Compare commits

...
Sign in to create a new pull request.

13 commits

Author SHA1 Message Date
Daniel Kopecek
d088f1eb8e - added upstream patch to fix rhbz#638345 2010-09-29 10:49:15 +02:00
Daniel Kopecek
9047f16049 - added patch for #635250 2010-09-20 08:46:34 +02:00
Daniel Kopecek
0134e1a84e - update to new upstream version
- sudo now uses /var/db/sudo for timestamps
- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
- added env_keep += HOME (see rhbz#614025) for
  backwards compatibility
- added Defaults !visiblepw
2010-09-08 11:12:26 +02:00
Fedora Release Engineering
9bd1d833d5 dist-git conversion 2010-07-29 13:19:28 +00:00
Daniel Kopeček
a93dd6f1ef - added patch that fixes insufficient environment sanitization issue
(#598154)
2010-06-02 09:15:33 +00:00
Daniel Kopeček
38e2ad5da2 - update to new upstream version
- merged .audit and .libaudit patch
- added sudoers.ldap.5* to files
2010-04-14 14:18:21 +00:00
Daniel Kopeček
c469ac7739 update to new upstream version 2010-03-01 12:11:53 +00:00
Daniel Kopeček
18d9847564 - fixed no valid sudoers sources found (#558875)
- audit related Makefile.in and configure.in corrections
- added --with-audit configure option
- removed call to libtoolize
2010-02-16 23:01:10 +00:00
Daniel Kopeček
a2527eab18 - fixed segfault when #include directive is used in cycles (#561336)
- Add /etc/sudoers.d dir and use it in default config (#551470).
- Drop *.pod man page duplicates from docs.
----------------------------------------------------------------------
2010-02-10 12:38:53 +00:00
Daniel Kopeček
7811bd5ace - commented out unused aliases in sudoers to make visudo happy (#550239) 2010-01-07 15:58:51 +00:00
Daniel Kopeček
7894a246b9 - new upstream version 1.7.2p2 2010-01-07 15:43:09 +00:00
Bill Nottingham
b656b35afe Fix typo that causes a failure to update the common directory. (releng
#2781)
2009-11-26 01:44:56 +00:00
Jesse Keating
76ed82c2ef Initialize branch F-12 for sudo 2009-09-29 06:58:03 +00:00
18 changed files with 296 additions and 674 deletions

View file

@ -1,2 +0,0 @@
sudo-1.7.1.tar.gz
sudo-1.7.1-sudoers

4
.gitignore vendored Normal file
View file

@ -0,0 +1,4 @@
sudo-1.7.2p6.tar.gz
sudo-1.7.2p2-sudoers
/sudo-1.7.4p4.tar.gz
/sudo-1.7.4p4-sudoers

View file

@ -1,21 +0,0 @@
# Makefile for source rpm: sudo
# $Id: Makefile,v 1.1 2004/09/09 12:46:19 cvsdist Exp $
NAME := sudo
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attempt a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)

View file

@ -1,2 +1,2 @@
af672524b2c854a67612bf4c743f58b8 sudo-1.7.1.tar.gz
02d6d836b41e3049fc33d56cef2e6c4e sudo-1.7.1-sudoers
55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
874abe2dd29da4a8d773c4db8460fa27 sudo-1.7.4p4-sudoers

View file

@ -1,389 +0,0 @@
diff -up /dev/null sudo-1.7.1/audit_help.c
--- /dev/null 2009-06-19 12:23:43.376002420 +0200
+++ sudo-1.7.1/audit_help.c 2009-06-22 14:24:48.000000000 +0200
@@ -0,0 +1,136 @@
+/*
+ * Audit helper functions used throughout sudo
+ *
+ * Copyright (C) 2007, Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef WITH_AUDIT
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <libaudit.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+int audit_fd;
+
+void audit_help_open (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
+ exit (1);
+ }
+}
+
+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. Parameter usage is as follows:
+ *
+ * type - type of message: AUDIT_USER_CMD
+ * command - the command being logged
+ * params - parames of the command
+ * result - 1 is "success" and 0 is "failed"
+ *
+ */
+void audit_logger (int type, const char *command, const char *params, int result)
+{
+ int err;
+ char *msg;
+
+ if( audit_fd < 0 )
+ return;
+ else {
+
+ if( params )
+ err = asprintf(&msg, "%s %s", command, params);
+ else
+ err = asprintf(&msg, "%s", command);
+ if (err < 0) {
+ fprintf (stderr, "Memory allocation for audit message wasnt possible.\n");
+ return;
+ }
+
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
+ perror("audit_log_user_command()");
+ }
+
+ free(msg);
+ }
+}
+
+#ifdef HAVE_SELINUX
+int send_audit_message(int success, security_context_t old_context,
+ security_context_t new_context, const char *ttyn)
+{
+ char *msg = NULL;
+ int rc;
+
+ if (audit_fd < 0)
+ return -1;
+
+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
+ old_context ? old_context : "?",
+ new_context ? new_context : "?") < 0) {
+ fprintf(stderr, "Error allocating memory.\n");
+ rc = -1;
+ goto out;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, ttyn, success);
+
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n");
+ rc = -1;
+ goto out;
+ }
+ rc = 0;
+
+ out:
+ free(msg);
+ return rc;
+}
+#endif
+#endif /* WITH_AUDIT */
diff -up sudo-1.7.1/configure.in.audit sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-06-22 14:26:42.000000000 +0200
@@ -179,6 +179,10 @@ dnl
dnl Options for --with
dnl
+AC_ARG_WITH(audit,
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+ [with_audit=$withval], [with_audit=yes])
+
AC_ARG_WITH(CC, [ --with-CC C compiler to use],
[case $with_CC in
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
@@ -1706,6 +1710,24 @@ dnl
: ${mansectsu='8'}
: ${mansectform='5'}
+AC_SUBST(LIBAUDIT)
+if test "$with_audit" = "yes"; then
+ # See if we have the audit library
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
+ if test "$audit_header" = "yes"; then
+ AC_CHECK_LIB(audit, audit_log_user_command,
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
+ LIBAUDIT="-laudit"])
+ fi
+ # See if we have the libcap library
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
+ if test "$cap_header" = "yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
+ fi
+fi
+
dnl
dnl Add in any libpaths or libraries specified via configure
dnl
diff -up sudo-1.7.1/Makefile.in.audit sudo-1.7.1/Makefile.in
--- sudo-1.7.1/Makefile.in.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/Makefile.in 2009-06-22 14:24:48.000000000 +0200
@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+AUDIT_OBJS = audit_help.o
+
# Note: gram.o must come first here
COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
toke.o redblack.o zero_bytes.o
@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def
SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
+ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS)
VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
find_path.o pwutil.o
@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+audit_help.o: audit_help.c sudo.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
+
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.7.1/set_perms.c.audit sudo-1.7.1/set_perms.c
--- sudo-1.7.1/set_perms.c.audit 2008-03-06 18:19:56.000000000 +0100
+++ sudo-1.7.1/set_perms.c 2009-06-22 14:24:48.000000000 +0200
@@ -48,6 +48,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -126,16 +130,59 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid)) {
- errstr = "unable to change to runas uid";
- goto bad;
- }
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps) {
+ errstr = "Error initing capabilities, aborting.\n";
+ goto bad;
+ }
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ errstr = "Error setting capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+ errstr = "Error setting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid)) {
+ errstr = "unable to change to runas uid";
+ goto bad;
+ }
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
+ errstr = "Error resetting KEEPCAPS, aborting\n";
+ goto bad;
+ }
+
+ if (cap_set_proc(new_caps)) {
+ errstr = "Error dropping capabilities, aborting\n";
+ goto bad;
+ }
+
+ if (cap_free (new_caps)) {
+ errstr = "Error freeing caps\n";
+ goto bad;
+ }
+ }
+ } /* END CAP BLOCK */
+#endif
break;
-
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
if (setresgid(-1, SUDOERS_GID, -1))
diff -up sudo-1.7.1/sudo.c.audit sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-06-22 14:24:48.000000000 +0200
@@ -95,6 +95,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include <sudo_usage.h>
#include "sudo.h"
#include "lbuf.h"
@@ -360,6 +364,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+
#ifdef HAVE_SETLOCALE
setlocale(LC_ALL, "");
#endif
@@ -521,7 +529,18 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
-
+
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
/* Close the password and group files and free up memory. */
sudo_endpwent();
sudo_endgrent();
@@ -554,11 +573,17 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execv(_PATH_BSHELL, NewArgv);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warning("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
audit_failure(NewArgv, "No user or host");
log_denial(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
if (def_path_info) {
@@ -580,6 +605,9 @@ main(argc, argv, envp)
log_denial(validated, 1);
}
audit_failure(NewArgv, "validation failure");
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
}
exit(0); /* not reached */
diff -up sudo-1.7.1/sudo.h.audit sudo-1.7.1/sudo.h
--- sudo-1.7.1/sudo.h.audit 2009-06-22 14:24:48.000000000 +0200
+++ sudo-1.7.1/sudo.h 2009-06-22 14:24:48.000000000 +0200
@@ -24,6 +24,8 @@
#ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H
+#include <config.h>
+
#include <pathnames.h>
#include <limits.h>
#include "compat.h"
@@ -338,4 +340,10 @@ extern int sudo_mode;
extern int errno;
#endif
+#ifdef WITH_AUDIT
+extern int audit_fd;
+extern void audit_help_open (void);
+extern void audit_logger (int, const char *, const char *, int);
+#endif
+
#endif /* _SUDO_SUDO_H */

