From 523624f1f38000c73e27c7aad2d0e607e8392c7e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 05 2015 13:28:51 +0000 Subject: import sudo-1.8.6p7-13.el7 --- diff --git a/SOURCES/sudo-1.8.6p3-authinterrupt.patch b/SOURCES/sudo-1.8.6p3-authinterrupt.patch new file mode 100644 index 0000000..18923d4 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-authinterrupt.patch @@ -0,0 +1,26 @@ +diff -up sudo-1.8.6p3/plugins/sudoers/auth/pam.c.authinterrupt sudo-1.8.6p3/plugins/sudoers/auth/pam.c +--- sudo-1.8.6p3/plugins/sudoers/auth/pam.c.authinterrupt 2014-05-22 13:46:31.204706184 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/auth/pam.c 2014-05-22 13:47:06.729830043 +0200 +@@ -167,13 +167,13 @@ sudo_pam_verify(struct passwd *pw, char + /* FALLTHROUGH */ + case PAM_AUTH_ERR: + case PAM_AUTHINFO_UNAVAIL: ++ case PAM_PERM_DENIED: + if (getpass_error) { + /* error or ^C from tgetpass() */ + debug_return_int(AUTH_INTR); + } + /* FALLTHROUGH */ + case PAM_MAXTRIES: +- case PAM_PERM_DENIED: + debug_return_int(AUTH_FAILURE); + default: + if ((s = pam_strerror(pamh, *pam_status))) +@@ -343,6 +343,7 @@ converse(int num_msg, PAM_CONST struct p + if (pass == NULL) { + /* Error (or ^C) reading password, don't try again. */ + getpass_error = 1; ++ ret = PAM_CONV_ERR; + #if (defined(__darwin__) || defined(__APPLE__)) && !defined(OPENPAM_VERSION) + pass = ""; + #else diff --git a/SOURCES/sudo-1.8.6p3-doublequotefix.patch b/SOURCES/sudo-1.8.6p3-doublequotefix.patch new file mode 100644 index 0000000..4ac2d50 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-doublequotefix.patch @@ -0,0 +1,24 @@ +diff -up sudo-1.8.6p3/plugins/sudoers/toke.c.doublequotefix sudo-1.8.6p3/plugins/sudoers/toke.c +--- sudo-1.8.6p3/plugins/sudoers/toke.c.doublequotefix 2014-05-19 14:28:27.536399410 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/toke.c 2014-05-19 14:29:51.084714355 +0200 +@@ -1851,7 +1851,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (yylval.string[0]) { + case '%': + if (yylval.string[1] == '\0' || +diff -up sudo-1.8.6p3/plugins/sudoers/toke.l.doublequotefix sudo-1.8.6p3/plugins/sudoers/toke.l +--- sudo-1.8.6p3/plugins/sudoers/toke.l.doublequotefix 2014-05-19 14:28:36.932438977 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/toke.l 2014-05-19 14:29:27.769626995 +0200 +@@ -197,7 +197,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (yylval.string[0]) { + case '%': + if (yylval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.6p3-netgrfilterfix.patch b/SOURCES/sudo-1.8.6p3-netgrfilterfix.patch new file mode 100644 index 0000000..0118511 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-netgrfilterfix.patch @@ -0,0 +1,92 @@ +diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c +--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix 2014-07-30 13:29:47.713823996 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200 +@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand + } + + /* +- * Look for netgroup specifcations in the sudoUser attribute and +- * if found, filter according to netgroup membership. +- * returns: +- * true -> netgroup spec found && negroup member +- * false -> netgroup spec found && not a meber of netgroup +- * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception) ++ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered ++ * in sudo. The rules may contain mixed sudoUser specification so we have to check ++ * not only for netgroup membership but also for user and group matches. + */ +-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) ++bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { +- bool ret = false, netgroup_spec_found = false; ++ bool ret = false; + char **val_array, *val; + int i; + debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD); +@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc + sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0"); + debug_return_bool(ret); + } +- ++ /* ++ * Scan sudoUser values and look for netgroup specs. ++ * Netgroup-only rule specification should be filtered ++ * out if the user isn't member of any specified netgroup. ++ */ + for (i = 0; val_array[i] != NULL && !ret; ++i) { + val = val_array[i]; +- if (*val == '+') { +- netgroup_spec_found = true; +- } + sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); +- if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) { +- ret = true; +- sudo_debug_printf(SUDO_DEBUG_DIAG, +- "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name); ++ if (*val == '+') { ++ /* Netgroup spec found, check netgroup membership */ ++ if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) { ++ ret = true; ++ sudo_debug_printf(SUDO_DEBUG_DIAG, ++ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name); ++ } ++ } else { ++ /* ++ * Non-netgroup sudoUser value ++ */ ++ if (strcmp(val, "ALL") == 0) { ++ ret = true; ++ } else { ++ const char *match_val = (*val == '!' ? val + 1 : val); ++ const bool negated = (*val == '!' ? true : false); ++ const bool group_spec = (*match_val == '%' ? true : false); ++ ++ if (group_spec) { ++ if (usergr_matches(match_val, ++ handle->pw->pw_name, handle->pw)) { ++ ret = !negated; ++ } ++ } else { ++ if (userpw_matches(match_val, ++ handle->pw->pw_name, handle->pw)) { ++ ret = !negated; ++ } ++ } ++ } + } + } + handle->fn_free_values(val_array); +- debug_return_bool(netgroup_spec_found ? ret : true); ++ debug_return_bool(ret); + } + + static int +@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_ + debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); + + if (sudo_sss_check_host(handle, rule) && +- sudo_sss_filter_user_netgroup(handle, rule)) ++ sudo_sss_filter_sudoUser(handle, rule)) + debug_return_int(1); + else + debug_return_int(0); diff --git a/SOURCES/sudo-1.8.6p3-nonehostname.patch b/SOURCES/sudo-1.8.6p3-nonehostname.patch new file mode 100644 index 0000000..5e170d2 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-nonehostname.patch @@ -0,0 +1,13 @@ +diff -up sudo-1.8.6p3/plugins/sudoers/match.c.nonehostname sudo-1.8.6p3/plugins/sudoers/match.c +--- sudo-1.8.6p3/plugins/sudoers/match.c.nonehostname 2014-05-19 12:50:08.412313041 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/match.c 2014-05-19 12:50:17.787348134 +0200 +@@ -727,7 +727,8 @@ netgr_matches(char *netgr, char *lhost, + /* get the domain name (if any) */ + if (!initialized) { + domain = (char *) emalloc(MAXHOSTNAMELEN + 1); +- if (getdomainname(domain, MAXHOSTNAMELEN + 1) == -1 || *domain == '\0') { ++ if (getdomainname(domain, MAXHOSTNAMELEN + 1) == -1 || *domain == '\0' ++ || strncmp (domain, "(none)", 7) == 0) { + efree(domain); + domain = NULL; + } diff --git a/SOURCES/sudo-1.8.6p3-sssdrulenames.patch b/SOURCES/sudo-1.8.6p3-sssdrulenames.patch new file mode 100644 index 0000000..84081d1 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-sssdrulenames.patch @@ -0,0 +1,22 @@ +diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.rulenames sudo-1.8.6p3/plugins/sudoers/sssd.c +--- sudo-1.8.6p3/plugins/sudoers/sssd.c.rulenames 2014-05-21 12:33:21.000768420 +0200 ++++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-05-21 12:38:13.779864718 +0200 +@@ -1180,6 +1180,18 @@ sudo_sss_display_entry_long(struct