rpms/sudo
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 1.9.1

Browse Source 
Resolves: rhbz#1848788
- fix rpmlint warnings
Resolves: rhbz#1817139
This commit is contained in:
alakatos 2020-07-10 09:44:22 +02:00
parent 72a557140c
commit 306df891f5
No known key found for this signature in database
GPG Key ID: E650CBBFEF3AAC4B
5 changed files with 32 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -22,3 +22,4 @@
/sudo-1.8.29.tar.gz /sudo-1.8.29.tar.gz
/sudo-1.9.0b1.tar.gz /sudo-1.9.0b1.tar.gz
/sudo-1.9.0b4.tar.gz /sudo-1.9.0b4.tar.gz
/sudo-1.9.1.tar.gz

2
sources
View File

@ -1 +1 @@
SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559 SHA512 (sudo-1.9.1.tar.gz) = 7994c7d8f020188eda51787bb5f6fe7668518cc89b711e7840470db7e5bac1219490ffccc73854fecb14ceb3ffaf0fc605f3438c87b83f27921ea3626365105c

149
sudo-1.9-RLIMIT_CORE.patch
View File

@ -1,149 +0,0 @@
changeset 12288:1064b906ca68
Ignore a failure to restore the RLIMIT_CORE resource limit.
Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
if we set the limit to zero, even for root. This is not a problem
outside the container.
author Todd C. Miller <Todd.Miller@sudo.ws>
date Sat, 14 Mar 2020 11:13:55 -0600
parents 72ca06a294b4
children 40629e6fd692
files src/limits.c
diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600
+++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600
@@ -114,13 +114,21 @@
if (getrlimit(RLIMIT_CORE, &corelimit) == -1)
sudo_warn("getrlimit(RLIMIT_CORE)");
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
if (setrlimit(RLIMIT_CORE, &rl) == -1)
sudo_warn("setrlimit(RLIMIT_CORE)");
#ifdef __linux__
/* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */
- if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)
+ if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");
dumpflag = 0;
- (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
+ }
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+ }
#endif /* __linux__ */
coredump_disabled = true;
@@ -136,10 +144,20 @@
debug_decl(restore_coredump, SUDO_DEBUG_UTIL);
if (coredump_disabled) {
- if (setrlimit(RLIMIT_CORE, &corelimit) == -1)
- sudo_warn("setrlimit(RLIMIT_CORE)");
+ /*
+ * Linux containers don't allow RLIMIT_CORE to be set back to
+ * RLIM_INFINITY if we set the limit to zero, even for root.
+ */
+ if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(RLIMIT_CORE, [%lld, %lld])",
+ (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);
+ }
#ifdef __linux__
- (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);
+ if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);
+ }
#endif /* __linux__ */
}
debug_return;
@@ -162,8 +180,14 @@
if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
sudo_warn("getrlimit(RLIMIT_NPROC)");
+ sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
if (setrlimit(RLIMIT_NPROC, &rl) != 0)
sudo_warn("setrlimit(RLIMIT_NPROC)");
}
@@ -180,8 +204,11 @@
#ifdef __linux__
debug_decl(restore_nproc, SUDO_DEBUG_UTIL);
- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
- sudo_warn("setrlimit(RLIMIT_NPROC)");
+ if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(RLIMIT_NPROC, [%lld, %lld])",
+ (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);
+ }
debug_return;
#endif /* __linux__ */
@@ -203,6 +230,11 @@
struct saved_limit *lim = &saved_limits[idx];
if (getrlimit(lim->resource, &lim->oldlimit) == -1)
continue;
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "getrlimit(lim->name) -> [%lld, %lld]",
+ (long long)lim->oldlimit.rlim_cur,
+ (long long)lim->oldlimit.rlim_max);
+
lim->saved = true;
if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
/* Don't reduce the soft resource limit. */
@@ -217,13 +249,28 @@
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
}
if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
- if (lim->fallback != NULL)
- rc = setrlimit(lim->resource, lim->fallback);
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->newlimit.rlim_cur,
+ (long long)lim->newlimit.rlim_max);
+ if (lim->fallback != NULL) {
+ if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->fallback->rlim_cur,
+ (long long)lim->fallback->rlim_max);
+ }
+ }
if (rc == -1) {
/* Try setting new rlim_cur to old rlim_max. */
lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
- rc = setrlimit(lim->resource, &lim->newlimit);
+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)lim->newlimit.rlim_cur,
+ (long long)lim->newlimit.rlim_max);
+ }
}
if (rc == -1)
sudo_warn("setrlimit(%s)", lim->name);
@@ -254,6 +301,10 @@
if (rc != -1 || errno != EINVAL)
break;
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
+ "setrlimit(%s, [%lld, %lld])", lim->name,
+ (long long)rl.rlim_cur, (long long)rl.rlim_max);
+
/*
* Soft limit could be lower than current resource usage.
* This can be an issue on NetBSD with RLIMIT_STACK and ASLR.

