diff --git a/sudo-1.9.2.tar.gz b/sudo-1.9.2.tar.gz
deleted file mode 100644
index c985321..0000000
--- a/sudo-1.9.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7c98d201f181c47152711b9f391e0f6b5545f3ef8926298a3e8bc6288e118314
-size 3890859
diff --git a/sudo-1.9.2.tar.gz.sig b/sudo-1.9.2.tar.gz.sig
deleted file mode 100644
index a63d6ca..0000000
Binary files a/sudo-1.9.2.tar.gz.sig and /dev/null differ
diff --git a/sudo-1.9.3p1-pam_xauth.patch b/sudo-1.9.3p1-pam_xauth.patch
new file mode 100644
index 0000000..6ce1e79
--- /dev/null
+++ b/sudo-1.9.3p1-pam_xauth.patch
@@ -0,0 +1,12 @@
+--- a/src/sudo.c Wed Nov 11 09:34:50 2020 -0700
++++ b/src/sudo.c Wed Nov 11 09:34:50 2020 -0700
+@@ -297,9 +297,6 @@
+ SET(command_details.flags, CD_LOGIN_SHELL);
+ if (ISSET(sudo_mode, MODE_BACKGROUND))
+ SET(command_details.flags, CD_BACKGROUND);
+- /* Become full root (not just setuid) so user cannot kill us. */
+- if (setuid(ROOT_UID) == -1)
+- sudo_warn("setuid(%d)", ROOT_UID);
+ if (ISSET(command_details.flags, CD_SUDOEDIT)) {
+ status = sudo_edit(&command_details);
+ } else {
diff --git a/sudo-1.9.3p1.tar.gz b/sudo-1.9.3p1.tar.gz
new file mode 100644
index 0000000..ed78f04
--- /dev/null
+++ b/sudo-1.9.3p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcb9de53e45e1c39042074b847f5e0d8ae1890725dd6a9d9101a81569e6eb49e
+size 3958071
diff --git a/sudo-1.9.3p1.tar.gz.sig b/sudo-1.9.3p1.tar.gz.sig
new file mode 100644
index 0000000..7e94523
Binary files /dev/null and b/sudo-1.9.3p1.tar.gz.sig differ
diff --git a/sudo.changes b/sudo.changes
index 1469713..94aabd4 100644
--- a/sudo.changes
+++ b/sudo.changes
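Review bot: The new sudo-1.9.3p1-pam_xauth.patch only deletes the `setuid(ROOT_UID)` call in src/sudo.c, and the deleted comment records why the call existed ("so user cannot kill us"); nothing in the 12-line patch shows where full root is established again before the command is executed. Judging by that comment, the front end now presumably keeps the invoking user's real uid through `sudo_edit()` and the `else` branch that follows, so please confirm that the exec path still sets the real uid before exec and that the condition the removed comment guarded against is acceptable during session setup. The patch file also begins directly at `--- a/src/sudo.c` with no header; I would add a few comment lines above it naming the upstream changeset it was taken from and `bsc#1174593`, so the next version update can tell when it may be dropped. The enclosing function starts and ends outside the hunk.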
@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Fri Nov 13 21:26:58 UTC 2020 - Kristyna Streitova
+
+- Update to 1.9.3p1
+ * Fixed a regression introduced in sudo 1.9.3 where the configure
+ script would not detect the crypt(3) function if it was present
+ in the C library, not an additional library.
+ * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
+ file authentication on OpenBSD. BSD authentication was not
+ affected.
+ * Sudo now logs when a user-specified command-line option is
+ rejected by a sudoers rule. Previously, these conditions were
+ written to the audit log, but the default sudo log file. Affected
+ command line arguments include -C (--close-from), -D (--chdir),
+ -R (--chroot), -g (--group) and -u (--user).
+
+- News in 1.9.3
+ * Fixed building the Python plugin on systems with a compiler that
+ doesn't support symbol hiding.
+ * Sudo now uses a linker script to hide symbols even when the
+ compiler has native symbol hiding support. This should make it
+ easier to detect omissions in the symbol exports file, regardless
+ of the platform.
+ * Fixed the libssl dependency in Debian packages for older releases
+ that use libssl1.0.0.
+ * Sudo and visudo now provide more detailed messages when a syntax
+ error is detected in sudoers. The offending line and token are
+ now displayed. If the parser was generated by GNU bison,
+ additional information about what token was expected is also
+ displayed. Bug #841.
+ * Sudoers rules must now end in either a newline or the end-of-file.
+ Previously, it was possible to have multiple rules on a single
+ line, separated by white space. The use of an end-of-line
+ terminator makes it possible to display accurate error messages.
+ * Sudo no longer refuses to run if a syntax error in the sudoers
+ file is encountered. The entry with the syntax error will be
+ discarded and sudo will continue to parse the file. This makes
+ recovery from a syntax error less painful on systems where sudo
+ is the primary method of superuser access. The historic behavior
+ can be restored by add "error_recovery=false" to the sudoers
+ plugin's optional arguments in sudo.conf. Bug #618.
+ * Fixed the sample_approval plugin's symbol exports file for systems
+ where the compiler doesn't support symbol hiding.
+ * Fixed a regression introduced in sudo 1.9.1 where arguments to
+ the "sudoers_policy" plugin in sudo.conf were not being applied.
+ The sudoers file is now parsed by the "sudoers_audit" plugin,
+ which is loaded implicitly when "sudoers_policy" is listed in
+ sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments
+ for "sudoers_policy" but "sudoers_audit" is not listed, those
+ arguments will be applied to "sudoers_audit" instead.
+ * The user's resource limits are now passed to sudo plugins in
+ the user_info[] list. A plugin cannot determine the limits
+ itself because sudo changes the limits while it runs to prevent
+ resource starvation.
+ * It is now possible to set the working directory or change the
+ root directory on a per-command basis using the CWD and CHROOT
+ options. There are also new Defaults settings, runchroot and
+ runcwd, that can be used to set the working directory or root
+ directory on a more global basis.
+ * New -D (--chdir) and -R (--chroot) command line options can be
+ used to set the working directory or root directory if the sudoers
+ file allows it. This functionality is not enabled by default
+ and must be explicitly enabled in the sudoers file.
+
+- add sudo-1.9.3p1-pam_xauth.patch to stay setuid until just before
+ executing the command. Fixes a problem with pam_xauth which
+ checks effective and real uids to get the real identity of the
+ user [bsc#1174593]
+
 -------------------------------------------------------------------
 Mon Sep 7 08:01:05 UTC 2020 - Marco Varlese
diff --git a/sudo.spec b/sudo.spec
index 6a1f26c..24e18c5 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -22,7 +22,7 @@
 %define use_usretc 1
 %endif
 Name: sudo
-Version: 1.9.2
+Version: 1.9.3p1
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -38,6 +38,7 @@ Source6: fate_313276_test.sh
 Source7: README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
+Patch1: sudo-1.9.3p1-pam_xauth.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -89,6 +90,7 @@ Tests for fate#313276
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 %ifarch s390 s390x %{sparc}
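Review bot: The added `Patch1:` line in the second hunk has no tag comment, while `Patch0` directly above it carries `# PATCH-OPENSUSE: ...`. Because this patch changes when sudo gives up its setuid state, its origin should be readable from the spec itself. If it is a backport of an upstream changeset, as the timestamps in the patch header suggest, I would put `# PATCH-FIX-UPSTREAM bsc#1174593 -- stay setuid until just before executing the command` above `Patch1:`. That also tells whoever does the next version update to check whether upstream already contains the change before `%patch1 -p1` is kept.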