update to 1.8.11

- major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. - the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support - visudo can now export a sudoers file in JSON format using the new -x flag - added patch to read ldap.conf more closely to nss_ldap - require /usr/bin/vi instead of vim-minimal - include pam.d/system-auth in PAM session phase from pam.d/sudo - include pam.d/sudo in PAM session phase from pam.d/sudo-i
2014-09-30 15:45:25 +02:00 · 2014-09-30 15:45:25 +02:00 · a5f9360d9a
commit a5f9360d9a
parent 71fccff302
2 changed files with 89 additions and 18 deletions
--- a/sudo-1.8.11b4-ldapconfpatch.patch
+++ b/sudo-1.8.11b4-ldapconfpatch.patch
@ -0,0 +1,54 @@
+diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
+--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch	2014-07-22 22:52:34.000000000 +0200
+++ sudo-1.8.11b4/plugins/sudoers/ldap.c	2014-09-15 11:22:11.122094452 +0200
+@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
+ }
+ #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+ 
+/*
+ * Read a line of input, remove whole line comments and strip off leading
+ * and trailing spaces.  Returns static storage that is reused.
+ */
+static char *
+sudo_ldap_parseln(fp)
+    FILE *fp;
+{
+    size_t len;
+    char *cp = NULL;
+    static char buf[LINE_MAX];
+
+    if (fgets(buf, sizeof(buf), fp) != NULL) {
+	/* Remove comments */
+	if (*buf == '#')
+	    *buf = '\0';
+
+	/* Trim leading and trailing whitespace/newline */
+	len = strlen(buf);
+	while (len > 0 && isspace((unsigned char)buf[len - 1]))
+	    buf[--len] = '\0';
+	for (cp = buf; isblank(*cp); cp++)
+	    continue;
+    }
+    return(cp);
+}
+
+ static bool
+ sudo_ldap_read_config(void)
+ {
+@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
+     if ((fp = fopen(path_ldap_conf, "r")) == NULL)
+ 	debug_return_bool(false);
+ 
+-    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
+    while ((line = sudo_ldap_parseln(fp)) != NULL) {
+ 	if (*line == '\0')
+ 	    continue;		/* skip empty line */
+ 
+@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
+ 	if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
+ 	    sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
+     }
+-    free(line);
+     fclose(fp);
+ 
+     if (!ldap_conf.host)
--- a/sudo.spec
+++ b/sudo.spec
@ -1,14 +1,15 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.8
-Release: 7%{?dist}
+Version: 1.8.11
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.8.8-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
 Requires(post): /bin/chmod

 BuildRequires: pam-devel
@ -25,14 +26,8 @@ BuildRequires: zlib-devel

 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
-Patch2: sudo-1.7.2p1-envdebug.patch
-# Fix several issues in the sssd code
-Patch3: sudo-1.8.8-sssdfixes.patch
-# Don't accept invalid number in uid/gid specifications
-Patch4: sudo-1.8.8-strictuidgid.patch
-# Fix several issues found by the clang static analyzer
-Patch5: sudo-1.8.8-clangbugs.patch
+# Patch to read ldap.conf more closely to nss_ldap
+Patch2: sudo-1.8.11b4-ldapconfpatch.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -58,10 +53,7 @@ plugins that use %{name}.
 %setup -q

 %patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
-%patch3 -p1 -b .sssdfixes
-%patch4 -p1 -b .strictuidgid
-%patch5 -p1 -b .clangbugs
+%patch2 -p1 -b .ldapconfpatch

 %build
 # Remove bundled copy of zlib
@ -129,6 +121,7 @@ account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+session    include      system-auth
 EOF

 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@ -137,7 +130,7 @@ auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
-session    required     pam_limits.so
+session    include      sudo
 EOF


@ -161,6 +154,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man5/sudo.conf.5*
@ -184,10 +178,33 @@ rm -rf $RPM_BUILD_ROOT
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
+%attr(0644,root,root) %{_libexecdir}/sudo/*.la

 %changelog
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+  - when running a command in the background, sudo will now forward
+    SIGINFO to the command
+  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 
+  - SELinux role changes are now audited. For sudoedit, we now audit
+    the actual editor being run, instead of just the sudoedit command. 
+  - it is now possible to match an environment variable's value as well as
+    its name using env_keep and env_check
+  - new files created via sudoedit as a non-root user now have the proper group id
+  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+  - it is now possible to disable network interface probing in sudo.conf by
+    changing the value of the probe_interfaces setting
+  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+    for the user's password even if the targetpw, rootpw or runaspw options are set.
+  - the new use_netgroups sudoers option can be used to explicitly enable or disable
+    netgroups support
+  - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i

 * Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
 - fix license handling