From 520e07da9c0f76146fcbc90b2c5b8954efb9d737 Mon Sep 17 00:00:00 2001 From: dnk Date: Tue, 7 Sep 2010 16:28:31 +0200 Subject: [PATCH] - update to new upstream version - new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC --- .gitignore | 2 + sources | 2 +- sudo-1.7.4p3-m4path.patch | 17 +++++++++ sudo-1.7.4p3-sudolist.patch | 67 +++++++++++++++++++++++++++++++++ sudo-1.7.4p4-getgrouplist.patch | 39 +++++++++++++++++++ sudo.spec | 45 ++++++++++++---------- 6 files changed, 151 insertions(+), 21 deletions(-) create mode 100644 sudo-1.7.4p3-m4path.patch create mode 100644 sudo-1.7.4p3-sudolist.patch create mode 100644 sudo-1.7.4p4-getgrouplist.patch
diff --git a/.gitignore b/.gitignore
index 79d1947..caa2d6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 sudo-1.7.2p6.tar.gz
 sudo-1.7.2p2-sudoers
+/sudo-1.7.4p4.tar.gz
+/sudo-1.7.2p2-sudoers
diff --git a/sources b/sources
index e8d3499..e748005 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c4f1a43e8ba94f6bf06d2211442148c4 sudo-1.7.2p6.tar.gz
+55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
 d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers
diff --git a/sudo-1.7.4p3-m4path.patch b/sudo-1.7.4p3-m4path.patch
new file mode 100644
index 0000000..b1f8e1b
--- /dev/null
+++ b/sudo-1.7.4p3-m4path.patch
@@ -0,0 +1,17 @@
+diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
+--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
++++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
+@@ -368,8 +368,8 @@ EOF
+ dnl
+ dnl Pull in libtool macros
+ dnl
+-m4_include([libtool.m4])
+-m4_include([ltoptions.m4])
+-m4_include([ltsugar.m4])
+-m4_include([ltversion.m4])
+-m4_include([lt~obsolete.m4])
++m4_include([m4/libtool.m4])
++m4_include([m4/ltoptions.m4])
++m4_include([m4/ltsugar.m4])
++m4_include([m4/ltversion.m4])
++m4_include([m4/lt~obsolete.m4])
diff --git a/sudo-1.7.4p3-sudolist.patch b/sudo-1.7.4p3-sudolist.patch
new file mode 100644
index 0000000..e75b445
--- /dev/null
+++ b/sudo-1.7.4p3-sudolist.patch
@@ -0,0 +1,67 @@
+diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
+--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
++++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
+@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
+
+ /*
+ * Only check the actual command if pwflag is not set.
+- * It is set for the "validate", "list" and "kill" pseudo-commands.
+- * Always check the host and user.
++ * It is set for the "sudovalidate", "sudolist" and "sudokill"
++ * pseudo-commands. Always check the host and user.
+ */
+ if (pwflag) {
+ int nopass;
+diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
+--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
++++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
+@@ -232,7 +232,7 @@ main(argc, argv, envp)
+
+ pwflag = 0;
+ if (ISSET(sudo_mode, MODE_SHELL))
+- user_cmnd = "shell";
++ user_cmnd = "sudoshell";
+ else if (ISSET(sudo_mode, MODE_EDIT))
+ user_cmnd = "sudoedit";
+ else {
+@@ -245,12 +245,12 @@ main(argc, argv, envp)
+ break;
+ case MODE_VALIDATE:
+ case MODE_VALIDATE|MODE_INVALIDATE:
+- user_cmnd = "validate";
++ user_cmnd = "sudovalidate";
+ pwflag = I_VERIFYPW;
+ break;
+ case MODE_KILL:
+ case MODE_INVALIDATE:
+- user_cmnd = "kill";
++ user_cmnd = "sudokill";
+ pwflag = -1;
+ break;
+ case MODE_LISTDEFS:
+@@ -259,7 +259,7 @@ main(argc, argv, envp)
+ break;
+ case MODE_LIST:
+ case MODE_LIST|MODE_INVALIDATE:
+- user_cmnd = "list";
++ user_cmnd = "sudolist";
+ pwflag = I_LISTPW;
+ break;
+ case MODE_CHECK:
+@@ -701,13 +701,13 @@ init_vars(envp)
+ set_perms(PERM_ROOT);
+
+ /*
+- * If we were given the '-e', '-i' or '-s' options we need to redo
++ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
+ * NewArgv and NewArgc.
+ */
+- if (ISSET(sudo_mode, MODE_EDIT)) {
++ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
+ NewArgv--;
+ NewArgc++;
+- NewArgv[0] = "sudoedit";
++ NewArgv[0] = user_cmnd;
+ } else if (ISSET(sudo_mode, MODE_SHELL)) {
+ char **av;
+
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist.patch
new file mode 100644
index 0000000..dd584e7
--- /dev/null
+++ b/sudo-1.7.4p4-getgrouplist.patch
@@ -0,0 +1,39 @@
+diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
+--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
++++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
+@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ strftime setrlimit initgroups getgroups fstat gettimeofday \
+ regcomp setlocale getaddrinfo setenv vhangup \
+- mbr_check_membership setrlimit64)
++ mbr_check_membership setrlimit64 getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+ AC_LIBOBJ(getline)
+ AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
+--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
++++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
+@@ -628,5 +628,23 @@ user_in_group(pw, group)
+ }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+
++#ifdef HAVE_GETGROUPLIST
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ return(TRUE);
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+ return(FALSE);
+ }
diff --git a/sudo.spec b/sudo.spec
index c234515..abb7a27 100644
--- a/sudo.spec
+++ b/sudo.spec
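Review bot: In the init_vars() part of sudo-1.7.4p3-sudolist.patch, `NewArgv[0] = user_cmnd;` is now reached for list mode as well as edit mode, yet nothing in the patch says why `-l` needs a synthetic argv[0]; sudo.spec describes the patch only as "don't emalloc(0)". A comment above the branch would record the intent, for example `/* -l carries no command words; reserve argv[0] so NewArgc is never 0 here */`, with the wording checked against the code that consumes NewArgv, which is outside the hunk. The assignment also relies on main() having set user_cmnd before init_vars() runs, and that call order is not visible in these hunks. Since the pseudo-command strings change to `sudoshell`, `sudovalidate`, `sudokill` and `sudolist`, any log parsing or alerting keyed on the old names wherever user_cmnd is recorded should be checked.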
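Review bot: Both added getgrouplist() calls in user_in_group() pass `user_name` and `user_gid` rather than the `pw` argument the function receives. Those two names are defined outside the hunk; if they refer to the invoking user, the membership result describes the wrong account whenever the function is called for another passwd entry, and a group-based rule can then match or miss incorrectly. Tying the lookup to the argument avoids that: `getgrouplist(pw->pw_name, pw->pw_gid, &grouptmp, &n_groups)`, and the same two arguments in the second call. The `> 0` test on the second call treats a return of 0 as failure, so a short comment stating which libc return convention is assumed would help. The start of user_in_group() is outside the hunk.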
@@ -1,8 +1,8 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.7.2p6 -Release: 2%{?dist} -License: BSD +Version: 1.7.4p4 +Release: 1%{?dist} +License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz @@ -22,17 +22,14 @@ BuildRequires: sendmail # don't strip Patch1: sudo-1.6.7p5-strip.patch -# use specific PAM session for sudo -i (#198755) -Patch2: sudo-1.7.2p1-login.patch # configure.in fix -Patch3: sudo-1.7.2p1-envdebug.patch -Patch4: sudo-1.7.1-libtool.patch +Patch2: sudo-1.7.2p1-envdebug.patch +# add m4/ to paths in aclocal.m4 +Patch3: sudo-1.7.4p3-m4path.patch +# don't emalloc(0) +Patch4: sudo-1.7.4p3-sudolist.patch # getgrouplist() to determine group membership (#235915) -Patch5: sudo-1.7.2p4-getgrouplist.patch -# audit support improvement -Patch6: sudo-1.7.2p6-audit.patch -# insufficient environment sanitization issue (#598154) -Patch7: sudo-1.7.2p2-envsanitize.patch +Patch5: sudo-1.7.4p4-getgrouplist.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -47,17 +44,16 @@ on many different machines. %prep %setup -q + %patch1 -p1 -b .strip -%patch2 -p1 -b .login -%patch3 -p1 -b .envdebug -%patch4 -p1 -b .libtool +%patch2 -p1 -b .envdebug +%patch3 -p1 -b .m4path +%patch4 -p1 -b .sudolist %patch5 -p1 -b .getgrouplist -%patch6 -p1 -b .audit -%patch7 -p1 -b .envsanitize %build # handle newer autoconf -rm acsite.m4 +rm -f acsite.m4 mv aclocal.m4 acinclude.m4 autoreconf -fv --install @@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie" --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ + --docdir=%{_datadir}/doc/%{name}-%{version} \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ 
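Review bot: The patch-list hunk (`@@ -22,17 +22,14 @@`) removes `sudo-1.7.2p2-envsanitize.patch`, the fix for the environment sanitization issue (#598154), and `sudo-1.7.2p1-login.patch` (#198755), and neither the spec comments nor the new changelog entry says what replaces them. If 1.7.4p4 already contains both fixes, record that, for example with a changelog line such as `- dropped envsanitize (#598154) and login (#198755) patches, included upstream`; if that has not been verified, it should be checked before the rebase ships. The comment `# don't emalloc(0)` on Patch4 also does not match what sudo-1.7.4p3-sudolist.patch visibly does, which is rename the pseudo-commands and extend the NewArgv rewrite to list mode. The matching `%patch` removals are in the `@@ -47,17 +44,16 @@` hunk.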
@@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --with-audit + --with-linux-audit # --without-kerb5 \ # --without-kerb4 make @@ -122,7 +119,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) -%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE +%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE %doc sudoers.ldap.pod schema.* sudoers2ldif sample.* %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ @@ -131,6 +128,7 @@ rm -rf $RPM_BUILD_ROOT %dir /var/run/sudo %attr(4111,root,root) %{_bindir}/sudo %attr(4111,root,root) %{_bindir}/sudoedit +%attr(0111,root,root) %{_bindir}/sudoreplay %attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_libexecdir}/sesh %{_libexecdir}/sudo_noexec.* @@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man8/sudo.8* %{_mandir}/man8/sudoedit.8* +%{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/visudo.8* # Make sure permissions are ok even if we're updating @@ -145,6 +144,12 @@ rm -rf $RPM_BUILD_ROOT /bin/chmod 0440 /etc/sudoers || : %changelog +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 +- update to new upstream version +- new command available: sudoreplay +- use native audit support +- corrected license field value: BSD -> ISC + * Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 - added patch that fixes insufficient environment sanitization issue (#598154)