From c6383df712088f18fdab0e5d098e5b7379e6ade4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 13 Feb 2020 04:09:18 -0500 Subject: [PATCH] import sudo-1.8.25p1-8.el8_1.1 --- .gitignore | 1 + .sudo.metadata | 1 + SOURCES/sudo-1.6.7p5-strip.patch | 11 + SOURCES/sudo-1.7.2p1-envdebug.patch | 27 + ...le-quote-parsing-for-Defaults-values.patch | 70 ++ SOURCES/sudo-1.8.23-ldapsearchuidfix.patch | 27 + .../sudo-1.8.23-legacy-group-processing.patch | 89 ++ SOURCES/sudo-1.8.23-nowaitopt.patch | 61 + .../sudo-1.8.23-pam-expired-passwords.patch | 103 ++ SOURCES/sudo-1.8.23-sudoldapconfman.patch | 32 + SOURCES/sudo-1.8.23-who-am-i.patch | 56 + SOURCES/sudo-1.8.25-c-option-help.patch | 25 + SOURCES/sudo-1.8.25-ipa-hostname.patch | 1063 +++++++++++++++++ .../sudo-1.8.25-ldap-backend-parsing-1.patch | 65 + .../sudo-1.8.25-ldap-backend-parsing-2.patch | 57 + ...8.25-sudoreplay-missing-options-help.patch | 27 + SOURCES/sudo-1.8.25-typos-manpages.patch | 80 ++ SOURCES/sudo-1.8.28-CVE-strtouid-test.patch | 96 ++ SOURCES/sudo-1.8.28-CVE-strtouid.patch | 172 +++ .../sudo-1.8.29-CVE-2019-18634-part1.patch | 158 +++ .../sudo-1.8.29-CVE-2019-18634-part2.patch | 77 ++ SOURCES/sudo-1.8.6p7-logsudouser.patch | 90 ++ SOURCES/sudo-ldap.conf | 86 ++ SOURCES/sudo.conf | 57 + SOURCES/sudoers | 120 ++ SPECS/sudo.spec | 1033 ++++++++++++++++ 26 files changed, 3684 insertions(+) create mode 100644 .gitignore create mode 100644 .sudo.metadata create mode 100644 SOURCES/sudo-1.6.7p5-strip.patch create mode 100644 SOURCES/sudo-1.7.2p1-envdebug.patch create mode 100644 SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch create mode 100644 SOURCES/sudo-1.8.23-ldapsearchuidfix.patch create mode 100644 SOURCES/sudo-1.8.23-legacy-group-processing.patch create mode 100644 SOURCES/sudo-1.8.23-nowaitopt.patch create mode 100644 SOURCES/sudo-1.8.23-pam-expired-passwords.patch create mode 100644 SOURCES/sudo-1.8.23-sudoldapconfman.patch create mode 100644 SOURCES/sudo-1.8.23-who-am-i.patch create mode 100644 SOURCES/sudo-1.8.25-c-option-help.patch create mode 100644 SOURCES/sudo-1.8.25-ipa-hostname.patch create mode 100644 SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch create mode 100644 SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch create mode 100644 SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch create mode 100644 SOURCES/sudo-1.8.25-typos-manpages.patch create mode 100644 SOURCES/sudo-1.8.28-CVE-strtouid-test.patch create mode 100644 SOURCES/sudo-1.8.28-CVE-strtouid.patch create mode 100644 SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch create mode 100644 SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch create mode 100644 SOURCES/sudo-1.8.6p7-logsudouser.patch create mode 100644 SOURCES/sudo-ldap.conf create mode 100644 SOURCES/sudo.conf create mode 100644 SOURCES/sudoers create mode 100644 SPECS/sudo.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9e53a0f --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/sudo-1.8.25p1.tar.gz diff --git a/.sudo.metadata b/.sudo.metadata new file mode 100644 index 0000000..a9c3233 --- /dev/null +++ b/.sudo.metadata @@ -0,0 +1 @@ +dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz diff --git a/SOURCES/sudo-1.6.7p5-strip.patch b/SOURCES/sudo-1.6.7p5-strip.patch new file mode 100644 index 0000000..f9e2faa --- /dev/null +++ b/SOURCES/sudo-1.6.7p5-strip.patch @@ -0,0 +1,11 @@ +--- sudo-1.6.7p5/install-sh.strip 2005-07-21 14:28:25.000000000 +0200 ++++ sudo-1.6.7p5/install-sh 2005-07-21 14:29:18.000000000 +0200 +@@ -138,7 +138,7 @@ + fi + ;; + X-s) +- STRIPIT=true ++ #STRIPIT=true + ;; + X--) + shift diff --git a/SOURCES/sudo-1.7.2p1-envdebug.patch b/SOURCES/sudo-1.7.2p1-envdebug.patch new file mode 100644 index 0000000..94c719a --- /dev/null +++ b/SOURCES/sudo-1.7.2p1-envdebug.patch @@ -0,0 +1,27 @@ +From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 14:07:35 +0200 +Subject: [PATCH 02/10] Added "Enviroment debugging" message + +rebased from: +Patch2: sudo-1.7.2p1-envdebug.patch +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 9feddfd..39a2d86 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug, + [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])], + [ case "$enableval" in + yes) AC_MSG_RESULT(yes) +- AC_DEFINE(ENV_DEBUG) ++ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.]) + ;; + no) AC_MSG_RESULT(no) + ;; +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch new file mode 100644 index 0000000..25bbfe9 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch @@ -0,0 +1,70 @@ +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200 +@@ -34,7 +34,7 @@ + }, + { + "Binding": [ +- { "username": "%them" } ++ { "usergroup": "them" } + ], + "Options": [ + { "set_home": true } +@@ -42,7 +42,7 @@ + }, + { + "Binding": [ +- { "username": "%: non UNIX 0 c" } ++ { "nonunixgroup": " non UNIX 0 c" } + ], + "Options": [ + { "set_home": true } +@@ -50,7 +50,7 @@ + }, + { + "Binding": [ +- { "username": "+net" } ++ { "netgroup": "net" } + ], + "Options": [ + { "set_home": true } +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200 +@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO + # + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR + + # + DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c +--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200 +@@ -2395,7 +2395,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l +--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200 +@@ -187,7 +187,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch new file mode 100644 index 0000000..9698d23 --- /dev/null +++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch @@ -0,0 +1,27 @@ +diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c +--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200 +@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + if (ldap_conf.search_filter) + sz += strlen(ldap_conf.search_filter); + +- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ +- sz += 29 + sudo_ldap_value_len(pw->pw_name); ++ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ ++ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); + + /* Add space for primary and supplementary groups and gids */ + if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { +@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + CHECK_LDAP_VCAT(buf, pw->pw_name, sz); + CHECK_STRLCAT(buf, ")", sz); + ++ /* Append user uid */ ++ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); ++ (void) strlcat(buf, "(sudoUser=#", sz); ++ (void) strlcat(buf, gidbuf, sz); ++ (void) strlcat(buf, ")", sz); ++ + /* Append primary group and gid */ + if (grp != NULL) { + CHECK_STRLCAT(buf, "(sudoUser=%", sz); diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch new file mode 100644 index 0000000..8cb6a8f --- /dev/null +++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch @@ -0,0 +1,89 @@ +diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c +--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200 ++++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200 +@@ -321,6 +321,15 @@ main(int argc, char *argv[]) + sudo_fatalx("error: unhandled input %d", input_format); + } + ++ /* ++ * cvtsudoers group filtering doesn't work if def_match_group_by_gid ++ * is set to true by default (at compile-time). It cannot be set to false ++ * because cvtsudoers doesn't apply the parsed Defaults. ++ * ++ * Related: sudo-1.8.23-legacy-group-processing.patch ++ */ ++ def_match_group_by_gid = def_legacy_group_processing = false; ++ + /* Apply filters. */ + filter_userspecs(&parsed_policy, conf); + filter_defaults(&parsed_policy, conf); +diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c +--- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200 ++++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200 +@@ -86,6 +86,7 @@ static struct early_default early_defaul + { I_FQDN }, + #endif + { I_MATCH_GROUP_BY_GID }, ++ { I_LEGACY_GROUP_PROCESSING }, + { I_GROUP_PLUGIN }, + { I_RUNAS_DEFAULT }, + { I_SUDOERS_LOCALE }, +@@ -487,6 +488,8 @@ init_defaults(void) + } + + /* First initialize the flags. */ ++ def_legacy_group_processing = true; ++ def_match_group_by_gid = true; + #ifdef LONG_OTP_PROMPT + def_long_otp_prompt = true; + #endif +diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c +--- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200 ++++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200 +@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Ignore case when matching group names"), + NULL, + }, { ++ "legacy_group_processing", T_FLAG, ++ N_("Don't pre-resolve all group names"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h +--- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200 ++++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200 +@@ -226,6 +226,8 @@ + #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) + #define I_CASE_INSENSITIVE_GROUP 113 + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 114 ++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + + enum def_tuple { + never, +diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in +--- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200 ++++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200 +@@ -357,3 +357,6 @@ case_insensitive_user + case_insensitive_group + T_FLAG + "Ignore case when matching group names" ++legacy_group_processing ++ T_FLAG ++ "Don't pre-resolve all group names" +diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c +--- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200 ++++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200 +@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c + if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw)) + ret = true; + ++ if (!def_match_group_by_gid || !def_legacy_group_processing) { ++ def_match_group_by_gid = false; ++ def_legacy_group_processing = false; ++ } + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch new file mode 100644 index 0000000..6406396 --- /dev/null +++ b/SOURCES/sudo-1.8.23-nowaitopt.patch @@ -0,0 +1,61 @@ +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200 +@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't pre-resolve all group names"), + NULL, + }, { ++ "cmnd_no_wait", T_FLAG, ++ N_("Don't fork and wait for the command to finish, just exec it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200 +@@ -228,6 +228,8 @@ + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 114 + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) ++#define I_CMND_NO_WAIT 115 ++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200 +@@ -360,3 +360,6 @@ case_insensitive_group + legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" ++cmnd_no_wait ++ T_FLAG ++ "Don't fork and wait for the command to finish, just exec it" +diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c +--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200 +@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c + def_match_group_by_gid = false; + def_legacy_group_processing = false; + } ++ ++ /* ++ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation ++ * and I/O logging. This will cause sudo to execute the given command ++ * directly instead of forking a separate process for it. ++ */ ++ if (def_cmnd_no_wait) { ++ def_pam_setcred = false; ++ def_pam_session = false; ++ def_use_pty = false; ++ def_log_input = false; ++ def_log_output = false; ++ } ++ + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch new file mode 100644 index 0000000..bf2078a --- /dev/null +++ b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch @@ -0,0 +1,103 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1544201494 25200 +# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5 +# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce +The fix for bug #843 was incomplete and caused pam_end() to be called early. +sudo_pam_approval() must not set the global pam status to an error +value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup() +will call pam_end() before sudo_pam_begin_session(). This resulted +in a NULL PAM handle being used in sudo_pam_begin_session(). + +diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c +--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700 ++++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700 +@@ -210,59 +210,68 @@ + sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; ++ int rc, status = AUTH_SUCCESS; + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (*pam_status) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { + case PAM_SUCCESS: +- debug_return_int(AUTH_SUCCESS); ++ break; + case PAM_AUTH_ERR: + log_warningx(0, N_("account validation failure, " + "is your account locked?")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_NEW_AUTHTOK_REQD: + /* Ignore if user is exempt from password restrictions. */ + if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ break; + /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); +- *pam_status = pam_chauthtok(pamh, +- PAM_CHANGE_EXPIRED_AUTHTOK); +- if (*pam_status == PAM_SUCCESS) +- debug_return_int(AUTH_SUCCESS); +- if ((s = pam_strerror(pamh, *pam_status)) == NULL) ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) + s = "unknown error"; + log_warningx(0, + N_("unable to change expired password: %s"), s); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + case PAM_AUTHTOK_EXPIRED: + /* Ignore if user is exempt from password restrictions. */ + if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ break; + /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_ACCT_EXPIRED: + log_warningx(0, + N_("Account expired or PAM config lacks an \"account\" " + "section for sudo, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_MAXTRIES: + case PAM_PERM_DENIED: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + default: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + } ++ /* Ignore errors if user is exempt from password restrictions. */ ++ *pam_status = exempt ? PAM_SUCCESS : rc; ++ debug_return_int(status); + } + + int + diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch new file mode 100644 index 0000000..d290162 --- /dev/null +++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch @@ -0,0 +1,32 @@ +diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in +--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/doc/Makefile.in 2018-05-17 13:56:24.693651178 +0200 +@@ -345,10 +345,16 @@ install-doc: install-dirs + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ + else \ + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ + fi + + install-plugin: +@@ -363,8 +369,9 @@ uninstall: + $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ + $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ + $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ +- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) +- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) ++ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) + + splint: + diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch new file mode 100644 index 0000000..2be1c3c --- /dev/null +++ b/SOURCES/sudo-1.8.23-who-am-i.patch @@ -0,0 +1,56 @@ +commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5 +Author: Todd C. Miller +Date: Wed Jan 2 07:39:33 2019 -0700 + + Fix setting of utmp entry when running command in a pty. + Regression introduced in sudo 1.8.22. + +diff --git a/src/exec_pty.c b/src/exec_pty.c +index cbcccca3..68312a98 100644 +--- a/src/exec_pty.c ++++ b/src/exec_pty.c +@@ -140,7 +140,7 @@ pty_cleanup(void) + * and slavename globals. + */ + static bool +-pty_setup(uid_t uid, const char *tty) ++pty_setup(struct command_details *details, const char *tty) + { + debug_decl(pty_setup, SUDO_DEBUG_EXEC); + +@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty) + } + + if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE], +- slavename, sizeof(slavename), uid)) ++ slavename, sizeof(slavename), details->euid)) + sudo_fatal(U_("unable to allocate pty")); + + /* Add entry to utmp/utmpx? */ +- if (utmp_user != NULL) ++ if (ISSET(details->flags, CD_SET_UTMP)) { ++ utmp_user = ++ details->utmp_user ? details->utmp_user : user_details.username; + utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user); ++ } + + sudo_debug_printf(SUDO_DEBUG_INFO, + "%s: %s fd %d, pty master fd %d, pty slave fd %d", +@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat) + /* + * Allocate a pty. + */ +- if (pty_setup(details->euid, user_details.tty)) { +- if (ISSET(details->flags, CD_SET_UTMP)) +- utmp_user = details->utmp_user ? details->utmp_user : user_details.username; +- } else if (TAILQ_EMPTY(&io_plugins)) { +- /* Not logging I/O and didn't allocate a pty. */ +- debug_return_bool(false); ++ if (!pty_setup(details, user_details.tty)) { ++ if (TAILQ_EMPTY(&io_plugins)) { ++ /* Not logging I/O and didn't allocate a pty. */ ++ debug_return_bool(false); ++ } + } + + /* diff --git a/SOURCES/sudo-1.8.25-c-option-help.patch b/SOURCES/sudo-1.8.25-c-option-help.patch new file mode 100644 index 0000000..5836052 --- /dev/null +++ b/SOURCES/sudo-1.8.25-c-option-help.patch @@ -0,0 +1,25 @@ +From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Tue, 11 Dec 2018 09:05:04 -0700 +Subject: [PATCH 2/4] The -c option was missing from the help info; from + Radovan Sroka + +--- + plugins/sudoers/cvtsudoers.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c +index 795936c1..0221314b 100644 +--- a/plugins/sudoers/cvtsudoers.c ++++ b/plugins/sudoers/cvtsudoers.c +@@ -1315,6 +1315,7 @@ help(void) + usage(0); + (void) puts(_("\nOptions:\n" + " -b, --base=dn the base DN for sudo LDAP queries\n" ++ " -c, --config=conf_file the path to the configuration file\n" + " -d, --defaults=deftypes only convert Defaults of the specified types\n" + " -e, --expand-aliases expand aliases when converting\n" + " -f, --output-format=format set output format: JSON, LDIF or sudoers\n" +-- +2.17.2 + diff --git a/SOURCES/sudo-1.8.25-ipa-hostname.patch b/SOURCES/sudo-1.8.25-ipa-hostname.patch new file mode 100644 index 0000000..4186974 --- /dev/null +++ b/SOURCES/sudo-1.8.25-ipa-hostname.patch @@ -0,0 +1,1063 @@ +From e99082e05b9f0dd0e0f47fa1d2e1b9d922ea8c4c Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 15 Aug 2019 14:20:12 -0600 +Subject: [PATCH] Fix special handling of ipa_hostname that was lost in sudo + 1.8.24. We now include the long and short hostname in sudo parser container. + +--- + plugins/sudoers/file.c | 2 +- + plugins/sudoers/gram.c | 215 ++++++++++++++++++++-------------------- + plugins/sudoers/gram.y | 9 +- + plugins/sudoers/ldap.c | 2 +- + plugins/sudoers/match.c | 23 +++-- + plugins/sudoers/parse.h | 3 +- + plugins/sudoers/sssd.c | 7 +- + 7 files changed, 140 insertions(+), 121 deletions(-) + +diff --git a/plugins/sudoers/file.c b/plugins/sudoers/file.c +index fff78a19..5028ce01 100644 +--- a/plugins/sudoers/file.c ++++ b/plugins/sudoers/file.c +@@ -85,7 +85,7 @@ sudo_file_open(struct sudo_nss *nss) + if (handle != NULL) { + handle->fp = open_sudoers(sudoers_file, false, NULL); + if (handle->fp != NULL) { +- init_parse_tree(&handle->parse_tree); ++ init_parse_tree(&handle->parse_tree, NULL, NULL); + } else { + free(handle); + handle = NULL; +diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c +index 343e4299..6545e129 100644 +--- a/plugins/sudoers/gram.c ++++ b/plugins/sudoers/gram.c +@@ -106,7 +106,9 @@ char *errorfile = NULL; + struct sudoers_parse_tree parsed_policy = { + TAILQ_HEAD_INITIALIZER(parsed_policy.userspecs), + TAILQ_HEAD_INITIALIZER(parsed_policy.defaults), +- NULL /* aliases */ ++ NULL, /* aliases */ ++ NULL, /* lhost */ ++ NULL /* shost */ + }; + + /* +@@ -118,7 +120,7 @@ static bool add_userspec(struct member *, struct privilege *); + static struct defaults *new_default(char *, char *, short); + static struct member *new_member(char *, int); + static struct command_digest *new_digest(int, char *); +-#line 80 "gram.y" ++#line 82 "gram.y" + #ifndef YYSTYPE_DEFINED + #define YYSTYPE_DEFINED + typedef union { +@@ -135,7 +137,7 @@ typedef union { + int tok; + } YYSTYPE; + #endif /* YYSTYPE_DEFINED */ +-#line 133 "gram.c" ++#line 135 "gram.c" + #define COMMAND 257 + #define ALIAS 258 + #define DEFVAR 259 +@@ -675,7 +677,7 @@ short *yysslim; + YYSTYPE *yyvs; + unsigned int yystacksize; + int yyparse(void); +-#line 906 "gram.y" ++#line 908 "gram.y" + void + sudoerserror(const char *s) + { +@@ -1019,11 +1021,14 @@ free_userspec(struct userspec *us) + * Initialized a sudoers parse tree. + */ + void +-init_parse_tree(struct sudoers_parse_tree *parse_tree) ++init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost, ++ const char *shost) + { + TAILQ_INIT(&parse_tree->userspecs); + TAILQ_INIT(&parse_tree->defaults); + parse_tree->aliases = NULL; ++ parse_tree->shost = shost; ++ parse_tree->lhost = lhost; + } + + /* +@@ -1100,7 +1105,7 @@ init_options(struct command_options *opts) + opts->limitprivs = NULL; + #endif + } +-#line 1046 "gram.c" ++#line 1051 "gram.c" + /* allocate initial stack or double stack size, up to YYMAXDEPTH */ + #if defined(__cplusplus) || defined(__STDC__) + static int yygrowstack(void) +@@ -1309,23 +1314,23 @@ yyparse() + switch (yyn) + { + case 1: +-#line 178 "gram.y" ++#line 180 "gram.y" + { ; } + break; + case 5: +-#line 186 "gram.y" ++#line 188 "gram.y" + { + ; + } + break; + case 6: +-#line 189 "gram.y" ++#line 191 "gram.y" + { + yyerrok; + } + break; + case 7: +-#line 192 "gram.y" ++#line 194 "gram.y" + { + if (!add_userspec(yyvsp[-1].member, yyvsp[0].privilege)) { + sudoerserror(N_("unable to allocate memory")); +@@ -1334,73 +1339,73 @@ case 7: + } + break; + case 8: +-#line 198 "gram.y" ++#line 200 "gram.y" + { + ; + } + break; + case 9: +-#line 201 "gram.y" ++#line 203 "gram.y" + { + ; + } + break; + case 10: +-#line 204 "gram.y" ++#line 206 "gram.y" + { + ; + } + break; + case 11: +-#line 207 "gram.y" ++#line 209 "gram.y" + { + ; + } + break; + case 12: +-#line 210 "gram.y" ++#line 212 "gram.y" + { + if (!add_defaults(DEFAULTS, NULL, yyvsp[0].defaults)) + YYERROR; + } + break; + case 13: +-#line 214 "gram.y" ++#line 216 "gram.y" + { + if (!add_defaults(DEFAULTS_USER, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 14: +-#line 218 "gram.y" ++#line 220 "gram.y" + { + if (!add_defaults(DEFAULTS_RUNAS, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 15: +-#line 222 "gram.y" ++#line 224 "gram.y" + { + if (!add_defaults(DEFAULTS_HOST, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 16: +-#line 226 "gram.y" ++#line 228 "gram.y" + { + if (!add_defaults(DEFAULTS_CMND, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 18: +-#line 233 "gram.y" ++#line 235 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].defaults, yyvsp[0].defaults, entries); + yyval.defaults = yyvsp[-2].defaults; + } + break; + case 19: +-#line 239 "gram.y" ++#line 241 "gram.y" + { + yyval.defaults = new_default(yyvsp[0].string, NULL, true); + if (yyval.defaults == NULL) { +@@ -1410,7 +1415,7 @@ case 19: + } + break; + case 20: +-#line 246 "gram.y" ++#line 248 "gram.y" + { + yyval.defaults = new_default(yyvsp[0].string, NULL, false); + if (yyval.defaults == NULL) { +@@ -1420,7 +1425,7 @@ case 20: + } + break; + case 21: +-#line 253 "gram.y" ++#line 255 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, true); + if (yyval.defaults == NULL) { +@@ -1430,7 +1435,7 @@ case 21: + } + break; + case 22: +-#line 260 "gram.y" ++#line 262 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '+'); + if (yyval.defaults == NULL) { +@@ -1440,7 +1445,7 @@ case 22: + } + break; + case 23: +-#line 267 "gram.y" ++#line 269 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '-'); + if (yyval.defaults == NULL) { +@@ -1450,14 +1455,14 @@ case 23: + } + break; + case 25: +-#line 277 "gram.y" ++#line 279 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].privilege, yyvsp[0].privilege, entries); + yyval.privilege = yyvsp[-2].privilege; + } + break; + case 26: +-#line 283 "gram.y" ++#line 285 "gram.y" + { + struct privilege *p = calloc(1, sizeof(*p)); + if (p == NULL) { +@@ -1472,21 +1477,21 @@ case 26: + } + break; + case 27: +-#line 297 "gram.y" ++#line 299 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 28: +-#line 301 "gram.y" ++#line 303 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 29: +-#line 307 "gram.y" ++#line 309 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -1496,7 +1501,7 @@ case 29: + } + break; + case 30: +-#line 314 "gram.y" ++#line 316 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -1506,7 +1511,7 @@ case 30: + } + break; + case 31: +-#line 321 "gram.y" ++#line 323 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NETGROUP); + if (yyval.member == NULL) { +@@ -1516,7 +1521,7 @@ case 31: + } + break; + case 32: +-#line 328 "gram.y" ++#line 330 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NTWKADDR); + if (yyval.member == NULL) { +@@ -1526,7 +1531,7 @@ case 32: + } + break; + case 33: +-#line 335 "gram.y" ++#line 337 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -1536,7 +1541,7 @@ case 33: + } + break; + case 35: +-#line 345 "gram.y" ++#line 347 "gram.y" + { + struct cmndspec *prev; + prev = HLTQ_LAST(yyvsp[-2].cmndspec, cmndspec, entries); +@@ -1590,7 +1595,7 @@ case 35: + } + break; + case 36: +-#line 398 "gram.y" ++#line 400 "gram.y" + { + struct cmndspec *cs = calloc(1, sizeof(*cs)); + if (cs == NULL) { +@@ -1642,7 +1647,7 @@ case 36: + } + break; + case 37: +-#line 449 "gram.y" ++#line 451 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA224, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1652,7 +1657,7 @@ case 37: + } + break; + case 38: +-#line 456 "gram.y" ++#line 458 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA256, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1662,7 +1667,7 @@ case 38: + } + break; + case 39: +-#line 463 "gram.y" ++#line 465 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA384, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1672,7 +1677,7 @@ case 39: + } + break; + case 40: +-#line 470 "gram.y" ++#line 472 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA512, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1682,13 +1687,13 @@ case 40: + } + break; + case 41: +-#line 479 "gram.y" ++#line 481 "gram.y" + { + yyval.member = yyvsp[0].member; + } + break; + case 42: +-#line 482 "gram.y" ++#line 484 "gram.y" + { + if (yyvsp[0].member->type != COMMAND) { + sudoerserror(N_("a digest requires a path name")); +@@ -1700,75 +1705,75 @@ case 42: + } + break; + case 43: +-#line 493 "gram.y" ++#line 495 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 44: +-#line 497 "gram.y" ++#line 499 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 45: +-#line 503 "gram.y" ++#line 505 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 46: +-#line 508 "gram.y" ++#line 510 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 47: +-#line 512 "gram.y" ++#line 514 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 48: +-#line 517 "gram.y" ++#line 519 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 49: +-#line 522 "gram.y" ++#line 524 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 50: +-#line 527 "gram.y" ++#line 529 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 51: +-#line 531 "gram.y" ++#line 533 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 52: +-#line 536 "gram.y" ++#line 538 "gram.y" + { + yyval.runas = NULL; + } + break; + case 53: +-#line 539 "gram.y" ++#line 541 "gram.y" + { + yyval.runas = yyvsp[-1].runas; + } + break; + case 54: +-#line 544 "gram.y" ++#line 546 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas != NULL) { +@@ -1786,7 +1791,7 @@ case 54: + } + break; + case 55: +-#line 559 "gram.y" ++#line 561 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1798,7 +1803,7 @@ case 55: + } + break; + case 56: +-#line 568 "gram.y" ++#line 570 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1810,7 +1815,7 @@ case 56: + } + break; + case 57: +-#line 577 "gram.y" ++#line 579 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1822,7 +1827,7 @@ case 57: + } + break; + case 58: +-#line 586 "gram.y" ++#line 588 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas != NULL) { +@@ -1840,13 +1845,13 @@ case 58: + } + break; + case 59: +-#line 603 "gram.y" ++#line 605 "gram.y" + { + init_options(&yyval.options); + } + break; + case 60: +-#line 606 "gram.y" ++#line 608 "gram.y" + { + yyval.options.notbefore = parse_gentime(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1857,7 +1862,7 @@ case 60: + } + break; + case 61: +-#line 614 "gram.y" ++#line 616 "gram.y" + { + yyval.options.notafter = parse_gentime(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1868,7 +1873,7 @@ case 61: + } + break; + case 62: +-#line 622 "gram.y" ++#line 624 "gram.y" + { + yyval.options.timeout = parse_timeout(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1882,7 +1887,7 @@ case 62: + } + break; + case 63: +-#line 633 "gram.y" ++#line 635 "gram.y" + { + #ifdef HAVE_SELINUX + free(yyval.options.role); +@@ -1891,7 +1896,7 @@ case 63: + } + break; + case 64: +-#line 639 "gram.y" ++#line 641 "gram.y" + { + #ifdef HAVE_SELINUX + free(yyval.options.type); +@@ -1900,7 +1905,7 @@ case 64: + } + break; + case 65: +-#line 645 "gram.y" ++#line 647 "gram.y" + { + #ifdef HAVE_PRIV_SET + free(yyval.options.privs); +@@ -1909,7 +1914,7 @@ case 65: + } + break; + case 66: +-#line 651 "gram.y" ++#line 653 "gram.y" + { + #ifdef HAVE_PRIV_SET + free(yyval.options.limitprivs); +@@ -1918,97 +1923,97 @@ case 66: + } + break; + case 67: +-#line 659 "gram.y" ++#line 661 "gram.y" + { + TAGS_INIT(yyval.tag); + } + break; + case 68: +-#line 662 "gram.y" ++#line 664 "gram.y" + { + yyval.tag.nopasswd = true; + } + break; + case 69: +-#line 665 "gram.y" ++#line 667 "gram.y" + { + yyval.tag.nopasswd = false; + } + break; + case 70: +-#line 668 "gram.y" ++#line 670 "gram.y" + { + yyval.tag.noexec = true; + } + break; + case 71: +-#line 671 "gram.y" ++#line 673 "gram.y" + { + yyval.tag.noexec = false; + } + break; + case 72: +-#line 674 "gram.y" ++#line 676 "gram.y" + { + yyval.tag.setenv = true; + } + break; + case 73: +-#line 677 "gram.y" ++#line 679 "gram.y" + { + yyval.tag.setenv = false; + } + break; + case 74: +-#line 680 "gram.y" ++#line 682 "gram.y" + { + yyval.tag.log_input = true; + } + break; + case 75: +-#line 683 "gram.y" ++#line 685 "gram.y" + { + yyval.tag.log_input = false; + } + break; + case 76: +-#line 686 "gram.y" ++#line 688 "gram.y" + { + yyval.tag.log_output = true; + } + break; + case 77: +-#line 689 "gram.y" ++#line 691 "gram.y" + { + yyval.tag.log_output = false; + } + break; + case 78: +-#line 692 "gram.y" ++#line 694 "gram.y" + { + yyval.tag.follow = true; + } + break; + case 79: +-#line 695 "gram.y" ++#line 697 "gram.y" + { + yyval.tag.follow = false; + } + break; + case 80: +-#line 698 "gram.y" ++#line 700 "gram.y" + { + yyval.tag.send_mail = true; + } + break; + case 81: +-#line 701 "gram.y" ++#line 703 "gram.y" + { + yyval.tag.send_mail = false; + } + break; + case 82: +-#line 706 "gram.y" ++#line 708 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2018,7 +2023,7 @@ case 82: + } + break; + case 83: +-#line 713 "gram.y" ++#line 715 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2028,7 +2033,7 @@ case 83: + } + break; + case 84: +-#line 720 "gram.y" ++#line 722 "gram.y" + { + struct sudo_command *c = calloc(1, sizeof(*c)); + if (c == NULL) { +@@ -2046,7 +2051,7 @@ case 84: + } + break; + case 87: +-#line 741 "gram.y" ++#line 743 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, HOSTALIAS, +@@ -2058,14 +2063,14 @@ case 87: + } + break; + case 89: +-#line 753 "gram.y" ++#line 755 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 92: +-#line 763 "gram.y" ++#line 765 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, CMNDALIAS, +@@ -2077,14 +2082,14 @@ case 92: + } + break; + case 94: +-#line 775 "gram.y" ++#line 777 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 97: +-#line 785 "gram.y" ++#line 787 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, RUNASALIAS, +@@ -2096,7 +2101,7 @@ case 97: + } + break; + case 100: +-#line 800 "gram.y" ++#line 802 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, USERALIAS, +@@ -2108,28 +2113,28 @@ case 100: + } + break; + case 102: +-#line 812 "gram.y" ++#line 814 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 103: +-#line 818 "gram.y" ++#line 820 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 104: +-#line 822 "gram.y" ++#line 824 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 105: +-#line 828 "gram.y" ++#line 830 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2139,7 +2144,7 @@ case 105: + } + break; + case 106: +-#line 835 "gram.y" ++#line 837 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2149,7 +2154,7 @@ case 106: + } + break; + case 107: +-#line 842 "gram.y" ++#line 844 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NETGROUP); + if (yyval.member == NULL) { +@@ -2159,7 +2164,7 @@ case 107: + } + break; + case 108: +-#line 849 "gram.y" ++#line 851 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, USERGROUP); + if (yyval.member == NULL) { +@@ -2169,7 +2174,7 @@ case 108: + } + break; + case 109: +-#line 856 "gram.y" ++#line 858 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -2179,28 +2184,28 @@ case 109: + } + break; + case 111: +-#line 866 "gram.y" ++#line 868 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 112: +-#line 872 "gram.y" ++#line 874 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 113: +-#line 876 "gram.y" ++#line 878 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 114: +-#line 882 "gram.y" ++#line 884 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2210,7 +2215,7 @@ case 114: + } + break; + case 115: +-#line 889 "gram.y" ++#line 891 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2220,7 +2225,7 @@ case 115: + } + break; + case 116: +-#line 896 "gram.y" ++#line 898 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -2229,7 +2234,7 @@ case 116: + } + } + break; +-#line 2175 "gram.c" ++#line 2180 "gram.c" + } + yyssp -= yym; + yystate = *yyssp; +diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y +index 6f437062..e4a0b6d3 100644 +--- a/plugins/sudoers/gram.y ++++ b/plugins/sudoers/gram.y +@@ -63,7 +63,9 @@ char *errorfile = NULL; + struct sudoers_parse_tree parsed_policy = { + TAILQ_HEAD_INITIALIZER(parsed_policy.userspecs), + TAILQ_HEAD_INITIALIZER(parsed_policy.defaults), +- NULL /* aliases */ ++ NULL, /* aliases */ ++ NULL, /* lhost */ ++ NULL /* shost */ + }; + + /* +@@ -1246,11 +1248,14 @@ free_userspec(struct userspec *us) + * Initialized a sudoers parse tree. + */ + void +-init_parse_tree(struct sudoers_parse_tree *parse_tree) ++init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost, ++ const char *shost) + { + TAILQ_INIT(&parse_tree->userspecs); + TAILQ_INIT(&parse_tree->defaults); + parse_tree->aliases = NULL; ++ parse_tree->shost = shost; ++ parse_tree->lhost = lhost; + } + + /* +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index 3bbd2523..1a4212bf 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -1665,7 +1665,7 @@ sudo_ldap_open(struct sudo_nss *nss) + } + handle->ld = ld; + /* handle->pw = NULL; */ +- init_parse_tree(&handle->parse_tree); ++ init_parse_tree(&handle->parse_tree, NULL, NULL); + nss->handle = handle; + + done: +diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c +index 1936d4b0..165a8f75 100644 +--- a/plugins/sudoers/match.c ++++ b/plugins/sudoers/match.c +@@ -72,8 +72,10 @@ int + user_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + const struct member *m) + { +- struct alias *a; ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; + int matched = UNSPEC; ++ struct alias *a; + debug_decl(user_matches, SUDOERS_DEBUG_MATCH) + + switch (m->type) { +@@ -82,8 +84,8 @@ user_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + break; + case NETGROUP: + if (netgr_matches(m->name, +- def_netgroup_tuple ? user_runhost : NULL, +- def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name)) ++ def_netgroup_tuple ? lhost : NULL, ++ def_netgroup_tuple ? shost : NULL, pw->pw_name)) + matched = !m->negated; + break; + case USERGROUP: +@@ -153,11 +155,13 @@ runaslist_matches(struct sudoers_parse_tree *parse_tree, + const struct member_list *user_list, const struct member_list *group_list, + struct member **matching_user, struct member **matching_group) + { ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; ++ int user_matched = UNSPEC; ++ int group_matched = UNSPEC; + struct member *m; + struct alias *a; + int rc; +- int user_matched = UNSPEC; +- int group_matched = UNSPEC; + debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH) + + if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) { +@@ -175,8 +179,8 @@ runaslist_matches(struct sudoers_parse_tree *parse_tree, + break; + case NETGROUP: + if (netgr_matches(m->name, +- def_netgroup_tuple ? user_runhost : NULL, +- def_netgroup_tuple ? user_srunhost : NULL, ++ def_netgroup_tuple ? lhost : NULL, ++ def_netgroup_tuple ? shost : NULL, + runas_pw->pw_name)) + user_matched = !m->negated; + break; +@@ -309,7 +313,10 @@ int + hostlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + const struct member_list *list) + { +- return hostlist_matches_int(parse_tree, pw, user_runhost, user_srunhost, list); ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; ++ ++ return hostlist_matches_int(parse_tree, pw, lhost, shost, list); + } + + /* +diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h +index 30813f6d..f5961f7f 100644 +--- a/plugins/sudoers/parse.h ++++ b/plugins/sudoers/parse.h +@@ -272,6 +272,7 @@ struct sudoers_parse_tree { + struct userspec_list userspecs; + struct defaults_list defaults; + struct rbtree *aliases; ++ const char *shost, *lhost; + }; + + /* alias.c */ +@@ -297,7 +298,7 @@ void free_userspec(struct userspec *us); + void free_userspecs(struct userspec_list *usl); + void free_default(struct defaults *def, struct member_list **binding); + void free_defaults(struct defaults_list *defs); +-void init_parse_tree(struct sudoers_parse_tree *parse_tree); ++void init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *shost, const char *lhost); + void free_parse_tree(struct sudoers_parse_tree *parse_tree); + void reparent_parse_tree(struct sudoers_parse_tree *new_tree); + +diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c +index 4f4464a6..69f6c1f9 100644 +--- a/plugins/sudoers/sssd.c ++++ b/plugins/sudoers/sssd.c +@@ -554,7 +554,6 @@ sudo_sss_open(struct sudo_nss *nss) + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(ENOMEM); + } +- init_parse_tree(&handle->parse_tree); + + /* Load symbols */ + handle->ssslib = sudo_dso_load(path, SUDO_DSO_LAZY); +@@ -612,8 +611,6 @@ sudo_sss_open(struct sudo_nss *nss) + debug_return_int(EFAULT); + } + +- nss->handle = handle; +- + /* + * If runhost is the same as the local host, check for ipa_hostname + * in sssd.conf and use it in preference to user_runhost. +@@ -625,6 +622,10 @@ sudo_sss_open(struct sudo_nss *nss) + } + } + ++ /* The "parse tree" contains userspecs, defaults, aliases and hostnames. */ ++ init_parse_tree(&handle->parse_tree, handle->ipa_host, handle->ipa_shost); ++ nss->handle = handle; ++ + sudo_debug_printf(SUDO_DEBUG_DEBUG, "handle=%p", handle); + + debug_return_int(0); diff --git a/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch b/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch new file mode 100644 index 0000000..e2bda07 --- /dev/null +++ b/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch @@ -0,0 +1,65 @@ +From e1a402f1d65f4f107a40237bc19384e43b334546 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Tue, 16 Oct 2018 12:49:34 -0600 +Subject: [PATCH] sudo_ldap_parse_option() never returns '=' as the operator. + When parsing command_timeout, role, type, privs and limitprivs, check that + val is non-NULL instead. Found by PVS Studio. + +--- + plugins/sudoers/ldap_util.c | 37 ++++++++++++++----------------------- + 1 file changed, 14 insertions(+), 23 deletions(-) + +diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c +index d9be95a61..fecb7a6c5 100644 +--- a/plugins/sudoers/ldap_util.c ++++ b/plugins/sudoers/ldap_util.c +@@ -405,32 +405,23 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers, + int op; + + op = sudo_ldap_parse_option(opt, &var, &val); +- if (strcmp(var, "command_timeout") == 0) { +- if (op == '=') +- cmndspec->timeout = parse_timeout(val); ++ if (strcmp(var, "command_timeout") == 0 && val != NULL) { ++ cmndspec->timeout = parse_timeout(val); + #ifdef HAVE_SELINUX +- } else if (strcmp(var, "role") == 0) { +- if (op == '=') { +- if ((cmndspec->role = strdup(val)) == NULL) +- goto oom; +- } +- } else if (strcmp(var, "type") == 0) { +- if (op == '=') { +- if ((cmndspec->type = strdup(val)) == NULL) +- goto oom; +- } ++ } else if (strcmp(var, "role") == 0 && val != NULL) { ++ if ((cmndspec->role = strdup(val)) == NULL) ++ goto oom; ++ } else if (strcmp(var, "type") == 0 && val != NULL) { ++ if ((cmndspec->type = strdup(val)) == NULL) ++ goto oom; + #endif /* HAVE_SELINUX */ + #ifdef HAVE_PRIV_SET +- } else if (strcmp(var, "privs") == 0) { +- if (op == '=') { +- if ((cmndspec->privs = strdup(val)) == NULL) +- goto oom; +- } +- } else if (strcmp(var, "limitprivs") == 0) { +- if (op == '=') { +- if ((cmndspec->limitprivs = strdup(val)) == NULL) +- goto oom; +- } ++ } else if (strcmp(var, "privs") == 0 && val != NULL) { ++ if ((cmndspec->privs = strdup(val)) == NULL) ++ goto oom; ++ } else if (strcmp(var, "limitprivs") == 0 && val != NULL) { ++ if ((cmndspec->limitprivs = strdup(val)) == NULL) ++ goto oom; + #endif /* HAVE_PRIV_SET */ + } else if (store_options) { + if (!sudo_ldap_add_default(var, val, op, source, +-- +2.21.0 + diff --git a/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch b/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch new file mode 100644 index 0000000..0865e71 --- /dev/null +++ b/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch @@ -0,0 +1,57 @@ +From 60f0d65e22ba93988229453eb013728e47e5f84e Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Wed, 17 Oct 2018 06:57:06 -0600 +Subject: [PATCH] Fix expected test output now that command_timeout is parsed + correctly in LDIF. + +--- + .../regress/sudoers/test17.ldif2sudo.ok | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok +index 6bc2a36ed..608f52fc4 100644 +--- a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok ++++ b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok +@@ -1,29 +1,29 @@ + Defaults command_timeout=2d8h10m59s + + # sudoRole user0 +-user0 ALL = /usr/bin/id, /usr/bin/who, /bin/ls ++user0 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/who, /bin/ls + + # sudoRole user1 +-user1 ALL = /usr/bin/id ++user1 ALL = TIMEOUT=619830 /usr/bin/id + + # sudoRole user2 +-user2 ALL = /usr/bin/id ++user2 ALL = TIMEOUT=15030 /usr/bin/id + + # sudoRole user3 +-user3 ALL = /usr/bin/id ++user3 ALL = TIMEOUT=630 /usr/bin/id + + # sudoRole user4 +-user4 ALL = /usr/bin/id ++user4 ALL = TIMEOUT=1209600 /usr/bin/id + + # sudoRole user5 +-user5 ALL = /usr/bin/id ++user5 ALL = TIMEOUT=300 /usr/bin/id + + # sudoRole user6 +-user6 ALL = /usr/bin/id ++user6 ALL = TIMEOUT=30 /usr/bin/id + + # sudoRole user7 +-user7 ALL = /usr/bin/id ++user7 ALL = TIMEOUT=45 /usr/bin/id + + # sudoRole user8 +-user8 ALL = /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\ +- /usr/bin/id ++user8 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\ ++ /usr/bin/id, /usr/bin/id +-- +2.21.0 + diff --git a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch new file mode 100644 index 0000000..88fa081 --- /dev/null +++ b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch @@ -0,0 +1,27 @@ +diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c +--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100 ++++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100 +@@ -1582,13 +1582,16 @@ help(void) + (void) printf(_("%s - replay sudo session logs\n\n"), getprogname()); + usage(0); + (void) puts(_("\nOptions:\n" +- " -d, --directory=dir specify directory for session logs\n" +- " -f, --filter=filter specify which I/O type(s) to display\n" +- " -h, --help display help message and exit\n" +- " -l, --list list available session IDs, with optional expression\n" +- " -m, --max-wait=num max number of seconds to wait between events\n" +- " -s, --speed=num speed up or slow down output\n" +- " -V, --version display version information and exit")); ++ " -d, --directory=dir specify directory for session logs\n" ++ " -f, --filter=filter specify which I/O type(s) to display\n" ++ " -h, --help display help message and exit\n" ++ " -l, --list list available session IDs, with optional expression\n" ++ " -m, --max-wait=num max number of seconds to wait between events\n" ++ " -n, --non-interactive no prompts, session is sent to the standard output\n" ++ " -R, --no-resize do not attempt to re-size the terminal\n" ++ " -S, --suspend-wait wait while the command was suspended\n" ++ " -s, --speed=num speed up or slow down output\n" ++ " -V, --version display version information and exit")); + exit(0); + } + diff --git a/SOURCES/sudo-1.8.25-typos-manpages.patch b/SOURCES/sudo-1.8.25-typos-manpages.patch new file mode 100644 index 0000000..32c645e --- /dev/null +++ b/SOURCES/sudo-1.8.25-typos-manpages.patch @@ -0,0 +1,80 @@ +From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Tue, 11 Dec 2018 09:02:30 -0700 +Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka + +--- + doc/cvtsudoers.cat | 6 +++--- + doc/cvtsudoers.man.in | 6 +++--- + doc/cvtsudoers.mdoc.in | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat +index 61bf3a28..9c1ef140 100644 +--- a/doc/cvtsudoers.cat ++++ b/doc/cvtsudoers.cat +@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN + --bb _d_n, ----bbaassee=_d_n + The base DN (distinguished name) that will be used when + performing LDAP queries. Typically this is of the form +- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com. ++ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com. + If this option is not specified, the value of the + SUDOERS_BASE environment variable will be used instead. Only + necessary when converting to LDIF format. +@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN + Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by + default when the output _f_o_r_m_a_t is JSON or sudoers. + +- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t ++ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t + Specify the output format (case-insensitive). The following + formats are supported: + +diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in +index b159ee5d..2f45ee1d 100644 +--- a/doc/cvtsudoers.man.in ++++ b/doc/cvtsudoers.man.in +@@ -59,7 +59,7 @@ The options are as follows: + The base DN (distinguished name) that will be used when performing + LDAP queries. + Typically this is of the form +-\fRou=SUDOers,dc=-mydomain,dc=com\fR ++\fRou=SUDOers,dc=my-domain,dc=com\fR + for the domain + \fRmy-domain.com\fR. + If this option is not specified, the value of the +@@ -125,7 +125,7 @@ Aliases are preserved by default when the output + \fIformat\fR + is JSON or sudoers. + .TP 12n +-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR ++\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR + Specify the output format (case-insensitive). + The following formats are supported: + .PP +diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in +index 1812bc67..8261ddc6 100644 +--- a/doc/cvtsudoers.mdoc.in ++++ b/doc/cvtsudoers.mdoc.in +@@ -57,7 +57,7 @@ The options are as follows: + The base DN (distinguished name) that will be used when performing + LDAP queries. + Typically this is of the form +-.Li ou=SUDOers,dc=-mydomain,dc=com ++.Li ou=SUDOers,dc=my-domain,dc=com + for the domain + .Li my-domain.com . + If this option is not specified, the value of the +@@ -110,7 +110,7 @@ Expand aliases in + Aliases are preserved by default when the output + .Ar format + is JSON or sudoers. +-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format ++.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format + Specify the output format (case-insensitive). + The following formats are supported: + .Bl -tag -width 8n +-- +2.17.2 + diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch new file mode 100644 index 0000000..0ae387a --- /dev/null +++ b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch @@ -0,0 +1,96 @@ +diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c +--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014 Todd C. Miller ++ * Copyright (c) 2014-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -24,6 +24,7 @@ + #else + # include "compat/stdbool.h" + #endif ++#include + + #include "sudo_compat.h" + #include "sudo_util.h" +@@ -78,15 +79,20 @@ static struct strtoid_data { + id_t id; + const char *sep; + const char *ep; ++ int errnum; + } strtoid_data[] = { +- { "0,1", 0, ",", "," }, +- { "10", 10, NULL, NULL }, +- { "-2", -2, NULL, NULL }, ++ { "0,1", 0, ",", ",", 0 }, ++ { "10", 10, NULL, NULL, 0 }, ++ { "-1", 0, NULL, NULL, EINVAL }, ++ { "4294967295", 0, NULL, NULL, EINVAL }, ++ { "4294967296", 0, NULL, NULL, ERANGE }, ++ { "-2147483649", 0, NULL, NULL, ERANGE }, ++ { "-2", -2, NULL, NULL, 0 }, + #if SIZEOF_ID_T != SIZEOF_LONG_LONG +- { "-2", (id_t)4294967294U, NULL, NULL }, ++ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, + #endif +- { "4294967294", (id_t)4294967294U, NULL, NULL }, +- { NULL, 0, NULL, NULL } ++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, ++ { NULL, 0, NULL, NULL, 0 } + }; + + static int +@@ -102,11 +108,23 @@ test_strtoid(int *ntests) + (*ntests)++; + errstr = "some error"; + value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); +- if (errstr != NULL) { +- if (d->id != (id_t)-1) { +- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ if (d->errnum != 0) { ++ if (errstr == NULL) { ++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", ++ d->idstr, d->errnum); ++ errors++; ++ } else if (value != 0) { ++ sudo_warnx_nodebug("FAIL: %s should return 0 on error", ++ d->idstr); ++ errors++; ++ } else if (errno != d->errnum) { ++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", ++ d->idstr, errno, d->errnum); + errors++; + } ++ } else if (errstr != NULL) { ++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ errors++; + } else if (value != d->id) { + sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); + errors++; +diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok +--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200 +@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. + Entries for user root: + + Command unmatched +-testsudoers: test5.inc should be owned by gid 4294967295 ++testsudoers: test5.inc should be owned by gid 4294967294 + Parse error in sudoers near line 1. + + Entries for user root: +diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh +--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200 +@@ -24,7 +24,7 @@ EOF + + # Test group writable + chmod 664 $TESTFILE +-./testsudoers -U $MYUID -G -1 root id < ++ * Copyright (c) 2013-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -47,6 +47,27 @@ + #include "sudo_util.h" + + /* ++ * Make sure that the ID ends with a valid separator char. ++ */ ++static bool ++valid_separator(const char *p, const char *ep, const char *sep) ++{ ++ bool valid = false; ++ debug_decl(valid_separator, SUDO_DEBUG_UTIL) ++ ++ if (ep != p) { ++ /* check for valid separator (including '\0') */ ++ if (sep == NULL) ++ sep = ""; ++ do { ++ if (*ep == *sep) ++ valid = true; ++ } while (*sep++ != '\0'); ++ } ++ debug_return_bool(valid); ++} ++ ++/* + * Parse a uid/gid in string form. + * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) + * If endp is non-NULL it is set to the next char after the ID. +@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha + char *ep; + id_t ret = 0; + long long llval; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ ++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ + errno = 0; + llval = strtoll(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); ++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too large"); ++ goto done; + } +- if (!valid) { ++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too small"); ++ goto done; ++ } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } +- if (errno == ERANGE) { +- if (errstr != NULL) { +- if (llval == LLONG_MAX) +- *errstr = N_("value too large"); +- else +- *errstr = N_("value too small"); +- } +- goto done; +- } + ret = (id_t)llval; + if (errstr != NULL) + *errstr = NULL; +@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha + { + char *ep; + id_t ret = 0; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ + errno = 0; + if (*p == '-') { + long lval = strtol(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { +- if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; +- goto done; +- } + if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { + errno = ERANGE; + if (errstr != NULL) +@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha + *errstr = N_("value too small"); + goto done; + } +- ret = (id_t)lval; +- } else { +- unsigned long ulval = strtoul(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || lval == -1) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } ++ ret = (id_t)lval; ++ } else { ++ unsigned long ulval = strtoul(p, &ep, 10); + if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { + errno = ERANGE; + if (errstr != NULL) + *errstr = N_("value too large"); + goto done; + } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; ++ goto done; ++ } + ret = (id_t)ulval; + } + if (errstr != NULL) diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch new file mode 100644 index 0000000..5b71919 --- /dev/null +++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch @@ -0,0 +1,158 @@ +diff -up ./src/tgetpass.c.bla ./src/tgetpass.c +--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200 ++++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100 +@@ -44,11 +44,18 @@ + #include "sudo.h" + #include "sudo_plugin.h" + ++enum tgetpass_errval { ++ TGP_ERRVAL_NOERROR, ++ TGP_ERRVAL_TIMEOUT, ++ TGP_ERRVAL_NOPASSWORD, ++ TGP_ERRVAL_READERROR ++}; ++ + static volatile sig_atomic_t signo[NSIG]; + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int); ++static char *getln(int, char *, size_t, int, enum tgetpass_errval *); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call + debug_return_int(ret); + } + ++static void ++tgetpass_display_error(enum tgetpass_errval errval) ++{ ++ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV) ++ ++ switch (errval) { ++ case TGP_ERRVAL_NOERROR: ++ break; ++ case TGP_ERRVAL_TIMEOUT: ++ sudo_warnx(U_("timed out reading password")); ++ break; ++ case TGP_ERRVAL_NOPASSWORD: ++ sudo_warnx(U_("no password was provided")); ++ break; ++ case TGP_ERRVAL_READERROR: ++ sudo_warn(U_("unable to read password")); ++ break; ++ } ++ debug_return; ++} ++ + /* + * Like getpass(3) but with timeout and echo flags. + */ +@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ enum tgetpass_errval errval; + debug_decl(tgetpass, SUDO_DEBUG_CONV) + + (void) fflush(stdout); +@@ -175,7 +204,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK)); ++ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval); + alarm(0); + save_errno = errno; + +@@ -183,6 +212,7 @@ restart: + if (write(output, "\n", 1) == -1) + goto restore; + } ++ tgetpass_display_error(errval); + + restore: + /* Restore old signal handlers. */ +@@ -210,6 +240,8 @@ restore: + for (i = 0; i < NSIG; i++) { + if (signo[i]) { + switch (i) { ++ case SIGALRM: ++ break; + case SIGTSTP: + case SIGTTIN: + case SIGTTOU: +@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const + { + static char buf[SUDO_CONV_REPL_MAX + 1], *pass; + struct sigaction sa, savechld; ++ enum tgetpass_errval errval; + int pfd[2], status; + pid_t child; + debug_decl(sudo_askpass, SUDO_DEBUG_CONV) +@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const + + /* Get response from child (askpass). */ + (void) close(pfd[1]); +- pass = getln(pfd[0], buf, sizeof(buf), 0); ++ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval); + (void) close(pfd[0]); + ++ tgetpass_display_error(errval); ++ + /* Wait for child to exit. */ + for (;;) { + pid_t rv = waitpid(child, &status, 0); +@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback) ++getln(int fd, char *buf, size_t bufsiz, int feedback, ++ enum tgetpass_errval *errval) + { + size_t left = bufsiz; + ssize_t nr = -1; +@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz, + char c = '\0'; + debug_decl(getln, SUDO_DEBUG_CONV) + ++ *errval = TGP_ERRVAL_NOERROR; ++ + if (left == 0) { ++ *errval = TGP_ERRVAL_READERROR; + errno = EINVAL; + debug_return_str(NULL); /* sanity */ + } +@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz, + } + } + +- debug_return_str_masked(nr == 1 ? buf : NULL); ++ if (nr != 1) { ++ if (nr == 0) { ++ *errval = TGP_ERRVAL_NOPASSWORD; ++ } else if (nr == -1) { ++ if (errno == EINTR) { ++ if (signo[SIGALRM] == 1) ++ *errval = TGP_ERRVAL_TIMEOUT; ++ } else { ++ *errval = TGP_ERRVAL_READERROR; ++ } ++ } ++ debug_return_str(NULL); ++ } ++ ++ debug_return_str_masked(buf); + } + + static void + tgetpass_handler(int s) + { +- if (s != SIGALRM) +- signo[s] = 1; ++ signo[s] = 1; + } + + static bool diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch new file mode 100644 index 0000000..86743ba --- /dev/null +++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch @@ -0,0 +1,77 @@ +diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c +--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100 ++++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100 +@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG] + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int, enum tgetpass_errval *); ++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ bool feedback = ISSET(flags, TGP_MASK); + enum tgetpass_errval errval; + debug_decl(tgetpass, SUDO_DEBUG_CONV) + +@@ -165,7 +166,7 @@ restart: + */ + if (!ISSET(flags, TGP_ECHO)) { + for (;;) { +- if (ISSET(flags, TGP_MASK)) ++ if (feedback) + neednl = sudo_term_cbreak(input); + else + neednl = sudo_term_noecho(input); +@@ -179,6 +180,9 @@ restart: + } + } + } ++ /* Only use feedback mode when we can disable echo. */ ++ if (!neednl) ++ feedback = false; + + /* + * Catch signals that would otherwise cause the user to end +@@ -204,7 +208,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval); ++ pass = getln(input, buf, sizeof(buf), feedback, &errval); + alarm(0); + save_errno = errno; + +@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback, ++getln(int fd, char *buf, size_t bufsiz, bool feedback, + enum tgetpass_errval *errval) + { + size_t left = bufsiz; +@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz, + while (cp > buf) { + if (write(fd, "\b \b", 3) == -1) + break; +- --cp; ++ cp--; + } ++ cp = buf; + left = bufsiz; + continue; + } else if (c == sudo_term_erase) { + if (cp > buf) { +- if (write(fd, "\b \b", 3) == -1) +- break; +- --cp; ++ ignore_result(write(fd, "\b \b", 3)); ++ cp--; + left++; + } + continue; diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch new file mode 100644 index 0000000..c3742a0 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch @@ -0,0 +1,90 @@ +From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Wed, 17 Aug 2016 10:12:11 +0200 +Subject: [PATCH] Sudo logs username root instead of realuser + +RHEL7 sudo logs username root instead of realuser in /var/log/secure + +Rebased from: +Patch50: sudo-1.8.6p7-logsudouser.patch + +Resolves: +rhbz#1312486 +--- + plugins/sudoers/logging.c | 14 +++++++------- + plugins/sudoers/sudoers.h | 1 + + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 45cae67..74b2220 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg) + * Log the full line, breaking into multiple syslog(3) calls if necessary + */ + fmt = _("%8s : %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + for (p = msg; *p != '\0'; ) { + len = strlen(p); + if (len > maxlen) { +@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg) + save = *tmp; + *tmp = '\0'; + +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + + *tmp = save; /* restore saved character */ + +@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg) + for (p = tmp; *p == ' '; p++) + continue; + } else { +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + p += len; + } + fmt = _("%8s : (command continued) %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + } + + sudoers_setlocale(oldlocale, NULL); +@@ -179,10 +179,10 @@ do_logfile(const char *msg) + timestr = "invalid date"; + if (def_log_host) { + len = asprintf(&full_line, "%s : %s : HOST=%s : %s", +- timestr, user_name, user_srunhost, msg); ++ timestr, sudo_user_name, user_srunhost, msg); + } else { + len = asprintf(&full_line, "%s : %s : %s", +- timestr, user_name, msg); ++ timestr, sudo_user_name, msg); + } + if (len == -1) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...) + + if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL) + timestr = "invalid date"; +- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name); ++ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name); + va_start(ap, fmt); + (void) vfprintf(mail, fmt, ap); + va_end(ap); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index cfd5abb..c69a043 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -180,6 +180,7 @@ struct sudo_user { + /* + * Shortcuts for sudo_user contents. + */ ++#define sudo_user_name (sudo_user.pw->pw_name) + #define user_name (sudo_user.name) + #define user_uid (sudo_user.uid) + #define user_gid (sudo_user.gid) +-- +2.7.4 + diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf new file mode 100644 index 0000000..d8f8e4d --- /dev/null +++ b/SOURCES/sudo-ldap.conf @@ -0,0 +1,86 @@ +## BINDDN DN +## The BINDDN parameter specifies the identity, in the form of a Dis‐ +## tinguished Name (DN), to use when performing LDAP operations. If +## not specified, LDAP operations are performed with an anonymous +## identity. By default, most LDAP servers will allow anonymous +## access. +## +#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +## BINDPW secret +## The BINDPW parameter specifies the password to use when performing +## LDAP operations. This is typically used in conjunction with the +## BINDDN parameter. +## +#bindpw secret + +## SSL start_tls +## If the SSL parameter is set to start_tls, the LDAP server connec‐ +## tion is initiated normally and TLS encryption is begun before the +## bind credentials are sent. This has the advantage of not requiring +## a dedicated port for encrypted communications. This parameter is +## only supported by LDAP servers that honor the start_tls extension, +## such as the OpenLDAP and Tivoli Directory servers. +## +#ssl start_tls + +## TLS_CACERTFILE file name +## The path to a certificate authority bundle which contains the cer‐ +## tificates for all the Certificate Authorities the client knows to +## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐ +## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries +## use the same certificate database for CA and client certificates +## (see TLS_CERT). +## +#tls_cacertfile /path/to/CA.crt + +## TLS_CHECKPEER on/true/yes/off/false/no +## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐ +## cated to be verified. If the server's TLS certificate cannot be +## verified (usually because it is signed by an unknown certificate +## authority), sudo will be unable to connect to it. If TLS_CHECKPEER +## is disabled, no check is made. Note that disabling the check cre‐ +## ates an opportunity for man-in-the-middle attacks since the +## server's identity will not be authenticated. If possible, the CA's +## certificate should be installed locally so it can be verified. +## This option is not supported by the Tivoli Directory Server LDAP +## libraries. +#tls_checkpeer yes + +## +## URI ldap[s]://[hostname[:port]] ... +## Specifies a whitespace-delimited list of one or more +## URIs describing the LDAP server(s) to connect to. +## +#uri ldap://ldapserver + +## +## SUDOERS_BASE base +## The base DN to use when performing sudo LDAP queries. +## Multiple SUDOERS_BASE lines may be specified, in which +## case they are queried in the order specified. +## +#sudoers_base ou=SUDOers,dc=example,dc=com + +## +## BIND_TIMELIMIT seconds +## The BIND_TIMELIMIT parameter specifies the amount of +## time to wait while trying to connect to an LDAP server. +## +#bind_timelimit 30 + +## +## TIMELIMIT seconds +## The TIMELIMIT parameter specifies the amount of time +## to wait for a response to an LDAP query. +## +#timelimit 30 + +## +## SUDOERS_DEBUG debug_level +## This sets the debug level for sudo LDAP queries. Debugging +## information is printed to the standard error. A value of 1 +## results in a moderate amount of debugging information. +## A value of 2 shows the results of the matches themselves. +## +#sudoers_debug 1 diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf new file mode 100644 index 0000000..3047842 --- /dev/null +++ b/SOURCES/sudo.conf @@ -0,0 +1,57 @@ +# +# Default /etc/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# Sudo plugins: +# +# The plugin_path is relative to ${prefix}/libexec unless fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so + +# +# Sudo askpass: +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own passpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo noexec: +# +# Path to a shared library containing dummy versions of the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support C or its equivalent. +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo_noexec.so + +# +# Core dumps: +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable +# +Set disable_coredump false diff --git a/SOURCES/sudoers b/SOURCES/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/SOURCES/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec new file mode 100644 index 0000000..6cf7ccd --- /dev/null +++ b/SPECS/sudo.spec @@ -0,0 +1,1033 @@ +Summary: Allows restricted root access for specified users +Name: sudo +Version: 1.8.25p1 +Release: 8%{?dist}.1 +License: ISC +Group: Applications/System +URL: http://www.courtesan.com/sudo/ + +Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +Source1: sudoers +Source2: sudo-ldap.conf +Source3: sudo.conf + +Requires: /etc/pam.d/system-auth +Requires: /usr/bin/vi +Requires(post): /bin/chmod + +BuildRequires: /usr/sbin/sendmail +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: flex +BuildRequires: gettext +BuildRequires: groff +BuildRequires: libtool +BuildRequires: audit-libs-devel +BuildRequires: libcap-devel +BuildRequires: libgcrypt-devel +BuildRequires: libselinux-devel +BuildRequires: openldap-devel +BuildRequires: pam-devel +BuildRequires: zlib-devel + +# don't strip +Patch1: sudo-1.6.7p5-strip.patch +# 881258 - rpmdiff: added missing sudo-ldap.conf manpage +Patch2: sudo-1.8.23-sudoldapconfman.patch +# env debug patch +Patch3: sudo-1.7.2p1-envdebug.patch +# 1247591 - Sudo taking a long time when user information is stored externally. +Patch4: sudo-1.8.23-legacy-group-processing.patch +# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option +Patch5: sudo-1.8.23-ldapsearchuidfix.patch +# 840980 - sudo creates a new parent process +# Adds cmnd_no_wait Defaults option +Patch6: sudo-1.8.23-nowaitopt.patch +# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure +Patch7: sudo-1.8.6p7-logsudouser.patch +# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version +Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch +# 1613327 - Man page scan results for sudo +Patch9: sudo-1.8.25-typos-manpages.patch +Patch10: sudo-1.8.25-c-option-help.patch +Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch + +# RHEL 8.1 +# 1673886 - Problem with sudo-1.8.23 and 'who am i' +Patch12: sudo-1.8.23-who-am-i.patch +# 1676819 - Backporting sudo bug with expired passwords +Patch13: sudo-1.8.23-pam-expired-passwords.patch +# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in +# selinux roles not being applied +# https://www.sudo.ws/repos/sudo/rev/10f8cff7cce7 +Patch14: sudo-1.8.25-ldap-backend-parsing-1.patch +# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in +# selinux roles not being applied +# https://www.sudo.ws/repos/sudo/rev/ba6cfd26330e +Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch +# 738662 - sudo ipa_hostname not honored +# Fix special handling of ipa_hostname that was lost in sudo +Patch16: sudo-1.8.25-ipa-hostname.patch + +# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] +Patch17: sudo-1.8.28-CVE-strtouid.patch +Patch18: sudo-1.8.28-CVE-strtouid-test.patch + +# 1798092 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.1.0.z] +Patch19: sudo-1.8.29-CVE-2019-18634-part1.patch +Patch20: sudo-1.8.29-CVE-2019-18634-part2.patch + +%description +Sudo (superuser do) allows a system administrator to give certain +users (or groups of users) the ability to run some (or all) commands +as root while logging all commands and arguments. Sudo operates on a +per-command basis. It is not a replacement for the shell. Features +include: the ability to restrict what commands a user may run on a +per-host basis, copious logging of each command (providing a clear +audit trail of who did what), a configurable timeout of the sudo +command, and the ability to use the same configuration file (sudoers) +on many different machines. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains header files developing sudo +plugins that use %{name}. + +%prep +%setup -q + +%patch1 -p1 -b .strip +%patch2 -p1 -b .sudoldapconfman +%patch3 -p1 -b .env-debug +%patch4 -p1 -b .legacy-processing +%patch5 -p1 -b .ldap-search-uid +%patch6 -p1 -b .nowait +%patch7 -p1 -b .logsudouser +%patch8 -p1 -b .double-quote + +%patch9 -p1 -b .typos +%patch10 -p1 -b .c-option +%patch11 -p1 -b .sudoreplay-help + +%patch12 -p1 -b .whoami +%patch13 -p1 -b .pam-expired +%patch14 -p1 -b .ldap-backend1 +%patch15 -p1 -b .ldap-backend2 +%patch16 -p1 -b .ipa-hostname + +%patch17 -p1 -b .cve-strtouid +%patch18 -p1 -b .cve-strtouid-test + +%patch19 -p1 -b .CVE-2019-18634-part1 +%patch20 -p1 -b .CVE-2019-18634-part2 + +%build +# Remove bundled copy of zlib +rm -rf zlib/ +autoreconf -I m4 -fv --install + +%ifarch s390 s390x sparc64 +F_PIE=-fPIE +%else +F_PIE=-fpie +%endif + +export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" + +%configure \ + --prefix=%{_prefix} \ + --sbindir=%{_sbindir} \ + --libdir=%{_libdir} \ + --docdir=%{_pkgdocdir} \ + --disable-root-mailer \ + --with-logging=syslog \ + --with-logfac=authpriv \ + --with-pam \ + --with-pam-login \ + --with-editor=/bin/vi \ + --with-env-editor \ + --with-ignore-dot \ + --with-tty-tickets \ + --with-ldap \ + --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \ + --with-selinux \ + --with-passprompt="[sudo] password for %p: " \ + --with-linux-audit \ + --with-sssd +# --without-kerb5 \ +# --without-kerb4 +make + +%check +make check + +%install +rm -rf $RPM_BUILD_ROOT + +# Update README.LDAP (#736653) +sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP + +make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo +install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured +install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d +install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers +install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf +install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf + +# Add sudo to protected packages +install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/ +touch sudo.conf +echo sudo > sudo.conf +install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/ +rm -f sudo.conf + +chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files + +# Don't package LICENSE as a doc +rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE + +# Remove examples; Examples can be found in man pages too. +rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo + +# Remove all .la files +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' + +# Remove sudoers.dist +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist + +%find_lang sudo +%find_lang sudoers + +cat sudo.lang sudoers.lang > sudo_all.lang +rm sudo.lang sudoers.lang + +mkdir -p $RPM_BUILD_ROOT/etc/pam.d +cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF +#%%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth +EOF + +cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF +#%%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo +EOF + + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f sudo_all.lang +%defattr(-,root,root) +%attr(0440,root,root) %config(noreplace) /etc/sudoers +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf +%attr(0750,root,root) %dir /etc/sudoers.d/ +%config(noreplace) /etc/pam.d/sudo +%config(noreplace) /etc/pam.d/sudo-i +%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf +%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf +%dir /var/db/sudo +%dir /var/db/sudo/lectured +%attr(4111,root,root) %{_bindir}/sudo +%{_bindir}/sudoedit +%{_bindir}/cvtsudoers +%attr(0111,root,root) %{_bindir}/sudoreplay +%attr(0755,root,root) %{_sbindir}/visudo +%dir %{_libexecdir}/sudo +%attr(0755,root,root) %{_libexecdir}/sudo/sesh +%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so +%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so +%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? +%{_libexecdir}/sudo/libsudo_util.so.? +%{_libexecdir}/sudo/libsudo_util.so +%{_mandir}/man5/sudoers.5* +%{_mandir}/man5/sudoers.ldap.5* +%{_mandir}/man5/sudo-ldap.conf.5* +%{_mandir}/man5/sudo.conf.5* +%{_mandir}/man8/sudo.8* +%{_mandir}/man8/sudoedit.8* +%{_mandir}/man8/sudoreplay.8* +%{_mandir}/man8/visudo.8* +%{_mandir}/man1/cvtsudoers.1* +%{_mandir}/man5/sudoers_timestamp.5* +%dir %{_pkgdocdir}/ +%{_pkgdocdir}/* +%{!?