Dirk Mueller
07a0c03b9a
Update to upstream release 1.8.7, obsoleted patches. OBS-URL: https://build.opensuse.org/request/show/181200 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=53
1021 lines
43 KiB
Plaintext
-------------------------------------------------------------------
Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com

- Update to upstream release 1.8.7
  * especially all local patches are obsoleted by upstream fixes

-------------------------------------------------------------------
Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com

- added two security fixes:
  * CVE-2013-1775 (bnc#806919)
    + sudo-1.8.6p3-CVE-2013-1775.patch
  * CVE-2013-1776 (bnc#806921)
    + sudo-1.8.6p3-CVE-2013-1776.patch

-------------------------------------------------------------------
Mon Dec 3 10:58:10 UTC 2012 - cfarrell@suse.com

- license update: ISC
  Look at the license file

-------------------------------------------------------------------
Sun Nov 4 20:32:52 UTC 2012 - crrodriguez@opensuse.org

- sudo 1.8.6p3
  * Support for using the System Security Services Daemon (SSSD) as a source of sudoers data
  * Fixed a race condition that could cause sudo to receive SIGTTOU (and stop)
    when resuming a shell that was run via sudo when I/O logging (and use_pty) is not enabled.
  * The sudoers plugin now takes advantage of symbol visibility controls when supported by the compiler or linker.
  * Sending SIGTSTP directly to the sudo process will now suspend
    the running command when I/O logging (and use_pty) is not enabled.

-------------------------------------------------------------------
Fri Oct 26 15:34:58 UTC 2012 - coolo@suse.com

- add explicit buildrequire on groff

-------------------------------------------------------------------
Wed Jun 13 19:08:05 CEST 2012 - vuntz@opensuse.org

- Update to version 1.8.5p2:
  + Fixed use of the SUDO_ASKPASS environment variable which was
    broken in Sudo 1.8.5.
  + Fixed a problem reading the sudoers file when the file mode is
    more restrictive than the expected mode. For example, when the
    expected sudoers file mode is 0440 but the actual mode is 0400.
- Changes from version 1.8.5p1:
  + Fixed a bug that prevented files in an include directory from
    being evaluated.

-------------------------------------------------------------------
Wed May 16 15:27:32 UTC 2012 - vcizek@suse.com

- update to 1.8.5
  Some of the changes:
  * /etc/environment is no longer read directly on Linux systems when
    PAM is used. Sudo now merges the PAM environment into the user's
    environment which is typically set by the pam_env module.
  * The plugin API has been extended
  * The policy plugin's init_session function is now called by the
    parent sudo process, not the child process that executes the command.
    This allows the PAM session to be opened and closed in the same process,
    which some PAM modules require.
  * A new group provider plugin, system_group, is included
  * Fixed a potential security issue in the matching of hosts against
    an IPv4 network specified in sudoers. The flaw may allow a user who
    is authorized to run commands on hosts belonging to one IPv4
    network to run commands on a different host (CVE-2012-2337)

-------------------------------------------------------------------
Fri Mar 9 14:19:44 UTC 2012 - vcizek@suse.com

- update to 1.8.4p2
  Some of the changes:
  * The -D flag in sudo has been replaced with a more general
    debugging framework that is configured in sudo.conf.
  * Fixed a crash with sudo -i when a runas group was specified
    without a runas user.
  * New Serbian and Spanish translations for sudo from translationproject.org.
  * LDAP-based sudoers may now access by group ID in addition to group name.
  * visudo will now fix the mode on the sudoers file even if no
    changes are made unless the -f option is specified.
  * On systems that use login.conf, sudo -i now sets environment
    variables based on login.conf
  * values in the LDAP search expression are now escaped as per RFC 4515
  * The deprecated "noexec_file" sudoers option is no longer supported.
  * Fixed a race condition when I/O logging is not enabled that could
    result in tty-generated signals (e.g. control-C) being received
    by the command twice.
  * visudo -c will now list any include files that were checked in
    addition to the main sudoers file when everything parses OK.
  * Users that only have read-only access to the sudoers file may
    now run visudo -c. Previously, write permissions were required
    even though no writing is done in check-only mode.

-------------------------------------------------------------------
Tue Jan 31 12:30:58 UTC 2012 - vcizek@suse.com

- update to 1.8.3p2
  * Fixed a format string vulnerability when the sudo binary
    (or a symbolic link to the sudo binary) contains printf
    format escapes and the -D (debugging) flag is used.

-------------------------------------------------------------------
Wed Jan 25 15:09:14 UTC 2012 - vcizek@suse.com

- honour global CFLAGS and LDFLAGS when compiling sesh,
  to avoid rpmlint error (bnc#743157)

-------------------------------------------------------------------
Wed Jan 4 16:54:23 UTC 2012 - vcizek@suse.com

- update to sudo-1.8.3p1
  * Fixed a crash in the monitor process on Solaris when NOPASSWD
    was specified or when authentication was disabled.
  * Fixed matching of a Runas_Alias in the group section of a Runas_Spec.

-------------------------------------------------------------------
Wed Dec 28 06:45:07 UTC 2011 - aj@suse.de

- Set timedir correctly

-------------------------------------------------------------------
Mon Oct 24 08:42:33 UTC 2011 - vcizek@suse.com

- update to sudo-1.8.3
  - Fixed expansion of strftime() escape sequences
    in the log_dir sudoers setting.
  - Esperanto, Italian and Japanese
    translations from translationproject.org.
  - Added --enable-werror configure option for gcc's
    -Werror flag.
  - Visudo no longer
    assumes all editors support the +linenumber command line argument.
    It now uses a whitelist of editors known to support the option.
  - Fixed matching of network addresses when a netmask is specified but
    the address is not the first one in the CIDR block.
  - The configure script now checks whether or not errno.h declares the
    errno variable. Previously, sudo would always declare errno itself
    for older systems that don't declare it in errno.h.
  - The NOPASSWD tag is now honored for denied commands too,
    which matches historic sudo behavior (prior to sudo 1.7.0).
  - Sudo now honors the DEREF
    setting in ldap.conf which controls how alias dereferencing is done
    during an LDAP search.
  - A symbol conflict with the
    pam_ssh_agent_auth PAM module that would cause a crash has been
    resolved.
  - The inability to load a group provider plugin is no
    longer a fatal error.
  - A potential crash in the utmp handling
    code has been fixed.
  - Two PAM session issues have been resolved.
    In previous versions of sudo, the PAM session was opened as one
    user and closed as another. Additionally, if no authentication was
    performed, the PAM session would never be closed.
  - The LOGNAME,
    USER and USERNAME environment variables are preserved correctly
    again in sudoedit mode.
- grp-include.patch no longer needed

-------------------------------------------------------------------
Thu Oct 13 00:59:49 UTC 2011 - prusnak@opensuse.org

- updated to sudo-1.8.2
  * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
    language support (NLS). This can be disabled by passing configure
    the --disable-nls option. Sudo will use gettext(), if available,
    to display translated messages. All translations are coordinated
    via The Translation Project, http://translationproject.org/.
  * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
    RTLD_LOCAL. This fixes missing symbol problems in PAM modules
    on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
  * I/O logging is now supported for commands run in background mode
    (using sudo's -b flag).
  * Group ownership of the sudoers file is now only enforced when
    the file mode on sudoers allows group readability or writability.
  * Visudo now checks the contents of an alias and warns about cycles
    when the alias is expanded.
  * If the user specifies a group via sudo's -g option that matches
    the target user's group in the password database, it is now
    allowed even if no groups are present in the Runas_Spec.
  * The sudo Makefiles now have more complete dependencies which are
    automatically generated instead of being maintained manually.
  * The "use_pty" sudoers option is now correctly passed back to the
    sudo front end. This was missing in previous versions of sudo
    1.8 which prevented "use_pty" from being honored.
  * "sudo -i command" now works correctly with the bash version
    2.0 and higher. Previously, the .bash_profile would not be
    sourced prior to running the command unless bash was built with
    NON_INTERACTIVE_LOGIN_SHELLS defined.
  * When matching groups in the sudoers file, sudo will now match
    based on the name of the group instead of the group ID. This can
    substantially reduce the number of group lookups for sudoers
    files that contain a large number of groups.
  * Multi-factor authentication is now supported on AIX.
  * Added support for non-RFC 4517 compliant LDAP servers that require
    that seconds be present in a timestamp, such as Tivoli Directory Server.
  * If the group vector is to be preserved, the PATH search for the
    command is now done with the user's original group vector.
  * For LDAP-based sudoers, the "runas_default" sudoOption now works
    properly in a sudoRole that contains a sudoCommand.
  * Spaces in command line arguments for "sudo -s" and "sudo -i" are
    now escaped with a backslash when checking the security policy.
- added missing include (grp-include.patch)

-------------------------------------------------------------------
Fri May 20 12:10:45 UTC 2011 - puzel@novell.com

