Accepting request 950730 from Base:System

OBS-URL: https://build.opensuse.org/request/show/950730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=127

sudo-1.9.8p2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9e3b8b8da7def43b6e60c257abe80467205670fd0f7c081de1423c414b680f2d
-size 4302256

sudo-1.9.9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
+size 4456969

sudo-sudoers.patch

@@ -1,7 +1,7 @@
-Index: sudo-1.8.31/plugins/sudoers/sudoers.in
+Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ===================================================================
---- sudo-1.8.31.orig/plugins/sudoers/sudoers.in
+--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.31/plugins/sudoers/sudoers.in
++++ sudo-1.9.9/plugins/sudoers/sudoers.in
 @@ -32,30 +32,23 @@
  ##
  ## Defaults specification
@@ -67,48 +67,17 @@ Index: sudo-1.8.31/plugins/sudoers/sudoers.in
  ##
  ## Runas alias specification
  ##
-@@ -84,13 +84,5 @@
+@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
  ## Same thing without a password
- # %wheel ALL=(ALL) NOPASSWD: ALL
+ # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
  
 -## Uncomment to allow members of group sudo to execute any command
--# %sudo	ALL=(ALL) ALL
+-# %sudo	ALL=(ALL:ALL) ALL
 -
 -## Uncomment to allow any user to run sudo if they know the password
 -## of the user they are running the command as (root by default).
 -# Defaults targetpw  # Ask for the password of the target user
--# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
 -
  ## Read drop-in files from @sysconfdir@/sudoers.d
  @includedir @sysconfdir@/sudoers.d
-Index: sudo-1.8.31/doc/sudoers.mdoc.in
-===================================================================
---- sudo-1.8.31.orig/doc/sudoers.mdoc.in
-+++ sudo-1.8.31/doc/sudoers.mdoc.in
-@@ -1985,7 +1985,7 @@ is present in the
- .Em env_keep
- list, both of which are strongly discouraged.
- This flag is
--.Em off
-+.Em on
- by default.
- .It authenticate
- If set, users must authenticate themselves via a password (or other
-@@ -2376,7 +2376,7 @@ If set,
- .Nm sudo
- will insult users when they enter an incorrect password.
- This flag is
--.Em @insults@
-+.Em off
- by default.
- .It log_allowed
- If set,
-@@ -3009,7 +3009,7 @@ database as an argument to the
- .Fl u
- option.
- This flag is
--.Em off
-+.Em on
- by default.
- .It tty_tickets
- If set, users must authenticate on a per-tty basis.

