rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

cleanup

Browse Source
This commit is contained in:
Daniel Kopeček 2009-08-20 13:01:46 +00:00
parent 1c09726f73
commit ea73fb27c7
9 changed files with 1 additions and 759 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
sudo-1.6.8p12-sudoers
View File

@ -1,93 +0,0 @@
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

12
sudo-1.6.9p12-noPam.patch
View File

@ -1,12 +0,0 @@
diff -up sudo-1.6.9p12/configure.in.noPam sudo-1.6.9p12/configure.in
--- sudo-1.6.9p12/configure.in.noPam 2008-02-05 13:52:07.000000000 +0100
+++ sudo-1.6.9p12/configure.in 2008-02-05 13:52:25.000000000 +0100
@@ -1842,7 +1842,7 @@ if test ${with_pam-"no"} != "no"; then
yes) AC_MSG_RESULT(yes)
;;
no) AC_MSG_RESULT(no)
- AC_DEFINE(NO_PAM_SESSION)
+ AC_DEFINE([NO_PAM_SESSION], [], [PAM session support disabled])
;;
*) AC_MSG_RESULT(no)
AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])

373
sudo-1.6.9p13-audit.patch
View File

@ -1,373 +0,0 @@
diff -up /dev/null sudo-1.6.9p17/audit_help.c
--- /dev/null 2008-08-23 21:55:45.734000982 +0200
+++ sudo-1.6.9p17/audit_help.c 2008-09-02 15:49:38.000000000 +0200
@@ -0,0 +1,140 @@
+/*
+ * Audit helper functions used throughout sudo
+ *
+ * Copyright (C) 2007, Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef WITH_AUDIT
+
+#include <stdlib.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <libaudit.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+int audit_fd;
+
+void audit_help_open (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0) {
+ /* You get these only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
+ exit (1);
+ }
+}
+
+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. Parameter usage is as follows:
+ *
+ * type - type of message: AUDIT_USER_CMD
+ * command - the command being logged
+ * params - parames of the command
+ * result - 1 is "success" and 0 is "failed"
+ *
+ */
+void audit_logger (int type, const char *command, const char *params, int result)
+{
+ int err;
+ char *msg;
+
+ if( audit_fd < 0 )
+ return;
+ else {
+
+ if( params )
+ err = asprintf(&msg, "%s %s", command, params);
+ else
+ err = asprintf(&msg, "%s", command);
+ if (err < 0) {
+ fprintf (stderr, "Memory allocation for audit message wasnt possible.\n");
+ return;
+ }
+
+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
+ /* The kernel supports auditing and we had
+ enough privilege to write to the socket. */
+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
+ perror("audit_log_user_command()");
+ }
+
+ free(msg);
+ }
+}
+
+#ifdef HAVE_SELINUX
+int send_audit_message(int success, security_context_t old_context,
+ security_context_t new_context, const char *ttyn)
+{
+ char *msg = NULL;
+ int rc;
+
+ if (audit_fd < 0)
+ return -1;
+
+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
+ old_context ? old_context : "?",
+ new_context ? new_context : "?") < 0) {
+ fprintf(stderr, "Error allocating memory.\n");
+ rc = -1;
+ goto out;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, ttyn, success);
+
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message.\n");
+ rc = -1;
+ goto out;
+ }
+ rc = 0;
+
+ out:
+ free(msg);
+ return rc;
+}
+#endif
+
+#endif /* WITH_AUDIT */
+
+
diff -up sudo-1.6.9p17/configure.in.audit sudo-1.6.9p17/configure.in
--- sudo-1.6.9p17/configure.in.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/configure.in 2008-09-02 15:48:46.000000000 +0200
@@ -167,6 +167,10 @@ dnl
dnl Options for --with
dnl
+AC_ARG_WITH(audit,
+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+ [with_audit=$withval], [with_audit=yes])
+
AC_ARG_WITH(CC, [ --with-CC C compiler to use],
[case $with_CC in
yes) AC_MSG_ERROR(["must give --with-CC an argument."])
@@ -1616,6 +1620,25 @@ dnl
: ${mansectsu='8'}
: ${mansectform='5'}
+
+AC_SUBST(LIBAUDIT)
+if test "$with_audit" = "yes"; then
+ # See if we have the audit library
+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
+ if test "$audit_header" = "yes"; then
+ AC_CHECK_LIB(audit, audit_log_user_command,
+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
+ LIBAUDIT="-laudit"])
+ fi
+ # See if we have the libcap library
+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
+ if test "$cap_header" = "yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
+ fi
+fi
+
dnl
dnl Add in any libpaths or libraries specified via configure
dnl
diff -up sudo-1.6.9p17/Makefile.in.audit sudo-1.6.9p17/Makefile.in
--- sudo-1.6.9p17/Makefile.in.audit 2008-06-22 22:29:03.000000000 +0200
+++ sudo-1.6.9p17/Makefile.in 2008-09-02 15:48:46.000000000 +0200
@@ -121,11 +121,13 @@ HDRS = compat.h def_data.h defaults.h in
AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+AUDIT_OBJS = audit_help.o
+
PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \
- tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS)
+ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS)
VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
@@ -277,6 +279,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
sia.o: $(authdir)/sia.c $(AUTHDEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+audit_help.o: audit_help.c sudo.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
+
sudo.man.in: $(srcdir)/sudo.pod
@rm -f $(srcdir)/$@
( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
diff -up sudo-1.6.9p17/set_perms.c.audit sudo-1.6.9p17/set_perms.c
--- sudo-1.6.9p17/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
+++ sudo-1.6.9p17/set_perms.c 2008-09-02 15:48:46.000000000 +0200
@@ -53,6 +53,10 @@
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
#endif
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+# include <sys/prctl.h>
+# include <sys/capability.h>
+#endif
#include "sudo.h"
@@ -119,13 +123,46 @@ set_perms(perm)
break;
case PERM_FULL_RUNAS:
- /* headed for exec(), assume euid == ROOT_UID */
- runas_setup();
- if (setresuid(def_stay_setuid ?
- user_uid : runas_pw->pw_uid,
- runas_pw->pw_uid, runas_pw->pw_uid))
- err(1, "unable to change to runas uid");
- break;
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ { /* BEGIN CAP BLOCK */
+ cap_t new_caps;
+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+
+ if (runas_pw->pw_uid != ROOT_UID) {
+ new_caps = cap_init ();
+ if (!new_caps)
+ err(1, "Error initing capabilities, aborting.\n");
+
+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
+ err(1, "Error setting capabilities, aborting\n");
+ }
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
+ err(1, "Error setting KEEPCAPS, aborting\n");
+ }
+#endif
+ /* headed for exec(), assume euid == ROOT_UID */
+ runas_setup ();
+ if (setresuid(def_stay_setuid ?
+ user_uid : runas_pw->pw_uid,
+ runas_pw->pw_uid, runas_pw->pw_uid))
+ err(1, "unable to change to runas uid");
+
+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
+ if (runas_pw->pw_uid != ROOT_UID) {
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
+ err(1, "Error resetting KEEPCAPS, aborting\n");
+
+ if (cap_set_proc(new_caps))
+ err(1, "Error dropping capabilities, aborting\n");
+
+ if (cap_free (new_caps))
+ err(1, "Error freeing caps\n");
+ }
+ } /* END CAP BLOCK */
+#endif
+ break;
case PERM_SUDOERS:
/* assume euid == ROOT_UID, ruid == user */
diff -up sudo-1.6.9p17/sudo.c.audit sudo-1.6.9p17/sudo.c
--- sudo-1.6.9p17/sudo.c.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/sudo.c 2008-09-02 15:48:46.000000000 +0200
@@ -100,6 +100,10 @@
# include <selinux/selinux.h>
#endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
+
#include "sudo.h"
#include "interfaces.h"
#include "version.h"
@@ -289,6 +293,10 @@ main(argc, argv, envp)
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
+#if defined(WITH_AUDIT)
+ audit_help_open ();
+#endif
+
/*
* Look up the timestamp dir owner if one is specified.
*/
@@ -435,6 +443,17 @@ main(argc, argv, envp)
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+ if (access(safe_cmnd, X_OK) != 0) {
+ warn ("unable to execute %s", safe_cmnd);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
+ exit(127);
+ }
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
+#endif
+
#ifndef PROFILING
if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
exit(0);
@@ -458,10 +477,16 @@ main(argc, argv, envp)
NewArgv[1] = safe_cmnd;
execve(_PATH_BSHELL, NewArgv, environ);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
warn("unable to execute %s", safe_cmnd);
exit(127);
} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
log_auth(validated, 1);
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else if (ISSET(validated, VALIDATE_NOT_OK)) {
if (def_path_info) {
@@ -482,6 +507,9 @@ main(argc, argv, envp)
/* Just tell the user they are not allowed to run foo. */
log_auth(validated, 1);
}
+#ifdef WITH_AUDIT
+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
+#endif
exit(1);
} else {
/* should never get here */
diff -up sudo-1.6.9p17/sudo.h.audit sudo-1.6.9p17/sudo.h
--- sudo-1.6.9p17/sudo.h.audit 2008-09-02 15:48:46.000000000 +0200
+++ sudo-1.6.9p17/sudo.h 2008-09-02 15:48:46.000000000 +0200
@@ -23,6 +23,8 @@
#ifndef _SUDO_SUDO_H
#define _SUDO_SUDO_H
+#include <config.h>
+
#include <pathnames.h>
#include <limits.h>
#include "compat.h"
@@ -287,4 +289,10 @@ extern int sudo_mode;
extern int errno;
#endif
+#ifdef WITH_AUDIT
+extern int audit_fd;
+extern void audit_help_open (void);
+extern void audit_logger (int, const char *, const char *, int);
+#endif
+
#endif /* _SUDO_SUDO_H */

