From 8729726fc17c029678991ffe5f8dc339a5740fcf Mon Sep 17 00:00:00 2001
From: Daniel Kopecek
Date: Tue, 1 Oct 2013 00:09:16 +0200
Subject: [PATCH] update to 1.8.8
- major changes & fixes:
  - LDAP SASL support now works properly with Kerberos
  - root may no longer change its SELinux role without entering a password
  - user messages are now always displayed in the user's locale, even when the same message is being logged or mailed in a different locale.
  - log files created by sudo now explicitly have the group set to group ID 0 rather than relying on BSD group semantics
  - sudo now stores its libexec files in a sudo subdirectory instead of in libexec itself
  - system_group and group_file sudoers group provider plugins are now installed by default
  - the paths to ldap.conf and ldap.secret may now be specified as arguments to the sudoers plugin in the sudo.conf file
  - ...and many new features and settings. See the upstream ChangeLog for the full list.
- several sssd support fixes
- added patch to make uid/gid specification parsing more strict (don't accept an invalid number as uid/gid)
- use the _pkgdocdir macro (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
- fixed several bugs found by the clang static analyzer
- added %post dependency on chmod
---
 .gitignore | 1 +
 sources | 2 +-
 sudo-1.8.8-clangbugs.patch | 60 +++++++++++++++++
 sudo-1.8.8-sssdfixes.patch | 119 ++++++++++++++++++++++++++++++++++
 sudo-1.8.8-strictuidgid.patch | 53 +++++++++++++++
 sudo.spec | 58 ++++++++++++++---
 6 files changed, 282 insertions(+), 11 deletions(-)
 create mode 100644 sudo-1.8.8-clangbugs.patch
 create mode 100644 sudo-1.8.8-sssdfixes.patch
 create mode 100644 sudo-1.8.8-strictuidgid.patch
diff --git a/.gitignore b/.gitignore
index 44949ff..420d45e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.8.6.tar.gz
 /sudo-1.8.6p3.tar.gz
 /sudo-1.8.6p7.tar.gz
+/sudo-1.8.8.tar.gz
diff --git a/sources b/sources
index 95bc198..97b27b4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
-126abfa2e841139e774d4c67d80f0e5b sudo-1.8.6p7.tar.gz
+fc4f074090afd56d9ff4ff4e97321971 sudo-1.8.8.tar.gz
diff --git a/sudo-1.8.8-clangbugs.patch b/sudo-1.8.8-clangbugs.patch
new file mode 100644
index 0000000..9d4f1cb
--- /dev/null
+++ b/sudo-1.8.8-clangbugs.patch
@@ -0,0 +1,60 @@
+diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
+--- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs 2013-09-30 23:41:07.899529555 +0200
++++ sudo-1.8.8/plugins/sudoers/auth/pam.c 2013-09-30 23:41:58.988707761 +0200
+@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
+ (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+ pamh = NULL;
+ status = AUTH_FAILURE;
++ goto done;
+ }
+ }
+ 
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs 2013-09-30 23:44:20.404200629 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:49:05.998194738 +0200
+@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
+ debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
+ 
+ if (nss && nss->handle) {
+- handle = nss->handle;
+- dlclose(handle->ssslib);
++ handle = nss->handle;
++ dlclose(handle->ssslib);
++ efree(nss->handle);
+ }
+-
+- efree(nss->handle);
+ debug_return_int(0);
+ }
+ 
+@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
+ sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
+ 
+ if (f_sss_result != NULL) {
+- if (f_sss_result->num_rules > 0) {
+- if (state != NULL) {
+- sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
+- *state |= _SUDO_SSS_STATE_HOSTMATCH;
++ if (f_sss_result->num_rules > 0) {
++ if (state != NULL) {
++ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
++ *state |= _SUDO_SSS_STATE_HOSTMATCH;
++ }
+ }
+- }
+- }
+ 
+- sudo_debug_printf(SUDO_DEBUG_DEBUG,
+- "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
+- u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++ sudo_debug_printf(SUDO_DEBUG_DEBUG,
++ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
++ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++ } else {
++ sudo_debug_printf(SUDO_DEBUG_DEBUG,
++ "u_sss_result=(%p, %u) => f_sss_result=NULL",
++ u_sss_result, u_sss_result->num_rules);
++ }
+ 
+ handle->fn_free_result(u_sss_result);
+ 
diff --git a/sudo-1.8.8-sssdfixes.patch b/sudo-1.8.8-sssdfixes.patch
new file mode 100644
index 0000000..31edde6
--- /dev/null
+++ b/sudo-1.8.8-sssdfixes.patch
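Review bot: `efree(nss->handle);` in sudo_sss_close frees the handle but leaves `nss->handle` pointing at the freed block, so the `if (nss && nss->handle)` guard at the top of the function can no longer distinguish a closed nss from an open one, and a second close on the same `struct sudo_nss` would dlclose and free through a dangling pointer. Adding `nss->handle = NULL;` directly after the `efree()` makes the guard effective. Whether any caller can close the same nss twice is not visible here, so treat this as hardening of the invariant the guard already expresses. The `goto done;` added in sudo_pam_begin_session depends on a `done:` label that lies outside the hunk; the remainder of both functions is not shown.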
@@ -0,0 +1,119 @@
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes 2013-09-30 23:18:49.641913457 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:25:54.819376696 +0200
+@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
+ * Walk through search results and return true if we have a runas match,
+ * else false. RunAs info is optional.
+ */
+-static int
++static bool
+ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+- int ret;
++ bool ret;
+ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
+ 
+ if (rule == NULL)
+- debug_return_int(false);
++ debug_return_bool(false);
+ 
+ ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ sudo_sss_check_runas_group(handle, rule) != false;
+ 
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ }
+ 
+-static int
++static bool
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+ char **val_array, *val;
+- int ret = false, i;
++ bool ret = false;
++ int i;
+ debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
+ 
+ if (rule == NULL)
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ 
+ /* get the values from the rule */
+ switch (handle->fn_get_values(rule, "sudoHost", &val_array))
+@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+- debug_return_int(false);
++ debug_return_bool(false);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+- debug_return_int(ret);
++ debug_return_bool(ret);
+ }
+ 
+ /* walk through values */
+@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+ handle->fn_free_values(val_array);
+ 
+- debug_return_int(ret);
++ debug_return_bool(ret);
++}
++
++/*
++ * Look for netgroup specifcations in the sudoUser attribute and
++ * if found, filter according to netgroup membership.
++ * returns:
++ * true -> netgroup spec found && negroup member
++ * false -> netgroup spec found && not a meber of netgroup
++ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
++ */
++bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
++{
++ bool ret = false, netgroup_spec_found = false;
++ char **val_array, *val;
++ int i;
++ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
++
++ if (!handle || !rule)
++ debug_return_bool(ret);
++
++ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
++ case 0:
++ break;
++ case ENOENT:
++ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
++ debug_return_bool(ret);
++ default:
++ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
++ debug_return_bool(ret);
++ }
++
++ for (i = 0; val_array[i] != NULL && !ret; ++i) {
++ val = val_array[i];
++ if (*val == '+') {
++ netgroup_spec_found = true;
++ }
++ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
++ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
++ ret = true;
++ sudo_debug_printf(SUDO_DEBUG_DIAG,
++ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
++ }
++ }
++ handle->fn_free_values(val_array);
++ debug_return_bool(netgroup_spec_found ? ret : true);
+ }
+ 
+ static int
+@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
+ (void)unused;
+ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
+ 
+- if (sudo_sss_check_host(handle, rule))
++ if (sudo_sss_check_host(handle, rule) &&
++ sudo_sss_filter_user_netgroup(handle, rule))
+ debug_return_int(1);
+ else
+ debug_return_int(0);
diff --git a/sudo-1.8.8-strictuidgid.patch b/sudo-1.8.8-strictuidgid.patch
new file mode 100644
index 0000000..ebb14ff
--- /dev/null
+++ b/sudo-1.8.8-strictuidgid.patch
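Review bot: sudo_sss_filter_user_netgroup only recognises `ALL` and `+netgroup` values, so a rule whose sudoUser attribute mixes a netgroup with a plain user or `%group` entry is rejected for a user who is listed by name as soon as one `+` entry is seen and no netgroup matches: `netgroup_spec_found` becomes true and neither `strcmp(val, "ALL")` nor netgr_matches(), which only handles `+`-prefixed names, can match the name entry. That fails closed, but if SSSD really passes netgroup-bearing rules through unfiltered (as the header comment states), the correct filter has to evaluate the non-netgroup entries here too instead of skipping them, so that the rule is neither dropped for legitimately listed users nor, with a naive "accept if any non-netgroup entry exists" shortcut, granted to every user the passthrough reached. The function is also non-static while its neighbours are `static bool`, and `debug_decl(sudo_sss_check_user_netgroup, ...)` names a function that does not exist, which mislabels the debug trace; use `static bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)` and `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);`. The header comment has typos ("specifcations", "negroup", "meber") and lists `true` twice; it should say the result is true unless a netgroup spec was found and none of them matched. sudo_sss_result_filterp in the final hunk begins outside the hunk.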
@@ -0,0 +1,53 @@
+diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
+--- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid 2013-09-30 23:30:12.359263967 +0200
++++ sudo-1.8.8/plugins/sudoers/match.c 2013-09-30 23:31:04.335443002 +0200
+@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
+ bool
+ userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
+ {
+- debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
+-
+- if (pw != NULL && *sudoers_user == '#') {
+- uid_t uid = (uid_t) atoi(sudoers_user + 1);
+- if (uid == pw->pw_uid)
+- debug_return_bool(true);
+- }
+- debug_return_bool(strcmp(sudoers_user, user) == 0);
++ debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
++ if (pw != NULL && *sudoers_user == '#') {
++ char *end = NULL;
++ uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
++ if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
++ if (uid == pw->pw_uid)
++ debug_return_bool(true);
++ }
++ }
++ debug_return_bool(strcmp(sudoers_user, user) == 0);
+ }
+ 
+ /*
+@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
+ bool
+ group_matches(char *sudoers_group, struct group *gr)
+ {
+- debug_decl(group_matches, SUDO_DEBUG_MATCH)
+-
+- if (*sudoers_group == '#') {
+- gid_t gid = (gid_t) atoi(sudoers_group + 1);
+- if (gid == gr->gr_gid)
+- debug_return_bool(true);
+- }
+- debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
++ debug_decl(group_matches, SUDO_DEBUG_MATCH)
++ if (*sudoers_group == '#') {
++ char *end = NULL;
++ gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
++ if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
++ if (gid == gr->gr_gid)
++ debug_return_bool(true);
++ }
++ }
++ debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
+ }
+ 
+ /*
diff --git a/sudo.spec b/sudo.spec
index f12c88a..aefcc1e 100644
--- a/sudo.spec
+++ b/sudo.spec
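Review bot: The new `strtol()` check in userpw_matches still accepts numbers the specification did not literally name: strtol skips leading whitespace and a sign, and on overflow it clamps to LONG_MIN/LONG_MAX without this code inspecting `errno`, so all of those inputs still satisfy `*end == '\0'` and are then silently truncated by the `(uid_t)` cast before being compared with `pw->pw_uid`. Parse with `strtoul()` after `errno = 0`, require the first character after `#` to be a digit, and require the parsed value to round-trip through `uid_t`; `end != NULL` adds nothing because strtoul always sets it. group_matches in the second hunk needs the identical treatment with `gid_t`. This assumes match.c already includes `<errno.h>` and `<ctype.h>`; add them if it does not.
```c
    if (pw != NULL && *sudoers_user == '#') {
        char *end = NULL;
        unsigned long ul;

        /* Digits only: reject sign, whitespace, trailing junk and overflow. */
        errno = 0;
        ul = strtoul(sudoers_user + 1, &end, 10);
        if (isdigit((unsigned char)sudoers_user[1]) && *end == '\0' &&
            errno == 0 && (unsigned long)(uid_t)ul == ul) {
            if ((uid_t)ul == pw->pw_uid)
                debug_return_bool(true);
        }
    }
    /* … unchanged: debug_return_bool(strcmp(sudoers_user, user) == 0); … */
```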
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.6p7
-Release: 2%{?dist}
+Version: 1.8.8
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -9,6 +9,7 @@ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.7.4p4-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /etc/pam.d/system-auth, vim-minimal
+Requires(post): /bin/chmod
 BuildRequires: pam-devel
 BuildRequires: groff
@@ -26,6 +27,12 @@ BuildRequires: zlib-devel
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
+# Fix several issues in the sssd code
+Patch3: sudo-1.8.8-sssdfixes.patch
+# Don't accept invalid number in uid/gid specifications
+Patch4: sudo-1.8.8-strictuidgid.patch
+# Fix several issues found by the clang static analyzer
+Patch5: sudo-1.8.8-clangbugs.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -52,6 +59,9 @@ plugins that use %{name}.
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
+%patch3 -p1 -b .sssdfixes
+%patch4 -p1 -b .strictuidgid
+%patch5 -p1 -b .clangbugs
 %build
 autoreconf -I m4 -fv --install
@@ -68,7 +78,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
 --prefix=%{_prefix} \
 --sbindir=%{_sbindir} \
 --libdir=%{_libdir} \
- --docdir=%{_datadir}/doc/%{name}-%{version} \
+ --docdir=%{_pkgdocdir} \
 --with-logging=syslog \
 --with-logfac=authpriv \
 --with-pam \
@@ -95,10 +105,10 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
-chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
 # Remove execute permission on this script so we don't pull in perl deps
-chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
 %find_lang sudo
 %find_lang sudoers
@@ -140,17 +150,20 @@ rm -rf $RPM_BUILD_ROOT
 %attr(4111,root,root) %{_bindir}/sudoedit
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
-%attr(0755,root,root) %{_libexecdir}/sesh
-%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
-%attr(0644,root,root) %{_libexecdir}/sudoers.so
+%attr(0755,root,root) %{_libexecdir}/sudo/sesh
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo.conf.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
-%dir %{_docdir}/sudo-%{version}
-%{_docdir}/sudo-%{version}/*
+%dir %{_pkgdocdir}/
+%{_pkgdocdir}/*
 # Make sure permissions are ok even if we're updating
@@ -164,6 +177,31 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
+* Mon Sep 30 2013 Daniel Kopecek - 1.8.8-1
+- update to 1.8.8
+- major changes & fixes:
+ - LDAP SASL support now works properly with Kerberos
+ - root may no longer change its SELinux role without entering a password
+ - user messages are now always displayed in the user's locale, even when
+ the same message is being logged or mailed in a different locale.
+ - log files created by sudo now explicitly have the group set to group
+ ID 0 rather than relying on BSD group semantics
+ - sudo now stores its libexec files in a sudo subdirectory instead of in
+ libexec itself
+ - system_group and group_file sudoers group provider plugins are now
+ installed by default
+ - the paths to ldap.conf and ldap.secret may now be specified as arguments
+ to the sudoers plugin in the sudo.conf file
+ - ...and many new features and settings. See the upstream ChangeLog for the
+ full list.
+- several sssd support fixes
+- added patch to make uid/gid specification parsing more strict (don't accept
+ an invalid number as uid/gid)
+- use the _pkgdocdir macro
+ (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
+- fixed several bugs found by the clang static analyzer
+- added %%post dependency on chmod
+
 * Sun Aug 04 2013 Fedora Release Engineering - 1.8.6p7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild