|
|
1b092f |
Summary: Allows restricted root access for specified users
|
|
|
1b092f |
Name: sudo
|
|
|
0e1944 |
Version: 1.8.19p2
|
|
|
97c789 |
Release: 11%{?dist}
|
|
|
1b092f |
License: ISC
|
|
|
1b092f |
Group: Applications/System
|
|
|
1b092f |
URL: http://www.courtesan.com/sudo/
|
|
|
1b092f |
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
|
|
|
a67eaf |
Source1: sudoers
|
|
|
a67eaf |
Source2: sudo-ldap.conf
|
|
|
a67eaf |
Source3: sudo.conf
|
|
|
1b092f |
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
0e1944 |
Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt
|
|
|
1b092f |
|
|
|
1b092f |
BuildRequires: pam-devel
|
|
|
1b092f |
BuildRequires: groff
|
|
|
1b092f |
BuildRequires: openldap-devel
|
|
|
1b092f |
BuildRequires: flex
|
|
|
1b092f |
BuildRequires: bison
|
|
|
1b092f |
BuildRequires: automake autoconf libtool
|
|
|
1b092f |
BuildRequires: audit-libs-devel libcap-devel
|
|
|
0e1944 |
BuildRequires: libgcrypt-devel
|
|
|
1b092f |
BuildRequires: libselinux-devel
|
|
|
1b092f |
BuildRequires: /usr/sbin/sendmail
|
|
|
1b092f |
BuildRequires: gettext
|
|
|
1b092f |
BuildRequires: zlib-devel
|
|
|
72fdaf |
BuildRequires: libgcrypt-devel
|
|
|
1b092f |
|
|
|
1b092f |
# don't strip
|
|
|
1b092f |
Patch1: sudo-1.6.7p5-strip.patch
|
|
|
1b092f |
# configure.in fix
|
|
|
1b092f |
Patch2: sudo-1.7.2p1-envdebug.patch
|
|
|
1b092f |
# 840980 - sudo creates a new parent process
|
|
|
1b092f |
# Adds cmnd_no_wait Defaults option
|
|
|
0e1944 |
Patch3: sudo-1.8.6p3-nowaitopt.patch
|
|
|
1b092f |
# 881258 - rpmdiff: added missing sudo-ldap.conf manpage
|
|
|
0e1944 |
Patch4: sudo-1.8.6p7-sudoldapconfman.patch
|
|
|
523624 |
# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
|
|
|
0e1944 |
Patch5: sudo-1.8.6p3-doublequotefix.patch
|
|
|
72fdaf |
# 1183818 - backport of command digest specification feature
|
|
|
0e1944 |
Patch6: sudo-1.8.6p7-digest-backport.patch
|
|
|
72fdaf |
# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
|
|
|
0e1944 |
Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch
|
|
|
a67eaf |
# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
|
|
|
0e1944 |
Patch8: sudo-1.8.6p7-logsudouser.patch
|
|
|
0e1944 |
# fix upstream testsuite - disabling 2 tests, working only with non-root user
|
|
|
0e1944 |
Patch9: sudo-1.8.18-testsuitefix.patch
|
|
|
0e1944 |
# 1413160 - backport ignore_unknown_defaults flag
|
|
|
0e1944 |
Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch
|
|
|
0e1944 |
# 1424575 - backport visudo severity of the message
|
|
|
0e1944 |
Patch11: sudo-1.8.19p2-error-warning-visudo-message.patch
|
|
|
0e1944 |
# 1369856 - synchronous (real-time) writes in sudo i/o logs
|
|
|
0e1944 |
Patch12: sudo-1.8.19p2-iologflush.patch
|
|
|
0e1944 |
# 1293306 - Sudo group lookup issue.
|
|
|
0e1944 |
Patch13: sudo-1.8.19p2-lookup-issue-doc.patch
|
|
|
0e1944 |
# 1360687 - sudo rhel-7 rebase - comment11
|
|
|
0e1944 |
Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch
|
|
|
0e1944 |
# 1360687 - sudo rhel-7 rebase - comment13
|
|
|
0e1944 |
Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch
|
|
|
0e1944 |
# 1360687 - sudo rhel-7 rebase - comment13
|
|
|
0e1944 |
Patch16: sudo-1.8.19p2-lecture-boolean.patch
|
|
|
0e1944 |
# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
|
|
|
0e1944 |
Patch17: sudo-1.8.19p2-get_process_ttyname.patch
|
|
|
0e1944 |
# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
|
|
|
0e1944 |
Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch
|
|
|
1b092f |
|
|
|
1b092f |
%description
|
|
|
1b092f |
Sudo (superuser do) allows a system administrator to give certain
|
|
|
1b092f |
users (or groups of users) the ability to run some (or all) commands
|
|
|
1b092f |
as root while logging all commands and arguments. Sudo operates on a
|
|
|
1b092f |
per-command basis. It is not a replacement for the shell. Features
|
|
|
1b092f |
include: the ability to restrict what commands a user may run on a
|
|
|
1b092f |
per-host basis, copious logging of each command (providing a clear
|
|
|
1b092f |
audit trail of who did what), a configurable timeout of the sudo
|
|
|
1b092f |
command, and the ability to use the same configuration file (sudoers)
|
|
|
1b092f |
on many different machines.
|
|
|
1b092f |
|
|
|
1b092f |
%package devel
|
|
|
1b092f |
Summary: Development files for %{name}
|
|
|
1b092f |
Group: Development/Libraries
|
|
|
1b092f |
Requires: %{name} = %{version}-%{release}
|
|
|
1b092f |
|
|
|
1b092f |
%description devel
|
|
|
1b092f |
The %{name}-devel package contains header files developing sudo
|
|
|
1b092f |
plugins that use %{name}.
|
|
|
1b092f |
|
|
|
1b092f |
%prep
|
|
|
1b092f |
%setup -q
|
|
|
1b092f |
|
|
|
1b092f |
%patch1 -p1 -b .strip
|
|
|
1b092f |
%patch2 -p1 -b .envdebug
|
|
|
0e1944 |
%patch3 -p1 -b .nowaitopt
|
|
|
0e1944 |
%patch4 -p1 -b .sudoldapconfman
|
|
|
0e1944 |
%patch5 -p1 -b .doublequotefix
|
|
|
0e1944 |
%patch6 -p1 -b .digest-backport
|
|
|
0e1944 |
%patch7 -p1 -b .ldapsearchuidfix
|
|
|
0e1944 |
%patch8 -p1 -b .logsudouser
|
|
|
0e1944 |
%patch9 -p1 -b .testsuite
|
|
|
0e1944 |
%patch10 -p1 -b .ignoreunknowndefaults
|
|
|
0e1944 |
%patch11 -p1 -b .errorwarningvisudomsg
|
|
|
0e1944 |
%patch12 -p1 -b .iologflush
|
|
|
0e1944 |
%patch13 -p1 -b .lookup
|
|
|
0e1944 |
%patch14 -p1 -b .testsuite
|
|
|
0e1944 |
%patch15 -p1 -b .fqdnafterfree
|
|
|
0e1944 |
%patch16 -p1 -b .lecture
|
|
|
0e1944 |
%patch17 -p1 -b .get_process_ttyname
|
|
|
0e1944 |
%patch18 -p1 -b .CVE-2017-1000368
|
|
|
1b092f |
|
|
|
1b092f |
%build
|
|
|
1b092f |
autoreconf -I m4 -fv --install
|
|
|
1b092f |
|
|
|
1b092f |
%ifarch s390 s390x sparc64
|
|
|
1b092f |
F_PIE=-fPIE
|
|
|
1b092f |
%else
|
|
|
1b092f |
F_PIE=-fpie
|
|
|
1b092f |
%endif
|
|
|
1b092f |
|
|
|
1b092f |
export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755
|
|
|
1b092f |
|
|
|
1b092f |
%configure \
|
|
|
1b092f |
--prefix=%{_prefix} \
|
|
|
1b092f |
--sbindir=%{_sbindir} \
|
|
|
1b092f |
--libdir=%{_libdir} \
|
|
|
1b092f |
--docdir=%{_datadir}/doc/%{name}-%{version} \
|
|
|
1b092f |
--with-logging=syslog \
|
|
|
1b092f |
--with-logfac=authpriv \
|
|
|
1b092f |
--with-pam \
|
|
|
1b092f |
--with-pam-login \
|
|
|
1b092f |
--with-editor=/bin/vi \
|
|
|
1b092f |
--with-env-editor \
|
|
|
0e1944 |
--with-gcrypt \
|
|
|
1b092f |
--with-ignore-dot \
|
|
|
1b092f |
--with-tty-tickets \
|
|
|
1b092f |
--with-ldap \
|
|
|
1b092f |
--with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
|
|
|
1b092f |
--with-selinux \
|
|
|
1b092f |
--with-passprompt="[sudo] password for %p: " \
|
|
|
1b092f |
--with-linux-audit \
|
|
|
0e1944 |
--with-sssd
|
|
|
1b092f |
# --without-kerb5 \
|
|
|
1b092f |
# --without-kerb4
|
|
|
1b092f |
make
|
|
|
1b092f |
|
|
|
0e1944 |
make check
|
|
|
0e1944 |
|
|
|
1b092f |
%install
|
|
|
1b092f |
rm -rf $RPM_BUILD_ROOT
|
|
|
1b092f |
|
|
|
1b092f |
# Update README.LDAP (#736653)
|
|
|
1b092f |
sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
|
|
|
1b092f |
|
|
|
1b092f |
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
|
|
|
1b092f |
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
|
|
|
1b092f |
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
|
|
|
0e1944 |
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
|
|
|
1b092f |
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
|
|
|
1b092f |
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
|
|
|
1b092f |
install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
|
|
|
1b092f |
install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
|
|
|
1b092f |
|
|
|
1b092f |
# Remove execute permission on this script so we don't pull in perl deps
|
|
|
1b092f |
chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
|
|
|
1b092f |
|
|
|
0e1944 |
#Remove all .la files
|
|
|
0e1944 |
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
|
|
0e1944 |
|
|
|
1b092f |
%find_lang sudo
|
|
|
1b092f |
%find_lang sudoers
|
|
|
1b092f |
|
|
|
1b092f |
cat sudo.lang sudoers.lang > sudo_all.lang
|
|
|
1b092f |
rm sudo.lang sudoers.lang
|
|
|
1b092f |
|
|
|
1b092f |
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
|
|
|
1b092f |
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
|
|
|
1b092f |
#%%PAM-1.0
|
|
|
1b092f |
auth include system-auth
|
|
|
1b092f |
account include system-auth
|
|
|
1b092f |
password include system-auth
|
|
|
1b092f |
session optional pam_keyinit.so revoke
|
|
|
1b092f |
session required pam_limits.so
|
|
|
1b092f |
EOF
|
|
|
1b092f |
|
|
|
1b092f |
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
|
|
|
1b092f |
#%%PAM-1.0
|
|
|
1b092f |
auth include sudo
|
|
|
1b092f |
account include sudo
|
|
|
1b092f |
password include sudo
|
|
|
1b092f |
session optional pam_keyinit.so force revoke
|
|
|
1b092f |
session required pam_limits.so
|
|
|
1b092f |
EOF
|
|
|
1b092f |
|
|
|
1b092f |
|
|
|
1b092f |
%clean
|
|
|
1b092f |
rm -rf $RPM_BUILD_ROOT
|
|
|
1b092f |
|
|
|
1b092f |
%files -f sudo_all.lang
|
|
|
1b092f |
%defattr(-,root,root)
|
|
|
1b092f |
%attr(0440,root,root) %config(noreplace) /etc/sudoers
|
|
|
1b092f |
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
|
|
|
1b092f |
%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
|
|
|
1b092f |
%attr(0750,root,root) %dir /etc/sudoers.d/
|
|
|
1b092f |
%config(noreplace) /etc/pam.d/sudo
|
|
|
1b092f |
%config(noreplace) /etc/pam.d/sudo-i
|
|
|
0e1944 |
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
|
|
|
1b092f |
%dir /var/db/sudo
|
|
|
0e1944 |
%dir /var/db/sudo/lectured
|
|
|
1b092f |
%attr(4111,root,root) %{_bindir}/sudo
|
|
|
0e1944 |
%{_bindir}/sudoedit
|
|
|
1b092f |
%attr(0111,root,root) %{_bindir}/sudoreplay
|
|
|
1b092f |
%attr(0755,root,root) %{_sbindir}/visudo
|
|
|
0e1944 |
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
|
|
|
0e1944 |
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
|
|
|
0e1944 |
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
|
|
|
0e1944 |
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
|
|
|
0e1944 |
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
|
|
|
0e1944 |
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
|
|
|
0e1944 |
%{_libexecdir}/sudo/libsudo_util.so.?
|
|
|
97c789 |
%{_libexecdir}/sudo/libsudo_util.so
|
|
|
1b092f |
%{_mandir}/man5/sudoers.5*
|
|
|
1b092f |
%{_mandir}/man5/sudoers.ldap.5*
|
|
|
1b092f |
%{_mandir}/man5/sudo-ldap.conf.5*
|
|
|
1b092f |
%{_mandir}/man5/sudo.conf.5*
|
|
|
1b092f |
%{_mandir}/man8/sudo.8*
|
|
|
1b092f |
%{_mandir}/man8/sudoedit.8*
|
|
|
1b092f |
%{_mandir}/man8/sudoreplay.8*
|
|
|
1b092f |
%{_mandir}/man8/visudo.8*
|
|
|
1b092f |
%dir %{_docdir}/sudo-%{version}
|
|
|
1b092f |
%{_docdir}/sudo-%{version}/*
|
|
|
1b092f |
|
|
|
1b092f |
|
|
|
1b092f |
# Make sure permissions are ok even if we're updating
|
|
|
1b092f |
%post
|
|
|
1b092f |
/bin/chmod 0440 /etc/sudoers || :
|
|
|
1b092f |
|
|
|
1b092f |
%files devel
|
|
|
1b092f |
%defattr(-,root,root,-)
|
|
|
1b092f |
%doc plugins/sample/sample_plugin.c
|
|
|
1b092f |
%{_includedir}/sudo_plugin.h
|
|
|
1b092f |
%{_mandir}/man8/sudo_plugin.8*
|
|
|
1b092f |
|
|
|
1b092f |
%changelog
|
|
|
97c789 |
* Fri Aug 18 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-11
|
|
|
97c789 |
- Moved libsudo_util.so from the -devel sub-package to main package
|
|
|
97c789 |
Resolves: rhbz#1482929
|
|
|
97c789 |
|
|
|
0e1944 |
* Wed Jun 07 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-10
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- Fix CVE-2017-1000368
|
|
|
0e1944 |
Resolves: rhbz#1459411
|
|
|
0e1944 |
|
|
|
0e1944 |
* Tue Jun 06 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-9
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- removed patch for output truncation (1454571) which introduced regression
|
|
|
0e1944 |
Resolves: rhbz#1360687
|
|
|
0e1944 |
|
|
|
0e1944 |
* Thu May 25 2017 Jakub Jelen <jjelen@redhat.com> - 1.8.19p2-8
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
|
|
|
0e1944 |
Resolves: rhbz#1455402
|
|
|
0e1944 |
|
|
|
0e1944 |
* Tue May 23 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-7
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- added patch to fix output truncation (in some cases) when log_output
|
|
|
0e1944 |
option is enabled
|
|
|
0e1944 |
Resolves: rhbz#1454571
|
|
|
0e1944 |
|
|
|
0e1944 |
* Thu May 04 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-6
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- added patch that fixes lecture option used as bolean
|
|
|
0e1944 |
Resolves rhbz#1360687
|
|
|
0e1944 |
|
|
|
0e1944 |
* Tue Apr 25 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-5
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- added doc patch about sudo lookup issue
|
|
|
0e1944 |
Resolves: rhbz#1293306
|
|
|
0e1944 |
- added test suite patch
|
|
|
0e1944 |
Resolves: rhbz#1360687
|
|
|
0e1944 |
- fixed use after free fqdn problem
|
|
|
0e1944 |
Resolves: rhbz#1360687
|
|
|
0e1944 |
|
|
|
0e1944 |
* Tue Mar 21 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-4
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- fixed cmnd_no_wait patch
|
|
|
0e1944 |
- backported iolog_flush sudoers default
|
|
|
0e1944 |
Resolves: rhbz#1369856
|
|
|
0e1944 |
Resolves: rhbz#1425853
|
|
|
0e1944 |
|
|
|
0e1944 |
* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-3
|
|
|
0e1944 |
- RHEL 7.4 eratum
|
|
|
0e1944 |
- Fixes semicolon typo in digest backport patch from the previous build
|
|
|
0e1944 |
Resolves: rhbz#1360687
|
|
|
0e1944 |
|
|
|
0e1944 |
* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-2
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- Fixes coverity scan issues created by our patches:
|
|
|
0e1944 |
- fixed resource leaks and a compiler warning in digest backport patch
|
|
|
0e1944 |
- removed needless code from cmnd_no_wait patch causing clang warning
|
|
|
0e1944 |
- format of the last changelog message causes problems to rhpkg push,
|
|
|
0e1944 |
so don't use that as a commit message
|
|
|
0e1944 |
Resolves: rhbz#1360687
|
|
|
f48767 |
|
|
|
0e1944 |
* Wed Mar 01 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
|
|
|
0e1944 |
- RHEL 7.4 erratum
|
|
|
0e1944 |
- Resolves: rhbz#1360687 - rebase to 1.8.19p2
|
|
|
0e1944 |
- Resolves: rhbz#1123526 - performance improvement
|
|
|
0e1944 |
- Resolves: rhbz#1308789 - add MAIL and NOMAIL tags
|
|
|
0e1944 |
- Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale
|
|
|
0e1944 |
- Resolves: rhbz#1374417 - "sudo -l command" indicated that the command
|
|
|
0e1944 |
was runnable even if denied by sudoers when using LDAP or SSSD backend.
|
|
|
0e1944 |
- Resolves: rhbz#1387303 - add ignore_iolog_errors option
|
|
|
0e1944 |
- Resolves: rhbz#1389360 - wrong log file group ownership
|
|
|
0e1944 |
- Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options
|
|
|
0e1944 |
- Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options
|
|
|
0e1944 |
- Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP
|
|
|
0e1944 |
- Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir
|
|
|
0e1944 |
- Resolves: rhbz#1413160 - add ignore_unknown_defaults flag
|
|
|
0e1944 |
- Resolves: rhbz#1254772 - ability to export sudoers in json format
|
|
|
0e1944 |
- Resolves: rhbz#1417187 - wrong reference to config file in systax error message
|
|
|
0e1944 |
- Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message
|
|
|
63ace7 |
|
|
|
84fdb2 |
* Wed Nov 23 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-21
|
|
|
84fdb2 |
- Update noexec syscall blacklist
|
|
|
84fdb2 |
- Fixes CVE-2016-7032 and CVE-2016-7076
|
|
|
0e1944 |
Resolves: rhbz#1391940
|
|
|
84fdb2 |
|
|
|
a67eaf |
* Tue Jul 19 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-20
|
|
|
a67eaf |
- RHEL 7.3 erratum
|
|
|
a67eaf |
- fixed visudo's -q flag
|
|
|
a67eaf |
Resolves: rhbz#1350828
|
|
|
a67eaf |
|
|
|
a67eaf |
* Tue Jun 14 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-19
|
|
|
a67eaf |
- RHEL 7.3 erratum
|
|
|
a67eaf |
- removed INPUTRC from env_keep to prevent a potential info leak
|
|
|
a67eaf |
Resolves: rhbz#1340700
|
|
|
a67eaf |
|
|
|
a67eaf |
* Wed May 11 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-18
|
|
|
a67eaf |
- RHEL 7.3 erratum
|
|
|
a67eaf |
- removed requiretty flag from the default sudoers policy
|
|
|
a67eaf |
- backported pam_service and pam_login_service defaults options
|
|
|
a67eaf |
- implemented netgroup_tuple defaults option for changing netgroup
|
|
|
a67eaf |
processing semantics
|
|
|
a67eaf |
- fixed user matching logic in the LDAP nss backend
|
|
|
a67eaf |
- don't allow visudo to accept an invalid sudoers file
|
|
|
a67eaf |
- fixed a bug causing that non-root users can list privileges of
|
|
|
a67eaf |
other users
|
|
|
a67eaf |
- modified digest check documentation to mention the raciness of
|
|
|
a67eaf |
the checking mechanism
|
|
|
a67eaf |
Resolves: rhbz#1196451
|
|
|
a67eaf |
Resolves: rhbz#1247230
|
|
|
a67eaf |
Resolves: rhbz#1334331
|
|
|
a67eaf |
Resolves: rhbz#1334360
|
|
|
a67eaf |
Resolves: rhbz#1261998
|
|
|
a67eaf |
Resolves: rhbz#1313364
|
|
|
a67eaf |
Resolves: rhbz#1312486
|
|
|
a67eaf |
Resolves: rhbz#1268958
|
|
|
a67eaf |
Resolves: rhbz#1335039
|
|
|
a67eaf |
Resolves: rhbz#1335042
|
|
|
a67eaf |
Resolves: rhbz#1335045
|
|
|
a67eaf |
Resolves: rhbz#1273243
|
|
|
a67eaf |
Resolves: rhbz#1299883
|
|
|
a67eaf |
|
|
|
a67eaf |
* Mon Feb 15 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17
|
|
|
3f2bfe |
- fixed bug in closefrom_override defaults option
|
|
|
a67eaf |
Resolves: rhbz#1297062
|
|
|
3f2bfe |
|
|
|
72fdaf |
* Tue Sep 1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-16
|
|
|
72fdaf |
- RHEL 7.2 erratum
|
|
|
72fdaf |
- show the digest type in warning messages
|
|
|
72fdaf |
Resolves: rhbz#1183818
|
|
|
72fdaf |
|
|
|
72fdaf |
* Tue Sep 1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-15
|
|
|
72fdaf |
- RHEL 7.2 erratum
|
|
|
72fdaf |
- fixed compilation of testing binaries during make check
|
|
|
72fdaf |
- added legacy group processing patch
|
|
|
72fdaf |
- replaced buggy base64 decoder with a public domain implementation
|
|
|
72fdaf |
Resolves: rhbz#1254621
|
|
|
72fdaf |
Resolves: rhbz#1183818
|
|
|
72fdaf |
Resolves: rhbz#1247591
|
|
|
72fdaf |
|
|
|
72fdaf |
* Tue Jul 7 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-14
|
|
|
72fdaf |
- RHEL 7.2 erratum
|
|
|
72fdaf |
- backported command digest specification
|
|
|
72fdaf |
- fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable
|
|
|
72fdaf |
- fixed typos in sudoers.ldap man page
|
|
|
72fdaf |
- fixed handling of double-quoted sudoOption values in ldap, sssd sources
|
|
|
72fdaf |
- fixed numeric uid specification support in ldap source
|
|
|
72fdaf |
- fixed authentication flag logic in ldap source
|
|
|
72fdaf |
- added the systemctl command to the SERVICES alias in the default sudoers file
|
|
|
72fdaf |
Resolves: rhbz#1144446
|
|
|
72fdaf |
Resolves: rhbz#1235570
|
|
|
72fdaf |
Resolves: rhbz#1138259
|
|
|
72fdaf |
Resolves: rhbz#1183818
|
|
|
72fdaf |
Resolves: rhbz#1233607
|
|
|
72fdaf |
Resolves: rhbz#1144419
|
|
|
72fdaf |
Resolves: rhbz#1135539
|
|
|
72fdaf |
Resolves: rhbz#1215400
|
|
|
72fdaf |
|
|
|
523624 |
* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-13
|
|
|
523624 |
- RHEL 7.1 erratum
|
|
|
523624 |
- fixed issues found by covscan/clang-analyzer
|
|
|
523624 |
Resolves: rhbz#1147616
|
|
|
523624 |
|
|
|
523624 |
* Mon Sep 29 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-12
|
|
|
523624 |
- RHEL 7.1 erratum
|
|
|
523624 |
- don't retry authentication when ctrl-c pressed
|
|
|
523624 |
- fix double-quote processing in Defaults options
|
|
|
523624 |
- handle the "(none)" hostname correctly
|
|
|
523624 |
- SSSD: fix sudoUser netgroup specification filtering
|
|
|
523624 |
- SSSD: list correct user when -U <user> -l specified
|
|
|
523624 |
- SSSD: show rule names on long listing (-ll)
|
|
|
523624 |
- fix infinite loop when duplicate entries are specified on the
|
|
|
523624 |
sudoers nsswitch.conf line
|
|
|
523624 |
Resolves: rhbz#1084488
|
|
|
523624 |
Resolves: rhbz#1088464
|
|
|
523624 |
Resolves: rhbz#1088825
|
|
|
523624 |
Resolves: rhbz#1092499
|
|
|
523624 |
Resolves: rhbz#1093099
|
|
|
523624 |
Resolves: rhbz#1096813
|
|
|
523624 |
Resolves: rhbz#1147497
|
|
|
523624 |
Resolves: rhbz#1147557
|
|
|
523624 |
|
|
|
9c2f35 |
* Wed Feb 26 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-11
|
|
|
9c2f35 |
- Fixed incorrect login shell path construction in sesh
|
|
|
9c2f35 |
(thanks fkrska@redhat.com for the patch)
|
|
|
9c2f35 |
Resolves: rhbz#1065418
|
|
|
9c2f35 |
|
|
|
9c2f35 |
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.8.6p7-10
|
|
|
9c2f35 |
- Mass rebuild 2014-01-24
|
|
|
9c2f35 |
|
|
|
9c2f35 |
* Wed Jan 15 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-9
|
|
|
9c2f35 |
- allow the wheel group to use sudo
|
|
|
9c2f35 |
Resolves: rhbz#994623
|
|
|
9c2f35 |
|
|
|
9c2f35 |
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.8.6p7-8
|
|
|
9c2f35 |
- Mass rebuild 2013-12-27
|
|
|
9c2f35 |
|
|
|
1b092f |
* Fri Nov 08 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-7
|
|
|
1b092f |
- dropped wrong patch and fixed patch comments
|
|
|
1b092f |
Resolves: rhbz#1000389
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Nov 07 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-6
|
|
|
1b092f |
- fixed alias cycle detection code
|
|
|
1b092f |
- added debug messages for tracing of netgroup matching
|
|
|
1b092f |
- fixed aborting on realloc when displaying allowed commands
|
|
|
1b092f |
- sssd: filter netgroups in the sudoUser attribute
|
|
|
1b092f |
- parse uids/gids more strictly
|
|
|
1b092f |
- added debug messages to trace netgroup matching
|
|
|
1b092f |
Resolves: rhbz#1026904
|
|
|
1b092f |
Resolves: rhbz#1026890
|
|
|
1b092f |
Resolves: rhbz#1007014
|
|
|
1b092f |
Resolves: rhbz#1026894
|
|
|
1b092f |
Resolves: rhbz#1000389
|
|
|
1b092f |
Resolves: rhbz#994566
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Aug 05 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-5
|
|
|
1b092f |
- added standalone manpage for sudo.conf and sudo-ldap.conf
|
|
|
1b092f |
- spec file cleanup
|
|
|
1b092f |
Resolves: rhbz#881258
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jul 29 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-4
|
|
|
1b092f |
- added RHEL 6 patches
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jul 24 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-3
|
|
|
1b092f |
- synced sudoers, configure options & configuration files with
|
|
|
1b092f |
expected RHEL configuration
|
|
|
1b092f |
Resolves: rhbz#969373
|
|
|
1b092f |
Resolves: rhbz#971009
|
|
|
1b092f |
Resolves: rhbz#965124
|
|
|
1b092f |
Resolves: rhbz#971013
|
|
|
1b092f |
Resolves: rhbz#839705
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Apr 11 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-2
|
|
|
1b092f |
- depend on /usr/sbin/sendmail instead of the sendmail package
|
|
|
1b092f |
Resolves: rhbz#927842
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
|
|
|
1b092f |
- update to 1.8.6p7
|
|
|
1b092f |
- fixes CVE-2013-1775 and CVE-2013-1776
|
|
|
1b092f |
- fixed several packaging issues (thanks to ville.skytta@iki.fi)
|
|
|
1b092f |
- build with system zlib.
|
|
|
1b092f |
- let rpmbuild strip libexecdir/*.so.
|
|
|
1b092f |
- own the %%{_docdir}/sudo-* dir.
|
|
|
1b092f |
- fix some rpmlint warnings (spaces vs tabs, unescaped macros).
|
|
|
1b092f |
- fix bogus %%changelog dates.
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3
|
|
|
1b092f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2
|
|
|
1b092f |
- added upstream patch for a regression
|
|
|
1b092f |
- don't include arch specific files in the -devel subpackage
|
|
|
1b092f |
- ship only one sample plugin in the -devel subpackage
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1
|
|
|
1b092f |
- update to 1.8.6p3
|
|
|
1b092f |
- drop -pipelist patch (fixed in upstream)
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Sep 6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1
|
|
|
1b092f |
- update to 1.8.6
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4
|
|
|
1b092f |
- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)
|
|
|
1b092f |
- re-enabled SSSD support
|
|
|
1b092f |
- removed libsss_sudo dependency
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3
|
|
|
1b092f |
- flip sudoers2ldif executable bit after make install, not in setup
|
|
|
1b092f |
|
|
|
1b092f |
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2
|
|
|
1b092f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
|
|
|
1b092f |
- update to 1.8.5
|
|
|
1b092f |
- fixed CVE-2012-2337
|
|
|
1b092f |
- temporarily disabled SSSD support
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
|
|
|
1b092f |
- fixed problems with undefined symbols (rhbz#798517)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5
|
|
|
1b092f |
- SSSD patch update
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Feb 7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4
|
|
|
1b092f |
- added SSSD support
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3
|
|
|
1b092f |
- added patch for CVE-2012-0809
|
|
|
1b092f |
|
|
|
1b092f |
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2
|
|
|
1b092f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
|
|
|
1b092f |
- update to 1.8.3p1
|
|
|
1b092f |
- disable output word wrapping if the output is piped
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Sep 7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
|
|
|
1b092f |
- Remove execute bit from sample script in docs so we don't pull in perl
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
|
|
|
1b092f |
- rebase to 1.8.1p2
|
|
|
1b092f |
- removed .sudoi patch
|
|
|
1b092f |
- fixed typo: RELPRO -> RELRO
|
|
|
1b092f |
- added -devel subpackage for the sudo_plugin.h header file
|
|
|
1b092f |
- use default ldap configuration files again
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jun 3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
|
|
|
1b092f |
- build with RELRO
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
|
|
|
1b092f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2
|
|
|
1b092f |
- rebase to 1.7.4p5
|
|
|
1b092f |
- fixed sudo-1.7.4p4-getgrouplist.patch
|
|
|
1b092f |
- fixes CVE-2011-0008, CVE-2011-0010
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
|
|
|
1b092f |
- anybody in the wheel group has now root access (using password) (rhbz#656873)
|
|
|
1b092f |
- sync configuration paths with the nss_ldap package (rhbz#652687)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4
|
|
|
1b092f |
- added upstream patch to fix rhbz#638345
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3
|
|
|
1b092f |
- added patch for #635250
|
|
|
1b092f |
- /var/run/sudo -> /var/db/sudo in .spec
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Sep 7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2
|
|
|
1b092f |
- sudo now uses /var/db/sudo for timestamps
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Sep 7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
|
|
|
1b092f |
- update to new upstream version
|
|
|
1b092f |
- new command available: sudoreplay
|
|
|
1b092f |
- use native audit support
|
|
|
1b092f |
- corrected license field value: BSD -> ISC
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jun 2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
|
|
|
1b092f |
- added patch that fixes insufficient environment sanitization issue (#598154)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1
|
|
|
1b092f |
- update to new upstream version
|
|
|
1b092f |
- merged .audit and .libaudit patch
|
|
|
1b092f |
- added sudoers.ldap.5* to files
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Mar 1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2
|
|
|
1b092f |
- update to new upstream version
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5
|
|
|
1b092f |
- fixed no valid sudoers sources found (#558875)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4
|
|
|
1b092f |
- audit related Makefile.in and configure.in corrections
|
|
|
1b092f |
- added --with-audit configure option
|
|
|
1b092f |
- removed call to libtoolize
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3
|
|
|
1b092f |
- fixed segfault when #include directive is used in cycles (#561336)
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jan 8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2
|
|
|
1b092f |
- Add /etc/sudoers.d dir and use it in default config (#551470).
|
|
|
1b092f |
- Drop *.pod man page duplicates from docs.
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1
|
|
|
1b092f |
- new upstream version 1.7.2p2-1
|
|
|
1b092f |
- commented out unused aliases in sudoers to make visudo happy (#550239)
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7
|
|
|
1b092f |
- rebuilt with new audit
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6
|
|
|
1b092f |
- moved secure_path from compile-time option to sudoers file (#517428)
|
|
|
1b092f |
|
|
|
1b092f |
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5
|
|
|
1b092f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4
|
|
|
1b092f |
- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)
|
|
|
1b092f |
- epoch number sync
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1
|
|
|
1b092f |
- updated sudo to version 1.7.1
|
|
|
1b092f |
- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6
|
|
|
1b092f |
- fixed building with new libtool
|
|
|
1b092f |
- fix for incorrect handling of groups in Runas_User
|
|
|
1b092f |
- added /usr/local/sbin to secure-path
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3
|
|
|
1b092f |
- build with sendmail installed
|
|
|
1b092f |
- Added /usr/local/bin to secure-path
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2
|
|
|
1b092f |
- adjust audit patch, do not scream when kernel is
|
|
|
1b092f |
compiled without audit netlink support (#401201)
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1
|
|
|
1b092f |
- upgrade
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7
|
|
|
1b092f |
- build with newer autoconf-2.62 (#449614)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6
|
|
|
1b092f |
- compiled with secure path (#80215)
|
|
|
1b092f |
|
|
|
1b092f |
* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5
|
|
|
1b092f |
- fix path to updatedb in /etc/sudoers (#445103)
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4
|
|
|
1b092f |
- include ldap files in rpm package (#439506)
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3
|
|
|
1b092f |
- include [sudo] in password prompt (#437092)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
|
|
|
1b092f |
- audit support improvement
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
|
|
|
1b092f |
- upgrade to the latest upstream release
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1
|
|
|
1b092f |
- upgrade to the latest upstream release
|
|
|
1b092f |
- add selinux support
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6
|
|
|
1b092f |
- sparc64 needs to be in the -fPIE list with s390
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
|
|
|
1b092f |
- fix complains about audit_log_user_command(): Connection
|
|
|
1b092f |
refused (#401201)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
|
|
|
1b092f |
- Rebuild for deps
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-3
|
|
|
1b092f |
- Rebuild for openssl bump
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Aug 30 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-2
|
|
|
1b092f |
- fix autotools stuff and add audit support
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
|
|
|
1b092f |
- upgrade to upstream release
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
|
|
|
1b092f |
- also use getgrouplist() to determine group membership (#235915)
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Feb 26 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-13
|
|
|
1b092f |
- fix some spec file issues
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Dec 14 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-12
|
|
|
1b092f |
- fix rpmlint issue
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Oct 26 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-11
|
|
|
1b092f |
- fix typo in sudoers file (#212308)
|
|
|
1b092f |
|
|
|
1b092f |
* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-10
|
|
|
1b092f |
- rebuilt for unwind info generation, broken in gcc-4.1.1-21
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Sep 21 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-9
|
|
|
1b092f |
- fix sudoers file, X apps didn't work (#206320)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Aug 08 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-8
|
|
|
1b092f |
- use Red Hat specific default sudoers file
|
|
|
1b092f |
|
|
|
1b092f |
* Sun Jul 16 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-7
|
|
|
1b092f |
- fix #198755 - make login processes (sudo -i) initialise session keyring
|
|
|
1b092f |
(thanks for PAM config files to David Howells)
|
|
|
1b092f |
- add IPv6 support (patch by Milan Zazrivec)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-6.1
|
|
|
1b092f |
- rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Mon May 29 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-6
|
|
|
1b092f |
- fix #190062 - "ssh localhost sudo su" will show the password in clear
|
|
|
1b092f |
|
|
|
1b092f |
* Tue May 23 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-5
|
|
|
1b092f |
- add LDAP support (#170848)
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-4.1
|
|
|
1b092f |
- bump again for double-long bug on ppc(64)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 8 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-4
|
|
|
1b092f |
- reset env. by default
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-3.1
|
|
|
1b092f |
- rebuilt for new gcc4.1 snapshot and glibc changes
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 1.6.8p12-3
|
|
|
1b092f |
- Remove selinux patch. It has been decided that the SELinux patch for sudo is
|
|
|
1b092f |
- no longer necessary. In tageted policy it had no effect. In strict/MLS policy
|
|
|
1b092f |
- We require the person using sudo to execute newrole before using sudo.
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
|
|
|
1b092f |
- rebuilt
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Nov 25 2005 Karel Zak <kzak@redhat.com> 1.6.8p12-1
|
|
|
1b092f |
- new upstream version 1.6.8p12
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Nov 8 2005 Karel Zak <kzak@redhat.com> 1.6.8p11-1
|
|
|
1b092f |
- new upstream version 1.6.8p11
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 1.6.8p9-6
|
|
|
1b092f |
- use include instead of pam_stack in pam config
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Oct 11 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-5
|
|
|
1b092f |
- enable interfaces in selinux patch
|
|
|
1b092f |
- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-4
|
|
|
1b092f |
- fix debuginfo
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-3
|
|
|
1b092f |
- fix #162623 - sesh hangs when child suspends
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Aug 1 2005 Dan Walsh <dwalsh@redhat.com> 1.6.8p9-2
|
|
|
1b092f |
- Add back in interfaces call, SELinux has been fixed to work around
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jun 21 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-1
|
|
|
1b092f |
- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue May 24 2005 Karel Zak <kzak@redhat.com> 1.6.8p8-2
|
|
|
1b092f |
- fix #154511 - sudo does not use limits.conf
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Apr 4 2005 Thomas Woerner <twoerner@redhat.com> 1.6.8p8-1
|
|
|
1b092f |
- new version 1.6.8p8: new sudoedit and sudo_noexec
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Feb 9 2005 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-31
|
|
|
1b092f |
- rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Oct 4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
|
|
|
1b092f |
- added missing BuildRequires for libselinux-devel (#132883)
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
|
|
|
1b092f |
- Fix missing param error in sesh
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Sep 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-29
|
|
|
1b092f |
- Remove full patch check from sesh
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-28
|
|
|
1b092f |
- Fix selinux patch to switch to root user
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
|
|
|
1b092f |
- rebuilt
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Apr 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-26
|
|
|
1b092f |
- Eliminate tty handling from selinux
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Apr 1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25
|
|
|
1b092f |
- fixed spec file: sesh in file section with selinux flag (#119682)
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24
|
|
|
1b092f |
- Enhance sesh.c to fork/exec children itself, to avoid
|
|
|
1b092f |
having sudo reap all domains.
|
|
|
1b092f |
- Only reinstall default signal handlers immediately before
|
|
|
1b092f |
exec of child with SELinux patch
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
|
|
|
1b092f |
- change to default to sysadm_r
|
|
|
1b092f |
- Fix tty handling
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
|
|
|
1b092f |
- Add /bin/sesh to run selinux code.
|
|
|
1b092f |
- replace /bin/bash -c with /bin/sesh
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
|
|
|
1b092f |
- Hard code to use "/bin/bash -c" for selinux
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
|
|
|
1b092f |
- Eliminate closing and reopening of terminals, to match su.
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-19
|
|
|
1b092f |
- SELinux fixes to make transitions work properly
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Mar 5 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-18
|
|
|
1b092f |
- pied sudo
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
|
|
|
1b092f |
- rebuilt
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-16
|
|
|
1b092f |
- Eliminate interfaces call, since this requires big SELinux privs
|
|
|
1b092f |
- and it seems to be useless.
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 27 2004 Karsten Hopp <karsten@redhat.de> 1.6.7p5-15
|
|
|
1b092f |
- visudo requires vim-minimal or setting EDITOR to something useful (#68605)
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jan 26 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-14
|
|
|
1b092f |
- Fix is_selinux_enabled call
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
|
|
|
1b092f |
- Clean up patch on failure
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
|
|
|
1b092f |
- Remove sudo.te for now.
