From 8afd87a1ac891672e38e8817ad2d6e648b19536a Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 3 Mar 2020 12:48:10 +0100 Subject: [PATCH 1/6] Update to latest development version 1.9.0b1 --- .gitignore | 1 + sources | 2 +- sudo.spec | 32 ++++++++++++++++++++++++++++---- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index cac4495..0afd98f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /sudo-1.8.28.tar.gz /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz +/sudo-1.9.0b1.tar.gz diff --git a/sources b/sources index d6aec86..0811552 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340 +SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 diff --git a/sudo.spec b/sudo.spec index f929cc0..149038d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,10 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.29 -Release: 2%{?dist} +Version: 1.9.0 +Release: 0.1.b1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +45,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q +%setup -q -n sudo-1.9.0b1 %patch1 -p1 -b .strip @@ -152,6 +152,7 @@ EOF %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%attr(0644,root,root) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -160,6 +161,8 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -177,6 +180,11 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -189,6 +197,22 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 +- update to latest development version 1.9.0b1 +- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages +Resolves: rhbz#1787823 +- Stack based buffer overflow in when pwfeedback is enabled +Resolves: rhbz#1796945 +- fixes: CVE-2019-18634 +- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account +Resolves: rhbz#1786709 +- fixes CVE-2019-19234 +- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user +Resolves: rhbz#1786705 +- fixes CVE-2019-19232 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 + * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 77bc95ad059c4d3089e9a05f93274ebfc7804f8c Mon Sep 17 00:00:00 2001 From: alakatos Date: Wed, 25 Mar 2020 16:47:47 +0100 Subject: [PATCH 2/6] Update to latest development version 1.9.0b4 Resolves: rhbz#1816593 --- .gitignore | 1 + sources | 2 +- sudo.spec | 15 ++++++++++++--- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 0afd98f..4aa0b81 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /sudo-1.8.28p1.tar.gz /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz +/sudo-1.9.0b4.tar.gz diff --git a/sources b/sources index 0811552..e6aeaa0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435 +SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 diff --git a/sudo.spec b/sudo.spec index 149038d..34f0d33 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,10 +1,13 @@ +%global patchlevel b4 +%global upstream_version %{version}%{patchlevel} + Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.0 -Release: 0.1.b1%{?dist} +Release: 0.1.%{patchlevel}%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -45,7 +48,7 @@ The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep -%setup -q -n sudo-1.9.0b1 +%setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip @@ -166,7 +169,9 @@ EOF %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -197,6 +202,10 @@ EOF %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 +- update to latest development version 1.9.0b4 +Resolves: rhbz#1816593 + * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages From 3e5ff76d08bffdc8db27045c65b2e23d87521dd9 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Thu, 26 Mar 2020 18:53:44 +0800 Subject: [PATCH 3/6] upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings (#1773148) --- sudo-1.9-RLIMIT_CORE.patch | 149 +++++++++++++++++++++++++++++++++++++ sudo.spec | 7 +- 2 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch new file mode 100644 index 0000000..28027c4 --- /dev/null +++ b/sudo-1.9-RLIMIT_CORE.patch @@ -0,0 +1,149 @@ + changeset 12288:1064b906ca68 + +Ignore a failure to restore the RLIMIT_CORE resource limit. +Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY +if we set the limit to zero, even for root. This is not a problem +outside the container. +author Todd C. Miller +date Sat, 14 Mar 2020 11:13:55 -0600 +parents 72ca06a294b4 +children 40629e6fd692 +files src/limits.c +diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] +line wrap: on + line diff + +--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 ++++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 +@@ -114,13 +114,21 @@ + + if (getrlimit(RLIMIT_CORE, &corelimit) == -1) + sudo_warn("getrlimit(RLIMIT_CORE)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + if (setrlimit(RLIMIT_CORE, &rl) == -1) + sudo_warn("setrlimit(RLIMIT_CORE)"); + #ifdef __linux__ + /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ +- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) ++ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); + dumpflag = 0; +- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); ++ } ++ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + coredump_disabled = true; + +@@ -136,10 +144,20 @@ + debug_decl(restore_coredump, SUDO_DEBUG_UTIL); + + if (coredump_disabled) { +- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) +- sudo_warn("setrlimit(RLIMIT_CORE)"); ++ /* ++ * Linux containers don't allow RLIMIT_CORE to be set back to ++ * RLIM_INFINITY if we set the limit to zero, even for root. ++ */ ++ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_CORE, [%lld, %lld])", ++ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); ++ } + #ifdef __linux__ +- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); ++ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); ++ } + #endif /* __linux__ */ + } + debug_return; +@@ -162,8 +180,14 @@ + + if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) + sudo_warn("getrlimit(RLIMIT_NPROC)"); ++ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) == -1) { + rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); + if (setrlimit(RLIMIT_NPROC, &rl) != 0) + sudo_warn("setrlimit(RLIMIT_NPROC)"); + } +@@ -180,8 +204,11 @@ + #ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL); + +- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) +- sudo_warn("setrlimit(RLIMIT_NPROC)"); ++ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", ++ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); ++ } + + debug_return; + #endif /* __linux__ */ +@@ -203,6 +230,11 @@ + struct saved_limit *lim = &saved_limits[idx]; + if (getrlimit(lim->resource, &lim->oldlimit) == -1) + continue; ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "getrlimit(lim->name) -> [%lld, %lld]", ++ (long long)lim->oldlimit.rlim_cur, ++ (long long)lim->oldlimit.rlim_max); ++ + lim->saved = true; + if (lim->newlimit.rlim_cur != RLIM_INFINITY) { + /* Don't reduce the soft resource limit. */ +@@ -217,13 +249,28 @@ + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; + } + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { +- if (lim->fallback != NULL) +- rc = setrlimit(lim->resource, lim->fallback); ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ if (lim->fallback != NULL) { ++ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->fallback->rlim_cur, ++ (long long)lim->fallback->rlim_max); ++ } ++ } + if (rc == -1) { + /* Try setting new rlim_cur to old rlim_max. */ + lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; + lim->newlimit.rlim_max = lim->oldlimit.rlim_max; +- rc = setrlimit(lim->resource, &lim->newlimit); ++ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)lim->newlimit.rlim_cur, ++ (long long)lim->newlimit.rlim_max); ++ } + } + if (rc == -1) + sudo_warn("setrlimit(%s)", lim->name); +@@ -254,6 +301,10 @@ + if (rc != -1 || errno != EINVAL) + break; + ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, ++ "setrlimit(%s, [%lld, %lld])", lim->name, ++ (long long)rl.rlim_cur, (long long)rl.rlim_max); ++ + /* + * Soft limit could be lower than current resource usage. + * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index 34f0d33..b87f494 100644 --- a/sudo.spec +++ b/sudo.spec @@ -27,6 +27,8 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 +Patch2: sudo-1.9-RLIMIT_CORE.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -51,6 +53,7 @@ plugins that use %{name}. %setup -q -n %{name}-%{upstream_version} %patch1 -p1 -b .strip +%patch2 -p1 -b .orig %build # Remove bundled copy of zlib @@ -205,6 +208,8 @@ EOF * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 +- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix +Resolves: rhbz#1773148 * Mon Feb 24 2020 Attila Lakatos - 1.9.0-0.1.b1 - update to latest development version 1.9.0b1 @@ -219,8 +224,6 @@ Resolves: rhbz#1786709 - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user Resolves: rhbz#1786705 - fixes CVE-2019-19232 -- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix -Resolves: rhbz#1773148 * Fri Jan 31 2020 Fedora Release Engineering - 1.8.29-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild From 7df67e16f7748e9506b7f2d47c6ef1472595fa0c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Sep 2020 16:49:29 +0200 Subject: [PATCH 4/6] Rebase to 1.9.2 Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 +++++++++++ sources | 2 +- sudo-1.9-RLIMIT_CORE.patch | 149 ------------------------------------ sudo.spec | 59 +++++++++----- sudoers | 2 +- 6 files changed, 87 insertions(+), 169 deletions(-) create mode 100644 configure-runstatedir.patch delete mode 100644 sudo-1.9-RLIMIT_CORE.patch diff --git a/.gitignore b/.gitignore index 4aa0b81..cc45a89 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ /sudo-1.8.29.tar.gz /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz +/sudo-1.9.2.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch new file mode 100644 index 0000000..980e767 --- /dev/null +++ b/configure-runstatedir.patch @@ -0,0 +1,43 @@ +From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 +From: Evan Anderson +Date: Sun, 6 Sep 2020 14:30:54 -0500 +Subject: [PATCH] configure: Fix runstatedir handling for distros that do not + support it + +runstatedir was added in yet-to-be released autoconf 2.70. Some distros +are shipping this addition in their autoconf packages, but others, such as Fedora, +are not. This causes the rundir variable to be set incorrectly if the configure script +is regenerated with an unpatched autoconf since the runstatedir variable set is deleted +after regeneration. This change works around that problem by checking that runstatedir +is non-empty before potentially using it to set the rundir variable +--- + configure | 2 +- + m4/sudo.m4 | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure b/configure +index 0f6ceb16c..2e0838e01 100755 +--- a/configure ++++ b/configure +@@ -26718,7 +26718,7 @@ EOF + $as_echo_n "checking for sudo run dir location... " >&6; } + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified +diff --git a/m4/sudo.m4 b/m4/sudo.m4 +index a5a972b3c..b3a40b208 100644 +--- a/m4/sudo.m4 ++++ b/m4/sudo.m4 +@@ -120,7 +120,7 @@ dnl + AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) + if test -n "$with_rundir"; then + rundir="$with_rundir" +-elif test "$runstatedir" != '${localstatedir}/run'; then ++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then + rundir="$runstatedir/sudo" + else + # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index e6aeaa0..5185f4c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo-1.9-RLIMIT_CORE.patch b/sudo-1.9-RLIMIT_CORE.patch deleted file mode 100644 index 28027c4..0000000 --- a/sudo-1.9-RLIMIT_CORE.patch +++ /dev/null @@ -1,149 +0,0 @@ - changeset 12288:1064b906ca68 - -Ignore a failure to restore the RLIMIT_CORE resource limit. -Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY -if we set the limit to zero, even for root. This is not a problem -outside the container. -author Todd C. Miller -date Sat, 14 Mar 2020 11:13:55 -0600 -parents 72ca06a294b4 -children 40629e6fd692 -files src/limits.c -diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+] -line wrap: on - line diff - ---- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600 -+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600 -@@ -114,13 +114,21 @@ - - if (getrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("getrlimit(RLIMIT_CORE)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); - if (setrlimit(RLIMIT_CORE, &rl) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); - #ifdef __linux__ - /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ -- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) -+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); - dumpflag = 0; -- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); -+ } -+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - coredump_disabled = true; - -@@ -136,10 +144,20 @@ - debug_decl(restore_coredump, SUDO_DEBUG_UTIL); - - if (coredump_disabled) { -- if (setrlimit(RLIMIT_CORE, &corelimit) == -1) -- sudo_warn("setrlimit(RLIMIT_CORE)"); -+ /* -+ * Linux containers don't allow RLIMIT_CORE to be set back to -+ * RLIM_INFINITY if we set the limit to zero, even for root. -+ */ -+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_CORE, [%lld, %lld])", -+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); -+ } - #ifdef __linux__ -- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); -+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); -+ } - #endif /* __linux__ */ - } - debug_return; -@@ -162,8 +180,14 @@ - - if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("getrlimit(RLIMIT_NPROC)"); -+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) == -1) { - rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); - if (setrlimit(RLIMIT_NPROC, &rl) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); - } -@@ -180,8 +204,11 @@ - #ifdef __linux__ - debug_decl(restore_nproc, SUDO_DEBUG_UTIL); - -- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) -- sudo_warn("setrlimit(RLIMIT_NPROC)"); -+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])", -+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); -+ } - - debug_return; - #endif /* __linux__ */ -@@ -203,6 +230,11 @@ - struct saved_limit *lim = &saved_limits[idx]; - if (getrlimit(lim->resource, &lim->oldlimit) == -1) - continue; -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "getrlimit(lim->name) -> [%lld, %lld]", -+ (long long)lim->oldlimit.rlim_cur, -+ (long long)lim->oldlimit.rlim_max); -+ - lim->saved = true; - if (lim->newlimit.rlim_cur != RLIM_INFINITY) { - /* Don't reduce the soft resource limit. */ -@@ -217,13 +249,28 @@ - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - } - if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -- if (lim->fallback != NULL) -- rc = setrlimit(lim->resource, lim->fallback); -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ if (lim->fallback != NULL) { -+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->fallback->rlim_cur, -+ (long long)lim->fallback->rlim_max); -+ } -+ } - if (rc == -1) { - /* Try setting new rlim_cur to old rlim_max. */ - lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; - lim->newlimit.rlim_max = lim->oldlimit.rlim_max; -- rc = setrlimit(lim->resource, &lim->newlimit); -+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)lim->newlimit.rlim_cur, -+ (long long)lim->newlimit.rlim_max); -+ } - } - if (rc == -1) - sudo_warn("setrlimit(%s)", lim->name); -@@ -254,6 +301,10 @@ - if (rc != -1 || errno != EINVAL) - break; - -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, -+ "setrlimit(%s, [%lld, %lld])", lim->name, -+ (long long)rl.rlim_cur, (long long)rl.rlim_max); -+ - /* - * Soft limit could be lower than current resource usage. - * This can be an issue on NetBSD with RLIMIT_STACK and ASLR. diff --git a/sudo.spec b/sudo.spec index b87f494..dda1983 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,10 @@ -%global patchlevel b4 -%global upstream_version %{version}%{patchlevel} - Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.0 -Release: 0.1.%{patchlevel}%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal @@ -27,8 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# https://www.sudo.ws/repos/sudo/rev/1064b906ca68 -Patch2: sudo-1.9-RLIMIT_CORE.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -49,11 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep -%setup -q -n %{name}-%{upstream_version} +%setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .orig +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -73,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ @@ -157,8 +165,8 @@ EOF %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf -%attr(0644,root,root) /etc/sudo.conf +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -167,8 +175,6 @@ EOF %attr(0755,root,root) %{_sbindir}/visudo %{_bindir}/cvtsudoers %dir %{_libexecdir}/sudo -%attr(0755,root,root) %{_sbindir}/sudo_logsrvd -%attr(0755,root,root) %{_sbindir}/sudo_sendlog %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so @@ -188,11 +194,7 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man5/sudo_logsrv.proto.5.gz -%{_mandir}/man5/sudo_logsrvd.conf.5.gz -%{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_plugin_python.8.gz -%{_mandir}/man8/sudo_sendlog.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -204,7 +206,28 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + * Wed Mar 25 2020 Attila Lakatos - 1.9.0-0.1.b4 - update to latest development version 1.9.0b4 Resolves: rhbz#1816593 diff --git a/sudoers b/sudoers index 29775ad..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple From 481e766270f27ad0d6532532a0e020ec275f706a Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 5 Oct 2020 13:34:24 +0200 Subject: [PATCH 5/6] Rebase to 1.9.5p1 Resolves: rhbz#1902758 - updated sudo url - enabled python module as a subpackage Resolves: rhbz#1909299 - fixed double free in sss_to_sudoers Resolves: rhbz#1885874 - fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit Resolves: rhbz#1915055 - fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit Resolves: rhbz#1915054 Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ configure-runstatedir.patch | 43 ------------------------------------- sources | 2 +- sudo.spec | 39 +++++++++++++++++++++++++++------ 4 files changed, 35 insertions(+), 51 deletions(-) delete mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index cc45a89..5e9fd62 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,5 @@ /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz /sudo-1.9.2.tar.gz +/sudo-1.9.3p1.tar.gz +/sudo-1.9.5p1.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch deleted file mode 100644 index 980e767..0000000 --- a/configure-runstatedir.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001 -From: Evan Anderson -Date: Sun, 6 Sep 2020 14:30:54 -0500 -Subject: [PATCH] configure: Fix runstatedir handling for distros that do not - support it - -runstatedir was added in yet-to-be released autoconf 2.70. Some distros -are shipping this addition in their autoconf packages, but others, such as Fedora, -are not. This causes the rundir variable to be set incorrectly if the configure script -is regenerated with an unpatched autoconf since the runstatedir variable set is deleted -after regeneration. This change works around that problem by checking that runstatedir -is non-empty before potentially using it to set the rundir variable ---- - configure | 2 +- - m4/sudo.m4 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure b/configure -index 0f6ceb16c..2e0838e01 100755 ---- a/configure -+++ b/configure -@@ -26718,7 +26718,7 @@ EOF - $as_echo_n "checking for sudo run dir location... " >&6; } - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified -diff --git a/m4/sudo.m4 b/m4/sudo.m4 -index a5a972b3c..b3a40b208 100644 ---- a/m4/sudo.m4 -+++ b/m4/sudo.m4 -@@ -120,7 +120,7 @@ dnl - AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) - if test -n "$with_rundir"; then - rundir="$with_rundir" --elif test "$runstatedir" != '${localstatedir}/run'; then -+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then - rundir="$runstatedir/sudo" - else - # No --with-rundir or --runstatedir specified diff --git a/sources b/sources index 5185f4c..9d9c821 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 +SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 diff --git a/sudo.spec b/sudo.spec index dda1983..f5c2639 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,14 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.2 +Version: 1.9.5p1 Release: 1%{?dist} License: ISC -URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz +URL: https://www.sudo.ws +Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal +Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} Requires(post): coreutils BuildRequires: pam-devel @@ -24,7 +25,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -56,11 +56,19 @@ BuildRequires: openssl-devel %{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. It can be used to implement centralized logging of sudo logs. +%package python-plugin +Summary: Python plugin for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel + + +%description python-plugin +%{name}-python-plugin allows using sudo plugins written in Python. + %prep %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -80,7 +88,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ - --enable-openssl \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ @@ -93,6 +101,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ + --enable-python \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -194,7 +203,6 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man8/sudo_plugin_python.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -215,7 +223,24 @@ EOF %{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_sendlog.8.gz +%files python-plugin +%{_mandir}/man8/sudo_plugin_python.8.gz +%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so + %changelog +* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 +- rebase to 1.9.5p1 +- updated sudo url +Resolves: rhbz#1902758 +- enabled python plugin as a subpackage +Resolves: rhbz#1909299 +- fixed double free in sss_to_sudoers +Resolves: rhbz#1885874 +- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit +Resolves: rhbz#1915055 +- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit +Resolves: rhbz#1915054 + * Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 - rebase to 1.9.2 Resolves: rhbz#1859577 From 74fbecc114b34bcfd74c59dd6a2f1bf818769aee Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 26 Jan 2021 14:00:13 -0500 Subject: [PATCH 6/6] Rebase to 1.9.5p2 Resolves: rhbz#1920611 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing Resolves: rhbz#1920618 --- .gitignore | 1 + sources | 2 +- sudo.spec | 8 +++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 5e9fd62..8ab0a58 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /sudo-1.9.2.tar.gz /sudo-1.9.3p1.tar.gz /sudo-1.9.5p1.tar.gz +/sudo-1.9.5p2.tar.gz diff --git a/sources b/sources index 9d9c821..e39bcb4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 +SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 diff --git a/sudo.spec b/sudo.spec index f5c2639..acd2ff1 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.5p1 +Version: 1.9.5p2 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws @@ -228,6 +228,12 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 +- rebase to 1.9.5p2 +Resolves: rhbz#1920611 +- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing +Resolves: rhbz#1920618 + * Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 - rebase to 1.9.5p1 - updated sudo url