sudo_ + int count = 0, i; + debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_SSSD); + ++ switch(handle->fn_get_values(rule, "cn", &val_array)) { ++ case 0: ++ if (val_array[0]) { ++ lbuf_append(lbuf, _("\nSSSD Role: %s\n"), val_array[0]); ++ } ++ handle->fn_free_values(val_array); ++ val_array = NULL; ++ break; ++ default: ++ lbuf_append(lbuf, _("\nSSSD Role: UNKNOWN\n")); ++ } ++ + /* get the RunAsUser Values from the entry */ + lbuf_append(lbuf, " RunAsUsers: "); + switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array)) { diff --git a/SOURCES/sudo-1.8.6p7-clangfixes.patch b/SOURCES/sudo-1.8.6p7-clangfixes.patch new file mode 100644 index 0000000..70d9aff --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-clangfixes.patch @@ -0,0 +1,46 @@ +diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.clangfixes sudo-1.8.6p7/plugins/sudoers/sssd.c +--- sudo-1.8.6p7/plugins/sudoers/sssd.c.clangfixes 2014-09-30 10:31:43.920885432 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2014-09-30 10:32:39.413228871 +0200 +@@ -313,9 +313,9 @@ static int sudo_sss_close(struct sudo_ns + if (nss && nss->handle) { + handle = nss->handle; + dlclose(handle->ssslib); ++ efree(nss->handle); + } + +- efree(nss->handle); + debug_return_int(0); + } + +@@ -755,12 +755,15 @@ sudo_sss_result_get(struct sudo_nss *nss + *state |= _SUDO_SSS_STATE_HOSTMATCH; + } + } ++ sudo_debug_printf(SUDO_DEBUG_DEBUG, ++ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, ++ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_DEBUG, ++ "u_sss_result=(%p, %u) => f_sss_result=NULL", u_sss_result, ++ u_sss_result->num_rules); + } + +- sudo_debug_printf(SUDO_DEBUG_DEBUG, +- "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, +- u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); +- + handle->fn_free_result(u_sss_result); + + debug_return_ptr(f_sss_result); +diff -up sudo-1.8.6p7/plugins/sudoers/visudo.c.clangfixes sudo-1.8.6p7/plugins/sudoers/visudo.c +--- sudo-1.8.6p7/plugins/sudoers/visudo.c.clangfixes 2014-09-30 10:34:08.689174020 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/visudo.c 2014-09-30 11:00:15.215654285 +0200 +@@ -544,7 +544,7 @@ reparse_sudoers(char *editor, char *args + continue; + edit_sudoers(sp, editor, args, errorlineno); + } +- } while (parse_error); ++ } while (parse_error && sp != NULL); + + debug_return; + } diff --git a/SOURCES/sudo-1.8.6p7-constwarnfix.patch b/SOURCES/sudo-1.8.6p7-constwarnfix.patch new file mode 100644 index 0000000..5e3a6f6 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-constwarnfix.patch @@ -0,0 +1,104 @@ +diff -up sudo-1.8.6p7/plugins/sudoers/match.c.constwarnfix sudo-1.8.6p7/plugins/sudoers/match.c +--- sudo-1.8.6p7/plugins/sudoers/match.c.constwarnfix 2014-09-29 15:55:50.996485025 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/match.c 2014-09-29 15:55:51.002484954 +0200 +@@ -599,7 +599,7 @@ command_matches_dir(char *sudoers_dir, s + * Returns true if the hostname matches the pattern, else false + */ + bool +-hostname_matches(char *shost, char *lhost, char *pattern) ++hostname_matches(const char *shost, const char *lhost, const char *pattern) + { + debug_decl(hostname_matches, SUDO_DEBUG_MATCH) + +@@ -621,7 +621,7 @@ hostname_matches(char *shost, char *lhos + * else returns false. + */ + bool +-userpw_matches(char *sudoers_user, char *user, struct passwd *pw) ++userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw) + { + debug_decl(userpw_matches, SUDO_DEBUG_MATCH) + if (pw != NULL && *sudoers_user == '#') { +@@ -640,7 +640,7 @@ userpw_matches(char *sudoers_user, char + * else returns false. + */ + bool +-group_matches(char *sudoers_group, struct group *gr) ++group_matches(const char *sudoers_group, const struct group *gr) + { + debug_decl(group_matches, SUDO_DEBUG_MATCH) + if (*sudoers_group == '#') { +@@ -659,7 +659,7 @@ group_matches(char *sudoers_group, struc + * else returns false. + */ + bool +-usergr_matches(char *group, char *user, struct passwd *pw) ++usergr_matches(const char *group, const char *user, const struct passwd *pw) + { + int matched = false; + struct passwd *pw0 = NULL; +@@ -707,7 +707,7 @@ done: + * XXX - swap order of host & shost + */ + bool +-netgr_matches(char *netgr, char *lhost, char *shost, char *user) ++netgr_matches(const char *netgr, const char *lhost, const char *shost, const char *user) + { + static char *domain; + #ifdef HAVE_GETDOMAINNAME +diff -up sudo-1.8.6p7/plugins/sudoers/parse.h.constwarnfix sudo-1.8.6p7/plugins/sudoers/parse.h +--- sudo-1.8.6p7/plugins/sudoers/parse.h.constwarnfix 2014-09-29 15:55:50.992485072 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/parse.h 2014-09-29 15:55:51.002484954 +0200 +@@ -188,11 +188,11 @@ bool addr_matches(char *n); + + /* match.c */ + bool command_matches(char *sudoers_cmnd, char *sudoers_args); +-bool group_matches(char *sudoers_group, struct group *gr); +-bool hostname_matches(char *shost, char *lhost, char *pattern); +-bool netgr_matches(char *netgr, char *lhost, char *shost, char *user); +-bool usergr_matches(char *group, char *user, struct passwd *pw); +-bool userpw_matches(char *sudoers_user, char *user, struct passwd *pw); ++bool group_matches(const char *sudoers_group, const struct group *gr); ++bool hostname_matches(const char *shost, const char *lhost, const char *pattern); ++bool netgr_matches(const char *netgr, const char *lhost, const char *shost, const char *user); ++bool usergr_matches(const char *group, const char *user, const struct passwd *pw); ++bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw); + int cmnd_matches(struct member *m); + int cmndlist_matches(struct member_list *list); + int hostlist_matches(struct member_list *list); +diff -up sudo-1.8.6p7/plugins/sudoers/pwutil.c.constwarnfix sudo-1.8.6p7/plugins/sudoers/pwutil.c +--- sudo-1.8.6p7/plugins/sudoers/pwutil.c.constwarnfix 2013-02-25 20:42:44.000000000 +0100 ++++ sudo-1.8.6p7/plugins/sudoers/pwutil.c 2014-09-29 15:55:51.003484942 +0200 +@@ -841,7 +841,7 @@ sudo_endgrent(void) + } + + struct group_list * +-sudo_get_grlist(struct passwd *pw) ++sudo_get_grlist(const struct passwd *pw) + { + struct cache_item key, *item; + struct rbnode *node; +@@ -905,7 +905,7 @@ done: + } + + bool +-user_in_group(struct passwd *pw, const char *group) ++user_in_group(const struct passwd *pw, const char *group) + { + struct group_list *grlist; + struct group *grp = NULL; +diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.constwarnfix sudo-1.8.6p7/plugins/sudoers/sudoers.h +--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.constwarnfix 2013-02-25 20:49:09.000000000 +0100 ++++ sudo-1.8.6p7/plugins/sudoers/sudoers.h 2014-09-29 15:55:51.003484942 +0200 +@@ -288,9 +288,9 @@ __dso_public struct group *sudo_getgrgid + __dso_public struct group *sudo_getgrnam(const char *); + __dso_public void sudo_gr_addref(struct group *); + __dso_public void sudo_gr_delref(struct group *); +-bool user_in_group(struct passwd *, const char *); ++bool user_in_group(const struct passwd *, const char *); + struct group *sudo_fakegrnam(const char *); +-struct group_list *sudo_get_grlist(struct passwd *pw); ++struct group_list *sudo_get_grlist(const struct passwd *pw); + struct passwd *sudo_fakepwnam(const char *, gid_t); + struct passwd *sudo_fakepwnamid(const char *user, uid_t uid, gid_t gid); + struct passwd *sudo_getpwnam(const char *); diff --git a/SOURCES/sudo-1.8.6p7-duplicatenssfix.patch b/SOURCES/sudo-1.8.6p7-duplicatenssfix.patch new file mode 100644 index 0000000..547eb41 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-duplicatenssfix.patch @@ -0,0 +1,47 @@ +diff -up sudo-1.8.6p7/plugins/sudoers/sudo_nss.c.duplicatenssfix sudo-1.8.6p7/plugins/sudoers/sudo_nss.c +--- sudo-1.8.6p7/plugins/sudoers/sudo_nss.c.duplicatenssfix 2014-09-29 15:30:35.243303099 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/sudo_nss.c 2014-09-29 15:33:13.669439300 +0200 +@@ -88,16 +88,16 @@ sudo_read_nss(void) + for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { + if (strcasecmp(cp, "files") == 0 && !saw_files) { + tq_append(&snl, &sudo_nss_file); +- got_match = true; ++ got_match = saw_files = true; + #ifdef HAVE_LDAP + } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { + tq_append(&snl, &sudo_nss_ldap); +- got_match = true; ++ got_match = saw_ldap = true; + #endif + #ifdef HAVE_SSSD + } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) { + tq_append(&snl, &sudo_nss_sss); +- got_match = true; ++ got_match = saw_sss = true; + #endif + } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { + /* NOTFOUND affects the most recent entry */ +@@ -171,20 +171,20 @@ sudo_read_nss(void) + if (!saw_files && strncasecmp(cp, "files", 5) == 0 && + (isspace((unsigned char)cp[5]) || cp[5] == '\0')) { + tq_append(&snl, &sudo_nss_file); +- got_match = true; ++ got_match = saw_files = true; + ep = &cp[5]; + #ifdef HAVE_LDAP + } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && + (isspace((unsigned char)cp[4]) || cp[4] == '\0')) { + tq_append(&snl, &sudo_nss_ldap); +- got_match = true; ++ got_match = saw_ldap = true; + ep = &cp[4]; + #endif + #ifdef HAVE_SSSD + } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 && + (isspace((unsigned char)cp[3]) || cp[3] == '\0')) { + tq_append(&snl, &sudo_nss_sss); +- got_match = true; ++ got_match = saw_sss = true; + ep = &cp[3]; + #endif + } else { diff --git a/SOURCES/sudo-1.8.6p7-ipahostname.patch b/SOURCES/sudo-1.8.6p7-ipahostname.patch new file mode 100644 index 0000000..c17b78b --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-ipahostname.patch @@ -0,0 +1,192 @@ +diff -up sudo-1.8.6p7/configure.in.ipahostname sudo-1.8.6p7/configure.in +--- sudo-1.8.6p7/configure.in.ipahostname 2014-09-29 11:14:38.393846226 +0200 ++++ sudo-1.8.6p7/configure.in 2014-09-29 11:14:38.428845807 +0200 +@@ -309,7 +309,7 @@ dnl Handle SSSD support. + dnl + AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])], + [case $with_sssd in +- yes) SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo" ++ yes) SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo ipa_hostname.lo" + AC_DEFINE(HAVE_SSSD) + ;; + no) ;; +diff -up sudo-1.8.6p7/plugins/sudoers/ipa_hostname.c.ipahostname sudo-1.8.6p7/plugins/sudoers/ipa_hostname.c +--- sudo-1.8.6p7/plugins/sudoers/ipa_hostname.c.ipahostname 2014-09-29 11:14:38.429845795 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/ipa_hostname.c 2014-09-29 11:14:38.429845795 +0200 +@@ -0,0 +1,88 @@ ++/* ++ * Copyright 2013 Red Hat Inc., Durham, North Carolina. ++ * All Rights Reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Authors: ++ * Daniel Kopecek ++ */ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++ ++static const char *sssd_conf_path = "/etc/sssd/sssd.conf"; ++ ++char *ipa_hostname(void) ++{ ++ static char hname[MAXHOSTNAMELEN+1]; ++ size_t hname_len = 0; ++ char *line = NULL; ++ ssize_t line_len = 0; ++ size_t line_buflen = 0; ++ FILE *fp; ++ ++ if ((fp = fopen(sssd_conf_path, "r")) == NULL) ++ return NULL; ++ while ((line_len = getline(&line, &line_buflen, fp)) > 0) { ++ char *keyword_loc; ++ if ((keyword_loc = strstr(line, "ipa_hostname")) != NULL) { ++ size_t i; ++ char *value_loc; ++ size_t value_len; ++ ++ value_loc = keyword_loc + strlen("ipa_hostname") + 1; ++ value_len = line_len - (size_t)(value_loc - line); ++ ++ /* Skip spaces and the assignment operator */ ++ for (i = 0; i < value_len; ++i) { ++ if (isspace(value_loc[i]) || value_loc[i] == '=') { ++ continue; ++ } else { ++ break; ++ } ++ } ++ ++ value_loc += i; ++ value_len -= i; ++ ++ if (value_len <= MAXHOSTNAMELEN) { ++ memcpy(hname, value_loc, value_len * sizeof(char)); ++ free(line); ++ fclose(fp); ++ hname_len = value_len; ++ hname[hname_len] = '\0'; ++ /* Remove spaces from the end of the string */ ++ for (i = hname_len - 1; i > 0; --i) { ++ if (isspace(hname[i])) { ++ hname[i] = '\0'; ++ --hname_len; ++ } else { ++ break; ++ } ++ } ++ return hname; ++ } ++ } ++ free(line); ++ line = NULL; ++ } ++ ++ fclose(fp); ++ return NULL; ++} +diff -up sudo-1.8.6p7/plugins/sudoers/ipa_hostname.h.ipahostname sudo-1.8.6p7/plugins/sudoers/ipa_hostname.h +--- sudo-1.8.6p7/plugins/sudoers/ipa_hostname.h.ipahostname 2014-09-29 11:14:38.429845795 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/ipa_hostname.h 2014-09-29 11:14:38.429845795 +0200 +@@ -0,0 +1,27 @@ ++/* ++ * Copyright 2013 Red Hat Inc., Durham, North Carolina. ++ * All Rights Reserved. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * ++ * Authors: ++ * Daniel Kopecek ++ */ ++#ifndef _IPA_HOSTNAME_H_ ++#define _IPA_HOSTNAME_H_ ++ ++char *ipa_hostname(void); ++ ++#endif /* _IPA_HOSTNAME_H_ */ +diff -up sudo-1.8.6p7/plugins/sudoers/Makefile.in.ipahostname sudo-1.8.6p7/plugins/sudoers/Makefile.in +--- sudo-1.8.6p7/plugins/sudoers/Makefile.in.ipahostname 2014-09-29 11:14:38.429845795 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/Makefile.in 2014-09-29 11:16:54.923210160 +0200 +@@ -728,6 +728,9 @@ sia.lo: $(authdir)/sia.c $(top_builddir) + $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c ++ipa_hostname.lo: $(srcdir)/ipa_hostname.c $(srcdir)/ipa_hostname.h ++ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/ipa_hostname.c ++ + sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \ + $(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \ + $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \ +diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.ipahostname sudo-1.8.6p7/plugins/sudoers/sssd.c +--- sudo-1.8.6p7/plugins/sudoers/sssd.c.ipahostname 2014-09-29 11:14:38.424845855 +0200 ++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2014-09-29 11:14:38.429845795 +0200 +@@ -60,6 +60,7 @@ + #include "parse.h" + #include "lbuf.h" + #include "sudo_debug.h" ++#include "ipa_hostname.h" + + /* SSSD <--> SUDO interface - do not change */ + struct sss_sudo_attr { +@@ -549,6 +550,24 @@ sudo_sss_check_runas(struct sudo_sss_han + debug_return_bool(ret); + } + ++static bool sudo_sss_ipa_hostname_matches(const char *hostname_val) ++{ ++ bool ret = false; ++ char *ipa_hostname_val; ++ debug_decl(sudo_sss_ipa_hostname_matches, SUDO_DEBUG_SSSD) ++ ++ if ((ipa_hostname_val = ipa_hostname()) != NULL) { ++ ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \ ++ netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL); ++ } ++ ++ sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s", ++ ipa_hostname_val ? ipa_hostname_val : "", hostname_val, ++ ret ? "true" : "false"); ++ ++ debug_return_bool(ret); ++} ++ + static bool + sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { +@@ -580,6 +599,7 @@ sudo_sss_check_host(struct sudo_sss_hand + + /* match any or address or netgroup or hostname */ + if (!strcmp(val, "ALL") || addr_matches(val) || ++ sudo_sss_ipa_hostname_matches(val) || + netgr_matches(val, user_host, user_shost, NULL) || + hostname_matches(user_shost, user_host, val)) + ret = true; diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index cbde546..2884d13 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.6p7 -Release: 11%{?dist} +Release: 13%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -69,6 +69,27 @@ Patch20: sudo-1.8.6p3-lbufexpandcode.patch Patch21: sudo-1.8.6p3-cycledetect.patch # 1065418 - -sesh replaces /path/to/myshell with /path/to-myshell instead of -myshell Patch22: sudo-1.8.6p7-sesh_loginshell.patch +# 1084488 - sudo should use ipa_hostname in IPA backend when defined +Patch23: sudo-1.8.6p7-ipahostname.patch +# 1096813 - sudo does not handle the "(none)" string, when no domainname is set, which +# breaks when nscd is enabled +Patch24: sudo-1.8.6p3-nonehostname.patch +# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers +Patch25: sudo-1.8.6p3-doublequotefix.patch +# 1088464 - sudo -ll does not list the rule names when sssd is used. +Patch26: sudo-1.8.6p3-sssdrulenames.patch +# 1088825 - With sudo-1.8.6p3-12.el6.x86_64 version, If a sudo rules contains +netgroup +# in sudoUser attribute it result in access denied +# 1147557 - sudo -U listing shows incorrect list when sssd is used. +Patch27: sudo-1.8.6p3-netgrfilterfix.patch +# 1093099 - pam_faillock causes sudo to lock user when user aborts password prompt +Patch28: sudo-1.8.6p3-authinterrupt.patch +# 1147497 - duplicate sss module in nsswitch breaks sudo +Patch29: sudo-1.8.6p7-duplicatenssfix.patch +# Fix compiler warnings about discarting const qualifiers +Patch30: sudo-1.8.6p7-constwarnfix.patch +# 1147616 - New defect found in sudo-1.8.6p7-12.el7 +Patch31: sudo-1.8.6p7-clangfixes.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -115,6 +136,15 @@ plugins that use %{name}. %patch20 -p1 -b .lbufexpandcode %patch21 -p1 -b .cycledetect %patch22 -p1 -b .sesh_loginshell +%patch23 -p1 -b .ipahostname +%patch24 -p1 -b .nonehostname +%patch25 -p1 -b .doublequotefix +%patch26 -p1 -b .sssdrulenames +%patch27 -p1 -b .netgrfilterfix +%patch28 -p1 -b .authinterrupt +%patch29 -p1 -b .duplicatenssfix +%patch30 -p1 -b .constwarnfix +%patch31 -p1 -b .clangfixes %build autoreconf -I m4 -fv --install @@ -235,6 +265,30 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Tue Sep 30 2014 Daniel Kopecek - 1.8.6p7-13 +- RHEL 7.1 erratum + - fixed issues found by covscan/clang-analyzer + Resolves: rhbz#1147616 + +* Mon Sep 29 2014 Daniel Kopecek - 1.8.6p7-12 +- RHEL 7.1 erratum + - don't retry authentication when ctrl-c pressed + - fix double-quote processing in Defaults options + - handle the "(none)" hostname correctly + - SSSD: fix sudoUser netgroup specification filtering + - SSSD: list correct user when -U -l specified + - SSSD: show rule names on long listing (-ll) + - fix infinite loop when duplicate entries are specified on the + sudoers nsswitch.conf line + Resolves: rhbz#1084488 + Resolves: rhbz#1088464 + Resolves: rhbz#1088825 + Resolves: rhbz#1092499 + Resolves: rhbz#1093099 + Resolves: rhbz#1096813 + Resolves: rhbz#1147497 + Resolves: rhbz#1147557 + * Wed Feb 26 2014 Daniel Kopecek - 1.8.6p7-11 - Fixed incorrect login shell path construction in sesh (thanks fkrska@redhat.com for the patch)