Marcus Meissner
27d016fa1b
- update to 1.8.9p3
- set secure_path to /usr/sbin:/usr/bin:/sbin:/bin
- changes since 1.8.8:
* Fixed a bug introduced in sudo 1.8.9 that prevented the tty name
from being resolved properly on Linux systems. Bug #630.
* Updated config.guess, config.sub and libtool to support the ppc64le
architecture (IBM PowerPC Little Endian).
* Fixed a problem with gcc 4.8's handling of bit fields that could
lead to the noexec flag being enabled even when it was not
explicitly set.
* Reworked sudo's main event loop to use a simple event subsystem
using poll(2) or select(2) as the back end.
* It is now possible to statically compile the sudoers plugin into
the sudo binary without disabling shared library support. The
sudo.conf file may still be used to configure other plugins.
* Sudo can now be compiled again with a C preprocessor that does
not support variadic macros.
* Visudo can now export a sudoers file in JSON format using the
new -x flag.
* The locale is now set correctly again for visudo and sudoreplay.
* The plugin API has been extended to allow the plugin to exclude
specific file descriptors from the "closefrom" range.
* There is now a workaround for a Solaris-specific problem where
NOEXEC was overriding traditional root DAC behavior.
* Add user netgroup filtering for SSSD. Previously, rules for
a netgroup were applied to all even when they did not belong
to the specified netgroup.
* On systems with BSD login classes, if the user specified a group
(not a user) to run the command as, it was possible to specify
a different login class even when the command was not run as the
OBS-URL: https://build.opensuse.org/request/show/213857
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=65
114 lines
4.6 KiB
Diff
114 lines
4.6 KiB
Diff
Index: sudo-1.8.9p3/plugins/sudoers/sudoers.in
|
|
===================================================================
|
|
--- sudo-1.8.9p3.orig/plugins/sudoers/sudoers.in 2014-01-07 19:08:50.000000000 +0100
|
|
+++ sudo-1.8.9p3/plugins/sudoers/sudoers.in 2014-01-14 12:06:45.178813991 +0100
|
|
@@ -31,37 +31,38 @@
|
|
##
|
|
## Defaults specification
|
|
##
|
|
-## You may wish to keep some of the following environment variables
|
|
-## when running commands via sudo.
|
|
-##
|
|
-## Locale settings
|
|
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
|
-##
|
|
-## Run X applications through sudo; HOME is used to find the
|
|
-## .Xauthority file. Note that other programs use HOME to find
|
|
-## configuration files and this may lead to privilege escalation!
|
|
-# Defaults env_keep += "HOME"
|
|
-##
|
|
-## X11 resource path settings
|
|
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
|
-##
|
|
-## Desktop path settings
|
|
-# Defaults env_keep += "QTDIR KDEDIR"
|
|
-##
|
|
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
|
-# Defaults env_keep += "XDG_SESSION_COOKIE"
|
|
-##
|
|
-## Uncomment to enable special input methods. Care should be taken as
|
|
-## this may allow users to subvert the command being run via sudo.
|
|
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
+## Prevent environment variables from influencing programs in an
|
|
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
|
+Defaults always_set_home
|
|
+## Path that will be used for every command run from sudo
|
|
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
|
+Defaults env_reset
|
|
+## Change env_reset to !env_reset in previous line to keep all environment variables
|
|
+## Following list will no longer be necessary after this change
|
|
+
|
|
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
+## Comment out the preceding line and uncomment the following one if you need
|
|
+## to use special input methods. This may allow users to compromise the root
|
|
+## account if they are allowed to run commands without authentication.
|
|
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
+
|
|
+## Do not insult users when they enter an incorrect password.
|
|
+Defaults !insults
|
|
+
|
|
##
|
|
## Uncomment to enable logging of a command's output, except for
|
|
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
|
|
# Defaults log_output
|
|
# Defaults!/usr/bin/sudoreplay !log_output
|
|
-# Defaults!/usr/local/bin/sudoreplay !log_output
|
|
# Defaults!/sbin/reboot !log_output
|
|
|
|
+## In the default (unconfigured) configuration, sudo asks for the root password.
|
|
+## This allows use of an ordinary user account for administration of a freshly
|
|
+## installed system. When configuring sudo, delete the two
|
|
+## following lines:
|
|
+Defaults targetpw # ask for the password of the target user i.e. root
|
|
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
|
+
|
|
##
|
|
## Runas alias specification
|
|
##
|
|
@@ -77,14 +78,6 @@ root ALL=(ALL) ALL
|
|
## Same thing without a password
|
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
|
|
|
-## Uncomment to allow members of group sudo to execute any command
|
|
-# %sudo ALL=(ALL) ALL
|
|
-
|
|
-## Uncomment to allow any user to run sudo if they know the password
|
|
-## of the user they are running the command as (root by default).
|
|
-# Defaults targetpw # Ask for the password of the target user
|
|
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
|
-
|
|
## Read drop-in files from @sysconfdir@/sudoers.d
|
|
## (the '#' here does not indicate a comment)
|
|
#includedir @sysconfdir@/sudoers.d
|
|
Index: sudo-1.8.9p3/doc/sudoers.mdoc.in
|
|
===================================================================
|
|
--- sudo-1.8.9p3.orig/doc/sudoers.mdoc.in 2014-01-07 19:08:50.000000000 +0100
|
|
+++ sudo-1.8.9p3/doc/sudoers.mdoc.in 2014-01-14 11:46:33.718336561 +0100
|
|
@@ -1609,7 +1609,7 @@ is present in the
|
|
.Em env_keep
|
|
list.
|
|
This flag is
|
|
-.Em off
|
|
+.Em on
|
|
by default.
|
|
.It authenticate
|
|
If set, users must authenticate themselves via a password (or other
|
|
@@ -1910,7 +1910,7 @@ If set,
|
|
.Nm sudo
|
|
will insult users when they enter an incorrect password.
|
|
This flag is
|
|
-.Em @insults@
|
|
+.Em off
|
|
by default.
|
|
.It log_host
|
|
If set, the host name will be logged in the (non-syslog)
|
|
@@ -2363,7 +2363,7 @@ database as an argument to the
|
|
.Fl u
|
|
option.
|
|
This flag is
|
|
-.Em off
|
|
+.Em on
|
|
by default.
|
|
.It tty_tickets
|
|
If set, users must authenticate on a per-tty basis.
|