pool/sudo
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity
Files
slfo-1.2
sudo/sudo.spec
Simon Lees 391a744635 - Update to 1.9.17p1 
* Fix a possible local privilege escalation via the --host option
    [bsc#1245274, CVE-2025-32462]
  * Fix a possible local privilege Escalation via chroot option
    [bsc#1245275, CVE-2025-32463]
- Update to 1.9.17
  * Sudo now uses the NODEV macro consistently. Bug #1074.
    Fixed a bug where the ALL command in a sudoers rule would 
    override a previous NOSETENV tag. Command tags are inherited from
    previous Cmnds in a Cmnd_Spec_List. There is a special case for 
    the SETENV tag with the ALL command, where SETENV is implied if
    no explicit SETENV or NOSETENV tag is specified. This special 
    case did not take into account that a NOSETENV tag that was inherited 
    should override this behavior.
  * If sudo is run via ssh without a terminal and a password is required,
    it now suggest using ssh’s -t option.
  * Fixed the display of timeout values in the sudo -V output on systems
    without a C99-compliant snprintf() function.
  * Quieted a number of minor Coverity warnings.
  * Fixed a problem running sudo from a serial console on Linux when the
    command is run in a pseudo-terminal (the default).
  * Fixed a crash in sudo which could occur if there was a fatal error
    after the user was validated but before the command was actually run.
  * Fixed a number of man page style warnings. The “lint” make target in
    the docs directory will now run groff with warnings enabled if it is
    available. Bug #1075.
  * The ignore_dot sudoers setting is now on by default. There is now a
    --disable-ignore-dot configure option to disable it. The 
    --with-ignore-dot configure option has been deprecated.
  * Fixed a problem with the pwfeedback option where an initial backspace
    would reduce the maximum length allowed for the password. 
    GitHub issue #439.
  * Fixed minor grammar and spelling problems in the man pages.
  * Fixed a bug where a user could avoid entering a password for sudo -l
    command if they specified their own user or group name via the -u or
    -g options.
  * Avoid potential password guessing based on timing attacks on the 
    strcmp() function on systems without PAM or a crypt() function where
    plaintext passwords are stored in the shadow password file.
  * Fixed a potential information leak where sudo -l command could be used
    to determine whether an executable exists in a directory that they do
    not have search access to.
  * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again.
    A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due
    to some systems having bugs related to TCSAFLUSH. That should no longer
    be a concern. Using TCSAFLUSH ensures that password input that has been
    received by the kernel, but not yet read by sudo, will be discarded and
    not echoed.
  * Added the SUDO_TTY environment variable if the user has a terminal. 
    This can be used to find the user’s original tty device when sudo runs
    the command in its own pseudo-terminal. GitHub issue #447.
  * New Cantonese translation for sudo.

OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=258
2025-06-30 20:28:18 +00:00

