From e25038bfb0c755b36db765e1aaf02ded61980975 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Thu, 30 Aug 2007 16:21:58 +0000 Subject: [PATCH] fix autotools stuff and add audit support --- sudo-1.6.9p4-audit.patch | 398 ++++++++++++++++++++++++++ sudo-1.6.9p4-autotoolsRecursion.patch | 41 +++ sudo-1.6.9p4-getgrouplist.patch | 24 +- sudo-1.6.9p4-getprpwnam.patch | 12 + sudo-1.6.9p4-login.patch | 14 +- sudo.spec | 21 +- 6 files changed, 469 insertions(+), 41 deletions(-) create mode 100644 sudo-1.6.9p4-audit.patch create mode 100644 sudo-1.6.9p4-autotoolsRecursion.patch create mode 100644 sudo-1.6.9p4-getprpwnam.patch diff --git a/sudo-1.6.9p4-audit.patch b/sudo-1.6.9p4-audit.patch new file mode 100644 index 0000000..6775ef7 --- /dev/null +++ b/sudo-1.6.9p4-audit.patch 
@@ -0,0 +1,398 @@ +diff -up sudo-1.6.9p4/audit_help.c.audit sudo-1.6.9p4/audit_help.c +--- sudo-1.6.9p4/audit_help.c.audit 2007-08-30 20:06:30.000000000 +0400 ++++ sudo-1.6.9p4/audit_help.c 2007-08-30 20:06:30.000000000 +0400 +@@ -0,0 +1,81 @@ ++/* ++ * Audit helper functions used throughout sudo ++ * ++ * Copyright (C) 2007, Red Hat, Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. 
++ */ ++ ++#include ++ ++#ifdef WITH_AUDIT ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++int audit_fd; ++ ++void audit_help_open (void) ++{ ++ audit_fd = audit_open (); ++ if (audit_fd < 0) { ++ /* You get these only when the kernel doesn't have ++ * audit compiled in. */ ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return; ++ fprintf (stderr, "Cannot open audit interface - aborting.\n"); ++ exit (1); ++ } ++} ++ ++/* ++ * This function will log a message to the audit system using a predefined ++ * message format. Parameter usage is as follows: ++ * ++ * type - type of message: AUDIT_USER_CMD ++ * command - the command being logged ++ * result - 1 is "success" and 0 is "failed" ++ * ++ */ ++void audit_logger (int type, const char *command, int result) ++{ ++ int err; ++ ++ if (audit_fd < 0) ++ return; ++ else { ++ err = audit_log_user_command (audit_fd, type, command, NULL, result); ++ if( err <= 0 ) ++ perror("audit_log_user_command()"); ++ } ++} ++ ++#endif /* WITH_AUDIT */ ++ +diff -up sudo-1.6.9p4/Makefile.in.audit sudo-1.6.9p4/Makefile.in +--- sudo-1.6.9p4/Makefile.in.audit 2007-08-15 18:16:57.000000000 +0400 ++++ sudo-1.6.9p4/Makefile.in 2007-08-30 20:06:30.000000000 +0400 +@@ -118,11 +118,13 @@ HDRS = compat.h def_data.h defaults.h in + + AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ + ++AUDIT_OBJS = audit_help.o ++ + PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o + + SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ + interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \ +- tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) ++ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS) + + VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS) + +@@ -273,6 +275,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH + sia.o: $(authdir)/sia.c $(AUTHDEP) + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c 
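Review bot: `int audit_fd;` in audit_help.c is zero-initialised, so if audit_logger() is ever reached before audit_help_open() has run, the `audit_fd < 0` guard passes and audit_log_user_command() is issued on fd 0, the caller's stdin; declare it `int audit_fd = -1;` so the guard holds regardless of call order. The failure policy is also inconsistent: audit_help_open() aborts when the audit socket cannot be opened, but audit_logger() only perror()s when a record cannot be written, so a command can go ahead without its success or failure record ever reaching auditd — if the open path's fail-closed intent applies here too, consider exiting on `err <= 0` (or returning the status to the caller), and state the chosen policy in the function comment. The comment on audit_help_open() should also say that the EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT cases deliberately leave audit_fd negative so every later audit_logger() call becomes a no-op on kernels without audit.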
+ ++audit_help.o: audit_help.c sudo.h ++ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c ++ + sudo.man.in: $(srcdir)/sudo.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e 1d -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" >> $@ ) +diff -up sudo-1.6.9p4/sudo.h.audit sudo-1.6.9p4/sudo.h +--- sudo-1.6.9p4/sudo.h.audit 2007-08-30 20:06:30.000000000 +0400 ++++ sudo-1.6.9p4/sudo.h 2007-08-30 20:06:30.000000000 +0400 +@@ -23,6 +23,8 @@ + #ifndef _SUDO_SUDO_H + #define _SUDO_SUDO_H + ++#include ++ + #include + #include + #include "compat.h" +@@ -274,4 +276,10 @@ extern int sudo_mode; + extern int errno; + #endif + ++#ifdef WITH_AUDIT ++extern int audit_fd; ++extern void audit_help_open (void); ++extern void audit_logger (int, const char *, int); ++#endif ++ + #endif /* _SUDO_SUDO_H */ +diff -up sudo-1.6.9p4/sudo.c.audit sudo-1.6.9p4/sudo.c +--- sudo-1.6.9p4/sudo.c.audit 2007-08-30 20:06:30.000000000 +0400 ++++ sudo-1.6.9p4/sudo.c 2007-08-30 20:18:26.000000000 +0400 +@@ -97,6 +97,10 @@ + # include + #endif + ++#ifdef WITH_AUDIT ++#include ++#endif ++ + #include "sudo.h" + #include "interfaces.h" + #include "version.h" +@@ -292,6 +296,10 @@ main(argc, argv, envp) + if (safe_cmnd == NULL) + safe_cmnd = estrdup(user_cmnd); + ++#if defined(WITH_AUDIT) ++ audit_help_open (); ++#endif ++ + /* + * Look up the timestamp dir owner if one is specified. 
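Review bot: The new `audit_help.o` recipe references `$(LIBADUIT)`, a misspelling of the `LIBAUDIT` variable that configure.in now substitutes, so it silently expands to nothing; a library flag does not belong on a `-c` compile line in any case, and nothing in this patch puts `@LIBAUDIT@` on sudo's link line, so unless the link rule (outside the hunk) already picks it up, a WITH_AUDIT build will fail to resolve audit_open()/audit_log_user_command(). The prerequisite is also `audit_help.c` while the command compiles `$(srcdir)/audit_help.c`, which breaks VPATH builds. Suggested rule: `audit_help.o: $(srcdir)/audit_help.c sudo.h` followed by `$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit_help.c`, with `LIBAUDIT = @LIBAUDIT@` declared near the other library variables and `$(LIBAUDIT)` added to the sudo link command.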
+ */ +@@ -302,9 +310,13 @@ main(argc, argv, envp) + pw = getpwuid(atoi(def_timestampowner + 1)); + else + pw = getpwnam(def_timestampowner); +- if (!pw) ++ if (!pw) { ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + log_error(0, "timestamp owner (%s): No such user", + def_timestampowner); ++ } + timestamp_uid = pw->pw_uid; + } + +@@ -314,15 +326,22 @@ main(argc, argv, envp) + exit(0); + } + +- if (ISSET(validated, VALIDATE_ERROR)) ++ if (ISSET(validated, VALIDATE_ERROR)) { ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + log_error(0, "parse error in %s near line %d", _PATH_SUDOERS, + errorlineno); ++ } + + /* Is root even allowed to run sudo? */ + if (user_uid == 0 && !def_root_sudo) { + (void) fprintf(stderr, + "Sorry, %s has been configured to not allow root to run it.\n", + getprogname()); ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + exit(1); + } + +@@ -336,8 +355,12 @@ main(argc, argv, envp) + + /* Bail if a tty is required and we don't have one. */ + if (def_requiretty) { +- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) ++ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) { ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + log_error(NO_MAIL, "sorry, you must have a tty to run sudo"); ++ } + else + (void) close(fd); + } +@@ -370,17 +393,27 @@ main(argc, argv, envp) + /* Finally tell the user if the command did not exist. 
*/ + if (cmnd_status == NOT_FOUND_DOT) { + warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + exit(1); + } else if (cmnd_status == NOT_FOUND) { + warnx("%s: command not found", user_cmnd); ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + exit(1); + } + + /* If user specified env vars make sure sudoers allows it. */ + if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) { +- if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) ++ if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { ++#if defined(WITH_AUDIT) ++ audit_logger(AUDIT_USER_CMD, user_cmnd, 0); ++#endif + log_error(NO_MAIL, + "sorry, you are not allowed to preserve the environment"); ++ } + else + validate_env_vars(sudo_user.env_vars); + } +@@ -439,11 +472,23 @@ main(argc, argv, envp) + (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); + (void) sigaction(SIGCHLD, &saved_sa_chld, NULL); + ++ if (access(safe_cmnd, X_OK) != 0) { ++ warn ("unable to execute %s", safe_cmnd); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); ++#endif ++ exit(127); ++ } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 1); ++#endif ++ + #ifndef PROFILING + if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) + exit(0); +- else ++ else { + execve(safe_cmnd, NewArgv, environ); ++ } + #else + exit(0); + #endif /* PROFILING */ +@@ -456,6 +501,9 @@ main(argc, argv, envp) + NewArgv[1] = safe_cmnd; + execve(_PATH_BSHELL, NewArgv, environ); + } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, 0); ++#endif + warn("unable to execute %s", safe_cmnd); + exit(127); + } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) { +diff -up sudo-1.6.9p4/configure.in.audit sudo-1.6.9p4/configure.in +--- sudo-1.6.9p4/configure.in.audit 2007-08-30 20:06:30.000000000 +0400 ++++ sudo-1.6.9p4/configure.in 2007-08-30 
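Review bot: The `access(safe_cmnd, X_OK)` pre-check added before execve() tests the real uid/gid, and by this point set_perms(PERM_FULL_RUNAS) leaves the real uid as the invoking user when `stay_setuid` is set (the `setresuid(def_stay_setuid ? user_uid : runas_pw->pw_uid, ...)` in the set_perms hunk), so a command the runas user may execute can be refused with `unable to execute` and recorded as a failure; there is also a window between the check and the exec. Since the hunk at -456 already emits a failure record after both execve() attempts fail, the pre-check is not needed for auditing: drop it and keep the success record immediately before execve(), with a comment noting that a failed exec therefore produces a success record followed by a failure record for the same command, so consumers should key on the last one. If the pre-check is kept, a comment should state that it is advisory and not the authorization decision. The success record logs `safe_cmnd` while every failure record in this file logs `user_cmnd`; pick one so records for the same invocation correlate.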
20:06:30.000000000 +0400 +@@ -150,6 +150,10 @@ dnl + dnl Options for --with + dnl + ++AC_ARG_WITH(audit, ++ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], ++ [with_audit=$withval], [with_audit=yes]) ++ + AC_ARG_WITH(CC, [ --with-CC C compiler to use], + [case $with_CC in + yes) AC_MSG_ERROR(["must give --with-CC an argument."]) +@@ -1579,6 +1583,25 @@ dnl + : ${mansectsu='8'} + : ${mansectform='5'} + ++ ++AC_SUBST(LIBAUDIT) ++if test "$with_audit" = "yes"; then ++ # See if we have the audit library ++ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) ++ if test "$audit_header" = "yes"; then ++ AC_CHECK_LIB(audit, audit_log_user_command, ++ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) ++ LIBAUDIT="-laudit"]) ++ fi ++ # See if we have the libcap library ++ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) ++ if test "$cap_header" = "yes"; then ++ AC_CHECK_LIB(cap, cap_init, ++ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) ++ SUDO_LIBS="${SUDO_LIBS} -lcap"]) ++ fi ++fi ++ + dnl + dnl Add in any libpaths or libraries specified via configure + dnl +diff -up sudo-1.6.9p4/set_perms.c.audit sudo-1.6.9p4/set_perms.c +--- sudo-1.6.9p4/set_perms.c.audit 2007-07-06 18:16:22.000000000 +0400 ++++ sudo-1.6.9p4/set_perms.c 2007-08-30 20:06:30.000000000 +0400 +@@ -53,6 +53,10 @@ + #ifdef HAVE_LOGIN_CAP_H + # include + #endif ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++# include ++# include ++#endif + + #include "sudo.h" + +@@ -101,22 +105,55 @@ set_perms(perm) + if (setresuid(user_uid, user_uid, user_uid)) + err(1, "setresuid(user_uid, user_uid, user_uid)"); + break; +- ++ ++ case PERM_FULL_RUNAS: ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ { /* BEGIN CAP BLOCK */ ++ cap_t new_caps; ++ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; ++ ++ if (runas_pw->pw_uid != ROOT_UID) { ++ new_caps = cap_init (); ++ if (!new_caps) ++ err(1, "Error 
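Review bot: `AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])` runs its actions once per header, so `cap_header` only reflects the last one checked (`sys/prctl.h`) and a missing `sys/capability.h` goes undetected, allowing HAVE_LIBCAP to be defined while set_perms.c's `#include` of that header cannot compile. libcap is treated as optional, yet the success record in sudo.c is written after set_perms(PERM_FULL_RUNAS) has switched to a non-root runas uid, so a WITH_AUDIT build without HAVE_LIBCAP has every such record rejected with EPERM and merely perror()ed — either require libcap when libaudit is found or warn at configure time. `LIBAUDIT` is AC_SUBST'd but, unlike `-lcap`, never appended to SUDO_LIBS, so the link only works if a Makefile rule outside this patch uses @LIBAUDIT@. The `[SELinux libcap support]` description of HAVE_LIBCAP is also inaccurate; nothing here involves SELinux. Proposed replacement for the block:
```m4
AC_SUBST(LIBAUDIT)
if test "$with_audit" = "yes"; then
    # See if we have the audit library
    AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
    if test "$audit_header" = "yes"; then
        AC_CHECK_LIB(audit, audit_log_user_command,
            [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
             LIBAUDIT="-laudit"; SUDO_LIBS="${SUDO_LIBS} -laudit"])
    fi
    dnl AC_CHECK_HEADERS runs ACTION-IF-NOT-FOUND per header, so make "no" sticky
    cap_header="yes"
    AC_CHECK_HEADERS([sys/capability.h sys/prctl.h], [], [cap_header="no"])
    if test "$cap_header" = "yes"; then
        AC_CHECK_LIB(cap, cap_init,
            [AC_DEFINE(HAVE_LIBCAP, 1, [Define if libcap is available to keep CAP_AUDIT_WRITE across setuid])
             SUDO_LIBS="${SUDO_LIBS} -lcap"])
    fi
    if test -n "$LIBAUDIT" && test "$cap_header" != "yes"; then
        AC_MSG_WARN([libaudit found but libcap is missing: audit records for non-root runas users will fail with EPERM])
    fi
fi
```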
initing capabilities, aborting.\n"); ++ ++ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || ++ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { ++ err(1, "Error setting capabilities, aborting\n"); ++ } ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) ++ err(1, "Error setting KEEPCAPS, aborting\n"); ++ } ++#endif ++ /* headed for exec(), assume euid == ROOT_UID */ ++ runas_setup (); ++ if (setresuid(def_stay_setuid ? ++ user_uid : runas_pw->pw_uid, ++ runas_pw->pw_uid, runas_pw->pw_uid)) ++ err(1, "unable to change to runas uid"); ++ ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ if (runas_pw->pw_uid != ROOT_UID) { ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) ++ err(1, "Error resetting KEEPCAPS, aborting\n"); ++ ++ if (cap_set_proc(new_caps)) ++ err(1, "Error dropping capabilities, aborting\n"); ++ ++ if (cap_free (new_caps)) ++ err(1, "Error freeing caps\n"); ++ } ++ } /* END CAP BLOCK */ ++#endif ++ break; ++ + case PERM_RUNAS: + (void) setresgid(-1, runas_pw->pw_gid, -1); + if (setresuid(-1, runas_pw->pw_uid, -1)) + err(1, "unable to change to runas uid"); + break; + +- case PERM_FULL_RUNAS: +- /* headed for exec(), assume euid == ROOT_UID */ +- runas_setup(); +- if (setresuid(def_stay_setuid ? +- user_uid : runas_pw->pw_uid, +- runas_pw->pw_uid, runas_pw->pw_uid)) +- err(1, "unable to change to runas uid"); +- break; +- + case PERM_SUDOERS: + /* assume euid == ROOT_UID, ruid == user */ + if (setresgid(-1, SUDOERS_GID, -1)) diff --git a/sudo-1.6.9p4-autotoolsRecursion.patch b/sudo-1.6.9p4-autotoolsRecursion.patch new file mode 100644 index 0000000..09e862d --- /dev/null +++ b/sudo-1.6.9p4-autotoolsRecursion.patch 
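Review bot: The five new `err(1, "...\n")` calls in the PERM_FULL_RUNAS capability block embed a newline, but err(3) appends `: strerror(errno)` and its own newline, so the diagnostic prints as `Error initing capabilities, aborting.` followed by a line consisting of `: Operation not permitted`; use e.g. `err(1, "unable to initialize capabilities")` with no trailing newline, matching the existing `err(1, "unable to change to runas uid")` style in this switch. The block deserves a comment explaining why it is safe: `cap_init()` yields an empty state, only CAP_AUDIT_WRITE is raised in permitted and effective, the inheritable set stays empty, so cap_set_proc() both drops every other capability that KEEPCAPS preserved across setresuid() and, absent file capabilities on the target binary, keeps the retained capability from surviving the execve() of the user's command — its only purpose is the single audit record written between set_perms() and exec. A cap_set_proc() failure (for example a restricted bounding set) aborts after the user has already been authenticated and authorized, which is fail-closed by design and should be stated in the same comment. runas_setup() and the remainder of the switch lie outside the hunk.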
@@ -0,0 +1,41 @@ +diff -up sudo-1.6.9p4/acsite.m4.autotoolsRecursion sudo-1.6.9p4/acsite.m4 +--- sudo-1.6.9p4/acsite.m4.autotoolsRecursion 2007-08-27 12:33:37.000000000 +0400 ++++ sudo-1.6.9p4/acsite.m4 2007-08-27 12:33:52.000000000 +0400 +@@ -6319,19 +6319,32 @@ m4_define([lt_join], + ]) + + ++# lt_car(LIST) ++# lt_cdr(LIST) ++# ------------ ++# Manipulate m4 lists. ++# These macros are necessary as long as will still need to support ++# Autoconf-2.59 which quotes differently. ++m4_define([lt_car], [[$1]]) ++m4_define([lt_cdr], ++[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], ++ [$#], 1, [], ++ [m4_dquote(m4_shift($@))])]) ++ ++ + # lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...]) + # ---------------------------------------------------------- + # Produce a SEP delimited list of all paired combinations of elements of + # PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list + # has the form PREFIXmINFIXSUFFIXn. + m4_define([lt_combine], +-[m4_if([$2], [[]], [], +- [lt_join(m4_quote(m4_default([$1], [, ])), +- _$0([$1], m4_car($2)[$3], m4_shiftn(3, $@)), +- $0([$1], m4_cdr($2), m4_shiftn(2, $@)))])]) ++[m4_if([$2], [], [], ++ [lt_join(m4_quote(m4_default([$1], [[, ]])), ++ _$0([$1], lt_car($2)[$3], m4_shiftn(3, $@)), ++ $0([$1], lt_cdr($2), m4_shiftn(2, $@)))])]) + m4_define([_lt_combine], + [m4_if([$3], [], [], +- [lt_join(m4_quote(m4_default([$1], [, ])), ++ [lt_join(m4_quote(m4_default([$1], [[, ]])), + [$2$3], + $0([$1], [$2], m4_shiftn(3, $@)))])[]dnl + ]) diff --git a/sudo-1.6.9p4-getgrouplist.patch b/sudo-1.6.9p4-getgrouplist.patch index 43b5a4e..78a988e 100644 --- a/sudo-1.6.9p4-getgrouplist.patch +++ b/sudo-1.6.9p4-getgrouplist.patch 
@@ -9,17 +9,6 @@ if test -z "$SKIP_SETRESUID"; then AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes]) fi ---- sudo-1.6.9p4/configure.getgrouplist 2007-08-15 15:23:44.000000000 +0200 -+++ sudo-1.6.9p4/configure 2007-08-20 13:26:25.000000000 +0200 -@@ -14235,7 +14235,7 @@ - - for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \ - strftime setrlimit initgroups getgroups fstat gettimeofday \ -- setlocale getaddrinfo -+ setlocale getaddrinfo getgrouplist - do - as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` - echo "$as_me:$LINENO: checking for $ac_func" >&5 --- sudo-1.6.9p4/check.c.getgrouplist 2007-07-06 21:52:13.000000000 +0200 +++ sudo-1.6.9p4/check.c 2007-08-20 13:21:10.000000000 +0200 @@ -308,6 +308,24 @@ @@ -47,15 +36,4 @@ return(FALSE); } ---- sudo-1.6.9p4/config.h.in.getgrouplist 2007-08-20 11:41:32.000000000 +0200 -+++ sudo-1.6.9p4/config.h.in 2007-08-20 13:21:10.000000000 +0200 -@@ -140,6 +140,9 @@ - /* Define to 1 if you have the `getgroups' function. */ - #undef HAVE_GETGROUPS - -+/* Define to 1 if you have the `getgrouplist' function. */ -+#undef HAVE_GETGROUPLIST -+ - /* Define to 1 if you have the `getifaddrs' function. */ - #undef HAVE_GETIFADDRS - + diff --git a/sudo-1.6.9p4-getprpwnam.patch b/sudo-1.6.9p4-getprpwnam.patch new file mode 100644 index 0000000..f99b6d9 --- /dev/null +++ b/sudo-1.6.9p4-getprpwnam.patch 
@@ -0,0 +1,12 @@ +diff -up sudo-1.6.9p4/configure.in.getprpwnam sudo-1.6.9p4/configure.in +--- sudo-1.6.9p4/configure.in.getprpwnam 2007-08-27 13:24:54.000000000 +0400 ++++ sudo-1.6.9p4/configure.in 2007-08-27 13:25:48.000000000 +0400 +@@ -1975,7 +1975,7 @@ if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNCS(getspnam, [CHECKSHADOW="false"], [AC_CHECK_LIB(gen, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lgen"; LIBS="${LIBS} -lgen"])]) + fi + if test "$CHECKSHADOW" = "true"; then +- AC_CHECK_FUNC(getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1], AC_CHECK_LIB(sec, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"], AC_CHECK_LIB(security, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwnam, AC_DEFINE(HAVE_GETPRPWNAM) [CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lprot"; LIBS="${LIBS} -lprot"])))]) ++ AC_CHECK_FUNC(getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1], [AC_CHECK_LIB(sec, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsec"; LIBS="${LIBS} -lsec"], [AC_CHECK_LIB(security, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lsecurity"; LIBS="${LIBS} -lsecurity"], [AC_CHECK_LIB(prot, getprpwnam, [AC_DEFINE(HAVE_GETPRPWNAM) CHECKSHADOW="false"; SECUREWARE=1; SUDO_LIBS="${SUDO_LIBS} -lprot"; LIBS="${LIBS} -lprot"])])])]) + fi + if test -n "$SECUREWARE"; then + AC_CHECK_FUNCS(bigcrypt set_auth_parameters initprivs) diff --git a/sudo-1.6.9p4-login.patch b/sudo-1.6.9p4-login.patch index 9ebfd6b..1c62966 100644 --- a/sudo-1.6.9p4-login.patch +++ b/sudo-1.6.9p4-login.patch 
@@ -14,18 +14,6 @@ if (pam_status != PAM_SUCCESS) { log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); return(AUTH_FATAL); ---- sudo-1.6.9p4/config.h.in.login 2007-08-15 15:22:19.000000000 +0200 -+++ sudo-1.6.9p4/config.h.in 2007-08-20 11:08:34.000000000 +0200 -@@ -266,6 +266,9 @@ - /* Define to 1 if you use PAM authentication. */ - #undef HAVE_PAM - -+/* Define to 1 if you use specific PAM session for sodo -i. */ -+#undef HAVE_PAM_LOGIN -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_PAM_PAM_APPL_H - --- sudo-1.6.9p4/env.c.login 2007-07-31 20:04:31.000000000 +0200 +++ sudo-1.6.9p4/env.c 2007-08-20 11:24:48.000000000 +0200 @@ -104,7 +104,7 @@ @@ -56,7 +44,7 @@ +AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i], +[case $with_pam_login in -+ yes) AC_DEFINE(HAVE_PAM_LOGIN) ++ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."]) + AC_MSG_CHECKING(whether to use PAM login) + AC_MSG_RESULT(yes) + ;; diff --git a/sudo.spec b/sudo.spec index ab68822..1953d12 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.6.9p4 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -15,6 +15,8 @@ BuildRequires: groff BuildRequires: openldap-devel BuildRequires: flex BuildRequires: bison +BuildRequires: automake autoconf libtool +BuildRequires: audit-libs-devel libcap-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch @@ -22,6 +24,9 @@ Patch1: sudo-1.6.7p5-strip.patch Patch2: sudo-1.6.9p4-login.patch # the rest, see changelog Patch3: sudo-1.6.9p4-getgrouplist.patch +Patch4: sudo-1.6.9p4-autotoolsRecursion.patch +Patch5: sudo-1.6.9p4-getprpwnam.patch +Patch6: sudo-1.6.9p4-audit.patch %description Sudo (superuser do) allows a system administrator to give certain 
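Review bot: The rewritten `AC_DEFINE([HAVE_PAM_LOGIN], [], [...])` defines the macro to an empty value where the previous `AC_DEFINE(HAVE_PAM_LOGIN)` defined it to 1, so if any `#if HAVE_PAM_LOGIN` test exists in the tree (the uses are not visible here) it would now fail to preprocess; use `[1]` as the value. The description argument is wrapped in double quotes inside the brackets, which puts literal quote characters into the generated config.h comment, and it misspells the program as `sodo -i`. Suggested line: `yes) AC_DEFINE([HAVE_PAM_LOGIN], [1], [Define to 1 if a dedicated PAM session is used for sudo -i.])`.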
@@ -39,6 +44,11 @@ on many different machines. %patch1 -p1 -b .strip %patch2 -p1 -b .login %patch3 -p1 -b .getgrouplist +%patch4 -p1 -b .autotoolsRecursion +%patch5 -p1 -b .getprpwnam +%patch6 -p1 -b .audit + +autoreconf %build %ifarch s390 s390x @@ -47,10 +57,7 @@ F_PIE=-fPIE F_PIE=-fpie %endif -# Note: there is a problem rebuild the ./configure script (for pam-login patch), -# so we use -DHAVE_PAM_LOGIN rather than --with-pam-login... -# (it's workaround that should be fixed) -export CFLAGS="$RPM_OPT_FLAGS $F_PIE -DHAVE_PAM_LOGIN" LDFLAGS="-pie" +export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie" %configure \ --prefix=%{_prefix} \ @@ -59,6 +66,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -DHAVE_PAM_LOGIN" LDFLAGS="-pie" --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ + --with-pam-login \ --with-editor=/bin/vi \ --with-env-editor \ --with-ignore-dot \ @@ -120,6 +128,9 @@ rm -rf $RPM_BUILD_ROOT /bin/chmod 0440 /etc/sudoers || : %changelog +* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 +- fix autotools stuff and add audit support + * Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 - upgrade to upstream release