import sudo-1.8.29-2.el8
This commit is contained in:
parent
dad17e46d8
commit
4714f80dc5
|
@ -1 +1 @@
|
|||
SOURCES/sudo-1.8.25p1.tar.gz
|
||||
SOURCES/sudo-1.8.29.tar.gz
|
||||
|
|
|
@ -1 +1 @@
|
|||
dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz
|
||||
fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
|
||||
@@ -34,7 +34,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%them" }
|
||||
+ { "usergroup": "them" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -42,7 +42,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%: non UNIX 0 c" }
|
||||
+ { "nonunixgroup": " non UNIX 0 c" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -50,7 +50,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "+net" }
|
||||
+ { "netgroup": "net" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
|
||||
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
|
||||
#
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
|
||||
|
||||
#
|
||||
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
|
||||
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
|
||||
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
|
@ -1,27 +0,0 @@
|
|||
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
|
||||
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
if (ldap_conf.search_filter)
|
||||
sz += strlen(ldap_conf.search_filter);
|
||||
|
||||
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
|
||||
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
|
||||
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
|
||||
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
|
||||
|
||||
/* Add space for primary and supplementary groups and gids */
|
||||
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
|
||||
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
|
||||
CHECK_STRLCAT(buf, ")", sz);
|
||||
|
||||
+ /* Append user uid */
|
||||
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
|
||||
+ (void) strlcat(buf, "(sudoUser=#", sz);
|
||||
+ (void) strlcat(buf, gidbuf, sz);
|
||||
+ (void) strlcat(buf, ")", sz);
|
||||
+
|
||||
/* Append primary group and gid */
|
||||
if (grp != NULL) {
|
||||
CHECK_STRLCAT(buf, "(sudoUser=%", sz);
|
|
@ -1,7 +1,7 @@
|
|||
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
|
||||
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200
|
||||
+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200
|
||||
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
|
||||
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -347,6 +347,15 @@ main(int argc, char *argv[])
|
||||
sudo_fatalx("error: unhandled input %d", input_format);
|
||||
}
|
||||
|
||||
|
@ -18,9 +18,9 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvts
|
|||
filter_userspecs(&parsed_policy, conf);
|
||||
filter_defaults(&parsed_policy, conf);
|
||||
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
|
||||
--- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200
|
||||
+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -86,6 +86,7 @@ static struct early_default early_defaul
|
||||
--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
|
||||
+++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100
|
||||
@@ -93,6 +93,7 @@ static struct early_default early_defaul
|
||||
{ I_FQDN },
|
||||
#endif
|
||||
{ I_MATCH_GROUP_BY_GID },
|
||||
|
@ -28,7 +28,7 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
|
|||
{ I_GROUP_PLUGIN },
|
||||
{ I_RUNAS_DEFAULT },
|
||||
{ I_SUDOERS_LOCALE },
|
||||
@@ -487,6 +488,8 @@ init_defaults(void)
|
||||
@@ -494,6 +495,8 @@ init_defaults(void)
|
||||
}
|
||||
|
||||
/* First initialize the flags. */
|
||||
|
@ -38,10 +38,10 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
|
|||
def_long_otp_prompt = true;
|
||||
#endif
|
||||
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Ignore case when matching group names"),
|
||||
--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100
|
||||
@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Log when a command is denied by sudoers"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "legacy_group_processing", T_FLAG,
|
||||
|
@ -52,31 +52,31 @@ diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_da
|
|||
}
|
||||
};
|
||||
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200
|
||||
@@ -226,6 +226,8 @@
|
||||
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
|
||||
#define I_CASE_INSENSITIVE_GROUP 113
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 114
|
||||
--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100
|
||||
@@ -232,6 +232,8 @@
|
||||
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
|
||||
#define I_LOG_DENIED 116
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 117
|
||||
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200
|
||||
+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200
|
||||
@@ -357,3 +357,6 @@ case_insensitive_user
|
||||
case_insensitive_group
|
||||
--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100
|
||||
@@ -366,3 +366,6 @@ log_allowed
|
||||
log_denied
|
||||
T_FLAG
|
||||
"Ignore case when matching group names"
|
||||
"Log when a command is denied by sudoers"
|
||||
+legacy_group_processing
|
||||
+ T_FLAG
|
||||
+ "Don't pre-resolve all group names"
|
||||
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200
|
||||
+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200
|
||||
@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
|
||||
--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100
|
||||
@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c
|
||||
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
|
||||
ret = true;
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
|
||||
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c
|
||||
--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100
|
||||
@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't pre-resolve all group names"),
|
||||
NULL,
|
||||
}, {
|
||||
|
@ -12,33 +12,32 @@ diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/su
|
|||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
|
||||
@@ -228,6 +228,8 @@
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 114
|
||||
diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h
|
||||
--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100
|
||||
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100
|
||||
@@ -234,6 +234,8 @@
|
||||
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 117
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
+#define I_CMND_NO_WAIT 115
|
||||
+#define I_CMND_NO_WAIT 118
|
||||
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
|
||||
@@ -360,3 +360,6 @@ case_insensitive_group
|
||||
diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in
|
||||
--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -369,3 +369,6 @@ log_denied
|
||||
legacy_group_processing
|
||||
T_FLAG
|
||||
"Don't pre-resolve all group names"
|
||||
+cmnd_no_wait
|
||||
+ T_FLAG
|
||||
+ "Don't fork and wait for the command to finish, just exec it"
|
||||
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
|
||||
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
|
||||
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
|
||||
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
|
||||
diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c
|
||||
--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100
|
||||
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100
|
||||
@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c
|
||||
def_match_group_by_gid = false;
|
||||
def_legacy_group_processing = false;
|
||||
}
|
||||
|
|
|
@ -1,103 +0,0 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
# Date 1544201494 25200
|
||||
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
|
||||
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
|
||||
The fix for bug #843 was incomplete and caused pam_end() to be called early.
|
||||
sudo_pam_approval() must not set the global pam status to an error
|
||||
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
|
||||
will call pam_end() before sudo_pam_begin_session(). This resulted
|
||||
in a NULL PAM handle being used in sudo_pam_begin_session().
|
||||
|
||||
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
|
||||
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
|
||||
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
|
||||
@@ -210,59 +210,68 @@
|
||||
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
||||
{
|
||||
const char *s;
|
||||
+ int rc, status = AUTH_SUCCESS;
|
||||
int *pam_status = (int *) auth->data;
|
||||
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
|
||||
|
||||
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
|
||||
- switch (*pam_status) {
|
||||
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
|
||||
+ switch (rc) {
|
||||
case PAM_SUCCESS:
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
case PAM_AUTH_ERR:
|
||||
log_warningx(0, N_("account validation failure, "
|
||||
"is your account locked?"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
/* Ignore if user is exempt from password restrictions. */
|
||||
if (exempt)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
/* New password required, try to change it. */
|
||||
log_warningx(0, N_("Account or password is "
|
||||
"expired, reset your password and try again"));
|
||||
- *pam_status = pam_chauthtok(pamh,
|
||||
- PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
- if (*pam_status == PAM_SUCCESS)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
|
||||
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
+ if (rc == PAM_SUCCESS)
|
||||
+ break;
|
||||
+ if ((s = pam_strerror(pamh, rc)) == NULL)
|
||||
s = "unknown error";
|
||||
log_warningx(0,
|
||||
N_("unable to change expired password: %s"), s);
|
||||
- debug_return_int(AUTH_FAILURE);
|
||||
+ status = AUTH_FAILURE;
|
||||
+ break;
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
/* Ignore if user is exempt from password restrictions. */
|
||||
if (exempt)
|
||||
- debug_return_int(AUTH_SUCCESS);
|
||||
+ break;
|
||||
/* Password expired, cannot be updated by user. */
|
||||
log_warningx(0,
|
||||
N_("Password expired, contact your system administrator"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_ACCT_EXPIRED:
|
||||
log_warningx(0,
|
||||
N_("Account expired or PAM config lacks an \"account\" "
|
||||
"section for sudo, contact your system administrator"));
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
case PAM_AUTHINFO_UNAVAIL:
|
||||
case PAM_MAXTRIES:
|
||||
case PAM_PERM_DENIED:
|
||||
- s = pam_strerror(pamh, *pam_status);
|
||||
+ s = pam_strerror(pamh, rc);
|
||||
log_warningx(0, N_("PAM account management error: %s"),
|
||||
s ? s : "unknown error");
|
||||
- debug_return_int(AUTH_FAILURE);
|
||||
+ status = AUTH_FAILURE;
|
||||
+ break;
|
||||
default:
|
||||
- s = pam_strerror(pamh, *pam_status);
|
||||
+ s = pam_strerror(pamh, rc);
|
||||
log_warningx(0, N_("PAM account management error: %s"),
|
||||
s ? s : "unknown error");
|
||||
- debug_return_int(AUTH_FATAL);
|
||||
+ status = AUTH_FATAL;
|
||||
+ break;
|
||||
}
|
||||
+ /* Ignore errors if user is exempt from password restrictions. */
|
||||
+ *pam_status = exempt ? PAM_SUCCESS : rc;
|
||||
+ debug_return_int(status);
|
||||
}
|
||||
|
||||
int
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
|
||||
Author: Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
Date: Wed Jan 2 07:39:33 2019 -0700
|
||||
|
||||
Fix setting of utmp entry when running command in a pty.