_licensedir:%global license %%doc} +%license doc/LICENSE +%exclude %{_pkgdocdir}/ChangeLog + + +# Make sure permissions are ok even if we're updating +%post +/bin/chmod 0440 /etc/sudoers || : + +%files devel +%defattr(-,root,root,-) +%doc plugins/sample/sample_plugin.c +%{_includedir}/sudo_plugin.h +%{_mandir}/man8/sudo_plugin.8* + +%changelog +* Wed Feb 05 2020 Radovan Sroka - 1.8.25p1-8.1 +- RHEL 8.1.0.Z ERRATUM +- CVE-2019-18634 +Resolves: rhbz#1798092 + +* Fri Oct 18 2019 Marek Tamaskovic - 1.8.25p1-8 +- RHEL-8.1.0 +- fixed CVE-2019-14287 + Resolves: rhbz#1760696 + +* Fri Aug 16 2019 Radovan Sroka - 1.8.25-7 +- RHEL 8.1 ERRATUM +- sudo ipa_hostname not honored +Resolves: rhbz#1738662 + +* Mon Aug 12 2019 Radovan Sroka - 1.8.25-6 +- RHEL 8.1 ERRATUM +- Fixed The LDAP backend which is not properly parsing sudoOptions, + resulting in selinux roles not being applied +Resolves: rhbz#1738326 + +* Tue May 28 2019 Radovan Sroka - 1.8.25-5 +- RHEL 8.1 ERRATUM +- Fixed problem with sudo-1.8.23 and 'who am i' +Resolves: rhbz#1673886 +- Backporting sudo bug with expired passwords +Resolves: rhbz#1676819 + +* Tue Dec 11 2018 Radovan Sroka - 1.8.25-4 +- Fix most of the man page scans problems +- Resolves: rhbz#1613327 + +* Fri Oct 12 2018 Daniel Kopecek - 1.8.25-3 +- bump release for new build +Resolves: rhbz#1625683 + +* Thu Oct 11 2018 Daniel Kopecek - 1.8.25-2 +- Depend explicitly on /usr/sbin/sendmail instead of sendmail (rhel-7 sync) +- Simplified pam configuration file by removing duplicate pam stack entries +Resolves: rhbz#1633144 + +* Wed Sep 26 2018 Radovan Sroka - 1.8.25-1 +- rebase to the new upstream version 1.8.25p1 +- sync patches with rhel-7.6 +- sync sudoers with rhel-7.6 + resolves: rhbz#1633144 + +* Mon Sep 10 2018 Radovan Sroka - 1.8.23-2 +- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo + resolves: rhbz#1626972 + +* Thu May 17 2018 Daniel Kopecek - 1.8.23-1 +- Packaging update for RHEL 8.0 (sync with latest RHEL 7 state) + +* Fri Feb 09 2018 Fedora Release Engineering - 1.8.22-0.2.b1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Dec 14 2017 Radovan Sroka - 1.8.22b1-1 +- update to 1.8.22b1 +- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185 + +* Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 +- update to 1.8.21p2 +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) + +* Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 +- replace file-based requirements with package-level ones: +- /etc/pam.d/system-auth to 'pam' +- /bin/chmod to 'coreutils' (bug #1488934) +- /usr/bin/vi to vim-minimal +- ... and make vim-minimal "recommends" instead of "requires", because + other editors can be configured. + +* Thu Aug 03 2017 Fedora Release Engineering - 1.8.20p2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.8.20p2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 +- update to 1.8.20p2 + +* Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 +- update to 1.8.20p1 +- fixes CVE-2017-1000367 + Resolves: rhbz#1456884 + +* Fri Apr 07 2017 Jiri Vymazal - 1.8.20-0.1.b1 +- update to latest development version 1.8.20b1 +- added sudo to dnf/yum protected packages + Resolves: rhbz#1418756 + +* Mon Feb 13 2017 Tomas Sykora - 1.8.19p2-1 +- update to 1.8.19p2 + +* Sat Feb 11 2017 Fedora Release Engineering - 1.8.19-0.3.20161108git738c3cb +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Nov 08 2016 Daniel Kopecek 1.8.19-0.2.20161108git738c3cb +- update to latest development version +- fixes CVE-2016-7076 + +* Fri Sep 23 2016 Radovan Sroka 1.8.19-0.1.20160923git90e4538 +- we were not able to update from rc and beta versions to stable one +- so this is a new snapshot package which resolves it + +* Wed Sep 21 2016 Radovan Sroka 1.8.18-1 +- update to 1.8.18 + +* Fri Sep 16 2016 Radovan Sroka 1.8.18rc4-1 +- update to 1.8.18rc4 + +* Wed Sep 14 2016 Radovan Sroka 1.8.18rc2-1 +- update to 1.8.18rc2 +- dropped sudo-1.8.14p1-ldapconfpatch.patch + upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html + +* Fri Aug 26 2016 Radovan Sroka 1.8.18b2-1 +- update to 1.8.18b2 +- added --disable-root-mailer as configure option + Resolves: rhbz#1324091 + +* Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 +- update to 1.8.17p1 +- install the /var/db/sudo/lectured + Resolves: rhbz#1321414 + +* Tue May 31 2016 Daniel Kopecek 1.8.16-4 +- removed INPUTRC from env_keep to prevent a possible info leak + Resolves: rhbz#1340701 + +* Fri May 13 2016 Daniel Kopecek 1.8.16-3 +- fixed upstream patch for rhbz#1328735 + +* Thu May 12 2016 Daniel Kopecek 1.8.16-2 +- fixed invalid sesh argument array construction + +* Mon Apr 04 2016 Daniel Kopecek 1.8.16-1 +- update to 1.8.16 + +* Fri Feb 05 2016 Fedora Release Engineering - 1.8.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Nov 5 2015 Daniel Kopecek 1.8.15-1 +- update to 1.8.15 +- fixes CVE-2015-5602 + +* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-3 +- enable upstream test suite + +* Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 +- add patch that resolves initialization problem before sudo_strsplit call +- add patch that resolves deadcode in visudo.c +- add patch that removes extra while in visudo.c and sudoers.c + +* Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 +- update to 1.8.14p3 + +* Mon Jul 20 2015 Radovan Sroka 1.8.14p1-1 +- update to 1.8.14p1-1 +- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch +- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch + +* Tue Jul 14 2015 Radovan Sroka 1.8.12-2 +- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time +- Resolves: rhbz#1162070 + +* Fri Jul 10 2015 Radovan Sroka - 1.8.14b4-1 +- Update to 1.8.14b4 +- Add own %%{_tmpfilesdir}/sudo.conf + +* Fri Jun 19 2015 Fedora Release Engineering - 1.8.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Feb 18 2015 Daniel Kopecek - 1.8.12 +- update to 1.8.12 +- fixes CVE-2014-9680 + +* Mon Nov 3 2014 Daniel Kopecek - 1.8.11p2-1 +- update to 1.8.11p2 +- added patch to fix upstream bug #671 -- exiting immediately + when audit is disabled + +* Tue Sep 30 2014 Daniel Kopecek - 1.8.11-1 +- update to 1.8.11 +- major changes & fixes: + - when running a command in the background, sudo will now forward + SIGINFO to the command + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - SELinux role changes are now audited. For sudoedit, we now audit + the actual editor being run, instead of just the sudoedit command. + - it is now possible to match an environment variable's value as well as + its name using env_keep and env_check + - new files created via sudoedit as a non-root user now have the proper group id + - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support + - it is now possible to disable network interface probing in sudo.conf by + changing the value of the probe_interfaces setting + - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt + for the user's password even if the targetpw, rootpw or runaspw options are set. + - the new use_netgroups sudoers option can be used to explicitly enable or disable + netgroups support + - visudo can now export a sudoers file in JSON format using the new -x flag +- added patch to read ldap.conf more closely to nss_ldap +- require /usr/bin/vi instead of vim-minimal +- include pam.d/system-auth in PAM session phase from pam.d/sudo +- include pam.d/sudo in PAM session phase from pam.d/sudo-i + +* Tue Aug 5 2014 Tom Callaway - 1.8.8-6 +- fix license handling + +* Sun Jun 08 2014 Fedora Release Engineering - 1.8.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat May 31 2014 Peter Robinson 1.8.8-4 +- Drop ChangeLog, we ship NEWS + +* Mon Mar 10 2014 Daniel Kopecek - 1.8.8-3 +- remove bundled copy of zlib before compilation +- drop the requiretty Defaults setting from sudoers + +* Sat Jan 25 2014 Ville Skyttä - 1.8.8-2 +- Own the %%{_libexecdir}/sudo dir. + +* Mon Sep 30 2013 Daniel Kopecek - 1.8.8-1 +- update to 1.8.8 +- major changes & fixes: + - LDAP SASL support now works properly with Kerberos + - root may no longer change its SELinux role without entering a password + - user messages are now always displayed in the user's locale, even when + the same message is being logged or mailed in a different locale. + - log files created by sudo now explicitly have the group set to group + ID 0 rather than relying on BSD group semantics + - sudo now stores its libexec files in a sudo subdirectory instead of in + libexec itself + - system_group and group_file sudoers group provider plugins are now + installed by default + - the paths to ldap.conf and ldap.secret may now be specified as arguments + to the sudoers plugin in the sudo.conf file + - ...and many new features and settings. See the upstream ChangeLog for the + full list. +- several sssd support fixes +- added patch to make uid/gid specification parsing more strict (don't accept + an invalid number as uid/gid) +- use the _pkgdocdir macro + (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs) +- fixed several bugs found by the clang static analyzer +- added %%post dependency on chmod + +* Sun Aug 04 2013 Fedora Release Engineering - 1.8.6p7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 +- update to 1.8.6p7 +- fixes CVE-2013-1775 and CVE-2013-1776 +- fixed several packaging issues (thanks to ville.skytta@iki.fi) + - build with system zlib. + - let rpmbuild strip libexecdir/*.so. + - own the %%{_docdir}/sudo-* dir. + - fix some rpmlint warnings (spaces vs tabs, unescaped macros). + - fix bogus %%changelog dates. + +* Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 +- added upstream patch for a regression +- don't include arch specific files in the -devel subpackage +- ship only one sample plugin in the -devel subpackage + +* Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 +- update to 1.8.6p3 +- drop -pipelist patch (fixed in upstream) + +* Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 +- update to 1.8.6 + +* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 +- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) +- re-enabled SSSD support +- removed libsss_sudo dependency + +* Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 +- flip sudoers2ldif executable bit after make install, not in setup + +* Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 +- update to 1.8.5 +- fixed CVE-2012-2337 +- temporarily disabled SSSD support + +* Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 +- fixed problems with undefined symbols (rhbz#798517) + +* Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 +- SSSD patch update + +* Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 +- added SSSD support + +* Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 +- added patch for CVE-2012-0809 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 +- update to 1.8.3p1 +- disable output word wrapping if the output is piped + +* Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 +- Remove execute bit from sample script in docs so we don't pull in perl + +* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 +- rebase to 1.8.1p2 +- removed .sudoi patch +- fixed typo: RELPRO -> RELRO +- added -devel subpackage for the sudo_plugin.h header file +- use default ldap configuration files again + +* Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 +- build with RELRO + +* Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 +- rebase to 1.7.4p5 +- fixed sudo-1.7.4p4-getgrouplist.patch +- fixes CVE-2011-0008, CVE-2011-0010 + +* Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 +- anybody in the wheel group has now root access (using password) (rhbz#656873) +- sync configuration paths with the nss_ldap package (rhbz#652687) + +* Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 +- added upstream patch to fix rhbz#638345 + +* Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 +- added patch for #635250 +- /var/run/sudo -> /var/db/sudo in .spec + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 +- sudo now uses /var/db/sudo for timestamps + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 +- update to new upstream version +- new command available: sudoreplay +- use native audit support +- corrected license field value: BSD -> ISC + +* Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 +- added patch that fixes insufficient environment sanitization issue (#598154) + +* Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 +- update to new upstream version +- merged .audit and .libaudit patch +- added sudoers.ldap.5* to files + +* Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 +- update to new upstream version + +* Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 +- fixed no valid sudoers sources found (#558875) + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 +- audit related Makefile.in and configure.in corrections +- added --with-audit configure option +- removed call to libtoolize + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 +- fixed segfault when #include directive is used in cycles (#561336) + +* Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 +- Add /etc/sudoers.d dir and use it in default config (#551470). +- Drop *.pod man page duplicates from docs. + +* Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 +- new upstream version 1.7.2p2-1 +- commented out unused aliases in sudoers to make visudo happy (#550239) + +* Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 +- rebuilt with new audit + +* Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 +- moved secure_path from compile-time option to sudoers file (#517428) + +* Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 +- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) +- epoch number sync + +* Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 +- updated sudo to version 1.7.1 +- fixed small bug in configure.in (sudo-1.7.1-conffix.patch) + +* Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 +- fixed building with new libtool +- fix for incorrect handling of groups in Runas_User +- added /usr/local/sbin to secure-path + +* Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 +- build with sendmail installed +- Added /usr/local/bin to secure-path + +* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 +- adjust audit patch, do not scream when kernel is + compiled without audit netlink support (#401201) + +* Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 +- upgrade + +* Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 +- build with newer autoconf-2.62 (#449614) + +* Tue May 13 2008 Peter Vrabec 1.6.9p13-6 +- compiled with secure path (#80215) + +* Mon May 05 2008 Peter Vrabec 1.6.9p13-5 +- fix path to updatedb in /etc/sudoers (#445103) + +* Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 +- include ldap files in rpm package (#439506) + +* Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3 +- include [sudo] in password prompt (#437092) + +* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2 +- audit support improvement + +* Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1 +- upgrade to the latest upstream release + +* Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1 +- upgrade to the latest upstream release +- add selinux support + +* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 +- sparc64 needs to be in the -fPIE list with s390 + +* Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 +- fix complains about audit_log_user_command(): Connection + refused (#401201) + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 +- Rebuild for deps + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-3 +- Rebuild for openssl bump + +* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 +- fix autotools stuff and add audit support + +* Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 +- upgrade to upstream release + +* Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14 +- also use getgrouplist() to determine group membership (#235915) + +* Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13 +- fix some spec file issues + +* Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12 +- fix rpmlint issue + +* Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11 +- fix typo in sudoers file (#212308) + +* Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9 +- fix sudoers file, X apps didn't work (#206320) + +* Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8 +- use Red Hat specific default sudoers file + +* Sun Jul 16 2006 Karel Zak 1.6.8p12-7 +- fix #198755 - make login processes (sudo -i) initialise session keyring + (thanks for PAM config files to David Howells) +- add IPv6 support (patch by Milan Zazrivec) + +* Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1 +- rebuild + +* Mon May 29 2006 Karel Zak 1.6.8p12-6 +- fix #190062 - "ssh localhost sudo su" will show the password in clear + +* Tue May 23 2006 Karel Zak 1.6.8p12-5 +- add LDAP support (#170848) + +* Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1 +- bump again for double-long bug on ppc(64) + +* Wed Feb 8 2006 Karel Zak 1.6.8p12-4 +- reset env. by default + +* Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Jan 23 2006 Dan Walsh 1.6.8p12-3 +- Remove selinux patch. It has been decided that the SELinux patch for sudo is +- no longer necessary. In tageted policy it had no effect. In strict/MLS policy +- We require the person using sudo to execute newrole before using sudo. + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Nov 25 2005 Karel Zak 1.6.8p12-1 +- new upstream version 1.6.8p12 + +* Tue Nov 8 2005 Karel Zak 1.6.8p11-1 +- new upstream version 1.6.8p11 + +* Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6 +- use include instead of pam_stack in pam config + +* Tue Oct 11 2005 Karel Zak 1.6.8p9-5 +- enable interfaces in selinux patch +- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-4 +- fix debuginfo + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-3 +- fix #162623 - sesh hangs when child suspends + +* Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 +- Add back in interfaces call, SELinux has been fixed to work around + +* Tue Jun 21 2005 Karel Zak 1.6.8p9-1 +- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) + +* Tue May 24 2005 Karel Zak 1.6.8p8-2 +- fix #154511 - sudo does not use limits.conf + +* Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 +- new version 1.6.8p8: new sudoedit and sudo_noexec + +* Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 +- rebuild + +* Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 +- added missing BuildRequires for libselinux-devel (#132883) + +* Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 +- Fix missing param error in sesh + +* Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 +- Remove full patch check from sesh + +* Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 +- Fix selinux patch to switch to root user + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 +- Eliminate tty handling from selinux + +* Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 +- fixed spec file: sesh in file section with selinux flag (#119682) + +* Tue Mar 30 2004 Colin Walters 1.6.7p5-24 +- Enhance sesh.c to fork/exec children itself, to avoid + having sudo reap all domains. +- Only reinstall default signal handlers immediately before + exec of child with SELinux patch + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 +- change to default to sysadm_r +- Fix tty handling + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 +- Add /bin/sesh to run selinux code. +- replace /bin/bash -c with /bin/sesh + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 +- Hard code to use "/bin/bash -c" for selinux + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 +- Eliminate closing and reopening of terminals, to match su. + +* Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 +- SELinux fixes to make transitions work properly + +* Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 +- pied sudo + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 +- Eliminate interfaces call, since this requires big SELinux privs +- and it seems to be useless. + +* Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 +- visudo requires vim-minimal or setting EDITOR to something useful (#68605) + +* Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 +- Fix is_selinux_enabled call + +* Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 +- Clean up patch on failure + +* Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 +- Remove sudo.te for now. + +* Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 +- Fix usage message + +* Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 +- Clean up sudo.te to not blow up if pam.te not present + +* Thu Dec 18 2003 Thomas Woerner +- added missing BuildRequires for groff + +* Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 +- remove left-over debugging code + +* Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 +- Fix terminal handling that caused Sudo to exit on non selinux machines. + +* Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 +- Remove sudo_var_run_t which is now pam_var_run_t + +* Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 +- Fix terminal handling and policy + +* Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 +- Fix policy + +* Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel +- Turn on SELinux support + +* Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 +- Add support for SELinux + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Mon May 19 2003 Thomas Woerner 1.6.7p5-1 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 +- remove absolute path names from the PAM configuration, ensuring that the + right modules get used for whichever arch we're built for +- don't try to install the FAQ, which isn't there any more + +* Thu Jun 27 2002 Bill Nottingham 1.6.6-1 +- update to 1.6.6 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 +- Fix bug #63768 + +* Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 +- 1.6.5p2 + +* Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 +- 1.6.5p1 +- Hope this "a new release per day" madness stops ;) + +* Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 +- 1.6.5 + +* Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 +- 1.6.4p1 + +* Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 +- Update to 1.6.4 + +* Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 +- Add build requirements (#49706) +- s/Copyright/License/ +- bzip2 source + +* Sat Jun 16 2001 Than Ngo +- update to 1.6.3p7 +- use %%{_tmppath} + +* Fri Feb 23 2001 Bernhard Rosenkraenzer +- 1.6.3p6, fixes buffer overrun + +* Tue Oct 10 2000 Bernhard Rosenkraenzer +- 1.6.3p5 + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jun 06 2000 Karsten Hopp +- fixed owner of sudo and visudo + +* Thu Jun 1 2000 Nalin Dahyabhai +- modify PAM setup to use system-auth +- clean up buildrooting by using the makeinstall macro + +* Tue Apr 11 2000 Bernhard Rosenkraenzer +- initial build in main distrib +- update to 1.6.3 +- deal with compressed man pages + +* Tue Dec 14 1999 Preston Brown +- updated to 1.6.1 for Powertools 6.2 +- config files are now noreplace. + +* Thu Jul 22 1999 Tim Powers +- updated to 1.5.9p2 for Powertools 6.1 + +* Wed May 12 1999 Bill Nottingham +- sudo is configured with pam. There's no pam.d file. Oops. + +* Mon Apr 26 1999 Preston Brown +- upgraded to 1.59p1 for powertools 6.0 + +* Tue Oct 27 1998 Preston Brown +- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) + +* Thu Oct 08 1998 Michael Maher +- built package for 5.2 + +* Mon May 18 1998 Michael Maher +- updated SPEC file + +* Thu Jan 29 1998 Otto Hammersmith +- updated to 1.5.4 + +* Tue Nov 18 1997 Otto Hammersmith +- built for glibc, no problems + +* Fri Apr 25 1997 Michael Fulbright +- Fixed for 4.2 PowerTools +- Still need to be pamified +- Still need to move stmp file to /var/log + +* Mon Feb 17 1997 Michael Fulbright +- First version for PowerCD.