diff --git a/.gitignore b/.gitignore
index f68bf75..04f884a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /sudo-1.8.16.tar.gz
+/sudo-1.8.17p1.tar.gz
diff --git a/sources b/sources
index 41f39d1..9534406 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a977449587dc857e129bb20555b46af4 sudo-1.8.16.tar.gz
+50a840a688ceb6fa3ab24fc0adf4fa23 sudo-1.8.17p1.tar.gz
diff --git a/sudo-1.7.2p1-envdebug.patch b/sudo-1.7.2p1-envdebug.patch
deleted file mode 100644
index e189c98..0000000
--- a/sudo-1.7.2p1-envdebug.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up sudo-1.7.2p1/configure.in.envdebug sudo-1.7.2p1/configure.in
---- sudo-1.7.2p1/configure.in.envdebug 2009-10-30 12:18:09.000000000 +0100
-+++ sudo-1.7.2p1/configure.in 2009-10-30 12:19:01.000000000 +0100
-@@ -1214,7 +1214,7 @@ AC_ARG_ENABLE(env_debug,
- [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
- [ case "$enableval" in
- yes) AC_MSG_RESULT(yes)
-- AC_DEFINE(ENV_DEBUG)
-+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
- ;;
- no) AC_MSG_RESULT(no)
- ;;
diff --git a/sudo-1.8.11p2-auditfix.patch b/sudo-1.8.11p2-auditfix.patch
deleted file mode 100644
index 963ef4e..0000000
--- a/sudo-1.8.11p2-auditfix.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
---- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix 2014-11-03 12:44:53.674230966 +0100
-+++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c 2014-11-03 12:45:13.407021599 +0100
-@@ -57,10 +57,10 @@ linux_audit_open(void)
- au_fd = audit_open();
- if (au_fd == -1) {
- /* Kernel may not have audit support. */
-- if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
-- sudo_warn(U_("unable to open audit system"));
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
- au_fd = AUDIT_NOT_CONFIGURED;
-- }
-+ else
-+ sudo_warn(U_("unable to open audit system"));
- } else {
- (void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
- }
diff --git a/sudo-1.8.14p1-docpassexpire.patch b/sudo-1.8.14p1-docpassexpire.patch
deleted file mode 100644
index cb7fe8a..0000000
--- a/sudo-1.8.14p1-docpassexpire.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up sudo-1.8.14b4/doc/sudoers.cat.docpassexpire sudo-1.8.14b4/doc/sudoers.cat
---- sudo-1.8.14b4/doc/sudoers.cat.docpassexpire 2015-06-09 00:47:07.000000000 +0200
-+++ sudo-1.8.14b4/doc/sudoers.cat 2015-07-14 13:11:11.116000185 +0200
-@@ -1328,8 +1328,8 @@ SSUUDDOOEERRSS OOPPTTIIOONN
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5. Set
- this to 0 to always prompt for a password. If set to a
-- value less than 0 the user's time stamp will never
-- expire. This can be used to allow users to create or
-+ value less than 0 the user's time stamp will not
-+ expire until reboot. This can be used to allow users to create or
- delete their own time stamps via ``sudo -v'' and ``sudo
- -k'' respectively.
- 
-diff -up sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire sudo-1.8.14b4/doc/sudoers.man.in
---- sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire 2015-07-14 13:11:11.116000185 +0200
-+++ sudo-1.8.14b4/doc/sudoers.man.in 2015-07-14 13:14:17.261222481 +0200
-@@ -2822,7 +2822,7 @@ Set this to
- to always prompt for a password.
- If set to a value less than
- \fR0\fR
--the user's time stamp will never expire.
-+the user's time stamp will not expire until reboot.
- This can be used to allow users to create or delete their own time stamps via
- \(Lq\fRsudo -v\fR\(Rq
- and
-diff -up sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire sudo-1.8.14b4/doc/sudoers.mdoc.in
---- sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire 2015-04-07 18:15:50.000000000 +0200
-+++ sudo-1.8.14b4/doc/sudoers.mdoc.in 2015-07-14 13:11:11.117000176 +0200
-@@ -2647,7 +2647,7 @@ Set this to
- to always prompt for a password.
- If set to a value less than
- .Li 0
--the user's time stamp will never expire.
-+the user's time stamp will not expire until reboot.
- This can be used to allow users to create or delete their own time stamps via
- .Dq Li sudo -v
- and
diff --git a/sudo-1.8.14p3-initialization.patch b/sudo-1.8.14p3-initialization.patch
deleted file mode 100644
index 75da7fd..0000000
--- a/sudo-1.8.14p3-initialization.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -diff -up ./lib/util/strsplit.c.initialization ./lib/util/strsplit.c ---- ./lib/util/strsplit.c.initialization 2015-07-22 14:22:49.000000000 +0200 -+++ ./lib/util/strsplit.c 2015-08-18 13:28:28.141319501 +0200 -@@ -37,6 +37,10 @@ sudo_strsplit_v1(const char *str, const - const char *cp, *s; - debug_decl(sudo_strsplit, SUDO_DEBUG_UTIL) - -+ /* exclusion of two NULLs at the same time */ -+ if (str == NULL && *last == NULL) -+ debug_return_ptr(NULL); -+ - /* If no str specified, use last ptr (if any). */ - if (str == NULL) - str = *last; -diff -up ./lib/util/sudo_conf.c.initialization ./lib/util/sudo_conf.c ---- ./lib/util/sudo_conf.c.initialization 2015-07-22 14:22:49.000000000 +0200 -+++ ./lib/util/sudo_conf.c 2015-08-18 13:28:28.142319494 +0200 -@@ -161,7 +161,7 @@ static int - parse_path(const char *entry, const char *conf_file, unsigned int lineno) - { - const char *entry_end = entry + strlen(entry); -- const char *ep, *name, *path; -+ const char *ep = NULL, *name, *path; - struct sudo_conf_path_table *cur; - size_t namelen; - debug_decl(parse_path, SUDO_DEBUG_UTIL) -@@ -208,7 +208,7 @@ parse_debug(const char *entry, const cha - { - struct sudo_conf_debug *debug_spec; - struct sudo_debug_file *debug_file = NULL; -- const char *ep, *path, *progname, *flags; -+ const char *ep = NULL, *path, *progname, *flags; - const char *entry_end = entry + strlen(entry); - size_t pathlen, prognamelen; - debug_decl(parse_debug, SUDO_DEBUG_UTIL) -@@ -278,7 +278,7 @@ static int - parse_plugin(const char *entry, const char *conf_file, unsigned int lineno) - { - struct plugin_info *info = NULL; -- const char *ep, *path, *symbol; -+ const char *ep = NULL, *path, *symbol; - const char *entry_end = entry + strlen(entry); - char **options = NULL; - size_t pathlen, symlen; -diff -up ./plugins/sudoers/editor.c.initialization ./plugins/sudoers/editor.c ---- ./plugins/sudoers/editor.c.initialization 2015-07-22 14:22:49.000000000 +0200 -+++ ./plugins/sudoers/editor.c 
2015-08-18 13:28:28.142319494 +0200 -@@ -45,7 +45,7 @@ resolve_editor(const char *ed, size_t ed - int *argc_out, char ***argv_out, char * const *whitelist) - { - char **nargv, *editor, *editor_path = NULL; -- const char *cp, *ep, *tmp; -+ const char *cp, *ep = NULL, *tmp; - const char *edend = ed + edlen; - struct stat user_editor_sb; - int nargc; -diff -up ./plugins/sudoers/interfaces.c.initialization ./plugins/sudoers/interfaces.c ---- ./plugins/sudoers/interfaces.c.initialization 2015-07-22 14:22:50.000000000 +0200 -+++ ./plugins/sudoers/interfaces.c 2015-08-18 13:28:28.142319494 +0200 -@@ -109,7 +109,7 @@ get_interfaces(void) - void - dump_interfaces(const char *ai) - { -- const char *cp, *ep; -+ const char *cp, *ep = NULL; - const char *ai_end = ai + strlen(ai); - debug_decl(set_interfaces, SUDOERS_DEBUG_NETIF) - -diff -up ./plugins/sudoers/sudoers.c.initialization ./plugins/sudoers/sudoers.c ---- ./plugins/sudoers/sudoers.c.initialization 2015-07-22 14:22:50.000000000 +0200 -+++ ./plugins/sudoers/sudoers.c 2015-08-18 13:28:28.142319494 +0200 -@@ -1186,7 +1186,7 @@ sudoers_cleanup(void) - static char * - find_editor(int nfiles, char **files, int *argc_out, char ***argv_out) - { -- const char *cp, *ep, *editor = NULL; -+ const char *cp, *ep = NULL, *editor = NULL; - char *editor_path = NULL, **ev, *ev0[4]; - debug_decl(find_editor, SUDOERS_DEBUG_PLUGIN) - -diff -up ./plugins/sudoers/sudoreplay.c.initialization ./plugins/sudoers/sudoreplay.c ---- ./plugins/sudoers/sudoreplay.c.initialization 2015-07-22 14:22:49.000000000 +0200 -+++ ./plugins/sudoers/sudoreplay.c 2015-08-18 13:39:53.776411920 +0200 -@@ -189,7 +189,7 @@ main(int argc, char *argv[]) - int ch, idx, plen, exitcode = 0, rows = 0, cols = 0; - bool def_filter = true, listonly = false; - const char *decimal, *id, *user = NULL, *pattern = NULL, *tty = NULL; -- char *cp, *ep, path[PATH_MAX]; -+ char *cp, *ep = NULL, path[PATH_MAX]; - struct log_info *li; - double max_wait = 0; - debug_decl(main, 
SUDO_DEBUG_MAIN) -@@ -225,6 +225,8 @@ main(int argc, char *argv[]) - /* Set the replay filter. */ - def_filter = false; - for (cp = strtok_r(optarg, ",", &ep); cp; cp = strtok_r(NULL, ",", &ep)) { -+ if (ep == NULL) -+ sudo_fatalx(U_("invalid filter option: %s"), optarg); - if (strcmp(cp, "stdout") == 0) - io_log_files[IOFD_STDOUT].enabled = true; - else if (strcmp(cp, "stderr") == 0) -diff -up ./plugins/sudoers/visudo.c.initialization ./plugins/sudoers/visudo.c ---- ./plugins/sudoers/visudo.c.initialization 2015-07-22 14:22:50.000000000 +0200 -+++ ./plugins/sudoers/visudo.c 2015-08-18 13:28:28.142319494 +0200 -@@ -287,7 +287,7 @@ get_editor(int *editor_argc, char ***edi - - /* Build up editor whitelist from def_editor unless env_editor is set. */ - if (!def_env_editor) { -- const char *cp, *ep; -+ const char *cp, *ep = NULL; - const char *def_editor_end = def_editor + strlen(def_editor); - - /* Count number of entries in whitelist and split into a list. */ -@@ -325,7 +325,7 @@ get_editor(int *editor_argc, char ***edi - if (editor_path == NULL) { - /* def_editor could be a path, split it up, avoiding strtok() */ - const char *def_editor_end = def_editor + strlen(def_editor); -- const char *cp, *ep; -+ const char *cp, *ep = NULL; - for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep); - cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) { - editor_path = resolve_editor(cp, (size_t)(ep - cp), 2, files, diff --git a/sudo-1.8.16-seshargsfix.patch b/sudo-1.8.16-seshargsfix.patch deleted file mode 100644 index 725fe75..0000000 --- a/sudo-1.8.16-seshargsfix.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff -up sudo-1.8.16/src/selinux.c.seshargsfix sudo-1.8.16/src/selinux.c ---- sudo-1.8.16/src/selinux.c.seshargsfix 2016-03-17 17:13:10.000000000 +0100 -+++ sudo-1.8.16/src/selinux.c 2016-05-13 11:14:04.628296996 +0200 -@@ -378,7 +378,7 @@ selinux_execve(int fd, const char *path, - { - char **nargv; - const char *sesh; -- int argc, serrno; -+ int argc, nargc, serrno; - debug_decl(selinux_execve, SUDO_DEBUG_SELINUX) - - sesh = sudo_conf_sesh_path(); -@@ -409,9 +409,7 @@ selinux_execve(int fd, const char *path, - */ - for (argc = 0; argv[argc] != NULL; argc++) - continue; -- if (fd != -1) -- argc++; -- nargv = reallocarray(NULL, argc + 2, sizeof(char *)); -+ nargv = reallocarray(NULL, argc + 3, sizeof(char *)); - if (nargv == NULL) { - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - debug_return; -@@ -420,13 +418,13 @@ selinux_execve(int fd, const char *path, - nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec"; - else - nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh"; -- argc = 1; -- if (fd != -1 && asprintf(&nargv[argc++], "--execfd=%d", fd) == -1) { -+ nargc = 1; -+ if (fd != -1 && asprintf(&nargv[nargc++], "--execfd=%d", fd) == -1) { - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - debug_return; - } -- nargv[argc] = (char *)path; -- memcpy(&nargv[argc + 1], &argv[argc], argc * sizeof(char *)); /* copies NULL */ -+ nargv[nargc++] = (char *)path; -+ memcpy(&nargv[nargc], &argv[1], argc * sizeof(char *)); /* copies NULL */ - - /* sesh will handle noexec for us. */ - sudo_execve(-1, sesh, nargv, envp, false); diff --git a/sudo-1.8.8-clangbugs.patch b/sudo-1.8.8-clangbugs.patch deleted file mode 100644 index 9d4f1cb..0000000 --- a/sudo-1.8.8-clangbugs.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c ---- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs 2013-09-30 23:41:07.899529555 +0200 -+++ sudo-1.8.8/plugins/sudoers/auth/pam.c 2013-09-30 23:41:58.988707761 +0200 -@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw - (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT); - pamh = NULL; - status = AUTH_FAILURE; -+ goto done; - } - } - -diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c ---- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs 2013-09-30 23:44:20.404200629 +0200 -+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:49:05.998194738 +0200 -@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns - debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD); - - if (nss && nss->handle) { -- handle = nss->handle; -- dlclose(handle->ssslib); -+ handle = nss->handle; -+ dlclose(handle->ssslib); -+ efree(nss->handle); - } -- -- efree(nss->handle); - debug_return_int(0); - } - -@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss - sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL); - - if (f_sss_result != NULL) { -- if (f_sss_result->num_rules > 0) { -- if (state != NULL) { -- sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH"); -- *state |= _SUDO_SSS_STATE_HOSTMATCH; -+ if (f_sss_result->num_rules > 0) { -+ if (state != NULL) { -+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH"); -+ *state |= _SUDO_SSS_STATE_HOSTMATCH; -+ } - } -- } -- } - -- sudo_debug_printf(SUDO_DEBUG_DEBUG, -- "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, -- u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); -+ sudo_debug_printf(SUDO_DEBUG_DEBUG, -+ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, -+ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); -+ } else { -+ sudo_debug_printf(SUDO_DEBUG_DEBUG, -+ "u_sss_result=(%p, %u) => f_sss_result=NULL", -+ 
u_sss_result, u_sss_result->num_rules); -+ } - - handle->fn_free_result(u_sss_result); - diff --git a/sudo-1.8.8-sssdfixes.patch b/sudo-1.8.8-sssdfixes.patch deleted file mode 100644 index 31edde6..0000000 --- a/sudo-1.8.8-sssdfixes.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c ---- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes 2013-09-30 23:18:49.641913457 +0200 -+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:25:54.819376696 +0200 -@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s - * Walk through search results and return true if we have a runas match, - * else false. RunAs info is optional. - */ --static int -+static bool - sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) - { -- int ret; -+ bool ret; - debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD); - - if (rule == NULL) -- debug_return_int(false); -+ debug_return_bool(false); - - ret = sudo_sss_check_runas_user(handle, rule) != false && - sudo_sss_check_runas_group(handle, rule) != false; - -- debug_return_int(ret); -+ debug_return_bool(ret); - } - --static int -+static bool - sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) - { - char **val_array, *val; -- int ret = false, i; -+ bool ret = false; -+ int i; - debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD); - - if (rule == NULL) -- debug_return_int(ret); -+ debug_return_bool(ret); - - /* get the values from the rule */ - switch (handle->fn_get_values(rule, "sudoHost", &val_array)) -@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand - break; - case ENOENT: - sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); -- debug_return_int(false); -+ debug_return_bool(false); - default: - sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); -- debug_return_int(ret); -+ debug_return_bool(ret); - } - - /* walk through values */ -@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand - - handle->fn_free_values(val_array); - -- debug_return_int(ret); -+ debug_return_bool(ret); -+} -+ -+/* -+ * Look for netgroup specifcations in the sudoUser attribute and -+ * if found, filter according to netgroup membership. 
-+ * returns: -+ * true -> netgroup spec found && negroup member -+ * false -> netgroup spec found && not a meber of netgroup -+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception) -+ */ -+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) -+{ -+ bool ret = false, netgroup_spec_found = false; -+ char **val_array, *val; -+ int i; -+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD); -+ -+ if (!handle || !rule) -+ debug_return_bool(ret); -+ -+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) { -+ case 0: -+ break; -+ case ENOENT: -+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); -+ debug_return_bool(ret); -+ default: -+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0"); -+ debug_return_bool(ret); -+ } -+ -+ for (i = 0; val_array[i] != NULL && !ret; ++i) { -+ val = val_array[i]; -+ if (*val == '+') { -+ netgroup_spec_found = true; -+ } -+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); -+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) { -+ ret = true; -+ sudo_debug_printf(SUDO_DEBUG_DIAG, -+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name); -+ } -+ } -+ handle->fn_free_values(val_array); -+ debug_return_bool(netgroup_spec_found ? ret : true); - } - - static int -@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_ - (void)unused; - debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); - -- if (sudo_sss_check_host(handle, rule)) -+ if (sudo_sss_check_host(handle, rule) && -+ sudo_sss_filter_user_netgroup(handle, rule)) - debug_return_int(1); - else - debug_return_int(0); diff --git a/sudo-1.8.8-strictuidgid.patch b/sudo-1.8.8-strictuidgid.patch deleted file mode 100644 index ebb14ff..0000000 --- a/sudo-1.8.8-strictuidgid.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c ---- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid 2013-09-30 23:30:12.359263967 +0200 -+++ sudo-1.8.8/plugins/sudoers/match.c 2013-09-30 23:31:04.335443002 +0200 -@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos - bool - userpw_matches(char *sudoers_user, char *user, struct passwd *pw) - { -- debug_decl(userpw_matches, SUDO_DEBUG_MATCH) -- -- if (pw != NULL && *sudoers_user == '#') { -- uid_t uid = (uid_t) atoi(sudoers_user + 1); -- if (uid == pw->pw_uid) -- debug_return_bool(true); -- } -- debug_return_bool(strcmp(sudoers_user, user) == 0); -+ debug_decl(userpw_matches, SUDO_DEBUG_MATCH) -+ if (pw != NULL && *sudoers_user == '#') { -+ char *end = NULL; -+ uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10); -+ if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) { -+ if (uid == pw->pw_uid) -+ debug_return_bool(true); -+ } -+ } -+ debug_return_bool(strcmp(sudoers_user, user) == 0); - } - - /* -@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char - bool - group_matches(char *sudoers_group, struct group *gr) - { -- debug_decl(group_matches, SUDO_DEBUG_MATCH) -- -- if (*sudoers_group == '#') { -- gid_t gid = (gid_t) atoi(sudoers_group + 1); -- if (gid == gr->gr_gid) -- debug_return_bool(true); -- } -- debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0); -+ debug_decl(group_matches, SUDO_DEBUG_MATCH) -+ if (*sudoers_group == '#') { -+ char *end = NULL; -+ gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10); -+ if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) { -+ if (gid == gr->gr_gid) -+ debug_return_bool(true); -+ } -+ } -+ debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0); - } - - /* diff --git a/sudo.spec b/sudo.spec index d86bffe..b0a0802 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.16 -Release: 4%{?dist} +Version: 1.8.17p1 +Release: 1%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -28,12 +28,6 @@ BuildRequires: zlib-devel Patch1: sudo-1.6.7p5-strip.patch # Patch to read ldap.conf more closely to nss_ldap Patch2: sudo-1.8.14p1-ldapconfpatch.patch -# Patch makes changes in documentation bz:1162070 -Patch3: sudo-1.8.14p1-docpassexpire.patch -# Patch initialize variable before executing sudo_strsplit -Patch4: sudo-1.8.14p3-initialization.patch -# 1328735 - Weird sudo issue that seems to be selinux related -Patch5: sudo-1.8.16-seshargsfix.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -60,9 +54,6 @@ plugins that use %{name}. %patch1 -p1 -b .strip %patch2 -p1 -b .ldapconfpatch -%patch3 -p1 -b .docpassexpire -%patch4 -p1 -b .initialization -%patch5 -p1 -b .seshargsfix %build # Remove bundled copy of zlib @@ -108,6 +99,7 @@ make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` s chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo +install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers @@ -163,6 +155,7 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %dir /var/db/sudo +%dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo %{_bindir}/sudoedit %attr(0111,root,root) %{_bindir}/sudoreplay 
@@ -201,6 +194,11 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 +- update to 1.8.17p1 +- install the /var/db/sudo/lectured + Resolves: rhbz#1321414 + * Tue May 31 2016 Daniel Kopecek 1.8.16-4 - removed INPUTRC from env_keep to prevent a possible info leak Resolves: rhbz#1340701
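Review bot: The new changelog entry records only `- update to 1.8.17p1` and the lectured directory, while the hunk at `@@ -28,12 +28,6 @@` in the same file silently drops Patch3, Patch4 and Patch5 and the `%prep` hunk drops their `%patchN` lines, so the reason those downstream fixes are no longer needed is not written down anywhere. Patch5 was the SELinux sesh argv fix tracked as 1328735 in the removed comment and Patch4 initialised `ep` before the `sudo_strsplit`/`strtok_r` loops; if 1.8.17p1 carries equivalent fixes upstream the changelog should say so, e.g. `- drop patches 3-5, fixed upstream in 1.8.17p1`, so that a later regression in those areas can be traced to this update. I cannot confirm from this diff alone that upstream 1.8.17p1 contains all three fixes, so that claim should be checked against the upstream release before it is recorded.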