- update to sudo-1.8.1p2
  - Two-character CIDR-style IPv4 netmasks are now matched
    correctly in the sudoers file.
  - A non-existent includedir is now treated the same as an empty
    directory and not reported as an error.
  - Removed extraneous parens in LDAP filter when
    sudoers_search_filter is enabled that can cause an LDAP search
    error.
  - A new LDAP setting, sudoers_search_filter, has been added to
    ldap.conf. This setting can be used to restrict the set of
    records returned by the LDAP query. Based on changes from
    Matthew Thomas.
  - White space is now permitted within a User_List when used in
    conjunction with a per-user Defaults definition.
  - A group ID (%#gid) may now be specified in a User_List or
    Runas_List. Likewise, for non-Unix groups the syntax is
    %:#gid.
  - Support for double-quoted words in the sudoers file has been
    fixed. The change in 1.7.5 for escaping the double quote
    character caused the double quoting to only be available at the
    beginning of an entry.
  - The fix for resuming a suspended shell in 1.7.5 caused problems
    with resuming non-shells on Linux. Sudo will now save the
    process group ID of the program it is running on suspend and
    restore it when resuming, which fixes both problems.
  - A bug that could result in corrupted output in "sudo -l" has
    been fixed.
  - Sudo will now create an entry in the utmp (or utmpx) file when
    allocating a pseudo-tty (e.g. when logging I/O). The
    "set_utmp" and "utmp_runas" sudoers file options can be used to
    control this. Other policy plugins may use the "set_utmp" and
    "utmp_user" entries in the command_info list.
  - The sudoreplay utility now supports arbitrary session IDs.
    Previously, it would only work with the base-36 session IDs
    that the sudoers plugin uses by default.
  - Sudo now passes "run_shell=true" to the policy plugin in the
    settings list when sudo's -s command line option is specified.
    The sudoers policy plugin uses this to implement the "set_home"
    sudoers option which was missing from sudo 1.8.0.
  - The "noexec" functionality has been moved out of the sudoers
    policy plugin and into the sudo front-end, which matches the
    behavior documented in the plugin writer's guide. As a result,
    the path to the noexec file is now specified in the sudo.conf
    file instead of the sudoers file.
  - The exit values for "sudo -l", "sudo -v" and "sudo -l command"
    have been fixed in the sudoers policy plugin.
  - Sudo now parses command line arguments before loading any
    plugins. This allows "sudo -V" or "sudo -h" to work even if
    there is a problem with sudo.conf
- drop sudo-dont-ignore-LDFLAGS.patch (merged upstream)

-------------------------------------------------------------------
Thu Mar 17 10:24:49 UTC 2011 - puzel@novell.com

- update to sudo-1.8.0
  * Sudo has been refactored to use a modular framework that can
    support third-party policy and I/O logging plugins.
  * Defaults settings that are tied to a user, host or command may
    now include the negation operator. For example:
        Defaults:!millert lecture
    will match any user but millert.
  * The default PATH environment variable, used when no PATH
    variable exists, now includes /usr/sbin and /sbin.
  * Support for logging I/O for the command being run.
  * Sudo will now use the Linux audit system.
  + See /usr/share/doc/packages/sudo/NEWS for full list
- new configure script flags: enable-warnings, with-linux-audit,
  docdir, with-sendmail
- BuildRequires += audit-devel
- BuildRequires -= postfix
- PreReq += permissions
- add sudo-dont-ignore-LDFLAGS.patch
- drop sudo-1.7.1-defaults.diff (insults disabled in sudoers)
- drop sudo-1.7.1-__P.diff (no more __P in sudo sources)
- drop sudo-1.7.1-strip.diff (sudo no longer strips binaries)
- drop sudo-CVE-2011-0010.patch (in upstream)
- drop sudo-1.7.1-secure_path.diff (sudo now adds /sbin and
  /usr/sbin to $PATH if it is empty)
- drop sudo-1.7.1-pam_rhost.diff (fixed in upstream)
- sudo-1.7.1-sudoers.diff renamed to sudo-sudoers.patch
- sudo-1.7.1-env.diff renamed to sudoers2ldif-env.patch
- do not package *.pod files
- use %verifyscript
- timestamp directory moved from /var/run/sudo to /var/lib/sudo
- better commented default /etc/sudoers
- packaged /etc/sudoers.d directory
- new sudo-devel subpackage
- cleaned specfile

-------------------------------------------------------------------
Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com

- added openldap schema file (bnc#667558)

-------------------------------------------------------------------
Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com

- add sudo-CVE-2011-0010.patch (bnc#663881)

-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de

- use %_smp_mflags

-------------------------------------------------------------------
Tue Jun 15 21:23:02 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.7.2p7:
  * portability fixes

- changes from 1.7.2p6:
  * Handle duplicate variables in the environment
  * visudo: fix a crash when checking a sudoers file that has aliases
    that reference themselves
  * aliases: fix use after free in error message when a duplicate
    alias exists
  * visudo: prevent NULL dereference in printf()

- removed sudo-CVE-2010-1163.patch (merged upstream)

- removed sudo-CVE-2010-1646.patch (merged upstream)

-------------------------------------------------------------------
Wed Jun 2 10:32:42 UTC 2010 - puzel@novell.com

- add sudo-CVE-2010-1646.patch (bnc#594738)

-------------------------------------------------------------------
Tue May 18 15:52:10 UTC 2010 - puzel@novell.com

- add sudo-CVE-2010-1163.patch (bnc#594738)

-------------------------------------------------------------------
Wed Feb 24 16:19:35 UTC 2010 - prusnak@suse.cz

- updated to 1.7.2p4
  * Fixed the expansion of the %h escape in #include file names
    introduced in sudo 1.7.1.
  * Fixed a bug where the negation operator in a Cmnd_List
    was not being honored.
  * No longer produce a parse error when #includedir references
    a directory that contains no valid filenames.
  * The sudo.man.pl and sudoers.man.pl files are now included
    in the distribution for people who wish to regenerate the man pages.
  * Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
  * When authenticating via PAM, set PAM_RUSER and PAM_RHOST early
    so they can be used during authentication.
  * Fix printing of entries with multiple host entries on
    a single line.
  * Fix use after free when sending error messages via email.
  * Use setrlimit64(), if available, instead of setrlimit()
    when setting AIX resource limits since rlim_t is 32bits.
  * Fix size arg when realloc()ing include stack.
  * Avoid a duplicate fclose() of the sudoers file.
  * Fix a bug that could allow users with permission to run sudoedit
    to run arbitrary commands.

