diff --git a/.gitignore b/.gitignore
index 96963ea..cc45a89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,9 @@
 /sudo-1.8.25.tar.gz
 /sudo-1.8.25p1.tar.gz
 /sudo-1.8.27.tar.gz
+/sudo-1.8.28.tar.gz
+/sudo-1.8.28p1.tar.gz
+/sudo-1.8.29.tar.gz
+/sudo-1.9.0b1.tar.gz
+/sudo-1.9.0b4.tar.gz
+/sudo-1.9.2.tar.gz
diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch
new file mode 100644
index 0000000..980e767
--- /dev/null
+++ b/configure-runstatedir.patch
@@ -0,0 +1,43 @@
+From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
+From: Evan Anderson
+Date: Sun, 6 Sep 2020 14:30:54 -0500
+Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
+ support it
+
+runstatedir was added in yet-to-be released autoconf 2.70. Some distros
+are shipping this addition in their autoconf packages, but others, such as Fedora,
+are not. This causes the rundir variable to be set incorrectly if the configure script
+is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
+after regeneration. This change works around that problem by checking that runstatedir
+is non-empty before potentially using it to set the rundir variable
+---
+ configure | 2 +-
+ m4/sudo.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 0f6ceb16c..2e0838e01 100755
+--- a/configure
++++ b/configure
+@@ -26718,7 +26718,7 @@ EOF
+ $as_echo_n "checking for sudo run dir location... " >&6; }
+ if test -n "$with_rundir"; then
+ rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+ rundir="$runstatedir/sudo"
+ else
+ # No --with-rundir or --runstatedir specified
+diff --git a/m4/sudo.m4 b/m4/sudo.m4
+index a5a972b3c..b3a40b208 100644
+--- a/m4/sudo.m4
++++ b/m4/sudo.m4
+@@ -120,7 +120,7 @@ dnl
+ AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+ if test -n "$with_rundir"; then
+ rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+ rundir="$runstatedir/sudo"
+ else
+ # No --with-rundir or --runstatedir specified
diff --git a/sources b/sources
index c04905d..5185f4c 100644
--- a/sources
+++ b/sources
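Review bot: The added `test -n "$runstatedir"` guard, in both the `configure` and `m4/sudo.m4` hunks of this patch, only makes the autodetection fall through to the `else` branch when autoconf leaves runstatedir undefined; the resulting rundir still depends on what that branch finds at build time. The first branch, `if test -n "$with_rundir"`, takes precedence over everything else, so passing `--with-rundir=/run/sudo` in the spec's configure call would pin sudo's run directory regardless of the autoconf version. The `else` branch continues past the end of both embedded hunks, so its search order is not visible here.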
@@ -1 +1 @@ -SHA512 (sudo-1.8.27.tar.gz) = 0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo.spec b/sudo.spec index 2970bf7..432c3d2 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,12 +1,10 @@ -%global user millert - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.27 -Release: 3%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -26,6 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -46,10 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep %setup -q %patch1 -p1 -b .strip +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -69,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ 
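Review bot: `Source0` in the first sudo.spec hunk now points at `https://www.sudo.ws/dist/beta/`, yet `Version` is 1.9.2 with no beta suffix and `Release` is 1; this looks like a leftover from the 1.9.0b1/b4 updates listed in the changelog, and the line should probably read `Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz`. For a package that installs a setuid-root binary it is also worth verifying the tarball's origin at build time: the `sources` hunk pins a SHA512 of the uploaded tarball, but nothing visible checks upstream's detached signature. Adding the signature and the upstream keyring as extra `Source` entries and calling `%{gpgverify}` at the top of `%prep` would cover that.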
@@ -153,7 +165,8 @@ EOF %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -165,7 +178,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -179,6 +194,7 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz +%{_mandir}/man8/sudo_plugin_python.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} 
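Review bot: `sample_approval.so` in the second %files hunk is installed into `%{_libexecdir}/sudo` next to the production plugins; going by its name it is upstream's example approval plugin rather than something meant for deployment. Nothing in the visible hunks references it from a configuration file, so it is presumably inert until an administrator lists it, but shipping example code in the plugin directory of a setuid-root tool adds to what has to be audited. Consider dropping it from the main package or moving it to `%{name}-devel`, and add a comment saying why it is packaged if it stays.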
@@ -195,7 +211,66 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! 
character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 + +* Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 +- rebase to 1.8.29 +Resolves: rhbz#1766233 + +* Tue Oct 22 2019 Radovan Sroka - 1.8.28p1-1 +- rebase to 1.8.28p1 +Resolves: rhbz#1762350 + +* Tue Oct 15 2019 Radovan Sroka - 1.8.28-1 +- rebase to 1.8.28 +Resolves: rhbz#1761533 +- set always_set_home by default +Resolves: rhbz#1728687 +- Sync sudoers options from rhel8 to fedora +Resolves: rhbz#1761781 +- CVE-2019-14287 +Resolves: rhbz#1761584 + * Sat Jul 27 2019 Fedora Release Engineering - 1.8.27-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sudoers b/sudoers index 9d57af5..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -30,7 +30,7 @@ # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb 
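Review bot: The new `systemctl` entries in the commented `SERVICES` alias will not do what an administrator expects once uncommented: sudoers matches a command's arguments exactly when any are given, so `/usr/bin/systemctl start` permits only a bare `systemctl start` with no unit name. Anyone who repairs that by appending `*` ends up allowing every unit and every systemctl option. A safer template names the units, e.g. `/usr/bin/systemctl restart example.service` (constructed name), and leaves `status` out, since it usually needs no elevated privileges and may send its output through a pager running under the elevated account.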
@@ -54,6 +54,24 @@ # Defaults !visiblepw +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" @@ -61,7 +79,13 @@ Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple
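Review bot: `Defaults match_group_by_gid` is added directly beneath the comment block that explains `always_set_home` and has no comment of its own, so the HOME text reads as if it covered both options. Put a separate comment above it, for example `# Match groups listed in sudoers by group-ID instead of resolving the user's group-IDs to names`. The same comment block has a doubled word (`when the the env_reset option`). `always_query_group_plugin` is enabled to restore the pre-1.8.15 behaviour, but no `group_plugin` setting is visible in these hunks; if none is configured elsewhere, the comment should say that the option has no effect until one is.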
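Review bot: The new `secure_path` value in the last hunk appends `/var/lib/snapd/snap/bin` for every installation, including hosts where snapd is not installed. `secure_path` is the search path used for commands run through sudo, so each directory on it should be one whose contents the distribution controls; this one is presumably populated by a separate package manager, and the hunk carries no comment explaining the addition (the changelog only references rhbz#1691996). Because it is the last entry it cannot shadow a system binary, but a short comment above the line stating why it is there, or shipping the extended path from the snapd package instead, would make the trust decision explicit.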