From 885ce4ca3e6dd6a21ec604e19e001631b3c86875 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Oct 2019 13:55:07 +0200 Subject: [PATCH 1/7] Rebase to 1.8.28 Resolves: rhbz#1761533 - set always_set_home by default Resolves: rhbz#1728687 - Sync sudoers options from rhel8 to fedora Resolves: rhbz#1761781 - CVE-2019-14287 Resolves: rhbz#1761584 --- .gitignore | 1 + sources | 2 +- sudo.spec | 16 ++++++++++++---- sudoers | 26 +++++++++++++++++++++++++- 4 files changed, 39 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 96963ea..7cafc1c 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ /sudo-1.8.25.tar.gz /sudo-1.8.25p1.tar.gz /sudo-1.8.27.tar.gz +/sudo-1.8.28.tar.gz diff --git a/sources b/sources index c04905d..68032d5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.27.tar.gz) = 0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac +SHA512 (sudo-1.8.28.tar.gz) = 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7 diff --git a/sudo.spec b/sudo.spec index 2970bf7..282224b 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,9 +1,7 @@ -%global user millert - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.27 -Release: 3%{?dist} +Version: 1.8.28 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz @@ -196,6 +194,16 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Tue Oct 15 2019 Radovan Sroka - 1.8.28-1 +- rebase to 1.8.28 +Resolves: rhbz#1761533 +- set always_set_home by default +Resolves: rhbz#1728687 +- Sync sudoers options from rhel8 to fedora +Resolves: rhbz#1761781 +- CVE-2019-14287 +Resolves: rhbz#1761584 + * Sat Jul 27 2019 Fedora Release Engineering - 1.8.27-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild 
diff --git a/sudoers b/sudoers index 9d57af5..29775ad 100644 --- a/sudoers +++ b/sudoers @@ -30,7 +30,7 @@ # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb @@ -54,6 +54,24 @@ # Defaults !visiblepw +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" 
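Review bot: In the new `SERVICES` example at `@@ -30,7 +30,7 @@`, every `/usr/bin/systemctl <verb>` entry has an argument list with no wildcard, and sudoers matches a command's arguments exactly, so once uncommented the alias would permit `systemctl start` only when no unit name follows. An administrator who then widens it to `start *` delegates control of every unit on the host. A comment above the alias would steer them to the narrow form, for example `## List the specific units to delegate (constructed example: /usr/bin/systemctl restart httpd.service) rather than a bare verb or a wildcard`.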
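Review bot: `Defaults match_group_by_gid` at `@@ -54,6 +54,24 @@` is added without a comment and sits directly under the HOME paragraph, so it reads as if that paragraph covered it. It changes how group entries in sudoers are matched and deserves its own line, for example `# Resolve group names in sudoers to gids and match on the gid instead of looking up the name of every group the user belongs to`. The HOME paragraph also has a doubled word, `when the the env_reset option`, which should read `when the env_reset option`. Since `always_query_group_plugin` deliberately restores the pre-1.8.15 behaviour, its comment would be more useful if it said which deployments still need unqualified groups passed to the group plugin.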
@@ -61,6 +79,12 @@ Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ## Next comes the main part: which users can run what software on From 4278f81f025cc11f8413b8478df9975d127aa1fa Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 22 Oct 2019 14:18:07 +0200 Subject: [PATCH 2/7] Rebase to 1.8.28p1 Resolves: rhbz#176235 --- .gitignore | 1 + sources | 2 +- sudo.spec | 6 +++++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 7cafc1c..990cfee 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ /sudo-1.8.25p1.tar.gz /sudo-1.8.27.tar.gz /sudo-1.8.28.tar.gz +/sudo-1.8.28p1.tar.gz diff --git a/sources b/sources index 68032d5..e2745d3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.28.tar.gz) = 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7 +SHA512 (sudo-1.8.28p1.tar.gz) = bda3de34c15fbb68fc29759542295560ccc1562b419d03709cea51613937e9b92ba689c79c3ef4858aeea90d3d1a4dc0148225b11b22cf82395ae1bad8cb1734 diff --git a/sudo.spec b/sudo.spec index 282224b..e8ca013 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.28 +Version: 1.8.28p1 Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ @@ -194,6 +194,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Tue Oct 22 2019 Radovan Sroka - 1.8.28p1-1 +- rebase to 1.8.28p1 +Resolves: rhbz#1762350 + * Tue Oct 15 2019 Radovan Sroka - 1.8.28-1 - rebase to 1.8.28 Resolves: rhbz#1761533 
From f1d474206ecf737741a7590ee37f1ec8c285ae4c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 11 Nov 2019 15:57:10 +0100 Subject: [PATCH 3/7] Rebase to 1.8.29 Resolves: rhbz#1766233 --- .gitignore | 1 + sources | 2 +- sudo.spec | 6 +++++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 990cfee..cac4495 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ /sudo-1.8.27.tar.gz /sudo-1.8.28.tar.gz /sudo-1.8.28p1.tar.gz +/sudo-1.8.29.tar.gz diff --git a/sources b/sources index e2745d3..d6aec86 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.28p1.tar.gz) = bda3de34c15fbb68fc29759542295560ccc1562b419d03709cea51613937e9b92ba689c79c3ef4858aeea90d3d1a4dc0148225b11b22cf82395ae1bad8cb1734 +SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340 diff --git a/sudo.spec b/sudo.spec index e8ca013..05495c7 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.28p1 +Version: 1.8.29 Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ @@ -194,6 +194,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 +- rebase to 1.8.29 +Resolves: rhbz#1766233 + * Tue Oct 22 2019 Radovan Sroka - 1.8.28p1-1 - rebase to 1.8.28p1 Resolves: rhbz#1762350 From ef428e03d8138c8584b62d638717c2cecb5053ae Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 3 Mar 2020 12:48:10 +0100 Subject: [PATCH 4/7] Update to latest development version 1.9.0b1 --- .gitignore | 1 + sources | 2 +- sudo.spec | 32 ++++++++++++++++++++++++++++---- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index cac4495..0afd98f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /sudo-1.8.28.tar.gz /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz +/sudo-1.9.0b1.tar.gz 
diff --git a/sources b/sources index d6aec86..0811552 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340 +SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 diff --git a/sudo.spec b/sudo.spec index 05495c7..cd7f31c 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,10 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.29 -Release: 1%{?dist} +Version: 1.9.0 +Release: 0.1.b1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +45,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q +%setup -q -n sudo-1.9.0b1 %patch1 -p1 -b .strip @@ -152,6 +152,7 @@ EOF %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%attr(0644,root,root) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -160,6 +161,8 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so 
@@ -177,6 +180,11 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -194,6 +202,22 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + * Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 - rebase to 1.8.29 Resolves: rhbz#1766233 From 3b7c898b0a0c0b12afa94609674731da992ba92f Mon Sep 17 00:00:00 2001 From: alakatos Date: Wed, 25 Mar 2020 16:47:47 +0100 Subject: [PATCH 5/7] Update to latest development version 1.9.0b4 Resolves: rhbz#1816593 --- .gitignore | 1 + sources | 2 +- sudo.spec | 15 ++++++++++++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 0afd98f..4aa0b81 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz +/sudo-1.9.0b4.tar.gz diff --git a/sources b/sources index 0811552..e6aeaa0 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 +SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 diff --git a/sudo.spec b/sudo.spec index cd7f31c..7ae3cfc 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,13 @@ +%global patchlevel b4 +%global upstream_version %{version}%{patchlevel} + Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.b1%{?dist} +Release: 0.1.%{patchlevel}%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +48,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n sudo-1.9.0b1 +%setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip @@ -166,7 +169,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? 
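Review bot: The `%files` hunk at `@@ -166,7 +169,9 @@` installs `sample_approval.so` into `%{_libexecdir}/sudo` of the base package, and the name suggests an upstream example rather than a plugin intended for production use. Modules in that directory are the ones a `sudo.conf` line can load into the setuid `sudo` binary, so the default set is best kept to what the distribution intends to support. If it is only an example, consider leaving it out of `%files` or shipping it with the documentation; otherwise add a spec comment next to the entry saying what the plugin does and whether the packaged `sudo.conf` enables it.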
@@ -202,6 +207,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 + * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages From 4a1dd8c9f101e29882b083b41dde4aa98d0b37f5 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:44 +0800 Subject: [PATCH 6/7] upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) --- sudo-1.9-RLIMIT_CORE.patch | 149 +++++++++++++++++++++++++++++++++++++ sudo.spec | 7 +- 2 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch new file mode 100644 index 0000000..28027c4 --- /dev/null +++ b/sudo-1.9-RLIMIT_CORE.patch 
@@ -0,0 +1,149 @@ + changeset 12288:1064b906ca68 + +Ignore a failure to restore the RLIMIT_CORE resource limit. +Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY +if we set the limit to zero, even for root. This is not a problem +outside the container. +author Todd C. Miller +date Sat, 14 Mar 2020 11:13:55 -0600 +parents 72ca06a294b4 +children 40629e6fd692 +files src/limits.c +diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] +line wrap: on + line diff + +--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 ++++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 +@@ -114,13 +114,21 @@ + + if (getrlimit(RLIMIT_CORE, &corelimit) == -1) + sudo_warn("getrlimit(RLIMIT_CORE)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + if (setrlimit(RLIMIT_CORE, &rl) == -1) + sudo_warn("setrlimit(RLIMIT_CORE)"); + #ifdef __linux__ + /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ +- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) ++ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); + dumpflag = 0; +- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); ++ } ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + coredump_disabled = true; + +@@ -136,10 +144,20 @@ + debug_decl(restore_coredump, SUDO_DEBUG_UTIL); + + if (coredump_disabled) { +- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) +- sudo_warn("setrlimit(RLIMIT_CORE)"); ++ /* ++ * Linux containers don't allow RLIMIT_CORE to be set back to ++ * RLIM_INFINITY if we set the limit to zero, even for root. 
++ */ ++ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_CORE, [%lld, %lld])", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); ++ } + #ifdef __linux__ +- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); ++ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + } + debug_return; +@@ -162,8 +180,14 @@ + + if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) + sudo_warn("getrlimit(RLIMIT_NPROC)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) == -1) { + rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) != 0) + sudo_warn("setrlimit(RLIMIT_NPROC)"); + } +@@ -180,8 +204,11 @@ + #ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL); + +- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) +- sudo_warn("setrlimit(RLIMIT_NPROC)"); ++ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); ++ } + + debug_return; + #endif /* __linux__ */ +@@ -203,6 +230,11 @@ + struct saved_limit *lim = &saved_limits[idx]; + if (getrlimit(lim->resource, &lim->oldlimit) == -1) + continue; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "getrlimit(lim->name) -> [%lld, %lld]", ++ (long long)lim->oldlimit.rlim_cur, ++ (long long)lim->oldlimit.rlim_max); ++ + lim->saved = true; + if (lim->newlimit.rlim_cur != RLIM_INFINITY) { + /* Don't reduce the 
soft resource limit. */ +@@ -217,13 +249,28 @@ + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; + } + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { +- if (lim->fallback != NULL) +- rc = setrlimit(lim->resource, lim->fallback); ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ if (lim->fallback != NULL) { ++ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->fallback->rlim_cur, ++ (long long)lim->fallback->rlim_max); ++ } ++ } + if (rc == -1) { + /* Try setting new rlim_cur to old rlim_max. */ + lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; +- rc = setrlimit(lim->resource, &lim->newlimit); ++ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ } + } + if (rc == -1) + sudo_warn("setrlimit(%s)", lim->name); +@@ -254,6 +301,10 @@ + if (rc != -1 || errno != EINVAL) + break; + ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); ++ + /* + * Soft limit could be lower than current resource usage. + * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index 7ae3cfc..f105a4f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -27,6 +27,8 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 +Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain 
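Review bot: Two of the debug messages added by the carried `src/limits.c` change log something other than what was actually called. In the inner `@@ -203,6 +230,11 @@` hunk the format string `"getrlimit(lim->name) -> [%lld, %lld]"` prints the literal text `lim->name`; it should be `"getrlimit(%s) -> [%lld, %lld]", lim->name,` like the `setrlimit(%s, ...)` messages further down. In the inner `@@ -114,13 +114,21 @@` hunk the failure message for `prctl(PR_SET_DUMPABLE, 0, 0, 0, 0)` formats `dumpflag` although the call passed 0, so the log can show a value that was never requested. As far as the hunks show, neither changes behaviour, but anyone diagnosing the container case from a debug log will be misled, so both are worth reporting upstream rather than fixing only in this copy. The enclosing functions start outside the quoted hunks.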
@@ -51,6 +53,7 @@ plugins that use %{name}. %setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip +%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -210,6 +213,8 @@ EOF * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 @@ -224,8 +229,6 @@ Resolves: rhbz#1786709 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 * Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 - rebase to 1.8.29 From 170c92e796c9a9ae81c146a158c621e7dc35cd56 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Sep 2020 16:49:29 +0200 Subject: [PATCH 7/7] Rebase to 1.9.2 Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 +++++++++++ sources | 2 +- sudo-1.9-RLIMIT_CORE.patch | 149 ------------------------------------ sudo.spec | 59 +++++++++----- sudoers | 2 +- 6 files changed, 87 insertions(+), 169 deletions(-) create mode 100644 configure-runstatedir.patch delete mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/.gitignore b/.gitignore index 4aa0b81..cc45a89 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz +/sudo-1.9.2.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch new file mode 100644 index 0000000..980e767 --- /dev/null 
+++ b/configure-runstatedir.patch @@ -0,0 +1,43 @@ +From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 +From: Evan Anderson +Date: Sun, 6 Sep 2020 14:30:54 -0500 +Subject: [PATCH] configure: Fix runstatedir handling for distros that do not + support it + +runstatedir was added in yet-to-be released autoconf 2.70. Some distros +are shipping this addition in their autoconf packages, but others, such as Fedora, +are not. This causes the rundir variable to be set incorrectly if the configure script +is regenerated with an unpatched autoconf since the runstatedir variable set is deleted +after regeneration. This change works around that problem by checking that runstatedir +is non-empty before potentially using it to set the rundir variable +--- + configure | 2 +- + m4/sudo.m4 | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 0f6ceb16c..2e0838e01 100755 +--- a/configure ++++ b/configure +@@ -26718,7 +26718,7 @@ EOF + $as_echo_n "checking for sudo run dir location... " >&6; } + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified +diff --git a/m4/sudo.m4 b/m4/sudo.m4 +index a5a972b3c..b3a40b208 100644 +--- a/m4/sudo.m4 ++++ b/m4/sudo.m4 +@@ -120,7 +120,7 @@ dnl + AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index e6aeaa0..5185f4c 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch deleted file mode 100644 index 28027c4..0000000 --- a/sudo-1.9-RLIMIT_CORE.patch +++ /dev/null 
@@ -1,149 +0,0 @@ - changeset 12288:1064b906ca68 - -Ignore a failure to restore the RLIMIT_CORE resource limit. -Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY -if we set the limit to zero, even for root. This is not a problem -outside the container. -author Todd C. Miller -date Sat, 14 Mar 2020 11:13:55 -0600 -parents 72ca06a294b4 -children 40629e6fd692 -files src/limits.c -diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] -line wrap: on - line diff - ---- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 -+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 -@@ -114,13 +114,21 @@ - - if (getrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("getrlimit(RLIMIT_CORE)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); - if (setrlimit(RLIMIT_CORE, &rl) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); - #ifdef __linux__ - /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ -- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) -+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); - dumpflag = 0; -- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); -+ } -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - coredump_disabled = true; - -@@ -136,10 +144,20 @@ - debug_decl(restore_coredump, SUDO_DEBUG_UTIL); - - if (coredump_disabled) { -- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) -- sudo_warn("setrlimit(RLIMIT_CORE)"); -+ /* -+ * Linux containers don't allow RLIMIT_CORE to be set back to -+ * RLIM_INFINITY if we set the limit to zero, even for root. 
-+ */ -+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_CORE, [%lld, %lld])", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); -+ } - #ifdef __linux__ -- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); -+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - } - debug_return; -@@ -162,8 +180,14 @@ - - if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("getrlimit(RLIMIT_NPROC)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) == -1) { - rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); - } -@@ -180,8 +204,11 @@ - #ifdef __linux__ - debug_decl(restore_nproc, SUDO_DEBUG_UTIL); - -- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) -- sudo_warn("setrlimit(RLIMIT_NPROC)"); -+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); -+ } - - debug_return; - #endif /* __linux__ */ -@@ -203,6 +230,11 @@ - struct saved_limit *lim = &saved_limits[idx]; - if (getrlimit(lim->resource, &lim->oldlimit) == -1) - continue; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "getrlimit(lim->name) -> [%lld, %lld]", -+ (long long)lim->oldlimit.rlim_cur, -+ (long long)lim->oldlimit.rlim_max); -+ - lim->saved = true; - if (lim->newlimit.rlim_cur != RLIM_INFINITY) { - /* Don't reduce the 
soft resource limit. */ -@@ -217,13 +249,28 @@ - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - } - if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -- if (lim->fallback != NULL) -- rc = setrlimit(lim->resource, lim->fallback); -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ if (lim->fallback != NULL) { -+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->fallback->rlim_cur, -+ (long long)lim->fallback->rlim_max); -+ } -+ } - if (rc == -1) { - /* Try setting new rlim_cur to old rlim_max. */ - lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; -- rc = setrlimit(lim->resource, &lim->newlimit); -+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ } - } - if (rc == -1) - sudo_warn("setrlimit(%s)", lim->name); -@@ -254,6 +301,10 @@ - if (rc != -1 || errno != EINVAL) - break; - -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); -+ - /* - * Soft limit could be lower than current resource usage. - * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index f105a4f..432c3d2 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -1,13 +1,10 @@ -%global patchlevel b4 -%global upstream_version %{version}%{patchlevel} - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.0 -Release: 0.1.%{patchlevel}%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -27,8 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 -Patch2: sudo-1.9-RLIMIT_CORE.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -49,11 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep -%setup -q -n %{name}-%{upstream_version} +%setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .orig +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -73,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ 
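Review bot: `Source0` in the `@@ -1,13 +1,10 @@` hunk still points at `https://www.sudo.ws/dist/beta/` although 1.9.2 is no longer a beta, so the URL presumably does not resolve to the tarball whose SHA512 is recorded in `sources`. The earlier form, `Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz`, lets a reviewer re-download the archive and compare it with the lookaside copy. While this line is being touched, and if upstream publishes a detached signature for the release, consider listing it as an additional source and checking it in `%prep`, so the tarball is verified against the upstream key and not only against a hash the packager computed.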
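Review bot: The `@@ -27,8 +24,7 @@` hunk drops the upstream-URL comment that used to precede `Patch2` and adds `configure-runstatedir.patch` with no note of its origin. The patch file itself carries a `From 0d7a041f18c5016abb78b74f3cfa505797e704ee` header, presumably an upstream commit, so a one-line comment such as `# upstream 0d7a041f18c5: only use runstatedir for rundir when it is non-empty` would tell the next rebase at a glance whether the patch can be dropped.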
@@ -157,8 +165,8 @@ EOF %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf -%attr(0644,root,root) /etc/sudo.conf +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -167,8 +175,6 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo -%attr(0755,root,root) %{_sbindir}/sudo_logsrvd -%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -188,11 +194,7 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man5/sudo_logsrv.proto.5.gz -%{_mandir}/man5/sudo_logsrvd.conf.5.gz -%{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_plugin_python.8.gz -%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} 
@@ -209,7 +211,28 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 diff --git a/sudoers b/sudoers index 29775ad..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple
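Review bot: The `secure_path` change at `@@ -85,7 +85,7 @@` adds `/var/lib/snapd/snap/bin` to the search path of every command run through sudo, on every install, with no comment saying why it is there or what is expected to own that directory. Placing it last means its entries cannot shadow the system directories, and that ordering should be written down so a later edit does not move it forward. A comment above the line would do, for example `# /var/lib/snapd/snap/bin holds snapd-installed commands; keep it last, and it must stay root-owned and not group- or world-writable`.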