- update to new upstream version
- new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC
This commit is contained in:
parent
c9cd6fce71
commit
520e07da9c
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,4 @@
|
||||
sudo-1.7.2p6.tar.gz
|
||||
sudo-1.7.2p2-sudoers
|
||||
/sudo-1.7.4p4.tar.gz
|
||||
/sudo-1.7.2p2-sudoers
|
||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
c4f1a43e8ba94f6bf06d2211442148c4 sudo-1.7.2p6.tar.gz
|
||||
55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
|
||||
d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers
|
||||
|
17
sudo-1.7.4p3-m4path.patch
Normal file
17
sudo-1.7.4p3-m4path.patch
Normal file
@ -0,0 +1,17 @@
|
||||
diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
|
||||
--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
|
||||
+++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
|
||||
@@ -368,8 +368,8 @@ EOF
|
||||
dnl
|
||||
dnl Pull in libtool macros
|
||||
dnl
|
||||
-m4_include([libtool.m4])
|
||||
-m4_include([ltoptions.m4])
|
||||
-m4_include([ltsugar.m4])
|
||||
-m4_include([ltversion.m4])
|
||||
-m4_include([lt~obsolete.m4])
|
||||
+m4_include([m4/libtool.m4])
|
||||
+m4_include([m4/ltoptions.m4])
|
||||
+m4_include([m4/ltsugar.m4])
|
||||
+m4_include([m4/ltversion.m4])
|
||||
+m4_include([m4/lt~obsolete.m4])
|
67
sudo-1.7.4p3-sudolist.patch
Normal file
67
sudo-1.7.4p3-sudolist.patch
Normal file
@ -0,0 +1,67 @@
|
||||
diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
|
||||
--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
|
||||
+++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
|
||||
@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
|
||||
|
||||
/*
|
||||
* Only check the actual command if pwflag is not set.
|
||||
- * It is set for the "validate", "list" and "kill" pseudo-commands.
|
||||
- * Always check the host and user.
|
||||
+ * It is set for the "sudovalidate", "sudolist" and "sudokill"
|
||||
+ * pseudo-commands. Always check the host and user.
|
||||
*/
|
||||
if (pwflag) {
|
||||
int nopass;
|
||||
diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
|
||||
--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
|
||||
+++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
|
||||
@@ -232,7 +232,7 @@ main(argc, argv, envp)
|
||||
|
||||
pwflag = 0;
|
||||
if (ISSET(sudo_mode, MODE_SHELL))
|
||||
- user_cmnd = "shell";
|
||||
+ user_cmnd = "sudoshell";
|
||||
else if (ISSET(sudo_mode, MODE_EDIT))
|
||||
user_cmnd = "sudoedit";
|
||||
else {
|
||||
@@ -245,12 +245,12 @@ main(argc, argv, envp)
|
||||
break;
|
||||
case MODE_VALIDATE:
|
||||
case MODE_VALIDATE|MODE_INVALIDATE:
|
||||
- user_cmnd = "validate";
|
||||
+ user_cmnd = "sudovalidate";
|
||||
pwflag = I_VERIFYPW;
|
||||
break;
|
||||
case MODE_KILL:
|
||||
case MODE_INVALIDATE:
|
||||
- user_cmnd = "kill";
|
||||
+ user_cmnd = "sudokill";
|
||||
pwflag = -1;
|
||||
break;
|
||||
case MODE_LISTDEFS:
|
||||
@@ -259,7 +259,7 @@ main(argc, argv, envp)
|
||||
break;
|
||||
case MODE_LIST:
|
||||
case MODE_LIST|MODE_INVALIDATE:
|
||||
- user_cmnd = "list";
|
||||
+ user_cmnd = "sudolist";
|
||||
pwflag = I_LISTPW;
|
||||
break;
|
||||
case MODE_CHECK:
|
||||
@@ -701,13 +701,13 @@ init_vars(envp)
|
||||
set_perms(PERM_ROOT);
|
||||
|
||||
/*
|
||||
- * If we were given the '-e', '-i' or '-s' options we need to redo
|
||||
+ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
|
||||
* NewArgv and NewArgc.
|
||||
*/
|
||||
- if (ISSET(sudo_mode, MODE_EDIT)) {
|
||||
+ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
|
||||
NewArgv--;
|
||||
NewArgc++;
|
||||
- NewArgv[0] = "sudoedit";
|
||||
+ NewArgv[0] = user_cmnd;
|
||||
} else if (ISSET(sudo_mode, MODE_SHELL)) {
|
||||
char **av;
|
||||
|
39
sudo-1.7.4p4-getgrouplist.patch
Normal file
39
sudo-1.7.4p4-getgrouplist.patch
Normal file
@ -0,0 +1,39 @@
|
||||
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
|
||||
--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
|
||||
+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
|
||||
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
|
||||
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
|
||||
strftime setrlimit initgroups getgroups fstat gettimeofday \
|
||||
regcomp setlocale getaddrinfo setenv vhangup \
|
||||
- mbr_check_membership setrlimit64)
|
||||
+ mbr_check_membership setrlimit64 getgrouplist)
|
||||
AC_CHECK_FUNCS(getline, [], [
|
||||
AC_LIBOBJ(getline)
|
||||
AC_CHECK_FUNCS(fgetln)
|
||||
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
|
||||
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
|
||||
+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
|
||||
@@ -628,5 +628,23 @@ user_in_group(pw, group)
|
||||
}
|
||||
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
|
||||
|
||||
+#ifdef HAVE_GETGROUPLIST
|
||||
+ {
|
||||
+ gid_t *grouplist, grouptmp;
|
||||
+ int n_groups, i;
|
||||
+ n_groups = 1;
|
||||
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
|
||||
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
|
||||
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
|
||||
+ for (i = 0; i < n_groups; i++)
|
||||
+ if (grouplist[i] == grp->gr_gid) {
|
||||
+ free(grouplist);
|
||||
+ return(TRUE);
|
||||
+ }
|
||||
+ free(grouplist);
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* HAVE_GETGROUPLIST */
|
||||
+
|
||||
return(FALSE);
|
||||
}
|
45
sudo.spec
45
sudo.spec
@ -1,8 +1,8 @@
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.7.2p6
|
||||
Release: 2%{?dist}
|
||||
License: BSD
|
||||
Version: 1.7.4p4
|
||||
Release: 1%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
|
||||
@ -22,17 +22,14 @@ BuildRequires: sendmail
|
||||
|
||||
# don't strip
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# use specific PAM session for sudo -i (#198755)
|
||||
Patch2: sudo-1.7.2p1-login.patch
|
||||
# configure.in fix
|
||||
Patch3: sudo-1.7.2p1-envdebug.patch
|
||||
Patch4: sudo-1.7.1-libtool.patch
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
# add m4/ to paths in aclocal.m4
|
||||
Patch3: sudo-1.7.4p3-m4path.patch
|
||||
# don't emalloc(0)
|
||||
Patch4: sudo-1.7.4p3-sudolist.patch
|
||||
# getgrouplist() to determine group membership (#235915)
|
||||
Patch5: sudo-1.7.2p4-getgrouplist.patch
|
||||
# audit support improvement
|
||||
Patch6: sudo-1.7.2p6-audit.patch
|
||||
# insufficient environment sanitization issue (#598154)
|
||||
Patch7: sudo-1.7.2p2-envsanitize.patch
|
||||
Patch5: sudo-1.7.4p4-getgrouplist.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
@ -47,17 +44,16 @@ on many different machines.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .login
|
||||
%patch3 -p1 -b .envdebug
|
||||
%patch4 -p1 -b .libtool
|
||||
%patch2 -p1 -b .envdebug
|
||||
%patch3 -p1 -b .m4path
|
||||
%patch4 -p1 -b .sudolist
|
||||
%patch5 -p1 -b .getgrouplist
|
||||
%patch6 -p1 -b .audit
|
||||
%patch7 -p1 -b .envsanitize
|
||||
|
||||
%build
|
||||
# handle newer autoconf
|
||||
rm acsite.m4
|
||||
rm -f acsite.m4
|
||||
mv aclocal.m4 acinclude.m4
|
||||
autoreconf -fv --install
|
||||
|
||||
@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
|
||||
--prefix=%{_prefix} \
|
||||
--sbindir=%{_sbindir} \
|
||||
--libdir=%{_libdir} \
|
||||
--docdir=%{_datadir}/doc/%{name}-%{version} \
|
||||
--with-logging=syslog \
|
||||
--with-logfac=authpriv \
|
||||
--with-pam \
|
||||
@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
|
||||
--with-ldap \
|
||||
--with-selinux \
|
||||
--with-passprompt="[sudo] password for %p: " \
|
||||
--with-audit
|
||||
--with-linux-audit
|
||||
# --without-kerb5 \
|
||||
# --without-kerb4
|
||||
make
|
||||
@ -122,7 +119,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
|
||||
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
|
||||
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
|
||||
%attr(0440,root,root) %config(noreplace) /etc/sudoers
|
||||
%attr(0750,root,root) %dir /etc/sudoers.d/
|
||||
@ -131,6 +128,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%dir /var/run/sudo
|
||||
%attr(4111,root,root) %{_bindir}/sudo
|
||||
%attr(4111,root,root) %{_bindir}/sudoedit
|
||||
%attr(0111,root,root) %{_bindir}/sudoreplay
|
||||
%attr(0755,root,root) %{_sbindir}/visudo
|
||||
%attr(0755,root,root) %{_libexecdir}/sesh
|
||||
%{_libexecdir}/sudo_noexec.*
|
||||
@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man5/sudoers.ldap.5*
|
||||
%{_mandir}/man8/sudo.8*
|
||||
%{_mandir}/man8/sudoedit.8*
|
||||
%{_mandir}/man8/sudoreplay.8*
|
||||
%{_mandir}/man8/visudo.8*
|
||||
|
||||
# Make sure permissions are ok even if we're updating
|
||||
@ -145,6 +144,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||
/bin/chmod 0440 /etc/sudoers || :
|
||||
|
||||
%changelog
|
||||
* Tue Sep 7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
|
||||
- update to new upstream version
|
||||
- new command available: sudoreplay
|
||||
- use native audit support
|
||||
- corrected license field value: BSD -> ISC
|
||||
|
||||
* Wed Jun 2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
|
||||
- added patch that fixes insufficient environment sanitization issue (#598154)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user