update to 1.8.11

- major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. - the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support - visudo can now export a sudoers file in JSON format using the new -x flag - added patch to read ldap.conf more closely to nss_ldap - require /usr/bin/vi instead of vim-minimal - include pam.d/system-auth in PAM session phase from pam.d/sudo - include pam.d/sudo in PAM session phase from pam.d/sudo-i
2014-09-30 15:45:25 +02:00 · 2014-09-30 15:45:25 +02:00 · a5f9360d9a
commit a5f9360d9a
parent 71fccff302
2 changed files with 89 additions and 18 deletions
--- a/sudo-1.8.11b4-ldapconfpatch.patch
+++ b/sudo-1.8.11b4-ldapconfpatch.patch
@ -0,0 +1,54 @@
 diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
 --- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch	2014-07-22 22:52:34.000000000 +0200
 +++ sudo-1.8.11b4/plugins/sudoers/ldap.c	2014-09-15 11:22:11.122094452 +0200
@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
 }
 #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
 +/*
 + * Read a line of input, remove whole line comments and strip off leading
 + * and trailing spaces.  Returns static storage that is reused.
 + */
 +static char *
 +sudo_ldap_parseln(fp)
 +    FILE *fp;
 +{
 +    size_t len;
 +    char *cp = NULL;
 +    static char buf[LINE_MAX];
 +
 +    if (fgets(buf, sizeof(buf), fp) != NULL) {
 +	/* Remove comments */
 +	if (*buf == '#')
 +	    *buf = '\0';
 +
 +	/* Trim leading and trailing whitespace/newline */
 +	len = strlen(buf);
 +	while (len > 0 && isspace((unsigned char)buf[len - 1]))
 +	    buf[--len] = '\0';
 +	for (cp = buf; isblank(*cp); cp++)
 +	    continue;
 +    }
 +    return(cp);
 +}
 +
 static bool
 sudo_ldap_read_config(void)
 {
@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
     if ((fp = fopen(path_ldap_conf, "r")) == NULL)
 	debug_return_bool(false);
 -    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
 +    while ((line = sudo_ldap_parseln(fp)) != NULL) {
 	if (*line == '\0')
 	    continue;		/* skip empty line */
@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
 	if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
 	    sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
     }
 -    free(line);
     fclose(fp);
     if (!ldap_conf.host)
--- a/sudo.spec
+++ b/sudo.spec
@ -1,14 +1,15 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.8
+Version: 1.8.11
-Release: 7%{?dist}
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.8.8-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
 Requires: /usr/bin/vi
 Requires(post): /bin/chmod
 BuildRequires: pam-devel
@ -25,14 +26,8 @@ BuildRequires: zlib-devel
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
+# Patch to read ldap.conf more closely to nss_ldap
-Patch2: sudo-1.7.2p1-envdebug.patch
+Patch2: sudo-1.8.11b4-ldapconfpatch.patch
 # Fix several issues in the sssd code
 Patch3: sudo-1.8.8-sssdfixes.patch
 # Don't accept invalid number in uid/gid specifications
 Patch4: sudo-1.8.8-strictuidgid.patch
 # Fix several issues found by the clang static analyzer
 Patch5: sudo-1.8.8-clangbugs.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -58,10 +53,7 @@ plugins that use %{name}.
 %setup -q
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
+%patch2 -p1 -b .ldapconfpatch
 %patch3 -p1 -b .sssdfixes
 %patch4 -p1 -b .strictuidgid
 %patch5 -p1 -b .clangbugs
 %build
 # Remove bundled copy of zlib
@ -129,6 +121,7 @@ account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
 session    include      system-auth
 EOF
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@ -137,7 +130,7 @@ auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
-session    required     pam_limits.so
+session    include      sudo
 EOF
@ -161,6 +154,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man5/sudo.conf.5*
@ -184,10 +178,33 @@ rm -rf $RPM_BUILD_ROOT
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
 %attr(0644,root,root) %{_libexecdir}/sudo/*.la
 %changelog
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-7
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+- update to 1.8.11
 - major changes & fixes:
  - when running a command in the background, sudo will now forward
    SIGINFO to the command
  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 
  - SELinux role changes are now audited. For sudoedit, we now audit
    the actual editor being run, instead of just the sudoedit command. 
  - it is now possible to match an environment variable's value as well as
    its name using env_keep and env_check
  - new files created via sudoedit as a non-root user now have the proper group id
  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
  - it is now possible to disable network interface probing in sudo.conf by
    changing the value of the probe_interfaces setting
  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
    for the user's password even if the targetpw, rootpw or runaspw options are set.
  - the new use_netgroups sudoers option can be used to explicitly enable or disable
    netgroups support
  - visudo can now export a sudoers file in JSON format using the new -x flag
 - added patch to read ldap.conf more closely to nss_ldap
 - require /usr/bin/vi instead of vim-minimal
 - include pam.d/system-auth in PAM session phase from pam.d/sudo
 - include pam.d/sudo in PAM session phase from pam.d/sudo-i
 * Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
 - fix license handling