From 19b1d360de3b019307554190e9b54824b6818a00 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 3 Mar 2020 12:48:10 +0100 Subject: [PATCH 01/61] Update to latest development version 1.9.0b1 --- .gitignore | 1 + sources | 2 +- sudo.spec | 32 ++++++++++++++++++++++++++++---- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index cac4495..0afd98f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /sudo-1.8.28.tar.gz /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz +/sudo-1.9.0b1.tar.gz diff --git a/sources b/sources index d6aec86..0811552 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340 +SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 diff --git a/sudo.spec b/sudo.spec index f929cc0..149038d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,10 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.29 -Release: 2%{?dist} +Version: 1.9.0 +Release: 0.1.b1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +45,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q +%setup -q -n sudo-1.9.0b1 %patch1 -p1 -b .strip @@ -152,6 +152,7 @@ EOF %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%attr(0644,root,root) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -160,6 +161,8 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -177,6 +180,11 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -189,6 +197,22 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 8afd87a1ac891672e38e8817ad2d6e648b19536a Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 3 Mar 2020 12:48:10 +0100 Subject: [PATCH 02/61] Update to latest development version 1.9.0b1 --- .gitignore | 1 + sources | 2 +- sudo.spec | 32 ++++++++++++++++++++++++++++---- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index cac4495..0afd98f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /sudo-1.8.28.tar.gz /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz +/sudo-1.9.0b1.tar.gz diff --git a/sources b/sources index d6aec86..0811552 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340 +SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 diff --git a/sudo.spec b/sudo.spec index f929cc0..149038d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,10 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.29 -Release: 2%{?dist} +Version: 1.9.0 +Release: 0.1.b1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +45,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q +%setup -q -n sudo-1.9.0b1 %patch1 -p1 -b .strip @@ -152,6 +152,7 @@ EOF %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%attr(0644,root,root) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -160,6 +161,8 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -177,6 +180,11 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -189,6 +197,22 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 94269e7c2044623024151e5ca41dfdb6cc35233f Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Tue, 24 Mar 2020 17:24:41 +0800 Subject: [PATCH 03/61] update to 1.9.0b4 --- sudo.spec | 49 ++++++++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/sudo.spec b/sudo.spec index 149038d..b55d7a7 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,14 +1,16 @@ +%global patchlevel b4 +%global upstream_version %{version}%{patchlevel} + Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.b1%{?dist} +Release: 0.1.%{patchlevel}%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal -Requires(post): coreutils BuildRequires: pam-devel BuildRequires: groff @@ -45,7 +47,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n sudo-1.9.0b1 +%setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip @@ -92,7 +94,7 @@ make check rm -rf $RPM_BUILD_ROOT make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` -chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d @@ -166,7 +168,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -197,13 +201,17 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Tue Mar 24 2020 Jens Petersen - 1.9.0-0.1.b4 +- update to 1.9.0 beta4 +- https://www.sudo.ws/pipermail/sudo-workers/2020-March/001279.html + * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 -- fixes: CVE-2019-18634 +- fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 @@ -239,7 +247,7 @@ Resolves: rhbz#1761584 * Sun Mar 31 2019 Marek Tamaskovic 1.8.27-2 - resolves rhbz#1676925 -- Removed PS1, PS2 from sudoers +- Removed PS1, PS2 from sudoers * Mon Mar 11 2019 Radovan Sroka 1.8.27-1 - rebase sudo to 1.8.27 @@ -275,7 +283,7 @@ Resolves: rhbz#1761584 * Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 - update to 1.8.21p2 -- Moved libsudo_util.so from the -devel sub-package to main package (1481225) +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) * Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 - replace file-based requirements with package-level ones: @@ -364,7 +372,7 @@ Resolves: rhbz#1761584 * Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 - add patch that resolves initialization problem before sudo_strsplit call -- add patch that resolves deadcode in visudo.c +- add patch that resolves deadcode in visudo.c - add patch that removes extra while in visudo.c and sudoers.c * Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 @@ -400,9 +408,9 @@ Resolves: rhbz#1761584 - major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit - the actual editor being run, instead of just the sudoedit command. + the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id @@ -502,7 +510,7 @@ Resolves: rhbz#1761584 * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -521,7 +529,7 @@ Resolves: rhbz#1761584 * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl @@ -656,7 +664,7 @@ Resolves: rhbz#1761584 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -758,7 +766,7 @@ Resolves: rhbz#1761584 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -785,7 +793,7 @@ Resolves: rhbz#1761584 exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -793,7 +801,7 @@ Resolves: rhbz#1761584 - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -818,7 +826,7 @@ Resolves: rhbz#1761584 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -941,7 +949,7 @@ Resolves: rhbz#1761584 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -953,10 +961,9 @@ Resolves: rhbz#1761584 - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. - From bb269d08fa5b3d7d47e25cf5fd706d5ca7a6685d Mon Sep 17 00:00:00 2001 From: alakatos Date: Wed, 25 Mar 2020 16:10:12 +0100 Subject: [PATCH 04/61] Revert "update to 1.9.0b4" This reverts commit 94269e7c2044623024151e5ca41dfdb6cc35233f. --- sudo.spec | 49 +++++++++++++++++++++---------------------------- 1 file changed, 21 insertions(+), 28 deletions(-) diff --git a/sudo.spec b/sudo.spec index b55d7a7..149038d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,16 +1,14 @@ -%global patchlevel b4 -%global upstream_version %{version}%{patchlevel} - Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.%{patchlevel}%{?dist} +Release: 0.1.b1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal +Requires(post): coreutils BuildRequires: pam-devel BuildRequires: groff @@ -47,7 +45,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n %{name}-%{upstream_version} +%setup -q -n sudo-1.9.0b1 %patch1 -p1 -b .strip @@ -94,7 +92,7 @@ make check rm -rf $RPM_BUILD_ROOT make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` -chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d @@ -168,9 +166,7 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so -%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so -%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -201,17 +197,13 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog -* Tue Mar 24 2020 Jens Petersen - 1.9.0-0.1.b4 -- update to 1.9.0 beta4 -- https://www.sudo.ws/pipermail/sudo-workers/2020-March/001279.html - * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 -- fixes: CVE-2019-18634 +- fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 @@ -247,7 +239,7 @@ Resolves: rhbz#1761584 * Sun Mar 31 2019 Marek Tamaskovic 1.8.27-2 - resolves rhbz#1676925 -- Removed PS1, PS2 from sudoers +- Removed PS1, PS2 from sudoers * Mon Mar 11 2019 Radovan Sroka 1.8.27-1 - rebase sudo to 1.8.27 @@ -283,7 +275,7 @@ Resolves: rhbz#1761584 * Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 - update to 1.8.21p2 -- Moved libsudo_util.so from the -devel sub-package to main package (1481225) +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) * Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 - replace file-based requirements with package-level ones: @@ -372,7 +364,7 @@ Resolves: rhbz#1761584 * Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 - add patch that resolves initialization problem before sudo_strsplit call -- add patch that resolves deadcode in visudo.c +- add patch that resolves deadcode in visudo.c - add patch that removes extra while in visudo.c and sudoers.c * Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 @@ -408,9 +400,9 @@ Resolves: rhbz#1761584 - major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit - the actual editor being run, instead of just the sudoedit command. + the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id @@ -510,7 +502,7 @@ Resolves: rhbz#1761584 * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -529,7 +521,7 @@ Resolves: rhbz#1761584 * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl @@ -664,7 +656,7 @@ Resolves: rhbz#1761584 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -766,7 +758,7 @@ Resolves: rhbz#1761584 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -793,7 +785,7 @@ Resolves: rhbz#1761584 exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -801,7 +793,7 @@ Resolves: rhbz#1761584 - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -826,7 +818,7 @@ Resolves: rhbz#1761584 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -949,7 +941,7 @@ Resolves: rhbz#1761584 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -961,9 +953,10 @@ Resolves: rhbz#1761584 - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. + From 8fc22fffbc522c3baf214250a8814a9c28513e56 Mon Sep 17 00:00:00 2001 From: alakatos Date: Wed, 25 Mar 2020 16:47:47 +0100 Subject: [PATCH 05/61] Update to latest development version 1.9.0b4 Resolves: rhbz#1816593 --- .gitignore | 1 + sources | 2 +- sudo.spec | 15 ++++++++++++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 0afd98f..4aa0b81 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz +/sudo-1.9.0b4.tar.gz diff --git a/sources b/sources index 0811552..e6aeaa0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 +SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 diff --git a/sudo.spec b/sudo.spec index 149038d..34f0d33 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,13 @@ +%global patchlevel b4 +%global upstream_version %{version}%{patchlevel} + Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.b1%{?dist} +Release: 0.1.%{patchlevel}%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +48,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n sudo-1.9.0b1 +%setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip @@ -166,7 +169,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -197,6 +202,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 + * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages From 77bc95ad059c4d3089e9a05f93274ebfc7804f8c Mon Sep 17 00:00:00 2001 From: alakatos Date: Wed, 25 Mar 2020 16:47:47 +0100 Subject: [PATCH 06/61] Update to latest development version 1.9.0b4 Resolves: rhbz#1816593 --- .gitignore | 1 + sources | 2 +- sudo.spec | 15 ++++++++++++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 0afd98f..4aa0b81 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz +/sudo-1.9.0b4.tar.gz diff --git a/sources b/sources index 0811552..e6aeaa0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 +SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 diff --git a/sudo.spec b/sudo.spec index 149038d..34f0d33 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,13 @@ +%global patchlevel b4 +%global upstream_version %{version}%{patchlevel} + Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.b1%{?dist} +Release: 0.1.%{patchlevel}%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +48,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n sudo-1.9.0b1 +%setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip @@ -166,7 +169,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -197,6 +202,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 + * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages From 5d1ef1f39f1a21269e9f81cb0f143afb10b0fb6a Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:05 +0800 Subject: [PATCH 07/61] remove trailing whitespaces --- sudo.spec | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/sudo.spec b/sudo.spec index 34f0d33..613bf89 100644 --- a/sudo.spec +++ b/sudo.spec @@ -95,7 +95,7 @@ make check rm -rf $RPM_BUILD_ROOT make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` -chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d @@ -212,7 +212,7 @@ Resolves: rhbz#1816593 Resolves: rhbz#1787823 - Stack based buffer overflow in when pwfeedback is enabled Resolves: rhbz#1796945 -- fixes: CVE-2019-18634 +- fixes: CVE-2019-18634 - By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account Resolves: rhbz#1786709 - fixes CVE-2019-19234 @@ -248,7 +248,7 @@ Resolves: rhbz#1761584 * Sun Mar 31 2019 Marek Tamaskovic 1.8.27-2 - resolves rhbz#1676925 -- Removed PS1, PS2 from sudoers +- Removed PS1, PS2 from sudoers * Mon Mar 11 2019 Radovan Sroka 1.8.27-1 - rebase sudo to 1.8.27 @@ -284,7 +284,7 @@ Resolves: rhbz#1761584 * Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 - update to 1.8.21p2 -- Moved libsudo_util.so from the -devel sub-package to main package (1481225) +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) * Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 - replace file-based requirements with package-level ones: @@ -373,7 +373,7 @@ Resolves: rhbz#1761584 * Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 - add patch that resolves initialization problem before sudo_strsplit call -- add patch that resolves deadcode in visudo.c +- add patch that resolves deadcode in visudo.c - add patch that removes extra while in visudo.c and sudoers.c * Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 @@ -409,9 +409,9 @@ Resolves: rhbz#1761584 - major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit - the actual editor being run, instead of just the sudoedit command. + the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id @@ -511,7 +511,7 @@ Resolves: rhbz#1761584 * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -530,7 +530,7 @@ Resolves: rhbz#1761584 * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl @@ -665,7 +665,7 @@ Resolves: rhbz#1761584 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -767,7 +767,7 @@ Resolves: rhbz#1761584 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -794,7 +794,7 @@ Resolves: rhbz#1761584 exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -802,7 +802,7 @@ Resolves: rhbz#1761584 - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -827,7 +827,7 @@ Resolves: rhbz#1761584 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -950,7 +950,7 @@ Resolves: rhbz#1761584 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -962,10 +962,9 @@ Resolves: rhbz#1761584 - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. - From 72a557140c58070edcc5a7382baa7758d98f3c94 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:44 +0800 Subject: [PATCH 08/61] upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) --- sudo-1.9-RLIMIT_CORE.patch | 149 +++++++++++++++++++++++++++++++++++++ sudo.spec | 7 +- 2 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch new file mode 100644 index 0000000..28027c4 --- /dev/null +++ b/sudo-1.9-RLIMIT_CORE.patch @@ -0,0 +1,149 @@ + changeset 12288:1064b906ca68 + +Ignore a failure to restore the RLIMIT_CORE resource limit. +Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY +if we set the limit to zero, even for root. This is not a problem +outside the container. +author Todd C. Miller +date Sat, 14 Mar 2020 11:13:55 -0600 +parents 72ca06a294b4 +children 40629e6fd692 +files src/limits.c +diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] +line wrap: on + line diff + +--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 ++++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 +@@ -114,13 +114,21 @@ + + if (getrlimit(RLIMIT_CORE, &corelimit) == -1) + sudo_warn("getrlimit(RLIMIT_CORE)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + if (setrlimit(RLIMIT_CORE, &rl) == -1) + sudo_warn("setrlimit(RLIMIT_CORE)"); + #ifdef __linux__ + /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ +- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) ++ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); + dumpflag = 0; +- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); ++ } ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + coredump_disabled = true; + +@@ -136,10 +144,20 @@ + debug_decl(restore_coredump, SUDO_DEBUG_UTIL); + + if (coredump_disabled) { +- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) +- sudo_warn("setrlimit(RLIMIT_CORE)"); ++ /* ++ * Linux containers don't allow RLIMIT_CORE to be set back to ++ * RLIM_INFINITY if we set the limit to zero, even for root. ++ */ ++ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_CORE, [%lld, %lld])", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); ++ } + #ifdef __linux__ +- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); ++ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + } + debug_return; +@@ -162,8 +180,14 @@ + + if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) + sudo_warn("getrlimit(RLIMIT_NPROC)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) == -1) { + rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) != 0) + sudo_warn("setrlimit(RLIMIT_NPROC)"); + } +@@ -180,8 +204,11 @@ + #ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL); + +- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) +- sudo_warn("setrlimit(RLIMIT_NPROC)"); ++ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); ++ } + + debug_return; + #endif /* __linux__ */ +@@ -203,6 +230,11 @@ + struct saved_limit *lim = &saved_limits[idx]; + if (getrlimit(lim->resource, &lim->oldlimit) == -1) + continue; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "getrlimit(lim->name) -> [%lld, %lld]", ++ (long long)lim->oldlimit.rlim_cur, ++ (long long)lim->oldlimit.rlim_max); ++ + lim->saved = true; + if (lim->newlimit.rlim_cur != RLIM_INFINITY) { + /* Don't reduce the soft resource limit. */ +@@ -217,13 +249,28 @@ + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; + } + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { +- if (lim->fallback != NULL) +- rc = setrlimit(lim->resource, lim->fallback); ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ if (lim->fallback != NULL) { ++ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->fallback->rlim_cur, ++ (long long)lim->fallback->rlim_max); ++ } ++ } + if (rc == -1) { + /* Try setting new rlim_cur to old rlim_max. */ + lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; +- rc = setrlimit(lim->resource, &lim->newlimit); ++ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ } + } + if (rc == -1) + sudo_warn("setrlimit(%s)", lim->name); +@@ -254,6 +301,10 @@ + if (rc != -1 || errno != EINVAL) + break; + ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); ++ + /* + * Soft limit could be lower than current resource usage. + * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index 613bf89..bac08cd 100644 --- a/sudo.spec +++ b/sudo.spec @@ -27,6 +27,8 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 +Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -51,6 +53,7 @@ plugins that use %{name}. %setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip +%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -205,6 +208,8 @@ EOF * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 @@ -219,8 +224,6 @@ Resolves: rhbz#1786709 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 3e5ff76d08bffdc8db27045c65b2e23d87521dd9 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:44 +0800 Subject: [PATCH 09/61] upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) --- sudo-1.9-RLIMIT_CORE.patch | 149 +++++++++++++++++++++++++++++++++++++ sudo.spec | 7 +- 2 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch new file mode 100644 index 0000000..28027c4 --- /dev/null +++ b/sudo-1.9-RLIMIT_CORE.patch @@ -0,0 +1,149 @@ + changeset 12288:1064b906ca68 + +Ignore a failure to restore the RLIMIT_CORE resource limit. +Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY +if we set the limit to zero, even for root. This is not a problem +outside the container. +author Todd C. Miller +date Sat, 14 Mar 2020 11:13:55 -0600 +parents 72ca06a294b4 +children 40629e6fd692 +files src/limits.c +diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] +line wrap: on + line diff + +--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 ++++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 +@@ -114,13 +114,21 @@ + + if (getrlimit(RLIMIT_CORE, &corelimit) == -1) + sudo_warn("getrlimit(RLIMIT_CORE)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + if (setrlimit(RLIMIT_CORE, &rl) == -1) + sudo_warn("setrlimit(RLIMIT_CORE)"); + #ifdef __linux__ + /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ +- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) ++ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); + dumpflag = 0; +- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); ++ } ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + coredump_disabled = true; + +@@ -136,10 +144,20 @@ + debug_decl(restore_coredump, SUDO_DEBUG_UTIL); + + if (coredump_disabled) { +- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) +- sudo_warn("setrlimit(RLIMIT_CORE)"); ++ /* ++ * Linux containers don't allow RLIMIT_CORE to be set back to ++ * RLIM_INFINITY if we set the limit to zero, even for root. ++ */ ++ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_CORE, [%lld, %lld])", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); ++ } + #ifdef __linux__ +- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); ++ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + } + debug_return; +@@ -162,8 +180,14 @@ + + if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) + sudo_warn("getrlimit(RLIMIT_NPROC)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) == -1) { + rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) != 0) + sudo_warn("setrlimit(RLIMIT_NPROC)"); + } +@@ -180,8 +204,11 @@ + #ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL); + +- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) +- sudo_warn("setrlimit(RLIMIT_NPROC)"); ++ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); ++ } + + debug_return; + #endif /* __linux__ */ +@@ -203,6 +230,11 @@ + struct saved_limit *lim = &saved_limits[idx]; + if (getrlimit(lim->resource, &lim->oldlimit) == -1) + continue; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "getrlimit(lim->name) -> [%lld, %lld]", ++ (long long)lim->oldlimit.rlim_cur, ++ (long long)lim->oldlimit.rlim_max); ++ + lim->saved = true; + if (lim->newlimit.rlim_cur != RLIM_INFINITY) { + /* Don't reduce the soft resource limit. */ +@@ -217,13 +249,28 @@ + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; + } + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { +- if (lim->fallback != NULL) +- rc = setrlimit(lim->resource, lim->fallback); ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ if (lim->fallback != NULL) { ++ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->fallback->rlim_cur, ++ (long long)lim->fallback->rlim_max); ++ } ++ } + if (rc == -1) { + /* Try setting new rlim_cur to old rlim_max. */ + lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; +- rc = setrlimit(lim->resource, &lim->newlimit); ++ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ } + } + if (rc == -1) + sudo_warn("setrlimit(%s)", lim->name); +@@ -254,6 +301,10 @@ + if (rc != -1 || errno != EINVAL) + break; + ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); ++ + /* + * Soft limit could be lower than current resource usage. + * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index 34f0d33..b87f494 100644 --- a/sudo.spec +++ b/sudo.spec @@ -27,6 +27,8 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 +Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -51,6 +53,7 @@ plugins that use %{name}. %setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip +%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -205,6 +208,8 @@ EOF * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 @@ -219,8 +224,6 @@ Resolves: rhbz#1786709 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 306df891f5c3e911a02ad4d8d11e4e524f807efc Mon Sep 17 00:00:00 2001 From: alakatos Date: Fri, 10 Jul 2020 09:44:22 +0200 Subject: [PATCH 10/61] Rebase to 1.9.1 Resolves: rhbz#1848788 - fix rpmlint warnings Resolves: rhbz#1817139 --- .gitignore | 1 + sources | 2 +- sudo-1.9-RLIMIT_CORE.patch | 149 ------------------------------------- sudo.rpmlintrc | 16 ++++ sudo.spec | 26 ++++--- 5 files changed, 32 insertions(+), 162 deletions(-) delete mode 100644 sudo-1.9-RLIMIT_CORE.patch create mode 100644 sudo.rpmlintrc diff --git a/.gitignore b/.gitignore index 4aa0b81..e7db9cd 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz +/sudo-1.9.1.tar.gz diff --git a/sources b/sources index e6aeaa0..35fc51b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 +SHA512 (sudo-1.9.1.tar.gz) = 7994c7d8f020188eda51787bb5f6fe7668518cc89b711e7840470db7e5bac1219490ffccc73854fecb14ceb3ffaf0fc605f3438c87b83f27921ea3626365105c diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch deleted file mode 100644 index 28027c4..0000000 --- a/sudo-1.9-RLIMIT_CORE.patch +++ /dev/null @@ -1,149 +0,0 @@ - changeset 12288:1064b906ca68 - -Ignore a failure to restore the RLIMIT_CORE resource limit. -Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY -if we set the limit to zero, even for root. This is not a problem -outside the container. -author Todd C. Miller -date Sat, 14 Mar 2020 11:13:55 -0600 -parents 72ca06a294b4 -children 40629e6fd692 -files src/limits.c -diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] -line wrap: on - line diff - ---- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 -+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 -@@ -114,13 +114,21 @@ - - if (getrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("getrlimit(RLIMIT_CORE)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); - if (setrlimit(RLIMIT_CORE, &rl) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); - #ifdef __linux__ - /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ -- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) -+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); - dumpflag = 0; -- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); -+ } -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - coredump_disabled = true; - -@@ -136,10 +144,20 @@ - debug_decl(restore_coredump, SUDO_DEBUG_UTIL); - - if (coredump_disabled) { -- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) -- sudo_warn("setrlimit(RLIMIT_CORE)"); -+ /* -+ * Linux containers don't allow RLIMIT_CORE to be set back to -+ * RLIM_INFINITY if we set the limit to zero, even for root. -+ */ -+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_CORE, [%lld, %lld])", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); -+ } - #ifdef __linux__ -- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); -+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - } - debug_return; -@@ -162,8 +180,14 @@ - - if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("getrlimit(RLIMIT_NPROC)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) == -1) { - rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); - } -@@ -180,8 +204,11 @@ - #ifdef __linux__ - debug_decl(restore_nproc, SUDO_DEBUG_UTIL); - -- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) -- sudo_warn("setrlimit(RLIMIT_NPROC)"); -+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); -+ } - - debug_return; - #endif /* __linux__ */ -@@ -203,6 +230,11 @@ - struct saved_limit *lim = &saved_limits[idx]; - if (getrlimit(lim->resource, &lim->oldlimit) == -1) - continue; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "getrlimit(lim->name) -> [%lld, %lld]", -+ (long long)lim->oldlimit.rlim_cur, -+ (long long)lim->oldlimit.rlim_max); -+ - lim->saved = true; - if (lim->newlimit.rlim_cur != RLIM_INFINITY) { - /* Don't reduce the soft resource limit. */ -@@ -217,13 +249,28 @@ - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - } - if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -- if (lim->fallback != NULL) -- rc = setrlimit(lim->resource, lim->fallback); -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ if (lim->fallback != NULL) { -+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->fallback->rlim_cur, -+ (long long)lim->fallback->rlim_max); -+ } -+ } - if (rc == -1) { - /* Try setting new rlim_cur to old rlim_max. */ - lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; -- rc = setrlimit(lim->resource, &lim->newlimit); -+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ } - } - if (rc == -1) - sudo_warn("setrlimit(%s)", lim->name); -@@ -254,6 +301,10 @@ - if (rc != -1 || errno != EINVAL) - break; - -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); -+ - /* - * Soft limit could be lower than current resource usage. - * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.rpmlintrc b/sudo.rpmlintrc new file mode 100644 index 0000000..d7c57d7 --- /dev/null +++ b/sudo.rpmlintrc @@ -0,0 +1,16 @@ +# Sudo allows restricted root access for specified users. In other words, +# it is a special package, which requires special permissions on on some +# of the installed files. +addFilter("missing-call-to-setgroups-before-setuid (/usr/bin/sudo|/usr/bin/sudoreplay|/usr/sbin/sudo_logsrvd|/usr/sbin/sudo_sendlog|/usr/libexec/sudo/sudoers.so|)$") + +addFilter("non-readable (/etc/sudo.conf|/etc/sudo_logsrvd.conf|/etc/sudoers|/usr/bin/sudoreplay) .*$") + +addFilter("non-standard-dir-perm (/etc/sudoers.d|/var/db/sudo|/var/db/sudo/lectured) .*$") + +addFilter("setuid-binary /usr/bin/sudo .*$") + +addFilter("non-standard-executable-perm (/usr/bin/sudo|/usr/bin/sudoreplay) .*$") + +addFilter("wrong-file-end-of-line-encoding /usr/share/doc/sudo/schema.ActiveDirectory$") + +addFilter("non-standard-dir-in-var db$") diff --git a/sudo.spec b/sudo.spec index bac08cd..af5f14d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,10 @@ -%global patchlevel b4 -%global upstream_version %{version}%{patchlevel} - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.0 -Release: 0.1.%{patchlevel}%{?dist} +Version: 1.9.1 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz +Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -27,8 +24,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 -Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -50,10 +45,9 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n %{name}-%{upstream_version} +%setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -152,13 +146,15 @@ EOF %files -f sudo_all.lang +%defattr(-,root,root) %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf -%attr(0644,root,root) /etc/sudo.conf +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -205,6 +201,12 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Jul 08 2020 Attila Lakatos - 1.9.1-1 +- rebase to 1.9.1 +Resolves: rhbz#1848788 +- fix rpmlint errors +Resolves: rhbz#1817139 + * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 From c5932df566ecf6acb9f85b8d71964ee41f7c2937 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 29 Jul 2020 11:37:20 +0000 Subject: [PATCH 11/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- sudo.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index af5f14d..560e0ef 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.1 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz @@ -201,6 +201,9 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Jul 29 2020 Fedora Release Engineering - 1.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Wed Jul 08 2020 Attila Lakatos - 1.9.1-1 - rebase to 1.9.1 Resolves: rhbz#1848788 From 845456e9a79f728323f9f6d8927c5ac7f1481ed4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 1 Aug 2020 09:14:45 +0000 Subject: [PATCH 12/61] - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- sudo.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 560e0ef..7381722 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.1 -Release: 2%{?dist} +Release: 3%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz @@ -201,6 +201,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Sat Aug 01 2020 Fedora Release Engineering - 1.9.1-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Wed Jul 29 2020 Fedora Release Engineering - 1.9.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 35c555c44a10f64ddf2ce568ccbe4e219034d893 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Sep 2020 16:49:29 +0200 Subject: [PATCH 13/61] Rebase to 1.9.2 Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 ++++++++++++++++++++++++++++++++++ sources | 2 +- sudo.spec | 46 +++++++++++++++++++++++++++++-------- sudoers | 2 +- 5 files changed, 83 insertions(+), 11 deletions(-) create mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index e7db9cd..4c5f1eb 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz /sudo-1.9.1.tar.gz +/sudo-1.9.2.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch new file mode 100644 index 0000000..980e767 --- /dev/null +++ b/configure-runstatedir.patch @@ -0,0 +1,43 @@ +From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 +From: Evan Anderson +Date: Sun, 6 Sep 2020 14:30:54 -0500 +Subject: [PATCH] configure: Fix runstatedir handling for distros that do not + support it + +runstatedir was added in yet-to-be released autoconf 2.70. Some distros +are shipping this addition in their autoconf packages, but others, such as Fedora, +are not. This causes the rundir variable to be set incorrectly if the configure script +is regenerated with an unpatched autoconf since the runstatedir variable set is deleted +after regeneration. This change works around that problem by checking that runstatedir +is non-empty before potentially using it to set the rundir variable +--- + configure | 2 +- + m4/sudo.m4 | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 0f6ceb16c..2e0838e01 100755 +--- a/configure ++++ b/configure +@@ -26718,7 +26718,7 @@ EOF + $as_echo_n "checking for sudo run dir location... " >&6; } + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified +diff --git a/m4/sudo.m4 b/m4/sudo.m4 +index a5a972b3c..b3a40b208 100644 +--- a/m4/sudo.m4 ++++ b/m4/sudo.m4 +@@ -120,7 +120,7 @@ dnl + AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index 35fc51b..5185f4c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.1.tar.gz) = 7994c7d8f020188eda51787bb5f6fe7668518cc89b711e7840470db7e5bac1219490ffccc73854fecb14ceb3ffaf0fc605f3438c87b83f27921ea3626365105c +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo.spec b/sudo.spec index 7381722..050f34a 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.1 -Release: 3%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz @@ -24,6 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -44,10 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep %setup -q %patch1 -p1 -b .strip +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -67,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ @@ -154,7 +168,6 @@ EOF %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf %attr(0640,root,root) %config(noreplace) /etc/sudo.conf -%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -163,8 +176,6 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo -%attr(0755,root,root) %{_sbindir}/sudo_logsrvd -%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -184,11 +195,7 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man5/sudo_logsrv.proto.5.gz -%{_mandir}/man5/sudo_logsrvd.conf.5.gz -%{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_plugin_python.8.gz -%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -200,7 +207,28 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + * Sat Aug 01 2020 Fedora Release Engineering - 1.9.1-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sudoers b/sudoers index 29775ad..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple From 7df67e16f7748e9506b7f2d47c6ef1472595fa0c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Sep 2020 16:49:29 +0200 Subject: [PATCH 14/61] Rebase to 1.9.2 Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 +++++++++++ sources | 2 +- sudo-1.9-RLIMIT_CORE.patch | 149 ------------------------------------ sudo.spec | 59 +++++++++----- sudoers | 2 +- 6 files changed, 87 insertions(+), 169 deletions(-) create mode 100644 configure-runstatedir.patch delete mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/.gitignore b/.gitignore index 4aa0b81..cc45a89 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz +/sudo-1.9.2.