Accepting request 964748 from Base:System

OBS-URL: https://build.opensuse.org/request/show/964748
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=130

feature-upstream-restrict-sudo-U-other-l.patch

@@ -1,143 +0,0 @@
-From 9f695f0fcc749b3cdebc453ba4fdeae84114f3ae Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Mon, 14 Feb 2022 13:09:55 -0700
-Subject: [PATCH] Restrict "sudo -U other -l" to users with sudo ALL for root
- or "other". Having "sudo ALL" permissions in no longer sufficient to be able
- to list another user's privileges.  The invoking user must now have "sudo
- ALL" for root or the target user. GitHub issue #134
-
----
- docs/sudo.man.in         | 11 ++++++-----
- docs/sudo.mdoc.in        | 11 ++++++-----
- plugins/sudoers/parse.c  | 34 ++++++++++++++++++++++++----------
- plugins/sudoers/policy.c |  5 +++++
- 4 files changed, 41 insertions(+), 20 deletions(-)
-
-Index: sudo-1.9.9/docs/sudo.man.in
-===================================================================
---- sudo-1.9.9.orig/docs/sudo.man.in
-+++ sudo-1.9.9/docs/sudo.man.in
-@@ -664,11 +664,12 @@ option to list the privileges for
- \fIuser\fR
- instead of for the invoking user.
- The security policy may restrict listing other users' privileges.
--The
-+When using the
- \fIsudoers\fR
--policy only allows root or a user with the
--\fRALL\fR
--privilege on the current host to use this option.
-+policy, only root or a user with the ability to run any command as
-+either root or the specified
-+\fIuser\fR
-+on the current host may use this option.
- .TP 12n
- \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
- Used to set a timeout for the command.
-Index: sudo-1.9.9/docs/sudo.mdoc.in
-===================================================================
---- sudo-1.9.9.orig/docs/sudo.mdoc.in
-+++ sudo-1.9.9/docs/sudo.mdoc.in
-@@ -620,11 +620,12 @@ option to list the privileges for
- .Ar user
- instead of for the invoking user.
- The security policy may restrict listing other users' privileges.
--The
-+When using the
- .Em sudoers
--policy only allows root or a user with the
--.Li ALL
--privilege on the current host to use this option.
-+policy, only root or a user with the ability to run any command as
-+either root or the specified
-+.Ar user
-+on the current host may use this option.
- .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout
- Used to set a timeout for the command.
- If the timeout expires before the command has exited, the
-Index: sudo-1.9.9/plugins/sudoers/parse.c
-===================================================================
---- sudo-1.9.9.orig/plugins/sudoers/parse.c
-+++ sudo-1.9.9/plugins/sudoers/parse.c
-@@ -43,24 +43,26 @@ static int
- sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
-     int validated, int pwflag)
- {
--    int match;
-+    struct passwd *root_pw = NULL;
-     struct sudo_nss *nss;
-     struct cmndspec *cs;
-     struct privilege *priv;
-     struct userspec *us;
-     struct defaults *def;
--    int nopass;
-+    int nopass, match = DENY;
-     enum def_tuple pwcheck;
-     debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
- 
-     pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
-     nopass = (pwcheck == never || pwcheck == all) ? true : false;
- 
--    if (list_pw == NULL)
--	SET(validated, FLAG_NO_CHECK);
-     CLR(validated, FLAG_NO_USER);
-     CLR(validated, FLAG_NO_HOST);
--    match = DENY;
-+    if (list_pw != NULL) {
-+	root_pw = sudo_getpwuid(ROOT_UID);
-+    } else {
-+	SET(validated, FLAG_NO_CHECK);
-+    }
-     TAILQ_FOREACH(nss, snl, entries) {
- 	if (nss->query(nss, pw) == -1) {
- 	    /* The query function should have printed an error message. */
-@@ -89,16 +91,28 @@ sudoers_lookup_pseudo(struct sudo_nss_li
- 		    }
- 		    if (match == ALLOW)
- 			continue;
--		    /* Only check the command when listing another user. */
-+
-+		    /* Only check runas/command when listing another user. */
- 		    if (user_uid == 0 || list_pw == NULL ||
--			user_uid == list_pw->pw_uid ||
--			cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
--			NULL) == ALLOW)
--			    match = ALLOW;
-+			    user_uid == list_pw->pw_uid) {
-+			match = ALLOW;
-+			continue;
-+		    }
-+		    /* Runas user must match list user or root. */
-+		    if (userlist_matches(nss->parse_tree, list_pw,
-+			    cs->runasuserlist) == DENY ||
-+			    userlist_matches(nss->parse_tree, root_pw,
-+			    cs->runasuserlist) != ALLOW)
-+			continue;
-+		    if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
-+			    NULL) == ALLOW)
-+			match = ALLOW;
- 		}
- 	    }
- 	}
-     }
-+    if (root_pw != NULL)
-+	sudo_pw_delref(root_pw);
-     if (match == ALLOW || user_uid == 0) {
- 	/* User has an entry for this host. */
- 	SET(validated, VALIDATE_SUCCESS);
-Index: sudo-1.9.9/plugins/sudoers/policy.c
-===================================================================
---- sudo-1.9.9.orig/plugins/sudoers/policy.c
-+++ sudo-1.9.9/plugins/sudoers/policy.c
-@@ -1217,6 +1217,11 @@ sudoers_policy_list(int argc, char * con
- 	    sudo_warnx(U_("unknown user %s"), list_user);
- 	    debug_return_int(-1);
- 	}
-+	/* A user may only list another user they have runas access to. */
-+	if (runas_pw != NULL)
-+	    sudo_pw_delref(runas_pw);
-+	runas_pw = list_pw;
-+	sudo_pw_addref(list_pw);
-     }
-     ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, verbose, NULL);
-     if (list_user) {

sudo-1.9.10.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4
+size 4516568

sudo-1.9.9-honor-T_opt.patch

@@ -1,22 +0,0 @@
-From 1f3815c4fb3f282250ff30626979d224e30b4b05 Mon Sep 17 00:00:00 2001
-From: Jaroslav Jindrak <dzejrou@gmail.com>
-Date: Wed, 9 Feb 2022 17:37:26 +0100
-Subject: [PATCH] Do not unset user timeout when no default timeout is set.
-
----
- plugins/sudoers/policy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
-index 26c4be3fe..0482b58dd 100644
---- a/plugins/sudoers/policy.c
-+++ b/plugins/sudoers/policy.c
-@@ -865,7 +865,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
- 
-     if (def_command_timeout > 0 || user_timeout > 0) {
- 	int timeout = user_timeout;
--	if (timeout == 0 || def_command_timeout < timeout)
-+    if (timeout == 0 || (def_command_timeout > 0 && def_command_timeout < timeout))
- 	    timeout = def_command_timeout;
- 	if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
- 	    goto oom;

sudo-1.9.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00
-size 4456969

sudo.changes

@@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Thu Mar 24 08:18:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.9.10:
+  * Added new log_passwords and passprompt_regex sudoers options. If
+    log_passwords is disabled, sudo will attempt to prevent passwords from being
+    logged. If sudo detects any of the regular expressions in the passprompt_regex
+    list in the terminal output, sudo will log ‘*’ characters instead of the
+    terminal input until a newline or carriage return is found in the input or an
+    output character is received.
+  * Added new log_passwords and passprompt_regex settings to sudo_logsrvd that
+    operate like the sudoers options when logging terminal input.
+  * Fixed several few bugs in the cvtsudoers utility when merging multiple sudoers
+    sources.
+  * Fixed a bug in sudo_logsrvd parsing the sudo_logsrvd.conf file, where the
+    retry_interval in the [relay] section was not being recognized.
+  * Restored the pre-1.9.9 behavior of not performing authentication when sudo’s -n
+    option is specified. A new noninteractive_auth sudoers option has been added to
+    enable PAM authentication in non-interactive mode. GitHub issue #131.
+  * On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo
+    (other systems) file is missing or invalid, sudo will now check file
+    descriptors 0-2 to determine the user’s terminal. Bug #1020.
+  * Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
+  * Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is
+    received.
+  * Fixed an issue that resulting in “problem with defaults entries” email to be
+    sent if a user ran sudo when the sudoers entry in the nsswitch.conf file
+    includes “sss” but no sudo provider is configured in /etc/sssd/sssd.conf.
+  * Updated the warning displayed when the invoking user is not allowed to run
+    sudo. If sudo has been configured to send mail on failed attempts (see the
+    mail_* flags in sudoers), it will now print “This incident has been reported to
+    the administrator.” If the mailto or mailerpath sudoers settings are disabled,
+    the message will not be printed and no mail will be sent.
+  * Fixed a bug where the user-specified command timeout was not being honored if
+    the sudoers rule did not also specify a timeout.
+  * Added support for using POSIX extended regular expressions in sudoers rules. A
+    command and/or arguments in sudoers are treated as a regular expression if they
+    start with a ‘^’ character and end with a ‘$’. The command and arguments are
+    matched separately, either one (or both) may be a regular expression.
+  * A user may now only run sudo -U otheruser -l if they have a “sudo ALL”
+    privilege where the RunAs user contains either root or otheruser. Previously,
+    having “sudo ALL” was sufficient, regardless of the RunAs user. GitHub issue
+    #134.
+  * The sudo lecture is now displayed immediately before the password prompt. As a
+    result, sudo will no longer display the lecture unless the user needs to enter
+    a password. Authentication methods that don’t interact with the user via a
+    terminal do not trigger the lecture.
+  * Sudo now uses its own closefrom() emulation on Linux systems. The glibc version
+    may not work in a chroot jail where /proc is not available. If close_range(2)
+    is present, it will be used in preference to /proc/self/fd.
+- drop sudo-1.9.9-honor-T_opt.patch , feature-upstream-restrict-sudo-U-other-l.patch
+  (upstream) 
+
 -------------------------------------------------------------------
 Thu Mar  3 12:00:46 UTC 2022 - Jason Sikes <jsikes@suse.com>
 

sudo.spec

@@ -22,7 +22,7 @@
 %define use_usretc 1
 %endif
 Name:           sudo
-Version:        1.9.9
+Version:        1.9.10
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@@ -38,8 +38,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         feature-upstream-restrict-sudo-U-other-l.patch
-Patch2:         sudo-1.9.9-honor-T_opt.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff