From ea73fb27c7a3ef0189cf8a495b9357a6934e0ac1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?=
Date: Thu, 20 Aug 2009 13:01:46 +0000
Subject: [PATCH] cleanup

---
 sudo-1.6.8p12-sudoers | 93 --------
 sudo-1.6.9p12-noPam.patch | 12 -
 sudo-1.6.9p13-audit.patch | 373 --------------------------------
 sudo-1.6.9p17-Makefile.patch | 12 -
 sudo-1.6.9p17-runas.patch | 23 --
 sudo-1.6.9p4-getgrouplist.patch | 40 ----
 sudo-1.6.9p4-login.patch | 110 ----------
 sudo-1.7.1-sudoers | 95 --------
 sudo.spec | 2 +-
 9 files changed, 1 insertion(+), 759 deletions(-)
 delete mode 100644 sudo-1.6.8p12-sudoers
 delete mode 100644 sudo-1.6.9p12-noPam.patch
 delete mode 100644 sudo-1.6.9p13-audit.patch
 delete mode 100644 sudo-1.6.9p17-Makefile.patch
 delete mode 100644 sudo-1.6.9p17-runas.patch
 delete mode 100644 sudo-1.6.9p4-getgrouplist.patch
 delete mode 100644 sudo-1.6.9p4-login.patch
 delete mode 100644 sudo-1.7.1-sudoers

diff --git a/sudo-1.6.8p12-sudoers b/sudo-1.6.8p12-sudoers
deleted file mode 100644
index ed74e42..0000000
--- a/sudo-1.6.8p12-sudoers
+++ /dev/null
@@ -1,93 +0,0 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-##
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias FILESERVERS = fs1, fs2
-# Host_Alias MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
-
-
-## Command Aliases
-## These are groups of related commands...
-
-## Networking
-Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-
-## Installation and management of software
-Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
-## Services
-Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
-
-## Updating the locate database
-Cmnd_Alias LOCATE = /usr/bin/updatedb
-
-## Storage
-Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-Cmnd_Alias DRIVERS = /sbin/modprobe
-
-# Defaults specification
-
-#
-# Disable "ssh hostname sudo ", because it will show the password in clear.
-# You have to run "ssh -t hostname sudo ".
-#
-Defaults requiretty
-
-Defaults env_reset
-Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-## Next comes the main part: which users can run what software on
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-## user MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere
-root ALL=(ALL) ALL
-
-## Allows members of the 'sys' group to run networking, software,
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-# %wheel ALL=(ALL) ALL
-
-## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the
-## cdrom as root
-# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users localhost=/sbin/shutdown -h now
-
diff --git a/sudo-1.6.9p12-noPam.patch b/sudo-1.6.9p12-noPam.patch
deleted file mode 100644
index c57e171..0000000
--- a/sudo-1.6.9p12-noPam.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up sudo-1.6.9p12/configure.in.noPam sudo-1.6.9p12/configure.in
---- sudo-1.6.9p12/configure.in.noPam 2008-02-05 13:52:07.000000000 +0100
-+++ sudo-1.6.9p12/configure.in 2008-02-05 13:52:25.000000000 +0100
-@@ -1842,7 +1842,7 @@ if test ${with_pam-"no"} != "no"; then
- yes) AC_MSG_RESULT(yes)
- ;;
- no) AC_MSG_RESULT(no)
-- AC_DEFINE(NO_PAM_SESSION)
-+ AC_DEFINE([NO_PAM_SESSION], [], [PAM session support disabled])
- ;;
- *) AC_MSG_RESULT(no)
- AC_MSG_WARN([Ignoring unknown argument to --enable-pam-session: $enableval])
diff --git a/sudo-1.6.9p13-audit.patch b/sudo-1.6.9p13-audit.patch
deleted file mode 100644
index d8937e2..0000000
--- a/sudo-1.6.9p13-audit.patch
+++ /dev/null
@@ -1,373 +0,0 @@
-diff -up /dev/null sudo-1.6.9p17/audit_help.c
---- /dev/null 2008-08-23 21:55:45.734000982 +0200
-+++ sudo-1.6.9p17/audit_help.c 2008-09-02 15:49:38.000000000 +0200
-@@ -0,0 +1,140 @@
-+/*
-+ * Audit helper functions used throughout sudo
-+ *
-+ * Copyright (C) 2007, Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
-+ * may be used to endorse or promote products derived from this software
-+ * without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ */
-+
-+#include
-+
-+#ifdef WITH_AUDIT
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef HAVE_SELINUX
-+#include
-+#endif
-+
-+int audit_fd;
-+
-+void audit_help_open (void)
-+{
-+ audit_fd = audit_open ();
-+ if (audit_fd < 0) {
-+ /* You get these only when the kernel doesn't have
-+ * audit compiled in. */
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT)
-+ return;
-+ fprintf (stderr, "Cannot open audit interface - aborting.\n");
-+ exit (1);
-+ }
-+}
-+
-+/*
-+ * This function will log a message to the audit system using a predefined
-+ * message format. Parameter usage is as follows:
-+ *
-+ * type - type of message: AUDIT_USER_CMD
-+ * command - the command being logged
-+ * params - parames of the command
-+ * result - 1 is "success" and 0 is "failed"
-+ *
-+ */
-+void audit_logger (int type, const char *command, const char *params, int result)
-+{
-+ int err;
-+ char *msg;
-+
-+ if( audit_fd < 0 )
-+ return;
-+ else {
-+
-+ if( params )
-+ err = asprintf(&msg, "%s %s", command, params);
-+ else
-+ err = asprintf(&msg, "%s", command);
-+ if (err < 0) {
-+ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
-+ return;
-+ }
-+
-+ err = audit_log_user_command (audit_fd, type, msg, NULL, result);
-+ /* The kernel supports auditing and we had
-+ enough privilege to write to the socket. */
-+ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
-+ perror("audit_log_user_command()");
-+ }
-+
-+ free(msg);
-+ }
-+}
-+
-+#ifdef HAVE_SELINUX
-+int send_audit_message(int success, security_context_t old_context,
-+ security_context_t new_context, const char *ttyn)
-+{
-+ char *msg = NULL;
-+ int rc;
-+
-+ if (audit_fd < 0)
-+ return -1;
-+
-+ if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
-+ old_context ? old_context : "?",
-+ new_context ? new_context : "?") < 0) {
-+ fprintf(stderr, "Error allocating memory.\n");
-+ rc = -1;
-+ goto out;
-+ }
-+
-+ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
-+ msg, NULL, NULL, ttyn, success);
-+
-+ if (rc <= 0) {
-+ fprintf(stderr, "Error sending audit message.\n");
-+ rc = -1;
-+ goto out;
-+ }
-+ rc = 0;
-+
-+ out:
-+ free(msg);
-+ return rc;
-+}
-+#endif
-+
-+#endif /* WITH_AUDIT */
-+
-+
-diff -up sudo-1.6.9p17/configure.in.audit sudo-1.6.9p17/configure.in
---- sudo-1.6.9p17/configure.in.audit 2008-09-02 15:48:46.000000000 +0200
-+++ sudo-1.6.9p17/configure.in 2008-09-02 15:48:46.000000000 +0200
-@@ -167,6 +167,10 @@ dnl
- dnl Options for --with
- dnl
-
-+AC_ARG_WITH(audit,
-+ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
-+ [with_audit=$withval], [with_audit=yes])
-+
- AC_ARG_WITH(CC, [ --with-CC C compiler to use],
- [case $with_CC in
- yes) AC_MSG_ERROR(["must give --with-CC an argument."])
-@@ -1616,6 +1620,25 @@ dnl
- : ${mansectsu='8'}
- : ${mansectform='5'}
-
-+
-+AC_SUBST(LIBAUDIT)
-+if test "$with_audit" = "yes"; then
-+ # See if we have the audit library
-+ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
-+ if test "$audit_header" = "yes"; then
-+ AC_CHECK_LIB(audit, audit_log_user_command,
-+ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
-+ LIBAUDIT="-laudit"])
-+ fi
-+ # See if we have the libcap library
-+ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
-+ if test "$cap_header" = "yes"; then
-+ AC_CHECK_LIB(cap, cap_init,
-+ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
-+ SUDO_LIBS="${SUDO_LIBS} -lcap"])
-+ fi
-+fi
-+
- dnl
- dnl Add in any libpaths or libraries specified via configure
- dnl
-diff -up sudo-1.6.9p17/Makefile.in.audit sudo-1.6.9p17/Makefile.in
---- sudo-1.6.9p17/Makefile.in.audit 2008-06-22 22:29:03.000000000 +0200
-+++ sudo-1.6.9p17/Makefile.in 2008-09-02 15:48:46.000000000 +0200
-@@ -121,11 +121,13 @@ HDRS = compat.h def_data.h defaults.h in
-
- AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
-
-+AUDIT_OBJS = audit_help.o
-+
- PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
-
- SUDOBJS = check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
- interfaces.o logging.o parse.o set_perms.o sudo.o sudo_edit.o \
-- tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS)
-+ tgetpass.o zero_bytes.o @SUDO_OBJS@ $(AUTH_OBJS) $(PARSEOBJS) $(AUDIT_OBJS)
-
- VISUDOBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o $(PARSEOBJS)
-
-@@ -277,6 +279,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
- sia.o: $(authdir)/sia.c $(AUTHDEP)
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
-
-+audit_help.o: audit_help.c sudo.h
-+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
-+
- sudo.man.in: $(srcdir)/sudo.pod
- @rm -f $(srcdir)/$@
- ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
-diff -up sudo-1.6.9p17/set_perms.c.audit sudo-1.6.9p17/set_perms.c
---- sudo-1.6.9p17/set_perms.c.audit 2007-11-28 00:41:23.000000000 +0100
-+++ sudo-1.6.9p17/set_perms.c 2008-09-02 15:48:46.000000000 +0200
-@@ -53,6 +53,10 @@
- #ifdef HAVE_LOGIN_CAP_H
- # include
- #endif
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+# include
-+# include
-+#endif
-
- #include "sudo.h"
-
-@@ -119,13 +123,46 @@ set_perms(perm)
- break;
-
- case PERM_FULL_RUNAS:
-- /* headed for exec(), assume euid == ROOT_UID */
-- runas_setup();
-- if (setresuid(def_stay_setuid ?
-- user_uid : runas_pw->pw_uid,
-- runas_pw->pw_uid, runas_pw->pw_uid))
-- err(1, "unable to change to runas uid");
-- break;
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+ { /* BEGIN CAP BLOCK */
-+ cap_t new_caps;
-+ cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
-+
-+ if (runas_pw->pw_uid != ROOT_UID) {
-+ new_caps = cap_init ();
-+ if (!new_caps)
-+ err(1, "Error initing capabilities, aborting.\n");
-+
-+ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
-+ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
-+ err(1, "Error setting capabilities, aborting\n");
-+ }
-+
-+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
-+ err(1, "Error setting KEEPCAPS, aborting\n");
-+ }
-+#endif
-+ /* headed for exec(), assume euid == ROOT_UID */
-+ runas_setup ();
-+ if (setresuid(def_stay_setuid ?
-+ user_uid : runas_pw->pw_uid,
-+ runas_pw->pw_uid, runas_pw->pw_uid))
-+ err(1, "unable to change to runas uid");
-+
-+#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
-+ if (runas_pw->pw_uid != ROOT_UID) {
-+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)
-+ err(1, "Error resetting KEEPCAPS, aborting\n");
-+
-+ if (cap_set_proc(new_caps))
-+ err(1, "Error dropping capabilities, aborting\n");
-+
-+ if (cap_free (new_caps))
-+ err(1, "Error freeing caps\n");
-+ }
-+ } /* END CAP BLOCK */
-+#endif
-+ break;
-
- case PERM_SUDOERS:
- /* assume euid == ROOT_UID, ruid == user */
-diff -up sudo-1.6.9p17/sudo.c.audit sudo-1.6.9p17/sudo.c
---- sudo-1.6.9p17/sudo.c.audit 2008-09-02 15:48:46.000000000 +0200
-+++ sudo-1.6.9p17/sudo.c 2008-09-02 15:48:46.000000000 +0200
-@@ -100,6 +100,10 @@
- # include
- #endif
-
-+#ifdef WITH_AUDIT
-+#include
-+#endif
-+
- #include "sudo.h"
- #include "interfaces.h"
- #include "version.h"
-@@ -289,6 +293,10 @@ main(argc, argv, envp)
- if (safe_cmnd == NULL)
- safe_cmnd = estrdup(user_cmnd);
-
-+#if defined(WITH_AUDIT)
-+ audit_help_open ();
-+#endif
-+
- /*
- * Look up the timestamp dir owner if one is specified.
- */
-@@ -435,6 +443,17 @@ main(argc, argv, envp)
- (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
- (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
-
-+ if (access(safe_cmnd, X_OK) != 0) {
-+ warn ("unable to execute %s", safe_cmnd);
-+#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
-+#endif
-+ exit(127);
-+ }
-+#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
-+#endif
-+
- #ifndef PROFILING
- if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
- exit(0);
-@@ -458,10 +477,16 @@ main(argc, argv, envp)
- NewArgv[1] = safe_cmnd;
- execve(_PATH_BSHELL, NewArgv, environ);
- }
-+#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
-+#endif
- warn("unable to execute %s", safe_cmnd);
- exit(127);
- } else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
- log_auth(validated, 1);
-+#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
-+#endif
- exit(1);
- } else if (ISSET(validated, VALIDATE_NOT_OK)) {
- if (def_path_info) {
-@@ -482,6 +507,9 @@ main(argc, argv, envp)
- /* Just tell the user they are not allowed to run foo. */
- log_auth(validated, 1);
- }
-+#ifdef WITH_AUDIT
-+ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0);
-+#endif
- exit(1);
- } else {
- /* should never get here */
-diff -up sudo-1.6.9p17/sudo.h.audit sudo-1.6.9p17/sudo.h
---- sudo-1.6.9p17/sudo.h.audit 2008-09-02 15:48:46.000000000 +0200
-+++ sudo-1.6.9p17/sudo.h 2008-09-02 15:48:46.000000000 +0200
-@@ -23,6 +23,8 @@
- #ifndef _SUDO_SUDO_H
- #define _SUDO_SUDO_H
-
-+#include
-+
- #include
- #include
- #include "compat.h"
-@@ -287,4 +289,10 @@ extern int sudo_mode;
- extern int errno;
- #endif
-
-+#ifdef WITH_AUDIT
-+extern int audit_fd;
-+extern void audit_help_open (void);
-+extern void audit_logger (int, const char *, const char *, int);
-+#endif
-+
- #endif /* _SUDO_SUDO_H */
diff --git a/sudo-1.6.9p17-Makefile.patch b/sudo-1.6.9p17-Makefile.patch
deleted file mode 100644
index ce8b241..0000000
--- a/sudo-1.6.9p17-Makefile.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up sudo-1.6.9p17/Makefile.in.modfix sudo-1.6.9p17/Makefile.in
---- sudo-1.6.9p17/Makefile.in.modfix 2009-02-24 04:31:34.000000000 +0100
-+++ sudo-1.6.9p17/Makefile.in 2009-02-24 04:31:17.000000000 +0100
-@@ -190,7 +190,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
-
- sudo_noexec.la: sudo_noexec.lo
-- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
-+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir)
-
- # Uncomment the following if you want "make distclean" to clean the parser
- @DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h
diff --git a/sudo-1.6.9p17-runas.patch b/sudo-1.6.9p17-runas.patch
deleted file mode 100644
index 273e21d..0000000
--- a/sudo-1.6.9p17-runas.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: parse.c
-===================================================================
-RCS file: /home/cvs/courtesan/sudo/parse.c,v
-retrieving revision 1.160.2.21
-diff -u -r1.160.2.21 parse.c
---- parse.c 2 Nov 2008 14:35:53 -0000 1.160.2.21
-+++ parse.c 23 Jan 2009 19:16:55 -0000
-@@ -651,9 +651,11 @@
- /*
- * If the user has a supplementary group vector, check it first.
- */
-- for (i = 0; i < user_ngroups; i++) {
-- if (grp->gr_gid == user_groups[i])
-- return(TRUE);
-+ if (strcmp(user, user_name) == 0) {
-+ for (i = 0; i < user_ngroups; i++) {
-+ if (grp->gr_gid == user_groups[i])
-+ return(TRUE);
-+ }
- }
- if (grp->gr_mem != NULL) {
- for (cur = grp->gr_mem; *cur; cur++) {
-
diff --git a/sudo-1.6.9p4-getgrouplist.patch b/sudo-1.6.9p4-getgrouplist.patch
deleted file mode 100644
index 4dbac19..0000000
--- a/sudo-1.6.9p4-getgrouplist.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -up sudo-1.6.9p17/configure.in.getgrouplist sudo-1.6.9p17/configure.in
---- sudo-1.6.9p17/configure.in.getgrouplist 2008-07-04 16:07:42.000000000 +0200
-+++ sudo-1.6.9p17/configure.in 2008-07-04 16:09:29.000000000 +0200
-@@ -1720,7 +1720,7 @@ dnl
- AC_FUNC_GETGROUPS
- AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
- strftime setrlimit initgroups getgroups fstat gettimeofday \
-- setlocale getaddrinfo setsid)
-+ setlocale getaddrinfo setsid getgrouplist)
- if test -z "$SKIP_SETRESUID"; then
- AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
- fi
-diff -up sudo-1.6.9p17/check.c.getgrouplist sudo-1.6.9p17/check.c
---- sudo-1.6.9p17/check.c.getgrouplist 2008-01-06 00:59:42.000000000 +0100
-+++ sudo-1.6.9p17/check.c 2008-07-04 16:08:40.000000000 +0200
-@@ -330,6 +330,24 @@ user_is_exempt()
- return(TRUE);
- }
-
-+#ifdef HAVE_GETGROUPLIST
-+ {
-+ gid_t *grouplist, grouptmp;
-+ int n_groups, i;
-+ n_groups = 1;
-+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
-+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
-+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
-+ for (i = 0; i < n_groups; i++)
-+ if (grouplist[i] == grp->gr_gid) {
-+ free(grouplist);
-+ return(TRUE);
-+ }
-+ free(grouplist);
-+ }
-+ }
-+#endif
-+
- return(FALSE);
- }
-
diff --git a/sudo-1.6.9p4-login.patch b/sudo-1.6.9p4-login.patch
deleted file mode 100644
index 962b74a..0000000
--- a/sudo-1.6.9p4-login.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-diff -up sudo-1.6.9p17/auth/pam.c.login sudo-1.6.9p17/auth/pam.c
---- sudo-1.6.9p17/auth/pam.c.login 2008-02-22 21:19:45.000000000 +0100
-+++ sudo-1.6.9p17/auth/pam.c 2008-07-04 15:34:17.000000000 +0200
-@@ -98,7 +98,12 @@ pam_init(pw, promptp, auth)
- if (auth != NULL)
- auth->data = (VOID *) &pam_status;
- pam_conv.conv = sudo_conv;
-- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
-+#ifdef HAVE_PAM_LOGIN
-+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
-+ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
-+ else
-+#endif
-+ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
- if (pam_status != PAM_SUCCESS) {
- log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
- return(AUTH_FATAL);
-diff -up sudo-1.6.9p17/env.c.login sudo-1.6.9p17/env.c
---- sudo-1.6.9p17/env.c.login 2008-06-21 21:04:07.000000000 +0200
-+++ sudo-1.6.9p17/env.c 2008-07-04 15:34:17.000000000 +0200
-@@ -104,7 +104,7 @@ struct environment {
- /*
- * Prototypes
- */
--char **rebuild_env __P((char **, int, int));
-+char **rebuild_env __P((char **, int));
- static void insert_env __P((char *, struct environment *, int));
- static char *format_env __P((char *, ...));
-
-@@ -392,9 +392,8 @@ matches_env_keep(var)
- * Also adds sudo-specific variables (SUDO_*).
- */
- char **
--rebuild_env(envp, sudo_mode, noexec)
-+rebuild_env(envp, noexec)
- char **envp;
-- int sudo_mode;
- int noexec;
- {
- char **ep, *cp, *ps1;
-diff -up sudo-1.6.9p17/configure.in.login sudo-1.6.9p17/configure.in
---- sudo-1.6.9p17/configure.in.login 2008-06-22 22:23:56.000000000 +0200
-+++ sudo-1.6.9p17/configure.in 2008-07-04 15:34:17.000000000 +0200
-@@ -366,6 +366,17 @@ AC_ARG_WITH(pam, [ --with-pam
- ;;
- esac])
-
-+AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i],
-+[case $with_pam_login in
-+ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])
-+ AC_MSG_CHECKING(whether to use PAM login)
-+ AC_MSG_RESULT(yes)
-+ ;;
-+ no) ;;
-+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
-+ ;;
-+esac])
-+
- AC_ARG_WITH(AFS, [ --with-AFS enable AFS support],
- [case $with_AFS in
- yes) AC_DEFINE(HAVE_AFS)
-diff -up sudo-1.6.9p17/sudo.h.login sudo-1.6.9p17/sudo.h
---- sudo-1.6.9p17/sudo.h.login 2008-02-09 15:44:48.000000000 +0100
-+++ sudo-1.6.9p17/sudo.h 2008-07-04 15:34:17.000000000 +0200
-@@ -281,6 +281,7 @@ extern struct passwd *auth_pw;
- extern FILE *sudoers_fp;
- extern int tgetpass_flags;
- extern uid_t timestamp_uid;
-+extern int sudo_mode;
- #endif
- #ifndef errno
- extern int errno;
-diff -up sudo-1.6.9p17/sudo.c.login sudo-1.6.9p17/sudo.c
---- sudo-1.6.9p17/sudo.c.login 2008-06-21 21:04:07.000000000 +0200
-+++ sudo-1.6.9p17/sudo.c 2008-07-04 16:01:43.000000000 +0200
-@@ -125,7 +125,7 @@ static void usage_excl __P((int));
- static struct passwd *get_authpw __P((void));
- extern int sudo_edit __P((int, char **, char **));
- extern void list_matches __P((void));
--extern char **rebuild_env __P((char **, int, int));
-+extern char **rebuild_env __P((char **, int));
- extern void validate_env_vars __P((struct list_member *));
- extern char **insert_env_vars __P((char **, struct list_member *));
- extern struct passwd *sudo_getpwnam __P((const char *));
-@@ -156,7 +156,7 @@ login_cap_t *lc;
- char *login_style;
- #endif /* HAVE_BSD_AUTH_H */
- sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
--
-+int sudo_mode;
-
- int
- main(argc, argv, envp)
-@@ -167,7 +167,6 @@ main(argc, argv, envp)
- int validated;
- int fd;
- int cmnd_status;
-- int sudo_mode;
- int pwflag;
- sigaction_t sa;
- extern int printmatches;
-@@ -345,7 +344,7 @@ main(argc, argv, envp)
- def_env_reset = FALSE;
-
- /* Build a new environment that avoids any nasty bits. */
-- environ = rebuild_env(environ, sudo_mode, ISSET(validated, FLAG_NOEXEC));
-+ environ = rebuild_env(envp, ISSET(validated, FLAG_NOEXEC));
-
- /* Fill in passwd struct based on user we are authenticating as. */
- auth_pw = get_authpw();
diff --git a/sudo-1.7.1-sudoers b/sudo-1.7.1-sudoers
deleted file mode 100644
index 6388725..0000000
--- a/sudo-1.7.1-sudoers
+++ /dev/null
@@ -1,95 +0,0 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-##
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias FILESERVERS = fs1, fs2
-# Host_Alias MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
-
-
-## Command Aliases
-## These are groups of related commands...
-
-## Networking
-Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-
-## Installation and management of software
-Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
-## Services
-Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
-
-## Updating the locate database
-Cmnd_Alias LOCATE = /usr/bin/updatedb
-
-## Storage
-Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-Cmnd_Alias DRIVERS = /sbin/modprobe
-
-# Defaults specification
-
-#
-# Disable "ssh hostname sudo ", because it will show the password in clear.
-# You have to run "ssh -t hostname sudo ".
-#
-Defaults requiretty
-
-Defaults env_reset
-Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-
-## Next comes the main part: which users can run what software on
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-## user MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere
-root ALL=(ALL) ALL
-
-## Allows members of the 'sys' group to run networking, software,
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-# %wheel ALL=(ALL) ALL
-
-## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the
-## cdrom as root
-# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users localhost=/sbin/shutdown -h now
-
diff --git a/sudo.spec b/sudo.spec
index c9b4112..277d432 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -55,7 +55,7 @@ on many different machines. %patch8 -p1 -b .auditfix %build -#hande newer autoconf +# handle newer autoconf libtoolize --force && rm acsite.m4 && mv aclocal.m4 acinclude.m4 && autoreconf %ifarch s390 s390x sparc64
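Review bot: The only change to sudo.spec in this hunk is the comment fix, while the diffstat shows eight patch and sudoers files deleted with no matching change to the spec's Source:/Patch: declarations, so if any of those files is still declared there the build will fail on the missing source; that part of the spec is outside the hunk and should be confirmed. Of the deleted files, sudo-1.6.9p17-runas.patch changed security-relevant behaviour (it limited the supplementary-group match in parse.c to the invoking user), so it is worth verifying that the sudo version this spec now builds carries an equivalent fix upstream rather than silently losing it. The visible `%patch8 -p1 -b .auditfix` line suggests the audit support is applied from a patch other than the deleted sudo-1.6.9p13-audit.patch, but the rest of %prep is not in view.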