From ce887bfd0e79ac3aea1df49481d87fe2205a324b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:15:37 +0000 Subject: import sudo-1.8.19p2-13.el7 --- diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch new file mode 100644 index 0000000..234aa8d --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-display-privs.patch @@ -0,0 +1,16 @@ +diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c +--- ./plugins/sudoers/sudo_nss.c.display-privs 2017-01-13 23:30:15.000000000 -0500 ++++ ./plugins/sudoers/sudo_nss.c 2017-08-31 07:41:02.764738698 -0400 +@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl, + sudo_lbuf_destroy(&defs); + sudo_lbuf_destroy(&privs); + +- debug_return_int(count > 0); ++/* ++ * This is ok, we return 1 which is success in this case ++ * and we don't want return failure even when there is nothing to print ++ */ ++ debug_return_int(1); + bad: + sudo_lbuf_destroy(&defs); + sudo_lbuf_destroy(&privs); diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch new file mode 100644 index 0000000..ee358eb --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-iologtruncate.patch 
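Review bot: `debug_return_int(1);` makes `count` dead as far as the return value goes, so display_privs() now reports success even when it printed nothing, and any caller that used the non-zero result to tell "no matching privileges" apart from "privileges listed" (scripts checking the exit status of `sudo -l -U user`, for instance) loses that distinction; only the empty-result case changes, the `-1` path at `bad:` is untouched. If that is the intended contract it deserves a comment that states it rather than "This is ok", e.g. `/* An empty privilege list is not an error: return success so that "sudo -l" exits 0 even when there is nothing to print. */`, indented with the function body instead of sitting at column 0. display_privs() begins before the hunk.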
@@ -0,0 +1,171 @@ +diff --git a/src/exec_pty.c b/src/exec_pty.c +index 7403506..56b2899 100644 +--- a/src/exec_pty.c ++++ b/src/exec_pty.c +@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd, + int + fork_pty(struct command_details *details, int sv[], sigset_t *omask) + { ++ struct plugin_container *plugin; + struct command_status cstat; +- int io_pipe[3][2]; ++ int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } }; ++ bool interpose[3] = { false, false, false }; + sigaction_t sa; + sigset_t mask; + pid_t child; +@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) + sigaddset(&ttyblock, SIGTTIN); + sigaddset(&ttyblock, SIGTTOU); + ++ /* Determine whether any of std{in,out,err} should be logged. */ ++ TAILQ_FOREACH(plugin, &io_plugins, entries) { ++ if (plugin->u.io->log_stdin) ++ interpose[STDIN_FILENO] = true; ++ if (plugin->u.io->log_stdout) ++ interpose[STDOUT_FILENO] = true; ++ if (plugin->u.io->log_stderr) ++ interpose[STDERR_FILENO] = true; ++ } ++ + /* + * Setup stdin/stdout/stderr for child, to be duped after forking. + * In background mode there is no stdin. +@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) + } + + /* +- * If either stdin, stdout or stderr is not a tty we use a pipe +- * to interpose ourselves instead of duping the pty fd. ++ * If stdin, stdout or stderr is not a tty and logging is enabled, ++ * use a pipe to interpose ourselves instead of using the pty fd. 
+ */ +- memset(io_pipe, 0, sizeof(io_pipe)); + if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe"); +- pipeline = true; +- if (pipe(io_pipe[STDIN_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], +- log_stdin, &iobufs); +- io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; +- } +- if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe"); +- pipeline = true; +- if (pipe(io_pipe[STDOUT_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, +- log_stdout, &iobufs); +- io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; +- } +- if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe"); +- if (pipe(io_pipe[STDERR_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, +- log_stderr, &iobufs); +- io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; ++ if (!interpose[STDIN_FILENO]) { ++ /* Not logging stdin, do not interpose. */ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdin not a tty, not logging"); ++ io_fds[SFD_STDIN] = dup(STDIN_FILENO); ++ if (io_fds[SFD_STDIN] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdin not a tty, creating a pipe"); ++ pipeline = true; ++ if (pipe(io_pipe[STDIN_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], ++ log_stdin, &iobufs); ++ io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; ++ } ++ } ++ if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { ++ if (!interpose[STDOUT_FILENO]) { ++ /* Not logging stdout, do not interpose. 
*/ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdout not a tty, not logging"); ++ io_fds[SFD_STDOUT] = dup(STDOUT_FILENO); ++ if (io_fds[SFD_STDOUT] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdout not a tty, creating a pipe"); ++ pipeline = true; ++ if (pipe(io_pipe[STDOUT_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, ++ log_stdout, &iobufs); ++ io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; ++ } ++ } ++ if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { ++ if (!interpose[STDERR_FILENO]) { ++ /* Not logging stderr, do not interpose. */ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stderr not a tty, not logging"); ++ io_fds[SFD_STDERR] = dup(STDERR_FILENO); ++ if (io_fds[SFD_STDERR] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stderr not a tty, creating a pipe"); ++ if (pipe(io_pipe[STDERR_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, ++ log_stderr, &iobufs); ++ io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; ++ } + } + + /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */ +@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details, + setpgid(0, self); + + /* Wire up standard fds, note that stdout/stderr may be pipes. 
*/ +- if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 || +- dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 || +- dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) +- sudo_fatal("dup2"); ++ if (io_fds[SFD_STDIN] != STDIN_FILENO) { ++ if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDIN]); ++ } ++ if (io_fds[SFD_STDOUT] != STDOUT_FILENO) { ++ if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDOUT]); ++ } ++ if (io_fds[SFD_STDERR] != STDERR_FILENO) { ++ if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDERR]); ++ } + + /* Wait for parent to grant us the tty if we are foreground. */ + if (foreground && !ISSET(details->flags, CD_EXEC_BG)) { +@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details, + nanosleep(&ts, NULL); + } + +- /* We have guaranteed that the slave fd is > 2 */ ++ /* Done with the pty slave, don't leak it. */ + if (io_fds[SFD_SLAVE] != -1) + close(io_fds[SFD_SLAVE]); +- if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDIN]); +- if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDOUT]); +- if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDERR]); + + /* Execute command; only returns on error. */ + exec_cmnd(details, cstat, errfd); diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch new file mode 100644 index 0000000..acb4daa --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch 
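Review bot: In the fork_pty hunk the not-logging branches hand the child a plain `dup()` of the caller's stdin/stdout/stderr, but nothing in the hunk closes the parent's copy after the fork and the new descriptor is not close-on-exec, so the monitor keeps an extra reference to the user's streams for the whole session; that is fine if the parent releases io_fds[] later (outside the hunk), a descriptor leak if it does not, and either way worth a line at the `dup()` call: `/* fds 0-2 are guaranteed open by fix_fds(); dup() so the child can close its copy after dup2(). */`. The child side in exec_pty does close its copy after `dup2()` and correctly skips the slave fd, so the pairing is right there. Separately, `pipeline = true` is now set only when a stream is actually logged; `pipeline` is consumed outside this hunk, so confirm the not-a-tty, not-logging case still gets whatever signal/foreground handling it used to get. fork_pty() and exec_pty() both start and end outside the hunk.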
@@ -0,0 +1,206 @@ +diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat +--- ./doc/sudoers.cat.manpage 2017-09-11 15:16:47.443869930 +0200 ++++ ./doc/sudoers.cat 2017-09-11 15:42:15.140500826 +0200 +@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. +- For more information, see the _I_/_O _L_O_G _F_I_L_E_S section. +- This flag is _o_f_f by default. ++ Anything sent to the standard input will be consumed, ++ regardless of whether or not the command run via ssuuddoo ++ is actually reading the standard input. This may have ++ unexpected results when using ssuuddoo in a shell script ++ that expects to process the standard input. For more ++ information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S ++ section. This flag is _o_f_f by default. + + log_output If set, ssuuddoo will run the command in a pseudo-tty and + log all output that is sent to the screen, similar to +- the script(1) command. For more information, see the +- _I_/_O _L_O_G _F_I_L_E_S section. This flag is _o_f_f by default. ++ the script(1) command. For more information about I/O ++ logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is ++ _o_f_f by default. + + log_year If set, the four-digit year will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. +@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN + not needed, this option can be disabled to reduce the + load on the LDAP server. This flag is _o_n by default. + +- use_pty If set, ssuuddoo will run the command in a pseudo-pty even +- if no I/O logging is being gone. A malicious program +- run under ssuuddoo could conceivably fork a background +- process that retains to the user's terminal device +- after the main program has finished executing. Use of +- this option will make that impossible. This flag is +- _o_f_f by default. 
++ use_pty If set, and ssuuddoo is running in a terminal, the command ++ will be run in a pseudo-pty (even if no I/O logging is ++ being done). If the ssuuddoo process is not attached to a ++ terminal, _u_s_e___p_t_y has no effect. ++ ++ A malicious program run under ssuuddoo may be capable of ++ injecting injecting commands into the user's terminal ++ or running a background process that retains access to ++ the user's terminal device even after the main program ++ has finished executing. By running the command in a ++ separate pseudo-pty, this attack is no longer possible. ++ This flag is _o_f_f by default. + + utmp_runas If set, ssuuddoo will store the name of the runas user when + updating the utmp (or utmpx) file. By default, ssuuddoo +@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT + + II//OO LLOOGG FFIILLEESS + When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty +- and log all user input and/or output. I/O is logged to the directory +- specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a +- unique session ID that is included in the ssuuddoo log line, prefixed with +- ``TSID=''. The _i_o_l_o_g___f_i_l_e option may be used to control the format of +- the session ID. ++ and log all user input and/or output, depending on which options are ++ are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r ++ option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is ++ included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e ++ option may be used to control the format of the session ID. 
+ + Each I/O log is stored in a separate directory that contains the + following files: +diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in +--- ./doc/sudoers.man.in.manpage 2017-09-11 15:16:47.444869925 +0200 ++++ ./doc/sudoers.man.in 2017-09-11 15:16:47.456869864 +0200 +@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and + If the standard input is not connected to the user's tty, due to + I/O redirection or because the command is part of a pipeline, that + input is also captured and stored in a separate log file. +-For more information, see the ++Anything sent to the standard input will be consumed, regardless of ++whether or not the command run via ++\fBsudo\fR ++is actually reading the standard input. ++This may have unexpected results when using ++\fBsudo\fR ++in a shell script that expects to process the standard input. ++For more information about I/O logging, see the + \fII/O LOG FILES\fR + section. + This flag is +@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and + to the screen, similar to the + script(1) + command. +-For more information, see the ++For more information about I/O logging, see the + \fII/O LOG FILES\fR + section. + This flag is +@@ -2934,14 +2941,24 @@ This flag is + by default. + .TP 18n + use_pty +-If set, ++If set, and + \fBsudo\fR +-will run the command in a pseudo-pty even if no I/O logging is being gone. ++is running in a terminal, the command will be run in a pseudo-pty ++(even if no I/O logging is being done). ++If the ++\fBsudo\fR ++process is not attached to a terminal, ++\fIuse_pty\fR ++has no effect. ++.sp + A malicious program run under + \fBsudo\fR +-could conceivably fork a background process that retains to the user's +-terminal device after the main program has finished executing. +-Use of this option will make that impossible. 
++may be capable of injecting injecting commands into the user's ++terminal or running a background process that retains access to the ++user's terminal device even after the main program has finished ++executing. ++By running the command in a separate pseudo-pty, this attack is ++no longer possible. + This flag is + \fIoff\fR + by default. +@@ -4281,7 +4298,8 @@ word wrap will be disabled. + .SH "I/O LOG FILES" + When I/O logging is enabled, + \fBsudo\fR +-will run the command in a pseudo-tty and log all user input and/or output. ++will run the command in a pseudo-tty and log all user input and/or output, ++depending on which options are enabled. + I/O is logged to the directory specified by the + \fIiolog_dir\fR + option +diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in +--- ./doc/sudoers.mdoc.in.manpage 2017-09-11 15:16:47.445869920 +0200 ++++ ./doc/sudoers.mdoc.in 2017-09-11 15:16:47.456869864 +0200 +@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and + If the standard input is not connected to the user's tty, due to + I/O redirection or because the command is part of a pipeline, that + input is also captured and stored in a separate log file. +-For more information, see the ++Anything sent to the standard input will be consumed, regardless of ++whether or not the command run via ++.Nm sudo ++is actually reading the standard input. ++This may have unexpected results when using ++.Nm sudo ++in a shell script that expects to process the standard input. ++For more information about I/O logging, see the + .Sx "I/O LOG FILES" + section. + This flag is +@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and + to the screen, similar to the + .Xr script 1 + command. +-For more information, see the ++For more information about I/O logging, see the + .Sx "I/O LOG FILES" + section. + This flag is +@@ -2752,14 +2759,24 @@ This flag is + .Em on + by default. 
+ .It use_pty +-If set, ++If set, and + .Nm sudo +-will run the command in a pseudo-pty even if no I/O logging is being gone. ++is running in a terminal, the command will be run in a pseudo-pty ++(even if no I/O logging is being done). ++If the ++.Nm sudo ++process is not attached to a terminal, ++.Em use_pty ++has no effect. ++.Pp + A malicious program run under + .Nm sudo +-could conceivably fork a background process that retains to the user's +-terminal device after the main program has finished executing. +-Use of this option will make that impossible. ++may be capable of injecting injecting commands into the user's ++terminal or running a background process that retains access to the ++user's terminal device even after the main program has finished ++executing. ++By running the command in a separate pseudo-pty, this attack is ++no longer possible. + This flag is + .Em off + by default. +@@ -3976,7 +3993,8 @@ word wrap will be disabled. + .Sh I/O LOG FILES + When I/O logging is enabled, + .Nm sudo +-will run the command in a pseudo-tty and log all user input and/or output. ++will run the command in a pseudo-tty and log all user input and/or output, ++depending on which options are enabled. + I/O is logged to the directory specified by the + .Em iolog_dir + option diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch new file mode 100644 index 0000000..d53eb4c --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch 
@@ -0,0 +1,44 @@
+
+# HG changeset patch
+# User Todd C. Miller
+# Date 1511893724 25200
+# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb
+# Parent b456101fe5091540e9f6429db7568fa32b6d4da8
+Avoid a double free when ipa_hostname is set in sssd.conf and it
+is an unqualified host name. From Daniel Kopecek.
+
+Also move the "unable to allocate memory" warning into get_ipa_hostname()
+itself to make it easier to see where the allocation failed in the
+debug log.
+
+diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c
+--- a/plugins/sudoers/sssd.c Tue Nov 28 09:48:43 2017 -0700
++++ b/plugins/sudoers/sssd.c Tue Nov 28 11:28:44 2017 -0700
+@@ -349,6 +349,8 @@
+ *lhostp = lhost;
+ ret = true;
+ } else {
++ sudo_warnx(U_("%s: %s"), __func__,
++ U_("unable to allocate memory"));
+ free(shost);
+ free(lhost);
+ ret = -1;
+@@ -456,7 +458,6 @@
+ */
+ if (strcmp(user_runhost, user_host) == 0) {
+ if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ free(handle);
+ debug_return_int(ENOMEM);
+ }
+@@ -478,7 +479,8 @@
+ handle = nss->handle;
+ sudo_dso_unload(handle->ssslib);
+ free(handle->ipa_host);
+- free(handle->ipa_shost);
++ if (handle->ipa_host != handle->ipa_shost)
++ free(handle->ipa_shost);
+ free(handle);
+ nss->handle = NULL;
+ }
+
diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
new file mode 100644
index 0000000..62d0cf2
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
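Review bot: In the `@@ -478` hunk the guard `handle->ipa_host != handle->ipa_shost` is evaluated after `free(handle->ipa_host)`, so it compares a pointer whose value is already indeterminate; it works in practice but is technically undefined (C11 6.2.4) and is the kind of thing ASan/valgrind report. Free the short name first, while both pointers are still live: `if (handle->ipa_shost != handle->ipa_host)` / `free(handle->ipa_shost);` / `free(handle->ipa_host);`. The aliasing itself is created inside get_ipa_hostname() on the unqualified-name path, which is not in the hunk; a comment at that assignment, e.g. `/* unqualified name: shost aliases lhost, the caller must free it only once */`, would stop the double free from being reintroduced. The error path at `@@ -349` still frees shost and lhost separately, so presumably they are distinct allocations there — confirm the unqualified case can never reach it with the two pointers equal.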
@@ -0,0 +1,113 @@ +From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Wed, 15 Nov 2017 12:27:39 -0700 +Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep + checking even after we get a match since the value of doauth may depend on + evaluating all the results. From Radovan Sroka of RedHat. + +In list (-l) or verify (-v) mode, if we have a match but authentication +is required, clear FLAG_NOPASSWD so that when listpw/verifypw is +set to "all" and there are multiple sudoers sources a password will +be required unless none of the entries in all sources require +authentication. From Radovan Sroka of RedHat + +Avoid calling cmnd_matches() in list/verify mode if we already have +a match. +--- + plugins/sudoers/ldap.c | 5 ++++- + plugins/sudoers/parse.c | 10 +++++++--- + plugins/sudoers/sssd.c | 5 ++++- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index 46309cba..c5c18360 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) + (pwcheck == all && doauth != true)) { + doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate"); + } ++ if (matched == true) ++ continue; + /* Only check the command when listing another user. 
*/ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + sudo_ldap_check_command(ld, entry, NULL) == true) { + matched = true; +- break; + } + } + if (matched == true || user_uid == 0) { +@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) + case any: + if (doauth == false) + SET(ret, FLAG_NOPASSWD); ++ else ++ CLR(ret, FLAG_NOPASSWD); + break; + default: + break; +diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c +index 749a3eb2..a12e88c5 100644 +--- a/plugins/sudoers/parse.c ++++ b/plugins/sudoers/parse.c +@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) + if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW) + continue; + TAILQ_FOREACH(cs, &priv->cmndlist, entries) { ++ if ((pwcheck == any && cs->tags.nopasswd == true) || ++ (pwcheck == all && cs->tags.nopasswd != true)) ++ nopass = cs->tags.nopasswd; ++ if (match == ALLOW) ++ continue; + /* Only check the command when listing another user. */ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + cmnd_matches(cs->cmnd) == ALLOW) + match = ALLOW; +- if ((pwcheck == any && cs->tags.nopasswd == true) || +- (pwcheck == all && cs->tags.nopasswd != true)) +- nopass = cs->tags.nopasswd; + } + } + } +@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) + SET(validated, FLAG_CHECK_USER); + else if (nopass == true) + SET(validated, FLAG_NOPASSWD); ++ else ++ CLR(validated, FLAG_NOPASSWD); + debug_return_int(validated); + } + +diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c +index 65b4d875..09ca9fee 100644 +--- a/plugins/sudoers/sssd.c ++++ b/plugins/sudoers/sssd.c +@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) + (pwcheck == all && doauth != true)) { + doauth = !!sudo_sss_check_bool(handle, rule, "authenticate"); + } ++ if (matched == true) ++ continue; + /* Only check the command when listing another user. 
*/ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + sudo_sss_check_command(handle, rule, NULL) == true) { + matched = true; +- break; + } + } + } +@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) + case any: + if (doauth == false) + SET(ret, FLAG_NOPASSWD); ++ else ++ CLR(ret, FLAG_NOPASSWD); + break; + default: + break; +-- +2.14.3 + diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch new file mode 100644 index 0000000..8da9603 --- /dev/null +++ b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch @@ -0,0 +1,19 @@ +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index f21a99ee..83202e28 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void) + ldap_conf.timed ? timebuffer : "", + (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); + } else { +- len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s", +- (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", ++ len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)", + ldap_conf.search_filter ? ldap_conf.search_filter : "", + query_netgroups ? "+" : "%:", +- ldap_conf.timed ? timebuffer : "", +- (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); ++ ldap_conf.timed ? timebuffer : ""); + } + if (len == -1) + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index c3a1a52..01af92f 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.19p2 -Release: 11%{?dist} +Release: 13%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ 
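Review bot: The new `else CLR(ret, FLAG_NOPASSWD);` under `case any:` in sudo_sss_lookup (mirrored in sudo_ldap_lookup, and by the unconditional `else CLR(validated, FLAG_NOPASSWD)` in sudo_file_lookup) clears a FLAG_NOPASSWD that an earlier source in the nss chain may already have set, since `doauth` only becomes false when a rule in this source carries authenticate=false. For listpw/verifypw=all that is exactly what the commit message asks for, but for `any` it means a NOPASSWD entry in /etc/sudoers is cancelled by an sssd/LDAP source whose matching rules require authentication — the opposite of "any" — provided sudoers_lookup keeps iterating sources after a match (the chaining loop and `doauth`'s initial value are both outside the hunk). If that is not intended, restrict the clear to the `all` case, or clear only when this source matched a rule that requires auth, and record the chosen rule in a comment: `/* "all": an authenticating rule in any source cancels NOPASSWD set by an earlier source. */`. sudo_sss_lookup() starts before the hunk and its tail lies outside it.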
@@ -63,6 +63,18 @@ Patch16: sudo-1.8.19p2-lecture-boolean.patch Patch17: sudo-1.8.19p2-get_process_ttyname.patch # 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367) Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch +# 1485397 - sudo breaking who ldap and local users after upgrade +Patch19: sudo-1.8.21-ldap-pass2-filter.patch +# 1458696 - successful sudo -l returns non-zero if asking for other user +Patch20: sudo-1.8.19p2-display-privs.patch +# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input +Patch21: sudo-1.8.19p2-iologtruncate.patch +# 1490358 - Update use_pty and IO logging man page +Patch22: sudo-1.8.19p2-manpage-use_pty.patch +# 1505409 - Regression in "sudo -l" when using IPA / sssd +Patch23: sudo-1.8.19p2-sudo-l-sssd.patch +# 1518104 - sudo crashed: double free or corruption (fasttop) +Patch24: sudo-1.8.19p2-sssd-double-free.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -105,6 +117,12 @@ plugins that use %{name}. %patch16 -p1 -b .lecture %patch17 -p1 -b .get_process_ttyname %patch18 -p1 -b .CVE-2017-1000368 +%patch19 -p1 -b .ldap-pass2-filter +%patch20 -p1 -b .display-privs +%patch21 -p1 -b .iologtruncate +%patch22 -p1 -b .manpage +%patch23 -p1 -b .sudo-l +%patch24 -p1 -b .double-free %build autoreconf -I m4 -fv --install 
@@ -239,9 +257,32 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog -* Fri Aug 18 2017 Daniel Kopecek - 1.8.19p2-11 +* Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13 +- RHEL 7.5 erratum +- Fixed sudo -l checking results whether user should be authenticated +- Enabled LDAP filter patch +- Fixed double free in sssd + + Resolves: rhbz#1505409 + Resolves: rhbz#1511850 + Resolves: rhbz#1518104 + +* Mon Oct 02 2017 Radovan Sroka 1.8.19p2-12 +- RHEL 7.5 erratum +- Fixed exit codes for `sudo -l -U ` +- Fixed truncated output when log_output is enabled +- Updated use_pty and IO logging manpage + + Resolves: rhbz#1458696 + Resolves: rhbz#1454571 + Resolves: rhbz#1490358 + +- Fixed second pass LDAP filter expression in the sudoers ldap backend + - inclomplete patch for rhbz#1485397 + +* Mon Aug 14 2017 Daniel Kopecek - 1.8.19p2-11 - Moved libsudo_util.so from the -devel sub-package to main package - Resolves: rhbz#1482929 + Resolves: rhbz#1481225 * Wed Jun 07 2017 Daniel Kopecek - 1.8.19p2-10 - RHEL 7.4 erratum