- update to new upstream version

- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
This commit is contained in:
dnk 2010-09-07 16:28:31 +02:00
parent c9cd6fce71
commit 520e07da9c
6 changed files with 151 additions and 21 deletions

2
.gitignore vendored
View File

@ -1,2 +1,4 @@
sudo-1.7.2p6.tar.gz
sudo-1.7.2p2-sudoers
/sudo-1.7.4p4.tar.gz
/sudo-1.7.2p2-sudoers

View File

@ -1,2 +1,2 @@
c4f1a43e8ba94f6bf06d2211442148c4 sudo-1.7.2p6.tar.gz
55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers

17
sudo-1.7.4p3-m4path.patch Normal file
View File

@ -0,0 +1,17 @@
diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
+++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
@@ -368,8 +368,8 @@ EOF
dnl
dnl Pull in libtool macros
dnl
-m4_include([libtool.m4])
-m4_include([ltoptions.m4])
-m4_include([ltsugar.m4])
-m4_include([ltversion.m4])
-m4_include([lt~obsolete.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])

View File

@ -0,0 +1,67 @@
diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
+++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
/*
* Only check the actual command if pwflag is not set.
- * It is set for the "validate", "list" and "kill" pseudo-commands.
- * Always check the host and user.
+ * It is set for the "sudovalidate", "sudolist" and "sudokill"
+ * pseudo-commands. Always check the host and user.
*/
if (pwflag) {
int nopass;
diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
+++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
@@ -232,7 +232,7 @@ main(argc, argv, envp)
pwflag = 0;
if (ISSET(sudo_mode, MODE_SHELL))
- user_cmnd = "shell";
+ user_cmnd = "sudoshell";
else if (ISSET(sudo_mode, MODE_EDIT))
user_cmnd = "sudoedit";
else {
@@ -245,12 +245,12 @@ main(argc, argv, envp)
break;
case MODE_VALIDATE:
case MODE_VALIDATE|MODE_INVALIDATE:
- user_cmnd = "validate";
+ user_cmnd = "sudovalidate";
pwflag = I_VERIFYPW;
break;
case MODE_KILL:
case MODE_INVALIDATE:
- user_cmnd = "kill";
+ user_cmnd = "sudokill";
pwflag = -1;
break;
case MODE_LISTDEFS:
@@ -259,7 +259,7 @@ main(argc, argv, envp)
break;
case MODE_LIST:
case MODE_LIST|MODE_INVALIDATE:
- user_cmnd = "list";
+ user_cmnd = "sudolist";
pwflag = I_LISTPW;
break;
case MODE_CHECK:
@@ -701,13 +701,13 @@ init_vars(envp)
set_perms(PERM_ROOT);
/*
- * If we were given the '-e', '-i' or '-s' options we need to redo
+ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
* NewArgv and NewArgc.
*/
- if (ISSET(sudo_mode, MODE_EDIT)) {
+ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
NewArgv--;
NewArgc++;
- NewArgv[0] = "sudoedit";
+ NewArgv[0] = user_cmnd;
} else if (ISSET(sudo_mode, MODE_SHELL)) {
char **av;

View File

@ -0,0 +1,39 @@
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
regcomp setlocale getaddrinfo setenv vhangup \
- mbr_check_membership setrlimit64)
+ mbr_check_membership setrlimit64 getgrouplist)
AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
@@ -628,5 +628,23 @@ user_in_group(pw, group)
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif /* HAVE_GETGROUPLIST */
+
return(FALSE);
}

View File

@ -1,8 +1,8 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.7.2p6
Release: 2%{?dist}
License: BSD
Version: 1.7.4p4
Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
@ -22,17 +22,14 @@ BuildRequires: sendmail
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
# use specific PAM session for sudo -i (#198755)
Patch2: sudo-1.7.2p1-login.patch
# configure.in fix
Patch3: sudo-1.7.2p1-envdebug.patch
Patch4: sudo-1.7.1-libtool.patch
Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch
# don't emalloc(0)
Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915)
Patch5: sudo-1.7.2p4-getgrouplist.patch
# audit support improvement
Patch6: sudo-1.7.2p6-audit.patch
# insufficient environment sanitization issue (#598154)
Patch7: sudo-1.7.2p2-envsanitize.patch
Patch5: sudo-1.7.4p4-getgrouplist.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -47,17 +44,16 @@ on many different machines.
%prep
%setup -q
%patch1 -p1 -b .strip
%patch2 -p1 -b .login
%patch3 -p1 -b .envdebug
%patch4 -p1 -b .libtool
%patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path
%patch4 -p1 -b .sudolist
%patch5 -p1 -b .getgrouplist
%patch6 -p1 -b .audit
%patch7 -p1 -b .envsanitize
%build
# handle newer autoconf
rm acsite.m4
rm -f acsite.m4
mv aclocal.m4 acinclude.m4
autoreconf -fv --install
@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
--docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--with-ldap \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
--with-audit
--with-linux-audit
# --without-kerb5 \
# --without-kerb4
make
@ -122,7 +119,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
@ -131,6 +128,7 @@ rm -rf $RPM_BUILD_ROOT
%dir /var/run/sudo
%attr(4111,root,root) %{_bindir}/sudo
%attr(4111,root,root) %{_bindir}/sudoedit
%attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.*
@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
# Make sure permissions are ok even if we're updating
@ -145,6 +144,12 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
* Tue Sep 7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
- update to new upstream version
- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
* Wed Jun 2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
- added patch that fixes insufficient environment sanitization issue (#598154)