View file

@ -1,48 +0,0 @@
diff -up sudo-1.7.1/audit_help.c.auditfix sudo-1.7.1/audit_help.c
--- sudo-1.7.1/audit_help.c.auditfix 2009-07-09 15:05:14.000000000 +0200
+++ sudo-1.7.1/audit_help.c 2009-07-09 15:04:33.000000000 +0200
@@ -45,7 +45,7 @@
#include <selinux/selinux.h>
#endif
-int audit_fd;
+int audit_fd = -1;
void audit_help_open (void)
{
diff -up sudo-1.7.1/sudo.c.auditfix sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.auditfix 2009-07-09 14:35:50.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-07-09 15:02:41.000000000 +0200
@@ -363,10 +363,6 @@ main(argc, argv, envp)
}
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
-
-#if defined(WITH_AUDIT)
- audit_help_open ();
-#endif
#ifdef HAVE_SETLOCALE
setlocale(LC_ALL, "");
@@ -529,7 +525,12 @@ main(argc, argv, envp)
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+
+ closefrom(def_closefrom + 1);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
if (access(safe_cmnd, X_OK) != 0) {
warn ("unable to execute %s", safe_cmnd);
#ifdef WITH_AUDIT
@@ -545,8 +546,6 @@ main(argc, argv, envp)
sudo_endpwent();
sudo_endgrent();
- closefrom(def_closefrom + 1);
-
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
syslog(LOG_AUTH|LOG_ERR, "fork");

View file

@ -1,12 +0,0 @@
diff -up sudo-1.7.1/configure.in.conffix sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.conffix 2009-06-22 15:45:51.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-06-22 15:45:30.000000000 +0200
@@ -2473,7 +2473,7 @@ if test ${with_ldap-'no'} != "no"; then
AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s), [break]])
+ AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)

View file

@ -1,12 +0,0 @@
diff -up sudo-1.7.1/configure.in.envdebug sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.envdebug 2009-05-02 21:25:56.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:27:17.000000000 +0200
@@ -1192,7 +1192,7 @@ AC_ARG_ENABLE(env_debug,
[ --enable-env-debug Whether to enable environment debugging.],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
- AC_DEFINE(ENV_DEBUG)
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
;;
no) AC_MSG_RESULT(no)
;;

View file

@ -1,40 +0,0 @@
diff -up sudo-1.7.1/check.c.getgrouplist sudo-1.7.1/check.c
--- sudo-1.7.1/check.c.getgrouplist 2009-05-02 21:48:17.000000000 +0200
+++ sudo-1.7.1/check.c 2009-05-02 21:49:04.000000000 +0200
@@ -353,6 +353,24 @@ user_is_exempt()
return(TRUE);
}
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif
+
return(FALSE);
}
diff -up sudo-1.7.1/configure.in.getgrouplist sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.getgrouplist 2009-05-02 21:48:13.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:50:05.000000000 +0200
@@ -1809,7 +1809,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo setsid setenv)
+ setlocale getaddrinfo setsid setenv getgrouplist)
AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID)
SUDO_FUNC_PUTENV_CONST
if test -z "$SKIP_SETRESUID"; then

View file

@ -1,12 +0,0 @@
diff -up sudo-1.7.1/Makefile.in.libtool sudo-1.7.1/Makefile.in
--- sudo-1.7.1/Makefile.in.libtool 2009-05-02 21:35:55.000000000 +0200
+++ sudo-1.7.1/Makefile.in 2009-05-02 21:36:04.000000000 +0200
@@ -198,7 +198,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_noexec.la: sudo_noexec.lo
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir)
# Uncomment the following if you want "make distclean" to clean the parser
@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h

View file

@ -1,111 +0,0 @@
diff -up sudo-1.7.1/auth/pam.c.login sudo-1.7.1/auth/pam.c
--- sudo-1.7.1/auth/pam.c.login 2009-05-02 21:01:17.000000000 +0200
+++ sudo-1.7.1/auth/pam.c 2009-05-02 21:07:42.000000000 +0200
@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth)
if (auth != NULL)
auth->data = (void *) &pam_status;
pam_conv.conv = sudo_conv;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+
if (pam_status != PAM_SUCCESS) {
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
diff -up sudo-1.7.1/configure.in.login sudo-1.7.1/configure.in
--- sudo-1.7.1/configure.in.login 2009-05-02 21:01:33.000000000 +0200
+++ sudo-1.7.1/configure.in 2009-05-02 21:13:59.000000000 +0200
@@ -393,6 +393,17 @@ AC_ARG_WITH(pam, [ --with-pam
;;
esac])
+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
+[case $with_pam_login in
+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
+ AC_MSG_CHECKING(whether to use PAM login)
+ AC_MSG_RESULT(yes)
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
[case $with_AFS in
yes) AC_DEFINE(HAVE_AFS)
diff -up sudo-1.7.1/env.c.login sudo-1.7.1/env.c
--- sudo-1.7.1/env.c.login 2009-05-02 21:01:24.000000000 +0200
+++ sudo-1.7.1/env.c 2009-05-02 21:12:28.000000000 +0200
@@ -101,7 +101,7 @@ struct environment {
/*
* Prototypes
*/
-void rebuild_env __P((int, int));
+void rebuild_env __P((int));
static void sudo_setenv __P((const char *, const char *, int));
static void sudo_putenv __P((char *, int, int));
@@ -550,8 +550,7 @@ matches_env_keep(var)
* Also adds sudo-specific variables (SUDO_*).
*/
void
-rebuild_env(sudo_mode, noexec)
- int sudo_mode;
+rebuild_env(noexec)
int noexec;
{
char **old_envp, **ep, *cp, *ps1;
diff -up sudo-1.7.1/sudo.c.login sudo-1.7.1/sudo.c
--- sudo-1.7.1/sudo.c.login 2009-05-02 21:01:49.000000000 +0200
+++ sudo-1.7.1/sudo.c 2009-05-02 21:18:18.000000000 +0200
@@ -123,7 +123,7 @@ static void usage_excl __P((int))
__attribute__((__noreturn__));
static struct passwd *get_authpw __P((void));
extern int sudo_edit __P((int, char **, char **));
-extern void rebuild_env __P((int, int));
+extern void rebuild_env __P((int));
void validate_env_vars __P((struct list_member *));
void insert_env_vars __P((struct list_member *));
@@ -154,6 +154,8 @@ login_cap_t *lc;
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
+
+int sudo_mode;
static char *runas_user;
static char *runas_group;
static struct sudo_nss_list *snl;
@@ -169,7 +171,7 @@ main(argc, argv, envp)
char **envp;
{
int sources = 0, validated;
- int fd, cmnd_status, sudo_mode, pwflag, rc = 0;
+ int fd, cmnd_status, pwflag, rc = 0;
sigaction_t sa;
struct sudo_nss *nss;
#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
@@ -408,7 +410,7 @@ main(argc, argv, envp)
def_env_reset = FALSE;
/* Build a new environment that avoids any nasty bits. */
- rebuild_env(sudo_mode, def_noexec);
+ rebuild_env(def_noexec);
/* Fill in passwd struct based on user we are authenticating as. */
auth_pw = get_authpw();
diff -up sudo-1.7.1/sudo.h.login sudo-1.7.1/sudo.h
--- sudo-1.7.1/sudo.h.login 2009-05-02 21:01:42.000000000 +0200
+++ sudo-1.7.1/sudo.h 2009-05-02 21:14:58.000000000 +0200
@@ -332,6 +332,7 @@ extern struct passwd *auth_pw, *list_pw;
extern int tgetpass_flags;
extern int long_list;
extern uid_t timestamp_uid;
+extern int sudo_mode;
#endif
#ifndef errno
extern int errno;

View file

@ -0,0 +1,12 @@
diff -up sudo-1.7.2p1/configure.in.envdebug sudo-1.7.2p1/configure.in
--- sudo-1.7.2p1/configure.in.envdebug 2009-10-30 12:18:09.000000000 +0100
+++ sudo-1.7.2p1/configure.in 2009-10-30 12:19:01.000000000 +0100
@@ -1214,7 +1214,7 @@ AC_ARG_ENABLE(env_debug,
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
- AC_DEFINE(ENV_DEBUG)
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
;;
no) AC_MSG_RESULT(no)
;;

17
sudo-1.7.4p3-m4path.patch Normal file
View file

@ -0,0 +1,17 @@
diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
+++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
@@ -368,8 +368,8 @@ EOF
dnl
dnl Pull in libtool macros
dnl
-m4_include([libtool.m4])
-m4_include([ltoptions.m4])
-m4_include([ltsugar.m4])
-m4_include([ltversion.m4])
-m4_include([lt~obsolete.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])

View file

@ -0,0 +1,67 @@
diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
+++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
/*
* Only check the actual command if pwflag is not set.
- * It is set for the "validate", "list" and "kill" pseudo-commands.
- * Always check the host and user.
+ * It is set for the "sudovalidate", "sudolist" and "sudokill"
+ * pseudo-commands. Always check the host and user.
*/
if (pwflag) {
int nopass;
diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
+++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
@@ -232,7 +232,7 @@ main(argc, argv, envp)
pwflag = 0;
if (ISSET(sudo_mode, MODE_SHELL))
- user_cmnd = "shell";
+ user_cmnd = "sudoshell";
else if (ISSET(sudo_mode, MODE_EDIT))
user_cmnd = "sudoedit";
else {
@@ -245,12 +245,12 @@ main(argc, argv, envp)
break;
case MODE_VALIDATE:
case MODE_VALIDATE|MODE_INVALIDATE:
- user_cmnd = "validate";
+ user_cmnd = "sudovalidate";
pwflag = I_VERIFYPW;
break;
case MODE_KILL:
case MODE_INVALIDATE:
- user_cmnd = "kill";
+ user_cmnd = "sudokill";
pwflag = -1;
break;
case MODE_LISTDEFS:
@@ -259,7 +259,7 @@ main(argc, argv, envp)
break;
case MODE_LIST:
case MODE_LIST|MODE_INVALIDATE:
- user_cmnd = "list";
+ user_cmnd = "sudolist";
pwflag = I_LISTPW;
break;
case MODE_CHECK:
@@ -701,13 +701,13 @@ init_vars(envp)
set_perms(PERM_ROOT);
/*
- * If we were given the '-e', '-i' or '-s' options we need to redo
+ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
* NewArgv and NewArgc.
*/
- if (ISSET(sudo_mode, MODE_EDIT)) {
+ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
NewArgv--;
NewArgc++;
- NewArgv[0] = "sudoedit";
+ NewArgv[0] = user_cmnd;
} else if (ISSET(sudo_mode, MODE_SHELL)) {
char **av;

View file

@ -0,0 +1,15 @@
diff -r 9a328aa25c53 -r a686884684ca linux_audit.c
--- a/linux_audit.c Fri Sep 17 12:13:17 2010 -0400
+++ b/linux_audit.c Tue Sep 21 07:56:36 2010 -0400
@@ -81,9 +81,9 @@
}
*--cp = '\0';
- /* Log command, ignoring EPERM on error. */
+ /* Log command, ignoring ECONNREFUSED on error. */
rc = audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result);
- if (rc <= 0)
+ if (rc <= 0 && errno != ECONNREFUSED)
warning("unable to send audit message");
efree(command);

View file

@ -0,0 +1,39 @@
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
regcomp setlocale getaddrinfo setenv vhangup \
- mbr_check_membership setrlimit64)
+ mbr_check_membership setrlimit64 getgrouplist)
AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
@@ -628,5 +628,23 @@ user_in_group(pw, group)
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif /* HAVE_GETGROUPLIST */
+
return(FALSE);
}

57
sudo-1.7.4p4-sudoi.patch Normal file
View file

@ -0,0 +1,57 @@
--- env.c Wed Aug 18 15:27:03 2010
+++ env.c Tue Sep 14 11:41:50 2010
@@ -608,10 +608,16 @@
#ifdef ENV_DEBUG
memset(env.envp, 0, env.env_size * sizeof(char *));
#endif
- if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
- /* Reset HOME based on target user unless keeping old value. */
- reset_home = TRUE;
+ /* Reset HOME based on target user if configured to. */
+ if (ISSET(sudo_mode, MODE_RUN)) {
+ if (def_always_set_home ||
+ ISSET(sudo_mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) ||
+ (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
+ reset_home = TRUE;
+ }
+
+ if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Pull in vars we want to keep from the old environment. */
for (ep = old_envp; *ep; ep++) {
int keepit;
@@ -696,6 +702,11 @@
if (!ISSET(didvar, DID_USERNAME))
sudo_setenv("USERNAME", user_name, FALSE);
}
+
+ /* If we didn't keep HOME, reset it based on target user. */
+ if (!ISSET(didvar, KEPT_HOME))
+ reset_home = TRUE;
+
/*
* Set MAIL to target user in -i mode or if MAIL is not preserved
* from user's environment.
@@ -709,13 +720,6 @@
sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE);
}
} else {
- /* Reset HOME based on target user if configured to. */
- if (ISSET(sudo_mode, MODE_RUN)) {
- if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) ||
- (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
- reset_home = TRUE;
- }
-
/*
* Copy environ entries as long as they don't match env_delete or
* env_check.
@@ -765,7 +769,7 @@
}
/* Set $HOME to target user if not preserving user's value. */
- if (reset_home && !ISSET(didvar, KEPT_HOME))
+ if (reset_home)
sudo_setenv("HOME", runas_pw->pw_dir, TRUE);
/* Provide default values for $TERM and $PATH if they are not set. */