sudo.changes

@@ -1,3 +1,98 @@
+-------------------------------------------------------------------
+Tue Feb  1 02:27:04 UTC 2022 - Simon Lees <simonf.lees@suse.com>
+
+- Update to 1.9.9
+   * Sudo can now be built with OpenSSL 3.0 without generating
+     warnings about deprecated OpenSSL APIs.
+   * A digest can now be specified along with the ALL command in
+     the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
+     this in the sudoers file but did not include corresponding
+     changes for the other back-ends.
+   * visudo now only warns about an undefined alias or a cycle in
+     an alias once for each alias.
+   * The sudoRole cn was truncated by a single character in warning
+     messages. GitHub issue #115.
+   * The cvtsudoers utility has new --group-file and --passwd-file
+     options to use a custom passwd or group file when the
+     --match-local option is also used.
+   * The cvtsudoers utility can now filter or match based on a command.
+   * The cvtsudoers utility can now produce output in csv
+     (comma-separated value) format. This can be used to help generate
+     entitlement reports.
+   * Fixed a bug in sudo_logsrvd that could result in the connection
+     being dropped for very long command lines.
+   * Fixed a bug where sudo_logsrvd would not accept a restore point
+     of zero.
+   * Fixed a bug in visudo where the value of the editor setting was
+     not used if it did not match the user’s EDITOR environment
+     variable. This was only a problem if the env_editor setting was
+     not enabled. Bug #1000.
+   * Sudo now builds with the -fcf-protection compiler option and the
+     -z now linker option if supported.
+   * The output of sudoreplay -l now more closely matches the
+     traditional sudo log format.
+   * The sudo_sendlog utility will now use the full contents of the
+     log.json file, if present. This makes it possible to send
+     sudo-format I/O logs that use the newer log.json format to
+     sudo_logsrvd without losing any information.
+   * Fixed compilation of the arc4random_buf() replacement on systems
+     with arc4random() but no arc4random_buf(). Bug #1008.
+   * Sudo now uses its own getentropy() by default on Linux. The GNU
+     libc version of getentropy() will fail on older kernels that
+     don’t support the getrandom() system call.
+   * It is now possible to build sudo with WolfSSL’s OpenSSL
+     compatibility layer by using the --enable-wolfssl configure
+     option.
+   * Fixed a bug related to Daylight Saving Time when parsing
+     timestamps in Generalized Time format. This affected the NOTBEFORE
+     and NOTAFTER options in sudoers. Bug #1006.
+   * Added the -O and -P options to visudo, which can be used to check
+     or set the owner and permissions. This can be used in conjunction
+     with the -c option to check that the sudoers file ownership and
+     permissions are correct. Bug #1007.
+   * It is now possible to set resource limits in the sudoers file
+     itself. The special values default and “user” refer to the
+     default system limit and invoking user limit respectively. The
+     core dump size limit is now set to 0 by default unless overridden
+     by the sudoers file.
+   * The cvtsudoers utility can now merge multiple sudoers sources into
+     a single, combined sudoers file. If there are conflicting entries,
+     cvtsudoers will attempt to resolve them but manual intervention
+     may be required. The merging of sudoers rules is currently fairly
+     simplistic but will be improved in a future release.
+   * Sudo was parsing but not applying the “deref” and “tls_reqcert”
+     ldap.conf settings. This meant the options were effectively ignored
+     which broke dereferencing of aliases in LDAP. Bug #1013.
+   * Clarified in the sudo man page that the security policy may
+     override the user’s PATH environment variable. Bug #1014.
+   * When sudo is run in non-interactive mode (with the -n option), it
+     will now attempt PAM authentication and only exit with an error if
+     user interaction is required. This allows PAM modules that don’t
+     interact with the user to succeed. Previously, sudo would not
+     attempt authentication if the -n option was specified. Bug #956
+     and GitHub issue #83.
+   * Fixed a regression introduced in version 1.9.1 when sudo is built
+     with the --with-fqdn configure option. The local host name was
+     being resolved before the sudoers file was processed, making it
+     impossible to disable DNS lookups by negating the fqdn sudoers
+     option. Bug #1016.
+   * Added support for negated sudoUser attributes in the LDAP and SSSD
+     sudoers back ends. A matching sudoUser that is negated will cause
+     the sudoRole containing it to be ignored.
+   * Fixed a bug where the stack resource limit could be set to a value
+     smaller than that of the invoking user and not be reset before the
+     command was run. Bug #1016.
+- sudo no longer ships schema for LDAP.
+- sudo-feature-negated-LDAP-users.patch dropped, included upstream
+- refreshed sudo-sudoers.patch
+
+-------------------------------------------------------------------
+Thu Jan 27 03:00:26 UTC 2022 - Simon Lees <sflees@suse.de>
+
+- Add support in the LDAP filter for negated users, patch taken
+  from upstream (jsc#20068)
+  * Adds sudo-feature-negated-LDAP-users.patch
+
 -------------------------------------------------------------------
 Wed Sep 22 12:27:51 UTC 2021 - Kristyna Streitova <kstreitova@suse.com>
 

sudo.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sudo
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %define use_usretc 1
 %endif
 Name:           sudo
-Version:        1.9.8p2
+Version:        1.9.9
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@@ -88,8 +88,7 @@ Requires:       %{name} = %{version}
 Tests for fate#313276
 
 %prep
-%setup -q
+%autosetup -p1
-%patch0 -p1
 
 %build
 %ifarch s390 s390x %{sparc}
@@ -140,7 +139,6 @@ install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/sudo-i
 rm -f %{buildroot}%{_bindir}/sudoedit
 ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
 install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
-install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema
 install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
 rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
 rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
@@ -154,9 +152,10 @@ cat sudoers.lang >> %{name}.lang
 install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
 install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
 install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
-install -d %{buildroot}%{_docdir}/%{name}-test
+
-install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE %{buildroot}%{_docdir}/%{name}-test/LICENSE
+install -d %{buildroot}%{_licensedir}/%{name}
-rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE
+install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md
+rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
 
 %if %{defined use_usretc}
 %pre
@@ -185,7 +184,7 @@ chmod 0440 %{_sysconfdir}/sudoers
 %verify_permissions -e %{_bindir}/sudo
 
 %files -f %{name}.lang
-%license doc/LICENSE
+%license doc/LICENSE.md
 %doc %{_docdir}/%{name}
 %{_mandir}/man1/cvtsudoers.1%{?ext_man}
 %{_mandir}/man5/sudoers.5%{?ext_man}
@@ -213,9 +212,6 @@ chmod 0440 %{_sysconfdir}/sudoers
 %config(noreplace) %{_sysconfdir}/pam.d/sudo-i
 %endif
 %attr(4755,root,root) %{_bindir}/sudo
-%dir %{_sysconfdir}/openldap
-%dir %{_sysconfdir}/openldap/schema
-%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
 %{_bindir}/sudoedit
 %{_bindir}/sudoreplay
 %{_bindir}/cvtsudoers
@@ -252,6 +248,5 @@ chmod 0440 %{_sysconfdir}/sudoers
 
 %files test
 %{_localstatedir}/lib/tests
-%{_docdir}/%{name}-test/
 
 %changelog