16
sudo.rpmlintrc Normal file
View File

@ -0,0 +1,16 @@
# Sudo allows restricted root access for specified users. In other words,
# it is a special package, which requires special permissions on on some
# of the installed files.
addFilter("missing-call-to-setgroups-before-setuid (/usr/bin/sudo|/usr/bin/sudoreplay|/usr/sbin/sudo_logsrvd|/usr/sbin/sudo_sendlog|/usr/libexec/sudo/sudoers.so|)$")
addFilter("non-readable (/etc/sudo.conf|/etc/sudo_logsrvd.conf|/etc/sudoers|/usr/bin/sudoreplay) .*$")
addFilter("non-standard-dir-perm (/etc/sudoers.d|/var/db/sudo|/var/db/sudo/lectured) .*$")
addFilter("setuid-binary /usr/bin/sudo .*$")
addFilter("non-standard-executable-perm (/usr/bin/sudo|/usr/bin/sudoreplay) .*$")
addFilter("wrong-file-end-of-line-encoding /usr/share/doc/sudo/schema.ActiveDirectory$")
addFilter("non-standard-dir-in-var db$")

26
sudo.spec
View File

@ -1,13 +1,10 @@
%global patchlevel b4
%global upstream_version %{version}%{patchlevel}
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.9.0 Version: 1.9.1
Release: 0.1.%{patchlevel}%{?dist} Release: 1%{?dist}
License: ISC License: ISC
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: sudoers Source1: sudoers
Requires: pam Requires: pam
Recommends: vim-minimal Recommends: vim-minimal
@ -27,8 +24,6 @@ BuildRequires: zlib-devel
# don't strip # don't strip
Patch1: sudo-1.6.7p5-strip.patch Patch1: sudo-1.6.7p5-strip.patch
# https://www.sudo.ws/repos/sudo/rev/1064b906ca68
Patch2: sudo-1.9-RLIMIT_CORE.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -50,10 +45,9 @@ The %{name}-devel package contains header files developing sudo
plugins that use %{name}. plugins that use %{name}.
%prep %prep
%setup -q -n %{name}-%{upstream_version} %setup -q
%patch1 -p1 -b .strip %patch1 -p1 -b .strip
%patch2 -p1 -b .orig
%build %build
# Remove bundled copy of zlib # Remove bundled copy of zlib
@ -152,13 +146,15 @@ EOF
%files -f sudo_all.lang %files -f sudo_all.lang
%defattr(-,root,root)
%attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/ %attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i %config(noreplace) /etc/pam.d/sudo-i
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0644,root,root) /etc/sudo.conf %attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
%dir /var/db/sudo %dir /var/db/sudo
%dir /var/db/sudo/lectured %dir /var/db/sudo/lectured
%attr(4111,root,root) %{_bindir}/sudo %attr(4111,root,root) %{_bindir}/sudo
@ -205,6 +201,12 @@ EOF
%{_mandir}/man8/sudo_plugin.8* %{_mandir}/man8/sudo_plugin.8*
%changelog %changelog
* Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1
- rebase to 1.9.1
Resolves: rhbz#1848788
- fix rpmlint errors
Resolves: rhbz#1817139
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4 * Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
- update to latest development version 1.9.0b4 - update to latest development version 1.9.0b4
Resolves: rhbz#1816593 Resolves: rhbz#1816593