rebase to 1.8.1p2
removed .sudoi patch; fixed typo: RELPRO -> RELRO; added -devel subpackage for the sudo_plugin.h header file; use default ldap configuration files again
parent
c973b40001
commit
269d3c7dce
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@ sudo-1.7.2p2-sudoers
|
||||
/sudo-1.7.2p2-sudoers
|
||||
/sudo-1.7.4p4-sudoers
|
||||
/sudo-1.7.4p5.tar.gz
|
||||
/sudo-1.8.1p2.tar.gz
|
||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
|
||||
e8330f0e63b0ecb2e12b5c76922818cc sudo-1.8.1p2.tar.gz
|
||||
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
|
||||
|
@ -1,42 +0,0 @@
|
||||
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
|
||||
--- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
|
||||
+++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
|
||||
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
|
||||
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
|
||||
strftime setrlimit initgroups getgroups fstat gettimeofday \
|
||||
regcomp setlocale getaddrinfo setenv vhangup \
|
||||
- mbr_check_membership setrlimit64)
|
||||
+ mbr_check_membership setrlimit64 getgrouplist)
|
||||
AC_CHECK_FUNCS(getline, [], [
|
||||
AC_LIBOBJ(getline)
|
||||
AC_CHECK_FUNCS(fgetln)
|
||||
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
|
||||
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
|
||||
+++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
|
||||
@@ -628,5 +628,26 @@ user_in_group(pw, group)
|
||||
}
|
||||
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
|
||||
|
||||
+#ifdef HAVE_GETGROUPLIST
|
||||
+ if (user_ngroups >= 0 &&
|
||||
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
|
||||
+ {
|
||||
+ gid_t *grouplist, grouptmp;
|
||||
+ int n_groups, i;
|
||||
+ n_groups = 1;
|
||||
+
|
||||
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
|
||||
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
|
||||
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
|
||||
+ for (i = 0; i < n_groups; i++)
|
||||
+ if (grouplist[i] == grp->gr_gid) {
|
||||
+ free(grouplist);
|
||||
+ return(TRUE);
|
||||
+ }
|
||||
+ free(grouplist);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* HAVE_GETGROUPLIST */
|
||||
+
|
||||
return(FALSE);
|
||||
}
|
@ -1,57 +0,0 @@
|
||||
--- env.c Wed Aug 18 15:27:03 2010
|
||||
+++ env.c Tue Sep 14 11:41:50 2010
|
||||
@@ -608,10 +608,16 @@
|
||||
#ifdef ENV_DEBUG
|
||||
memset(env.envp, 0, env.env_size * sizeof(char *));
|
||||
#endif
|
||||
- if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
|
||||
- /* Reset HOME based on target user unless keeping old value. */
|
||||
- reset_home = TRUE;
|
||||
|
||||
+ /* Reset HOME based on target user if configured to. */
|
||||
+ if (ISSET(sudo_mode, MODE_RUN)) {
|
||||
+ if (def_always_set_home ||
|
||||
+ ISSET(sudo_mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) ||
|
||||
+ (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
|
||||
+ reset_home = TRUE;
|
||||
+ }
|
||||
+
|
||||
+ if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
|
||||
/* Pull in vars we want to keep from the old environment. */
|
||||
for (ep = old_envp; *ep; ep++) {
|
||||
int keepit;
|
||||
@@ -696,6 +702,11 @@
|
||||
if (!ISSET(didvar, DID_USERNAME))
|
||||
sudo_setenv("USERNAME", user_name, FALSE);
|
||||
}
|
||||
+
|
||||
+ /* If we didn't keep HOME, reset it based on target user. */
|
||||
+ if (!ISSET(didvar, KEPT_HOME))
|
||||
+ reset_home = TRUE;
|
||||
+
|
||||
/*
|
||||
* Set MAIL to target user in -i mode or if MAIL is not preserved
|
||||
* from user's environment.
|
||||
@@ -709,13 +720,6 @@
|
||||
sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE);
|
||||
}
|
||||
} else {
|
||||
- /* Reset HOME based on target user if configured to. */
|
||||
- if (ISSET(sudo_mode, MODE_RUN)) {
|
||||
- if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) ||
|
||||
- (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
|
||||
- reset_home = TRUE;
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Copy environ entries as long as they don't match env_delete or
|
||||
* env_check.
|
||||
@@ -765,7 +769,7 @@
|
||||
}
|
||||
|
||||
/* Set $HOME to target user if not preserving user's value. */
|
||||
- if (reset_home && !ISSET(didvar, KEPT_HOME))
|
||||
+ if (reset_home)
|
||||
sudo_setenv("HOME", runas_pw->pw_dir, TRUE);
|
||||
|
||||
/* Provide default values for $TERM and $PATH if they are not set. */
|
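--- a/sudo-1.8.1p2-getgrouplist.patch
+++ b/sudo-1.8.1p2-getgrouplist.patch
@@ -0,0 +1,44 @@
+diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in
+--- sudo-1.8.1p2/configure.in.getgrouplist 2011-07-12 12:13:29.562597933 +0200
++++ sudo-1.8.1p2/configure.in 2011-07-12 12:15:27.116597851 +0200
+@@ -2007,7 +2007,7 @@ dnl
+AC_FUNC_GETGROUPS
+AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \
+regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
+- setrlimit64 sysctl)
++ setrlimit64 sysctl getgrouplist)
+AC_CHECK_FUNCS(getline, [], [
+AC_LIBOBJ(getline)
+AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c
+--- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist 2011-07-12 12:13:17.346597942 +0200
++++ sudo-1.8.1p2/plugins/sudoers/pwutil.c 2011-07-12 12:19:02.171597700 +0200
+@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c
+}
+#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+
++#ifdef HAVE_GETGROUPLIST
++ if (user_ngroups >= 0 &&
++ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ retval = TRUE;
++ goto done;
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+done:
+if (grp != NULL)
+gr_delref(grp);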
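Review bot: The two getgrouplist() calls in the pwutil.c hunk look up `user_name`/`user_gid`, while the guard just above them also admits the case where `pw` is `list_pw`, so a membership test for the listed user would be answered from a different account's group list (assuming `user_name` and `user_gid` describe the invoking user, as the names suggest). Querying the entry actually being tested keeps the guard and the lookup in step: `getgrouplist(pw->pw_name, pw->pw_gid, &grouptmp, &n_groups)`, with the same first two arguments in the second call. The second call is also tested with `> 0`, which relies on the glibc return convention, and a first call that succeeds with a single group never compares `grouptmp` against `grp->gr_gid`; presumably the primary gid is checked earlier in user_in_group(), whose body starts outside this hunk.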
46
sudo.spec
46
sudo.spec
@ -1,7 +1,7 @@
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.7.4p5
|
||||
Release: 4%{?dist}
|
||||
Version: 1.8.1p2
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
@ -28,9 +28,7 @@ Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
Patch3: sudo-1.7.4p3-m4path.patch
|
||||
# getgrouplist() to determine group membership (#235915)
|
||||
# - version with CVE-2009-0034 fixed
|
||||
Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch
|
||||
# reset HOME when using the `-i' option (#635250)
|
||||
Patch5: sudo-1.7.4p4-sudoi.patch
|
||||
Patch4: sudo-1.8.1p2-getgrouplist.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
@ -43,19 +41,24 @@ audit trail of who did what), a configurable timeout of the sudo
|
||||
command, and the ability to use the same configuration file (sudoers)
|
||||
on many different machines.
|
||||
|
||||
%package devel
|
||||
Summary: Development files for %{name}
|
||||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
The %{name}-devel package contains header files developing sudo
|
||||
plugins that use %{name}.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .envdebug
|
||||
%patch3 -p1 -b .m4path
|
||||
%patch4 -p1 -b .getgrouplist-fixed
|
||||
%patch5 -p0 -b .sudoi
|
||||
%patch4 -p1 -b .getgrouplist
|
||||
|
||||
%build
|
||||
# handle newer autoconf
|
||||
rm -f acsite.m4
|
||||
mv aclocal.m4 acinclude.m4
|
||||
autoreconf -fv --install
|
||||
|
||||
%ifarch s390 s390x sparc64
|
||||
@ -80,8 +83,6 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
|
||||
--with-ignore-dot \
|
||||
--with-tty-tickets \
|
||||
--with-ldap \
|
||||
--with-ldap-conf-file="%{_sysconfdir}/nss_ldap.conf" \
|
||||
--with-ldap-secret-file="%{_sysconfdir}/nss_ldap.secret" \
|
||||
--with-selinux \
|
||||
--with-passprompt="[sudo] password for %p: " \
|
||||
--with-linux-audit
|
||||
@ -122,8 +123,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
|
||||
%doc schema.* sudoers2ldif sample.*
|
||||
%doc ChangeLog NEWS README* MANIFEST
|
||||
%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE
|
||||
%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.*
|
||||
%attr(0440,root,root) %config(noreplace) /etc/sudoers
|
||||
%attr(0750,root,root) %dir /etc/sudoers.d/
|
||||
%config(noreplace) /etc/pam.d/sudo
|
||||
@ -135,6 +137,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%attr(0755,root,root) %{_sbindir}/visudo
|
||||
%attr(0755,root,root) %{_libexecdir}/sesh
|
||||
%{_libexecdir}/sudo_noexec.*
|
||||
%{_libexecdir}/sudoers.*
|
||||
%{_mandir}/man5/sudoers.5*
|
||||
%{_mandir}/man5/sudoers.ldap.5*
|
||||
%{_mandir}/man8/sudo.8*
|
||||
@ -146,9 +149,22 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%post
|
||||
/bin/chmod 0440 /etc/sudoers || :
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root,-)
|
||||
%doc plugins/{sample,sample_group}
|
||||
%{_includedir}/sudo_plugin.h
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%changelog
|
||||
* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
|
||||
- rebase to 1.8.1p2
|
||||
- removed .sudoi patch
|
||||
- fixed typo: RELPRO -> RELRO
|
||||
- added -devel subpackage for the sudo_plugin.h header file
|
||||
- use default ldap configuration files again
|
||||
|
||||
* Fri Jun 3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
|
||||
- build with RELPRO
|
||||
- build with RELRO
|
||||
|
||||
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||
|
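Review bot: The configure hunk appears to drop `--with-ldap-conf-file` and `--with-ldap-secret-file` (the changelog's "use default ldap configuration files again"), which moves sudo's LDAP settings and bind secret to its compiled-in default paths with no upgrade handling anywhere in the spec. A host that kept its sudoers LDAP settings in `%{_sysconfdir}/nss_ldap.conf` would stop reading them after the update, so LDAP-sourced sudoers rules and any TLS settings in that file would no longer apply until an administrator moves them. I would spell this out in the changelog entry, e.g. `- LDAP settings are no longer read from nss_ldap.conf/nss_ldap.secret; move them to sudo's default LDAP configuration and secret files`, and note there that the secret file must stay readable by root only.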