RHEL 10.0 ERRATUM

- sudo-1.9.15-2.p5.el10: RHEL SAST Automation: address 4 High impact true positive(s) Resolves: RHEL-44436 - sudo subpackage sudo-logsrvd should not be built Resolves: RHEL-52864
2024-08-19 07:21:14 +02:00 · 2024-08-19 07:21:14 +02:00 · 8469017bb7
commit 8469017bb7
parent f089015077
3 changed files with 159 additions and 34 deletions
--- a/coverity.patch
+++ b/coverity.patch
@ -0,0 +1,37 @@
+diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.fix	2024-08-19 06:34:03.914643249 +0200
+++ ./plugins/sudoers/auth/pam.c	2024-08-19 06:48:46.136167294 +0200
+@@ -454,11 +454,6 @@ sudo_pam_begin_session(const struct sudo
+     if (pw == NULL) {
+ 	if (pamh != NULL) {
+ 	    rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+-	    if (rc != PAM_SUCCESS) {
+-		errstr = sudo_pam_strerror(pamh, rc);
+-		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		    "pam_end: %s", errstr);
+-	    }
+ 	    pamh = NULL;
+ 	}
+ 	goto done;
+@@ -517,11 +512,6 @@ sudo_pam_begin_session(const struct sudo
+ 	    errstr = sudo_pam_strerror(pamh, rc);
+ 	    log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
+ 	    rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+-	    if (rc != PAM_SUCCESS) {
+-		errstr = sudo_pam_strerror(pamh, rc);
+-		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		    "pam_end: %s", errstr);
+-	    }
+ 	    pamh = NULL;
+ 	    status = AUTH_ERROR;
+ 	    goto done;
+@@ -577,9 +567,6 @@ sudo_pam_end_session(sudo_auth *auth)
+ 	}
+ 	rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+ 	if (rc != PAM_SUCCESS) {
+-	    errstr = sudo_pam_strerror(pamh, rc);
+-	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		"pam_end: %s", errstr);
+ 	    status = AUTH_ERROR;
+ 	}
+ 	pamh = NULL;
--- a/sudo-ldap.conf
+++ b/sudo-ldap.conf
@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
--- a/sudo.spec
+++ b/sudo.spec
@ -13,6 +13,7 @@ License: ISC
 URL: https://www.sudo.ws
 Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz
 Source1: sudoers
+Source2: sudo-ldap.conf
 Requires: pam
 Recommends: system-default-editor
 Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
@ -30,6 +31,9 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: gettext
 BuildRequires: zlib-devel

+
+Patch1: coverity.patch
+
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@ -49,17 +53,6 @@ Requires:       %{name} = %{version}-%{release}
 The %{name}-devel package contains header files developing sudo
 plugins that use %{name}.

-
-%package        logsrvd
-Summary:        High-performance log server for %{name}
-Requires:       %{name} = %{version}-%{release}
-BuildRequires:  openssl-devel
-
-
-%description    logsrvd
-%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
-It can be used to implement centralized logging of sudo logs.
-
 %package        python-plugin
 Summary:        Python plugin for %{name}
 Requires:       %{name} = %{version}-%{release}
@ -84,24 +77,28 @@ F_PIE=-fpie

 export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

+
 %configure \
        --prefix=%{_prefix} \
        --sbindir=%{_sbindir} \
        --libdir=%{_libdir} \
        --docdir=%{_pkgdocdir} \
        --enable-tmpfiles.d=%{_tmpfilesdir} \
-        --enable-openssl \
+        --disable-openssl \
        --disable-root-mailer \
-        --disable-intercept \
+        --enable-intercept \
+        --disable-log-server \
+        --disable-log-client \
        --with-logging=syslog \
        --with-logfac=authpriv \
        --with-pam \
        --with-pam-login \
-        --with-editor=%{_bindir}/nano:%{_bindir}/vim:%{_bindir}/vi \
+        --with-editor=/usr/bin/vi \
        --with-env-editor \
        --with-ignore-dot \
        --with-tty-tickets \
        --with-ldap \
+        --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
        --with-selinux \
        --with-sendmail=/usr/sbin/sendmail \
        --with-passprompt="[sudo] password for %p: " \
@ -109,8 +106,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
        --enable-zlib=system \
        --with-linux-audit \
        --with-sssd
-#       --without-kerb5 \
-#       --without-kerb4
+
 make

 %check
@ -118,6 +114,10 @@ make check

 %install
 rm -rf $RPM_BUILD_ROOT
+
+# Update README.LDAP (#736653)
+sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP.md
+
 make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

 chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
@ -125,6 +125,17 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
+install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
+
+# create sudo-ldap.conf man
+echo ".so man5/sudoers.ldap.5" > sudo-ldap.conf.5
+gzip sudo-ldap.conf.5
+install -p -c -m 0644 sudo-ldap.conf.5.gz $RPM_BUILD_ROOT/%{_mandir}/man5/sudo-ldap.conf.5.gz
+rm -f sudo-ldap.conf.5.gz
+
+# we are not building sendlog so we don't need this
+rm -rf $RPM_BUILD_ROOT/%{_mandir}/man8/sudo_sendlog.8
+
 #add sudo to protected packages
 install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
 touch sudo.conf
@ -134,9 +145,6 @@ rm -f sudo.conf

 chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files

-# Don't package LICENSE as a doc
-rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
-
 # Remove examples; Examples can be found in man pages too.
 rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo

@ -172,62 +180,56 @@ session    optional     pam_keyinit.so force revoke
 session    include      sudo
 EOF

-
 %files -f sudo_all.lang
 %defattr(-,root,root)
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
+%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
 %attr(0750,root,root) %dir /etc/sudoers.d/
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
-%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
 %{_bindir}/sudoedit
+%{_bindir}/cvtsudoers
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
-%{_bindir}/cvtsudoers
 %dir %{_libexecdir}/sudo
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
 %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
-%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_intercept.so
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
 %{_libexecdir}/sudo/libsudo_util.so.?
 %{_libexecdir}/sudo/libsudo_util.so
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo-ldap.conf.5*
 %{_mandir}/man5/sudo.conf.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
-%{_mandir}/man1/cvtsudoers.1.gz
-%{_mandir}/man5/sudoers_timestamp.5.gz
+%{_mandir}/man1/cvtsudoers.1*
+%{_mandir}/man5/sudoers_timestamp.5*
 %dir %{_pkgdocdir}/
 %{_pkgdocdir}/*
 %{!?_licensedir:%global license %%doc}
 %license LICENSE.md
 %exclude %{_pkgdocdir}/ChangeLog

+
 %files devel
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man5/sudo_plugin.5*

-%files logsrvd
-%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
-%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
-%attr(0755,root,root) %{_sbindir}/sudo_sendlog
-%{_mandir}/man5/sudo_logsrv.proto.5.gz
-%{_mandir}/man5/sudo_logsrvd.conf.5.gz
-%{_mandir}/man8/sudo_logsrvd.8.gz
-%{_mandir}/man8/sudo_sendlog.8.gz
-
 %files python-plugin
 %{_mandir}/man5/sudo_plugin_python.5.gz
 %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so