Kristyna Streitova
ac3c196343
- Update to 1.8.31
Major changes between version 1.8.31 and 1.8.30:
* This version fixes a potential security issue that can lead to
a buffer overflow if the pwfeedback option is enabled in
sudoers [CVE-2019-18634] [bsc#1162202]
* The sudoedit_checkdir option now treats a user-owned directory
as writable, even if it does not have the write bit set at the
time of check. Symbolic links will no longer be followed by
sudoedit in any user-owned directory. Bug #912.
* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
at the password prompt. Bug #914.
* Fixed compilation on systems where the mmap MAP_ANON flag is
not available. Bug #915.
Major changes between version 1.8.30 and 1.8.29:
* Sudo now closes file descriptors before changing uids. This
prevents a non-root process from interfering with sudo's ability
to close file descriptors on systems that support the prlimit(2)
system call.
* Sudo now treats an attempt to run sudo sudoedit as simply
sudoedit If the sudoers file contains a fully-qualified path
to sudoedit, sudo will now treat it simply as sudoedit
(with no path). Visudo will will now treat a fully-qualified
path to sudoedit as an error. Bug #871.
* Fixed a bug introduced in sudo 1.8.28 where sudo would warn
about a missing /etc/environment file on AIX and Linux when
PAM is not enabled. Bug #907.
* Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
the askpass program from running due to an unlimited stack size
resource limit. Bug #908.
* If a group provider plugin has optional arguments, the argument
OBS-URL: https://build.opensuse.org/request/show/772142
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=160
116 lines
4.5 KiB
Diff
116 lines
4.5 KiB
Diff
Index: sudo-1.8.31/plugins/sudoers/sudoers.in
|
|
===================================================================
|
|
--- sudo-1.8.31.orig/plugins/sudoers/sudoers.in
|
|
+++ sudo-1.8.31/plugins/sudoers/sudoers.in
|
|
@@ -32,30 +32,23 @@
|
|
##
|
|
## Defaults specification
|
|
##
|
|
-## You may wish to keep some of the following environment variables
|
|
-## when running commands via sudo.
|
|
-##
|
|
-## Locale settings
|
|
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
|
-##
|
|
-## Run X applications through sudo; HOME is used to find the
|
|
-## .Xauthority file. Note that other programs use HOME to find
|
|
-## configuration files and this may lead to privilege escalation!
|
|
-# Defaults env_keep += "HOME"
|
|
-##
|
|
-## X11 resource path settings
|
|
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
|
-##
|
|
-## Desktop path settings
|
|
-# Defaults env_keep += "QTDIR KDEDIR"
|
|
-##
|
|
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
|
-# Defaults env_keep += "XDG_SESSION_COOKIE"
|
|
-##
|
|
-## Uncomment to enable special input methods. Care should be taken as
|
|
-## this may allow users to subvert the command being run via sudo.
|
|
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
-##
|
|
+## Prevent environment variables from influencing programs in an
|
|
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
|
+Defaults always_set_home
|
|
+## Path that will be used for every command run from sudo
|
|
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
|
+Defaults env_reset
|
|
+## Change env_reset to !env_reset in previous line to keep all environment variables
|
|
+## Following list will no longer be necessary after this change
|
|
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
+## Comment out the preceding line and uncomment the following one if you need
|
|
+## to use special input methods. This may allow users to compromise the root
|
|
+## account if they are allowed to run commands without authentication.
|
|
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
|
+
|
|
+## Do not insult users when they enter an incorrect password.
|
|
+Defaults !insults
|
|
+
|
|
## Uncomment to use a hard-coded PATH instead of the user's to find commands
|
|
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
##
|
|
@@ -66,9 +59,15 @@
|
|
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
|
|
# Defaults log_output
|
|
# Defaults!/usr/bin/sudoreplay !log_output
|
|
-# Defaults!/usr/local/bin/sudoreplay !log_output
|
|
# Defaults!REBOOT !log_output
|
|
|
|
+## In the default (unconfigured) configuration, sudo asks for the root password.
|
|
+## This allows use of an ordinary user account for administration of a freshly
|
|
+## installed system. When configuring sudo, delete the two
|
|
+## following lines:
|
|
+Defaults targetpw # ask for the password of the target user i.e. root
|
|
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
|
+
|
|
##
|
|
## Runas alias specification
|
|
##
|
|
@@ -84,14 +83,6 @@ root ALL=(ALL) ALL
|
|
## Same thing without a password
|
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
|
|
|
-## Uncomment to allow members of group sudo to execute any command
|
|
-# %sudo ALL=(ALL) ALL
|
|
-
|
|
-## Uncomment to allow any user to run sudo if they know the password
|
|
-## of the user they are running the command as (root by default).
|
|
-# Defaults targetpw # Ask for the password of the target user
|
|
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
|
-
|
|
## Read drop-in files from @sysconfdir@/sudoers.d
|
|
## (the '#' here does not indicate a comment)
|
|
#includedir @sysconfdir@/sudoers.d
|
|
Index: sudo-1.8.31/doc/sudoers.mdoc.in
|
|
===================================================================
|
|
--- sudo-1.8.31.orig/doc/sudoers.mdoc.in
|
|
+++ sudo-1.8.31/doc/sudoers.mdoc.in
|
|
@@ -1985,7 +1985,7 @@ is present in the
|
|
.Em env_keep
|
|
list, both of which are strongly discouraged.
|
|
This flag is
|
|
-.Em off
|
|
+.Em on
|
|
by default.
|
|
.It authenticate
|
|
If set, users must authenticate themselves via a password (or other
|
|
@@ -2376,7 +2376,7 @@ If set,
|
|
.Nm sudo
|
|
will insult users when they enter an incorrect password.
|
|
This flag is
|
|
-.Em @insults@
|
|
+.Em off
|
|
by default.
|
|
.It log_allowed
|
|
If set,
|
|
@@ -3009,7 +3009,7 @@ database as an argument to the
|
|
.Fl u
|
|
option.
|
|
This flag is
|
|
-.Em off
|
|
+.Em on
|
|
by default.
|
|
.It tty_tickets
|
|
If set, users must authenticate on a per-tty basis.
|