108
sudo.spec
View file

@ -1,12 +1,12 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.7.1
Release: 7%{?dist}
License: BSD
Version: 1.7.4p4
Release: 3%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
Source1: sudo-1.7.1-sudoers
Source1: sudo-1.7.4p4-sudoers
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: /etc/pam.d/system-auth, vim-minimal
@ -22,15 +22,18 @@ BuildRequires: sendmail
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
# use specific PAM session for sudo -i (#198755)
Patch2: sudo-1.7.1-login.patch
# the rest, see changelog
Patch3: sudo-1.7.1-envdebug.patch
Patch4: sudo-1.7.1-libtool.patch
Patch5: sudo-1.7.1-getgrouplist.patch
Patch6: sudo-1.7.1-audit.patch
Patch7: sudo-1.7.1-conffix.patch
Patch8: sudo-1.7.1-auditfix.patch
# configure.in fix
Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch
# don't emalloc(0)
Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915)
Patch5: sudo-1.7.4p4-getgrouplist.patch
# reset HOME when using the `-i' option (#635250)
Patch6: sudo-1.7.4p4-sudoi.patch
# Ignore ECONREFUSED from audit_log_user_command()
Patch7: sudo-1.7.4p4-auditconn.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -45,18 +48,20 @@ on many different machines.
%prep
%setup -q
%patch1 -p1 -b .strip
%patch2 -p1 -b .login
%patch3 -p1 -b .envdebug
%patch4 -p1 -b .libtool
%patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path
%patch4 -p1 -b .sudolist
%patch5 -p1 -b .getgrouplist
%patch6 -p1 -b .audit
%patch7 -p1 -b .conffix
%patch8 -p1 -b .auditfix
%patch6 -p0 -b .sudoi
%patch7 -p1 -b .auditconn
%build
# handle newer autoconf
libtoolize --force && rm acsite.m4 && mv aclocal.m4 acinclude.m4 && autoreconf
rm -f acsite.m4
mv aclocal.m4 acinclude.m4
autoreconf -fv --install
%ifarch s390 s390x sparc64
F_PIE=-fPIE
@ -70,6 +75,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
--docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
@ -80,7 +86,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--with-tty-tickets \
--with-ldap \
--with-selinux \
--with-passprompt="[sudo] password for %p: "
--with-passprompt="[sudo] password for %p: " \
--with-linux-audit
# --without-kerb5 \
# --without-kerb4
make
@ -89,7 +96,8 @@ make
rm -rf $RPM_BUILD_ROOT
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
install -p -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
@ -117,20 +125,24 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc *.pod schema.* sudoers2ldif sample.*
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%dir /var/run/sudo
%dir /var/db/sudo
%attr(4111,root,root) %{_bindir}/sudo
%attr(4111,root,root) %{_bindir}/sudoedit
%attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.*
%{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
# Make sure permissions are ok even if we're updating
@ -138,6 +150,52 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3
- added upstream patch to fix rhbz#638345
* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2
- added patch for #635250
* Wed Sep 8 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
- update to new upstream version
- sudo now uses /var/db/sudo for timestamps
- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
- added env_keep += HOME (see rhbz#614025) for
backwards compatibility
- added Defaults !visiblepw
* Wed Jun 2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
- added patch that fixes insufficient environment sanitization issue (#598154)
* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1
- update to new upstream version
- merged .audit and .libaudit patch
- added sudoers.ldap.5* to files
* Mon Mar 1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-1
- update to new upstream version
* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4
- fixed no valid sudoers sources found (#558875)
- audit related Makefile.in and configure.in corrections
- added --with-audit configure option
- removed call to libtoolize
* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3
- fixed segfault when #include directive is used in cycles (#561336)
* Wed Feb 10 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-3
- Add /etc/sudoers.d dir and use it in default config (#551470).
- Drop *.pod man page duplicates from docs.
* Fri Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-2
- commented out unused aliases in sudoers to make visudo happy (#550239)
* Fri Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1
- new upstream version 1.7.2p2
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7
- rebuilt with new audit