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch new file mode 100644 index 0000000..980e767 --- /dev/null +++ b/configure-runstatedir.patch @@ -0,0 +1,43 @@ +From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 +From: Evan Anderson +Date: Sun, 6 Sep 2020 14:30:54 -0500 +Subject: [PATCH] configure: Fix runstatedir handling for distros that do not + support it + +runstatedir was added in yet-to-be released autoconf 2.70. Some distros +are shipping this addition in their autoconf packages, but others, such as Fedora, +are not. This causes the rundir variable to be set incorrectly if the configure script +is regenerated with an unpatched autoconf since the runstatedir variable set is deleted +after regeneration. This change works around that problem by checking that runstatedir +is non-empty before potentially using it to set the rundir variable +--- + configure | 2 +- + m4/sudo.m4 | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 0f6ceb16c..2e0838e01 100755 +--- a/configure ++++ b/configure +@@ -26718,7 +26718,7 @@ EOF + $as_echo_n "checking for sudo run dir location... " >&6; } + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified +diff --git a/m4/sudo.m4 b/m4/sudo.m4 +index a5a972b3c..b3a40b208 100644 +--- a/m4/sudo.m4 ++++ b/m4/sudo.m4 +@@ -120,7 +120,7 @@ dnl + AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index e6aeaa0..5185f4c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch deleted file mode 100644 index 28027c4..0000000 --- a/sudo-1.9-RLIMIT_CORE.patch +++ /dev/null @@ -1,149 +0,0 @@ - changeset 12288:1064b906ca68 - -Ignore a failure to restore the RLIMIT_CORE resource limit. -Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY -if we set the limit to zero, even for root. This is not a problem -outside the container. -author Todd C. Miller -date Sat, 14 Mar 2020 11:13:55 -0600 -parents 72ca06a294b4 -children 40629e6fd692 -files src/limits.c -diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] -line wrap: on - line diff - ---- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 -+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 -@@ -114,13 +114,21 @@ - - if (getrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("getrlimit(RLIMIT_CORE)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); - if (setrlimit(RLIMIT_CORE, &rl) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); - #ifdef __linux__ - /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ -- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) -+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); - dumpflag = 0; -- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); -+ } -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - coredump_disabled = true; - -@@ -136,10 +144,20 @@ - debug_decl(restore_coredump, SUDO_DEBUG_UTIL); - - if (coredump_disabled) { -- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) -- sudo_warn("setrlimit(RLIMIT_CORE)"); -+ /* -+ * Linux containers don't allow RLIMIT_CORE to be set back to -+ * RLIM_INFINITY if we set the limit to zero, even for root. -+ */ -+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_CORE, [%lld, %lld])", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); -+ } - #ifdef __linux__ -- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); -+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - } - debug_return; -@@ -162,8 +180,14 @@ - - if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("getrlimit(RLIMIT_NPROC)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) == -1) { - rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); - } -@@ -180,8 +204,11 @@ - #ifdef __linux__ - debug_decl(restore_nproc, SUDO_DEBUG_UTIL); - -- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) -- sudo_warn("setrlimit(RLIMIT_NPROC)"); -+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); -+ } - - debug_return; - #endif /* __linux__ */ -@@ -203,6 +230,11 @@ - struct saved_limit *lim = &saved_limits[idx]; - if (getrlimit(lim->resource, &lim->oldlimit) == -1) - continue; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "getrlimit(lim->name) -> [%lld, %lld]", -+ (long long)lim->oldlimit.rlim_cur, -+ (long long)lim->oldlimit.rlim_max); -+ - lim->saved = true; - if (lim->newlimit.rlim_cur != RLIM_INFINITY) { - /* Don't reduce the soft resource limit. */ -@@ -217,13 +249,28 @@ - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - } - if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -- if (lim->fallback != NULL) -- rc = setrlimit(lim->resource, lim->fallback); -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ if (lim->fallback != NULL) { -+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->fallback->rlim_cur, -+ (long long)lim->fallback->rlim_max); -+ } -+ } - if (rc == -1) { - /* Try setting new rlim_cur to old rlim_max. */ - lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; -- rc = setrlimit(lim->resource, &lim->newlimit); -+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ } - } - if (rc == -1) - sudo_warn("setrlimit(%s)", lim->name); -@@ -254,6 +301,10 @@ - if (rc != -1 || errno != EINVAL) - break; - -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); -+ - /* - * Soft limit could be lower than current resource usage. - * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index b87f494..dda1983 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,10 @@ -%global patchlevel b4 -%global upstream_version %{version}%{patchlevel} - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.0 -Release: 0.1.%{patchlevel}%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -27,8 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 -Patch2: sudo-1.9-RLIMIT_CORE.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -49,11 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep -%setup -q -n %{name}-%{upstream_version} +%setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .orig +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -73,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ @@ -157,8 +165,8 @@ EOF %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf -%attr(0644,root,root) /etc/sudo.conf +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -167,8 +175,6 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo -%attr(0755,root,root) %{_sbindir}/sudo_logsrvd -%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -188,11 +194,7 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man5/sudo_logsrv.proto.5.gz -%{_mandir}/man5/sudo_logsrvd.conf.5.gz -%{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_plugin_python.8.gz -%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -204,7 +206,28 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 diff --git a/sudoers b/sudoers index 29775ad..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple From 68203ed1a2fac7aff1b57189e8c217db89e5fe4a Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 5 Oct 2020 13:34:24 +0200 Subject: [PATCH 15/61] Rebase to 1.9.3p1 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 ------------------------------------- sources | 2 +- sudo.spec | 12 ++++++++--- 4 files changed, 11 insertions(+), 47 deletions(-) delete mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index 4c5f1eb..cbf6389 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,4 @@ /sudo-1.9.0b4.tar.gz /sudo-1.9.1.tar.gz /sudo-1.9.2.tar.gz +/sudo-1.9.3p1.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch deleted file mode 100644 index 980e767..0000000 --- a/configure-runstatedir.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 -From: Evan Anderson -Date: Sun, 6 Sep 2020 14:30:54 -0500 -Subject: [PATCH] configure: Fix runstatedir handling for distros that do not - support it - -runstatedir was added in yet-to-be released autoconf 2.70. Some distros -are shipping this addition in their autoconf packages, but others, such as Fedora, -are not. This causes the rundir variable to be set incorrectly if the configure script -is regenerated with an unpatched autoconf since the runstatedir variable set is deleted -after regeneration. This change works around that problem by checking that runstatedir -is non-empty before potentially using it to set the rundir variable ---- - configure | 2 +- - m4/sudo.m4 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure b/configure -index 0f6ceb16c..2e0838e01 100755 ---- a/configure -+++ b/configure -@@ -26718,7 +26718,7 @@ EOF - $as_echo_n "checking for sudo run dir location... " >&6; } - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified -diff --git a/m4/sudo.m4 b/m4/sudo.m4 -index a5a972b3c..b3a40b208 100644 ---- a/m4/sudo.m4 -+++ b/m4/sudo.m4 -@@ -120,7 +120,7 @@ dnl - AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index 5185f4c..2a74432 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 +SHA512 (sudo-1.9.3p1.tar.gz) = 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f diff --git a/sudo.spec b/sudo.spec index 050f34a..0089dfe 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.2 +Version: 1.9.3p1 Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ @@ -21,10 +21,10 @@ BuildRequires: libselinux-devel BuildRequires: sendmail BuildRequires: gettext BuildRequires: zlib-devel +BuildRequires: python3-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -60,7 +60,6 @@ It can be used to implement centralized logging of sudo logs. %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -93,6 +92,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ + --enable-python \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -181,6 +181,7 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? @@ -217,6 +218,11 @@ EOF %{_mandir}/man8/sudo_sendlog.8.gz %changelog +* Mon Oct 05 2020 Radovan Sroka - 1.9.3p1-1 +- rebase to 1.9.3p1 +- enable python modules +Resolves: rhbz#1881112 + * Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 - rebase to 1.9.2 Resolves: rhbz#1859577 From 47a5b50ae2e3559901b5d2068a6e27b9f1219644 Mon Sep 17 00:00:00 2001 From: Michel Alexandre Salim Date: Thu, 3 Dec 2020 16:09:48 -0800 Subject: [PATCH 16/61] Update sudo URL http://www.courtesan.com/sudo/ redirects to https://www.sudo.ws/sudo/ (which is identical to https://www.sudo.ws). The latter is also the website referenced in the tarball's README. Signed-off-by: Michel Alexandre Salim --- sudo.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sudo.spec b/sudo.spec index 0089dfe..156d1b8 100644 --- a/sudo.spec +++ b/sudo.spec @@ -3,8 +3,8 @@ Name: sudo Version: 1.9.3p1 Release: 1%{?dist} License: ISC -URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +URL: https://www.sudo.ws +Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal From f6041d82cfc1be91f4fb7895b9a1bd4fb649f094 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Fri, 8 Jan 2021 22:03:13 +0000 Subject: [PATCH 17/61] Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot --- sudo.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/sudo.spec b/sudo.spec index 156d1b8..4fde64f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -10,6 +10,7 @@ Requires: pam Recommends: vim-minimal Requires(post): coreutils +BuildRequires: make BuildRequires: pam-devel BuildRequires: groff BuildRequires: openldap-devel From e30e387ccfdc7d03e9dbbff6cbf746352b30d52d Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Wed, 13 Jan 2021 13:51:24 -0500 Subject: [PATCH 18/61] Split out -python-plugin subpackage This will allow environments where Python is not desirable to still make use of sudo, such as Fedora CoreOS and other variants which value minimalism. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1909299 --- sudo.spec | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/sudo.spec b/sudo.spec index 4fde64f..78843a0 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,14 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.3p1 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal +Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} Requires(post): coreutils BuildRequires: make @@ -22,7 +23,6 @@ BuildRequires: libselinux-devel BuildRequires: sendmail BuildRequires: gettext BuildRequires: zlib-devel -BuildRequires: python3-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch @@ -57,6 +57,15 @@ BuildRequires: openssl-devel %{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. It can be used to implement centralized logging of sudo logs. +%package python-plugin +Summary: Python plugin for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel + + +%description python-plugin +%{name}-python-plugin allows using sudo plugins written in Python. + %prep %setup -q @@ -182,7 +191,6 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so -%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? @@ -197,7 +205,6 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man8/sudo_plugin_python.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -218,7 +225,15 @@ EOF %{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_sendlog.8.gz +%files python-plugin +%{_mandir}/man8/sudo_plugin_python.8.gz +%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so + %changelog +* Wed Jan 13 2021 Jonathan Lebon - 1.9.3p1-2 +- split out Python modules into separate subpackage +Resolves: rhbz#1909299 + * Mon Oct 05 2020 Radovan Sroka - 1.9.3p1-1 - rebase to 1.9.3p1 - enable python modules From a0dc0e6d59bb356662e4bd11a804d109619a2a45 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 18 Jan 2021 21:07:57 +0100 Subject: [PATCH 19/61] Rebase to 1.9.5p1 Resolves: rhbz#1902758 - fixed double free in sss_to_sudoers Resolves: rhbz#1885874 - fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit Resolves: rhbz#1915055 - fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit Resolves: rhbz#1915054 Signed-off-by: Radovan Sroka --- .gitignore | 1 + sources | 2 +- sudo.spec | 14 ++++++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index cbf6389..9ea49f6 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /sudo-1.9.1.tar.gz /sudo-1.9.2.tar.gz /sudo-1.9.3p1.tar.gz +/sudo-1.9.5p1.tar.gz diff --git a/sources b/sources index 2a74432..9d9c821 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.3p1.tar.gz) = 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f +SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 diff --git a/sudo.spec b/sudo.spec index 78843a0..779cfc9 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.3p1 -Release: 2%{?dist} +Version: 1.9.5p1 +Release: 1%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -230,6 +230,16 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 +- rebase to 1.9.5p1 +Resolves: rhbz#1902758 +- fixed double free in sss_to_sudoers +Resolves: rhbz#1885874 +- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit +Resolves: rhbz#1915055 +- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit +Resolves: rhbz#1915054 + * Wed Jan 13 2021 Jonathan Lebon - 1.9.3p1-2 - split out Python modules into separate subpackage Resolves: rhbz#1909299 From 481e766270f27ad0d6532532a0e020ec275f706a Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 5 Oct 2020 13:34:24 +0200 Subject: [PATCH 20/61] Rebase to 1.9.5p1 Resolves: rhbz#1902758 - updated sudo url - enabled python module as a subpackage Resolves: rhbz#1909299 - fixed double free in sss_to_sudoers Resolves: rhbz#1885874 - fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit Resolves: rhbz#1915055 - fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit Resolves: rhbz#1915054 Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ configure-runstatedir.patch | 43 ------------------------------------- sources | 2 +- sudo.spec | 39 +++++++++++++++++++++++++++------ 4 files changed, 35 insertions(+), 51 deletions(-) delete mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index cc45a89..5e9fd62 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,5 @@ /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz /sudo-1.9.2.tar.gz +/sudo-1.9.3p1.tar.gz +/sudo-1.9.5p1.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch deleted file mode 100644 index 980e767..0000000 --- a/configure-runstatedir.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 -From: Evan Anderson -Date: Sun, 6 Sep 2020 14:30:54 -0500 -Subject: [PATCH] configure: Fix runstatedir handling for distros that do not - support it - -runstatedir was added in yet-to-be released autoconf 2.70. Some distros -are shipping this addition in their autoconf packages, but others, such as Fedora, -are not. This causes the rundir variable to be set incorrectly if the configure script -is regenerated with an unpatched autoconf since the runstatedir variable set is deleted -after regeneration. This change works around that problem by checking that runstatedir -is non-empty before potentially using it to set the rundir variable ---- - configure | 2 +- - m4/sudo.m4 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure b/configure -index 0f6ceb16c..2e0838e01 100755 ---- a/configure -+++ b/configure -@@ -26718,7 +26718,7 @@ EOF - $as_echo_n "checking for sudo run dir location... " >&6; } - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified -diff --git a/m4/sudo.m4 b/m4/sudo.m4 -index a5a972b3c..b3a40b208 100644 ---- a/m4/sudo.m4 -+++ b/m4/sudo.m4 -@@ -120,7 +120,7 @@ dnl - AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index 5185f4c..9d9c821 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 +SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 diff --git a/sudo.spec b/sudo.spec index dda1983..f5c2639 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,14 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.2 +Version: 1.9.5p1 Release: 1%{?dist} License: ISC -URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz +URL: https://www.sudo.ws +Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal +Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} Requires(post): coreutils BuildRequires: pam-devel @@ -24,7 +25,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -56,11 +56,19 @@ BuildRequires: openssl-devel %{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. It can be used to implement centralized logging of sudo logs. +%package python-plugin +Summary: Python plugin for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel + + +%description python-plugin +%{name}-python-plugin allows using sudo plugins written in Python. + %prep %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -80,7 +88,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ - --enable-openssl \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ @@ -93,6 +101,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ + --enable-python \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -194,7 +203,6 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man8/sudo_plugin_python.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -215,7 +223,24 @@ EOF %{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_sendlog.8.gz +%files python-plugin +%{_mandir}/man8/sudo_plugin_python.8.gz +%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so + %changelog +* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 +- rebase to 1.9.5p1 +- updated sudo url +Resolves: rhbz#1902758 +- enabled python plugin as a subpackage +Resolves: rhbz#1909299 +- fixed double free in sss_to_sudoers +Resolves: rhbz#1885874 +- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit +Resolves: rhbz#1915055 +- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit +Resolves: rhbz#1915054 + * Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 - rebase to 1.9.2 Resolves: rhbz#1859577 From 36f24bedc668548d167e5236825983c1155bdc6a Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 26 Jan 2021 14:00:13 -0500 Subject: [PATCH 21/61] update to 1.9.5p2 to address bug 1920618 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing --- .gitignore | 1 + sources | 2 +- sudo.spec | 6 +++++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 9ea49f6..eb540df 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /sudo-1.9.2.tar.gz /sudo-1.9.3p1.tar.gz /sudo-1.9.5p1.tar.gz +/sudo-1.9.5p2.tar.gz diff --git a/sources b/sources index 9d9c821..e39bcb4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 +SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 diff --git a/sudo.spec b/sudo.spec index 779cfc9..ed546f3 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.5p1 +Version: 1.9.5p2 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws @@ -230,6 +230,10 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 +- rebase to 1.9.5p2 +Resolves: 1920618 + * Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 - rebase to 1.9.5p1 Resolves: rhbz#1902758 From 571662fc2efb75cca738d11d48fe95bf6a86a483 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 26 Jan 2021 14:52:06 -0500 Subject: [PATCH 22/61] update rhbz entries in changelog --- sudo.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index ed546f3..446b638 100644 --- a/sudo.spec +++ b/sudo.spec @@ -232,7 +232,9 @@ EOF %changelog * Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 - rebase to 1.9.5p2 -Resolves: 1920618 +Resolves: rhbz#1920611 +- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing +Resolves: rhbz#1920618 * Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 - rebase to 1.9.5p1 From 74fbecc114b34bcfd74c59dd6a2f1bf818769aee Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 26 Jan 2021 14:00:13 -0500 Subject: [PATCH 23/61] Rebase to 1.9.5p2 Resolves: rhbz#1920611 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing Resolves: rhbz#1920618 --- .gitignore | 1 + sources | 2 +- sudo.spec | 8 +++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 5e9fd62..8ab0a58 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /sudo-1.9.2.tar.gz /sudo-1.9.3p1.tar.gz /sudo-1.9.5p1.tar.gz +/sudo-1.9.5p2.tar.gz diff --git a/sources b/sources index 9d9c821..e39bcb4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 +SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 diff --git a/sudo.spec b/sudo.spec index f5c2639..acd2ff1 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.5p1 +Version: 1.9.5p2 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws @@ -228,6 +228,12 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 +- rebase to 1.9.5p2 +Resolves: rhbz#1920611 +- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing +Resolves: rhbz#1920618 + * Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 - rebase to 1.9.5p1 - updated sudo url From 5590a6628da4a613e991c45f576e95729bd33568 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 4 Jun 2021 21:15:47 +0200 Subject: [PATCH 24/61] Rebuilt for Python 3.10 --- sudo.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 446b638..421a2a8 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.5p2 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -230,6 +230,9 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Fri Jun 04 2021 Python Maint - 1.9.5p2-2 +- Rebuilt for Python 3.10 + * Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 - rebase to 1.9.5p2 Resolves: rhbz#1920611 From e9983f0902856ed85921077d5493e5afa8ce2a20 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 18:25:32 +0000 Subject: [PATCH 25/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- sudo.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 421a2a8..e1e3e6e 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.5p2 -Release: 2%{?dist} +Release: 3%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -230,6 +230,9 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 1.9.5p2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Fri Jun 04 2021 Python Maint - 1.9.5p2-2 - Rebuilt for Python 3.10 From d8c0683b917be33ef9d9440b20ef9ba92204f4ff Mon Sep 17 00:00:00 2001 From: Peter Czanik Date: Thu, 5 Aug 2021 08:25:56 +0200 Subject: [PATCH 26/61] - update to 1.9.7p2 - follow up path change in strip patch - added --enable-zlib=system configure parameter, so sudo uses system zlib, autoconf is no more needed Signed-off-by: Peter Czanik --- sudo-1.6.7p5-strip.patch | 4 ++-- sudo.spec | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/sudo-1.6.7p5-strip.patch b/sudo-1.6.7p5-strip.patch index f9e2faa..f690659 100644 --- a/sudo-1.6.7p5-strip.patch +++ b/sudo-1.6.7p5-strip.patch @@ -1,5 +1,5 @@ ---- sudo-1.6.7p5/install-sh.strip 2005-07-21 14:28:25.000000000 +0200 -+++ sudo-1.6.7p5/install-sh 2005-07-21 14:29:18.000000000 +0200 +--- sudo-1.6.7p5/scripts/install-sh.strip 2005-07-21 14:28:25.000000000 +0200 ++++ sudo-1.6.7p5/scripts/install-sh 2005-07-21 14:29:18.000000000 +0200 @@ -138,7 +138,7 @@ fi ;; diff --git a/sudo.spec b/sudo.spec index e1e3e6e..ceb4c24 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.5p2 -Release: 3%{?dist} +Version: 1.9.7p2 +Release: 1%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -17,7 +17,8 @@ BuildRequires: groff BuildRequires: openldap-devel BuildRequires: flex BuildRequires: bison -BuildRequires: automake autoconf libtool +# BuildRequires: automake autoconf libtool +BuildRequires: libtool BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel BuildRequires: sendmail @@ -74,7 +75,7 @@ BuildRequires: python3-devel %build # Remove bundled copy of zlib rm -rf zlib/ -autoreconf -I m4 -fv --install +#autoreconf -I m4 -fv --install %ifarch s390 s390x sparc64 F_PIE=-fPIE @@ -103,6 +104,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-selinux \ --with-passprompt="[sudo] password for %p: " \ --enable-python \ + --enable-zlib=system \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -230,6 +232,12 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Fri Jul 30 2021 Peter Czanik - 1.9.7p2-1 +- update to 1.9.7p2 +- follow up path change in strip patch +- added --enable-zlib=system configure parameter, so sudo uses system zlib, + autoconf is no more needed + * Fri Jul 23 2021 Fedora Release Engineering - 1.9.5p2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From dd1363faa35f510c1556d506257c06ae7a83bce9 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Sat, 7 Aug 2021 12:43:08 -0400 Subject: [PATCH 27/61] update sources file for previous PR --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index e39bcb4..3bae7ed 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 +SHA512 (sudo-1.9.7p2.tar.gz) = 39184127122014d0d1d194d455644191009835ffdcc0efda3a99028fe346ca3ff6b15341016f85029556e9f1f9deeaf83b52160effc47d1a5713affb36b99386 From 442af28d89abad6b461155b5d38dfacaf68cba99 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Sat, 7 Aug 2021 12:49:06 -0400 Subject: [PATCH 28/61] - drop obsolete requirement for post script that doesn't exist anymore (thanks @scfc) - remove commented-out lines from prior PR --- sudo.spec | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sudo.spec b/sudo.spec index ceb4c24..d2e2cd9 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.7p2 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -9,7 +9,6 @@ Source1: sudoers Requires: pam Recommends: vim-minimal Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} -Requires(post): coreutils BuildRequires: make BuildRequires: pam-devel @@ -17,7 +16,6 @@ BuildRequires: groff BuildRequires: openldap-devel BuildRequires: flex BuildRequires: bison -# BuildRequires: automake autoconf libtool BuildRequires: libtool BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel @@ -75,7 +73,6 @@ BuildRequires: python3-devel %build # Remove bundled copy of zlib rm -rf zlib/ -#autoreconf -I m4 -fv --install %ifarch s390 s390x sparc64 F_PIE=-fPIE @@ -232,6 +229,11 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Sat Aug 7 2021 Matthew Miller - 1.9.7p2-2 +- drop obsolete requirement for post script that doesn't exist anymore + (thanks @scfc) +- remove commented-out lines from prior PR + * Fri Jul 30 2021 Peter Czanik - 1.9.7p2-1 - update to 1.9.7p2 - follow up path change in strip patch From f02ed1c65ea5e8e513344d1b251e0dcdd8188ac0 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Wed, 25 Aug 2021 11:03:18 -0400 Subject: [PATCH 29/61] enable rpmautospec (https://docs.pagure.org/Fedora-Infra.rpmautospec/) --- changelog | 833 +++++++++++++++++++++++++++++++++++++++++++++++++++++ sudo.spec | 836 +----------------------------------------------------- 2 files changed, 835 insertions(+), 834 deletions(-) create mode 100644 changelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..2345722 --- /dev/null +++ b/changelog @@ -0,0 +1,833 @@ +* Sat Aug 7 2021 Matthew Miller - 1.9.7p2-2 +- drop obsolete requirement for post script that doesn't exist anymore + (thanks @scfc) +- remove commented-out lines from prior PR + +* Fri Jul 30 2021 Peter Czanik - 1.9.7p2-1 +- update to 1.9.7p2 +- follow up path change in strip patch +- added --enable-zlib=system configure parameter, so sudo uses system zlib, + autoconf is no more needed + +* Fri Jul 23 2021 Fedora Release Engineering - 1.9.5p2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 1.9.5p2-2 +- Rebuilt for Python 3.10 + +* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 +- rebase to 1.9.5p2 +Resolves: rhbz#1920611 +- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing +Resolves: rhbz#1920618 + +* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 +- rebase to 1.9.5p1 +Resolves: rhbz#1902758 +- fixed double free in sss_to_sudoers +Resolves: rhbz#1885874 +- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit +Resolves: rhbz#1915055 +- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit +Resolves: rhbz#1915054 + +* Wed Jan 13 2021 Jonathan Lebon - 1.9.3p1-2 +- split out Python modules into separate subpackage +Resolves: rhbz#1909299 + +* Mon Oct 05 2020 Radovan Sroka - 1.9.3p1-1 +- rebase to 1.9.3p1 +- enable python modules +Resolves: rhbz#1881112 + +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + +* Sat Aug 01 2020 Fedora Release Engineering - 1.9.1-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 1.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 08 2020 Attila Lakatos - 1.9.1-1 +- rebase to 1.9.1 +Resolves: rhbz#1848788 +- fix rpmlint errors +Resolves: rhbz#1817139 + +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 + +* Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 +- rebase to 1.8.29 +Resolves: rhbz#1766233 + +* Tue Oct 22 2019 Radovan Sroka - 1.8.28p1-1 +- rebase to 1.8.28p1 +Resolves: rhbz#1762350 + +* Tue Oct 15 2019 Radovan Sroka - 1.8.28-1 +- rebase to 1.8.28 +Resolves: rhbz#1761533 +- set always_set_home by default +Resolves: rhbz#1728687 +- Sync sudoers options from rhel8 to fedora +Resolves: rhbz#1761781 +- CVE-2019-14287 +Resolves: rhbz#1761584 + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.27-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Mar 31 2019 Marek Tamaskovic 1.8.27-2 +- resolves rhbz#1676925 +- Removed PS1, PS2 from sudoers + +* Mon Mar 11 2019 Radovan Sroka 1.8.27-1 +- rebase sudo to 1.8.27 + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.25p1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Oct 01 2018 Radovan Sroka 1.8.25p1-1 +- rebase sudo to 1.8.25p1 + +* Mon Sep 10 2018 Radovan Sroka 1.8.25-1 +- rebase sudo to latest stawble version +- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.8.23-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 03 2018 Matthew Miller - 1.8.23-2 +- remove defattr, as default is now sane + +* Wed May 09 2018 Daniel Kopecek - 1.8.23-1 +- update to 1.8.23 + +* Wed Apr 18 2018 Daniel Kopecek - 1.8.23-0.1.b3 +- update to 1.8.23b3 + +* Fri Feb 09 2018 Fedora Release Engineering - 1.8.22-0.2.b1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Dec 14 2017 Radovan Sroka - 1.8.22b1-1 +- update to 1.8.22b1 +- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185 + +* Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 +- update to 1.8.21p2 +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) + +* Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 +- replace file-based requirements with package-level ones: +- /etc/pam.d/system-auth to 'pam' +- /bin/chmod to 'coreutils' (bug #1488934) +- /usr/bin/vi to vim-minimal +- ... and make vim-minimal "recommends" instead of "requires", because + other editors can be configured. + +* Thu Aug 03 2017 Fedora Release Engineering - 1.8.20p2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.8.20p2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 +- update to 1.8.20p2 + +* Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 +- update to 1.8.20p1 +- fixes CVE-2017-1000367 + Resolves: rhbz#1456884 + +* Fri Apr 07 2017 Jiri Vymazal - 1.8.20-0.1.b1 +- update to latest development version 1.8.20b1 +- added sudo to dnf/yum protected packages + Resolves: rhbz#1418756 + +* Mon Feb 13 2017 Tomas Sykora - 1.8.19p2-1 +- update to 1.8.19p2 + +* Sat Feb 11 2017 Fedora Release Engineering - 1.8.19-0.3.20161108git738c3cb +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Nov 08 2016 Daniel Kopecek 1.8.19-0.2.20161108git738c3cb +- update to latest development version +- fixes CVE-2016-7076 + +* Fri Sep 23 2016 Radovan Sroka 1.8.19-0.1.20160923git90e4538 +- we were not able to update from rc and beta versions to stable one +- so this is a new snapshot package which resolves it + +* Wed Sep 21 2016 Radovan Sroka 1.8.18-1 +- update to 1.8.18 + +* Fri Sep 16 2016 Radovan Sroka 1.8.18rc4-1 +- update to 1.8.18rc4 + +* Wed Sep 14 2016 Radovan Sroka 1.8.18rc2-1 +- update to 1.8.18rc2 +- dropped sudo-1.8.14p1-ldapconfpatch.patch + upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html + +* Fri Aug 26 2016 Radovan Sroka 1.8.18b2-1 +- update to 1.8.18b2 +- added --disable-root-mailer as configure option + Resolves: rhbz#1324091 + +* Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 +- update to 1.8.17p1 +- install the /var/db/sudo/lectured + Resolves: rhbz#1321414 + +* Tue May 31 2016 Daniel Kopecek 1.8.16-4 +- removed INPUTRC from env_keep to prevent a possible info leak + Resolves: rhbz#1340701 + +* Fri May 13 2016 Daniel Kopecek 1.8.16-3 +- fixed upstream patch for rhbz#1328735 + +* Thu May 12 2016 Daniel Kopecek 1.8.16-2 +- fixed invalid sesh argument array construction + +* Mon Apr 04 2016 Daniel Kopecek 1.8.16-1 +- update to 1.8.16 + +* Fri Feb 05 2016 Fedora Release Engineering - 1.8.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Nov 5 2015 Daniel Kopecek 1.8.15-1 +- update to 1.8.15 +- fixes CVE-2015-5602 + +* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-3 +- enable upstream test suite + +* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 +- add patch that resolves initialization problem before sudo_strsplit call +- add patch that resolves deadcode in visudo.c +- add patch that removes extra while in visudo.c and sudoers.c + +* Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 +- update to 1.8.14p3 + +* Mon Jul 20 2015 Radovan Sroka 1.8.14p1-1 +- update to 1.8.14p1-1 +- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch +- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch + +* Tue Jul 14 2015 Radovan Sroka 1.8.12-2 +- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time +- Resolves: rhbz#1162070 + +* Fri Jul 10 2015 Radovan Sroka - 1.8.14b4-1 +- Update to 1.8.14b4 +- Add own %%{_tmpfilesdir}/sudo.conf + +* Fri Jun 19 2015 Fedora Release Engineering - 1.8.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Feb 18 2015 Daniel Kopecek - 1.8.12 +- update to 1.8.12 +- fixes CVE-2014-9680 + +* Mon Nov 3 2014 Daniel Kopecek - 1.8.11p2-1 +- update to 1.8.11p2 +- added patch to fix upstream bug #671 -- exiting immediately + when audit is disabled + +* Tue Sep 30 2014 Daniel Kopecek - 1.8.11-1 +- update to 1.8.11 +- major changes & fixes: + - when running a command in the background, sudo will now forward + SIGINFO to the command + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - SELinux role changes are now audited. For sudoedit, we now audit + the actual editor being run, instead of just the sudoedit command. + - it is now possible to match an environment variable's value as well as + its name using env_keep and env_check + - new files created via sudoedit as a non-root user now have the proper group id + - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support + - it is now possible to disable network interface probing in sudo.conf by + changing the value of the probe_interfaces setting + - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt + for the user's password even if the targetpw, rootpw or runaspw options are set. + - the new use_netgroups sudoers option can be used to explicitly enable or disable + netgroups support + - visudo can now export a sudoers file in JSON format using the new -x flag +- added patch to read ldap.conf more closely to nss_ldap +- require /usr/bin/vi instead of vim-minimal +- include pam.d/system-auth in PAM session phase from pam.d/sudo +- include pam.d/sudo in PAM session phase from pam.d/sudo-i + +* Tue Aug 5 2014 Tom Callaway - 1.8.8-6 +- fix license handling + +* Sun Jun 08 2014 Fedora Release Engineering - 1.8.