rebase to 1.8.1p2

removed .sudoi patch
fixed typo: RELPRO -> RELRO
added -devel subpackage for the sudo_plugin.h header file
use default ldap configuration files again
Daniel Kopecek 2011-07-12 13:20:39 +02:00
parent c973b40001
commit 269d3c7dce
6 changed files with 77 additions and 115 deletions

1
.gitignore vendored

@ -4,3 +4,4 @@ sudo-1.7.2p2-sudoers
/sudo-1.7.2p2-sudoers
/sudo-1.7.4p4-sudoers
/sudo-1.7.4p5.tar.gz
/sudo-1.8.1p2.tar.gz


@ -1,2 +1,2 @@
4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
e8330f0e63b0ecb2e12b5c76922818cc sudo-1.8.1p2.tar.gz
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers


@ -1,42 +0,0 @@
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
--- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
+++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
regcomp setlocale getaddrinfo setenv vhangup \
- mbr_check_membership setrlimit64)
+ mbr_check_membership setrlimit64 getgrouplist)
AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
+++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
@@ -628,5 +628,26 @@ user_in_group(pw, group)
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
+ if (user_ngroups >= 0 &&
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif /* HAVE_GETGROUPLIST */
+
return(FALSE);
}


@ -1,57 +0,0 @@
--- env.c Wed Aug 18 15:27:03 2010
+++ env.c Tue Sep 14 11:41:50 2010
@@ -608,10 +608,16 @@
#ifdef ENV_DEBUG
memset(env.envp, 0, env.env_size * sizeof(char *));
#endif
- if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
- /* Reset HOME based on target user unless keeping old value. */
- reset_home = TRUE;
+ /* Reset HOME based on target user if configured to. */
+ if (ISSET(sudo_mode, MODE_RUN)) {
+ if (def_always_set_home ||
+ ISSET(sudo_mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) ||
+ (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
+ reset_home = TRUE;
+ }
+
+ if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Pull in vars we want to keep from the old environment. */
for (ep = old_envp; *ep; ep++) {
int keepit;
@@ -696,6 +702,11 @@
if (!ISSET(didvar, DID_USERNAME))
sudo_setenv("USERNAME", user_name, FALSE);
}
+
+ /* If we didn't keep HOME, reset it based on target user. */
+ if (!ISSET(didvar, KEPT_HOME))
+ reset_home = TRUE;
+
/*
* Set MAIL to target user in -i mode or if MAIL is not preserved
* from user's environment.
@@ -709,13 +720,6 @@
sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE);
}
} else {
- /* Reset HOME based on target user if configured to. */
- if (ISSET(sudo_mode, MODE_RUN)) {
- if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) ||
- (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
- reset_home = TRUE;
- }
-
/*
* Copy environ entries as long as they don't match env_delete or
* env_check.
@@ -765,7 +769,7 @@
}
/* Set $HOME to target user if not preserving user's value. */
- if (reset_home && !ISSET(didvar, KEPT_HOME))
+ if (reset_home)
sudo_setenv("HOME", runas_pw->pw_dir, TRUE);
/* Provide default values for $TERM and $PATH if they are not set. */


@ -0,0 +1,44 @@
diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in
--- sudo-1.8.1p2/configure.in.getgrouplist 2011-07-12 12:13:29.562597933 +0200
+++ sudo-1.8.1p2/configure.in 2011-07-12 12:15:27.116597851 +0200
@@ -2007,7 +2007,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \
regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
- setrlimit64 sysctl)
+ setrlimit64 sysctl getgrouplist)
AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c
--- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist 2011-07-12 12:13:17.346597942 +0200
+++ sudo-1.8.1p2/plugins/sudoers/pwutil.c 2011-07-12 12:19:02.171597700 +0200
@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
+ if (user_ngroups >= 0 &&
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ retval = TRUE;
+ goto done;
+ }
+ free(grouplist);
+ }
+ }
+#endif /* HAVE_GETGROUPLIST */
+
done:
if (grp != NULL)
gr_delref(grp);
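Review bot: Both getgrouplist() calls in the pwutil.c hunk pass `user_name` and `user_gid`, although the guard just above them also matches when `pw` is `list_pw`, so in that case the membership answer would be computed for the invoking user rather than for the user being examined. The spec comment ties this patch to CVE-2009-0034, which as far as I recall was a group-matching error for a user other than the invoker, so querying the entry actually under test looks safer: `getgrouplist(pw->pw_name, pw->pw_gid, &grouptmp, &n_groups)`, with the same first two arguments in the second call. The `> 0` test on the second call also assumes a return value that counts groups, which I believe is glibc behaviour rather than universal; a one-line comment stating that assumption would help. user_in_group() begins and ends outside the hunk, so how `list_pw` and `user_gid` are set is not visible here.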


@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.7.4p5
Release: 4%{?dist}
Version: 1.8.1p2
Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@ -28,9 +28,7 @@ Patch2: sudo-1.7.2p1-envdebug.patch
Patch3: sudo-1.7.4p3-m4path.patch
# getgrouplist() to determine group membership (#235915)
# - version with CVE-2009-0034 fixed
Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch
# reset HOME when using the `-i' option (#635250)
Patch5: sudo-1.7.4p4-sudoi.patch
Patch4: sudo-1.8.1p2-getgrouplist.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -43,19 +41,24 @@ audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
The %{name}-devel package contains header files developing sudo
plugins that use %{name}.
%prep
%setup -q
%patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path
%patch4 -p1 -b .getgrouplist-fixed
%patch5 -p0 -b .sudoi
%patch4 -p1 -b .getgrouplist
%build
# handle newer autoconf
rm -f acsite.m4
mv aclocal.m4 acinclude.m4
autoreconf -fv --install
%ifarch s390 s390x sparc64
@ -80,8 +83,6 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--with-ignore-dot \
--with-tty-tickets \
--with-ldap \
--with-ldap-conf-file="%{_sysconfdir}/nss_ldap.conf" \
--with-ldap-secret-file="%{_sysconfdir}/nss_ldap.secret" \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
--with-linux-audit
@ -122,8 +123,9 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc schema.* sudoers2ldif sample.*
%doc ChangeLog NEWS README* MANIFEST
%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE
%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo
@ -135,6 +137,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.*
%{_libexecdir}/sudoers.*
%{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
@ -146,9 +149,22 @@ rm -rf $RPM_BUILD_ROOT
%post
/bin/chmod 0440 /etc/sudoers || :
%files devel
%defattr(-,root,root,-)
%doc plugins/{sample,sample_group}
%{_includedir}/sudo_plugin.h
%{_mandir}/man8/sudo_plugin.8*
%changelog
* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
- rebase to 1.8.1p2
- removed .sudoi patch
- fixed typo: RELPRO -> RELRO
- added -devel subpackage for the sudo_plugin.h header file
- use default ldap configuration files again
* Fri Jun 3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
- build with RELPRO
- build with RELRO
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
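Review bot: Dropping `--with-ldap-conf-file` and `--with-ldap-secret-file` from the configure call changes where sudo looks for its LDAP settings and bind secret, and nothing in this section migrates or warns hosts that populated `%{_sysconfdir}/nss_ldap.conf` and `%{_sysconfdir}/nss_ldap.secret`. On upgrade such hosts would presumably stop reading their LDAP sudoers source without any error at install time, which is a silent change in who may run what. I would record the change next to the configure options, e.g. `# LDAP config and secret now come from sudo's built-in default paths, not nss_ldap.*`, and have the changelog line name both the old and the new files. Separately, the -devel description reads better as `contains header files for developing sudo plugins`.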