rpms/sudo
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- upgrade to upstream release

Browse Source
This commit is contained in:
Peter Vrabec 2007-08-20 12:11:21 +00:00
parent 05db95fdf1
commit 3b2065d554
10 changed files with 160 additions and 841 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1,2 +1,2 @@
sudo-1.6.8p12.tar.gz sudo-1.6.9p4.tar.gz
sudo-1.6.8p12-sudoers sudo-1.6.8p12-sudoers

2
sources
View File

@ -1,2 +1,2 @@
b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 5439d24b48db69d2b6b42e97b47fdfd6 sudo-1.6.9p4.tar.gz
3dad7cdd28925f9bdf387510961f8e9f sudo-1.6.8p12-sudoers 3dad7cdd28925f9bdf387510961f8e9f sudo-1.6.8p12-sudoers

17
sudo-1.6.8p12-env-reset.patch
View File

@ -1,17 +0,0 @@
--- sudo-1.6.8p12/sudoers.env_reset 2006-02-08 16:58:15.000000000 +0100
+++ sudo-1.6.8p12/sudoers 2006-02-08 16:59:02.000000000 +0100
@@ -13,6 +13,14 @@
# Defaults specification
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
+ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
+ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
+ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
+ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
+ _XKB_CHARSET"
+
# Runas alias specification
# User privilege specification

61
sudo-1.6.8p12-getgrouplist.patch
View File

@ -1,61 +0,0 @@
--- sudo-1.6.8p12/configure.in.getgrouplist 2007-04-12 10:16:12.000000000 +0200
+++ sudo-1.6.8p12/configure.in 2007-04-12 10:18:16.000000000 +0200
@@ -1694,7 +1694,7 @@
dnl Function checks
dnl
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
- strftime setrlimit initgroups fstat gettimeofday)
+ strftime setrlimit initgroups getgrouplist fstat gettimeofday)
AC_CHECK_FUNCS(seteuid, , [AC_DEFINE(NO_SAVED_IDS)])
if test -z "$SKIP_SETRESUID"; then
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
--- sudo-1.6.8p12/configure.getgrouplist 2005-10-28 02:48:25.000000000 +0200
+++ sudo-1.6.8p12/configure 2007-04-12 10:18:16.000000000 +0200
@@ -24677,7 +24677,7 @@
for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
- strftime setrlimit initgroups fstat gettimeofday
+ strftime setrlimit initgroups getgrouplist fstat gettimeofday
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5
--- sudo-1.6.8p12/check.c.getgrouplist 2005-03-25 02:55:31.000000000 +0100
+++ sudo-1.6.8p12/check.c 2007-04-12 10:18:16.000000000 +0200
@@ -299,6 +299,24 @@
return(TRUE);
}
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif
+
return(FALSE);
}
--- sudo-1.6.8p12/config.h.in.getgrouplist 2007-04-12 10:16:12.000000000 +0200
+++ sudo-1.6.8p12/config.h.in 2007-04-12 10:18:16.000000000 +0200
@@ -122,6 +122,9 @@
/* Define to 1 if you have the `getdomainname' function. */
#undef HAVE_GETDOMAINNAME
+/* Define to 1 if you have the `getgrouplist' function. */
+#undef HAVE_GETGROUPLIST
+
/* Define to 1 if you have the `getifaddrs' function. */
#undef HAVE_GETIFADDRS

611
sudo-1.6.8p12-ipv6.patch
View File

@ -1,611 +0,0 @@
--- sudo-1.6.8p12/Makefile.in.ipv6 2005-11-08 19:21:58.000000000 +0100
+++ sudo-1.6.8p12/Makefile.in 2006-07-16 23:33:58.000000000 +0200
@@ -187,14 +187,14 @@
@DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h
# Uncomment the following if you intend to modify parse.yacc
-@DEV@sudo.tab.c sudo.tab.h: parse.yacc
-@DEV@ rm -f sudo.tab.h sudo.tab.c
-@DEV@ $(YACC) -d -b sudo $(srcdir)/parse.yacc
+sudo.tab.c sudo.tab.h: parse.yacc
+ rm -f sudo.tab.h sudo.tab.c
+ $(YACC) -d -b sudo $(srcdir)/parse.yacc
# Uncomment the following if you intend to modify parse.lex
-@DEV@lex.yy.c: parse.lex
-@DEV@ rm -f lex.yy.c
-@DEV@ $(LEX) $(srcdir)/parse.lex
+lex.yy.c: parse.lex
+ rm -f lex.yy.c
+ $(LEX) $(srcdir)/parse.lex
# Uncomment the following if you intend to modify def_data.in
@DEV@def_data.h def_data.c: def_data.in
--- sudo-1.6.8p12/visudo.c.ipv6 2004-11-25 18:32:40.000000000 +0100
+++ sudo-1.6.8p12/visudo.c 2006-07-16 23:33:58.000000000 +0200
@@ -87,6 +87,7 @@
static int check_syntax __P((int));
int command_matches __P((char *, char *));
int addr_matches __P((char *));
+int addr6_matches __P((char *));
int hostname_matches __P((char *, char *, char *));
int netgr_matches __P((char *, char *, char *, char *));
int usergr_matches __P((char *, char *, struct passwd *));
@@ -515,6 +516,12 @@
return(TRUE);
}
+int addr6_matches(n)
+ char *n;
+{
+ return(TRUE);
+}
+
int
hostname_matches(s, l, p)
char *s, *l, *p;
--- sudo-1.6.8p12/parse.lex.ipv6 2004-05-17 22:51:13.000000000 +0200
+++ sudo-1.6.8p12/parse.lex 2006-07-16 23:33:58.000000000 +0200
@@ -84,6 +84,29 @@
OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
DOTTEDQUAD {OCTET}(\.{OCTET}){3}
+
+IPV6_8HEX ([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}
+
+IPV6_COMP0 :(:[0-9A-Fa-f]{1,4}){1,7}
+IPV6_COMP1 ([0-9A-Fa-f]{1,4}){1}:(:[0-9A-Fa-f]{1,4}){0,6}
+IPV6_COMP2 ([0-9A-Fa-f]{1,4}){2}:(:[0-9A-Fa-f]{1,4}){0,5}
+IPV6_COMP3 ([0-9A-Fa-f]{1,4}){3}:(:[0-9A-Fa-f]{1,4}){0,4}
+IPV6_COMP4 ([0-9A-Fa-f]{1,4}){4}:(:[0-9A-Fa-f]{1,4}){0,3}
+IPV6_COMP5 ([0-9A-Fa-f]{1,4}){5}:(:[0-9A-Fa-f]{1,4}){0,2}
+IPV6_COMP6 ([0-9A-Fa-f]{1,4}){6}:(:[0-9A-Fa-f]{1,4}){0,1}
+IPV6_COMPHEX {IPV6_COMP0}|{IPV6_COMP1}|{IPV6_COMP2}|{IPV6_COMP3}|{IPV6_COMP4}|{IPV6_COMP5}|{IPV6_COMP6}
+
+IPV6_6H4D [0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}{DOTTEDQUAD}
+
+IPV6_COMP6H4D0 ([0-9A-Fa-f]{1,4}){1}:(:[0-9A-Fa-f]{1,4}){1,4}:{DOTTEDQUAD}
+IPV6_COMP6H4D1 ([0-9A-Fa-f]{1,4}){2}:(:[0-9A-Fa-f]{1,4}){1,3}:{DOTTEDQUAD}
+IPV6_COMP6H4D2 ([0-9A-Fa-f]{1,4}){3}:(:[0-9A-Fa-f]{1,4}){1,2}:{DOTTEDQUAD}
+IPV6_COMP6H4D3 ([0-9A-Fa-f]{1,4}){4}:(:[0-9A-Fa-f]{1,4}){1}:{DOTTEDQUAD}
+IPV6_COMP6H4D {IPV6_COMP6H4D0}|{IPV6_COMP6H4D1}|{IPV6_COMP6H4D2}|{IPV6_COMP6H4D3}
+
+IPV6ADDR {IPV6_8HEX}|{IPV6_COMPHEX}|{IPV6_6H4D}|{IPV6_COMP6H4D}
+IPV6PREFIX [1-9]|[1-9][0-9]|10[0-9]|11[0-9]|12[0-8]
+
HOSTNAME [[:alnum:]_-]+
WORD ([^#>@!=:,\(\) \t\n\\]|\\[^\n])+
ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])*
@@ -253,6 +276,11 @@
LEXTRACE("NTWKADDR ");
return(NTWKADDR);
}
+{IPV6ADDR}(\/{IPV6PREFIX})? {
+ fill(yytext, yyleng);
+ LEXTRACE("NTWKADDR6 ");
+ return(NTWKADDR6);
+ }
<INITIAL>\( {
BEGIN GOTRUNAS;
--- sudo-1.6.8p12/ldap.c.ipv6 2006-07-16 23:45:35.000000000 +0200
+++ sudo-1.6.8p12/ldap.c 2006-07-16 23:59:56.000000000 +0200
@@ -160,6 +160,7 @@
if (
!strcasecmp(*p,"ALL") ||
addr_matches(*p) ||
+ addr6_matches(*p) ||
netgr_matches(*p,user_host,user_shost,NULL) ||
!hostname_matches(user_shost,user_host,*p)
)
--- sudo-1.6.8p12/parse.h.ipv6 2005-06-19 20:58:19.000000000 +0200
+++ sudo-1.6.8p12/parse.h 2006-07-16 23:33:58.000000000 +0200
@@ -93,6 +93,7 @@
* Prototypes
*/
int addr_matches __P((char *));
+int addr6_matches __P((char *));
int command_matches __P((char *, char *));
int hostname_matches __P((char *, char *, char *));
int netgr_matches __P((char *, char *, char *, char *));
--- sudo-1.6.8p12/interfaces.h.ipv6 2004-02-13 22:36:43.000000000 +0100
+++ sudo-1.6.8p12/interfaces.h 2006-07-16 23:33:58.000000000 +0200
@@ -27,8 +27,11 @@
