Accepting request 1031218 from home:jsikes:branches:Base:System

Update to 1.9.12! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1031218
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=219

sudo-1.9.10-update_sudouser_to_utf8.patch

@@ -1,116 +0,0 @@
-From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
-From: William Brown <wbrown@suse.de>
-Date: Mon, 25 Jul 2022 15:21:39 +1000
-Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
-
-In most unix-style LDAP servers, uid is a utf8 string defined by
-OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
-as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
-that sudoUser could only represent a subset of possible values.
-
-In some cases when using sudoers.ldap, the uid from the machine
-which was utf8 was fed back into sudo which would then issue a
-search for sudoUsers. If this uid contained utf8 characters, the
-ldap server would refuse to match into sudoUsers because these
-were limited to IA5.
-
-This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
-that this change will not impact existing deployments and their
-rules.
----
- docs/schema.OpenLDAP | 14 +++++++-------
- docs/schema.iPlanet  |  6 +++---
- docs/schema.olcSudo  | 14 +++++++-------
- 3 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
-index e1d525f84..451c5250a 100644
---- a/docs/schema.OpenLDAP
-+++ b/docs/schema.OpenLDAP
-@@ -7,9 +7,9 @@
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
-     NAME 'sudoUser'
-     DESC 'User(s) who may  run sudo'
--    EQUALITY caseExactIA5Match
--    SUBSTR caseExactIA5SubstringsMatch
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SUBSTR caseExactSubstringsMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- 
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
-     NAME 'sudoHost'
-@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
-     NAME 'sudoRunAsUser'
-     DESC 'User(s) impersonated by sudo'
--    EQUALITY caseExactIA5Match
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- 
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
-     NAME 'sudoRunAsGroup'
-     DESC 'Group(s) impersonated by sudo'
--    EQUALITY caseExactIA5Match
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- 
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
-     NAME 'sudoNotBefore'
-diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
-index e51286436..56ad02bc0 100644
---- a/docs/schema.iPlanet
-+++ b/docs/schema.iPlanet
-@@ -1,11 +1,11 @@
- dn: cn=schema
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
--attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
-+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
-index 8748dfc2a..8948ca4ae 100644
---- a/docs/schema.olcSudo
-+++ b/docs/schema.olcSudo
-@@ -9,9 +9,9 @@ cn: sudoschema
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
-     NAME 'sudoUser'
-     DESC 'User(s) who may  run sudo'
--    EQUALITY caseExactIA5Match
--    SUBSTR caseExactIA5SubstringsMatch
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SUBSTR caseExactSubstringsMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
-     NAME 'sudoHost'
-@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
-     NAME 'sudoRunAsUser'
-     DESC 'User(s) impersonated by sudo'
--    EQUALITY caseExactIA5Match
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
-     NAME 'sudoRunAsGroup'
-     DESC 'Group(s) impersonated by sudo'
--    EQUALITY caseExactIA5Match
--    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-+    EQUALITY caseExactMatch
-+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
- #
- olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
-     NAME 'sudoNotBefore'

sudo-1.9.11p3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
-size 4826520

sudo-1.9.12.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de15733888170c56834daafd34bf983db10fb21039742fcfc396bd32168d6362
+size 4906320

sudo.changes

@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Tue Oct 25 23:41:55 UTC 2022 - Jason Sikes <jsikes@suse.com>
+
+- Update to 1.9.12:
+  * Dropped sudo-1.9.10-update_sudouser_to_utf8.patch
+  * Changes in Sudo 1.9.12:
+    * Fixed a bug when logging the command’s exit status in intercept mode.
+      The wrong command could be logged with the exit status.
+    * For ptrace-based intercept mode, sudo will now attempt to verify that
+      the command path name, arguments and environment have not changed from
+      the time when they were authorized by the security policy. The new
+      intercept_verify sudoers setting can be used to control this behavior.
+    * Fixed running commands with a relative path (e.g. ./foo) in intercept
+      mode. Previously, this would fail if sudo’s current working directory
+      was different from that of the command.
+    * Sudo now supports passing the execve(2) system call the NULL pointer
+      for the argv and/or envp arguments when in intercept mode. Linux treats
+      a NULL pointer like an empty array.
+    * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
+      sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.
+    * Fixed a problem with sudo -i on SELinux when the target user’s home
+      directory is not searchable by sudo. GitHub issue #160.
+    * Neovim has been added to the list of visudo editors that support passing
+      the line number on the command line.
+    * Fixed a bug in sudo’s SHA384 and SHA512 message digest padding.
+    * Added a new -N (no-update) command line option to sudo which can be used
+      to prevent sudo from updating the user’s cached credentials. It is now
+      possible to determine whether or not a user’s cached credentials are
+      currently valid by running:
+      $ sudo -Nnv
+      and checking the exit value. One use case for this is to indicate in a
+      shell prompt that sudo is “active” for the user.
+    * PAM approval modules are no longer invoked when running sub-commands in
+      intercept mode unless the intercept_authenticate option is set. There is
+      a substantial performance penalty for calling into PAM for each command
+      run. PAM approval modules are still called for the initial command.
+    * Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
+      if available.
+    * The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
+      This makes it possible for graphical applications to choose the correct
+      theme when run via sudo.
+    * On 64-bit systems, if sudo fails to load a sudoers group plugin, it will
+      use system-specific heuristics to try to locate a 64-bit version of the plugin.
+    * The cvtsudoers manual now documents the JSON and CSV output formats.
+      GitHub issue #172.
+    * Fixed a bug where sub-commands were not being logged to a remote log server
+      when log_subcmds was enabled. GitHub issue #174.
+    * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
+      sudoers settings can be used to support more fine-grained I/O logging.
+      The sudo front-end no longer allocates a pseudo-terminal when running a
+      command if the I/O logging plugin requests logging of stdin, stdout, or
+      stderr but not terminal input/output.
+    * Quieted a libgcrypt run-time initialization warning. This fixes Debian
+      bug #1019428 and Ubuntu bug #1397663.
+    * Fixed a bug in visudo that caused literal backslashes to be removed from
+      the EDITOR environment variable. GitHub issue #179.
+    * The sudo Python plugin now implements the find_spec method instead of the
+      the deprecated find_module. This fixes a test failure when a newer version
+      of setuptools that doesn’t include find_module is found on the system.
+    * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created the process
+      ID file, usually /var/run/sudo/sudo_logsrvd.pid, as a directory instead of a
+      plain file. The same bug could result in I/O log directories that end in six
+      or more X’s being created literally in addition to the name being used as a
+      template for the mkdtemp(3) function.
+    * Fixed a long-standing bug where a sudoers rule with a command line argument
+      of “”, which indicates the command may be run with no arguments, would also
+      match a literal "" on the command line. GitHub issue #182.
+    * Added the -I option to visudo which only edits the main sudoers file. Include
+      files are not edited unless a syntax error is found.
+    * Fixed sudo -l -U otheruser output when the runas list is empty. Previously,
+      sudo would list the invoking user instead of the list user. GitHub issue #183.
+    * Fixed the display of command tags and options in sudo -l output when the RunAs
+      user or group changes. A new line is started for RunAs changes which means we
+      need to display the command tags and options again. GitHub issue #184.
+    * The sesh helper program now uses getopt_long(3) to parse the command line options.
+    * The embedded copy of zlib has been updated to version 1.2.13.
+    * Fixed a bug that prevented event log data from being sent to the log server when
+      I/O logging was not enabled. This only affected systems without PAM or
+      configurations where the pam_session and pam_setcred options were disabled in
+      the sudoers file.
+    * Fixed a bug where sudo -l output included a carriage return after the newline.
+      This is only needed when displaying to a terminal in raw mode. Bug #1042.
+
 -------------------------------------------------------------------
 Sat Sep 10 01:48:29 UTC 2022 - Jason Sikes <jsikes@suse.com>
 

sudo.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sudo
-Version:        1.9.11p3
+Version:        1.9.12
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@@ -33,7 +33,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         sudo-1.9.10-update_sudouser_to_utf8.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@@ -121,7 +120,7 @@ export LDFLAGS="-pie"
     --with-sssd
 %if 0%{?sle_version} < 150000
 # the SLES12 way
-make %{?_smp_mflags} V=1
+%make_build
 %else
 # -B required to make every build give the same result - maybe from bad build deps in Makefiles?
 %make_build -B
@@ -227,7 +226,6 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_libexecdir}/%{name}/%{name}/group_file.so
 %{_libexecdir}/%{name}/%{name}/system_group.so
 %{_libexecdir}/%{name}/%{name}/audit_json.so
-%{_libexecdir}/%{name}/%{name}/sample_approval.so
 %{_libexecdir}/%{name}/%{name}/sudo_intercept.so
 %{_libexecdir}/%{name}/libsudo_util.so.*
 %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}