rpms
/
sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import sudo-1.8.25p1-8.el8_1.1

This commit is contained in:
CentOS Sources 2020-02-13 04:09:18 -05:00 committed by Andrew Lukoshko
commit c6383df712
26 changed files with 3684 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/sudo-1.8.25p1.tar.gz

1
.sudo.metadata Normal file
View File

@ -0,0 +1 @@
dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz

11
SOURCES/sudo-1.6.7p5-strip.patch Normal file
View File

@ -0,0 +1,11 @@
--- sudo-1.6.7p5/install-sh.strip 2005-07-21 14:28:25.000000000 +0200
+++ sudo-1.6.7p5/install-sh 2005-07-21 14:29:18.000000000 +0200
@@ -138,7 +138,7 @@
fi
;;
X-s)
- STRIPIT=true
+ #STRIPIT=true
;;
X--)
shift

27
SOURCES/sudo-1.7.2p1-envdebug.patch Normal file
View File

@ -0,0 +1,27 @@
From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
From: Tomas Sykora <tosykora@redhat.com>
Date: Fri, 19 Aug 2016 14:07:35 +0200
Subject: [PATCH 02/10] Added "Enviroment debugging" message
rebased from:
Patch2: sudo-1.7.2p1-envdebug.patch
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 9feddfd..39a2d86 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
- AC_DEFINE(ENV_DEBUG)
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
;;
no) AC_MSG_RESULT(no)
;;
--
2.7.4

70
SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch Normal file
View File

@ -0,0 +1,70 @@
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
@@ -34,7 +34,7 @@
},
{
"Binding": [
- { "username": "%them" }
+ { "usergroup": "them" }
],
"Options": [
{ "set_home": true }
@@ -42,7 +42,7 @@
},
{
"Binding": [
- { "username": "%: non UNIX 0 c" }
+ { "nonunixgroup": " non UNIX 0 c" }
],
"Options": [
{ "set_home": true }
@@ -50,7 +50,7 @@
},
{
"Binding": [
- { "username": "+net" }
+ { "netgroup": "net" }
],
"Options": [
{ "set_home": true }
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
#
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
#
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
LEXTRACE("ERROR "); /* empty string */
LEXRETURN(ERROR);
}
- if (prev_state == INITIAL) {
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
switch (sudoerslval.string[0]) {
case '%':
if (sudoerslval.string[1] == '\0' ||

27
SOURCES/sudo-1.8.23-ldapsearchuidfix.patch Normal file
View File

@ -0,0 +1,27 @@
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
if (ldap_conf.search_filter)
sz += strlen(ldap_conf.search_filter);
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
/* Add space for primary and supplementary groups and gids */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
CHECK_STRLCAT(buf, ")", sz);
+ /* Append user uid */
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
+ (void) strlcat(buf, "(sudoUser=#", sz);
+ (void) strlcat(buf, gidbuf, sz);
+ (void) strlcat(buf, ")", sz);
+
/* Append primary group and gid */
if (grp != NULL) {
CHECK_STRLCAT(buf, "(sudoUser=%", sz);

89
SOURCES/sudo-1.8.23-legacy-group-processing.patch Normal file
View File

@ -0,0 +1,89 @@
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200
+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
sudo_fatalx("error: unhandled input %d", input_format);
}
+ /*
+ * cvtsudoers group filtering doesn't work if def_match_group_by_gid
+ * is set to true by default (at compile-time). It cannot be set to false
+ * because cvtsudoers doesn't apply the parsed Defaults.
+ *
+ * Related: sudo-1.8.23-legacy-group-processing.patch
+ */
+ def_match_group_by_gid = def_legacy_group_processing = false;
+
/* Apply filters. */
filter_userspecs(&parsed_policy, conf);
filter_defaults(&parsed_policy, conf);
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
--- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200
+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200
@@ -86,6 +86,7 @@ static struct early_default early_defaul
{ I_FQDN },
#endif
{ I_MATCH_GROUP_BY_GID },
+ { I_LEGACY_GROUP_PROCESSING },
{ I_GROUP_PLUGIN },
{ I_RUNAS_DEFAULT },
{ I_SUDOERS_LOCALE },
@@ -487,6 +488,8 @@ init_defaults(void)
}
/* First initialize the flags. */
+ def_legacy_group_processing = true;
+ def_match_group_by_gid = true;
#ifdef LONG_OTP_PROMPT
def_long_otp_prompt = true;
#endif
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
--- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Ignore case when matching group names"),
NULL,
}, {
+ "legacy_group_processing", T_FLAG,
+ N_("Don't pre-resolve all group names"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
--- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200
@@ -226,6 +226,8 @@
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 113
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
+#define I_LEGACY_GROUP_PROCESSING 114
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
enum def_tuple {
never,
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
--- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200
+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200
@@ -357,3 +357,6 @@ case_insensitive_user
case_insensitive_group
T_FLAG
"Ignore case when matching group names"
+legacy_group_processing
+ T_FLAG
+ "Don't pre-resolve all group names"
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200
+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200
@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
ret = true;
+ if (!def_match_group_by_gid || !def_legacy_group_processing) {
+ def_match_group_by_gid = false;
+ def_legacy_group_processing = false;
+ }
cleanup:
if (!restore_perms())
ret = -1;

61
SOURCES/sudo-1.8.23-nowaitopt.patch Normal file
View File

@ -0,0 +1,61 @@
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't pre-resolve all group names"),
NULL,
}, {
+ "cmnd_no_wait", T_FLAG,
+ N_("Don't fork and wait for the command to finish, just exec it"),
+ NULL,
+ }, {
NULL, 0, NULL
}
};
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
@@ -228,6 +228,8 @@
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
#define I_LEGACY_GROUP_PROCESSING 114
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+#define I_CMND_NO_WAIT 115
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
enum def_tuple {
never,
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
@@ -360,3 +360,6 @@ case_insensitive_group
legacy_group_processing
T_FLAG
"Don't pre-resolve all group names"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
def_match_group_by_gid = false;
def_legacy_group_processing = false;
}
+
+ /*
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
+ * and I/O logging. This will cause sudo to execute the given command
+ * directly instead of forking a separate process for it.
+ */
+ if (def_cmnd_no_wait) {
+ def_pam_setcred = false;
+ def_pam_session = false;
+ def_use_pty = false;
+ def_log_input = false;
+ def_log_output = false;
+ }
+
cleanup:
if (!restore_perms())
ret = -1;

103
SOURCES/sudo-1.8.23-pam-expired-passwords.patch Normal file
View File

@ -0,0 +1,103 @@
# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1544201494 25200
# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
The fix for bug #843 was incomplete and caused pam_end() to be called early.
sudo_pam_approval() must not set the global pam status to an error
value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
will call pam_end() before sudo_pam_begin_session(). This resulted
in a NULL PAM handle being used in sudo_pam_begin_session().
diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
@@ -210,59 +210,68 @@
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
{
const char *s;
+ int rc, status = AUTH_SUCCESS;
int *pam_status = (int *) auth->data;
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
- switch (*pam_status) {
+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
+ switch (rc) {
case PAM_SUCCESS:
- debug_return_int(AUTH_SUCCESS);
+ break;
case PAM_AUTH_ERR:
log_warningx(0, N_("account validation failure, "
"is your account locked?"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_NEW_AUTHTOK_REQD:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* New password required, try to change it. */
log_warningx(0, N_("Account or password is "
"expired, reset your password and try again"));
- *pam_status = pam_chauthtok(pamh,
- PAM_CHANGE_EXPIRED_AUTHTOK);
- if (*pam_status == PAM_SUCCESS)
- debug_return_int(AUTH_SUCCESS);
- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (rc == PAM_SUCCESS)
+ break;
+ if ((s = pam_strerror(pamh, rc)) == NULL)
s = "unknown error";
log_warningx(0,
N_("unable to change expired password: %s"), s);
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
case PAM_AUTHTOK_EXPIRED:
/* Ignore if user is exempt from password restrictions. */
if (exempt)
- debug_return_int(AUTH_SUCCESS);
+ break;
/* Password expired, cannot be updated by user. */
log_warningx(0,
N_("Password expired, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_ACCT_EXPIRED:
log_warningx(0,
N_("Account expired or PAM config lacks an \"account\" "
"section for sudo, contact your system administrator"));
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
case PAM_AUTHINFO_UNAVAIL:
case PAM_MAXTRIES:
case PAM_PERM_DENIED:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FAILURE);
+ status = AUTH_FAILURE;
+ break;
default:
- s = pam_strerror(pamh, *pam_status);
+ s = pam_strerror(pamh, rc);
log_warningx(0, N_("PAM account management error: %s"),
s ? s : "unknown error");
- debug_return_int(AUTH_FATAL);
+ status = AUTH_FATAL;
+ break;
}
+ /* Ignore errors if user is exempt from password restrictions. */
+ *pam_status = exempt ? PAM_SUCCESS : rc;
+ debug_return_int(status);
}
int

32
SOURCES/sudo-1.8.23-sudoldapconfman.patch Normal file
View File

@ -0,0 +1,32 @@
diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-04-29 21:59:31.000000000 +0200
+++ sudo-1.8.23/doc/Makefile.in 2018-05-17 13:56:24.693651178 +0200
@@ -345,10 +345,16 @@ install-doc: install-dirs
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
else \
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
fi
install-plugin:
@@ -363,8 +369,9 @@ uninstall:
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
+ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
+ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
+ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
splint:

56
SOURCES/sudo-1.8.23-who-am-i.patch Normal file
View File

@ -0,0 +1,56 @@
commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
Author: Todd C. Miller <Todd.Miller@sudo.ws>
Date: Wed Jan 2 07:39:33 2019 -0700
Fix setting of utmp entry when running command in a pty.
Regression introduced in sudo 1.8.22.
diff --git a/src/exec_pty.c b/src/exec_pty.c
index cbcccca3..68312a98 100644
--- a/src/exec_pty.c
+++ b/src/exec_pty.c
@@ -140,7 +140,7 @@ pty_cleanup(void)
* and slavename globals.
*/
static bool
-pty_setup(uid_t uid, const char *tty)
+pty_setup(struct command_details *details, const char *tty)
{
debug_decl(pty_setup, SUDO_DEBUG_EXEC);
@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
}
if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
- slavename, sizeof(slavename), uid))
+ slavename, sizeof(slavename), details->euid))
sudo_fatal(U_("unable to allocate pty"));
/* Add entry to utmp/utmpx? */
- if (utmp_user != NULL)
+ if (ISSET(details->flags, CD_SET_UTMP)) {
+ utmp_user =
+ details->utmp_user ? details->utmp_user : user_details.username;
utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
+ }
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: %s fd %d, pty master fd %d, pty slave fd %d",
@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
/*
* Allocate a pty.
*/
- if (pty_setup(details->euid, user_details.tty)) {
- if (ISSET(details->flags, CD_SET_UTMP))
- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
- } else if (TAILQ_EMPTY(&io_plugins)) {
- /* Not logging I/O and didn't allocate a pty. */
- debug_return_bool(false);
+ if (!pty_setup(details, user_details.tty)) {
+ if (TAILQ_EMPTY(&io_plugins)) {
+ /* Not logging I/O and didn't allocate a pty. */
+ debug_return_bool(false);
+ }
}
/*

25
SOURCES/sudo-1.8.25-c-option-help.patch Normal file
View File

@ -0,0 +1,25 @@
From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 11 Dec 2018 09:05:04 -0700
Subject: [PATCH 2/4] The -c option was missing from the help info; from
Radovan Sroka
---
plugins/sudoers/cvtsudoers.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
index 795936c1..0221314b 100644
--- a/plugins/sudoers/cvtsudoers.c
+++ b/plugins/sudoers/cvtsudoers.c
@@ -1315,6 +1315,7 @@ help(void)
usage(0);
(void) puts(_("\nOptions:\n"
" -b, --base=dn the base DN for sudo LDAP queries\n"
+ " -c, --config=conf_file the path to the configuration file\n"
" -d, --defaults=deftypes only convert Defaults of the specified types\n"
" -e, --expand-aliases expand aliases when converting\n"
" -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
--
2.17.2

1063
SOURCES/sudo-1.8.25-ipa-hostname.patch Normal file
View File

File diff suppressed because it is too large Load Diff

65
SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch Normal file
View File

@ -0,0 +1,65 @@
From e1a402f1d65f4f107a40237bc19384e43b334546 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 16 Oct 2018 12:49:34 -0600
Subject: [PATCH] sudo_ldap_parse_option() never returns '=' as the operator.
When parsing command_timeout, role, type, privs and limitprivs, check that
val is non-NULL instead. Found by PVS Studio.
---
plugins/sudoers/ldap_util.c | 37 ++++++++++++++-----------------------
1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c
index d9be95a61..fecb7a6c5 100644
--- a/plugins/sudoers/ldap_util.c
+++ b/plugins/sudoers/ldap_util.c
@@ -405,32 +405,23 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
int op;
op = sudo_ldap_parse_option(opt, &var, &val);
- if (strcmp(var, "command_timeout") == 0) {
- if (op == '=')
- cmndspec->timeout = parse_timeout(val);
+ if (strcmp(var, "command_timeout") == 0 && val != NULL) {
+ cmndspec->timeout = parse_timeout(val);
#ifdef HAVE_SELINUX
- } else if (strcmp(var, "role") == 0) {
- if (op == '=') {
- if ((cmndspec->role = strdup(val)) == NULL)
- goto oom;
- }
- } else if (strcmp(var, "type") == 0) {
- if (op == '=') {
- if ((cmndspec->type = strdup(val)) == NULL)
- goto oom;
- }
+ } else if (strcmp(var, "role") == 0 && val != NULL) {
+ if ((cmndspec->role = strdup(val)) == NULL)
+ goto oom;
+ } else if (strcmp(var, "type") == 0 && val != NULL) {
+ if ((cmndspec->type = strdup(val)) == NULL)
+ goto oom;
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
- } else if (strcmp(var, "privs") == 0) {
- if (op == '=') {
- if ((cmndspec->privs = strdup(val)) == NULL)
- goto oom;
- }
- } else if (strcmp(var, "limitprivs") == 0) {
- if (op == '=') {
- if ((cmndspec->limitprivs = strdup(val)) == NULL)
- goto oom;
- }
+ } else if (strcmp(var, "privs") == 0 && val != NULL) {
+ if ((cmndspec->privs = strdup(val)) == NULL)
+ goto oom;
+ } else if (strcmp(var, "limitprivs") == 0 && val != NULL) {
+ if ((cmndspec->limitprivs = strdup(val)) == NULL)
+ goto oom;
#endif /* HAVE_PRIV_SET */
} else if (store_options) {
if (!sudo_ldap_add_default(var, val, op, source,
--
2.21.0

57
SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch Normal file
View File

@ -0,0 +1,57 @@
From 60f0d65e22ba93988229453eb013728e47e5f84e Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Wed, 17 Oct 2018 06:57:06 -0600
Subject: [PATCH] Fix expected test output now that command_timeout is parsed
correctly in LDIF.
---
.../regress/sudoers/test17.ldif2sudo.ok | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
index 6bc2a36ed..608f52fc4 100644
--- a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
+++ b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
@@ -1,29 +1,29 @@
Defaults command_timeout=2d8h10m59s
# sudoRole user0
-user0 ALL = /usr/bin/id, /usr/bin/who, /bin/ls
+user0 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/who, /bin/ls
# sudoRole user1
-user1 ALL = /usr/bin/id
+user1 ALL = TIMEOUT=619830 /usr/bin/id
# sudoRole user2
-user2 ALL = /usr/bin/id
+user2 ALL = TIMEOUT=15030 /usr/bin/id
# sudoRole user3
-user3 ALL = /usr/bin/id
+user3 ALL = TIMEOUT=630 /usr/bin/id
# sudoRole user4
-user4 ALL = /usr/bin/id
+user4 ALL = TIMEOUT=1209600 /usr/bin/id
# sudoRole user5
-user5 ALL = /usr/bin/id
+user5 ALL = TIMEOUT=300 /usr/bin/id
# sudoRole user6
-user6 ALL = /usr/bin/id
+user6 ALL = TIMEOUT=30 /usr/bin/id
# sudoRole user7
-user7 ALL = /usr/bin/id
+user7 ALL = TIMEOUT=45 /usr/bin/id
# sudoRole user8
-user8 ALL = /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
- /usr/bin/id
+user8 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
+ /usr/bin/id, /usr/bin/id
--
2.21.0

27
SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch Normal file
View File

@ -0,0 +1,27 @@
diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100
+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100
@@ -1582,13 +1582,16 @@ help(void)
(void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
usage(0);
(void) puts(_("\nOptions:\n"
- " -d, --directory=dir specify directory for session logs\n"
- " -f, --filter=filter specify which I/O type(s) to display\n"
- " -h, --help display help message and exit\n"
- " -l, --list list available session IDs, with optional expression\n"
- " -m, --max-wait=num max number of seconds to wait between events\n"
- " -s, --speed=num speed up or slow down output\n"
- " -V, --version display version information and exit"));
+ " -d, --directory=dir specify directory for session logs\n"
+ " -f, --filter=filter specify which I/O type(s) to display\n"
+ " -h, --help display help message and exit\n"
+ " -l, --list list available session IDs, with optional expression\n"
+ " -m, --max-wait=num max number of seconds to wait between events\n"
+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
+ " -R, --no-resize do not attempt to re-size the terminal\n"
+ " -S, --suspend-wait wait while the command was suspended\n"
+ " -s, --speed=num speed up or slow down output\n"
+ " -V, --version display version information and exit"));
exit(0);
}

80
SOURCES/sudo-1.8.25-typos-manpages.patch Normal file
View File

@ -0,0 +1,80 @@
From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 11 Dec 2018 09:02:30 -0700
Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
---
doc/cvtsudoers.cat | 6 +++---
doc/cvtsudoers.man.in | 6 +++---
doc/cvtsudoers.mdoc.in | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
index 61bf3a28..9c1ef140 100644
--- a/doc/cvtsudoers.cat
+++ b/doc/cvtsudoers.cat
@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
--bb _d_n, ----bbaassee=_d_n
The base DN (distinguished name) that will be used when
performing LDAP queries. Typically this is of the form
- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
If this option is not specified, the value of the
SUDOERS_BASE environment variable will be used instead. Only
necessary when converting to LDIF format.
@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN
Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by
default when the output _f_o_r_m_a_t is JSON or sudoers.
- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
Specify the output format (case-insensitive). The following
formats are supported:
diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
index b159ee5d..2f45ee1d 100644
--- a/doc/cvtsudoers.man.in
+++ b/doc/cvtsudoers.man.in
@@ -59,7 +59,7 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
-\fRou=SUDOers,dc=-mydomain,dc=com\fR
+\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
If this option is not specified, the value of the
@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
\fIformat\fR
is JSON or sudoers.
.TP 12n
-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
Specify the output format (case-insensitive).
The following formats are supported:
.PP
diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
index 1812bc67..8261ddc6 100644
--- a/doc/cvtsudoers.mdoc.in
+++ b/doc/cvtsudoers.mdoc.in
@@ -57,7 +57,7 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
-.Li ou=SUDOers,dc=-mydomain,dc=com
+.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
If this option is not specified, the value of the
@@ -110,7 +110,7 @@ Expand aliases in
Aliases are preserved by default when the output
.Ar format
is JSON or sudoers.
-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive).
The following formats are supported:
.Bl -tag -width 8n
--
2.17.2