|
||||
Regression introduced in sudo 1.8.22.
|
||||
|
||||
diff --git a/src/exec_pty.c b/src/exec_pty.c
|
||||
index cbcccca3..68312a98 100644
|
||||
--- a/src/exec_pty.c
|
||||
+++ b/src/exec_pty.c
|
||||
@@ -140,7 +140,7 @@ pty_cleanup(void)
|
||||
* and slavename globals.
|
||||
*/
|
||||
static bool
|
||||
-pty_setup(uid_t uid, const char *tty)
|
||||
+pty_setup(struct command_details *details, const char *tty)
|
||||
{
|
||||
debug_decl(pty_setup, SUDO_DEBUG_EXEC);
|
||||
|
||||
@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
|
||||
}
|
||||
|
||||
if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
|
||||
- slavename, sizeof(slavename), uid))
|
||||
+ slavename, sizeof(slavename), details->euid))
|
||||
sudo_fatal(U_("unable to allocate pty"));
|
||||
|
||||
/* Add entry to utmp/utmpx? */
|
||||
- if (utmp_user != NULL)
|
||||
+ if (ISSET(details->flags, CD_SET_UTMP)) {
|
||||
+ utmp_user =
|
||||
+ details->utmp_user ? details->utmp_user : user_details.username;
|
||||
utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
|
||||
+ }
|
||||
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
"%s: %s fd %d, pty master fd %d, pty slave fd %d",
|
||||
@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
|
||||
/*
|
||||
* Allocate a pty.
|
||||
*/
|
||||
- if (pty_setup(details->euid, user_details.tty)) {
|
||||
- if (ISSET(details->flags, CD_SET_UTMP))
|
||||
- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
|
||||
- } else if (TAILQ_EMPTY(&io_plugins)) {
|
||||
- /* Not logging I/O and didn't allocate a pty. */
|
||||
- debug_return_bool(false);
|
||||
+ if (!pty_setup(details, user_details.tty)) {
|
||||
+ if (TAILQ_EMPTY(&io_plugins)) {
|
||||
+ /* Not logging I/O and didn't allocate a pty. */
|
||||
+ debug_return_bool(false);
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
|
@ -1,25 +0,0 @@
|
|||
From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Tue, 11 Dec 2018 09:05:04 -0700
|
||||
Subject: [PATCH 2/4] The -c option was missing from the help info; from
|
||||
Radovan Sroka
|
||||
|
||||
---
|
||||
plugins/sudoers/cvtsudoers.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
|
||||
index 795936c1..0221314b 100644
|
||||
--- a/plugins/sudoers/cvtsudoers.c
|
||||
+++ b/plugins/sudoers/cvtsudoers.c
|
||||
@@ -1315,6 +1315,7 @@ help(void)
|
||||
usage(0);
|
||||
(void) puts(_("\nOptions:\n"
|
||||
" -b, --base=dn the base DN for sudo LDAP queries\n"
|
||||
+ " -c, --config=conf_file the path to the configuration file\n"
|
||||
" -d, --defaults=deftypes only convert Defaults of the specified types\n"
|
||||
" -e, --expand-aliases expand aliases when converting\n"
|
||||
" -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
|
||||
--
|
||||
2.17.2
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
|
||||
--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100
|
||||
+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100
|
||||
@@ -1582,13 +1582,16 @@ help(void)
|
||||
(void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
|
||||
usage(0);
|
||||
(void) puts(_("\nOptions:\n"
|
||||
- " -d, --directory=dir specify directory for session logs\n"
|
||||
- " -f, --filter=filter specify which I/O type(s) to display\n"
|
||||
- " -h, --help display help message and exit\n"
|
||||
- " -l, --list list available session IDs, with optional expression\n"
|
||||
- " -m, --max-wait=num max number of seconds to wait between events\n"
|
||||
- " -s, --speed=num speed up or slow down output\n"
|
||||
- " -V, --version display version information and exit"));
|
||||
+ " -d, --directory=dir specify directory for session logs\n"
|
||||
+ " -f, --filter=filter specify which I/O type(s) to display\n"
|
||||
+ " -h, --help display help message and exit\n"
|
||||
+ " -l, --list list available session IDs, with optional expression\n"
|
||||
+ " -m, --max-wait=num max number of seconds to wait between events\n"
|
||||
+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
|
||||
+ " -R, --no-resize do not attempt to re-size the terminal\n"
|
||||
+ " -S, --suspend-wait wait while the command was suspended\n"
|
||||
+ " -s, --speed=num speed up or slow down output\n"
|
||||
+ " -V, --version display version information and exit"));
|
||||
exit(0);
|
||||
}
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Tue, 11 Dec 2018 09:02:30 -0700
|
||||
Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
|
||||
|
||||
---
|
||||
doc/cvtsudoers.cat | 6 +++---
|
||||
doc/cvtsudoers.man.in | 6 +++---
|
||||
doc/cvtsudoers.mdoc.in | 6 +++---
|
||||
3 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
|
||||
index 61bf3a28..9c1ef140 100644
|
||||
--- a/doc/cvtsudoers.cat
|
||||
+++ b/doc/cvtsudoers.cat
|
||||
@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
|
||||
--bb _d_n, ----bbaassee=_d_n
|
||||
The base DN (distinguished name) that will be used when
|
||||
performing LDAP queries. Typically this is of the form
|
||||
- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
|
||||
+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
|
||||
If this option is not specified, the value of the
|
||||
SUDOERS_BASE environment variable will be used instead. Only
|
||||
necessary when converting to LDIF format.
|
||||
@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN
|
||||
Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by
|
||||
default when the output _f_o_r_m_a_t is JSON or sudoers.
|
||||
|
||||
- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
|
||||
+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
|
||||
Specify the output format (case-insensitive). The following
|
||||
formats are supported:
|
||||
|
||||
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
|
||||
index b159ee5d..2f45ee1d 100644
|
||||
--- a/doc/cvtsudoers.man.in
|
||||
+++ b/doc/cvtsudoers.man.in
|
||||
@@ -59,7 +59,7 @@ The options are as follows:
|
||||
The base DN (distinguished name) that will be used when performing
|
||||
LDAP queries.
|
||||
Typically this is of the form
|
||||
-\fRou=SUDOers,dc=-mydomain,dc=com\fR
|
||||
+\fRou=SUDOers,dc=my-domain,dc=com\fR
|
||||
for the domain
|
||||
\fRmy-domain.com\fR.
|
||||
If this option is not specified, the value of the
|
||||
@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
|
||||
\fIformat\fR
|
||||
is JSON or sudoers.
|
||||
.TP 12n
|
||||
-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
|
||||
+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
|
||||
Specify the output format (case-insensitive).
|
||||
The following formats are supported:
|
||||
.PP
|
||||
diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
|
||||
index 1812bc67..8261ddc6 100644
|
||||
--- a/doc/cvtsudoers.mdoc.in
|
||||
+++ b/doc/cvtsudoers.mdoc.in
|
||||
@@ -57,7 +57,7 @@ The options are as follows:
|
||||
The base DN (distinguished name) that will be used when performing
|
||||
LDAP queries.
|
||||
Typically this is of the form
|
||||
-.Li ou=SUDOers,dc=-mydomain,dc=com
|
||||
+.Li ou=SUDOers,dc=my-domain,dc=com
|
||||
for the domain
|
||||
.Li my-domain.com .
|
||||
If this option is not specified, the value of the
|
||||
@@ -110,7 +110,7 @@ Expand aliases in
|
||||
Aliases are preserved by default when the output
|
||||
.Ar format
|
||||
is JSON or sudoers.
|
||||
-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
|
||||
+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
|
||||
Specify the output format (case-insensitive).
|
||||
The following formats are supported:
|
||||
.Bl -tag -width 8n
|
||||
--
|
||||
2.17.2
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.25p1
|
||||
Release: 5%{?dist}
|
||||
Version: 1.8.29
|
||||
Release: 2%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
|
@ -39,25 +39,11 @@ Patch2: sudo-1.8.23-sudoldapconfman.patch
|
|||
Patch3: sudo-1.7.2p1-envdebug.patch
|
||||
# 1247591 - Sudo taking a long time when user information is stored externally.
|
||||
Patch4: sudo-1.8.23-legacy-group-processing.patch
|
||||
# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
|
||||
Patch5: sudo-1.8.23-ldapsearchuidfix.patch
|
||||
# 840980 - sudo creates a new parent process
|
||||
# Adds cmnd_no_wait Defaults option
|
||||
Patch6: sudo-1.8.23-nowaitopt.patch
|
||||
Patch5: sudo-1.8.23-nowaitopt.patch
|
||||
# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
|
||||
Patch7: sudo-1.8.6p7-logsudouser.patch
|
||||
# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
|
||||
Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
|
||||
# 1613327 - Man page scan results for sudo
|
||||
Patch9: sudo-1.8.25-typos-manpages.patch
|
||||
Patch10: sudo-1.8.25-c-option-help.patch
|
||||
Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
|
||||
|
||||
# RHEL 8.1
|
||||
# 1673886 - Problem with sudo-1.8.23 and 'who am i'
|
||||
Patch12: sudo-1.8.23-who-am-i.patch
|
||||
# 1676819 - Backporting sudo bug with expired passwords
|
||||
Patch13: sudo-1.8.23-pam-expired-passwords.patch
|
||||
Patch6: sudo-1.8.6p7-logsudouser.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
@ -86,17 +72,8 @@ plugins that use %{name}.
|
|||
%patch2 -p1 -b .sudoldapconfman
|
||||
%patch3 -p1 -b .env-debug
|
||||
%patch4 -p1 -b .legacy-processing
|
||||
%patch5 -p1 -b .ldap-search-uid
|
||||
%patch6 -p1 -b .nowait
|
||||
%patch7 -p1 -b .logsudouser
|
||||
%patch8 -p1 -b .double-quote
|
||||
|
||||
%patch9 -p1 -b .typos
|
||||
%patch10 -p1 -b .c-option
|
||||
%patch11 -p1 -b .sudoreplay-help
|
||||
|
||||
%patch12 -p1 -b .whoami
|
||||
%patch13 -p1 -b .pam-expired
|
||||
%patch5 -p1 -b .nowait
|
||||
%patch6 -p1 -b .logsudouser
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
|
@ -256,21 +233,50 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%changelog
|
||||
* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
|
||||
- RHEL 8.2 ERRATUM
|
||||
- rebase to 1.8.29
|
||||
Resolves: rhbz#1733961
|
||||
Resolves: rhbz#1651662
|
||||
|
||||
* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
|
||||
- RHEL 8.2 ERRATUM
|
||||
- rebase to 1.8.28p1
|
||||
Resolves: rhbz#1733961
|
||||
- fixed man page for always_set_home
|
||||
Resolves: rhbz#1576880
|
||||
- sudo does not work with notbefore/after
|
||||
Resolves: rhbz#1679508
|
||||
- NOTBEFORE showing value of sudoNotAfter Ldap attribute
|
||||
Resolves: rhbz#1715516
|
||||
- CVE-2019-14287 sudo
|
||||
- Privilege escalation via 'Runas' specification with 'ALL' keyword
|
||||
Resolves: rhbz#1760697
|
||||
|
||||
* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
|
||||
- RHEL 8.1 ERRATUM
|
||||
- sudo ipa_hostname not honored
|
||||
Resolves: rhbz#1738662
|
||||
|
||||
* Mon Aug 12 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-6
|
||||
- RHEL 8.1 ERRATUM
|
||||
- Fixed The LDAP backend which is not properly parsing sudoOptions,
|
||||
resulting in selinux roles not being applied
|
||||
Resolves: rhbz#1738326
|
||||
|
||||
* Tue May 28 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-5
|
||||
- RHEL 8.1 ERRATUM
|
||||
- Fixed problem with sudo-1.8.23 and 'who am i'
|
||||
Resolves: rhbz#1673886
|
||||
- Backporting sudo bug with expired passwords
|
||||
Resolves: rhbz#1676819
|
||||
- Added baseos CI into gating.yaml
|
||||
Resolves: rhbz#1682511
|
||||
|
||||
* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
|
||||
- Fix most of the man page scans problems
|
||||
- Resolves: rhbz#1613327
|
||||
|
||||
* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
|
||||
- bump release for new build after gating tests fixes
|
||||
- bump release for new build
|
||||
Resolves: rhbz#1625683
|
||||
|
||||
* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2
|
||||
|
|
Loading…
Reference in New Issue