* IP address and netmask pairs for checking against local interfaces.
*/
struct interface {
- struct in_addr addr;
+ struct in_addr addr; /* IPv4 */
struct in_addr netmask;
+ struct in6_addr addr6; /* IPv6 */
+ struct in6_addr netmask6;
+ sa_family_t sa_family; /* AF_INET ? AF_INET6 */
};
/*
--- sudo-1.6.8p12/parse.c.ipv6 2005-06-19 22:03:24.000000000 +0200
+++ sudo-1.6.8p12/parse.c 2006-07-16 23:57:20.000000000 +0200
@@ -370,38 +370,134 @@
int i;
char *m;
struct in_addr addr, mask;
+ struct addrinfo hints, *ai;
+
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST;
+ hints.ai_family = AF_INET;
/* If there's an explicit netmask, use it. */
if ((m = strchr(n, '/'))) {
+
*m++ = '\0';
- addr.s_addr = inet_addr(n);
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr.s_addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
+ freeaddrinfo(ai);
+
if (strchr(m, '.'))
- mask.s_addr = inet_addr(m);
- else {
- i = 32 - atoi(m);
- mask.s_addr = 0xffffffff;
- mask.s_addr >>= i;
- mask.s_addr <<= i;
- mask.s_addr = htonl(mask.s_addr);
+ {
+ if (getaddrinfo(m, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&mask.s_addr, /* IPv4 netmask from dotted quad */
+ &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
}
+ else
+ {
+ i = 32 - atoi(m); /* IPv4 netmask from CIDR */
+ mask.s_addr = 0xffffffff;
+ mask.s_addr >>= i;
+ mask.s_addr <<= i;
+ mask.s_addr = htonl(mask.s_addr);
+ }
+
*(m - 1) = '/';
- for (i = 0; i < num_interfaces; i++)
- if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
- return(TRUE);
+ for (i = 0; i < num_interfaces; ++i)
+ if (interfaces[i].sa_family == AF_INET) /* IPv4 intf. only */
+ if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
+ return (TRUE);
} else {
- addr.s_addr = inet_addr(n);
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr.s_addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
+ freeaddrinfo(ai);
for (i = 0; i < num_interfaces; i++)
- if (interfaces[i].addr.s_addr == addr.s_addr ||
- (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
- == addr.s_addr)
- return(TRUE);
+ if (interfaces[i].sa_family == AF_INET) /* IPv4 intf. only */
+ if (interfaces[i].addr.s_addr == addr.s_addr ||
+ (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
+ == addr.s_addr)
+ return(TRUE);
}
return(FALSE);
}
+int
+addr6_matches(n)
+char *n;
+{
+ int i, j;
+ uint32_t msk[4] = {0, 0, 0, 0}; /* 32x4 */
+ uint32_t addr[4], i_msk[4], i_addr[4];
+ char *m;
+ struct addrinfo hints, *ai;
+
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST;
+ hints.ai_family = AF_INET6;
+
+ /* we have IPv6 prefix */
+ if ((m = strchr(n, '/'))) {
+ *m++ = '\0';
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
+ freeaddrinfo(ai);
+
+ for (i=0; i < (atoi(m)/32); ++i)
+ msk[i] = 0xffffffff;
+ if (atoi(m)<128 && (atoi(m) % 32))
+ {
+ msk[atoi(m)/32] = 0xffffffff;
+ msk[atoi(m)/32] >>= ( 32 - (atoi(m) % 32) );
+ msk[atoi(m)/32] <<= ( 32 - (atoi(m) % 32) );
+ }
+ for (i=0; i<4; ++i)
+ msk[i] = htonl(msk[i]);
+
+ *(m - 1) = '/';
+
+ for (i=0; i < num_interfaces; i++)
+ if (interfaces[i].sa_family == AF_INET6) /* compare only IPv6 intf. */
+ {
+ /* nasty */
+ memcpy(&i_addr, &interfaces[i].addr6, 16);
+ if ( ((i_addr[0] & msk[0]) == addr[0]) &&
+ ((i_addr[1] & msk[1]) == addr[1]) &&
+ ((i_addr[2] & msk[2]) == addr[2]) &&
+ ((i_addr[3] & msk[3]) == addr[3]))
+ return(TRUE);
+ }
+ } else {
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
+ freeaddrinfo(ai);
+
+ for (i=0; i < num_interfaces; ++i)
+ if (interfaces[i].sa_family == AF_INET6) /* IPv6 intf. only */
+ {
+ memcpy(&i_addr, &interfaces[i].addr6, 16);
+ if ((i_addr[0] == addr[0]) && (i_addr[1] == addr[1]) &&
+ (i_addr[2] == addr[2]) && (i_addr[3] == addr[3]))
+ return(TRUE); /* found my own address in sudoers */
+
+ memcpy(&i_msk, &interfaces[i].netmask6, 16);
+ if (((i_addr[0]&i_msk[0]) == addr[0]) &&
+ ((i_addr[1]&i_msk[1]) == addr[1]) &&
+ ((i_addr[2]&i_msk[2]) == addr[2]) &&
+ ((i_addr[3]&i_msk[3]) == addr[3]))
+ return(TRUE); /* found my netw. address in sudoers */
+ }
+ }
+ return(FALSE);
+}
+
/*
* Returns 0 if the hostname matches the pattern and non-zero otherwise.