96
SOURCES/sudo-1.8.28-CVE-strtouid-test.patch Normal file
View File

@ -0,0 +1,96 @@
diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c
--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
+++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2014-2019 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -24,6 +24,7 @@
#else
# include "compat/stdbool.h"
#endif
+#include <errno.h>
#include "sudo_compat.h"
#include "sudo_util.h"
@@ -78,15 +79,20 @@ static struct strtoid_data {
id_t id;
const char *sep;
const char *ep;
+ int errnum;
} strtoid_data[] = {
- { "0,1", 0, ",", "," },
- { "10", 10, NULL, NULL },
- { "-2", -2, NULL, NULL },
+ { "0,1", 0, ",", ",", 0 },
+ { "10", 10, NULL, NULL, 0 },
+ { "-1", 0, NULL, NULL, EINVAL },
+ { "4294967295", 0, NULL, NULL, EINVAL },
+ { "4294967296", 0, NULL, NULL, ERANGE },
+ { "-2147483649", 0, NULL, NULL, ERANGE },
+ { "-2", -2, NULL, NULL, 0 },
#if SIZEOF_ID_T != SIZEOF_LONG_LONG
- { "-2", (id_t)4294967294U, NULL, NULL },
+ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
#endif
- { "4294967294", (id_t)4294967294U, NULL, NULL },
- { NULL, 0, NULL, NULL }
+ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
+ { NULL, 0, NULL, NULL, 0 }
};
static int
@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
(*ntests)++;
errstr = "some error";
value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
- if (errstr != NULL) {
- if (d->id != (id_t)-1) {
- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+ if (d->errnum != 0) {
+ if (errstr == NULL) {
+ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
+ d->idstr, d->errnum);
+ errors++;
+ } else if (value != 0) {
+ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
+ d->idstr);
+ errors++;
+ } else if (errno != d->errnum) {
+ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
+ d->idstr, errno, d->errnum);
errors++;
}
+ } else if (errstr != NULL) {
+ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+ errors++;
} else if (value != d->id) {
sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
errors++;
diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok
--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
+++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200
@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
Entries for user root:
Command unmatched
-testsudoers: test5.inc should be owned by gid 4294967295
+testsudoers: test5.inc should be owned by gid 4294967294
Parse error in sudoers near line 1.
Entries for user root:
diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh
--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
+++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200
@@ -24,7 +24,7 @@ EOF
# Test group writable
chmod 664 $TESTFILE
-./testsudoers -U $MYUID -G -1 root id <<EOF
+./testsudoers -U $MYUID -G -2 root id <<EOF
#include $TESTFILE
EOF

172
SOURCES/sudo-1.8.28-CVE-strtouid.patch Normal file
View File

@ -0,0 +1,172 @@
Treat an ID of -1 as invalid since that means "no change".
Fixes CVE-2019-14287.
Found by Joe Vennix from Apple Information Security.
diff -r fcd7a6d8330e lib/util/strtoid.c
--- a/lib/util/strtoid.c Fri Jan 11 13:31:15 2019 -0700
+++ b/lib/util/strtoid.c Thu Oct 10 09:52:12 2019 -0600
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -47,6 +47,27 @@
#include "sudo_util.h"
/*
+ * Make sure that the ID ends with a valid separator char.
+ */
+static bool
+valid_separator(const char *p, const char *ep, const char *sep)
+{
+ bool valid = false;
+ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
+
+ if (ep != p) {
+ /* check for valid separator (including '\0') */
+ if (sep == NULL)
+ sep = "";
+ do {
+ if (*ep == *sep)
+ valid = true;
+ } while (*sep++ != '\0');
+ }
+ debug_return_bool(valid);
+}
+
+/*
* Parse a uid/gid in string form.
* If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
* If endp is non-NULL it is set to the next char after the ID.
@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
char *ep;
id_t ret = 0;
long long llval;
- bool valid = false;
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
/* skip leading space so we can pick up the sign, if any */
while (isspace((unsigned char)*p))
p++;
- if (sep == NULL)
- sep = "";
+
+ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
errno = 0;
llval = strtoll(p, &ep, 10);
- if (ep != p) {
- /* check for valid separator (including '\0') */
- do {
- if (*ep == *sep)
- valid = true;
- } while (*sep++ != '\0');
+ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
}
- if (!valid) {
+ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too small");
+ goto done;
+ }
+
+ /* Disallow id -1, which means "no change". */
+ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
if (errstr != NULL)
*errstr = N_("invalid value");
errno = EINVAL;
goto done;
}
- if (errno == ERANGE) {
- if (errstr != NULL) {
- if (llval == LLONG_MAX)
- *errstr = N_("value too large");
- else
- *errstr = N_("value too small");
- }
- goto done;
- }
ret = (id_t)llval;
if (errstr != NULL)
*errstr = NULL;
@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
{
char *ep;
id_t ret = 0;
- bool valid = false;
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
/* skip leading space so we can pick up the sign, if any */
while (isspace((unsigned char)*p))
p++;
- if (sep == NULL)
- sep = "";
+
errno = 0;
if (*p == '-') {
long lval = strtol(p, &ep, 10);
- if (ep != p) {
- /* check for valid separator (including '\0') */
- do {
- if (*ep == *sep)
- valid = true;
- } while (*sep++ != '\0');
- }
- if (!valid) {
- if (errstr != NULL)
- *errstr = N_("invalid value");
- errno = EINVAL;
- goto done;
- }
if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
errno = ERANGE;
if (errstr != NULL)
@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
*errstr = N_("value too small");
goto done;
}
- ret = (id_t)lval;
- } else {
- unsigned long ulval = strtoul(p, &ep, 10);
- if (ep != p) {
- /* check for valid separator (including '\0') */
- do {
- if (*ep == *sep)
- valid = true;
- } while (*sep++ != '\0');
- }
- if (!valid) {
+
+ /* Disallow id -1, which means "no change". */
+ if (!valid_separator(p, ep, sep) || lval == -1) {
if (errstr != NULL)
*errstr = N_("invalid value");
errno = EINVAL;
goto done;
}
+ ret = (id_t)lval;
+ } else {
+ unsigned long ulval = strtoul(p, &ep, 10);
if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
errno = ERANGE;
if (errstr != NULL)
*errstr = N_("value too large");
goto done;
}
+
+ /* Disallow id -1, which means "no change". */
+ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
ret = (id_t)ulval;
}
if (errstr != NULL)

158
SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch Normal file
View File

@ -0,0 +1,158 @@
diff -up ./src/tgetpass.c.bla ./src/tgetpass.c
--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200
+++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100
@@ -44,11 +44,18 @@
#include "sudo.h"
#include "sudo_plugin.h"
+enum tgetpass_errval {
+ TGP_ERRVAL_NOERROR,
+ TGP_ERRVAL_TIMEOUT,
+ TGP_ERRVAL_NOPASSWORD,
+ TGP_ERRVAL_READERROR
+};
+
static volatile sig_atomic_t signo[NSIG];
static bool tty_present(void);
static void tgetpass_handler(int);
-static char *getln(int, char *, size_t, int);
+static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
static char *sudo_askpass(const char *, const char *);
static int
@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call
debug_return_int(ret);
}
+static void
+tgetpass_display_error(enum tgetpass_errval errval)
+{
+ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV)
+
+ switch (errval) {
+ case TGP_ERRVAL_NOERROR:
+ break;
+ case TGP_ERRVAL_TIMEOUT:
+ sudo_warnx(U_("timed out reading password"));
+ break;
+ case TGP_ERRVAL_NOPASSWORD:
+ sudo_warnx(U_("no password was provided"));
+ break;
+ case TGP_ERRVAL_READERROR:
+ sudo_warn(U_("unable to read password"));
+ break;
+ }
+ debug_return;
+}
+
/*
* Like getpass(3) but with timeout and echo flags.
*/
@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout
static const char *askpass;
static char buf[SUDO_CONV_REPL_MAX + 1];
int i, input, output, save_errno, neednl = 0, need_restart;
+ enum tgetpass_errval errval;
debug_decl(tgetpass, SUDO_DEBUG_CONV)
(void) fflush(stdout);
@@ -175,7 +204,7 @@ restart:
if (timeout > 0)
alarm(timeout);
- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
+ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
alarm(0);
save_errno = errno;
@@ -183,6 +212,7 @@ restart:
if (write(output, "\n", 1) == -1)
goto restore;
}
+ tgetpass_display_error(errval);
restore:
/* Restore old signal handlers. */
@@ -210,6 +240,8 @@ restore:
for (i = 0; i < NSIG; i++) {
if (signo[i]) {
switch (i) {
+ case SIGALRM:
+ break;
case SIGTSTP:
case SIGTTIN:
case SIGTTOU:
@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const
{
static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
struct sigaction sa, savechld;
+ enum tgetpass_errval errval;
int pfd[2], status;
pid_t child;
debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const
/* Get response from child (askpass). */
(void) close(pfd[1]);
- pass = getln(pfd[0], buf, sizeof(buf), 0);
+ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval);
(void) close(pfd[0]);
+ tgetpass_display_error(errval);
+
/* Wait for child to exit. */
for (;;) {
pid_t rv = waitpid(child, &status, 0);
@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const
extern int sudo_term_erase, sudo_term_kill;
static char *
-getln(int fd, char *buf, size_t bufsiz, int feedback)
+getln(int fd, char *buf, size_t bufsiz, int feedback,
+ enum tgetpass_errval *errval)
{
size_t left = bufsiz;
ssize_t nr = -1;
@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz,
char c = '\0';
debug_decl(getln, SUDO_DEBUG_CONV)
+ *errval = TGP_ERRVAL_NOERROR;
+
if (left == 0) {
+ *errval = TGP_ERRVAL_READERROR;
errno = EINVAL;
debug_return_str(NULL); /* sanity */
}
@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz,
}
}
- debug_return_str_masked(nr == 1 ? buf : NULL);
+ if (nr != 1) {
+ if (nr == 0) {
+ *errval = TGP_ERRVAL_NOPASSWORD;
+ } else if (nr == -1) {
+ if (errno == EINTR) {
+ if (signo[SIGALRM] == 1)
+ *errval = TGP_ERRVAL_TIMEOUT;
+ } else {
+ *errval = TGP_ERRVAL_READERROR;
+ }
+ }
+ debug_return_str(NULL);
+ }
+
+ debug_return_str_masked(buf);
}
static void
tgetpass_handler(int s)
{
- if (s != SIGALRM)
- signo[s] = 1;
+ signo[s] = 1;
}
static bool

77
SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch Normal file
View File

@ -0,0 +1,77 @@
diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100
+++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100
@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG]
static bool tty_present(void);
static void tgetpass_handler(int);
-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
static char *sudo_askpass(const char *, const char *);
static int
@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout
static const char *askpass;
static char buf[SUDO_CONV_REPL_MAX + 1];
int i, input, output, save_errno, neednl = 0, need_restart;
+ bool feedback = ISSET(flags, TGP_MASK);
enum tgetpass_errval errval;
debug_decl(tgetpass, SUDO_DEBUG_CONV)
@@ -165,7 +166,7 @@ restart:
*/
if (!ISSET(flags, TGP_ECHO)) {
for (;;) {
- if (ISSET(flags, TGP_MASK))
+ if (feedback)
neednl = sudo_term_cbreak(input);
else
neednl = sudo_term_noecho(input);
@@ -179,6 +180,9 @@ restart:
}
}
}
+ /* Only use feedback mode when we can disable echo. */
+ if (!neednl)
+ feedback = false;
/*
* Catch signals that would otherwise cause the user to end
@@ -204,7 +208,7 @@ restart:
if (timeout > 0)
alarm(timeout);
- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+ pass = getln(input, buf, sizeof(buf), feedback, &errval);
alarm(0);
save_errno = errno;
@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const
extern int sudo_term_erase, sudo_term_kill;
static char *
-getln(int fd, char *buf, size_t bufsiz, int feedback,
+getln(int fd, char *buf, size_t bufsiz, bool feedback,
enum tgetpass_errval *errval)
{
size_t left = bufsiz;
@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz,
while (cp > buf) {
if (write(fd, "\b \b", 3) == -1)
break;
- --cp;
+ cp--;
}
+ cp = buf;
left = bufsiz;
continue;
} else if (c == sudo_term_erase) {
if (cp > buf) {
- if (write(fd, "\b \b", 3) == -1)
- break;
- --cp;
+ ignore_result(write(fd, "\b \b", 3));
+ cp--;
left++;
}
continue;