12
sudo-1.6.9p17-Makefile.patch
View File

@ -1,12 +0,0 @@
diff -up sudo-1.6.9p17/Makefile.in.modfix sudo-1.6.9p17/Makefile.in
--- sudo-1.6.9p17/Makefile.in.modfix 2009-02-24 04:31:34.000000000 +0100
+++ sudo-1.6.9p17/Makefile.in 2009-02-24 04:31:17.000000000 +0100
@@ -190,7 +190,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_noexec.la: sudo_noexec.lo
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir)
# Uncomment the following if you want "make distclean" to clean the parser
@DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h

23
sudo-1.6.9p17-runas.patch
View File

@ -1,23 +0,0 @@
Index: parse.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/parse.c,v
retrieving revision 1.160.2.21
diff -u -r1.160.2.21 parse.c
--- parse.c 2 Nov 2008 14:35:53 -0000 1.160.2.21
+++ parse.c 23 Jan 2009 19:16:55 -0000
@@ -651,9 +651,11 @@
/*
* If the user has a supplementary group vector, check it first.
*/
- for (i = 0; i < user_ngroups; i++) {
- if (grp->gr_gid == user_groups[i])
- return(TRUE);
+ if (strcmp(user, user_name) == 0) {
+ for (i = 0; i < user_ngroups; i++) {
+ if (grp->gr_gid == user_groups[i])
+ return(TRUE);
+ }
}
if (grp->gr_mem != NULL) {
for (cur = grp->gr_mem; *cur; cur++) {

40
sudo-1.6.9p4-getgrouplist.patch
View File

@ -1,40 +0,0 @@
diff -up sudo-1.6.9p17/configure.in.getgrouplist sudo-1.6.9p17/configure.in
--- sudo-1.6.9p17/configure.in.getgrouplist 2008-07-04 16:07:42.000000000 +0200
+++ sudo-1.6.9p17/configure.in 2008-07-04 16:09:29.000000000 +0200
@@ -1720,7 +1720,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
- setlocale getaddrinfo setsid)
+ setlocale getaddrinfo setsid getgrouplist)
if test -z "$SKIP_SETRESUID"; then
AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
fi
diff -up sudo-1.6.9p17/check.c.getgrouplist sudo-1.6.9p17/check.c
--- sudo-1.6.9p17/check.c.getgrouplist 2008-01-06 00:59:42.000000000 +0100
+++ sudo-1.6.9p17/check.c 2008-07-04 16:08:40.000000000 +0200
@@ -330,6 +330,24 @@ user_is_exempt()
return(TRUE);
}
+#ifdef HAVE_GETGROUPLIST
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ return(TRUE);
+ }
+ free(grouplist);
+ }
+ }
+#endif
+
return(FALSE);
}

