From 921bef68a54605ce0462cb5a169a799ad855cd8a1171b393d5295c2d48f7224b Mon Sep 17 00:00:00 2001 From: Kristyna Streitova Date: Mon, 16 Nov 2020 19:04:11 +0000 Subject: [PATCH] Accepting request 848421 from home:kstreitova:branches:Base:System - Update to 1.9.3p1 * Fixed a regression introduced in sudo 1.9.3 where the configure script would not detect the crypt(3) function if it was present in the C library, not an additional library. * Fixed a regression introduced in sudo 1.8.23 with shadow passwd file authentication on OpenBSD. BSD authentication was not affected. * Sudo now logs when a user-specified command-line option is rejected by a sudoers rule. Previously, these conditions were written to the audit log, but the default sudo log file. Affected command line arguments include -C (--close-from), -D (--chdir), -R (--chroot), -g (--group) and -u (--user). - News in 1.9.3 * Fixed building the Python plugin on systems with a compiler that doesn't support symbol hiding. * Sudo now uses a linker script to hide symbols even when the compiler has native symbol hiding support. This should make it easier to detect omissions in the symbol exports file, regardless of the platform. * Fixed the libssl dependency in Debian packages for older releases that use libssl1.0.0. * Sudo and visudo now provide more detailed messages when a syntax error is detected in sudoers. The offending line and token are now displayed. If the parser was generated by GNU bison, additional information about what token was expected is also displayed. Bug #841. * Sudoers rules must now end in either a newline or the end-of-file. Previously, it was possible to have multiple rules on a single line, separated by white space. The use of an end-of-line terminator makes it possible to display accurate error messages. OBS-URL: https://build.opensuse.org/request/show/848421 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=183 --- sudo-1.9.2.tar.gz | 3 -- sudo-1.9.2.tar.gz.sig | Bin 566 -> 0 bytes sudo-1.9.3p1-pam_xauth.patch | 12 ++++++ sudo-1.9.3p1.tar.gz | 3 ++ sudo-1.9.3p1.tar.gz.sig | Bin 0 -> 566 bytes sudo.changes | 69 +++++++++++++++++++++++++++++++++++ sudo.spec | 4 +- 7 files changed, 87 insertions(+), 4 deletions(-) delete mode 100644 sudo-1.9.2.tar.gz delete mode 100644 sudo-1.9.2.tar.gz.sig create mode 100644 sudo-1.9.3p1-pam_xauth.patch create mode 100644 sudo-1.9.3p1.tar.gz create mode 100644 sudo-1.9.3p1.tar.gz.sig diff --git a/sudo-1.9.2.tar.gz b/sudo-1.9.2.tar.gz deleted file mode 100644 index c985321..0000000 --- a/sudo-1.9.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7c98d201f181c47152711b9f391e0f6b5545f3ef8926298a3e8bc6288e118314 -size 3890859 diff --git a/sudo-1.9.2.tar.gz.sig b/sudo-1.9.2.tar.gz.sig deleted file mode 100644 index a63d6cad642e99718f6c5ef639724b3de3f95cc97287a35e4af4ae3211748426..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0$&%T!2k*g5UKRQ zA4W3EIz(j3Ta7@e+jwqDE2TQt+VFf9_L{pPvKz%ktn;ah4K< z|KwD6j!JHo9Lwuy3!>fVnkRO1pJcXq`8rLXFUV_gImhO+N7- zeouB+ze^96>ij(U00;UBS;!JkfJ7EWWF2fknQ5y&09Y7o>4MGd(As17yOf8>IQpaw z$VC+#toZ`eLX((Fsl(Sd&5^O9Lbt|k7f%1ZE{Ke!9WCPH&aMhG%a2Sg%5fJW85(U; zaq<3k%wk2fF7#wt#K#BLEi21W({ZP!IJ*yq zeuD@=g&UcRS?GC!gQwy+J{*EdT^{n5#~ZsNwxpsdRM0vzw(=QeXza)2TT2k4o|py2 zLJ>m4^wwV0hkac`7G(TyTWVc>>aN|xieH8d<9}3kpgSnUlxRGZ8ieZVr0HID_F|fB z)Nw>elit5gWGIf+EwOFrCAmVE`g3e^79p|&cfdlfu%0v|??3fso_2EGL+i2wiq diff --git a/sudo-1.9.3p1-pam_xauth.patch b/sudo-1.9.3p1-pam_xauth.patch new file mode 100644 index 0000000..6ce1e79 --- /dev/null +++ b/sudo-1.9.3p1-pam_xauth.patch @@ -0,0 +1,12 @@ +--- a/src/sudo.c Wed Nov 11 09:34:50 2020 -0700 ++++ b/src/sudo.c Wed Nov 11 09:34:50 2020 -0700 +@@ -297,9 +297,6 @@ + SET(command_details.flags, CD_LOGIN_SHELL); + if (ISSET(sudo_mode, MODE_BACKGROUND)) + SET(command_details.flags, CD_BACKGROUND); +- /* Become full root (not just setuid) so user cannot kill us. */ +- if (setuid(ROOT_UID) == -1) +- sudo_warn("setuid(%d)", ROOT_UID); + if (ISSET(command_details.flags, CD_SUDOEDIT)) { + status = sudo_edit(&command_details); + } else { diff --git a/sudo-1.9.3p1.tar.gz b/sudo-1.9.3p1.tar.gz new file mode 100644 index 0000000..ed78f04 --- /dev/null +++ b/sudo-1.9.3p1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dcb9de53e45e1c39042074b847f5e0d8ae1890725dd6a9d9101a81569e6eb49e +size 3958071 diff --git a/sudo-1.9.3p1.tar.gz.sig b/sudo-1.9.3p1.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..7e945230bb19d85bb8d38560caa750b5c65a128551fca846c3860b6568e47f15 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0$*#GMgR&45UKRQ zAJ?Ie@?JxTnFwQ70l7Z@%Wl94y2`LoDKeWIi)wrNbS)>@ zDI%r;-+&^!k@hYFN$b~T$3HJr26I^!FAF~|1lnxbn;Wv{8-bRB+e*OueydltP?hV9 z512s*f5iqVds#d56Feb`t`Y)>i=Wo$36fr)_sP?kM1R51V<`}m+DHXr)KKr6HIvZ + +- Update to 1.9.3p1 + * Fixed a regression introduced in sudo 1.9.3 where the configure + script would not detect the crypt(3) function if it was present + in the C library, not an additional library. + * Fixed a regression introduced in sudo 1.8.23 with shadow passwd + file authentication on OpenBSD. BSD authentication was not + affected. + * Sudo now logs when a user-specified command-line option is + rejected by a sudoers rule. Previously, these conditions were + written to the audit log, but the default sudo log file. Affected + command line arguments include -C (--close-from), -D (--chdir), + -R (--chroot), -g (--group) and -u (--user). + +- News in 1.9.3 + * Fixed building the Python plugin on systems with a compiler that + doesn't support symbol hiding. + * Sudo now uses a linker script to hide symbols even when the + compiler has native symbol hiding support. This should make it + easier to detect omissions in the symbol exports file, regardless + of the platform. + * Fixed the libssl dependency in Debian packages for older releases + that use libssl1.0.0. + * Sudo and visudo now provide more detailed messages when a syntax + error is detected in sudoers. The offending line and token are + now displayed. If the parser was generated by GNU bison, + additional information about what token was expected is also + displayed. Bug #841. + * Sudoers rules must now end in either a newline or the end-of-file. + Previously, it was possible to have multiple rules on a single + line, separated by white space. The use of an end-of-line + terminator makes it possible to display accurate error messages. + * Sudo no longer refuses to run if a syntax error in the sudoers + file is encountered. The entry with the syntax error will be + discarded and sudo will continue to parse the file. This makes + recovery from a syntax error less painful on systems where sudo + is the primary method of superuser access. The historic behavior + can be restored by add "error_recovery=false" to the sudoers + plugin's optional arguments in sudo.conf. Bug #618. + * Fixed the sample_approval plugin's symbol exports file for systems + where the compiler doesn't support symbol hiding. + * Fixed a regression introduced in sudo 1.9.1 where arguments to + the "sudoers_policy" plugin in sudo.conf were not being applied. + The sudoers file is now parsed by the "sudoers_audit" plugin, + which is loaded implicitly when "sudoers_policy" is listed in + sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments + for "sudoers_policy" but "sudoers_audit" is not listed, those + arguments will be applied to "sudoers_audit" instead. + * The user's resource limits are now passed to sudo plugins in + the user_info[] list. A plugin cannot determine the limits + itself because sudo changes the limits while it runs to prevent + resource starvation. + * It is now possible to set the working directory or change the + root directory on a per-command basis using the CWD and CHROOT + options. There are also new Defaults settings, runchroot and + runcwd, that can be used to set the working directory or root + directory on a more global basis. + * New -D (--chdir) and -R (--chroot) command line options can be + used to set the working directory or root directory if the sudoers + file allows it. This functionality is not enabled by default + and must be explicitly enabled in the sudoers file. + +- add sudo-1.9.3p1-pam_xauth.patch to stay setuid until just before + executing the command. Fixes a problem with pam_xauth which + checks effective and real uids to get the real identity of the + user [bsc#1174593] + ------------------------------------------------------------------- Mon Sep 7 08:01:05 UTC 2020 - Marco Varlese diff --git a/sudo.spec b/sudo.spec index 6a1f26c..24e18c5 100644 --- a/sudo.spec +++ b/sudo.spec @@ -22,7 +22,7 @@ %define use_usretc 1 %endif Name: sudo -Version: 1.9.2 +Version: 1.9.3p1 Release: 0 Summary: Execute some commands as root License: ISC @@ -38,6 +38,7 @@ Source6: fate_313276_test.sh Source7: README_313276.test # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch0: sudo-sudoers.patch +Patch1: sudo-1.9.3p1-pam_xauth.patch BuildRequires: audit-devel BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -89,6 +90,7 @@ Tests for fate#313276 %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %ifarch s390 s390x %{sparc}