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat May 31 2014 Peter Robinson 1.8.8-4 +- Drop ChangeLog, we ship NEWS + +* Mon Mar 10 2014 Daniel Kopecek - 1.8.8-3 +- remove bundled copy of zlib before compilation +- drop the requiretty Defaults setting from sudoers + +* Sat Jan 25 2014 Ville Skyttä - 1.8.8-2 +- Own the %%{_libexecdir}/sudo dir. + +* Mon Sep 30 2013 Daniel Kopecek - 1.8.8-1 +- update to 1.8.8 +- major changes & fixes: + - LDAP SASL support now works properly with Kerberos + - root may no longer change its SELinux role without entering a password + - user messages are now always displayed in the user's locale, even when + the same message is being logged or mailed in a different locale. + - log files created by sudo now explicitly have the group set to group + ID 0 rather than relying on BSD group semantics + - sudo now stores its libexec files in a sudo subdirectory instead of in + libexec itself + - system_group and group_file sudoers group provider plugins are now + installed by default + - the paths to ldap.conf and ldap.secret may now be specified as arguments + to the sudoers plugin in the sudo.conf file + - ...and many new features and settings. See the upstream ChangeLog for the + full list. +- several sssd support fixes +- added patch to make uid/gid specification parsing more strict (don't accept + an invalid number as uid/gid) +- use the _pkgdocdir macro + (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs) +- fixed several bugs found by the clang static analyzer +- added %%post dependency on chmod + +* Sun Aug 04 2013 Fedora Release Engineering - 1.8.6p7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 +- update to 1.8.6p7 +- fixes CVE-2013-1775 and CVE-2013-1776 +- fixed several packaging issues (thanks to ville.skytta@iki.fi) + - build with system zlib. + - let rpmbuild strip libexecdir/*.so. + - own the %%{_docdir}/sudo-* dir. + - fix some rpmlint warnings (spaces vs tabs, unescaped macros). + - fix bogus %%changelog dates. + +* Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 +- added upstream patch for a regression +- don't include arch specific files in the -devel subpackage +- ship only one sample plugin in the -devel subpackage + +* Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 +- update to 1.8.6p3 +- drop -pipelist patch (fixed in upstream) + +* Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 +- update to 1.8.6 + +* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 +- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) +- re-enabled SSSD support +- removed libsss_sudo dependency + +* Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 +- flip sudoers2ldif executable bit after make install, not in setup + +* Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 +- update to 1.8.5 +- fixed CVE-2012-2337 +- temporarily disabled SSSD support + +* Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 +- fixed problems with undefined symbols (rhbz#798517) + +* Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 +- SSSD patch update + +* Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 +- added SSSD support + +* Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 +- added patch for CVE-2012-0809 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 +- update to 1.8.3p1 +- disable output word wrapping if the output is piped + +* Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 +- Remove execute bit from sample script in docs so we don't pull in perl + +* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 +- rebase to 1.8.1p2 +- removed .sudoi patch +- fixed typo: RELPRO -> RELRO +- added -devel subpackage for the sudo_plugin.h header file +- use default ldap configuration files again + +* Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 +- build with RELRO + +* Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 +- rebase to 1.7.4p5 +- fixed sudo-1.7.4p4-getgrouplist.patch +- fixes CVE-2011-0008, CVE-2011-0010 + +* Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 +- anybody in the wheel group has now root access (using password) (rhbz#656873) +- sync configuration paths with the nss_ldap package (rhbz#652687) + +* Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 +- added upstream patch to fix rhbz#638345 + +* Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 +- added patch for #635250 +- /var/run/sudo -> /var/db/sudo in .spec + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 +- sudo now uses /var/db/sudo for timestamps + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 +- update to new upstream version +- new command available: sudoreplay +- use native audit support +- corrected license field value: BSD -> ISC + +* Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 +- added patch that fixes insufficient environment sanitization issue (#598154) + +* Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 +- update to new upstream version +- merged .audit and .libaudit patch +- added sudoers.ldap.5* to files + +* Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 +- update to new upstream version + +* Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 +- fixed no valid sudoers sources found (#558875) + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 +- audit related Makefile.in and configure.in corrections +- added --with-audit configure option +- removed call to libtoolize + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 +- fixed segfault when #include directive is used in cycles (#561336) + +* Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 +- Add /etc/sudoers.d dir and use it in default config (#551470). +- Drop *.pod man page duplicates from docs. + +* Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 +- new upstream version 1.7.2p2-1 +- commented out unused aliases in sudoers to make visudo happy (#550239) + +* Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 +- rebuilt with new audit + +* Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 +- moved secure_path from compile-time option to sudoers file (#517428) + +* Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 +- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) +- epoch number sync + +* Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 +- updated sudo to version 1.7.1 +- fixed small bug in configure.in (sudo-1.7.1-conffix.patch) + +* Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 +- fixed building with new libtool +- fix for incorrect handling of groups in Runas_User +- added /usr/local/sbin to secure-path + +* Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 +- build with sendmail installed +- Added /usr/local/bin to secure-path + +* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 +- adjust audit patch, do not scream when kernel is + compiled without audit netlink support (#401201) + +* Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 +- upgrade + +* Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 +- build with newer autoconf-2.62 (#449614) + +* Tue May 13 2008 Peter Vrabec 1.6.9p13-6 +- compiled with secure path (#80215) + +* Mon May 05 2008 Peter Vrabec 1.6.9p13-5 +- fix path to updatedb in /etc/sudoers (#445103) + +* Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 +- include ldap files in rpm package (#439506) + +* Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3 +- include [sudo] in password prompt (#437092) + +* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2 +- audit support improvement + +* Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1 +- upgrade to the latest upstream release + +* Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1 +- upgrade to the latest upstream release +- add selinux support + +* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 +- sparc64 needs to be in the -fPIE list with s390 + +* Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 +- fix complains about audit_log_user_command(): Connection + refused (#401201) + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 +- Rebuild for deps + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-3 +- Rebuild for openssl bump + +* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 +- fix autotools stuff and add audit support + +* Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 +- upgrade to upstream release + +* Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14 +- also use getgrouplist() to determine group membership (#235915) + +* Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13 +- fix some spec file issues + +* Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12 +- fix rpmlint issue + +* Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11 +- fix typo in sudoers file (#212308) + +* Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9 +- fix sudoers file, X apps didn't work (#206320) + +* Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8 +- use Red Hat specific default sudoers file + +* Sun Jul 16 2006 Karel Zak 1.6.8p12-7 +- fix #198755 - make login processes (sudo -i) initialise session keyring + (thanks for PAM config files to David Howells) +- add IPv6 support (patch by Milan Zazrivec) + +* Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1 +- rebuild + +* Mon May 29 2006 Karel Zak 1.6.8p12-6 +- fix #190062 - "ssh localhost sudo su" will show the password in clear + +* Tue May 23 2006 Karel Zak 1.6.8p12-5 +- add LDAP support (#170848) + +* Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1 +- bump again for double-long bug on ppc(64) + +* Wed Feb 8 2006 Karel Zak 1.6.8p12-4 +- reset env. by default + +* Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Jan 23 2006 Dan Walsh 1.6.8p12-3 +- Remove selinux patch. It has been decided that the SELinux patch for sudo is +- no longer necessary. In tageted policy it had no effect. In strict/MLS policy +- We require the person using sudo to execute newrole before using sudo. + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Nov 25 2005 Karel Zak 1.6.8p12-1 +- new upstream version 1.6.8p12 + +* Tue Nov 8 2005 Karel Zak 1.6.8p11-1 +- new upstream version 1.6.8p11 + +* Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6 +- use include instead of pam_stack in pam config + +* Tue Oct 11 2005 Karel Zak 1.6.8p9-5 +- enable interfaces in selinux patch +- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-4 +- fix debuginfo + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-3 +- fix #162623 - sesh hangs when child suspends + +* Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 +- Add back in interfaces call, SELinux has been fixed to work around + +* Tue Jun 21 2005 Karel Zak 1.6.8p9-1 +- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) + +* Tue May 24 2005 Karel Zak 1.6.8p8-2 +- fix #154511 - sudo does not use limits.conf + +* Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 +- new version 1.6.8p8: new sudoedit and sudo_noexec + +* Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 +- rebuild + +* Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 +- added missing BuildRequires for libselinux-devel (#132883) + +* Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 +- Fix missing param error in sesh + +* Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 +- Remove full patch check from sesh + +* Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 +- Fix selinux patch to switch to root user + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 +- Eliminate tty handling from selinux + +* Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 +- fixed spec file: sesh in file section with selinux flag (#119682) + +* Tue Mar 30 2004 Colin Walters 1.6.7p5-24 +- Enhance sesh.c to fork/exec children itself, to avoid + having sudo reap all domains. +- Only reinstall default signal handlers immediately before + exec of child with SELinux patch + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 +- change to default to sysadm_r +- Fix tty handling + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 +- Add /bin/sesh to run selinux code. +- replace /bin/bash -c with /bin/sesh + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 +- Hard code to use "/bin/bash -c" for selinux + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 +- Eliminate closing and reopening of terminals, to match su. + +* Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 +- SELinux fixes to make transitions work properly + +* Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 +- pied sudo + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 +- Eliminate interfaces call, since this requires big SELinux privs +- and it seems to be useless. + +* Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 +- visudo requires vim-minimal or setting EDITOR to something useful (#68605) + +* Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 +- Fix is_selinux_enabled call + +* Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 +- Clean up patch on failure + +* Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 +- Remove sudo.te for now. + +* Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 +- Fix usage message + +* Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 +- Clean up sudo.te to not blow up if pam.te not present + +* Thu Dec 18 2003 Thomas Woerner +- added missing BuildRequires for groff + +* Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 +- remove left-over debugging code + +* Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 +- Fix terminal handling that caused Sudo to exit on non selinux machines. + +* Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 +- Remove sudo_var_run_t which is now pam_var_run_t + +* Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 +- Fix terminal handling and policy + +* Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 +- Fix policy + +* Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel +- Turn on SELinux support + +* Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 +- Add support for SELinux + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Mon May 19 2003 Thomas Woerner 1.6.7p5-1 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 +- remove absolute path names from the PAM configuration, ensuring that the + right modules get used for whichever arch we're built for +- don't try to install the FAQ, which isn't there any more + +* Thu Jun 27 2002 Bill Nottingham 1.6.6-1 +- update to 1.6.6 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 +- Fix bug #63768 + +* Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 +- 1.6.5p2 + +* Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 +- 1.6.5p1 +- Hope this "a new release per day" madness stops ;) + +* Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 +- 1.6.5 + +* Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 +- 1.6.4p1 + +* Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 +- Update to 1.6.4 + +* Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 +- Add build requirements (#49706) +- s/Copyright/License/ +- bzip2 source + +* Sat Jun 16 2001 Than Ngo +- update to 1.6.3p7 +- use %%{_tmppath} + +* Fri Feb 23 2001 Bernhard Rosenkraenzer +- 1.6.3p6, fixes buffer overrun + +* Tue Oct 10 2000 Bernhard Rosenkraenzer +- 1.6.3p5 + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jun 06 2000 Karsten Hopp +- fixed owner of sudo and visudo + +* Thu Jun 1 2000 Nalin Dahyabhai +- modify PAM setup to use system-auth +- clean up buildrooting by using the makeinstall macro + +* Tue Apr 11 2000 Bernhard Rosenkraenzer +- initial build in main distrib +- update to 1.6.3 +- deal with compressed man pages + +* Tue Dec 14 1999 Preston Brown +- updated to 1.6.1 for Powertools 6.2 +- config files are now noreplace. + +* Thu Jul 22 1999 Tim Powers +- updated to 1.5.9p2 for Powertools 6.1 + +* Wed May 12 1999 Bill Nottingham +- sudo is configured with pam. There's no pam.d file. Oops. + +* Mon Apr 26 1999 Preston Brown +- upgraded to 1.59p1 for powertools 6.0 + +* Tue Oct 27 1998 Preston Brown +- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) + +* Thu Oct 08 1998 Michael Maher +- built package for 5.2 + +* Mon May 18 1998 Michael Maher +- updated SPEC file + +* Thu Jan 29 1998 Otto Hammersmith +- updated to 1.5.4 + +* Tue Nov 18 1997 Otto Hammersmith +- built for glibc, no problems + +* Fri Apr 25 1997 Michael Fulbright +- Fixed for 4.2 PowerTools +- Still need to be pamified +- Still need to move stmp file to /var/log + +* Mon Feb 17 1997 Michael Fulbright +- First version for PowerCD. diff --git a/sudo.spec b/sudo.spec index d2e2cd9..762cc13 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.7p2 -Release: 2%{?dist} +Release: %autorelease License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz @@ -229,836 +229,4 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog -* Sat Aug 7 2021 Matthew Miller - 1.9.7p2-2 -- drop obsolete requirement for post script that doesn't exist anymore - (thanks @scfc) -- remove commented-out lines from prior PR - -* Fri Jul 30 2021 Peter Czanik - 1.9.7p2-1 -- update to 1.9.7p2 -- follow up path change in strip patch -- added --enable-zlib=system configure parameter, so sudo uses system zlib, - autoconf is no more needed - -* Fri Jul 23 2021 Fedora Release Engineering - 1.9.5p2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Fri Jun 04 2021 Python Maint - 1.9.5p2-2 -- Rebuilt for Python 3.10 - -* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 -- rebase to 1.9.5p2 -Resolves: rhbz#1920611 -- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing -Resolves: rhbz#1920618 - -* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 -- rebase to 1.9.5p1 -Resolves: rhbz#1902758 -- fixed double free in sss_to_sudoers -Resolves: rhbz#1885874 -- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit -Resolves: rhbz#1915055 -- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit -Resolves: rhbz#1915054 - -* Wed Jan 13 2021 Jonathan Lebon - 1.9.3p1-2 -- split out Python modules into separate subpackage -Resolves: rhbz#1909299 - -* Mon Oct 05 2020 Radovan Sroka - 1.9.3p1-1 -- rebase to 1.9.3p1 -- enable python modules -Resolves: rhbz#1881112 - -* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 -- rebase to 1.9.2 -Resolves: rhbz#1859577 -- added logsrvd subpackage -- added openssl-devel buildrequires -Resolves: rhbz#1860653 -- fixed sudo runstatedir path -- it was generated as /sudo instead of /run/sudo -Resolves: rhbz#1868215 -- added /var/lib/snapd/snap/bin to secure_path variable -Resolves: rhbz#1691996 - -* Sat Aug 01 2020 Fedora Release Engineering - 1.9.1-3 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 29 2020 Fedora Release Engineering - 1.9.