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jan 2 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-11
|
|
|
1b092f |
- Fix usage message
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Dec 22 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-10
|
|
|
1b092f |
- Clean up sudo.te to not blow up if pam.te not present
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Dec 18 2003 Thomas Woerner <twoerner@redhat.com>
|
|
|
1b092f |
- added missing BuildRequires for groff
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Dec 16 2003 Jeremy Katz <katzj@redhat.com> 1.6.7p5-9
|
|
|
1b092f |
- remove left-over debugging code
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Dec 16 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-8
|
|
|
1b092f |
- Fix terminal handling that caused Sudo to exit on non selinux machines.
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Dec 15 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-7
|
|
|
1b092f |
- Remove sudo_var_run_t which is now pam_var_run_t
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-6
|
|
|
1b092f |
- Fix terminal handling and policy
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Dec 11 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-5
|
|
|
1b092f |
- Fix policy
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Nov 13 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-4.sel
|
|
|
1b092f |
- Turn on SELinux support
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jul 29 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-3
|
|
|
1b092f |
- Add support for SELinux
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
|
|
|
1b092f |
- rebuilt
|
|
|
1b092f |
|
|
|
1b092f |
* Mon May 19 2003 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-1
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
|
|
|
1b092f |
- rebuilt
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 1.6.6-2
|
|
|
1b092f |
- remove absolute path names from the PAM configuration, ensuring that the
|
|
|
1b092f |
right modules get used for whichever arch we're built for
|
|
|
1b092f |
- don't try to install the FAQ, which isn't there any more
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jun 27 2002 Bill Nottingham <notting@redhat.com> 1.6.6-1
|
|
|
1b092f |
- update to 1.6.6
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
|
|
|
1b092f |
- automated rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Thu May 23 2002 Tim Powers <timp@redhat.com>
|
|
|
1b092f |
- automated rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Apr 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-2
|
|
|
1b092f |
- Fix bug #63768
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-1
|
|
|
1b092f |
- 1.6.5p2
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Jan 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p1-1
|
|
|
1b092f |
- 1.6.5p1
|
|
|
1b092f |
- Hope this "a new release per day" madness stops ;)
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jan 17 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5-1
|
|
|
1b092f |
- 1.6.5
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jan 15 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4p1-1
|
|
|
1b092f |
- 1.6.4p1
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jan 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4-1
|
|
|
1b092f |
- Update to 1.6.4
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Jul 23 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.3p7-2
|
|
|
1b092f |
- Add build requirements (#49706)
|
|
|
1b092f |
- s/Copyright/License/
|
|
|
1b092f |
- bzip2 source
|
|
|
1b092f |
|
|
|
1b092f |
* Sat Jun 16 2001 Than Ngo <than@redhat.com>
|
|
|
1b092f |
- update to 1.6.3p7
|
|
|
1b092f |
- use %%{_tmppath}
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Feb 23 2001 Bernhard Rosenkraenzer <bero@redhat.com>
|
|
|
1b092f |
- 1.6.3p6, fixes buffer overrun
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
|
|
|
1b092f |
- 1.6.3p5
|
|
|
1b092f |
|
|
|
1b092f |
* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
|
|
|
1b092f |
- automatic rebuild
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Jun 06 2000 Karsten Hopp <karsten@redhat.de>
|
|
|
1b092f |
- fixed owner of sudo and visudo
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jun 1 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
1b092f |
- modify PAM setup to use system-auth
|
|
|
1b092f |
- clean up buildrooting by using the makeinstall macro
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Apr 11 2000 Bernhard Rosenkraenzer <bero@redhat.com>
|
|
|
1b092f |
- initial build in main distrib
|
|
|
1b092f |
- update to 1.6.3
|
|
|
1b092f |
- deal with compressed man pages
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Dec 14 1999 Preston Brown <pbrown@redhat.com>
|
|
|
1b092f |
- updated to 1.6.1 for Powertools 6.2
|
|
|
1b092f |
- config files are now noreplace.
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jul 22 1999 Tim Powers <timp@redhat.com>
|
|
|
1b092f |
- updated to 1.5.9p2 for Powertools 6.1
|
|
|
1b092f |
|
|
|
1b092f |
* Wed May 12 1999 Bill Nottingham <notting@redhat.com>
|
|
|
1b092f |
- sudo is configured with pam. There's no pam.d file. Oops.
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Apr 26 1999 Preston Brown <pbrown@redhat.com>
|
|
|
1b092f |
- upgraded to 1.59p1 for powertools 6.0
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Oct 27 1998 Preston Brown <pbrown@redhat.com>
|
|
|
1b092f |
- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Oct 08 1998 Michael Maher <mike@redhat.com>
|
|
|
1b092f |
- built package for 5.2
|
|
|
1b092f |
|
|
|
1b092f |
* Mon May 18 1998 Michael Maher <mike@redhat.com>
|
|
|
1b092f |
- updated SPEC file
|
|
|
1b092f |
|
|
|
1b092f |
* Thu Jan 29 1998 Otto Hammersmith <otto@redhat.com>
|
|
|
1b092f |
- updated to 1.5.4
|
|
|
1b092f |
|
|
|
1b092f |
* Tue Nov 18 1997 Otto Hammersmith <otto@redhat.com>
|
|
|
1b092f |
- built for glibc, no problems
|
|
|
1b092f |
|
|
|
1b092f |
* Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
|
|
|
1b092f |
- Fixed for 4.2 PowerTools
|
|
|
1b092f |
- Still need to be pamified
|
|
|
1b092f |
- Still need to move stmp file to /var/log
|
|
|
1b092f |
|
|
|
1b092f |
* Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
|
|
|
1b092f |
- First version for PowerCD.
|
|
|
1b092f |
|