*/
--- sudo-1.6.8p12/sudo.c.ipv6 2006-07-16 23:33:58.000000000 +0200
+++ sudo-1.6.8p12/sudo.c 2006-07-16 23:33:58.000000000 +0200
@@ -1007,24 +1007,34 @@
void
set_fqdn()
{
- struct hostent *hp;
+ struct addrinfo hints, *ai;
char *p;
- if (!(hp = gethostbyname(user_host))) {
- log_error(MSG_ONLY|NO_EXIT,
- "unable to lookup %s via gethostbyname()", user_host);
- } else {
- if (user_shost != user_host)
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ if (getaddrinfo(user_host, NULL, &hints, &ai) != 0)
+ {
+ log_error(MSG_ONLY|NO_EXIT,
+ "unable to lookup %s via gethostbyname()", user_host);
+ }
+ else
+ {
+ char h_name[NI_MAXHOST];
+
+ if (user_host != user_host)
free(user_shost);
+
+ getnameinfo(ai->ai_addr, ai->ai_addrlen, h_name, sizeof(h_name), NULL, 0, 0);
free(user_host);
- user_host = estrdup(hp->h_name);
+ user_host = estrdup(h_name);
}
if ((p = strchr(user_host, '.'))) {
- *p = '\0';
- user_shost = estrdup(user_host);
- *p = '.';
+ *p = '\0';
+ user_shost = estrdup(user_host);
+ *p = '.';
} else {
- user_shost = user_host;
+ user_shost = user_host;
}
}
--- sudo-1.6.8p12/parse.yacc.ipv6 2005-06-19 20:24:32.000000000 +0200
+++ sudo-1.6.8p12/parse.yacc 2006-07-16 23:33:58.000000000 +0200
@@ -250,6 +250,7 @@
%token <tok> RUNASALIAS /* Runas_Alias keyword */
%token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */
%token <tok> ERROR
+%token <string> NTWKADDR6 /* IPv6 address */
/*
* NOTE: these are not true booleans as there are actually 4 possible values:
@@ -395,6 +396,13 @@
$$ = NOMATCH;
free($1);
}
+ | NTWKADDR6 {
+ if (addr6_matches($1))
+ $$ = TRUE;
+ else
+ $$ = NOMATCH;
+ free($1);
+ }
| NETGROUP {
if (netgr_matches($1, user_host, user_shost, NULL))
$$ = TRUE;
--- sudo-1.6.8p12/testsudoers.c.ipv6 2004-08-02 20:44:58.000000000 +0200
+++ sudo-1.6.8p12/testsudoers.c 2006-07-17 00:03:50.000000000 +0200
@@ -175,6 +175,10 @@
}
}
+/*
+ * Returns TRUE if "n" is one of our ip addresses or if
+ * "n" is a network that we are on, else returns FALSE.
+ */
int
addr_matches(n)
char *n;
@@ -182,39 +186,136 @@
int i;
char *m;
struct in_addr addr, mask;
+ struct addrinfo hints, *ai;
+
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST;
+ hints.ai_family = AF_INET;
/* If there's an explicit netmask, use it. */
if ((m = strchr(n, '/'))) {
- *m++ = '\0';
- addr.s_addr = inet_addr(n);
- if (strchr(m, '.'))
- mask.s_addr = inet_addr(m);
- else {
- i = 32 - atoi(m);
- mask.s_addr = 0xffffffff;
- mask.s_addr >>= i;
- mask.s_addr <<= i;
- mask.s_addr = htonl(mask.s_addr);
- }
- *(m - 1) = '/';
- for (i = 0; i < num_interfaces; i++)
- if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
- return(TRUE);
+ *m++ = '\0';
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr.s_addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
+ freeaddrinfo(ai);
+
+ if (strchr(m, '.'))
+ {
+ if (getaddrinfo(m, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&mask.s_addr, /* IPv4 netmask from dotted quad */
+ &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
+ }
+ else
+ {
+ i = 32 - atoi(m); /* IPv4 netmask from CIDR */
+ mask.s_addr = 0xffffffff;
+ mask.s_addr >>= i;
+ mask.s_addr <<= i;
+ mask.s_addr = htonl(mask.s_addr);
+ }
+
+ *(m - 1) = '/';
+
+ for (i = 0; i < num_interfaces; ++i)
+ if (interfaces[i].sa_family == AF_INET) /* IPv4 intf. only */
+ if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
+ return(TRUE);
} else {
- addr.s_addr = inet_addr(n);
-
- for (i = 0; i < num_interfaces; i++)
- if (interfaces[i].addr.s_addr == addr.s_addr ||
- (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
- == addr.s_addr)
- return(TRUE);
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr.s_addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
+ sizeof(struct in_addr));
+ freeaddrinfo(ai);
+
+ for (i = 0; i < num_interfaces; i++)
+ if (interfaces[i].sa_family == AF_INET) /* IPv4 intf. only */
+ if (interfaces[i].addr.s_addr == addr.s_addr ||
+ (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
+ == addr.s_addr)
+ return(TRUE);
}
return(FALSE);
}
int
+addr6_matches(n)
+char *n;