-------------------------------------------------------------------
Tue Jan 26 22:48:31 CET 2010 - jengelh@medozas.de

- SPARC requires large PIE model

-------------------------------------------------------------------
Mon Jul 13 14:43:20 CEST 2009 - prusnak@suse.cz

- updated to 1.7.2
  * A new #includedir directive is available in sudoers. This can be
    used to implement an /etc/sudo.d directory. Files in an includedir
    are not edited by visudo unless they contain a syntax error.
  * The -g option did not work properly when only setting the group
    (and not the user). Also, in -l mode the wrong user was displayed
    for sudoers entries where only the group was allowed to be set.
  * Fixed a problem with the alias checking in visudo which
    could prevent visudo from exiting.
  * Sudo will now correctly parse the shell-style /etc/environment
    file format used by pam_env on Linux.
  * When doing password and group database lookups, sudo will only
    cache an entry by name or by id, depending on how the entry was
    looked up. Previously, sudo would cache by both name and id
    from a single lookup, but this breaks sites that have multiple
    password or group database names that map to the same uid or
    gid.
  * User and group names in sudoers may now be enclosed in double
    quotes to avoid having to escape special characters.
  * BSM audit fixes when changing to a non-root uid.
  * Experimental non-Unix group support. Currently only works with
    Quest Authorization Services and allows Active Directory groups
    fixes for Minix-3.
  * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
    paths may be specified as a directory or a file. However, version
    5.0 of the SDK only appears to support using a directory (despite
    documentation to the contrary). If SSL client initialization
    fails and the certificate or key paths look like they could be
    default file name, strip off the last path element and try again.
  * A setenv() compatibility fix for Linux systems, where a NULL
    value is treated the same as an empty string and the variable
    name is checked against the NULL pointer.

-------------------------------------------------------------------
Mon Apr 27 17:37:00 CEST 2009 - prusnak@suse.cz

- updated to 1.7.1
  * A new Defaults option "pwfeedback" will cause sudo to provide visual
    feedback when the user is entering a password.
  * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
    function for file name globbing instead of glob(). When this option
    is enabled, sudo will not check the file system when expanding wildcards.
    This is faster but a side effect is that relative paths with wildcard
    will no longer work.
  * The file name specified with the #include directive may now include
    a %h escape which is expanded to the short form of hostname.
  * The -k flag may now be specified along with a command, causing the
    user's timestamp file to be ignored.
  * The unused alias checks in visudo now handle the case of an alias
    referring to another alias.

-------------------------------------------------------------------
Mon Jan 26 13:54:15 CET 2009 - prusnak@suse.cz

- updated to 1.7.0
  * Rewritten parser that converts sudoers into a set of data structures.
    This eliminates a number of ordering issues and makes it possible to
    apply sudoers Defaults entries before searching for the command. It
    also adds support for per-command Defaults specifications.
  * Sudoers now supports a #include facility to allow the inclusion of
    other sudoers-format files.
  * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user may run
      a specific command.
    o a new -U flag can be used in conjunction with sudo -l to allow root
      (or a user with sudo ALL) to list another user's privileges.
  * A new -g flag has been added to allow the user to specify a primary group
    to run the command as. The sudoers syntax has been extended to include
    a group section in the Runas specification.
  * A uid may now be used anywhere a username is valid.
  * The secure_path run-time Defaults option has been restored.
  * Password and group data is now cached for fast lookups.
  * The file descriptor at which sudo starts closing all open files is now
    configurable via sudoers and, optionally, the command line.
  * visudo will now warn about aliases that are defined but not used.
  * The -i and -s command line flags now take an optional command to be run
    via the shell. Previously, the argument was passed to the shell as
    a script to run.
  * Improved LDAP support. SASL authentication may now be used in conjunction
    when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf
    may be used to enable Kerberos.
  * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
    to specify the sudoers order. E.g.:

        sudoers: ldap files

    to check LDAP, then /etc/sudoers. The default is files, even when LDAP
    support is compiled in. This differs from sudo 1.6 where LDAP was always
    consulted first.
  * Support for /etc/environment on AIX and Linux. If sudo is run with the -i
    flag, the contents of /etc/environment are used to populate the new
    environment that is passed to the command being run.
  * Sudo now ignores user .ldaprc files as well as system LDAP defaults.
    All LDAP configuration is now in /etc/ldap.conf (or whichever file was
    specified by configure's --with-ldap-conf-file option). If you are using
    TLS, you may now need to specify:

