diff --git a/sudo-1.9.8p2.tar.gz b/sudo-1.9.8p2.tar.gz
deleted file mode 100644
index a05ea02..0000000
--- a/sudo-1.9.8p2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9e3b8b8da7def43b6e60c257abe80467205670fd0f7c081de1423c414b680f2d
-size 4302256
diff --git a/sudo-1.9.8p2.tar.gz.sig b/sudo-1.9.8p2.tar.gz.sig
deleted file mode 100644
index ffe9371..0000000
Binary files a/sudo-1.9.8p2.tar.gz.sig and /dev/null differ
diff --git a/sudo-1.9.9.tar.gz b/sudo-1.9.9.tar.gz
new file mode 100644
index 0000000..69e033b
--- /dev/null
+++ b/sudo-1.9.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
+size 4456969
diff --git a/sudo-1.9.9.tar.gz.sig b/sudo-1.9.9.tar.gz.sig
new file mode 100644
index 0000000..f89246d
Binary files /dev/null and b/sudo-1.9.9.tar.gz.sig differ
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
index 2484adb..3db0d09 100644
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -1,7 +1,7 @@
-Index: sudo-1.8.31/plugins/sudoers/sudoers.in
+Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ===================================================================
---- sudo-1.8.31.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.31/plugins/sudoers/sudoers.in
+--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.9/plugins/sudoers/sudoers.in
 @@ -32,30 +32,23 @@
 ##
 ## Defaults specification
@@ -67,48 +67,17 @@ Index: sudo-1.8.31/plugins/sudoers/sudoers.in ## ## Runas alias specification ## -@@ -84,13 +84,5 @@ +@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password - # %wheel ALL=(ALL) NOPASSWD: ALL + # %wheel ALL=(ALL:ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command --# %sudo ALL=(ALL) ALL +-# %sudo ALL=(ALL:ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user --# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' +-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - ## Read drop-in files from @sysconfdir@/sudoers.d @includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.31/doc/sudoers.mdoc.in -=================================================================== ---- sudo-1.8.31.orig/doc/sudoers.mdoc.in -+++ sudo-1.8.31/doc/sudoers.mdoc.in -@@ -1985,7 +1985,7 @@ is present in the - .Em env_keep - list, both of which are strongly discouraged. - This flag is --.Em off -+.Em on - by default. - .It authenticate - If set, users must authenticate themselves via a password (or other -@@ -2376,7 +2376,7 @@ If set, - .Nm sudo - will insult users when they enter an incorrect password. - This flag is --.Em @insults@ -+.Em off - by default. - .It log_allowed - If set, -@@ -3009,7 +3009,7 @@ database as an argument to the - .Fl u - option. - This flag is --.Em off -+.Em on - by default. - .It tty_tickets - If set, users must authenticate on a per-tty basis. diff --git a/sudo.changes b/sudo.changes index 692583d..29d806a 100644 --- a/sudo.changes +++ b/sudo.changes 
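Review bot: The refreshed sudo-sudoers.patch no longer carries the three doc/sudoers.mdoc.in hunks that changed the documented defaults (two flags from `off` to `on`, which from the surrounding man-page text look like always_set_home and targetpw, and the insults flag from `@insults@` to `off`), yet sudo.changes records this only as "refreshed sudo-sudoers.patch". The part of the patch that edits the Defaults section of sudoers.in lies outside this hunk, so it is not visible whether the shipped sudoers still enables those settings. If it does, sudoers(5) will now describe the upstream defaults while the installed policy behaves differently, which matters to anyone auditing whose password sudo asks for. Either keep the man-page hunks or say so in the changelog, e.g. `- sudo-sudoers.patch: drop doc/sudoers.mdoc.in hunks, man page now documents upstream defaults`.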
@@ -1,3 +1,98 @@ +------------------------------------------------------------------- +Tue Feb 1 02:27:04 UTC 2022 - Simon Lees + +- Update to 1.9.9 + * Sudo can now be built with OpenSSL 3.0 without generating + warnings about deprecated OpenSSL APIs. + * A digest can now be specified along with the ALL command in + the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for + this in the sudoers file but did not include corresponding + changes for the other back-ends. + * visudo now only warns about an undefined alias or a cycle in + an alias once for each alias. + * The sudoRole cn was truncated by a single character in warning + messages. GitHub issue #115. + * The cvtsudoers utility has new --group-file and --passwd-file + options to use a custom passwd or group file when the + --match-local option is also used. + * The cvtsudoers utility can now filter or match based on a command. + * The cvtsudoers utility can now produce output in csv + (comma-separated value) format. This can be used to help generate + entitlement reports. + * Fixed a bug in sudo_logsrvd that could result in the connection + being dropped for very long command lines. + * Fixed a bug where sudo_logsrvd would not accept a restore point + of zero. + * Fixed a bug in visudo where the value of the editor setting was + not used if it did not match the user’s EDITOR environment + variable. This was only a problem if the env_editor setting was + not enabled. Bug #1000. + * Sudo now builds with the -fcf-protection compiler option and the + -z now linker option if supported. + * The output of sudoreplay -l now more closely matches the + traditional sudo log format. + * The sudo_sendlog utility will now use the full contents of the + log.json file, if present. This makes it possible to send + sudo-format I/O logs that use the newer log.json format to + sudo_logsrvd without losing any information. 
+ * Fixed compilation of the arc4random_buf() replacement on systems + with arc4random() but no arc4random_buf(). Bug #1008. + * Sudo now uses its own getentropy() by default on Linux. The GNU + libc version of getentropy() will fail on older kernels that + don’t support the getrandom() system call. + * It is now possible to build sudo with WolfSSL’s OpenSSL + compatibility layer by using the --enable-wolfssl configure + option. + * Fixed a bug related to Daylight Saving Time when parsing + timestamps in Generalized Time format. This affected the NOTBEFORE + and NOTAFTER options in sudoers. Bug #1006. + * Added the -O and -P options to visudo, which can be used to check + or set the owner and permissions. This can be used in conjunction + with the -c option to check that the sudoers file ownership and + permissions are correct. Bug #1007. + * It is now possible to set resource limits in the sudoers file + itself. The special values default and “user” refer to the + default system limit and invoking user limit respectively. The + core dump size limit is now set to 0 by default unless overridden + by the sudoers file. + * The cvtsudoers utility can now merge multiple sudoers sources into + a single, combined sudoers file. If there are conflicting entries, + cvtsudoers will attempt to resolve them but manual intervention + may be required. The merging of sudoers rules is currently fairly + simplistic but will be improved in a future release. + * Sudo was parsing but not applying the “deref” and “tls_reqcert” + ldap.conf settings. This meant the options were effectively ignored + which broke dereferencing of aliases in LDAP. Bug #1013. + * Clarified in the sudo man page that the security policy may + override the user’s PATH environment variable. Bug #1014. + * When sudo is run in non-interactive mode (with the -n option), it + will now attempt PAM authentication and only exit with an error if + user interaction is required. 
This allows PAM modules that don’t + interact with the user to succeed. Previously, sudo would not + attempt authentication if the -n option was specified. Bug #956 + and GitHub issue #83. + * Fixed a regression introduced in version 1.9.1 when sudo is built + with the --with-fqdn configure option. The local host name was + being resolved before the sudoers file was processed, making it + impossible to disable DNS lookups by negating the fqdn sudoers + option. Bug #1016. + * Added support for negated sudoUser attributes in the LDAP and SSSD + sudoers back ends. A matching sudoUser that is negated will cause + the sudoRole containing it to be ignored. + * Fixed a bug where the stack resource limit could be set to a value + smaller than that of the invoking user and not be reset before the + command was run. Bug #1016. +- sudo no longer ships schema for LDAP. +- sudo-feature-negated-LDAP-users.patch dropped, included upstream +- refreshed sudo-sudoers.patch + +------------------------------------------------------------------- +Thu Jan 27 03:00:26 UTC 2022 - Simon Lees + +- Add support in the LDAP filter for negated users, patch taken + from upstream (jsc#20068) + * Adds sudo-feature-negated-LDAP-users.patch + ------------------------------------------------------------------- Wed Sep 22 12:27:51 UTC 2021 - Kristyna Streitova @@ -78,7 +173,7 @@ Wed Sep 22 12:27:51 UTC 2021 - Kristyna Streitova ------------------------------------------------------------------- Fri Jul 30 07:35:39 UTC 2021 - peter czanik -- update to 1.9.7p2 +- update to 1.9.7p2 - enabled openssl support for secure central session recording collection (without it's clear text) - fixed SLES12 build 
@@ -197,8 +292,8 @@ Wed May 12 15:22:11 UTC 2021 - Kristyna Streitova Bug #820. * Corrected the description of which groups may be specified via the -g option in the Runas_Spec section. Bug #975. - - + + ------------------------------------------------------------------- Sat Mar 20 18:25:12 UTC 2021 - Dirk Müller diff --git a/sudo.spec b/sudo.spec index 48730b6..9bb97bc 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ %define use_usretc 1 %endif Name: sudo -Version: 1.9.8p2 +Version: 1.9.9 Release: 0 Summary: Execute some commands as root License: ISC @@ -88,8 +88,7 @@ Requires: %{name} = %{version} Tests for fate#313276 %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build %ifarch s390 s390x %{sparc} @@ -140,7 +139,6 @@ install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/sudo-i rm -f %{buildroot}%{_bindir}/sudoedit ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema -install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/ rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf 
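Review bot: In the @@ -140,7 +139,6 @@ hunk the context line `install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema` is left in place directly above the removed `install -m 644 doc/schema.OpenLDAP ...`, so %install still creates an empty openldap/schema directory. The later @@ -213,9 +212,6 @@ hunk drops both `%dir` entries from %files, which leaves that directory created in the buildroot but owned by no package. Remove the `install -d` line together with the schema install so the buildroot matches the file list. The %install section starts and ends outside this hunk.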
@@ -154,9 +152,10 @@ cat sudoers.lang >> %{name}.lang install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo -install -d %{buildroot}%{_docdir}/%{name}-test -install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE %{buildroot}%{_docdir}/%{name}-test/LICENSE -rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE + +install -d %{buildroot}%{_licensedir}/%{name} +install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md +rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md %if %{defined use_usretc} %pre @@ -185,7 +184,7 @@ chmod 0440 %{_sysconfdir}/sudoers %verify_permissions -e %{_bindir}/sudo %files -f %{name}.lang -%license doc/LICENSE +%license doc/LICENSE.md %doc %{_docdir}/%{name} %{_mandir}/man1/cvtsudoers.1%{?ext_man} %{_mandir}/man5/sudoers.5%{?ext_man} @@ -213,9 +212,6 @@ chmod 0440 %{_sysconfdir}/sudoers %config(noreplace) %{_sysconfdir}/pam.d/sudo-i %endif %attr(4755,root,root) %{_bindir}/sudo -%dir %{_sysconfdir}/openldap -%dir %{_sysconfdir}/openldap/schema -%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema %{_bindir}/sudoedit %{_bindir}/sudoreplay %{_bindir}/cvtsudoers @@ -252,6 +248,5 @@ chmod 0440 %{_sysconfdir}/sudoers %files test %{_localstatedir}/lib/tests -%{_docdir}/%{name}-test/ %changelog
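Review bot: The manual copy into `%{buildroot}%{_licensedir}/%{name}/LICENSE.md` in the @@ -154,9 +152,10 @@ hunk looks redundant, because %files (hunk @@ -185,7 +184,7 @@) already has `%license doc/LICENSE.md`, which installs the same file from the source tree into the license directory. Only the removal from the doc directory appears to be needed, i.e. keep `rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md` and drop the two `install` lines above it. If the copy is intentional, a short comment such as `# keep LICENSE.md out of %doc, it is shipped via %license` would explain why the file is moved by hand.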