+{
+ int i, j;
+ uint32_t msk[4] = {0, 0, 0, 0}; /* 32x4 */
+ uint32_t addr[4], i_msk[4], i_addr[4];
+ char *m;
+ struct addrinfo hints, *ai;
+
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST;
+ hints.ai_family = AF_INET6;
+
+ /* we have IPv6 prefix */
+ if ((m = strchr(n, '/'))) {
+ *m++ = '\0';
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
+ freeaddrinfo(ai);
+
+ for (i=0; i < (atoi(m)/32); ++i)
+ msk[i] = 0xffffffff;
+ if (atoi(m)<128 && (atoi(m) % 32))
+ {
+ msk[atoi(m)/32] = 0xffffffff;
+ msk[atoi(m)/32] >>= ( 32 - (atoi(m) % 32) );
+ msk[atoi(m)/32] <<= ( 32 - (atoi(m) % 32) );
+ }
+ for (i=0; i<4; ++i)
+ msk[i] = htonl(msk[i]);
+
+ *(m - 1) = '/';
+
+ for (i=0; i < num_interfaces; i++)
+ if (interfaces[i].sa_family == AF_INET6) /* compare only IPv6 intf. */
+ {
+ /* nasty */
+ memcpy(&i_addr, &interfaces[i].addr6, 16);
+ if ( ((i_addr[0] & msk[0]) == addr[0]) &&
+ ((i_addr[1] & msk[1]) == addr[1]) &&
+ ((i_addr[2] & msk[2]) == addr[2]) &&
+ ((i_addr[3] & msk[3]) == addr[3]))
+ return (TRUE);
+ }
+ } else {
+ if (getaddrinfo(n, NULL, &hints, &ai)!=0)
+ return(FALSE);
+ memcpy(&addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
+ freeaddrinfo(ai);
+
+ for (i=0; i < num_interfaces; ++i)
+ if (interfaces[i].sa_family == AF_INET6) /* IPv6 intf. only */
+ {
+ memcpy(&i_addr, &interfaces[i].addr6, 16);
+ if ((i_addr[0] == addr[0]) && (i_addr[1] == addr[1]) &&
+ (i_addr[2] == addr[2]) && (i_addr[3] == addr[3]))
+ return (TRUE); /* found my own address in sudoers */
+
+ memcpy(&i_msk, &interfaces[i].netmask6, 16);
+ if (((i_addr[0]&i_msk[0]) == addr[0]) &&
+ ((i_addr[1]&i_msk[1]) == addr[1]) &&
+ ((i_addr[2]&i_msk[2]) == addr[2]) &&
+ ((i_addr[3]&i_msk[3]) == addr[3]))
+ return (TRUE); /* found my netw. address in sudoers */
+ }
+ }
+ return(FALSE);
+}
+
+
+int
hostname_matches(shost, lhost, pattern)
char *shost;
char *lhost;
--- sudo-1.6.8p12/interfaces.c.ipv6 2004-02-13 22:36:43.000000000 +0100
+++ sudo-1.6.8p12/interfaces.c 2006-07-16 23:33:58.000000000 +0200
@@ -102,7 +102,7 @@
load_interfaces()
{
struct ifaddrs *ifa, *ifaddrs;
- /* XXX - sockaddr_in6 sin6; */
+ struct sockaddr_in6 *sin6;
struct sockaddr_in *sin;
int i;
@@ -117,12 +117,15 @@
continue;
switch(ifa->ifa_addr->sa_family) {
- /* XXX - AF_INET6 */
case AF_INET:
num_interfaces++;
break;
+ case AF_INET6:
+ num_interfaces++;
+ break;
}
}
+
if (num_interfaces == 0)
return;
interfaces =
@@ -136,8 +139,8 @@
continue;
switch(ifa->ifa_addr->sa_family) {
- /* XXX - AF_INET6 */
case AF_INET:
+ interfaces[i].sa_family = AF_INET;
sin = (struct sockaddr_in *)ifa->ifa_addr;
memcpy(&interfaces[i].addr, &sin->sin_addr,
sizeof(struct in_addr));
@@ -146,6 +149,16 @@
sizeof(struct in_addr));
i++;
break;
+ case AF_INET6:
+ interfaces[i].sa_family = AF_INET6;
+ sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
+ memcpy(&interfaces[i].addr6, &sin6->sin6_addr,
+ sizeof(struct in6_addr));
+ sin6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
+ memcpy(&interfaces[i].netmask6, &sin6->sin6_addr,
+ sizeof(struct in6_addr));
+ i++;
+ break;
}
}
#ifdef HAVE_FREEIFADDRS
@@ -306,10 +319,30 @@
void
dump_interfaces()
{
- int i;
+ int i, j, ip6_prefix=0; /* for counting IPv6 prefix length (in bits!!) */
+ uint8_t u6_addr8[16]; /* for storing IPv6 netmask */
puts("Local IP address and netmask pairs:");
for (i = 0; i < num_interfaces; i++)
- printf("\t%s / 0x%x\n", inet_ntoa(interfaces[i].addr),
- (unsigned int)ntohl(interfaces[i].netmask.s_addr));
+ {
+ char name[NI_MAXHOST], netmask[NI_MAXHOST];
+ ip6_prefix=0;
+
+ switch (interfaces[i].sa_family)
+ {
+ case AF_INET:
+ inet_ntop(AF_INET, &interfaces[i].addr, name, NI_MAXHOST);
+ inet_ntop(AF_INET, &interfaces[i].netmask, netmask, NI_MAXHOST);
+ printf("\t%s / %s\n", name, netmask);
+ break;
+ case AF_INET6:
+ inet_ntop(AF_INET6, &interfaces[i].addr6, name, NI_MAXHOST);
+ memcpy(u6_addr8, &interfaces[i].netmask6, 16);
+ for (j=0; j<16; ++j)
+ if (u6_addr8[j] == 255) /* 255 == 0xff */
+ ip6_prefix=ip6_prefix+8; /* eight bits */
+ printf("\t%s / %d\n", name, ip6_prefix);
+ break;
+ }
+ }
}

15
sudo-1.6.8p12-requiretty.patch
View File

@ -1,15 +0,0 @@
--- sudo-1.6.8p12/sudoers.tty 2006-05-29 15:10:30.000000000 +0200
+++ sudo-1.6.8p12/sudoers 2006-05-29 15:17:03.000000000 +0200
@@ -13,6 +13,12 @@
# Defaults specification
+#
+# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
+# You have to run "ssh -t hostname sudo <cmd>".
+#
+Defaults requiretty
+
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \

32
sudo-1.6.8p8-pam-sess.patch
View File

@ -1,32 +0,0 @@
--- sudo-1.6.8p8/auth/pam.c.sess 2005-05-24 16:38:35.976866872 +0200
+++ sudo-1.6.8p8/auth/pam.c 2005-05-24 16:39:50.061604280 +0200
@@ -175,6 +175,8 @@
pam_prep_user(pw)
struct passwd *pw;
{
+ int error;
+
if (pamh == NULL)
pam_init(pw, NULL, NULL);
@@ -195,6 +197,20 @@
*/
(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ /*
+ * That's enough initialize PAM session in this function, because
+ * sudo calls it before exec()
+ */
+ if ((error = pam_open_session(pamh, 0))!=PAM_SUCCESS) {
+ pam_end(pamh, error);
+ return(AUTH_FAILURE);
+ }
+ /*
+ * For example settings from pam_limits are persistent after pam_session_close() and
+ * it's probably more clean call pam_close_session() than omit it.
+ */
+ pam_close_session(pamh, 0);
+
if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
return(AUTH_SUCCESS);
else

61
sudo-1.6.9p4-getgrouplist.patch Normal file
View File

@ -0,0 +1,61 @@
--- sudo-1.6.9p4/configure.in.getgrouplist 2007-08-20 11:41:32.000000000 +0200
+++ sudo-1.6.9p4/configure.in 2007-08-20 13:24:30.000000000 +0200
@@ -1677,7 +1677,7 @@
dnl
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo)
+ setlocale getaddrinfo getgrouplist)
if test -z "$SKIP_SETRESUID"; then
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
fi
--- sudo-1.6.9p4/configure.getgrouplist 2007-08-15 15:23:44.000000000 +0200
+++ sudo-1.6.9p4/configure 2007-08-20 13:26:25.000000000 +0200
@@ -14235,7 +14235,7 @@
for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo
+ setlocale getaddrinfo getgrouplist
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5
--- sudo-1.6.9p4/check.c.getgrouplist 2007-07-06 21:52:13.000000000 +0200
+++ sudo-1.6.9p4/check.c 2007-08-20 13:21:10.000000000 +0200
@@ -308,6 +308,24 @@
return(TRUE);
}
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif
+
return(FALSE);
}
--- sudo-1.6.9p4/config.h.in.getgrouplist 2007-08-20 11:41:32.000000000 +0200
+++ sudo-1.6.9p4/config.h.in 2007-08-20 13:21:10.000000000 +0200
@@ -140,6 +140,9 @@
/* Define to 1 if you have the `getgroups' function. */
#undef HAVE_GETGROUPS
+/* Define to 1 if you have the `getgrouplist' function. */
+#undef HAVE_GETGROUPLIST
+
/* Define to 1 if you have the `getifaddrs' function. */
#undef HAVE_GETIFADDRS

160
sudo-1.6.8p12-pam-login.patch → sudo-1.6.9p4-login.patch
View File

@ -1,6 +1,56 @@
--- sudo-1.6.8p12/configure.in.login 2006-07-16 15:25:33.000000000 +0200 --- sudo-1.6.9p4/auth/pam.c.login 2007-07-22 14:14:53.000000000 +0200
+++ sudo-1.6.8p12/configure.in 2006-07-16 15:49:08.000000000 +0200 +++ sudo-1.6.9p4/auth/pam.c 2007-08-20 11:08:33.000000000 +0200
@@ -357,6 +357,17 @@ @@ -89,7 +89,12 @@
if (auth != NULL)
auth->data = (VOID *) &pam_status;
pam_conv.conv = sudo_conv;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
if (pam_status != PAM_SUCCESS) {
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
--- sudo-1.6.9p4/config.h.in.login 2007-08-15 15:22:19.000000000 +0200
+++ sudo-1.6.9p4/config.h.in 2007-08-20 11:08:34.000000000 +0200
@@ -266,6 +266,9 @@
/* Define to 1 if you use PAM authentication. */
#undef HAVE_PAM
+/* Define to 1 if you use specific PAM session for sodo -i. */
+#undef HAVE_PAM_LOGIN
+
/* Define to 1 if you have the <pam/pam_appl.h> header file. */
#undef HAVE_PAM_PAM_APPL_H
--- sudo-1.6.9p4/env.c.login 2007-07-31 20:04:31.000000000 +0200
+++ sudo-1.6.9p4/env.c 2007-08-20 11:24:48.000000000 +0200
@@ -104,7 +104,7 @@
/*
* Prototypes
*/
-char **rebuild_env __P((char **, int, int));
+char **rebuild_env __P((char **, int));
static void insert_env __P((char *, struct environment *, int));
static char *format_env __P((char *, ...));
@@ -391,9 +391,8 @@
* Also adds sudo-specific variables (SUDO_*).
*/
char **
-rebuild_env(envp, sudo_mode, noexec)
+rebuild_env(envp, noexec)
char **envp;
- int sudo_mode;
int noexec;
{
char **ep, *cp, *ps1;
--- sudo-1.6.9p4/configure.in.login 2007-08-15 15:48:51.000000000 +0200
+++ sudo-1.6.9p4/configure.in 2007-08-20 11:08:33.000000000 +0200
@@ -351,6 +351,17 @@
;; ;;
esac]) esac])
@ -18,99 +68,49 @@
AC_ARG_WITH(AFS, [ --with-AFS enable AFS support], AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
[case $with_AFS in [case $with_AFS in
yes) AC_DEFINE(HAVE_AFS) yes) AC_DEFINE(HAVE_AFS)
--- sudo-1.6.8p12/sudo.c.login 2006-07-16 15:39:26.000000000 +0200 --- sudo-1.6.9p4/sudo.h.login 2007-07-06 16:14:34.000000000 +0200
+++ sudo-1.6.8p12/sudo.c 2006-07-16 15:41:42.000000000 +0200 +++ sudo-1.6.9p4/sudo.h 2007-08-20 11:33:45.000000000 +0200
@@ -109,7 +109,7 @@ @@ -268,6 +268,7 @@
extern FILE *sudoers_fp;
extern int tgetpass_flags;
extern uid_t timestamp_uid;
+extern int sudo_mode;
#endif
#ifndef errno
extern int errno;
--- sudo-1.6.9p4/sudo.c.login 2007-08-15 15:48:56.000000000 +0200
+++ sudo-1.6.9p4/sudo.c 2007-08-20 11:34:07.000000000 +0200
@@ -122,7 +122,7 @@
static struct passwd *get_authpw __P((void)); static struct passwd *get_authpw __P((void));
extern int sudo_edit __P((int, char **)); extern int sudo_edit __P((int, char **, char **));
extern void list_matches __P((void)); extern void list_matches __P((void));
-extern char **rebuild_env __P((char **, int, int)); -extern char **rebuild_env __P((char **, int, int));
+extern char **rebuild_env __P((char **, int)); +extern char **rebuild_env __P((char **, int));
extern char **zero_env __P((char **)); extern void validate_env_vars __P((struct list_member *));
extern char **insert_env_vars __P((char **, struct list_member *));
extern struct passwd *sudo_getpwnam __P((const char *)); extern struct passwd *sudo_getpwnam __P((const char *));
extern struct passwd *sudo_getpwuid __P((uid_t)); @@ -153,6 +153,7 @@
@@ -140,6 +140,7 @@ char *login_style;
#endif /* HAVE_BSD_AUTH_H */ #endif /* HAVE_BSD_AUTH_H */
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld; sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
void (*set_perms) __P((int));
+int sudo_mode; +int sudo_mode;
int int
@@ -151,7 +152,6 @@ @@ -164,7 +165,6 @@
int validated; int validated;
int fd; int fd;
int cmnd_status; int cmnd_status;
- int sudo_mode; - int sudo_mode;
int pwflag; int pwflag;
char **new_environ;
sigaction_t sa; sigaction_t sa;
@@ -368,7 +368,7 @@ extern int printmatches;
@@ -347,7 +347,7 @@
def_env_reset = FALSE;
/* Build a new environment that avoids any nasty bits if we have a cmnd. */ /* Build a new environment that avoids any nasty bits. */
if (ISSET(sudo_mode, MODE_RUN)) - environ = rebuild_env(environ, sudo_mode, ISSET(validated, FLAG_NOEXEC));
- new_environ = rebuild_env(envp, sudo_mode, ISSET(validated, FLAG_NOEXEC)); + environ = rebuild_env(envp, ISSET(validated, FLAG_NOEXEC));
+ new_environ = rebuild_env(envp, ISSET(validated, FLAG_NOEXEC));
else
new_environ = envp;
--- sudo-1.6.8p12/auth/pam.c.login 2006-07-16 15:41:59.000000000 +0200
+++ sudo-1.6.8p12/auth/pam.c 2006-07-16 15:45:15.000000000 +0200
@@ -89,7 +89,12 @@
if (auth != NULL)
auth->data = (VOID *) &pam_status;
pam_conv.conv = sudo_conv;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
if (pam_status != PAM_SUCCESS) {
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
--- sudo-1.6.8p12/env.c.login 2006-07-16 15:40:14.000000000 +0200
+++ sudo-1.6.8p12/env.c 2006-07-16 15:57:19.000000000 +0200
@@ -77,7 +77,7 @@
/*
* Prototypes
*/
-char **rebuild_env __P((char **, int, int));
+char **rebuild_env __P((char **, int));
char **zero_env __P((char **));
static void insert_env __P((char *, int));
static char *format_env __P((char *, ...));
@@ -321,9 +321,8 @@
* Also adds sudo-specific variables (SUDO_*).
*/
char **
-rebuild_env(envp, sudo_mode, noexec)
+rebuild_env(envp, noexec)
char **envp;
- int sudo_mode;
int noexec;
{
char **ep, *cp, *ps1;
--- sudo-1.6.8p12/sudo.h.login 2006-07-16 15:59:08.000000000 +0200
+++ sudo-1.6.8p12/sudo.h 2006-07-16 15:59:38.000000000 +0200
@@ -251,6 +251,7 @@
extern FILE *sudoers_fp;
extern int tgetpass_flags;
extern uid_t timestamp_uid;
+extern int sudo_mode;
extern void (*set_perms) __P((int));
#endif
--- sudo-1.6.8p12/config.h.in.login 2006-07-16 15:32:09.000000000 +0200
+++ sudo-1.6.8p12/config.h.in 2006-07-16 15:32:56.000000000 +0200
@@ -230,6 +230,9 @@
/* Define to 1 if you use PAM authentication. */
#undef HAVE_PAM
+/* Define to 1 if you use specific PAM session for sodo -i. */
+#undef HAVE_PAM_LOGIN
+
/* Define to 1 if you have the <pam/pam_appl.h> header file. */
#undef HAVE_PAM_PAM_APPL_H
/* Fill in passwd struct based on user we are authenticating as. */
auth_pw = get_authpw();

