pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
sudo/sudo-sudoers.patch
Dirk Mueller 7c6c82c48c Accepting request 738914 from home:vitezslav_cizek:branches:Base:System 
- Update to 1.8,28p1
  * The fix for Bug #869 caused "sudo -v" to prompt for a password
    when "verifypw" is set to "all" (the default) and all of the
    user's sudoers entries are marked with NOPASSWD.  Bug #901.

- Update to 1.8.28
 * Fixed CVE-2019-14287 (bsc#1153674),
   a bug where a sudo user may be able to
   run a command as root when the Runas specification explicitly
   disallows root access as long as the ALL keyword is listed first.
   * Sudo will now only set PAM_TTY to the empty string when no
   terminal is present on Solaris and Linux.  This workaround is
   only needed on those systems which may have PAM modules that
   misbehave when PAM_TTY is not set.
 * The mailerflags sudoers option now has a default value even if
   sendmail support was disabled at configure time.  Fixes a crash
   when the mailerpath sudoers option is set but mailerflags is not.
   Bug #878.
 * Sudo will now filter out last login messages on HP-UX unless it
   a shell is being run via "sudo -s" or "sudo -i".  Otherwise,
   when trusted mode is enabled, these messages will be displayed
   for each command.
 * Sudo has a new -B command line option that will ring the terminal
   bell when prompting for a password.
 * Sudo no longer refuses to prompt for a password when it cannot
   determine the user's terminal as long as it can open /dev/tty.
   This allows sudo to function on systems where /proc is unavailable,
   such as when running in a chroot environment.
 * The "env_editor" sudoers flag is now on by default.  This makes
   source builds more consistent with the packages generated by

OBS-URL: https://build.opensuse.org/request/show/738914
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
2019-10-28 10:04:59 +00:00

116 lines
4.7 KiB
Diff
Raw Blame History

Index: sudo-1.8.28/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200
+++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200
@@ -32,30 +32,23 @@
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-##
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+## Path that will be used for every command run from sudo
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
@@ -66,9 +59,15 @@
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
@@ -84,14 +83,6 @@ root ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
## (the '#' here does not indicate a comment)
#includedir @sysconfdir@/sudoers.d
Index: sudo-1.8.28/doc/sudoers.mdoc.in
===================================================================
--- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200
+++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200
@@ -1972,7 +1972,7 @@ is present in the
.Em env_keep
list, both of which are strongly discouraged.
This flag is
-.Em off
+.Em on
by default.
.It authenticate
If set, users must authenticate themselves via a password (or other
@@ -2364,7 +2364,7 @@ If set,
.Nm sudo
will insult users when they enter an incorrect password.
This flag is
-.Em @insults@
+.Em off
by default.
.It log_host
If set, the host name will be logged in the (non-syslog)
@@ -2941,7 +2941,7 @@ database as an argument to the
.Fl u
option.
This flag is
-.Em off
+.Em on
by default.
.It tty_tickets
If set, users must authenticate on a per-tty basis.
Reference in New Issue View Git Blame Copy Permalink