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 08 2020 Attila Lakatos - 1.9.1-1 -- rebase to 1.9.1 -Resolves: rhbz#1848788 -- fix rpmlint errors -Resolves: rhbz#1817139 - -* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 -- update to latest development version 1.9.0b4 -Resolves: rhbz#1816593 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 - -* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 -- update to latest development version 1.9.0b1 -- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages -Resolves: rhbz#1787823 -- Stack based buffer overflow in when pwfeedback is enabled -Resolves: rhbz#1796945 -- fixes: CVE-2019-18634 -- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account -Resolves: rhbz#1786709 -- fixes CVE-2019-19234 -- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user -Resolves: rhbz#1786705 -- fixes CVE-2019-19232 - -* Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Nov 11 2019 Radovan Sroka - 1.8.29-1 -- rebase to 1.8.29 -Resolves: rhbz#1766233 - -* Tue Oct 22 2019 Radovan Sroka - 1.8.28p1-1 -- rebase to 1.8.28p1 -Resolves: rhbz#1762350 - -* Tue Oct 15 2019 Radovan Sroka - 1.8.28-1 -- rebase to 1.8.28 -Resolves: rhbz#1761533 -- set always_set_home by default -Resolves: rhbz#1728687 -- Sync sudoers options from rhel8 to fedora -Resolves: rhbz#1761781 -- CVE-2019-14287 -Resolves: rhbz#1761584 - -* Sat Jul 27 2019 Fedora Release Engineering - 1.8.27-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Mar 31 2019 Marek Tamaskovic 1.8.27-2 -- resolves rhbz#1676925 -- Removed PS1, PS2 from sudoers - -* Mon Mar 11 2019 Radovan Sroka 1.8.27-1 -- rebase sudo to 1.8.27 - -* Sun Feb 03 2019 Fedora Release Engineering - 1.8.25p1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Oct 01 2018 Radovan Sroka 1.8.25p1-1 -- rebase sudo to 1.8.25p1 - -* Mon Sep 10 2018 Radovan Sroka 1.8.25-1 -- rebase sudo to latest stawble version -- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968) - -* Sat Jul 14 2018 Fedora Release Engineering - 1.8.23-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jul 03 2018 Matthew Miller - 1.8.23-2 -- remove defattr, as default is now sane - -* Wed May 09 2018 Daniel Kopecek - 1.8.23-1 -- update to 1.8.23 - -* Wed Apr 18 2018 Daniel Kopecek - 1.8.23-0.1.b3 -- update to 1.8.23b3 - -* Fri Feb 09 2018 Fedora Release Engineering - 1.8.22-0.2.b1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Thu Dec 14 2017 Radovan Sroka - 1.8.22b1-1 -- update to 1.8.22b1 -- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185 - -* Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 -- update to 1.8.21p2 -- Moved libsudo_util.so from the -devel sub-package to main package (1481225) - -* Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 -- replace file-based requirements with package-level ones: -- /etc/pam.d/system-auth to 'pam' -- /bin/chmod to 'coreutils' (bug #1488934) -- /usr/bin/vi to vim-minimal -- ... and make vim-minimal "recommends" instead of "requires", because - other editors can be configured. - -* Thu Aug 03 2017 Fedora Release Engineering - 1.8.20p2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.8.20p2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 -- update to 1.8.20p2 - -* Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 -- update to 1.8.20p1 -- fixes CVE-2017-1000367 - Resolves: rhbz#1456884 - -* Fri Apr 07 2017 Jiri Vymazal - 1.8.20-0.1.b1 -- update to latest development version 1.8.20b1 -- added sudo to dnf/yum protected packages - Resolves: rhbz#1418756 - -* Mon Feb 13 2017 Tomas Sykora - 1.8.19p2-1 -- update to 1.8.19p2 - -* Sat Feb 11 2017 Fedora Release Engineering - 1.8.19-0.3.20161108git738c3cb -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Nov 08 2016 Daniel Kopecek 1.8.19-0.2.20161108git738c3cb -- update to latest development version -- fixes CVE-2016-7076 - -* Fri Sep 23 2016 Radovan Sroka 1.8.19-0.1.20160923git90e4538 -- we were not able to update from rc and beta versions to stable one -- so this is a new snapshot package which resolves it - -* Wed Sep 21 2016 Radovan Sroka 1.8.18-1 -- update to 1.8.18 - -* Fri Sep 16 2016 Radovan Sroka 1.8.18rc4-1 -- update to 1.8.18rc4 - -* Wed Sep 14 2016 Radovan Sroka 1.8.18rc2-1 -- update to 1.8.18rc2 -- dropped sudo-1.8.14p1-ldapconfpatch.patch - upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html - -* Fri Aug 26 2016 Radovan Sroka 1.8.18b2-1 -- update to 1.8.18b2 -- added --disable-root-mailer as configure option - Resolves: rhbz#1324091 - -* Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 -- update to 1.8.17p1 -- install the /var/db/sudo/lectured - Resolves: rhbz#1321414 - -* Tue May 31 2016 Daniel Kopecek 1.8.16-4 -- removed INPUTRC from env_keep to prevent a possible info leak - Resolves: rhbz#1340701 - -* Fri May 13 2016 Daniel Kopecek 1.8.16-3 -- fixed upstream patch for rhbz#1328735 - -* Thu May 12 2016 Daniel Kopecek 1.8.16-2 -- fixed invalid sesh argument array construction - -* Mon Apr 04 2016 Daniel Kopecek 1.8.16-1 -- update to 1.8.16 - -* Fri Feb 05 2016 Fedora Release Engineering - 1.8.15-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Nov 5 2015 Daniel Kopecek 1.8.15-1 -- update to 1.8.15 -- fixes CVE-2015-5602 - -* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-3 -- enable upstream test suite - -* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 -- add patch that resolves initialization problem before sudo_strsplit call -- add patch that resolves deadcode in visudo.c -- add patch that removes extra while in visudo.c and sudoers.c - -* Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 -- update to 1.8.14p3 - -* Mon Jul 20 2015 Radovan Sroka 1.8.14p1-1 -- update to 1.8.14p1-1 -- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch -- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch - -* Tue Jul 14 2015 Radovan Sroka 1.8.12-2 -- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time -- Resolves: rhbz#1162070 - -* Fri Jul 10 2015 Radovan Sroka - 1.8.14b4-1 -- Update to 1.8.14b4 -- Add own %%{_tmpfilesdir}/sudo.conf - -* Fri Jun 19 2015 Fedora Release Engineering - 1.8.12-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Wed Feb 18 2015 Daniel Kopecek - 1.8.12 -- update to 1.8.12 -- fixes CVE-2014-9680 - -* Mon Nov 3 2014 Daniel Kopecek - 1.8.11p2-1 -- update to 1.8.11p2 -- added patch to fix upstream bug #671 -- exiting immediately - when audit is disabled - -* Tue Sep 30 2014 Daniel Kopecek - 1.8.11-1 -- update to 1.8.11 -- major changes & fixes: - - when running a command in the background, sudo will now forward - SIGINFO to the command - - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - - SELinux role changes are now audited. For sudoedit, we now audit - the actual editor being run, instead of just the sudoedit command. - - it is now possible to match an environment variable's value as well as - its name using env_keep and env_check - - new files created via sudoedit as a non-root user now have the proper group id - - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - - it is now possible to disable network interface probing in sudo.conf by - changing the value of the probe_interfaces setting - - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt - for the user's password even if the targetpw, rootpw or runaspw options are set. - - the new use_netgroups sudoers option can be used to explicitly enable or disable - netgroups support - - visudo can now export a sudoers file in JSON format using the new -x flag -- added patch to read ldap.conf more closely to nss_ldap -- require /usr/bin/vi instead of vim-minimal -- include pam.d/system-auth in PAM session phase from pam.d/sudo -- include pam.d/sudo in PAM session phase from pam.d/sudo-i - -* Tue Aug 5 2014 Tom Callaway - 1.8.8-6 -- fix license handling - -* Sun Jun 08 2014 Fedora Release Engineering - 1.8.8-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat May 31 2014 Peter Robinson 1.8.8-4 -- Drop ChangeLog, we ship NEWS - -* Mon Mar 10 2014 Daniel Kopecek - 1.8.8-3 -- remove bundled copy of zlib before compilation -- drop the requiretty Defaults setting from sudoers - -* Sat Jan 25 2014 Ville Skyttä - 1.8.8-2 -- Own the %%{_libexecdir}/sudo dir. - -* Mon Sep 30 2013 Daniel Kopecek - 1.8.8-1 -- update to 1.8.8 -- major changes & fixes: - - LDAP SASL support now works properly with Kerberos - - root may no longer change its SELinux role without entering a password - - user messages are now always displayed in the user's locale, even when - the same message is being logged or mailed in a different locale. - - log files created by sudo now explicitly have the group set to group - ID 0 rather than relying on BSD group semantics - - sudo now stores its libexec files in a sudo subdirectory instead of in - libexec itself - - system_group and group_file sudoers group provider plugins are now - installed by default - - the paths to ldap.conf and ldap.secret may now be specified as arguments - to the sudoers plugin in the sudo.conf file - - ...and many new features and settings. See the upstream ChangeLog for the - full list. -- several sssd support fixes -- added patch to make uid/gid specification parsing more strict (don't accept - an invalid number as uid/gid) -- use the _pkgdocdir macro - (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs) -- fixed several bugs found by the clang static analyzer -- added %%post dependency on chmod - -* Sun Aug 04 2013 Fedora Release Engineering - 1.8.6p7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 -- update to 1.8.6p7 -- fixes CVE-2013-1775 and CVE-2013-1776 -- fixed several packaging issues (thanks to ville.skytta@iki.fi) - - build with system zlib. - - let rpmbuild strip libexecdir/*.so. - - own the %%{_docdir}/sudo-* dir. - - fix some rpmlint warnings (spaces vs tabs, unescaped macros). - - fix bogus %%changelog dates. - -* Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 -- added upstream patch for a regression -- don't include arch specific files in the -devel subpackage -- ship only one sample plugin in the -devel subpackage - -* Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 -- update to 1.8.6p3 -- drop -pipelist patch (fixed in upstream) - -* Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 -- update to 1.8.6 - -* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 -- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) -- re-enabled SSSD support -- removed libsss_sudo dependency - -* Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 -- flip sudoers2ldif executable bit after make install, not in setup - -* Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 -- update to 1.8.5 -- fixed CVE-2012-2337 -- temporarily disabled SSSD support - -* Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 -- fixed problems with undefined symbols (rhbz#798517) - -* Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 -- SSSD patch update - -* Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 -- added SSSD support - -* Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 -- added patch for CVE-2012-0809 - -* Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 -- update to 1.8.3p1 -- disable output word wrapping if the output is piped - -* Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 -- Remove execute bit from sample script in docs so we don't pull in perl - -* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 -- rebase to 1.8.1p2 -- removed .sudoi patch -- fixed typo: RELPRO -> RELRO -- added -devel subpackage for the sudo_plugin.h header file -- use default ldap configuration files again - -* Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 -- build with RELRO - -* Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 -- rebase to 1.7.4p5 -- fixed sudo-1.7.4p4-getgrouplist.patch -- fixes CVE-2011-0008, CVE-2011-0010 - -* Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 -- anybody in the wheel group has now root access (using password) (rhbz#656873) -- sync configuration paths with the nss_ldap package (rhbz#652687) - -* Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 -- added upstream patch to fix rhbz#638345 - -* Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 -- added patch for #635250 -- /var/run/sudo -> /var/db/sudo in .spec - -* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 -- sudo now uses /var/db/sudo for timestamps - -* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 -- update to new upstream version -- new command available: sudoreplay -- use native audit support -- corrected license field value: BSD -> ISC - -* Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 -- added patch that fixes insufficient environment sanitization issue (#598154) - -* Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 -- update to new upstream version -- merged .audit and .libaudit patch -- added sudoers.ldap.5* to files - -* Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 -- update to new upstream version - -* Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 -- fixed no valid sudoers sources found (#558875) - -* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 -- audit related Makefile.in and configure.in corrections -- added --with-audit configure option -- removed call to libtoolize - -* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 -- fixed segfault when #include directive is used in cycles (#561336) - -* Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 -- Add /etc/sudoers.d dir and use it in default config (#551470). -- Drop *.pod man page duplicates from docs. - -* Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 -- new upstream version 1.7.2p2-1 -- commented out unused aliases in sudoers to make visudo happy (#550239) - -* Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 -- rebuilt with new audit - -* Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 -- moved secure_path from compile-time option to sudoers file (#517428) - -* Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 -- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) -- epoch number sync - -* Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 -- updated sudo to version 1.7.1 -- fixed small bug in configure.in (sudo-1.7.1-conffix.patch) - -* Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 -- fixed building with new libtool -- fix for incorrect handling of groups in Runas_User -- added /usr/local/sbin to secure-path - -* Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 -- build with sendmail installed -- Added /usr/local/bin to secure-path - -* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 -- adjust audit patch, do not scream when kernel is - compiled without audit netlink support (#401201) - -* Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 -- upgrade - -* Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 -- build with newer autoconf-2.62 (#449614) - -* Tue May 13 2008 Peter Vrabec 1.6.9p13-6 -- compiled with secure path (#80215) - -* Mon May 05 2008 Peter Vrabec 1.6.9p13-5 -- fix path to updatedb in /etc/sudoers (#445103) - -* Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 -- include ldap files in rpm package (#439506) - -* Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3 -- include [sudo] in password prompt (#437092) - -* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2 -- audit support improvement - -* Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1 -- upgrade to the latest upstream release - -* Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1 -- upgrade to the latest upstream release -- add selinux support - -* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 -- sparc64 needs to be in the -fPIE list with s390 - -* Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection - refused (#401201) - -* Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 -- Rebuild for deps - -* Wed Dec 05 2007 Release Engineering - 1.6.9p4-3 -- Rebuild for openssl bump - -* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 -- fix autotools stuff and add audit support - -* Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 -- upgrade to upstream release - -* Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14 -- also use getgrouplist() to determine group membership (#235915) - -* Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13 -- fix some spec file issues - -* Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12 -- fix rpmlint issue - -* Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11 -- fix typo in sudoers file (#212308) - -* Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10 -- rebuilt for unwind info generation, broken in gcc-4.1.1-21 - -* Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9 -- fix sudoers file, X apps didn't work (#206320) - -* Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8 -- use Red Hat specific default sudoers file - -* Sun Jul 16 2006 Karel Zak 1.6.8p12-7 -- fix #198755 - make login processes (sudo -i) initialise session keyring - (thanks for PAM config files to David Howells) -- add IPv6 support (patch by Milan Zazrivec) - -* Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1 -- rebuild - -* Mon May 29 2006 Karel Zak 1.6.8p12-6 -- fix #190062 - "ssh localhost sudo su" will show the password in clear - -* Tue May 23 2006 Karel Zak 1.6.8p12-5 -- add LDAP support (#170848) - -* Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1 -- bump again for double-long bug on ppc(64) - -* Wed Feb 8 2006 Karel Zak 1.6.8p12-4 -- reset env. by default - -* Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Mon Jan 23 2006 Dan Walsh 1.6.8p12-3 -- Remove selinux patch. It has been decided that the SELinux patch for sudo is -- no longer necessary. In tageted policy it had no effect. In strict/MLS policy -- We require the person using sudo to execute newrole before using sudo. - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Fri Nov 25 2005 Karel Zak 1.6.8p12-1 -- new upstream version 1.6.8p12 - -* Tue Nov 8 2005 Karel Zak 1.6.8p11-1 -- new upstream version 1.6.8p11 - -* Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6 -- use include instead of pam_stack in pam config - -* Tue Oct 11 2005 Karel Zak 1.6.8p9-5 -- enable interfaces in selinux patch -- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch - -* Mon Sep 19 2005 Karel Zak 1.6.8p9-4 -- fix debuginfo - -* Mon Sep 19 2005 Karel Zak 1.6.8p9-3 -- fix #162623 - sesh hangs when child suspends - -* Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 -- Add back in interfaces call, SELinux has been fixed to work around - -* Tue Jun 21 2005 Karel Zak 1.6.8p9-1 -- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) - -* Tue May 24 2005 Karel Zak 1.6.8p8-2 -- fix #154511 - sudo does not use limits.conf - -* Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 -- new version 1.6.8p8: new sudoedit and sudo_noexec - -* Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 -- rebuild - -* Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) - -* Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 -- Fix missing param error in sesh - -* Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 -- Remove full patch check from sesh - -* Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 -- Fix selinux patch to switch to root user - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 -- Eliminate tty handling from selinux - -* Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 -- fixed spec file: sesh in file section with selinux flag (#119682) - -* Tue Mar 30 2004 Colin Walters 1.6.7p5-24 -- Enhance sesh.c to fork/exec children itself, to avoid - having sudo reap all domains. -- Only reinstall default signal handlers immediately before - exec of child with SELinux patch - -* Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r -- Fix tty handling - -* Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 -- Add /bin/sesh to run selinux code. -- replace /bin/bash -c with /bin/sesh - -* Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux - -* Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 -- Eliminate closing and reopening of terminals, to match su. - -* Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 -- SELinux fixes to make transitions work properly - -* Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 -- pied sudo - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 -- Eliminate interfaces call, since this requires big SELinux privs -- and it seems to be useless. - -* Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 -- visudo requires vim-minimal or setting EDITOR to something useful (#68605) - -* Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 -- Fix is_selinux_enabled call - -* Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure - -* Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 -- Remove sudo.te for now. - -* Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 -- Fix usage message - -* Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 -- Clean up sudo.te to not blow up if pam.te not present - -* Thu Dec 18 2003 Thomas Woerner -- added missing BuildRequires for groff - -* Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 -- remove left-over debugging code - -* Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 -- Fix terminal handling that caused Sudo to exit on non selinux machines. - -* Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 -- Remove sudo_var_run_t which is now pam_var_run_t - -* Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 -- Fix terminal handling and policy - -* Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 -- Fix policy - -* Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel -- Turn on SELinux support - -* Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 -- Add support for SELinux - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Mon May 19 2003 Thomas Woerner 1.6.7p5-1 - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 -- remove absolute path names from the PAM configuration, ensuring that the - right modules get used for whichever arch we're built for -- don't try to install the FAQ, which isn't there any more - -* Thu Jun 27 2002 Bill Nottingham 1.6.6-1 -- update to 1.6.6 - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Thu May 23 2002 Tim Powers -- automated rebuild - -* Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 -- Fix bug #63768 - -* Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 -- 1.6.5p2 - -* Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 -- 1.6.5p1 -- Hope this "a new release per day" madness stops ;) - -* Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 -- 1.6.5 - -* Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 -- 1.6.4p1 - -* Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 -- Update to 1.6.4 - -* Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 -- Add build requirements (#49706) -- s/Copyright/License/ -- bzip2 source - -* Sat Jun 16 2001 Than Ngo -- update to 1.6.3p7 -- use %%{_tmppath} - -* Fri Feb 23 2001 Bernhard Rosenkraenzer -- 1.6.3p6, fixes buffer overrun - -* Tue Oct 10 2000 Bernhard Rosenkraenzer -- 1.6.3p5 - -* Wed Jul 12 2000 Prospector -- automatic rebuild - -* Tue Jun 06 2000 Karsten Hopp -- fixed owner of sudo and visudo - -* Thu Jun 1 2000 Nalin Dahyabhai -- modify PAM setup to use system-auth -- clean up buildrooting by using the makeinstall macro - -* Tue Apr 11 2000 Bernhard Rosenkraenzer -- initial build in main distrib -- update to 1.6.3 -- deal with compressed man pages - -* Tue Dec 14 1999 Preston Brown -- updated to 1.6.1 for Powertools 6.2 -- config files are now noreplace. - -* Thu Jul 22 1999 Tim Powers -- updated to 1.5.9p2 for Powertools 6.1 - -* Wed May 12 1999 Bill Nottingham -- sudo is configured with pam. There's no pam.d file. Oops. - -* Mon Apr 26 1999 Preston Brown -- upgraded to 1.59p1 for powertools 6.0 - -* Tue Oct 27 1998 Preston Brown -- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) - -* Thu Oct 08 1998 Michael Maher -- built package for 5.2 - -* Mon May 18 1998 Michael Maher -- updated SPEC file - -* Thu Jan 29 1998 Otto Hammersmith -- updated to 1.5.4 - -* Tue Nov 18 1997 Otto Hammersmith -- built for glibc, no problems - -* Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools -- Still need to be pamified -- Still need to move stmp file to /var/log - -* Mon Feb 17 1997 Michael Fulbright -- First version for PowerCD. +%autochangelog From 9c56ac9403da53f8578cfaa1422f2e14063b2dd2 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:15:57 +0200 Subject: [PATCH 30/61] Rebuilt with OpenSSL 3.0.0 From bf29ad1a05ee6269f683e63afeb7291fd9f84f0a Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Sun, 3 Oct 2021 15:51:02 -0400 Subject: [PATCH 31/61] Update to 1.9.8p2, and include new sudo_intercept.so --- .gitignore | 1 + sources | 2 +- sudo.spec | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index eb540df..95a08a0 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /sudo-1.9.3p1.tar.gz /sudo-1.9.5p1.tar.gz /sudo-1.9.5p2.tar.gz +/sudo-1.9.8p2.tar.gz diff --git a/sources b/sources index 3bae7ed..0004df8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.7p2.tar.gz) = 39184127122014d0d1d194d455644191009835ffdcc0efda3a99028fe346ca3ff6b15341016f85029556e9f1f9deeaf83b52160effc47d1a5713affb36b99386 +SHA512 (sudo-1.9.8p2.tar.gz) = 899b252e8c219226f658dff3dd34c97b07d42004998b45175b4c0c4de42a6bf9f909598e99b4056fa1171e63378e203854b0f8608b0f5c1b00e9d3677818f6d3 diff --git a/sudo.spec b/sudo.spec index 762cc13..6028dd8 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.7p2 +Version: 1.9.8p2 Release: %autorelease License: ISC URL: https://www.sudo.ws @@ -192,6 +192,7 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so +%attr(0644,root,root) %{_libexecdir}/sudo/sudo_intercept.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? %{_libexecdir}/sudo/libsudo_util.so From b9a4f24d9542bfb531b285113b77a6bf31525db7 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Sun, 3 Oct 2021 16:18:20 -0400 Subject: [PATCH 32/61] rhbz#1328973 -- make nano the default with fallback to vim and vi in that order and make nano the "Recommends" instead of vim-minimal. --- sudo.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sudo.spec b/sudo.spec index 6028dd8..bb95586 100644 --- a/sudo.spec +++ b/sudo.spec @@ -7,7 +7,7 @@ URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam -Recommends: vim-minimal +Recommends: nano Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} BuildRequires: make @@ -93,7 +93,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-logfac=authpriv \ --with-pam \ --with-pam-login \ - --with-editor=/bin/vi \ + --with-editor=%{_bindir}/nano:%{_bindir}/vim:%{_bindir}/vi \ --with-env-editor \ --with-ignore-dot \ --with-tty-tickets \ From 206108fe35cd653fae69a004bb8e16bfea25b29c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 6 Oct 2021 17:15:52 +0200 Subject: [PATCH 33/61] Set up update workflow with %autorelease macro - removed stri patch that was not relevant - intercept feature is not compatible with selinux rbac support so we do not build it anymore Signed-off-by: Radovan Sroka --- sudo.spec | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/sudo.spec b/sudo.spec index bb95586..fbadf99 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,18 @@ + +# comment out if no extra version +%global extraver p2 + Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.8p2 -Release: %autorelease +Version: 1.9.8 +# remove -b 3 after rebase !!! +# use "-p -e % {?extraver}" when beta +# use "-e % {?extraver}"" when patch version +# use nothing special when normal version +Release: %autorelease -b 3 License: ISC URL: https://www.sudo.ws -Source0: %{url}/dist/%{name}-%{version}.tar.gz +Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source1: sudoers Requires: pam Recommends: nano @@ -23,9 +31,6 @@ BuildRequires: sendmail BuildRequires: gettext BuildRequires: zlib-devel -# don't strip -Patch1: sudo-1.6.7p5-strip.patch - %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -66,9 +71,7 @@ BuildRequires: python3-devel %{name}-python-plugin allows using sudo plugins written in Python. %prep -%setup -q - -%patch1 -p1 -b .strip +%setup -q -n %{name}-%{version}%{?extraver} %build # Remove bundled copy of zlib @@ -89,6 +92,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --docdir=%{_pkgdocdir} \ --enable-openssl \ --disable-root-mailer \ + --disable-intercept \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ @@ -192,7 +196,6 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so -%attr(0644,root,root) %{_libexecdir}/sudo/sudo_intercept.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? %{_libexecdir}/sudo/libsudo_util.so From c3febb3692e207c7ab11d3be865d4714baf3fa66 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 6 Oct 2021 19:17:44 +0200 Subject: [PATCH 34/61] Rebuild. previously built with wrong version Signed-off-by: Radovan Sroka --- sudo.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index fbadf99..ba67a9b 100644 --- a/sudo.spec +++ b/sudo.spec @@ -9,7 +9,7 @@ Version: 1.9.8 # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version # use nothing special when normal version -Release: %autorelease -b 3 +Release: %autorelease -e %{?extraver} -b 3 License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz From 23fd9b0822dcfce0a854779b1f43beaa434a5991 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jan 2022 01:48:40 +0000 Subject: [PATCH 35/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering From 4a2b9f551b84a3192c65d99bc43e912166466ed4 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 6 Jun 2022 12:54:31 -0400 Subject: [PATCH 36/61] recommend system-default-editor instead of nano specifically --- sudo.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index ba67a9b..1f35743 100644 --- a/sudo.spec +++ b/sudo.spec @@ -15,7 +15,7 @@ URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source1: sudoers Requires: pam -Recommends: nano +Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} BuildRequires: make From 7a172559a329f8ea21cd73e2547d3729abd3b4cb Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 13 Jun 2022 15:38:33 +0200 Subject: [PATCH 37/61] Rebuilt for Python 3.11 From d9475dd3d99b30ca954ca330510e09a701ebb887 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 22 Jun 2022 15:57:57 +0200 Subject: [PATCH 38/61] Update to 1.9.11p3 Resolves: rhbz#2047541 Resolves: rhbz#2062150 Signed-off-by: Radovan Sroka --- .gitignore | 1 + sources | 2 +- sudo.spec | 10 +++++----- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 95a08a0..fe1779d 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,4 @@ /sudo-1.9.5p1.tar.gz /sudo-1.9.5p2.tar.gz /sudo-1.9.8p2.tar.gz +/sudo-1.9.11p3.tar.gz diff --git a/sources b/sources index 0004df8..88162bb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.8p2.tar.gz) = 899b252e8c219226f658dff3dd34c97b07d42004998b45175b4c0c4de42a6bf9f909598e99b4056fa1171e63378e203854b0f8608b0f5c1b00e9d3677818f6d3 +SHA512 (sudo-1.9.11p3.tar.gz) = ad5c3d623547d1e3016e1a721676fee6d6b7348e77b2c234041e0af40c7220e8934c8c27beef0d12fa6df11708d37de711dacfefc135d26de46abca7f91c55d1 diff --git a/sudo.spec b/sudo.spec index 1f35743..703e52c 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,10 @@ # comment out if no extra version -%global extraver p2 +%global extraver p3 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.8 +Version: 1.9.11 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version @@ -211,13 +211,13 @@ EOF %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} -%license doc/LICENSE +%license LICENSE.md %exclude %{_pkgdocdir}/ChangeLog %files devel %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h -%{_mandir}/man8/sudo_plugin.8* +%{_mandir}/man5/sudo_plugin.5* %files logsrvd %attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf @@ -229,7 +229,7 @@ EOF %{_mandir}/man8/sudo_sendlog.8.gz %files python-plugin -%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man5/sudo_plugin_python.5.gz %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog From e56d19d93d738b690fef4cb9a0ee5a40d8de6733 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 09:34:59 +0000 Subject: [PATCH 39/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering From 61dacac7f9af6e92bb128db8df856009cbd4c5be Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Thu, 19 Jan 2023 14:19:32 +0100 Subject: [PATCH 40/61] Rebase to sudo 1.9.12p2 - sudo-1.9.12p2 is available Resolves: rhbz#2137775 - sudo: arbitrary file write with privileges of the RunAs user Resolves: CVE-2023-22809 Signed-off-by: Radovan Sroka --- .gitignore | 1 + sources | 2 +- sudo.spec | 14 ++++++-------- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index fe1779d..3d050b5 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,4 @@ /sudo-1.9.5p2.tar.gz /sudo-1.9.8p2.tar.gz /sudo-1.9.11p3.tar.gz +/sudo-1.9.12p2.tar.gz diff --git a/sources b/sources index 88162bb..f68ca42 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.11p3.tar.gz) = ad5c3d623547d1e3016e1a721676fee6d6b7348e77b2c234041e0af40c7220e8934c8c27beef0d12fa6df11708d37de711dacfefc135d26de46abca7f91c55d1 +SHA512 (sudo-1.9.12p2.tar.gz) = 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45 diff --git a/sudo.spec b/sudo.spec index 703e52c..f0f1e53 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,15 +1,14 @@ - # comment out if no extra version -%global extraver p3 +%global extraver p2 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.11 +Version: 1.9.12 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version # use nothing special when normal version -Release: %autorelease -e %{?extraver} -b 3 +Release: %autorelease -e %{?extraver} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz @@ -90,7 +89,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ - --enable-openssl \ + --enable-openssl \ --disable-root-mailer \ --disable-intercept \ --with-logging=syslog \ @@ -104,8 +103,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --enable-python \ - --enable-zlib=system \ + --enable-python \ + --enable-zlib=system \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -194,7 +193,6 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so -%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? From 8d3c03b4da2e952682b05abc69fe7f7ba121a000 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 1 Mar 2023 17:42:19 +0100 Subject: [PATCH 41/61] Rebase to sudo 1.9.13p2 - sudo-1.9.13p2 is available Resolves: rhbz#2169840 - sudo: double free with per-command chroot sudoers rules Resolves: CVE-2023-27320 Signed-off-by: Radovan Sroka --- .gitignore | 1 + sources | 2 +- sudo.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 3d050b5..224d9ce 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ /sudo-1.9.8p2.tar.gz /sudo-1.9.11p3.tar.gz /sudo-1.9.12p2.tar.gz +/sudo-1.9.13p2.tar.gz diff --git a/sources b/sources index f68ca42..d221fe6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.12p2.tar.gz) = 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45 +SHA512 (sudo-1.9.13p2.tar.gz) = b3015a114fd518afd644c9934f2461046f1116506723217603af1a952bdb436689761b4d009dfe32b725bad2e0ebcaf19db72febfaa63895ba004256fea12bef diff --git a/sudo.spec b/sudo.spec index f0f1e53..7a10271 100644 --- a/sudo.spec +++ b/sudo.spec @@ -3,7 +3,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.12 +Version: 1.9.13 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version From 025901c345374ddb0c882308c8c02fb702b306ed Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 26 Apr 2023 11:41:20 +0200 Subject: [PATCH 42/61] Port configure script to C99 Related to: --- sudo-configure-c99.patch | 65 ++++++++++++++++++++++++++++++++++++++++ sudo.spec | 3 +- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 sudo-configure-c99.patch diff --git a/sudo-configure-c99.patch b/sudo-configure-c99.patch new file mode 100644 index 0000000..69a0cd2 --- /dev/null +++ b/sudo-configure-c99.patch @@ -0,0 +1,65 @@ +Avoid implicit function declarations, so that the configure probe +results do not change with future compilers. + +Submitted upstream for discussion: + + + + +diff --git a/configure b/configure +index d406eb77a22d3c3c..29483788443d2b21 100755 +--- a/configure ++++ b/configure +@@ -31220,10 +31220,13 @@ else case e in #( + /* end confdefs.h. */ + #include + #include ++ ++void *volatile ptr; ++ + int + main (void) + { +-(void)ldap_init(0, 0) ++ptr = (void *) ldap_msgfree + ; + return 0; + } +@@ -33914,7 +33917,7 @@ then : + else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ +- ++#include + + int + main (void) +diff --git a/m4/hardening.m4 b/m4/hardening.m4 +index f7d2a8c2911ed9d6..1ebfd9fdaf461285 100644 +--- a/m4/hardening.m4 ++++ b/m4/hardening.m4 +@@ -10,7 +10,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ + [sudo_cv_use_fortify_source], + [AC_LINK_IFELSE([ + AC_LANG_PROGRAM( +- [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]] ++ [[#include ]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]] + )], + [sudo_cv_use_fortify_source=yes], + [sudo_cv_use_fortify_source=no] +diff --git a/m4/ldap.m4 b/m4/ldap.m4 +index 78c21e0bc0a1f65f..a6361df044d84f92 100644 +--- a/m4/ldap.m4 ++++ b/m4/ldap.m4 +@@ -52,7 +52,10 @@ AC_DEFUN([SUDO_CHECK_LDAP], [ + #include ]) + AC_CACHE_CHECK([whether lber.h is needed when including ldap.h], [sudo_cv_header_lber_h], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include +-#include ]], [[(void)ldap_init(0, 0)]])], [ ++#include ++ ++void *volatile ptr; ++]], [[ptr = (void *) ldap_msgfree]])], [ + # No need to explicitly include lber.h when including ldap.h. + sudo_cv_header_lber_h=no + ], [ diff --git a/sudo.spec b/sudo.spec index 7a10271..315ea49 100644 --- a/sudo.spec +++ b/sudo.spec @@ -13,6 +13,7 @@ License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source1: sudoers +Patch0: sudo-configure-c99.patch Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} @@ -70,7 +71,7 @@ BuildRequires: python3-devel %{name}-python-plugin allows using sudo plugins written in Python. %prep -%setup -q -n %{name}-%{version}%{?extraver} +%autosetup -p1 -n %{name}-%{version}%{?extraver} %build # Remove bundled copy of zlib From 85dfa5defb283f16ce10eeab0e334265cdd65d51 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 13 Jun 2023 20:59:29 +0200 Subject: [PATCH 43/61] Rebuilt for Python 3.12 From 06544f1ab28b4ec2d854755252fa7b1aa72ca14a Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 20 Jun 2023 14:59:34 +0200 Subject: [PATCH 44/61] - migrated to SPDX license Signed-off-by: Radovan Sroka From 328503ded5ac0f20a51309a87f0f65e09ee3c7ab Mon Sep 17 00:00:00 2001 From: Leigh Scott Date: Thu, 6 Jul 2023 14:20:50 +0100 Subject: [PATCH 45/61] Rebuilt for Python 3.12 From 347c83287d756eddc76727ff8915a92c96c33aa2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 02:42:07 +0000 Subject: [PATCH 46/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering From da01b87507f57dc956dcba8e559ca01d2f955458 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 24 Jul 2023 22:07:19 -0400 Subject: [PATCH 47/61] Rebase to 1.9.14p3 - sudo-1_9_14p2 is available Resolves: rhbz#2175672 - sudo fails to build with Python 3.12: FAILED: testcase check_example_group_plugin_is_able_to_debug() Resolves: rhbz#2186412 Signed-off-by: Yaakov Selkowitz --- .gitignore | 1 + sources | 2 +- sudo-configure-c99.patch | 65 ---------------------------------------- sudo.spec | 5 ++-- 4 files changed, 4 insertions(+), 69 deletions(-) delete mode 100644 sudo-configure-c99.patch diff --git a/.gitignore b/.gitignore index 224d9ce..01b9ff5 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ /sudo-1.9.11p3.tar.gz /sudo-1.9.12p2.tar.gz /sudo-1.9.13p2.tar.gz +/sudo-1.9.14p3.tar.gz diff --git a/sources b/sources index d221fe6..fc05228 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.13p2.tar.gz) = b3015a114fd518afd644c9934f2461046f1116506723217603af1a952bdb436689761b4d009dfe32b725bad2e0ebcaf19db72febfaa63895ba004256fea12bef +SHA512 (sudo-1.9.14p3.tar.gz) = d4af836e3316c35d8b81a2c869ca199e8f2d5cb26dbd98b8ad031f29be62b154452afdf5a506ddabad21b80e5988a49f1f7c8f1ec44718ffcbd7e89ccbdef612 diff --git a/sudo-configure-c99.patch b/sudo-configure-c99.patch deleted file mode 100644 index 69a0cd2..0000000 --- a/sudo-configure-c99.patch +++ /dev/null @@ -1,65 +0,0 @@ -Avoid implicit function declarations, so that the configure probe -results do not change with future compilers. - -Submitted upstream for discussion: - - - - -diff --git a/configure b/configure -index d406eb77a22d3c3c..29483788443d2b21 100755 ---- a/configure -+++ b/configure -@@ -31220,10 +31220,13 @@ else case e in #( - /* end confdefs.h. */ - #include - #include -+ -+void *volatile ptr; -+ - int - main (void) - { --(void)ldap_init(0, 0) -+ptr = (void *) ldap_msgfree - ; - return 0; - } -@@ -33914,7 +33917,7 @@ then : - else case e in #( - e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext - /* end confdefs.h. */ -- -+#include - - int - main (void) -diff --git a/m4/hardening.m4 b/m4/hardening.m4 -index f7d2a8c2911ed9d6..1ebfd9fdaf461285 100644 ---- a/m4/hardening.m4 -+++ b/m4/hardening.m4 -@@ -10,7 +10,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ - [sudo_cv_use_fortify_source], - [AC_LINK_IFELSE([ - AC_LANG_PROGRAM( -- [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]] -+ [[#include ]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]] - )], - [sudo_cv_use_fortify_source=yes], - [sudo_cv_use_fortify_source=no] -diff --git a/m4/ldap.m4 b/m4/ldap.m4 -index 78c21e0bc0a1f65f..a6361df044d84f92 100644 ---- a/m4/ldap.m4 -+++ b/m4/ldap.m4 -@@ -52,7 +52,10 @@ AC_DEFUN([SUDO_CHECK_LDAP], [ - #include ]) - AC_CACHE_CHECK([whether lber.h is needed when including ldap.h], [sudo_cv_header_lber_h], [ - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include --#include ]], [[(void)ldap_init(0, 0)]])], [ -+#include -+ -+void *volatile ptr; -+]], [[ptr = (void *) ldap_msgfree]])], [ - # No need to explicitly include lber.h when including ldap.h. - sudo_cv_header_lber_h=no - ], [ diff --git a/sudo.spec b/sudo.spec index 315ea49..3237084 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,9 +1,9 @@ # comment out if no extra version -%global extraver p2 +%global extraver p3 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.13 +Version: 1.9.14 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version @@ -13,7 +13,6 @@ License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source1: sudoers -Patch0: sudo-configure-c99.patch Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} From 462f43c97aa9bd80e22243a82d454b8ad949c6fd Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 24 Jan 2024 10:59:51 +0100 Subject: [PATCH 48/61] Rabase to 1.9.15p5 - sudo-1_9_15p5 is available Resolves: rhbz#2248505 - TRIAGE CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables Resolves: rhbz#2255569 Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ sources | 2 +- sudo-1.6.7p5-strip.patch | 11 ----------- sudo.spec | 4 ++-- 4 files changed, 5 insertions(+), 14 deletions(-) delete mode 100644 sudo-1.6.7p5-strip.patch diff --git a/.gitignore b/.gitignore index 01b9ff5..842ab45 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,5 @@ /sudo-1.9.12p2.tar.gz /sudo-1.9.13p2.tar.gz /sudo-1.9.14p3.tar.gz +/sudo-1.9.15p4.tar.gz +/sudo-1.9.15p5.tar.gz diff --git a/sources b/sources index fc05228..a9b6cfd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.14p3.tar.gz) = d4af836e3316c35d8b81a2c869ca199e8f2d5cb26dbd98b8ad031f29be62b154452afdf5a506ddabad21b80e5988a49f1f7c8f1ec44718ffcbd7e89ccbdef612 +SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a diff --git a/sudo-1.6.7p5-strip.patch b/sudo-1.6.7p5-strip.patch deleted file mode 100644 index f690659..0000000 --- a/sudo-1.6.7p5-strip.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- sudo-1.6.7p5/scripts/install-sh.strip 2005-07-21 14:28:25.000000000 +0200 -+++ sudo-1.6.7p5/scripts/install-sh 2005-07-21 14:29:18.000000000 +0200 -@@ -138,7 +138,7 @@ - fi - ;; - X-s) -- STRIPIT=true -+ #STRIPIT=true - ;; - X--) - shift diff --git a/sudo.spec b/sudo.spec index 3237084..e755179 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,9 +1,9 @@ # comment out if no extra version -%global extraver p3 +%global extraver p5 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.14 +Version: 1.9.15 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version From df275faeadacae6c625a5ec30f448b01a698ddea Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Thu, 8 Feb 2024 16:46:56 -0500 Subject: [PATCH 49/61] Avoid sendmail build dependency sudo should be compatible with any MTA, any of which in Fedora provide /usr/sbin/sendmail, and is used at build time only to determine its location. Instead of generalizing the build requirement (e.g. for RHEL 10 which includes only postfix), we can just tell sudo its location during configure, in which case it is not needed at all to build. However, doing so uncovered that systemd's presence was being relied upon without being specified. This too can be avoided by using the macros to define the proper tmpfiles location during configure. --- sudo.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index e755179..e2c4ba9 100644 --- a/sudo.spec +++ b/sudo.spec @@ -26,7 +26,7 @@ BuildRequires: bison BuildRequires: libtool BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel -BuildRequires: sendmail +BuildRequires: systemd-rpm-macros BuildRequires: gettext BuildRequires: zlib-devel @@ -89,6 +89,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-tmpfiles.d=%{_tmpfilesdir} \ --enable-openssl \ --disable-root-mailer \ --disable-intercept \ @@ -102,6 +103,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-tty-tickets \ --with-ldap \ --with-selinux \ + --with-sendmail=/usr/sbin/sendmail \ --with-passprompt="[sudo] password for %p: " \ --enable-python \ --enable-zlib=system \ From 545c191f72083b8ef9b7ce26706e8a17ca537d20 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 2 May 2024 23:09:47 -0700 Subject: [PATCH 50/61] Backport upstream fix for tests with Python 3.13+ --- ...traces-use-in-addition-to-when-under.patch | 41 +++++++++++++++++++ sudo.spec | 6 +++ 2 files changed, 47 insertions(+) create mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch new file mode 100644 index 0000000..2c9ce75 --- /dev/null +++ b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch @@ -0,0 +1,41 @@ +From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 2 May 2024 20:02:43 -0600 +Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when + underlining. GitHub issue #374 + +--- + plugins/python/regress/testhelpers.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c +index ee55fb901..0f28d01e9 100644 +--- a/plugins/python/regress/testhelpers.c ++++ b/plugins/python/regress/testhelpers.c +@@ -27,19 +27,19 @@ struct TestData data; + + /* + * Starting with Python 3.11, backtraces may contain a line with +- * '^' characters to bring attention to the important part of the +- * line. ++ * '~' and '^' characters to bring attention to the important part ++ * of the line. + */ + static void + remove_underline(char *output) + { + char *cp, *ep; + +- // Remove lines that only consist of '^' and white space. ++ // Remove lines that only consist of '~', '^' and white space. + cp = output; + ep = output + strlen(output); + for (;;) { +- size_t len = strspn(cp, "^ \t"); ++ size_t len = strspn(cp, "~^ \t"); + if (len > 0 && cp[len] == '\n') { + /* Prune out lines that are "underlining". */ + memmove(cp, cp + len + 1, (size_t)(ep - cp)); +-- +2.44.0 + diff --git a/sudo.spec b/sudo.spec index e2c4ba9..6f483cb 100644 --- a/sudo.spec +++ b/sudo.spec @@ -17,6 +17,12 @@ Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} +# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067 +# https://github.com/sudo-project/sudo/issues/374 +# https://bugzilla.redhat.com/show_bug.cgi?id=2245820 +# Fix tests with Python 3.13+ +Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch + BuildRequires: make BuildRequires: pam-devel BuildRequires: groff From 47db28a6937258900d879ee298e681ff7708d750 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 7 Jun 2024 09:11:33 +0200 Subject: [PATCH 51/61] Rebuilt for Python 3.13 From f5682491133aea55fb176ca8c381afd8bb1dc411 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:36:47 +0000 Subject: [PATCH 52/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From ac16a17374c5799d7f570330d5e9c72291bb8466 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:50:30 +0000 Subject: [PATCH 53/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From e2e397029e0d35046a4cf891e075d24c7540da4f Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 26 Feb 2025 12:59:14 -0500 Subject: [PATCH 54/61] Fix build with GCC 15 GCC 15 defaults to C23, which changes the interpretation of function declarations without parameters to be `void` rather than of an unknown number and type (as in K&R). The sudoers plugin relies on the older behaviour for its hook functions. --- sudo.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 6f483cb..4175d8c 100644 --- a/sudo.spec +++ b/sudo.spec @@ -88,7 +88,7 @@ F_PIE=-fPIE F_PIE=-fpie %endif -export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" +export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %configure \ --prefix=%{_prefix} \ From 770b8e2647c61512b8508c61bb3a55318f31d9b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 24 Sep 2024 16:46:11 +0200 Subject: [PATCH 55/61] Move yum/dnf protection removal config file under /usr https://github.com/uapi-group/specifications/issues/76 Actually, add a new file under /usr, but keep the old file in /etc because it's still needed for dnf. The new file in the new location is useful because it means that we get the correct behaviour even when /etc is emptied (on systems with new dnf version). dnf5 reads the new location: https://github.com/rpm-software-management/dnf5/issues/1107 https://github.com/rpm-software-management/dnf5/pull/1110 --- sudo.spec | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/sudo.spec b/sudo.spec index 6f483cb..63fb36f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -131,12 +131,15 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers -#add sudo to protected packages -install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/ -touch sudo.conf -echo sudo > sudo.conf -install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/ -rm -f sudo.conf +# Add sudo to protected packages. Old location for yum/dnf. +mkdir -p $RPM_BUILD_ROOT/etc/dnf/protected.d/ +echo "sudo" >$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf +# Add sudo to protected packages. New location for dnf5. +mkdir -p $RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/ +cat >$RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/protect-sudo.conf < Date: Mon, 2 Jun 2025 20:53:02 +0200 Subject: [PATCH 56/61] Rebuilt for Python 3.14 From 9641cbaa6b0934d03f4e0398261eef8509f282dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 5 Jul 2025 11:46:27 +0200 Subject: [PATCH 57/61] Rebase to sudo 1.9.17p1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - sudo-1_9_16p2 is available Resolves: rhbz#2309626 - sudo: LPE via host option Resolves: CVE-2025-32462 - Properly apply system buildflags - Use new build macros, drop unneeded %%defattr Signed-off-by: Björn Esser --- .gitignore | 1 + ...traces-use-in-addition-to-when-under.patch | 41 ------------------- sources | 2 +- sudo.spec | 26 +++--------- 4 files changed, 7 insertions(+), 63 deletions(-) delete mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch diff --git a/.gitignore b/.gitignore index 842ab45..e4940ce 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,4 @@ /sudo-1.9.14p3.tar.gz /sudo-1.9.15p4.tar.gz /sudo-1.9.15p5.tar.gz +/sudo-1.9.17p1.tar.gz diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch deleted file mode 100644 index 2c9ce75..0000000 --- a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 2 May 2024 20:02:43 -0600 -Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when - underlining. GitHub issue #374 - ---- - plugins/python/regress/testhelpers.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c -index ee55fb901..0f28d01e9 100644 ---- a/plugins/python/regress/testhelpers.c -+++ b/plugins/python/regress/testhelpers.c -@@ -27,19 +27,19 @@ struct TestData data; - - /* - * Starting with Python 3.11, backtraces may contain a line with -- * '^' characters to bring attention to the important part of the -- * line. -+ * '~' and '^' characters to bring attention to the important part -+ * of the line. - */ - static void - remove_underline(char *output) - { - char *cp, *ep; - -- // Remove lines that only consist of '^' and white space. -+ // Remove lines that only consist of '~', '^' and white space. - cp = output; - ep = output + strlen(output); - for (;;) { -- size_t len = strspn(cp, "^ \t"); -+ size_t len = strspn(cp, "~^ \t"); - if (len > 0 && cp[len] == '\n') { - /* Prune out lines that are "underlining". */ - memmove(cp, cp + len + 1, (size_t)(ep - cp)); --- -2.44.0 - diff --git a/sources b/sources index a9b6cfd..86f8d45 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a +SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc diff --git a/sudo.spec b/sudo.spec index 4175d8c..73b3930 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,9 +1,9 @@ # comment out if no extra version -%global extraver p5 +%global extraver p1 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.15 +Version: 1.9.17 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version @@ -17,12 +17,6 @@ Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} -# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067 -# https://github.com/sudo-project/sudo/issues/374 -# https://bugzilla.redhat.com/show_bug.cgi?id=2245820 -# Fix tests with Python 3.13+ -Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch - BuildRequires: make BuildRequires: pam-devel BuildRequires: groff @@ -82,14 +76,6 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ -%ifarch s390 s390x sparc64 -F_PIE=-fPIE -%else -F_PIE=-fpie -%endif - -export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" - %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ @@ -117,14 +103,13 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl, --with-sssd # --without-kerb5 \ # --without-kerb4 -make +%make_build %check -make check +%make_build check %install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` +%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo @@ -180,7 +165,6 @@ EOF %files -f sudo_all.lang -%defattr(-,root,root) %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo From 04179b541723d5914c5ce01021dd7a2a7a68eaf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 5 Jul 2025 12:22:08 +0200 Subject: [PATCH 58/61] Re-apply changes from commit e2e397029e0d35046a4cf891e075d24c7540da4f MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Esser --- sudo.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sudo.spec b/sudo.spec index 73b3930..9e72bb5 100644 --- a/sudo.spec +++ b/sudo.spec @@ -76,6 +76,8 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ +export CFLAGS="$RPM_OPT_FLAGS -std=gnu17" + %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ From 1899e2aa8d10783369a1d840c2fc30cf86a6e782 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Mon, 7 Jul 2025 13:10:49 +0200 Subject: [PATCH 59/61] Drop '-std=gnu17' from CFLAGS, as C23 builds fine now MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was introduced in commit e2e397029e0d35046a4cf891e075d24c7540da4f for an older version of sudo that was FTBFS for GCC 15 defaulting to C23. Signed-off-by: Björn Esser --- sudo.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/sudo.spec b/sudo.spec index 9e72bb5..73b3930 100644 --- a/sudo.spec +++ b/sudo.spec @@ -76,8 +76,6 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ -export CFLAGS="$RPM_OPT_FLAGS -std=gnu17" - %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ From 81e84c1f0692ac90603c7cbeaeeb2b891a852e45 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:50:05 +0000 Subject: [PATCH 60/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 2ead99a2b1915e06b2918b5547d0587fbe678e0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Tue, 21 Oct 2025 10:16:55 +0200 Subject: [PATCH 61/61] Rebase to 1.9.17p2 - sudo-1.9.17p2 is available Resolves: rhbz#2383665 --- .gitignore | 1 + sources | 2 +- sudo.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index e4940ce..b0986fa 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,4 @@ /sudo-1.9.15p4.tar.gz /sudo-1.9.15p5.tar.gz /sudo-1.9.17p1.tar.gz +/sudo-1.9.17p2.tar.gz diff --git a/sources b/sources index 86f8d45..54e59ea 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc +SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93 diff --git a/sudo.spec b/sudo.spec index e321ec4..be44d00 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,5 +1,5 @@ # comment out if no extra version -%global extraver p1 +%global extraver p2 Summary: Allows restricted root access for specified users Name: sudo