90
SOURCES/sudo-1.8.6p7-logsudouser.patch Normal file
View File

@ -0,0 +1,90 @@
From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
From: Tomas Sykora <tosykora@redhat.com>
Date: Wed, 17 Aug 2016 10:12:11 +0200
Subject: [PATCH] Sudo logs username root instead of realuser
RHEL7 sudo logs username root instead of realuser in /var/log/secure
Rebased from:
Patch50: sudo-1.8.6p7-logsudouser.patch
Resolves:
rhbz#1312486
---
plugins/sudoers/logging.c | 14 +++++++-------
plugins/sudoers/sudoers.h | 1 +
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index 45cae67..74b2220 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
* Log the full line, breaking into multiple syslog(3) calls if necessary
*/
fmt = _("%8s : %s");
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
for (p = msg; *p != '\0'; ) {
len = strlen(p);
if (len > maxlen) {
@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
save = *tmp;
*tmp = '\0';
- mysyslog(pri, fmt, user_name, p);
+ mysyslog(pri, fmt, sudo_user_name, p);
*tmp = save; /* restore saved character */
@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
for (p = tmp; *p == ' '; p++)
continue;
} else {
- mysyslog(pri, fmt, user_name, p);
+ mysyslog(pri, fmt, sudo_user_name, p);
p += len;
}
fmt = _("%8s : (command continued) %s");
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
}
sudoers_setlocale(oldlocale, NULL);
@@ -179,10 +179,10 @@ do_logfile(const char *msg)
timestr = "invalid date";
if (def_log_host) {
len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
- timestr, user_name, user_srunhost, msg);
+ timestr, sudo_user_name, user_srunhost, msg);
} else {
len = asprintf(&full_line, "%s : %s : %s",
- timestr, user_name, msg);
+ timestr, sudo_user_name, msg);
}
if (len == -1) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
timestr = "invalid date";
- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
+ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
va_start(ap, fmt);
(void) vfprintf(mail, fmt, ap);
va_end(ap);
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index cfd5abb..c69a043 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -180,6 +180,7 @@ struct sudo_user {
/*
* Shortcuts for sudo_user contents.
*/
+#define sudo_user_name (sudo_user.pw->pw_name)
#define user_name (sudo_user.name)
#define user_uid (sudo_user.uid)
#define user_gid (sudo_user.gid)
--
2.7.4

86
SOURCES/sudo-ldap.conf Normal file
View File

@ -0,0 +1,86 @@
## BINDDN DN
## The BINDDN parameter specifies the identity, in the form of a Dis
## tinguished Name (DN), to use when performing LDAP operations. If
## not specified, LDAP operations are performed with an anonymous
## identity. By default, most LDAP servers will allow anonymous
## access.
##
#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
## BINDPW secret
## The BINDPW parameter specifies the password to use when performing
## LDAP operations. This is typically used in conjunction with the
## BINDDN parameter.
##
#bindpw secret
## SSL start_tls
## If the SSL parameter is set to start_tls, the LDAP server connec
## tion is initiated normally and TLS encryption is begun before the
## bind credentials are sent. This has the advantage of not requiring
## a dedicated port for encrypted communications. This parameter is
## only supported by LDAP servers that honor the start_tls extension,
## such as the OpenLDAP and Tivoli Directory servers.
##
#ssl start_tls
## TLS_CACERTFILE file name
## The path to a certificate authority bundle which contains the cer
## tificates for all the Certificate Authorities the client knows to
## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup
## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
## use the same certificate database for CA and client certificates
## (see TLS_CERT).
##
#tls_cacertfile /path/to/CA.crt
## TLS_CHECKPEER on/true/yes/off/false/no
## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi
## cated to be verified. If the server's TLS certificate cannot be
## verified (usually because it is signed by an unknown certificate
## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
## is disabled, no check is made. Note that disabling the check cre
## ates an opportunity for man-in-the-middle attacks since the
## server's identity will not be authenticated. If possible, the CA's
## certificate should be installed locally so it can be verified.
## This option is not supported by the Tivoli Directory Server LDAP
## libraries.
#tls_checkpeer yes
##
## URI ldap[s]://[hostname[:port]] ...
## Specifies a whitespace-delimited list of one or more
## URIs describing the LDAP server(s) to connect to.
##
#uri ldap://ldapserver
##
## SUDOERS_BASE base
## The base DN to use when performing sudo LDAP queries.
## Multiple SUDOERS_BASE lines may be specified, in which
## case they are queried in the order specified.
##
#sudoers_base ou=SUDOers,dc=example,dc=com
##
## BIND_TIMELIMIT seconds
## The BIND_TIMELIMIT parameter specifies the amount of
## time to wait while trying to connect to an LDAP server.
##
#bind_timelimit 30
##
## TIMELIMIT seconds
## The TIMELIMIT parameter specifies the amount of time
## to wait for a response to an LDAP query.
##
#timelimit 30
##
## SUDOERS_DEBUG debug_level
## This sets the debug level for sudo LDAP queries. Debugging
## information is printed to the standard error. A value of 1
## results in a moderate amount of debugging information.
## A value of 2 shows the results of the matches themselves.
##
#sudoers_debug 1

57
SOURCES/sudo.conf Normal file
View File

@ -0,0 +1,57 @@
#
# Default /etc/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# Sudo plugins:
#
# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
#
# Sudo askpass:
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own passpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo noexec:
#
# Path to a shared library containing dummy versions of the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support C<LD_PRELOAD> or its equivalent.
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec /usr/libexec/sudo_noexec.so
#
# Core dumps:
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
#
Set disable_coredump false

120
SOURCES/sudoers Normal file
View File

@ -0,0 +1,120 @@
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid
# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

1033
SPECS/sudo.spec Normal file
View File

File diff suppressed because it is too large Load Diff