        tls_checkpeer no

    in sudo's ldap.conf unless ldap.conf references a valid certificate
    authority file(s).
  * If no terminal is available or if the new -A flag is specified, sudo
    will use a helper program to read the password if one is configured.
    Typically, this is a graphical password prompter such as ssh-askpass.
  * A new Defaults option, "mailfrom" that sets the value of the "From:"
    field in the warning/error mail. If unspecified, the login name of
    the invoking user is used.
  * Resource limits are now set to the default value for the user the command
    is being run as on AIX systems.
  * A new Defaults option, "env_file" that refers to a file containing
    environment variables to be set in the command being run.
  * A new -n flag is available which may be used to indicate that sudo should
    not prompt the user for a password and, instead, exit with an error if
    authentication is required.
  * A new Defaults option, "sudoers_locale" that can be used to set the locale
    to be used when parsing the sudoers file.
  * sudoedit now checks the EDITOR and VISUAL environment variables to make sure
    sudoedit is not re-invoking itself (or sudo). This allows one to set EDITOR
    to sudoedit without getting into an infinite loop for programs that need
    to invoke an editor such as crontab(1). Also added SUDO_EDITOR environment
    variable which is used by sudoedit in preference to EDITOR/VISUAL.
  * The versions of glob(3) and fnmatch(3) bundled with sudo now support POSIX
    character classes.
  * If sudo needs to prompt for a password and it is unable to disable echo
    (and no askpass program is defined), it will refuse to run unless the
    "visiblepw" Defaults option has been specified.
  * Prior to version 1.7.0, hitting enter/return at the Password: prompt would
    exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password.
    To exit sudo, the user must now press ^C or ^D at the prompt.

-------------------------------------------------------------------
Wed Aug 20 15:41:38 CEST 2008 - prusnak@suse.cz

- enabled SELinux support [Fate#303662]
- added comment about !env_reset into sudoers file

-------------------------------------------------------------------
Wed Aug 6 19:35:05 CEST 2008 - prusnak@suse.cz

- updated to 1.6.9p17
  * The -i flag should imply resetting the environment, as it did in
    sudo versions prior to 1.6.9. Also, the -i and -E flags are
    mutually exclusive.
  * Fixed the configure test for dirfd() under Linux.
  * Fixed test for whether -lintl is required to link.
  * Changed how sudo handles the child process when sending mail.
    This fixes a problem on Linux with the mail_always option.
  * Fixed a problem with line continuation characters inside of
    quoted strings.

- updated to 1.6.9p16
  * There was a missing space before the ldap libraries in the Makefile
    for some configurations.
  * LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
  * If the LDAP server could not be contacted and the user was not present
    in sudoers, a syntax error in sudoers was incorrectly reported.

-------------------------------------------------------------------
Wed Jul 30 11:37:52 CEST 2008 - prusnak@suse.cz

- fix note in manpage (added to sudoers.diff) [bnc#404710]
- added commented 'session optional pam_xauth.so' to pam [bnc#402818]

-------------------------------------------------------------------
Tue May 6 09:43:22 CEST 2008 - prusnak@suse.cz

- do not set PAM_RHOST (pam_rhost.diff) [bnc#386587]

-------------------------------------------------------------------
Thu Apr 24 11:15:40 CEST 2008 - prusnak@suse.cz

- updated to 1.6.9p15
  * updated libtool to version 1.5.26
  * fixed printing of default SELinux role and type in -V mode
  * the HOME environment variable is once again preserved by default,
    as per the documentation

-------------------------------------------------------------------
Wed Mar 19 16:54:10 CET 2008 - prusnak@suse.cz

- updated to 1.6.9p14
  * Moved LDAP options into a table for simplified parsing/setting.
  * Fixed a problem with how some LDAP options were being applied.
  * Added support for connecting directly to LDAP servers via SSL
    in addition to the existing start_tls support.
  * Fixed a compilation problem on SCO related to how they
    store the high resolution timestamps in struct stat.
  * Avoid checking the passwd file group multiple times
    in the LDAP query when the user's passwd group is also
    listed in the supplemental group vector.
  * The URI specifier can now be used in ldap.conf even when
    the LDAP SDK doesn't support ldap_initialize().
  * New %p prompt escape that expands to the user whose password
    is being prompted, as specified by the rootpw, targetpw and
    runaspw sudoers flags. Based on a diff from Patrick Schoenfeld.
  * Added a configure check for the ber_set_option() function.
  * Fixed a compilation problem with the HP-UX K&R C compiler.
  * Revamped the Kerberos 5 ticket verification code.
  * Added support for the checkpeer ldap.conf variable for
    netscape-based LDAP SDKs.
  * Fixed a problem where an incomplete password could be echoed
    to the screen if there was a read timeout.
  * Sudo will now set the nproc resource limit to unlimited on Linux
    systems to work around Linux's setuid() resource limit semantics.
    On PAM systems the resource limits will be reset by pam_limits.so
    before the command is executed.
  * SELinux support that can be used to implement role based access
    control (RBAC). A role and (optional) type may be specified
    in sudoers or on the command line. These are then used in the
    security context that the command is run as.
  * Fixed a Kerberos 5 compilation problem with MIT Kerberos.
  * Fixed an invalid assumption in the PAM conversation function
    introduced in version 1.6.9p9. The conversation function may
    be called for non-password reading purposes as well.
  * Fixed freeing an uninitialized pointer in -l mode, introduced in
    version 1.6.9p13.
  * Check /etc/sudoers after LDAP even if the user was found in LDAP.
    This allows Defaults options in /etc/sudoers to take effect.
  * Add missing checks for enforcing mode in SELinux RBAC mode.
- dropped obsoleted patch:
  * prompt.patch (included in update)

