Compare commits
6 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
74fbecc114 |
||
|
|
481e766270 |
||
|
|
7df67e16f7 |
||
|
|
3e5ff76d08 | ||
|
|
77bc95ad05 |
||
|
|
8afd87a1ac |
4 changed files with 103 additions and 7 deletions
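--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,9 @@
 /sudo-1.8.28.tar.gz
 /sudo-1.8.28p1.tar.gz
 /sudo-1.8.29.tar.gz
+/sudo-1.9.0b1.tar.gz
+/sudo-1.9.0b4.tar.gz
+/sudo-1.9.2.tar.gz
+/sudo-1.9.3p1.tar.gz
+/sudo-1.9.5p1.tar.gz
+/sudo-1.9.5p2.tar.gz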
2
sources
2
sources
|
|
@ -1 +1 @@
|
||||||
SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
|
SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
|
||||||
|
|
|
||||||
100
sudo.spec
100
sudo.spec
|
|
@ -1,13 +1,14 @@
|
||||||
Summary: Allows restricted root access for specified users
|
Summary: Allows restricted root access for specified users
|
||||||
Name: sudo
|
Name: sudo
|
||||||
Version: 1.8.29
|
Version: 1.9.5p2
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: ISC
|
License: ISC
|
||||||
URL: http://www.courtesan.com/sudo/
|
URL: https://www.sudo.ws
|
||||||
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
|
Source0: %{url}/dist/%{name}-%{version}.tar.gz
|
||||||
Source1: sudoers
|
Source1: sudoers
|
||||||
Requires: pam
|
Requires: pam
|
||||||
Recommends: vim-minimal
|
Recommends: vim-minimal
|
||||||
|
Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
|
||||||
Requires(post): coreutils
|
Requires(post): coreutils
|
||||||
|
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
|
|
@ -44,6 +45,26 @@ Requires: %{name} = %{version}-%{release}
|
||||||
The %{name}-devel package contains header files developing sudo
|
The %{name}-devel package contains header files developing sudo
|
||||||
plugins that use %{name}.
|
plugins that use %{name}.
|
||||||
|
|
||||||
|
|
||||||
|
%package logsrvd
|
||||||
|
Summary: High-performance log server for %{name}
|
||||||
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
|
||||||
|
|
||||||
|
%description logsrvd
|
||||||
|
%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
|
||||||
|
It can be used to implement centralized logging of sudo logs.
|
||||||
|
|
||||||
|
%package python-plugin
|
||||||
|
Summary: Python plugin for %{name}
|
||||||
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
BuildRequires: python3-devel
|
||||||
|
|
||||||
|
|
||||||
|
%description python-plugin
|
||||||
|
%{name}-python-plugin allows using sudo plugins written in Python.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
|
|
@ -67,6 +88,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
||||||
--sbindir=%{_sbindir} \
|
--sbindir=%{_sbindir} \
|
||||||
--libdir=%{_libdir} \
|
--libdir=%{_libdir} \
|
||||||
--docdir=%{_pkgdocdir} \
|
--docdir=%{_pkgdocdir} \
|
||||||
|
--enable-openssl \
|
||||||
--disable-root-mailer \
|
--disable-root-mailer \
|
||||||
--with-logging=syslog \
|
--with-logging=syslog \
|
||||||
--with-logfac=authpriv \
|
--with-logfac=authpriv \
|
||||||
|
|
@ -79,6 +101,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
||||||
--with-ldap \
|
--with-ldap \
|
||||||
--with-selinux \
|
--with-selinux \
|
||||||
--with-passprompt="[sudo] password for %p: " \
|
--with-passprompt="[sudo] password for %p: " \
|
||||||
|
--enable-python \
|
||||||
--with-linux-audit \
|
--with-linux-audit \
|
||||||
--with-sssd
|
--with-sssd
|
||||||
# --without-kerb5 \
|
# --without-kerb5 \
|
||||||
|
|
@ -151,7 +174,8 @@ EOF
|
||||||
%config(noreplace) /etc/pam.d/sudo
|
%config(noreplace) /etc/pam.d/sudo
|
||||||
%config(noreplace) /etc/pam.d/sudo-i
|
%config(noreplace) /etc/pam.d/sudo-i
|
||||||
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
||||||
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
|
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
|
||||||
|
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
|
||||||
%dir /var/db/sudo
|
%dir /var/db/sudo
|
||||||
%dir /var/db/sudo/lectured
|
%dir /var/db/sudo/lectured
|
||||||
%attr(4111,root,root) %{_bindir}/sudo
|
%attr(4111,root,root) %{_bindir}/sudo
|
||||||
|
|
@ -163,7 +187,9 @@ EOF
|
||||||
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
||||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
||||||
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
||||||
|
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
|
||||||
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
||||||
|
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
|
||||||
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
||||||
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
|
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
|
||||||
%{_libexecdir}/sudo/libsudo_util.so.?
|
%{_libexecdir}/sudo/libsudo_util.so.?
|
||||||
|
|
@ -188,7 +214,71 @@ EOF
|
||||||
%{_includedir}/sudo_plugin.h
|
%{_includedir}/sudo_plugin.h
|
||||||
%{_mandir}/man8/sudo_plugin.8*
|
%{_mandir}/man8/sudo_plugin.8*
|
||||||
|
|
||||||
|
%files logsrvd
|
||||||
|
%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
|
||||||
|
%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
|
||||||
|
%attr(0755,root,root) %{_sbindir}/sudo_sendlog
|
||||||
|
%{_mandir}/man5/sudo_logsrv.proto.5.gz
|
||||||
|
%{_mandir}/man5/sudo_logsrvd.conf.5.gz
|
||||||
|
%{_mandir}/man8/sudo_logsrvd.8.gz
|
||||||
|
%{_mandir}/man8/sudo_sendlog.8.gz
|
||||||
|
|
||||||
|
%files python-plugin
|
||||||
|
%{_mandir}/man8/sudo_plugin_python.8.gz
|
||||||
|
%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1
|
||||||
|
- rebase to 1.9.5p2
|
||||||
|
Resolves: rhbz#1920611
|
||||||
|
- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
|
||||||
|
Resolves: rhbz#1920618
|
||||||
|
|
||||||
|
* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
|
||||||
|
- rebase to 1.9.5p1
|
||||||
|
- updated sudo url
|
||||||
|
Resolves: rhbz#1902758
|
||||||
|
- enabled python plugin as a subpackage
|
||||||
|
Resolves: rhbz#1909299
|
||||||
|
- fixed double free in sss_to_sudoers
|
||||||
|
Resolves: rhbz#1885874
|
||||||
|
- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
|
||||||
|
Resolves: rhbz#1915055
|
||||||
|
- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
|
||||||
|
Resolves: rhbz#1915054
|
||||||
|
|
||||||
|
* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
|
||||||
|
- rebase to 1.9.2
|
||||||
|
Resolves: rhbz#1859577
|
||||||
|
- added logsrvd subpackage
|
||||||
|
- added openssl-devel buildrequires
|
||||||
|
Resolves: rhbz#1860653
|
||||||
|
- fixed sudo runstatedir path
|
||||||
|
- it was generated as /sudo instead of /run/sudo
|
||||||
|
Resolves: rhbz#1868215
|
||||||
|
- added /var/lib/snapd/snap/bin to secure_path variable
|
||||||
|
Resolves: rhbz#1691996
|
||||||
|
|
||||||
|
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
|
||||||
|
- update to latest development version 1.9.0b4
|
||||||
|
Resolves: rhbz#1816593
|
||||||
|
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
|
||||||
|
Resolves: rhbz#1773148
|
||||||
|
|
||||||
|
* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
|
||||||
|
- update to latest development version 1.9.0b1
|
||||||
|
- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
|
||||||
|
Resolves: rhbz#1787823
|
||||||
|
- Stack based buffer overflow in when pwfeedback is enabled
|
||||||
|
Resolves: rhbz#1796945
|
||||||
|
- fixes: CVE-2019-18634
|
||||||
|
- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
|
||||||
|
Resolves: rhbz#1786709
|
||||||
|
- fixes CVE-2019-19234
|
||||||
|
- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
|
||||||
|
Resolves: rhbz#1786705
|
||||||
|
- fixes CVE-2019-19232
|
||||||
|
|
||||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
|
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
|
|
||||||
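Review bot: The rebase still accepts the upstream tarball on the strength of the SHA512 in `sources` alone. The first hunk lists only `Source0` and `Source1: sudoers`, and in the second hunk `%prep` goes straight to `%setup -q`, so nothing in the visible lines checks an upstream OpenPGP signature. For a setuid-root package being rebased to pick up CVE fixes, and assuming upstream publishes a detached signature for the tarball, I would add the signature and the upstream keyring as further `Source` entries, add `BuildRequires: gnupg2`, and run `%{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE2}' --data='%{SOURCE0}'` ahead of `%setup -q` (the source numbers are placeholders). The spec lines between the first two hunks are not shown, so confirm that no verification step already exists there.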
2
sudoers
2
sudoers
|
|
@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
|
||||||
#
|
#
|
||||||
# Defaults env_keep += "HOME"
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||||
|
|
||||||
## Next comes the main part: which users can run what software on
|
## Next comes the main part: which users can run what software on
|
||||||
## which machines (the sudoers file can be shared between multiple
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
|
|
||||||
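Review bot: The widened `secure_path` carries no comment explaining why a snap-managed directory is now on the PATH that sudo uses for every command, on every install of this package, whether or not snapd is present. Because the entry is last it cannot shadow a binary from the system directories, but any command name not found earlier will resolve to whatever snap packages expose in `/var/lib/snapd/snap/bin` and run with the target user's privileges. I would record that intent directly above the line, e.g. `## /var/lib/snapd/snap/bin is deliberately last so snap commands never shadow system binaries (rhbz#1691996)`, and keep the entry at the end in future edits.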