01793c9cfc
- Update to 1.9.15p2:
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
- Update to 1.9.15p1:
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
- Update to 1.9.15:
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
OBS-URL: https://build.opensuse.org/request/show/1128140
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=247
90 lines
4.0 KiB
Diff
90 lines
4.0 KiB
Diff
Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
|
|
===================================================================
|
|
--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
|
|
+++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
|
|
@@ -41,32 +41,23 @@
|
|
##
|
|
## Defaults specification
|
|
##
|
|
-## You may wish to keep some of the following environment variables
|
|
-## when running commands via sudo.
|
|
-##
|
|
-## Locale settings
|
|
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
|
-##
|
|
-## Run X applications through sudo; HOME is used to find the
|
|
-## .Xauthority file. Note that other programs use HOME to find
|
|
-## configuration files and this may lead to privilege escalation!
|
|
-# Defaults env_keep += "HOME"
|
|
-##
|
|
-## X11 resource path settings
|
|
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
|
-##
|
|
-## Desktop path settings
|
|
-# Defaults env_keep += "QTDIR KDEDIR"
|
|
-##
|
|
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
|
-# Defaults env_keep += "XDG_SESSION_COOKIE"
|
|
-##
|
|
-## Uncomment to enable special input methods. Care should be taken as
|
|
-## this may allow users to subvert the command being run via sudo.
|
|
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
-##
|
|
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
|
|
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
+## Prevent environment variables from influencing programs in an
|
|
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
|
+Defaults always_set_home
|
|
+Defaults env_reset
|
|
+## Change env_reset to !env_reset in previous line to keep all environment variables
|
|
+## Following list will no longer be necessary after this change
|
|
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
+## Comment out the preceding line and uncomment the following one if you need
|
|
+## to use special input methods. This may allow users to compromise the root
|
|
+## account if they are allowed to run commands without authentication.
|
|
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
+
|
|
+## Do not insult users when they enter an incorrect password.
|
|
+Defaults !insults
|
|
+
|
|
+## Use this PATH instead of the user's to find commands.
|
|
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
|
##
|
|
## Uncomment to restore the historic behavior where a command is run in
|
|
## the user's own terminal.
|
|
@@ -81,7 +72,6 @@
|
|
## Set maxseq to a smaller number if you don't have unlimited disk space.
|
|
# Defaults log_output
|
|
# Defaults!/usr/bin/sudoreplay !log_output
|
|
-# Defaults!/usr/local/bin/sudoreplay !log_output
|
|
# Defaults!REBOOT !log_output
|
|
# Defaults maxseq = 1000
|
|
##
|
|
@@ -95,6 +85,12 @@
|
|
## slower by these options and also can clutter up the logs.
|
|
# Defaults!PKGMAN !intercept, !log_subcmds
|
|
|
|
+## In the default (unconfigured) configuration, sudo asks for the root password.
|
|
+## This allows use of an ordinary user account for administration of a freshly
|
|
+## installed system.
|
|
+Defaults targetpw # ask for the password of the target user i.e. root
|
|
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
|
+
|
|
##
|
|
## Runas alias specification
|
|
##
|
|
@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
|
|
## Same thing without a password
|
|
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
|
|
|
|
-## Uncomment to allow members of group sudo to execute any command
|
|
-# %sudo ALL=(ALL:ALL) ALL
|
|
-
|
|
-## Uncomment to allow any user to run sudo if they know the password
|
|
-## of the user they are running the command as (root by default).
|
|
-# Defaults targetpw # Ask for the password of the target user
|
|
-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
|
-
|
|
## Read drop-in files from @sysconfdir@/sudoers.d
|
|
@includedir @sysconfdir@/sudoers.d
|