110
sudo-1.6.9p4-login.patch
View File

@ -1,110 +0,0 @@
diff -up sudo-1.6.9p17/auth/pam.c.login sudo-1.6.9p17/auth/pam.c
--- sudo-1.6.9p17/auth/pam.c.login 2008-02-22 21:19:45.000000000 +0100
+++ sudo-1.6.9p17/auth/pam.c 2008-07-04 15:34:17.000000000 +0200
@@ -98,7 +98,12 @@ pam_init(pw, promptp, auth)
if (auth != NULL)
auth->data = (VOID *) &pam_status;
pam_conv.conv = sudo_conv;
- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
+#ifdef HAVE_PAM_LOGIN
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+ else
+#endif
+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
if (pam_status != PAM_SUCCESS) {
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
diff -up sudo-1.6.9p17/env.c.login sudo-1.6.9p17/env.c
--- sudo-1.6.9p17/env.c.login 2008-06-21 21:04:07.000000000 +0200
+++ sudo-1.6.9p17/env.c 2008-07-04 15:34:17.000000000 +0200
@@ -104,7 +104,7 @@ struct environment {
/*
* Prototypes
*/
-char **rebuild_env __P((char **, int, int));
+char **rebuild_env __P((char **, int));
static void insert_env __P((char *, struct environment *, int));
static char *format_env __P((char *, ...));
@@ -392,9 +392,8 @@ matches_env_keep(var)
* Also adds sudo-specific variables (SUDO_*).
*/
char **
-rebuild_env(envp, sudo_mode, noexec)
+rebuild_env(envp, noexec)
char **envp;
- int sudo_mode;
int noexec;
{
char **ep, *cp, *ps1;
diff -up sudo-1.6.9p17/configure.in.login sudo-1.6.9p17/configure.in
--- sudo-1.6.9p17/configure.in.login 2008-06-22 22:23:56.000000000 +0200
+++ sudo-1.6.9p17/configure.in 2008-07-04 15:34:17.000000000 +0200
@@ -366,6 +366,17 @@ AC_ARG_WITH(pam, [ --with-pam
;;
esac])
+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
+[case $with_pam_login in
+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
+ AC_MSG_CHECKING(whether to use PAM login)
+ AC_MSG_RESULT(yes)
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
[case $with_AFS in
yes) AC_DEFINE(HAVE_AFS)
diff -up sudo-1.6.9p17/sudo.h.login sudo-1.6.9p17/sudo.h
--- sudo-1.6.9p17/sudo.h.login 2008-02-09 15:44:48.000000000 +0100
+++ sudo-1.6.9p17/sudo.h 2008-07-04 15:34:17.000000000 +0200
@@ -281,6 +281,7 @@ extern struct passwd *auth_pw;
extern FILE *sudoers_fp;
extern int tgetpass_flags;
extern uid_t timestamp_uid;
+extern int sudo_mode;
#endif
#ifndef errno
extern int errno;
diff -up sudo-1.6.9p17/sudo.c.login sudo-1.6.9p17/sudo.c
--- sudo-1.6.9p17/sudo.c.login 2008-06-21 21:04:07.000000000 +0200
+++ sudo-1.6.9p17/sudo.c 2008-07-04 16:01:43.000000000 +0200
@@ -125,7 +125,7 @@ static void usage_excl __P((int));
static struct passwd *get_authpw __P((void));
extern int sudo_edit __P((int, char **, char **));
extern void list_matches __P((void));
-extern char **rebuild_env __P((char **, int, int));
+extern char **rebuild_env __P((char **, int));
extern void validate_env_vars __P((struct list_member *));
extern char **insert_env_vars __P((char **, struct list_member *));
extern struct passwd *sudo_getpwnam __P((const char *));
@@ -156,7 +156,7 @@ login_cap_t *lc;
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
-
+int sudo_mode;
int
main(argc, argv, envp)
@@ -167,7 +167,6 @@ main(argc, argv, envp)
int validated;
int fd;
int cmnd_status;
- int sudo_mode;
int pwflag;
sigaction_t sa;
extern int printmatches;
@@ -345,7 +344,7 @@ main(argc, argv, envp)
def_env_reset = FALSE;
/* Build a new environment that avoids any nasty bits. */
- environ = rebuild_env(environ, sudo_mode, ISSET(validated, FLAG_NOEXEC));
+ environ = rebuild_env(envp, ISSET(validated, FLAG_NOEXEC));
/* Fill in passwd struct based on user we are authenticating as. */
auth_pw = get_authpw();

95
sudo-1.7.1-sudoers
View File

@ -1,95 +0,0 @@
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

2
sudo.spec
View File

@ -55,7 +55,7 @@ on many different machines.
%patch8 -p1 -b .auditfix
%build
#hande newer autoconf
# handle newer autoconf
libtoolize --force && rm acsite.m4 && mv aclocal.m4 acinclude.m4 && autoreconf
%ifarch s390 s390x sparc64