-------------------------------------------------------------------
Tue Dec 4 14:41:14 CET 2007 - prusnak@suse.cz

- updated to 1.6.9p9
  * the ALL command in sudoers now implies SETENV permissions
  * the command search is now performed using the target user's
    auxiliary group vector too
  * when determining if the PAM prompt is the default "Password: ",
    compare the localized version if possible
  * added passprompt_override flag to sudoers to cause sudo's prompt
    to be used in all cases, also set when the -p flag is used

-------------------------------------------------------------------
Tue Nov 6 11:11:13 CET 2007 - prusnak@suse.cz

- updated to 1.6.9p8
  * fixed a bug where a sudoers entry with no runas user specified
    was treated differently from a line with the default runas user
    explicitly specified

-------------------------------------------------------------------
Tue Oct 30 12:17:37 CET 2007 - prusnak@suse.cz

- updated to 1.6.9p7
  * go back to using TCSAFLUSH instead of TCSADRAIN when turning off
    echo during password reading
  * fixed a configure bug that was preventing the addition of -lutil
    for login.conf support on FreeBSD and NetBSD
  * add configure check for struct in6_addr since some systems define
    AF_INET6 but have no real IPv6 support

-------------------------------------------------------------------
Wed Oct 10 11:45:19 CEST 2007 - prusnak@suse.cz

- update to 1.6.9p6
  * worked around bugs in the session support of some PAM
    implementations
  * the full tty path is now passed to PAM as well
  * sudo now only prints the password prompt if the process is in
    the foreground
  * inttypes.h is now included when appropriate if it is present
  * simplified alias allocation in the parser

-------------------------------------------------------------------
|
|
Tue Sep 25 12:07:05 CEST 2007 - prusnak@suse.cz
|
|
|
|
- update to 1.6.9p5
|
|
* fixed a bug related to supplemental group matching
|
|
* added IPv6 support from YOSHIFUJI Hideaki
|
|
* fixed the sudo_noexec installation path
|
|
* fixed a compilation error on old K&R-style compilers
|
|
* fixed a bug in the IP address matching introduced by the IPV6 merge
|
|
* for "visudo -f file" we now use the permissions of the original file
|
|
and not the hard-coded sudoers owner/group/mode
|
|
(this makes it possible to use visudo with a revision control system)
|
|
* fixed sudoedit when used on a non-existent file
|
|
* regenerated configure using autoconf 2.6.1 and libtool 1.5.24
|
|
* groups and netgroups are now valid in an LDAP sudoRunas statement
|
|
- dropped obsolete patches:
|
|
* groupmatch.patch (included in update)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 28 11:41:51 CEST 2007 - prusnak@suse.cz
|
|
|
|
- build --without-secure-path
|
|
- hardcoded secure path changed to /usr/sbin:/bin:/usr/bin:/sbin
|
|
(secure_path.diff)
|
|
- user can now add PATH variable to env_keep in /etc/sudoers
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 14 11:02:58 CEST 2007 - prusnak@suse.cz
|
|
|
|
- added XDG_SESSION_COOKIE to env_keep variables [#298943]
|
|
- fixed supplemental group matching (groupmatch.patch)
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Aug 11 13:06:53 CEST 2007 - schwab@suse.de
|
|
|
|
- Avoid command line parsing bug in autoconf < 2.59c.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 31 10:18:36 CEST 2007 - prusnak@suse.cz

- updated to 1.6.9p2
  * fixed a crash in the error logging function
  * worked around a crash when no tty was present in some PAM
    implementations
  * fixed updating of the saved environment when the environ pointer
    gets changed out from underneath us

-------------------------------------------------------------------
Tue Jul 24 15:49:47 CEST 2007 - prusnak@suse.cz

- updated to 1.6.9
  * added to the list of variables to remove from the environment
  * fixed a Kerberos V security issue that could allow a user to
    authenticate using a fake KDC
  * PAM is now the default on systems where it is supported
  * removed POSIX saved uid use; the stay_setuid option now requires
    the setreuid() or setresuid() functions to work
  * fixed fd leak when lecture file option is enabled
  * PAM fixes
  * security fix for Kerberos5
  * fixed securid5 authentication
  * added fcntl F_CLOSEM support to closefrom()
  * sudo now uses the supplemental group vector for matching
  * added more environment variables to remove by default
  * mail from sudo now includes an Auto-Submitted: auto-generated header
  * reworked the environment handling code
  * remove the --with-execv option, it was not useful
  * use TCSADRAIN instead of TCSAFLUSH in tgetpass() since some OSes
    have issues with TCSAFLUSH
  * use glob(3) instead of fnmatch(3) for matching pathnames
  * reworked the syslog long line splitting code based on changes
    from Eygene Ryabinkin
  * visudo will now honor command line arguments in the EDITOR or VISUAL
    environment variables if env_editor is enabled
  * LDAP now honors rootbinddn, timelimit and bind_timelimit in /etc/ldap.conf
  * For LDAP, do a sub tree search instead of a base search (one level in
    the tree only) for sudo right objects
  * env_reset option is now enabled by default
  * moved LDAP schema data into separate files
  * sudo no longer assumes that gr_mem in struct group is non-NULL
  * added support for setting environment variables on the command line
    if the command has the SETENV attribute set in sudoers
  * added a -E flag to preserve the environment if the SETENV attribute
    has been set
  * sudoers2ldif script now parses Runas users
  * -- flag now behaves as documented
  * sudo -k/-K no longer cares if the timestamp is in the future
  * when searching for the command, sudo now uses the effective gid of
    the runas user
  * sudo no longer updates the timestamp if not validated by sudoers
  * now rebuild environment regardless of how sudo was invoked
  * more accurate usage() when called as sudoedit
  * command line environment variables are now treated like normal
    environment variables unless the SETENV tag is set
  * better explanation of environment handling in the sudo man page
- changed '/usr/bin/env perl' to '/usr/bin/env' in sudoers2ldif
  script (env.diff)
- dropped obsoleted patches:
  * sudo-1.6.8p12-conf.diff
  * sudo-1.6.8p12-configure.diff

-------------------------------------------------------------------
Tue Jul 17 10:57:40 CEST 2007 - prusnak@suse.cz

- added note about special input method variables into /etc/sudoers
  (sudoers.diff) [#222728]

-------------------------------------------------------------------
Fri Jan 26 13:16:15 CET 2007 - prusnak@suse.cz

- packaged script sudoers2ldif
  * can be used for importing /etc/sudoers to LDAP
  * more info at http://www.sudo.ws/sudo/readme_ldap.html

-------------------------------------------------------------------
Wed Jan 24 10:36:48 CET 2007 - prusnak@suse.cz

- added sudoers permission change to %post section of spec file

-------------------------------------------------------------------
Thu Nov 30 14:12:34 CET 2006 - prusnak@suse.cz

- package /etc/sudoers as 0440 [Fate#300934]

-------------------------------------------------------------------
Wed Nov 29 18:29:23 CET 2006 - prusnak@suse.cz

- protect locale-related environment variables from resetting (sudoers.diff) [#222728]

-------------------------------------------------------------------
Wed Oct 4 19:35:18 CEST 2006 - mjancar@suse.cz

- enable LDAP support (#159774)

-------------------------------------------------------------------
Wed Jun 14 16:55:52 CEST 2006 - schwab@suse.de

- Fix quoting in configure script.

-------------------------------------------------------------------
Wed Mar 8 15:22:15 CET 2006 - mjancar@suse.cz

- don't limit access to local group users (#151938)

-------------------------------------------------------------------
Fri Jan 27 09:23:26 CET 2006 - mjancar@suse.cz

- set environment and sudo search PATH to SECURE_PATH
  only when env_reset (#145687)

-------------------------------------------------------------------
Thu Jan 26 13:28:28 CET 2006 - schwab@suse.de

- Fix syntax error in /etc/sudoers.

-------------------------------------------------------------------
Thu Jan 26 12:03:48 CET 2006 - mjancar@suse.cz

- fix PATH always reset (#145687)

-------------------------------------------------------------------
Wed Jan 25 21:41:52 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Sun Jan 15 20:40:26 CET 2006 - schwab@suse.de

- Don't strip binaries.

-------------------------------------------------------------------
Tue Jan 10 16:31:46 CET 2006 - mjancar@suse.cz

- fix CVE-2005-4158 (#140300)
  * compile with --with-secure-path
  * use always_set_home and env_reset by default
- document purpose of the default asking for root password

-------------------------------------------------------------------
Wed Dec 21 19:55:27 CET 2005 - mjancar@suse.cz

- update to 1.6.8p12

-------------------------------------------------------------------
Fri Dec 9 10:01:27 CET 2005 - ro@suse.de

- disabled selinux

-------------------------------------------------------------------
Tue Aug 2 20:42:18 CEST 2005 - mjancar@suse.cz

- update to 1.6.8p9

-------------------------------------------------------------------
Mon Jun 20 11:50:45 CEST 2005 - anicka@suse.cz

- build position independent binaries

-------------------------------------------------------------------
Mon Feb 28 15:30:42 CET 2005 - ro@suse.de

- update to 1.6.8p7

-------------------------------------------------------------------
Mon Nov 15 14:58:45 CET 2004 - kukuk@suse.de

- Use common PAM config files

-------------------------------------------------------------------
Mon Sep 13 16:00:56 CEST 2004 - ro@suse.de

- undef __P first

-------------------------------------------------------------------
Tue Apr 6 07:12:34 CEST 2004 - kukuk@suse.de

