diff --git a/.gitignore b/.gitignore
index 59b3a3b..ffb92a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sudo-1.8.19p2.tar.gz
+SOURCES/sudo-1.8.23.tar.gz
diff --git a/.sudo.metadata b/.sudo.metadata
index e9bab31..30c3701 100644
--- a/.sudo.metadata
+++ b/.sudo.metadata
@@ -1 +1 @@
-78868ef825e7b6db246d99160ec16fd4e4c93f3f SOURCES/sudo-1.8.19p2.tar.gz
+8db5a01eda3a14e8b40af7ee1ed6d38660463430 SOURCES/sudo-1.8.23.tar.gz
diff --git a/SOURCES/sudo-1.8.18-testsuitefix.patch b/SOURCES/sudo-1.8.18-testsuitefix.patch
deleted file mode 100644
index 6c60292..0000000
--- a/SOURCES/sudo-1.8.18-testsuitefix.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From ea44d916b9dffe0f33c3c62d1677567bf64a26b8 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Tue, 20 Sep 2016 15:07:53 +0200 -Subject: [PATCH 10/10] Fix upstream testsuite - ---- - plugins/sudoers/regress/sudoers/test2.in | 60 --------------------------- - plugins/sudoers/regress/sudoers/test2.in_ | 60 +++++++++++++++++++++++++++ - plugins/sudoers/regress/testsudoers/test3.sh | 13 ------ - plugins/sudoers/regress/testsudoers/test3.sh_ | 13 ++++++ - 4 files changed, 73 insertions(+), 73 deletions(-) - delete mode 100644 plugins/sudoers/regress/sudoers/test2.in - create mode 100644 plugins/sudoers/regress/sudoers/test2.in_ - delete mode 100755 plugins/sudoers/regress/testsudoers/test3.sh - create mode 100755 plugins/sudoers/regress/testsudoers/test3.sh_ - -diff --git a/plugins/sudoers/regress/sudoers/test2.in b/plugins/sudoers/regress/sudoers/test2.in -deleted file mode 100644 -index cfdfaa3..0000000 ---- a/plugins/sudoers/regress/sudoers/test2.in -+++ /dev/null -@@ -1,60 +0,0 @@ --# Check quoted user name in User_Alias --User_Alias UA1 = "foo" --User_Alias UA2 = "foo.bar" --User_Alias UA3 = "foo\"" --User_Alias UA4 = "foo:bar" --User_Alias UA5 = "foo:bar\"" -- --# Check quoted group name in User_Alias --User_Alias UA6 = "%baz" --User_Alias UA7 = "%baz.biz" -- --# Check quoted non-Unix group name in User_Alias --User_Alias UA8 = "%:C/non UNIX 0 c" --User_Alias UA9 = "%:C/non\'UNIX\'1 c" --User_Alias UA10 = "%:C/non\"UNIX\"0 c" --User_Alias UA11 = "%:C/non_UNIX_0 c" --User_Alias UA12 = "%:C/non\'UNIX_3 c" -- --# Check quoted user name in Runas_Alias --Runas_Alias RA1 = "foo" --Runas_Alias RA2 = "foo\"" --Runas_Alias RA3 = "foo:bar" --Runas_Alias RA4 = "foo:bar\"" -- --# Check quoted host name in Defaults --Defaults@"somehost" set_home --Defaults@"quoted\"" set_home -- --# Check quoted user name in Defaults --Defaults:"you" set_home --Defaults:"us\"" set_home --Defaults:"%them" set_home --Defaults:"%: non UNIX 0 c" set_home --Defaults:"+net" 
set_home -- --# Check quoted runas name in Defaults --Defaults>"someone" set_home --Defaults>"some one" set_home -- --# Check quoted command in Defaults --# XXX - not currently supported --#Defaults!"/bin/ls -l" set_home --#Defaults!"/bin/ls -l \"foo\"" set_home -- --# Check quoted user, runas and host name in Cmnd_Spec --"foo" "hosta" = ("root") ALL --"foo.bar" "hostb" = ("root") ALL --"foo\"" "hostc" = ("root") ALL --"foo:bar" "hostd" = ("root") ALL --"foo:bar\"" "hoste" = ("root") ALL -- --# Check quoted group/netgroup name in Cmnd_Spec --"%baz" "hosta" = ("root") ALL --"%baz.biz" "hostb" = ("root") ALL --"%:C/non UNIX 0 c" "hostc" = ("root") ALL --"%:C/non\'UNIX\'1 c" "hostd" = ("root") ALL --"%:C/non\"UNIX\"0 c" "hoste" = ("root") ALL --"%:C/non_UNIX_0 c" "hostf" = ("root") ALL --"%:C/non\'UNIX_3 c" "hostg" = ("root") ALL --"+netgr" "hosth" = ("root") ALL -diff --git a/plugins/sudoers/regress/sudoers/test2.in_ b/plugins/sudoers/regress/sudoers/test2.in_ -new file mode 100644 -index 0000000..cfdfaa3 ---- /dev/null -+++ b/plugins/sudoers/regress/sudoers/test2.in_ -@@ -0,0 +1,60 @@ -+# Check quoted user name in User_Alias -+User_Alias UA1 = "foo" -+User_Alias UA2 = "foo.bar" -+User_Alias UA3 = "foo\"" -+User_Alias UA4 = "foo:bar" -+User_Alias UA5 = "foo:bar\"" -+ -+# Check quoted group name in User_Alias -+User_Alias UA6 = "%baz" -+User_Alias UA7 = "%baz.biz" -+ -+# Check quoted non-Unix group name in User_Alias -+User_Alias UA8 = "%:C/non UNIX 0 c" -+User_Alias UA9 = "%:C/non\'UNIX\'1 c" -+User_Alias UA10 = "%:C/non\"UNIX\"0 c" -+User_Alias UA11 = "%:C/non_UNIX_0 c" -+User_Alias UA12 = "%:C/non\'UNIX_3 c" -+ -+# Check quoted user name in Runas_Alias -+Runas_Alias RA1 = "foo" -+Runas_Alias RA2 = "foo\"" -+Runas_Alias RA3 = "foo:bar" -+Runas_Alias RA4 = "foo:bar\"" -+ -+# Check quoted host name in Defaults -+Defaults@"somehost" set_home -+Defaults@"quoted\"" set_home -+ -+# Check quoted user name in Defaults -+Defaults:"you" set_home -+Defaults:"us\"" set_home 
-+Defaults:"%them" set_home -+Defaults:"%: non UNIX 0 c" set_home -+Defaults:"+net" set_home -+ -+# Check quoted runas name in Defaults -+Defaults>"someone" set_home -+Defaults>"some one" set_home -+ -+# Check quoted command in Defaults -+# XXX - not currently supported -+#Defaults!"/bin/ls -l" set_home -+#Defaults!"/bin/ls -l \"foo\"" set_home -+ -+# Check quoted user, runas and host name in Cmnd_Spec -+"foo" "hosta" = ("root") ALL -+"foo.bar" "hostb" = ("root") ALL -+"foo\"" "hostc" = ("root") ALL -+"foo:bar" "hostd" = ("root") ALL -+"foo:bar\"" "hoste" = ("root") ALL -+ -+# Check quoted group/netgroup name in Cmnd_Spec -+"%baz" "hosta" = ("root") ALL -+"%baz.biz" "hostb" = ("root") ALL -+"%:C/non UNIX 0 c" "hostc" = ("root") ALL -+"%:C/non\'UNIX\'1 c" "hostd" = ("root") ALL -+"%:C/non\"UNIX\"0 c" "hoste" = ("root") ALL -+"%:C/non_UNIX_0 c" "hostf" = ("root") ALL -+"%:C/non\'UNIX_3 c" "hostg" = ("root") ALL -+"+netgr" "hosth" = ("root") ALL -diff --git a/plugins/sudoers/regress/testsudoers/test3.sh b/plugins/sudoers/regress/testsudoers/test3.sh -deleted file mode 100755 -index c1251b9..0000000 ---- a/plugins/sudoers/regress/testsudoers/test3.sh -+++ /dev/null -@@ -1,13 +0,0 @@ --#!/bin/sh --# --# Test #include facility --# -- --MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'` --MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'` --exec 2>&1 --./testsudoers -U $MYUID -G $MYGID root id <&1 -+./testsudoers -U $MYUID -G $MYGID root id <= buf + sizeof(buf)) -+ break; -+ } -+ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { - /* - * Field 7 is the tty dev (0 if no tty). -- * Since the process name at field 2 "(comm)" may include spaces, -- * start at the last ')' found. -+ * Since the process name at field 2 "(comm)" may include -+ * whitespace (including newlines), start at the last ')' found. 
- */ -- char *cp = strrchr(line, ')'); -+ *cp = '\0'; -+ cp = strrchr(buf, ')'); - if (cp != NULL) { - char *ep = cp; - const char *errstr; -@@ -527,7 +539,8 @@ get_process_ttyname(char *name, size_t namelen) - errno = ENOENT; - - done: -- free(line); -+ if (fd != -1) -+ close(fd); - if (ret == NULL) - sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, - "unable to resolve tty via %s", path); diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch deleted file mode 100644 index 234aa8d..0000000 --- a/SOURCES/sudo-1.8.19p2-display-privs.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c ---- ./plugins/sudoers/sudo_nss.c.display-privs 2017-01-13 23:30:15.000000000 -0500 -+++ ./plugins/sudoers/sudo_nss.c 2017-08-31 07:41:02.764738698 -0400 -@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl, - sudo_lbuf_destroy(&defs); - sudo_lbuf_destroy(&privs); - -- debug_return_int(count > 0); -+/* -+ * This is ok, we return 1 which is success in this case -+ * and we don't want return failure even when there is nothing to print -+ */ -+ debug_return_int(1); - bad: - sudo_lbuf_destroy(&defs); - sudo_lbuf_destroy(&privs); diff --git a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch deleted file mode 100644 index 6d52342..0000000 --- a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From daa728fd889680cf5294fbb0e836cade9fe1a6d8 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Wed, 22 Feb 2017 06:38:33 -0700 -Subject: [PATCH] Go back to using a Warning/Error prefix in the message - printed to stderr for alias problems. Requested by Tomas Sykora. - ---- - doc/visudo.cat | 10 +++++----- - doc/visudo.man.in | 12 ++++++------ - doc/visudo.mdoc.in | 12 ++++++------ - plugins/sudoers/regress/visudo/test2.err.ok | 2 +- - plugins/sudoers/regress/visudo/test3.err.ok | 4 ++-- - plugins/sudoers/visudo.c | 14 ++++++++++---- - 6 files changed, 30 insertions(+), 24 deletions(-) - -diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c -index 4f192b2..4793d54 100644 ---- a/plugins/sudoers/visudo.c -+++ b/plugins/sudoers/visudo.c -@@ -1137,12 +1137,17 @@ check_alias(char *name, int type, char *file, int lineno, bool strict, bool quie - } else { - if (!quiet) { - if (errno == ELOOP) { -- sudo_warnx(U_("%s:%d cycle in %s \"%s\""), -+ fprintf(stderr, strict ? -+ U_("Error: %s:%d cycle in %s \"%s\"") : -+ U_("Warning: %s:%d cycle in %s \"%s\""), - file, lineno, alias_type_to_string(type), name); - } else { -- sudo_warnx(U_("%s:%d %s \"%s\" referenced but not defined"), -+ fprintf(stderr, strict ? -+ U_("Error: %s:%d %s \"%s\" referenced but not defined") : -+ U_("Warning: %s:%d %s \"%s\" referenced but not defined"), - file, lineno, alias_type_to_string(type), name); - } -+ fputc('\n', stderr); - if (strict && errorfile == NULL) { - errorfile = rcstr_addref(file); - errorlineno = lineno; -@@ -1292,8 +1297,9 @@ print_unused(void *v1, void *v2) - { - struct alias *a = (struct alias *)v1; - -- sudo_warnx_nodebug(U_("%s:%d unused %s \"%s\""), -+ fprintf(stderr, U_("Warning: %s:%d unused %s \"%s\""), - a->file, a->lineno, alias_type_to_string(a->type), a->name); -+ fputc('\n', stderr); - return 0; - } - --- -2.7.4 - 
diff --git a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
deleted file mode 100644
index 1c44dcc..0000000
--- a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -diff -up ./plugins/sudoers/sssd.c.fqdnafterfree ./plugins/sudoers/sssd.c ---- ./plugins/sudoers/sssd.c.fqdnafterfree 2017-01-14 05:30:15.000000000 +0100 -+++ ./plugins/sudoers/sssd.c 2017-04-25 14:23:39.655649726 +0200 -@@ -82,8 +82,8 @@ typedef void (*sss_sudo_free_values_t)(c - - struct sudo_sss_handle { - char *domainname; -- char *host; -- char *shost; -+ char *ipa_host; -+ char *ipa_shost; - struct passwd *pw; - void *ssslib; - sss_sudo_send_recv_t fn_send_recv; -@@ -385,7 +385,7 @@ sudo_sss_open(struct sudo_nss *nss) - debug_decl(sudo_sss_open, SUDOERS_DEBUG_SSSD); - - /* Create a handle container. */ -- handle = malloc(sizeof(struct sudo_sss_handle)); -+ handle = calloc(1, sizeof(struct sudo_sss_handle)); - if (handle == NULL) { - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - debug_return_int(ENOMEM); -@@ -447,9 +447,6 @@ sudo_sss_open(struct sudo_nss *nss) - debug_return_int(EFAULT); - } - -- handle->domainname = NULL; -- handle->host = user_runhost; -- handle->shost = user_srunhost; - handle->pw = sudo_user.pw; - nss->handle = handle; - -@@ -458,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss) - * in sssd.conf and use it in preference to user_runhost. 
- */ - if (strcmp(user_runhost, user_host) == 0) { -- if (get_ipa_hostname(&handle->shost, &handle->host) == -1) { -+ if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) { - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - free(handle); - debug_return_int(ENOMEM); -@@ -480,7 +477,10 @@ sudo_sss_close(struct sudo_nss *nss) - if (nss && nss->handle) { - handle = nss->handle; - sudo_dso_unload(handle->ssslib); -- free(nss->handle); -+ free(handle->ipa_host); -+ free(handle->ipa_shost); -+ free(handle); -+ nss->handle = NULL; - } - debug_return_int(0); - } -@@ -585,8 +585,9 @@ sudo_sss_checkpw(struct sudo_nss *nss, s - static int - sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched) - { -- char **val_array = NULL; -- char *val; -+ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; -+ const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost; -+ char *val, **val_array = NULL; - int ret = false, i; - debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD); - -@@ -656,8 +657,8 @@ sudo_sss_check_runas_user(struct sudo_ss - switch (val[0]) { - case '+': - sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_"); -- if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL, -- def_netgroup_tuple ? handle->shost : NULL, runas_pw->pw_name)) { -+ if (netgr_matches(val, def_netgroup_tuple ? host : NULL, -+ def_netgroup_tuple ? shost : NULL, runas_pw->pw_name)) { - sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match"); - ret = true; - } -@@ -762,7 +763,9 @@ sudo_sss_check_runas(struct sudo_sss_han - static bool - sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) - { -- char **val_array, *val; -+ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; -+ const char *shost = handle->ipa_shost ? 
handle->ipa_shost : user_srunhost; -+ char *val, **val_array; - int matched = UNSPEC; - bool negated; - int i; -@@ -792,9 +795,9 @@ sudo_sss_check_host(struct sudo_sss_hand - - /* match any or address or netgroup or hostname */ - if (strcmp(val, "ALL") == 0 || addr_matches(val) || -- netgr_matches(val, handle->host, handle->shost, -+ netgr_matches(val, host, shost, - def_netgroup_tuple ? handle->pw->pw_name : NULL) || -- hostname_matches(handle->shost, handle->host, val)) { -+ hostname_matches(shost, host, val)) { - - matched = negated ? false : true; - } -@@ -816,9 +819,10 @@ sudo_sss_check_host(struct sudo_sss_hand - static bool - sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) - { -- int ret = false; -+ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; -+ const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost; - char **val_array; -- int i; -+ int i, ret = false; - debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD); - - if (!handle || !rule) -@@ -844,8 +848,8 @@ sudo_sss_check_user(struct sudo_sss_hand - switch (*val) { - case '+': - /* Netgroup spec found, check membership. */ -- if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL, -- def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) { -+ if (netgr_matches(val, def_netgroup_tuple ? host : NULL, -+ def_netgroup_tuple ? shost : NULL, handle->pw->pw_name)) { - ret = true; - } - break; diff --git a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch deleted file mode 100644 index 8d304d5..0000000 --- a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -diff -ru sudo-1.8.20/src/ttyname.c sudo-1.8.20-Q/src/ttyname.c ---- sudo-1.8.20/src/ttyname.c 2017-05-10 08:38:44.000000000 -0700 -+++ sudo-1.8.20-Q/src/ttyname.c 2017-05-19 02:15:48.442705049 -0700 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2012-2016 Todd C. Miller -+ * Copyright (c) 2012-2017 Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above -@@ -159,6 +159,8 @@ - - static char *ignore_devs[] = { - "/dev/fd/", -+ "/dev/mqueue/", -+ "/dev/shm/", - "/dev/stdin", - "/dev/stdout", - "/dev/stderr", -@@ -493,28 +495,35 @@ - len = getline(&line, &linesize, fp); - fclose(fp); - if (len != -1) { -- /* Field 7 is the tty dev (0 if no tty) */ -- char *cp = line; -- char *ep = line; -- const char *errstr; -- int field = 0; -- while (*++ep != '\0') { -- if (*ep == ' ') { -- *ep = '\0'; -- if (++field == 7) { -- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); -- if (errstr) { -- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, -- "%s: tty device %s: %s", path, cp, errstr); -+ /* -+ * Field 7 is the tty dev (0 if no tty). -+ * Since the process name at field 2 "(comm)" may include spaces, -+ * start at the last ')' found. -+ */ -+ char *cp = strrchr(line, ')'); -+ if (cp != NULL) { -+ char *ep = cp; -+ const char *errstr; -+ int field = 1; -+ -+ while (*++ep != '\0') { -+ if (*ep == ' ') { -+ *ep = '\0'; -+ if (++field == 7) { -+ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); -+ if (errstr) { -+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, -+ "%s: tty device %s: %s", path, cp, errstr); -+ } -+ if (tdev > 0) { -+ errno = serrno; -+ ret = sudo_ttyname_dev(tdev, name, namelen); -+ goto done; -+ } -+ break; - } -- if (tdev > 0) { -- errno = serrno; -- ret = sudo_ttyname_dev(tdev, name, namelen); -- goto done; -- } -- break; -+ cp = ep + 1; - } -- cp = ep + 1; - } - } - } - 
diff --git a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
deleted file mode 100644
index aadb45d..0000000
--- a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
+++ /dev/null
@@ -1,142 +0,0 @@ -From 93cef1efac4e2b4930c23cdc35c0b916365ccabc Mon Sep 17 00:00:00 2001 -From: Tomas Sykora -Date: Tue, 21 Feb 2017 14:56:24 +0100 -Subject: [PATCH] Add ignore_unknown_defaults flag to ignore unknown Defaults - entries in sudoers instead of producing a warning. - -Patch: sudo-1.8.19p2-ignore-unknown-defaults.patch -Resolves: -rhbz#1413160 ---- - doc/sudoers.cat | 6 ++++++ - doc/sudoers.man.in | 11 +++++++++++ - doc/sudoers.mdoc.in | 10 ++++++++++ - plugins/sudoers/def_data.c | 4 ++++ - plugins/sudoers/def_data.h | 2 ++ - plugins/sudoers/def_data.in | 3 +++ - plugins/sudoers/defaults.c | 3 ++- - 7 files changed, 38 insertions(+), 1 deletion(-) - -diff --git a/doc/sudoers.cat b/doc/sudoers.cat -index 76dbf28..50cf78a 100644 ---- a/doc/sudoers.cat -+++ b/doc/sudoers.cat -@@ -1071,6 +1071,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS - meaningful for the cn=defaults section. This flag is - _o_f_f by default. - -+ ignore_unknown_defaults -+ If set, ssuuddoo will not produce a warning if it -+ encounters an unknown Defaults entry in the _^Hs_^Hu_^Hd_^Ho_^He_^Hr_^Hs -+ file or an unknown sudoOption in LDAP. This flag is -+ _o_f_f by default. -+ - insults If set, ssuuddoo will insult users when they enter an - incorrect password. This flag is _o_f_f by default. - -diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in -index 8673da0..4be3760 100644 ---- a/doc/sudoers.man.in -+++ b/doc/sudoers.man.in -@@ -2266,6 +2266,17 @@ This flag is - \fIoff\fR - by default. - .TP 18n -+ignore_unknown_defaults -+If set, -+\fBsudo\fR -+will not produce a warning if it encounters an unknown Defaults entry -+in the -+\fIsudoers\fR -+file or an unknown sudoOption in LDAP. -+This flag is -+\fIoff\fR -+by default. -+.TP 18n - insults - If set, - \fBsudo\fR -diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in -index 74b6f01..f3fe5e6 100644 ---- a/doc/sudoers.mdoc.in -+++ b/doc/sudoers.mdoc.in -@@ -2124,6 +2124,16 @@ section. - This flag is - .Em off - by default. 