342 lines
11 KiB
RPMSpec
Raw Permalink Blame History

#
# spec file for package sudo
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if %{defined _distconfdir} && 0%{?suse_version} >= 1600
%define confdir %{_distconfdir}
%define confmode 0444
%else
%define confdir %{_sysconfdir}
%define confmode 0440
%endif
Name: sudo
Version: 1.9.17p1
Release: 0
Summary: Execute some commands as root
License: ISC
Group: System/Base
URL: https://www.sudo.ws/
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
Source2: %{name}.keyring
Source3: sudo.pamd
Source4: sudo-i.pamd
Source5: README.SUSE
Source6: fate_313276_test.sh
Source7: README_313276.test
Source8: 50-wheel-auth-self.conf
Source9: 51-wheel.rules
Source10: system-group-sudo.conf
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: zlib-devel
Requires(pre): coreutils
Requires(pre): permissions
Recommends: sudo-plugin-python
%description
Sudo is a command that allows users to execute some commands as root.
%if %{defined _distconfdir}
Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
(in that order, whichever one it finds first), to determine what users have
%else
The %{_sysconfdir}/sudoers file specifies which users have
%endif
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password to initialize a check period of a
given time N (where N is defined at installation and is set to 5
minutes by default). Administrators can edit the sudoers file with 'visudo'.
%package plugin-python
Summary: Plugin API for python
Group: System/Base
Requires: %{name} = %{version}
%description plugin-python
This package contains the sudo plugin which allows to write sudo plugins
in python. The API closely follows the C sudo plugin API described by
sudo_plugin(5).
%package devel
Summary: Header files needed for sudo plugin development
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}
%description devel
These header files are needed for building of sudo plugins.
%package test
Summary: Tests for the package
Group: Development/Tools/Other
Requires: %{name} = %{version}
%description test
Tests for fate#313276
%package policy-wheel-auth-self
Summary: Users in the wheel group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(wheel)
%description policy-wheel-auth-self
Sudo authentication policy that allows users in the wheel group to
authenticate as root with their own password
%package policy-sudo-auth-self
Summary: Users in the sudo group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(sudo)
%description policy-sudo-auth-self
Sudo authentication policy that allows users in the sudo group to
authenticate as root with their own password
%package -n system-group-sudo
Summary: System group 'sudo'
Group: System/Fhs
%{sysusers_requires}
%description -n system-group-sudo
This package provides the system group 'sudo'.
%prep
%autosetup -p1
%build
%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
%ifarch s390 s390x %{sparc}
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
export LDFLAGS="-pie"
%configure \
--libexecdir=%{_libexecdir}/sudo \
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \
%if %{defined _distconfdir}
--prefix=/usr \
--sysconfdir=%{_distconfdir} \
--enable-adminconf=%{_sysconfdir} \
%endif
--with-pam \
--with-pam-login \
--with-ldap \
--with-selinux \
--with-linux-audit \
--with-logfac=auth \
--with-all-insults \
--with-ignore-dot \
--with-tty-tickets \
--enable-shell-sets-home \
--enable-warnings \
--enable-python \
--enable-openssl \
--with-sendmail=%{_sbindir}/sendmail \
--with-sudoers-mode=0440 \
--with-env-editor \
--without-secure-path \
--with-passprompt="[sudo] password for %%p: " \
--with-rundir=%{_localstatedir}/lib/sudo \
--with-sssd
%if 0%{?sle_version} < 150000
# the SLES12 way
%make_build
%else
# -B required to make every build give the same result - maybe from bad build deps in Makefiles?
%make_build -B
%endif
%install
%make_install install_uid=`id -u` install_gid=`id -g`
%if 0%{?suse_version} <= 1500
sed -i '/^session/s/common-session-nonlogin/common-session/g' %{SOURCE3}
%endif
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/sudo
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/sudo-i
%else
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/sudo
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/sudo-i
%endif
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{confdir}/sudoers.dist
%if %{defined _distconfdir}
# Move /etc to /usr/etc/
mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d
chmod 644 %{buildroot}%{_distconfdir}/sudoers
echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
%endif
install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang
# tests
install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -d %{buildroot}%{_licensedir}/%{name}
rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
%if %{defined _distconfdir}
%pre
# move outdated pam.d/*.rpmsave files away
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done
test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
%endif
%post
[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
%set_permissions %{_bindir}/sudo
%endif
%tmpfiles_create %{_tmpfilesdir}/sudo.conf
%verifyscript
%verify_permissions -e %{_bindir}/sudo
%pre -n system-group-sudo -f sudo.pre
%files -f %{name}.lang
%license LICENSE.md
%doc %{_docdir}/%{name}
%{_mandir}/man1/cvtsudoers.1%{?ext_man}
%{_mandir}/man5/sudoers.5%{?ext_man}
%{_mandir}/man5/sudo.conf.5%{?ext_man}
%{_mandir}/man5/sudoers.ldap.5%{?ext_man}
%{_mandir}/man5/sudoers_timestamp.5%{?ext_man}
%{_mandir}/man8/sudo.8%{?ext_man}
%{_mandir}/man8/sudoedit.8%{?ext_man}
%{_mandir}/man8/sudoreplay.8%{?ext_man}
%{_mandir}/man8/visudo.8%{?ext_man}
%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
%attr(0750,root,root) %dir %{confdir}/sudoers.d
%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
%if %{defined _distconfdir}
%{_pam_vendordir}/sudo
%{_pam_vendordir}/sudo-i
%else
%config(noreplace) %{_sysconfdir}/pam.d/sudo
%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
%endif
%attr(4755,root,root) %{_bindir}/sudo
%{_bindir}/sudoedit
%{_bindir}/sudoreplay
%{_bindir}/cvtsudoers
%{_sbindir}/visudo
%{_sbindir}/sudo_logsrvd
%{_sbindir}/sudo_sendlog
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/sesh
%{_libexecdir}/%{name}/sudo_noexec.so
%dir %{_libexecdir}/%{name}/%{name}
%{_libexecdir}/%{name}/%{name}/sudoers.so
%{_libexecdir}/%{name}/%{name}/group_file.so
%{_libexecdir}/%{name}/%{name}/system_group.so
%{_libexecdir}/%{name}/%{name}/audit_json.so
%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
%{_libexecdir}/%{name}/libsudo_util.so.*
%attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/sudo.conf
%files plugin-python
%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
%{_libexecdir}/%{name}/%{name}/python_plugin.so
%files devel
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man5/sudo_plugin.5%{?ext_man}
%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
%{_libexecdir}/%{name}/sudo/*.la
%{_libexecdir}/%{name}/*.la
%files test
%{_localstatedir}/lib/tests
%files policy-wheel-auth-self
%{confdir}/sudoers.d/50-wheel-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-wheel.rules
%files policy-sudo-auth-self
%{confdir}/sudoers.d/50-sudo-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-sudo.rules
%files -n system-group-sudo
%defattr(-,root,root)
%{_sysusersdir}/system-group-sudo.conf
%changelog
Reference in New Issue View Git Blame Copy Permalink