- fix default permissions of sudo

-------------------------------------------------------------------
Fri Mar 26 01:18:52 CET 2004 - ro@suse.de

- added postfix to neededforbuild

-------------------------------------------------------------------
Wed Feb 25 13:02:03 CET 2004 - lnussel@suse.de

- Add comment and warning for 'Defaults targetpw' to config file

-------------------------------------------------------------------
Thu Jan 29 15:57:53 CET 2004 - kukuk@suse.de

- Fix sudo configuration broken by last patch

-------------------------------------------------------------------
Wed Jan 28 10:55:29 CET 2004 - kukuk@suse.de

- Add SELinux patch

-------------------------------------------------------------------
Thu Jan 22 18:45:07 CET 2004 - ro@suse.de

- package /etc/sudoers as 0640

-------------------------------------------------------------------
Fri Jan 16 13:26:31 CET 2004 - kukuk@suse.de

- Add pam-devel to neededforbuild

-------------------------------------------------------------------
Sun Jan 11 09:29:32 CET 2004 - adrian@suse.de

- build as user

-------------------------------------------------------------------
Fri Nov 7 16:20:57 CET 2003 - schwab@suse.de

- Fix quoting in configure script.

-------------------------------------------------------------------
Wed Sep 10 11:06:04 CEST 2003 - mjancar@suse.cz

- move the defaults to better place in /etc/sudoers (#30282)

-------------------------------------------------------------------
Mon Aug 25 15:21:16 CEST 2003 - mjancar@suse.cz

- update to 1.6.7p5
  * Fixed a problem with large numbers
    of environment variables.
- more useful defaults (#28056)

-------------------------------------------------------------------
Wed May 14 10:44:53 CEST 2003 - mjancar@suse.cz

- update to version 1.6.7p4

-------------------------------------------------------------------
Fri Feb 7 13:49:00 CET 2003 - kukuk@suse.de

- Use pam_unix2.so instead of pam_unix.so

-------------------------------------------------------------------
Wed Jun 5 15:18:21 CEST 2002 - pmladek@suse.cz

- updated to version 1.6.6
- removed obsolete heap-overflow fix in prompt patch

-------------------------------------------------------------------
Mon Apr 22 14:56:46 CEST 2002 - pmladek@suse.cz

- fixed a heap-overflow (prompt patch)
- fixed prompt behaviour, %% is always translated to % (prompt patch)

-------------------------------------------------------------------
Tue Feb 12 12:23:08 CET 2002 - pmladek@suse.cz

- insults are really off by default now [#13134]
- sudo.pamd moved from patch to sources
- used %defattr(-,root,root)

-------------------------------------------------------------------
Thu Jan 24 10:17:00 CET 2002 - postadal@suse.cz

- updated to version 1.6.5p2

-------------------------------------------------------------------
Thu Jan 17 18:47:02 CET 2002 - pmladek@suse.cz

- updated to version 1.6.5p1
- removed obsolete security patch (to not run mailer as root),
  sudo runs mailer again as root but with hard-coded environment

-------------------------------------------------------------------
Wed Jan 2 12:36:17 CET 2002 - pmladek@suse.cz

- applied security patch from Sebastian Krahmer <krahmer@suse.de>
  to not run mailer as root
- NOTIFY_BY_EMAIL enabled

-------------------------------------------------------------------
Tue Oct 30 22:58:33 CET 2001 - bjacke@suse.de

- make /etc/sudoers (noreplace)

-------------------------------------------------------------------
Wed Aug 15 16:17:35 CEST 2001 - pmladek@suse.cz

- updated to version 1.6.3p7

-------------------------------------------------------------------
Tue Aug 14 18:05:55 CEST 2001 - ro@suse.de

- Don't use absolute paths to PAM modules in PAM config files

-------------------------------------------------------------------
Tue Feb 27 11:17:10 CET 2001 - pblaha@suse.cz

- update to 1.6.3p6 to fix potential security problems

-------------------------------------------------------------------
Mon Jun 26 17:39:24 CEST 2000 - schwab@suse.de

- Add %suse_update_config.

-------------------------------------------------------------------
Thu May 4 15:57:08 CEST 2000 - smid@suse.cz

- upgrade to 1.6.3
- buildroot added

-------------------------------------------------------------------
Tue Apr 4 17:55:40 CEST 2000 - uli@suse.de

- added "--with-env-editor" to configure call

-------------------------------------------------------------------
Wed Mar 1 16:08:27 CET 2000 - schwab@suse.de

- Specfile cleanup, remove Makefile.Linux
- /usr/man -> /usr/share/man

-------------------------------------------------------------------
Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de

- ran old prepare_spec on spec file to switch to new prepare_spec.

-------------------------------------------------------------------
Wed Jun 9 17:19:36 MEST 1999 - kukuk@suse.de

- update to version 1.5.9p1
- enable PAM

----------------------------------------------------------------------------
Wed Nov 6 00:13:26 CET 1996 - florian@suse.de

- update to version 1.5.2

- sudo has changed a lot, please check the sudo documentation