c10ea702eb
- Update to 1.9.14p1:
* Fixed an invalid free bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
* Fixed a bug where if the "intercept" or "log_subcmds" sudoers
option was enabled and a sub-command was run where the first
entry of the argument vector didn't match the command being run.
This resulted in commands like "sudo su -" being killed due to
the mismatch. Bug #1050.
* The sudoers plugin now canonicalizes command path names before
matching (where possible). This fixes a bug where sudo could
execute the wrong path if there are multiple symbolic links with
the same target and the same base name in sudoers that a user is
allowed to run. GitHub issue #228.
* Improved command matching when a chroot is specified in sudoers.
The sudoers plugin will now change the root directory id needed
before performing command matching. Previously, the root directory
was simply prepended to the path that was being processed.
* When NETGROUP_BASE is set in the ldap.conf file, sudo will now
perform its own netgroup lookups of the host name instead of
using the system innetgr(3) function. This guarantees that user
and host netgroup lookups are performed using the same LDAP
server (or servers).
* Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
" ; " separator between environment variables and the command
in log entries.
* The visudo utility now displays a warning when it ignores a file
in an include dir such as /etc/sudoers.d.
OBS-URL: https://build.opensuse.org/request/show/1098344
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=241
87 lines
3.9 KiB
Diff
87 lines
3.9 KiB
Diff
Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
|
|
===================================================================
|
|
--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in
|
|
+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in
|
|
@@ -32,32 +32,23 @@
|
|
##
|
|
## Defaults specification
|
|
##
|
|
-## You may wish to keep some of the following environment variables
|
|
-## when running commands via sudo.
|
|
-##
|
|
-## Locale settings
|
|
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
|
-##
|
|
-## Run X applications through sudo; HOME is used to find the
|
|
-## .Xauthority file. Note that other programs use HOME to find
|
|
-## configuration files and this may lead to privilege escalation!
|
|
-# Defaults env_keep += "HOME"
|
|
-##
|
|
-## X11 resource path settings
|
|
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
|
-##
|
|
-## Desktop path settings
|
|
-# Defaults env_keep += "QTDIR KDEDIR"
|
|
-##
|
|
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
|
-# Defaults env_keep += "XDG_SESSION_COOKIE"
|
|
-##
|
|
-## Uncomment to enable special input methods. Care should be taken as
|
|
-## this may allow users to subvert the command being run via sudo.
|
|
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
-##
|
|
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
|
|
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
+## Prevent environment variables from influencing programs in an
|
|
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
|
+Defaults always_set_home
|
|
+Defaults env_reset
|
|
+## Change env_reset to !env_reset in previous line to keep all environment variables
|
|
+## Following list will no longer be necessary after this change
|
|
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
+## Comment out the preceding line and uncomment the following one if you need
|
|
+## to use special input methods. This may allow users to compromise the root
|
|
+## account if they are allowed to run commands without authentication.
|
|
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
+
|
|
+## Do not insult users when they enter an incorrect password.
|
|
+Defaults !insults
|
|
+
|
|
+## Use this PATH instead of the user's to find commands.
|
|
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
|
##
|
|
## Uncomment to restore the historic behavior where a command is run in
|
|
## the user's own terminal.
|
|
@@ -72,10 +63,16 @@
|
|
## Set maxseq to a smaller number if you don't have unlimited disk space.
|
|
# Defaults log_output
|
|
# Defaults!/usr/bin/sudoreplay !log_output
|
|
-# Defaults!/usr/local/bin/sudoreplay !log_output
|
|
# Defaults!REBOOT !log_output
|
|
# Defaults maxseq = 1000
|
|
|
|
+## In the default (unconfigured) configuration, sudo asks for the root password.
|
|
+## This allows use of an ordinary user account for administration of a freshly
|
|
+## installed system. When configuring sudo, delete the two
|
|
+## following lines:
|
|
+Defaults targetpw # ask for the password of the target user i.e. root
|
|
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
|
+
|
|
##
|
|
## Runas alias specification
|
|
##
|
|
@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL
|
|
## Same thing without a password
|
|
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
|
|
|
|
-## Uncomment to allow members of group sudo to execute any command
|
|
-# %sudo ALL=(ALL:ALL) ALL
|
|
-
|
|
-## Uncomment to allow any user to run sudo if they know the password
|
|
-## of the user they are running the command as (root by default).
|
|
-# Defaults targetpw # Ask for the password of the target user
|
|
-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
|
-
|
|
## Read drop-in files from @sysconfdir@/sudoers.d
|
|
@includedir @sysconfdir@/sudoers.d
|