Accepting request 403502 from home:stroeder:branches:Base:System

update to upstream release 1.8.17 OBS-URL: https://build.opensuse.org/request/show/403502 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=103
2016-06-19 21:14:17 +00:00 · 2016-06-19 21:14:17 +00:00 · 2edf02caab
commit 2edf02caab
parent 3f2b10cef4
7 changed files with 54 additions and 106 deletions
--- a/sudo-1.8.16-pam_groups.patch
+++ b/sudo-1.8.16-pam_groups.patch
@ -1,100 +0,0 @@
 # HG changeset patch
 # User Todd C. Miller <Todd.Miller@courtesan.com>
 # Date 1461862918 21600
 # Node ID 814cda6025419e40b417f7d797757e11259feef2
 # Parent  ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
 Do group setup in policy_init_session() before calling out to the
 plugin.  This makes it possible for the pam_group module to change
 the group in pam_setcred().  It's a bit bogus since pam_setcred()
 is documented as not changing the group or user ID, but pam_group
 is shipped with stock Linux-PAM so we need to support it.
 diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
 --- a/src/sudo.c	Tue Apr 26 14:39:42 2016 -0600
 +++ b/src/sudo.c	Thu Apr 28 11:01:58 2016 -0600
@@ -939,7 +939,8 @@
 }
 /*
 - * Setup the execution environment immediately prior to the call to execve()
 + * Setup the execution environment immediately prior to the call to execve().
 + * Group setup is performed by policy_init_session(), called earlier.
  * Returns true on success and false on failure.
  */
 bool
@@ -1018,30 +1019,6 @@
 #endif /* HAVE_LOGIN_CAP_H */
     }
 -    /*
 -     * Set groups, including supplementary group vector.
 -     */
 -    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
 -	if (details->ngroups >= 0) {
 -	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
 -		sudo_warn(U_("unable to set supplementary group IDs"));
 -		goto done;
 -	    }
 -	}
 -    }
 -#ifdef HAVE_SETEUID
 -    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
 -	sudo_warn(U_("unable to set effective gid to runas gid %u"),
 -	    (unsigned int)details->egid);
 -	goto done;
 -    }
 -#endif
 -    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
 -	sudo_warn(U_("unable to set gid to runas gid %u"),
 -	    (unsigned int)details->gid);
 -	goto done;
 -    }
 -
     if (ISSET(details->flags, CD_SET_PRIORITY)) {
 	if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
 	    sudo_warn(U_("unable to set process priority"));
@@ -1365,6 +1342,35 @@
     int rval = true;
     debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
 +    /*
 +     * We set groups, including supplementary group vector,
 +     * as part of the session setup.  This allows for dynamic
 +     * groups to be set via pam_group(8) in pam_setcred(3).
 +     */
 +    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
 +	if (details->ngroups >= 0) {
 +	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
 +		sudo_warn(U_("unable to set supplementary group IDs"));
 +		rval = -1;
 +		goto done;
 +	    }
 +	}
 +    }
 +#ifdef HAVE_SETEUID
 +    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
 +	sudo_warn(U_("unable to set effective gid to runas gid %u"),
 +	    (unsigned int)details->egid);
 +	rval = -1;
 +	goto done;
 +    }
 +#endif
 +    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
 +	sudo_warn(U_("unable to set gid to runas gid %u"),
 +	    (unsigned int)details->gid);
 +	rval = -1;
 +	goto done;
 +    }
 +
     if (policy_plugin.u.policy->init_session) {
 	/*
 	 * Backwards compatibility for older API versions
@@ -1381,6 +1387,7 @@
 	}
 	sudo_debug_set_active_instance(sudo_debug_instance);
     }
 +done:
     debug_return_int(rval);
 }
--- a/sudo-1.8.16.tar.gz
+++ b/sudo-1.8.16.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2d83826fc5125bf073acc203dbda1cf2abeee017090ccc9dddb0431a53d5064d
 size 2707358
--- a/sudo-1.8.16.tar.gz.sig
+++ b/sudo-1.8.16.tar.gz.sig
--- a/sudo-1.8.17.tar.gz
+++ b/sudo-1.8.17.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:62b12c4fa9a3ad4f20f6e7576bc6405b2ec8d76222ea44a1c94830c68cccec8c
 size 2786216
--- a/sudo-1.8.17.tar.gz.sig
+++ b/sudo-1.8.17.tar.gz.sig
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,53 @@
 -------------------------------------------------------------------
 Sun Jun 19 14:01:44 UTC 2016 - michael@stroeder.com
 - removed obsolete patch sudo-1.8.16-pam_groups.patch
 - update to 1.8.17:
 * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
   but pam_start(3) fails, fall back to AIX authentication.
   Bug #740.
 * Sudo now takes all sudoers sources into account when determining
   whether or not "sudo -l" or "sudo -b" should prompt for a password.
   In other words, if both file and ldap sudoers sources are in
   specified in /etc/nsswitch.conf, "sudo -v" will now require that
   all entries in both sources be have NOPASSWD (file) or !authenticate
   (ldap) in the entries.
 * Sudo now ignores SIGPIPE until the command is executed.  Previously,
   SIGPIPE was only ignored in a few select places.  Bug #739.
 * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
   file entries were missing the newline when loglinelen is set to
   a non-positive number.  Bug #742.
 * Unix groups are now set before the plugin session intialization
   code is run.  This makes it possible to use dynamic groups with
   the Linux-PAM pam_group module.
 * Fixed a bug where a debugging statement could dereference a NULL
   pointer when looking up a group that doesn't exist.  Bug #743.
 * Sudo has been run through the Coverity code scanner.  A number of
   minor bugs have been fixed as a result.  None were security issues.
 * SELinux support, which was broken in 1.8.16, has been repaired.
 * Fixed a bug when logging I/O where all output buffers might not
   get flushed at exit.
 * Forward slashes are no longer escaped in the JSON output of
   "visudo -x".  This was never required by the standard and not
   escaping them improves readability of the output.
 * Sudo no longer treats PAM_SESSION_ERR as a fatal error when
   opening the PAM session.  Other errors from pam_open_session()
   are still treated as fatal.  This avoids the "policy plugin
   failed session initialization" error message seen on some systems.
 * Korean translation for sudo and sudoers from translationproject.org.
 * Fixed a bug on AIX where the stack size hard resource limit was
   being set to 2GB instead of 4GB on 64-bit systems.
 * The SSSD backend now properly supports "sudo -U otheruser -l".
 * The SSSD backend now uses the value of "ipa_hostname"
   from sssd.conf, if specified, when matching the host name.
 * Fixed a hang on some systems when the command is being run in
   a pty and it failed to execute.
 * When performing a wildcard match in sudoers, check for an exact
   string match if the user command was fully-qualified (or resolved
   via the PATH).  This fixes an issue executing scripts on Linux
   when there are multiple wildcard matches with the same base name.
   Bug #746.
 -------------------------------------------------------------------
 Mon May 23 08:22:12 UTC 2016 - egeorget@openmailbox.org
--- a/sudo.spec
+++ b/sudo.spec
@ -17,7 +17,7 @@
 Name:           sudo
-Version:        1.8.16
+Version:        1.8.17
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -33,7 +33,6 @@ Source6:        %{name}.keyring
 Patch0:         sudoers2ldif-env.patch
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch1:         sudo-sudoers.patch
 Patch2:         sudo-1.8.16-pam_groups.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@ -75,7 +74,6 @@ Tests for fate#313276
 %setup -q
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %build
 %ifarch s390 s390x %sparc