diff --git a/.gitignore b/.gitignore
index 7770bdb..352f8f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.7.2p2-sudoers
 /sudo-1.7.4p4-sudoers
 /sudo-1.7.4p5.tar.gz
+/sudo-1.8.1p2.tar.gz
diff --git a/sources b/sources
index c05bae3..a86ed7d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
+e8330f0e63b0ecb2e12b5c76922818cc sudo-1.8.1p2.tar.gz
 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
diff --git a/sudo-1.7.4p4-getgrouplist-fixed.patch b/sudo-1.7.4p4-getgrouplist-fixed.patch
deleted file mode 100644
index 7d4fa21..0000000
--- a/sudo-1.7.4p4-getgrouplist-fixed.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
---- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
-+++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
-@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
- AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
- strftime setrlimit initgroups getgroups fstat gettimeofday \
- regcomp setlocale getaddrinfo setenv vhangup \
-- mbr_check_membership setrlimit64)
-+ mbr_check_membership setrlimit64 getgrouplist)
- AC_CHECK_FUNCS(getline, [], [
- AC_LIBOBJ(getline)
- AC_CHECK_FUNCS(fgetln)
-diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
---- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
-+++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
-@@ -628,5 +628,26 @@ user_in_group(pw, group)
- }
- #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
- 
-+#ifdef HAVE_GETGROUPLIST
-+ if (user_ngroups >= 0 &&
-+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
-+ {
-+ gid_t *grouplist, grouptmp;
-+ int n_groups, i;
-+ n_groups = 1;
-+
-+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
-+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
-+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
-+ for (i = 0; i < n_groups; i++)
-+ if (grouplist[i] == grp->gr_gid) {
-+ free(grouplist);
-+ return(TRUE);
-+ }
-+ free(grouplist);
-+ }
-+ }
-+#endif /* HAVE_GETGROUPLIST */
-+
- return(FALSE);
- }
diff --git a/sudo-1.7.4p4-sudoi.patch b/sudo-1.7.4p4-sudoi.patch
deleted file mode 100644
index 52b8d85..0000000
--- a/sudo-1.7.4p4-sudoi.patch
+++ /dev/null
@@ -1,57 +0,0 @@
---- env.c Wed Aug 18 15:27:03 2010
-+++ env.c Tue Sep 14 11:41:50 2010
-@@ -608,10 +608,16 @@
- #ifdef ENV_DEBUG
- memset(env.envp, 0, env.env_size * sizeof(char *));
- #endif
-- if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
-- /* Reset HOME based on target user unless keeping old value. */
-- reset_home = TRUE;
- 
-+ /* Reset HOME based on target user if configured to. */
-+ if (ISSET(sudo_mode, MODE_RUN)) {
-+ if (def_always_set_home ||
-+ ISSET(sudo_mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) ||
-+ (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
-+ reset_home = TRUE;
-+ }
-+
-+ if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
- /* Pull in vars we want to keep from the old environment. */
- for (ep = old_envp; *ep; ep++) {
- int keepit;
-@@ -696,6 +702,11 @@
- if (!ISSET(didvar, DID_USERNAME))
- sudo_setenv("USERNAME", user_name, FALSE);
- }
-+
-+ /* If we didn't keep HOME, reset it based on target user. */
-+ if (!ISSET(didvar, KEPT_HOME))
-+ reset_home = TRUE;
-+
- /*
- * Set MAIL to target user in -i mode or if MAIL is not preserved
- * from user's environment.
-@@ -709,13 +720,6 @@
- sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE);
- }
- } else {
-- /* Reset HOME based on target user if configured to. */
-- if (ISSET(sudo_mode, MODE_RUN)) {
-- if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) ||
-- (ISSET(sudo_mode, MODE_SHELL) && def_set_home))
-- reset_home = TRUE;
-- }
--
- /*
- * Copy environ entries as long as they don't match env_delete or
- * env_check.
-@@ -765,7 +769,7 @@
- }
- 
- /* Set $HOME to target user if not preserving user's value. */
-- if (reset_home && !ISSET(didvar, KEPT_HOME))
-+ if (reset_home)
- sudo_setenv("HOME", runas_pw->pw_dir, TRUE);
- 
- /* Provide default values for $TERM and $PATH if they are not set. */
diff --git a/sudo-1.8.1p2-getgrouplist.patch b/sudo-1.8.1p2-getgrouplist.patch
new file mode 100644
index 0000000..6ccfe5e
--- /dev/null
+++ b/sudo-1.8.1p2-getgrouplist.patch
@@ -0,0 +1,44 @@
+diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in
+--- sudo-1.8.1p2/configure.in.getgrouplist 2011-07-12 12:13:29.562597933 +0200
++++ sudo-1.8.1p2/configure.in 2011-07-12 12:15:27.116597851 +0200
+@@ -2007,7 +2007,7 @@ dnl
+ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \
+ regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
+- setrlimit64 sysctl)
++ setrlimit64 sysctl getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+ AC_LIBOBJ(getline)
+ AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c
+--- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist 2011-07-12 12:13:17.346597942 +0200
++++ sudo-1.8.1p2/plugins/sudoers/pwutil.c 2011-07-12 12:19:02.171597700 +0200
+@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c
+ }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+ 
++#ifdef HAVE_GETGROUPLIST
++ if (user_ngroups >= 0 &&
++ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ retval = TRUE;
++ goto done;
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+ done:
+ if (grp != NULL)
+ gr_delref(grp);
diff --git a/sudo.spec b/sudo.spec
index cca9415..147c24a 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.7.4p5
-Release: 4%{?dist}
+Version: 1.8.1p2
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
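Review bot: In the `HAVE_GETGROUPLIST` block that sudo-1.8.1p2-getgrouplist.patch adds to `user_in_group()`, the guard and the lookup are keyed on different accounts: the `strcmp` admits `pw` when it matches `list_pw->pw_name`, but both `getgrouplist()` calls pass `user_name, user_gid`. If `list_pw` can name an account other than the invoking user (its assignment is outside this hunk), membership for the listed user would be answered from the invoking user's group list. Passing the entry under test, `getgrouplist(pw->pw_name, pw->pw_gid, &grouptmp, &n_groups)` and the same arguments in the second call, keeps the check and the lookup on one account. sudo.spec describes this patch as the version with CVE-2009-0034 fixed, so it is worth confirming that the fix still holds on the `list_pw` path after the rebase. The body of `user_in_group()` starts before and continues after the lines shown.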
@@ -28,9 +28,7 @@ Patch2: sudo-1.7.2p1-envdebug.patch Patch3: sudo-1.7.4p3-m4path.patch # getgrouplist() to determine group membership (#235915) # - version with CVE-2009-0034 fixed -Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch -# reset HOME when using the `-i' option (#635250) -Patch5: sudo-1.7.4p4-sudoi.patch +Patch4: sudo-1.8.1p2-getgrouplist.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -43,19 +41,24 @@ audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains header files developing sudo +plugins that use %{name}. + %prep %setup -q %patch1 -p1 -b .strip %patch2 -p1 -b .envdebug %patch3 -p1 -b .m4path -%patch4 -p1 -b .getgrouplist-fixed -%patch5 -p0 -b .sudoi +%patch4 -p1 -b .getgrouplist %build -# handle newer autoconf -rm -f acsite.m4 -mv aclocal.m4 acinclude.m4 autoreconf -fv --install %ifarch s390 s390x sparc64 @@ -80,8 +83,6 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ignore-dot \ --with-tty-tickets \ --with-ldap \ - --with-ldap-conf-file="%{_sysconfdir}/nss_ldap.conf" \ - --with-ldap-secret-file="%{_sysconfdir}/nss_ldap.secret" \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ --with-linux-audit @@ -122,8 +123,9 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) -%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE -%doc schema.* sudoers2ldif sample.* +%doc ChangeLog NEWS README* MANIFEST +%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE +%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.* %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo 
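Review bot: Removing `--with-ldap-conf-file` and `--with-ldap-secret-file` in the configure hunk of sudo.spec changes where an already-installed sudo looks for its LDAP settings and bind secret, and nothing in this commit carries existing hosts over. A machine that keeps sudoers in LDAP through `%{_sysconfdir}/nss_ldap.conf` would presumably stop reading that file after the update and fall back to whatever other sources are configured, without any error. No `%files` entry for the secret file is visible in these hunks, so its ownership and mode are left to whoever creates it; it should be root-owned and not world-readable. I would put a comment above the configure call such as `# LDAP settings and bind secret now come from sudo's built-in default paths, no longer from nss_ldap.conf / nss_ldap.secret`, and name the old and new paths in the changelog entry.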
@@ -135,6 +137,7 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_libexecdir}/sesh %{_libexecdir}/sudo_noexec.* +%{_libexecdir}/sudoers.* %{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man8/sudo.8* @@ -146,9 +149,22 @@ rm -rf $RPM_BUILD_ROOT %post /bin/chmod 0440 /etc/sudoers || : +%files devel +%defattr(-,root,root,-) +%doc plugins/{sample,sample_group} +%{_includedir}/sudo_plugin.h +%{_mandir}/man8/sudo_plugin.8* + %changelog +* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 +- rebase to 1.8.1p2 +- removed .sudoi patch +- fixed typo: RELPRO -> RELRO +- added -devel subpackage for the sudo_plugin.h header file +- use default ldap configuration files again + * Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 -- build with RELPRO +- build with RELRO * Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild