rpms
/
sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import sudo-1.8.29-2.el8

This commit is contained in:
CentOS Sources 2020-01-21 17:36:43 -05:00 committed by Stepan Oksanichenko
parent dad17e46d8
commit 4714f80dc5
12 changed files with 85 additions and 468 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sudo-1.8.25p1.tar.gz
SOURCES/sudo-1.8.29.tar.gz

2
.sudo.metadata
View File

@ -1 +1 @@
dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz
fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz

70
SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
View File

@ -1,70 +0,0 @@
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
@@ -34,7 +34,7 @@
},
{
"Binding": [
- { "username": "%them" }
+ { "usergroup": "them" }
],
"Options": [
{ "set_home": true }
@@ -42,7 +42,7 @@
},
{
"Binding": [
- { "username": "%: non UNIX 0 c" }
+ { "nonunixgroup": " non UNIX 0 c" }
],
"Options": [
{ "set_home": true }
@@ -50,7 +50,7 @@
},
{
"Binding": [
- { "username": "+net" }
+ { "netgroup": "net" }
],
"Options": [
{ "set_home": true }
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
#
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
#
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||

27
SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
View File

@ -1,27 +0,0 @@
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
if (ldap_conf.search_filter)
sz += strlen(ldap_conf.search_filter);
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
/* Add space for primary and supplementary groups and gids */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ /* Append user uid */
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
+ (void) strlcat(buf, "(sudoUser=#", sz);
+ (void) strlcat(buf, gidbuf, sz);
+ (void) strlcat(buf, ")", sz);
+
/* Append primary group and gid */
if (grp != NULL) {
CHECK_STRLCAT(buf, "(sudoUser=%", sz);

52
SOURCES/sudo-1.8.23-legacy-group-processing.patch
View File

@ -1,7 +1,7 @@
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200
+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
+++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100
@@ -347,6 +347,15 @@ main(int argc, char *argv[])
sudo_fatalx("error: unhandled input %d", input_format);
}
@ -18,9 +18,9 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvts
filter_userspecs(&parsed_policy, conf);
filter_defaults(&parsed_policy, conf);
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
--- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200
+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200
@@ -86,6 +86,7 @@ static struct early_default early_defaul
--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
+++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100
@@ -93,6 +93,7 @@ static struct early_default early_defaul
{ I_FQDN },
#endif
{ I_MATCH_GROUP_BY_GID },
@ -28,7 +28,7 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
{ I_GROUP_PLUGIN },
{ I_RUNAS_DEFAULT },
{ I_SUDOERS_LOCALE },
@@ -487,6 +488,8 @@ init_defaults(void)
@@ -494,6 +495,8 @@ init_defaults(void)
}
/* First initialize the flags. */
@ -38,10 +38,10 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
def_long_otp_prompt = true;
#endif
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
--- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Ignore case when matching group names"),
--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100
@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Log when a command is denied by sudoers"),
NULL,
}, {
+ "legacy_group_processing", T_FLAG,
@ -52,31 +52,31 @@ diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_da
}
};
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
--- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200
@@ -226,6 +226,8 @@
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 113
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 114
--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100
@@ -232,6 +232,8 @@
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
#define I_LOG_DENIED 116
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 117
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
enum def_tuple {
never,
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
--- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200
@@ -357,3 +357,6 @@ case_insensitive_user
case_insensitive_group
--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100
@@ -366,3 +366,6 @@ log_allowed
log_denied
T_FLAG
"Ignore case when matching group names"
"Log when a command is denied by sudoers"
+legacy_group_processing
+ T_FLAG
+ "Don't pre-resolve all group names"
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200
+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200
@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100
@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
ret = true;

39
SOURCES/sudo-1.8.23-nowaitopt.patch
View File

@ -1,7 +1,7 @@
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c
--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100
+++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100
@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't pre-resolve all group names"),
NULL,
}, {
@ -12,33 +12,32 @@ diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/su
NULL, 0, NULL
}
};
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
@@ -228,6 +228,8 @@
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
#define I_LEGACY_GROUP_PROCESSING 114
diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h
--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100
+++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100
@@ -234,6 +234,8 @@
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
#define I_LEGACY_GROUP_PROCESSING 117
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+#define I_CMND_NO_WAIT 115
+#define I_CMND_NO_WAIT 118
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
enum def_tuple {
never,
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
@@ -360,3 +360,6 @@ case_insensitive_group
diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in
--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100
+++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100
@@ -369,3 +369,6 @@ log_denied
legacy_group_processing
T_FLAG
"Don't pre-resolve all group names"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100
+++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100
@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c
def_match_group_by_gid = false;
def_legacy_group_processing = false;
}

103
SOURCES/sudo-1.8.23-pam-expired-passwords.patch
View File

@ -1,103 +0,0 @@
# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1544201494 25200
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
The fix for bug #843 was incomplete and caused pam_end() to be called early.
sudo_pam_approval() must not set the global pam status to an error
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
will call pam_end() before sudo_pam_begin_session(). This resulted
in a NULL PAM handle being used in sudo_pam_begin_session().
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
@@ -210,59 +210,68 @@
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
+ int rc, status = AUTH_SUCCESS;
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
- switch (*pam_status) {
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
+ switch (rc) {
case PAM_SUCCESS:
- debug_return_int(AUTH_SUCCESS);
+ break;
case PAM_AUTH_ERR:
log_warningx(0, N_("account validation failure, "
"is your account locked?"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_NEW_AUTHTOK_REQD:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
- *pam_status = pam_chauthtok(pamh,
- PAM_CHANGE_EXPIRED_AUTHTOK);
- if (*pam_status == PAM_SUCCESS)
- debug_return_int(AUTH_SUCCESS);
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (rc == PAM_SUCCESS)
+ break;
+ if ((s = pam_strerror(pamh, rc)) == NULL)
s = "unknown error";
log_warningx(0,
N_("unable to change expired password: %s"), s);
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
case PAM_AUTHTOK_EXPIRED:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_ACCT_EXPIRED:
log_warningx(0,
N_("Account expired or PAM config lacks an \"account\" "
"section for sudo, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_AUTHINFO_UNAVAIL:
case PAM_MAXTRIES:
case PAM_PERM_DENIED:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
default:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
}
+ /* Ignore errors if user is exempt from password restrictions. */
+ *pam_status = exempt ? PAM_SUCCESS : rc;
+ debug_return_int(status);
}
int

56
SOURCES/sudo-1.8.23-who-am-i.patch
View File

@ -1,56 +0,0 @@
commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
Author: Todd C. Miller <Todd.Miller@sudo.ws>
Date: Wed Jan 2 07:39:33 2019 -0700
Fix setting of utmp entry when running command in a pty.
Regression introduced in sudo 1.8.22.
diff --git a/src/exec_pty.c b/src/exec_pty.c
index cbcccca3..68312a98 100644
--- a/src/exec_pty.c
+++ b/src/exec_pty.c
@@ -140,7 +140,7 @@ pty_cleanup(void)
* and slavename globals.
*/
static bool
-pty_setup(uid_t uid, const char *tty)
+pty_setup(struct command_details *details, const char *tty)
{
debug_decl(pty_setup, SUDO_DEBUG_EXEC);
@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
}
if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
- slavename, sizeof(slavename), uid))
+ slavename, sizeof(slavename), details->euid))
sudo_fatal(U_("unable to allocate pty"));
/* Add entry to utmp/utmpx? */
- if (utmp_user != NULL)
+ if (ISSET(details->flags, CD_SET_UTMP)) {
+ utmp_user =
+ details->utmp_user ? details->utmp_user : user_details.username;
utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
+ }
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: %s fd %d, pty master fd %d, pty slave fd %d",
@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
/*
* Allocate a pty.
*/
- if (pty_setup(details->euid, user_details.tty)) {
- if (ISSET(details->flags, CD_SET_UTMP))
- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
- } else if (TAILQ_EMPTY(&io_plugins)) {
- /* Not logging I/O and didn't allocate a pty. */
- debug_return_bool(false);
+ if (!pty_setup(details, user_details.tty)) {
+ if (TAILQ_EMPTY(&io_plugins)) {
+ /* Not logging I/O and didn't allocate a pty. */
+ debug_return_bool(false);
+ }
}
/*

25
SOURCES/sudo-1.8.25-c-option-help.patch
View File

@ -1,25 +0,0 @@
From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 11 Dec 2018 09:05:04 -0700
Subject: [PATCH 2/4] The -c option was missing from the help info; from
Radovan Sroka
---
plugins/sudoers/cvtsudoers.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
index 795936c1..0221314b 100644
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@@ -1315,6 +1315,7 @@ help(void)
usage(0);
(void) puts(_("\nOptions:\n"
" -b, --base=dn the base DN for sudo LDAP queries\n"
+ " -c, --config=conf_file the path to the configuration file\n"
" -d, --defaults=deftypes only convert Defaults of the specified types\n"
" -e, --expand-aliases expand aliases when converting\n"
" -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
--
2.17.2

27
SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch
View File

@ -1,27 +0,0 @@
diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100
+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100
@@ -1582,13 +1582,16 @@ help(void)
(void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
usage(0);
(void) puts(_("\nOptions:\n"
- " -d, --directory=dir specify directory for session logs\n"
- " -f, --filter=filter specify which I/O type(s) to display\n"
- " -h, --help display help message and exit\n"
- " -l, --list list available session IDs, with optional expression\n"
- " -m, --max-wait=num max number of seconds to wait between events\n"
- " -s, --speed=num speed up or slow down output\n"
- " -V, --version display version information and exit"));
+ " -d, --directory=dir specify directory for session logs\n"
+ " -f, --filter=filter specify which I/O type(s) to display\n"
+ " -h, --help display help message and exit\n"
+ " -l, --list list available session IDs, with optional expression\n"
+ " -m, --max-wait=num max number of seconds to wait between events\n"
+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
+ " -R, --no-resize do not attempt to re-size the terminal\n"
+ " -S, --suspend-wait wait while the command was suspended\n"
+ " -s, --speed=num speed up or slow down output\n"
+ " -V, --version display version information and exit"));
exit(0);
}

80
SOURCES/sudo-1.8.25-typos-manpages.patch
View File

@ -1,80 +0,0 @@
From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 11 Dec 2018 09:02:30 -0700
Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
---
doc/cvtsudoers.cat | 6 +++---
doc/cvtsudoers.man.in | 6 +++---
doc/cvtsudoers.mdoc.in | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
index 61bf3a28..9c1ef140 100644
--- a/doc/cvtsudoers.cat
+++ b/doc/cvtsudoers.cat
@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
--bb _d_n, ----bbaassee=_d_n
The base DN (distinguished name) that will be used when
performing LDAP queries. Typically this is of the form
- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
If this option is not specified, the value of the
SUDOERS_BASE environment variable will be used instead. Only
necessary when converting to LDIF format.
@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN
Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by
default when the output _f_o_r_m_a_t is JSON or sudoers.
- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
Specify the output format (case-insensitive). The following
formats are supported:
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
index b159ee5d..2f45ee1d 100644
--- a/doc/cvtsudoers.man.in
+++ b/doc/cvtsudoers.man.in
@@ -59,7 +59,7 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
-\fRou=SUDOers,dc=-mydomain,dc=com\fR
+\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
If this option is not specified, the value of the
@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
\fIformat\fR
is JSON or sudoers.
.TP 12n
-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
Specify the output format (case-insensitive).
The following formats are supported:
.PP
diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
index 1812bc67..8261ddc6 100644
--- a/doc/cvtsudoers.mdoc.in
+++ b/doc/cvtsudoers.mdoc.in
@@ -57,7 +57,7 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
-.Li ou=SUDOers,dc=-mydomain,dc=com
+.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
If this option is not specified, the value of the
@@ -110,7 +110,7 @@ Expand aliases in
Aliases are preserved by default when the output
.Ar format
is JSON or sudoers.
-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive).
The following formats are supported:
.Bl -tag -width 8n
--
2.17.2

70
SPECS/sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.25p1
Release: 5%{?dist}
Version: 1.8.29
Release: 2%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@ -39,25 +39,11 @@ Patch2: sudo-1.8.23-sudoldapconfman.patch
Patch3: sudo-1.7.2p1-envdebug.patch
# 1247591 - Sudo taking a long time when user information is stored externally.
Patch4: sudo-1.8.23-legacy-group-processing.patch
# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
Patch5: sudo-1.8.23-ldapsearchuidfix.patch
# 840980 - sudo creates a new parent process
# Adds cmnd_no_wait Defaults option
Patch6: sudo-1.8.23-nowaitopt.patch
Patch5: sudo-1.8.23-nowaitopt.patch
# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
Patch7: sudo-1.8.6p7-logsudouser.patch
# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
# 1613327 - Man page scan results for sudo
Patch9: sudo-1.8.25-typos-manpages.patch
Patch10: sudo-1.8.25-c-option-help.patch
Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
# RHEL 8.1
# 1673886 - Problem with sudo-1.8.23 and 'who am i'
Patch12: sudo-1.8.23-who-am-i.patch
# 1676819 - Backporting sudo bug with expired passwords
Patch13: sudo-1.8.23-pam-expired-passwords.patch
Patch6: sudo-1.8.6p7-logsudouser.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -86,17 +72,8 @@ plugins that use %{name}.
%patch2 -p1 -b .sudoldapconfman
%patch3 -p1 -b .env-debug
%patch4 -p1 -b .legacy-processing
%patch5 -p1 -b .ldap-search-uid
%patch6 -p1 -b .nowait
%patch7 -p1 -b .logsudouser
%patch8 -p1 -b .double-quote
%patch9 -p1 -b .typos
%patch10 -p1 -b .c-option
%patch11 -p1 -b .sudoreplay-help
%patch12 -p1 -b .whoami
%patch13 -p1 -b .pam-expired
%patch5 -p1 -b .nowait
%patch6 -p1 -b .logsudouser
%build
# Remove bundled copy of zlib
@ -256,21 +233,50 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
- RHEL 8.2 ERRATUM
- rebase to 1.8.29
Resolves: rhbz#1733961
Resolves: rhbz#1651662
* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
- RHEL 8.2 ERRATUM
- rebase to 1.8.28p1
Resolves: rhbz#1733961
- fixed man page for always_set_home
Resolves: rhbz#1576880
- sudo does not work with notbefore/after
Resolves: rhbz#1679508
- NOTBEFORE showing value of sudoNotAfter Ldap attribute
Resolves: rhbz#1715516
- CVE-2019-14287 sudo
- Privilege escalation via 'Runas' specification with 'ALL' keyword
Resolves: rhbz#1760697
* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
- RHEL 8.1 ERRATUM
- sudo ipa_hostname not honored
Resolves: rhbz#1738662
* Mon Aug 12 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-6
- RHEL 8.1 ERRATUM
- Fixed The LDAP backend which is not properly parsing sudoOptions,
resulting in selinux roles not being applied
Resolves: rhbz#1738326
* Tue May 28 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-5
- RHEL 8.1 ERRATUM
- Fixed problem with sudo-1.8.23 and 'who am i'
Resolves: rhbz#1673886
- Backporting sudo bug with expired passwords
Resolves: rhbz#1676819
- Added baseos CI into gating.yaml
Resolves: rhbz#1682511
* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
- Fix most of the man page scans problems
- Resolves: rhbz#1613327
* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
- bump release for new build after gating tests fixes
- bump release for new build
Resolves: rhbz#1625683
* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2