RHEL 10.0 ERRATUM

- sudo-1.9.15-2.p5.el10: RHEL SAST Automation: address 4 High impact true positive(s)
Resolves: RHEL-44436
- sudo subpackage sudo-logsrvd should not be built
Resolves: RHEL-52864
Radovan Sroka 2024-08-19 07:21:14 +02:00
parent f089015077
commit 8469017bb7
3 changed files with 159 additions and 34 deletions

37
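--- a/coverity.patch
+++ b/coverity.patch
@@ -0,0 +1,37 @@
+diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.fix 2024-08-19 06:34:03.914643249 +0200
++++ ./plugins/sudoers/auth/pam.c 2024-08-19 06:48:46.136167294 +0200
+@@ -454,11 +454,6 @@ sudo_pam_begin_session(const struct sudo
+if (pw == NULL) {
+if (pamh != NULL) {
+rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+- if (rc != PAM_SUCCESS) {
+- errstr = sudo_pam_strerror(pamh, rc);
+- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+- "pam_end: %s", errstr);
+- }
+pamh = NULL;
+}
+goto done;
+@@ -517,11 +512,6 @@ sudo_pam_begin_session(const struct sudo
+errstr = sudo_pam_strerror(pamh, rc);
+log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
+rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+- if (rc != PAM_SUCCESS) {
+- errstr = sudo_pam_strerror(pamh, rc);
+- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+- "pam_end: %s", errstr);
+- }
+pamh = NULL;
+status = AUTH_ERROR;
+goto done;
+@@ -577,9 +567,6 @@ sudo_pam_end_session(sudo_auth *auth)
+}
+rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+if (rc != PAM_SUCCESS) {
+- errstr = sudo_pam_strerror(pamh, rc);
+- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+- "pam_end: %s", errstr);
+status = AUTH_ERROR;
+}
+pamh = NULL;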
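Review bot: The patch silences the finding by dropping the pam_end() failure diagnostic in all three pam.c hunks, whereas the defect Coverity presumably reports is narrower: `sudo_pam_strerror(pamh, rc)` runs after `pam_end(pamh, ...)` has released the handle, so only that dereference needs to go, not the report. Logging the return code without touching the freed handle keeps the debug trail, e.g. `sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "pam_end: error %d", rc);` in place of each removed block. In the third hunk (`sudo_pam_end_session`) `status = AUTH_ERROR` is rightly kept so only the message is lost, but in the first two hunks the result of `pam_end` is now ignored entirely. Both enclosing functions start and end outside the quoted hunks, and this page has stripped the hunks' leading indentation, so the rebuilt context lines above are unindented.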

86
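--- a/sudo-ldap.conf
+++ b/sudo-ldap.conf
+## BINDDN DN
+## The BINDDN parameter specifies the identity, in the form of a Dis
+## tinguished Name (DN), to use when performing LDAP operations. If
+## not specified, LDAP operations are performed with an anonymous
+## identity. By default, most LDAP servers will allow anonymous
+## access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+## BINDPW secret
+## The BINDPW parameter specifies the password to use when performing
+## LDAP operations. This is typically used in conjunction with the
+## BINDDN parameter.
+##
+#bindpw secret
+## SSL start_tls
+## If the SSL parameter is set to start_tls, the LDAP server connec
+## tion is initiated normally and TLS encryption is begun before the
+## bind credentials are sent. This has the advantage of not requiring
+## a dedicated port for encrypted communications. This parameter is
+## only supported by LDAP servers that honor the start_tls extension,
+## such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+## TLS_CACERTFILE file name
+## The path to a certificate authority bundle which contains the cer
+## tificates for all the Certificate Authorities the client knows to
+## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup
+## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
+## use the same certificate database for CA and client certificates
+## (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+## TLS_CHECKPEER on/true/yes/off/false/no
+## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi
+## cated to be verified. If the server's TLS certificate cannot be
+## verified (usually because it is signed by an unknown certificate
+## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
+## is disabled, no check is made. Note that disabling the check cre
+## ates an opportunity for man-in-the-middle attacks since the
+## server's identity will not be authenticated. If possible, the CA's
+## certificate should be installed locally so it can be verified.
+## This option is not supported by the Tivoli Directory Server LDAP
+## libraries.
+#tls_checkpeer yes
+##
+## URI ldap[s]://[hostname[:port]] ...
+## Specifies a whitespace-delimited list of one or more
+## URIs describing the LDAP server(s) to connect to.
+##
+#uri ldap://ldapserver
+##
+## SUDOERS_BASE base
+## The base DN to use when performing sudo LDAP queries.
+## Multiple SUDOERS_BASE lines may be specified, in which
+## case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+##
+## BIND_TIMELIMIT seconds
+## The BIND_TIMELIMIT parameter specifies the amount of
+## time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+##
+## TIMELIMIT seconds
+## The TIMELIMIT parameter specifies the amount of time
+## to wait for a response to an LDAP query.
+##
+#timelimit 30
+##
+## SUDOERS_DEBUG debug_level
+## This sets the debug level for sudo LDAP queries. Debugging
+## information is printed to the standard error. A value of 1
+## results in a moderate amount of debugging information.
+## A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1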
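Review bot: The explanatory comments carry word-break artifacts from the man page they were copied from (`Dis tinguished`, `connec tion`, `cer tificates`, `sup ported`, `certifi cated`, `cre ates`), and `certifi cated` should read `certificate`; joining those fragments would make the shipped file readable as-is. The file is the one place an administrator will put `bindpw`, and the spec installs it as `%config(noreplace)` with mode 0640 root:root, which is the right choice; a one-line comment next to `#bindpw secret` such as `## If a password is set here, keep this file unreadable to unprivileged users.` would make that dependency visible to anyone editing it. The `#uri ldap://ldapserver` example sits with both `#ssl start_tls` and `#tls_checkpeer yes` commented out, so the surrounding text could state plainly that bind credentials over a plain `ldap://` URI are sent unencrypted unless `ssl start_tls` is enabled. This page appears to have dropped the file's blank lines (the header announces 86 lines, 77 are shown), so the rebuilt section above is shorter than the committed file.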


@ -13,6 +13,7 @@ License: ISC
URL: https://www.sudo.ws URL: https://www.sudo.ws
Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz
Source1: sudoers Source1: sudoers
Source2: sudo-ldap.conf
Requires: pam Requires: pam
Recommends: system-default-editor Recommends: system-default-editor
Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
@ -30,6 +31,9 @@ BuildRequires: systemd-rpm-macros
BuildRequires: gettext BuildRequires: gettext
BuildRequires: zlib-devel BuildRequires: zlib-devel
Patch1: coverity.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands users (or groups of users) the ability to run some (or all) commands
@ -49,17 +53,6 @@ Requires: %{name} = %{version}-%{release}
The %{name}-devel package contains header files developing sudo The %{name}-devel package contains header files developing sudo
plugins that use %{name}. plugins that use %{name}.
%package logsrvd
Summary: High-performance log server for %{name}
Requires: %{name} = %{version}-%{release}
BuildRequires: openssl-devel
%description logsrvd
%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
It can be used to implement centralized logging of sudo logs.
%package python-plugin %package python-plugin
Summary: Python plugin for %{name} Summary: Python plugin for %{name}
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
@ -84,24 +77,28 @@ F_PIE=-fpie
export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
%configure \ %configure \
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--sbindir=%{_sbindir} \ --sbindir=%{_sbindir} \
--libdir=%{_libdir} \ --libdir=%{_libdir} \
--docdir=%{_pkgdocdir} \ --docdir=%{_pkgdocdir} \
--enable-tmpfiles.d=%{_tmpfilesdir} \ --enable-tmpfiles.d=%{_tmpfilesdir} \
--enable-openssl \ --disable-openssl \
--disable-root-mailer \ --disable-root-mailer \
--disable-intercept \ --enable-intercept \
--disable-log-server \
--disable-log-client \
--with-logging=syslog \ --with-logging=syslog \
--with-logfac=authpriv \ --with-logfac=authpriv \
--with-pam \ --with-pam \
--with-pam-login \ --with-pam-login \
--with-editor=%{_bindir}/nano:%{_bindir}/vim:%{_bindir}/vi \ --with-editor=/usr/bin/vi \
--with-env-editor \ --with-env-editor \
--with-ignore-dot \ --with-ignore-dot \
--with-tty-tickets \ --with-tty-tickets \
--with-ldap \ --with-ldap \
--with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
--with-selinux \ --with-selinux \
--with-sendmail=/usr/sbin/sendmail \ --with-sendmail=/usr/sbin/sendmail \
--with-passprompt="[sudo] password for %p: " \ --with-passprompt="[sudo] password for %p: " \
@ -109,8 +106,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--enable-zlib=system \ --enable-zlib=system \
--with-linux-audit \ --with-linux-audit \
--with-sssd --with-sssd
# --without-kerb5 \
# --without-kerb4
make make
%check %check
@ -118,6 +114,10 @@ make check
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
# Update README.LDAP (#736653)
sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP.md
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
@ -125,6 +125,17 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
# create sudo-ldap.conf man
echo ".so man5/sudoers.ldap.5" > sudo-ldap.conf.5
gzip sudo-ldap.conf.5
install -p -c -m 0644 sudo-ldap.conf.5.gz $RPM_BUILD_ROOT/%{_mandir}/man5/sudo-ldap.conf.5.gz
rm -f sudo-ldap.conf.5.gz
# we are not building sendlog so we don't need this
rm -rf $RPM_BUILD_ROOT/%{_mandir}/man8/sudo_sendlog.8
#add sudo to protected packages #add sudo to protected packages
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/ install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
touch sudo.conf touch sudo.conf
@ -134,9 +145,6 @@ rm -f sudo.conf
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
# Don't package LICENSE as a doc
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
# Remove examples; Examples can be found in man pages too. # Remove examples; Examples can be found in man pages too.
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
@ -172,62 +180,56 @@ session optional pam_keyinit.so force revoke
session include sudo session include sudo
EOF EOF
%files -f sudo_all.lang %files -f sudo_all.lang
%defattr(-,root,root) %defattr(-,root,root)
%attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
%attr(0750,root,root) %dir /etc/sudoers.d/ %attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i %config(noreplace) /etc/pam.d/sudo-i
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%dir /var/db/sudo %dir /var/db/sudo
%dir /var/db/sudo/lectured %dir /var/db/sudo/lectured
%attr(4111,root,root) %{_bindir}/sudo %attr(4111,root,root) %{_bindir}/sudo
%{_bindir}/sudoedit %{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0111,root,root) %{_bindir}/sudoreplay %attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_sbindir}/visudo
%{_bindir}/cvtsudoers
%dir %{_libexecdir}/sudo %dir %{_libexecdir}/sudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0755,root,root) %{_libexecdir}/sudo/sesh
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_intercept.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
%{_libexecdir}/sudo/libsudo_util.so.? %{_libexecdir}/sudo/libsudo_util.so.?
%{_libexecdir}/sudo/libsudo_util.so %{_libexecdir}/sudo/libsudo_util.so
%{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man5/sudo-ldap.conf.5*
%{_mandir}/man5/sudo.conf.5* %{_mandir}/man5/sudo.conf.5*
%{_mandir}/man8/sudo.8* %{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8* %{_mandir}/man8/visudo.8*
%{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man1/cvtsudoers.1*
%{_mandir}/man5/sudoers_timestamp.5.gz %{_mandir}/man5/sudoers_timestamp.5*
%dir %{_pkgdocdir}/ %dir %{_pkgdocdir}/
%{_pkgdocdir}/* %{_pkgdocdir}/*
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license LICENSE.md %license LICENSE.md
%exclude %{_pkgdocdir}/ChangeLog %exclude %{_pkgdocdir}/ChangeLog
%files devel %files devel
%doc plugins/sample/sample_plugin.c %doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h %{_includedir}/sudo_plugin.h
%{_mandir}/man5/sudo_plugin.5* %{_mandir}/man5/sudo_plugin.5*
%files logsrvd
%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
%attr(0755,root,root) %{_sbindir}/sudo_sendlog
%{_mandir}/man5/sudo_logsrv.proto.5.gz
%{_mandir}/man5/sudo_logsrvd.conf.5.gz
%{_mandir}/man8/sudo_logsrvd.8.gz
%{_mandir}/man8/sudo_sendlog.8.gz
%files python-plugin %files python-plugin
%{_mandir}/man5/sudo_plugin_python.5.gz %{_mandir}/man5/sudo_plugin_python.5.gz
%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
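Review bot: The %configure hunk changes more than the two items in the commit message: alongside `--disable-log-server` and `--disable-log-client` it appears to turn `--enable-openssl` into `--disable-openssl`, `--disable-intercept` into `--enable-intercept` and the editor list into `--with-editor=/usr/bin/vi`, though this page has lost the old/new markers so the direction of each pair is read from print order and should be confirmed. Dropping OpenSSL is consistent with removing `BuildRequires: openssl-devel` together with the logsrvd subpackage, but sudo's configure describes `--enable-openssl` as covering its SHA-2 routines as well as TLS, so sudoers `Digest_Spec` checks presumably fall back to the bundled implementation — worth a %changelog line confirming that is intended. Enabling intercept ships `sudo_intercept.so` (now listed in %files) and is an opt-in sudoers feature, which likewise deserves a changelog mention, and the editor change is tied to neither RHEL ticket, so either record it or keep the previous list. Minor: the new install lines use `$RPM_BUILD_ROOT/%{_sysconfdir}` and `$RPM_BUILD_ROOT/%{_mandir}`, producing a doubled slash; the existing lines in the same hunk use `$RPM_BUILD_ROOT%{...}`. The %configure block continues past the quoted hunk.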