38
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.6.8p12 Version: 1.6.9p4
Release: 14%{?dist} Release: 1%{?dist}
License: BSD License: BSD
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -16,19 +16,12 @@ BuildRequires: openldap-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: bison BuildRequires: bison
# 154511 - sudo does not use limits.conf
Patch2: sudo-1.6.8p8-pam-sess.patch
# don't strip # don't strip
Patch3: sudo-1.6.7p5-strip.patch Patch1: sudo-1.6.7p5-strip.patch
# Default sudoers: reset env. # use specific PAM session for sudo -i (#198755)
Patch4: sudo-1.6.8p12-env-reset.patch Patch2: sudo-1.6.9p4-login.patch
# Default sudoers; require tty (#190062) # the rest, see changelog
Patch5: sudo-1.6.8p12-requiretty.patch Patch3: sudo-1.6.9p4-getgrouplist.patch
# Use specific PAM session for sudo -i (#198755)
Patch6: sudo-1.6.8p12-pam-login.patch
# IPv6 support
Patch7: sudo-1.6.8p12-ipv6.patch
Patch8: sudo-1.6.8p12-getgrouplist.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -43,13 +36,9 @@ on many different machines.
%prep %prep
%setup -q %setup -q
%patch2 -p1 -b .sess %patch1 -p1 -b .strip
%patch3 -p1 -b .strip %patch2 -p1 -b .login
%patch4 -p1 -b .env_reset %patch3 -p1 -b .getgrouplist
%patch5 -p1 -b .tty
%patch6 -p1 -b .login
%patch7 -p1 -b .ipv6
%patch8 -p1 -b .getgrouplist
%build %build
%ifarch s390 s390x %ifarch s390 s390x
@ -75,6 +64,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -DHAVE_PAM_LOGIN" LDFLAGS="-pie"
--with-ignore-dot \ --with-ignore-dot \
--with-tty-tickets \ --with-tty-tickets \
--with-ldap --with-ldap
# --without-kerb5 \
# --without-kerb4
make make
%install %install
@ -110,7 +101,7 @@ rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod %doc BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING UPGRADE *.pod
%attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0440,root,root) %config(noreplace) /etc/sudoers
%config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i %config(noreplace) /etc/pam.d/sudo-i
@ -129,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || : /bin/chmod 0440 /etc/sudoers || :
%changelog %changelog
* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
- upgrade to upstream release
* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14 * Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
- also use getgrouplist() to determine group membership (#235915) - also use getgrouplist() to determine group membership (#235915)