85a5bf7b1e Accepting request 832691 from home:mvarlese:branches:Base:System
- Modified the secure_path to include the other two default paths 
  which are commonly available to $user. This will offer a better
  and more consistent UX.

OBS-URL: https://build.opensuse.org/request/show/832691
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=181
2020-09-10 15:58:50 +00:00
d429a52e63 Accepting request 829280 from home:olh:branches:Base:System
- This rpm packages decides about the permissions of /etc/sudoers.d

OBS-URL: https://build.opensuse.org/request/show/829280
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=179
2020-08-31 10:31:58 +00:00
15dabdc9eb Accepting request 822654 from home:polslinux:branches:Base:System
- Update to 1.9.2:
  * The configure script now uses pkg-config to find the openssl cflags
    and libs where possible.
  * The contents of the log.json I/O log file is now documented in
    the sudoers manual.
  * The sudoers plugin now properly exports the sudoers_audit symbol
    on systems where the compiler lacks symbol visibility controls.
    This caused a regression in 1.9.1 where a successful sudo command
    was not logged due to the missing audit plugin. Bug #931.
  * Fixed a regression introduced in 1.9.1 that can result in crash
    when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/822654
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=177
2020-07-27 09:19:24 +00:00
dbdbd2f5a2 Accepting request 817736 from home:kukuk:branches:Base:System
- Move python plugin support to own sub-package, we don't want
  python in a really minimal system [bsc#1173200]

OBS-URL: https://build.opensuse.org/request/show/817736
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=175
2020-07-01 21:57:29 +00:00
b5bdc3e34f Accepting request 815881 from home:vitezslav_cizek:branches:Base:System
- Update to 1.9.1
  * Fixed an AIX-specific problem when I/O logging was enabled.
     The terminal device was not being properly set to raw mode.
     Bug #927.
   * Corrected handling of sudo_logsrvd connections without associated
     I/O log data.  This fixes support for RejectMessage as well as
     AcceptMessage when the expect_iobufs flag is not set.
   * Added an "iolog_path" entry to the JSON-format event log produced
     by sudo_logsrvd.  Previously, it was only possible to determine
     the I/O log file an event belonged to using sudo-format logs.
   * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.
   * I/O log files produced by the sudoers plugin now clear the write
     bits on the I/O log timing file when the log is complete.  This
     is consistent with how sudo_logsrvd indicates that a log is
     complete.
   * The sudoreplay utility has a new "-F" (follow) command line
     option to allow replaying a session that is still in progress,
     similar to "tail -f".
   * The @include and @includedir directives can be used in sudoers
     instead of #include and #includedir.  In addition, include paths
     may now have embedded white space by either using a double-quoted
     string or escaping the space characters with a backslash.
   * When running a command in a pty, sudo will no longer try to
     suspend itself if the user's tty has been revoked (for instance
     when the parent ssh daemon is killed).  This fixes a bug where
     sudo would continuously suspend the command (which would succeed),
     then suspend itself (which would fail due to the missing tty)
     and then resume the command.
   * If sudo's event loop fails due to the tty being revoked, remove
     the user's tty events and restart the event loop (once).  This

OBS-URL: https://build.opensuse.org/request/show/815881
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=173
2020-06-23 09:01:54 +00:00
1b5790329f Accepting request 807045 from home:kstreitova:branches:Base:System
- Update to 1.9.0 (current stable release)
  * for changes between version 1.9.0 and 1.8.31p1 see rc changes
    below

OBS-URL: https://build.opensuse.org/request/show/807045
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=171
2020-05-18 20:53:40 +00:00
097139f659 Accepting request 802665 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc5
  * The default TLS listener is now only enabled when either the
    TLS certificate file is explicitly specified in sudo_logsrvd.conf
    or the default TLS certificate file exists in the file system.
    There is no change in behavior for listen_address entries
    explicitly set in the configuration file.

OBS-URL: https://build.opensuse.org/request/show/802665
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=170
2020-05-14 17:32:58 +00:00
282f49c3fc Accepting request 801195 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc4
  * Various spelling fixes. Bug #925.
  * The struct passwd passed to PAM session modules is now looked up
    by user name, not user-ID, when possible. Fixes a problem with
    the pam_limits module and configurations where multiple user names
    share the same ID. Debian bug #734752.
  * Sudo command line options that take a value may only be specified
    once. This is to help guard against problems caused by poorly
    written scripts that invoke sudo with user-controlled input. Bug #924. 

- Update to 1.9.0rc3
  * The sudo-logsrvd package now installs a systemd service on Linux
    distros that use systemd.
  * The I/O plugin is now closed before the policy plugin on command
    exit.
  * When copying the edited files to the original path, sudoedit now
    allocates any additional space needed before writing. Previously,
    it could truncate the destination file if the file system was
    full. Bug #922.
  * Fixed a compilation issue with Python 3.8.
  * Changed how TLS connections are made to the log server. Instead
    of using a starttls type approach where TLS and plaintext
    connections share the same point we now use separate ports for
    plaintext and TLS connections. A (tls) flag can be specified after
    the host:port to indicate that the connection should be secured
    with TLS. This avoids a potention man-in-the-middle attack that
    could cause the connection to be forced into plaintext mode.
    Unfortunately, this change breaks compatibility with the
    previous release candidates.

OBS-URL: https://build.opensuse.org/request/show/801195
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=168
2020-05-07 13:00:36 +00:00
33bc44b1c2 Accepting request 794969 from home:kstreitova:branches:Base:System
- build with enable-python to support python plugins

OBS-URL: https://build.opensuse.org/request/show/794969
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=166
2020-04-17 17:15:44 +00:00
3ed4d64671 Accepting request 794915 from home:kstreitova:branches:Base:System
- Update to 1.9.0rc2
  * Fixed a test failure in the strsig_test regress test on FreeBSD.
  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
    used to implement centralized logging of I/O logs.  TLS connections
    are supported when sudo is configured with the --enable-openssl
    option.  For more information, see the sudo_logsrvd, logsrvd.conf
    and sudo_logsrv.proto manuals as well as the log_servers setting
    in the sudoers manual.
    The --disable-log-server and --disable-log-client configure
    options can be used to disable building the I/O log server and/or
    remote I/O log support in the sudoers plugin.
  * The new sudo_sendlog utility can be used to test sudo_logsrvd
    or send existing sudo I/O logs to a centralized server.
  * It is now possible to write sudo plugins in Python 3 when sudo
    is configured with the --enable-python> option.  See the
    sudo_plugin_python.man.html manual for details.
    Sudo 1.9.0 comes with several Python example plugins that get
    installed sudo's examples directory.
    The sudo blog article "What's new in sudo 1.9: Python"
    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
    includes a simple tutorial on writing python plugins.
  * Sudo now supports an "audit" plugin type.  An audit plugin
    receives accept, reject, exit and error messages and can be used
    to implement custom logging that is independent of the underlying
    security policy.   Multiple audit plugins may be specified in
    the sudo.conf file.  A sample audit plugin is included that
    writes logs in JSON format.
  * Sudo now supports an "approval" plugin type.  An approval plugin
    is run only after the main security policy (such as sudoers) accepts
    a command to be run.  The approval policy may perform additional

OBS-URL: https://build.opensuse.org/request/show/794915
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=164
2020-04-17 16:50:20 +00:00
1d4f8044cd Accepting request 785827 from home:polslinux:branches:Base:System
- Update to 1.8.31p1
  * Sudo once again ignores a failure to restore the RLIMIT_CORE
    resource limit, as it did prior to version 1.8.29.
    Linux containers don't allow RLIMIT_CORE to be set back to
    RLIM_INFINITY if we set the limit to zero, even for root,
    which resulted in a warning from sudo.

OBS-URL: https://build.opensuse.org/request/show/785827
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=162
2020-03-17 10:42:59 +00:00