-+.It ignore_unknown_defaults -+If set, -+.Nm sudo -+will not produce a warning if it encounters an unknown Defaults entry -+in the -+.Em sudoers -+file or an unknown sudoOption in LDAP. -+This flag is -+.Em off -+by default. - .It insults - If set, - .Nm sudo -diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c -index 3926fed..3d787c2 100644 ---- a/plugins/sudoers/def_data.c -+++ b/plugins/sudoers/def_data.c -@@ -443,6 +443,10 @@ struct sudo_defs_types sudo_defs_table[] = { - N_("Don't pre-resolve all group names"), - NULL, - }, { -+ "ignore_unknown_defaults", T_FLAG, -+ N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"), -+ NULL, -+ }, { - NULL, 0, NULL - } - }; -diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h -index b5e61b4..f5773a3 100644 ---- a/plugins/sudoers/def_data.h -+++ b/plugins/sudoers/def_data.h -@@ -208,6 +208,8 @@ - #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) - #define I_LEGACY_GROUP_PROCESSING 104 - #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) -+#define I_IGNORE_UNKNOWN_DEFAULTS 105 -+#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag) - - enum def_tuple { - never, -diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in -index f1c9265..8f63d70 100644 ---- a/plugins/sudoers/def_data.in -+++ b/plugins/sudoers/def_data.in -@@ -328,3 +328,6 @@ cmnd_no_wait - legacy_group_processing - T_FLAG - "Don't pre-resolve all group names" -+ignore_unknown_defaults -+ T_FLAG -+ "Ignore unknown Defaults entries in sudoers instead of producing a warning" -diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c -index 9e60d94..5f93f80 100644 ---- a/plugins/sudoers/defaults.c -+++ b/plugins/sudoers/defaults.c -@@ -79,6 +79,7 @@ static struct strmap priorities[] = { - }; - - static struct early_default early_defaults[] = { -+ { I_IGNORE_UNKNOWN_DEFAULTS }, - 
#ifdef FQDN - { I_FQDN, true }, - #else -@@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet) - if (strcmp(name, sudo_defs_table[i].name) == 0) - debug_return_int(i); - } -- if (!quiet) { -+ if (!quiet && !def_ignore_unknown_defaults) { - if (lineno > 0) { - sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""), - file, lineno, name); --- -2.7.4 - diff --git a/SOURCES/sudo-1.8.19p2-iolog-zombie.patch b/SOURCES/sudo-1.8.19p2-iolog-zombie.patch deleted file mode 100644 index ad10dc8..0000000 --- a/SOURCES/sudo-1.8.19p2-iolog-zombie.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -diff -up sudo-1.8.19p2/src/exec.c.iolog-zombie sudo-1.8.19p2/src/exec.c ---- sudo-1.8.19p2/src/exec.c.iolog-zombie 2018-05-28 09:01:13.488647060 +0200 -+++ sudo-1.8.19p2/src/exec.c 2018-05-28 09:01:13.526646940 +0200 -@@ -534,7 +534,7 @@ sudo_execute(struct command_details *det - - if (log_io) { - /* Flush any remaining output and free pty-related memory. */ -- pty_close(cstat); -+ pty_close(ec.evbase,cstat); - } - - #ifdef HAVE_SELINUX -diff -up sudo-1.8.19p2/src/exec_pty.c.iolog-zombie sudo-1.8.19p2/src/exec_pty.c ---- sudo-1.8.19p2/src/exec_pty.c.iolog-zombie 2018-05-28 09:01:13.518646965 +0200 -+++ sudo-1.8.19p2/src/exec_pty.c 2018-05-28 09:01:13.527646937 +0200 -@@ -919,12 +919,19 @@ fork_pty(struct command_details *details - } - - void --pty_close(struct command_status *cstat) -+pty_close(struct sudo_event_base *evbase, struct command_status *cstat) - { - struct io_buffer *iob; - int n; - debug_decl(pty_close, SUDO_DEBUG_EXEC); - -+ /* Close the pty slave first so reads from the master don't block. */ -+ if (io_fds[SFD_SLAVE] != -1) { -+ ev_free_by_fd(evbase, io_fds[SFD_SLAVE]); -+ close(io_fds[SFD_SLAVE]); -+ io_fds[SFD_SLAVE] = -1; -+ } -+ - /* Flush any remaining output (the plugin already got it). */ - if (io_fds[SFD_USERTTY] != -1) { - n = fcntl(io_fds[SFD_USERTTY], F_GETFL, 0); -@@ -965,6 +972,11 @@ pty_close(struct command_status *cstat) - } - } - utmp_logout(slavename, cstat->type == CMD_WSTATUS ? cstat->val : 0); /* XXX - only if CD_SET_UTMP */ -+ -+ /* Close pty master. 
*/ -+ if (io_fds[SFD_MASTER] != -1) -+ close(io_fds[SFD_MASTER]); -+ - debug_return; - } - -diff -up sudo-1.8.19p2/src/sudo_exec.h.iolog-zombie sudo-1.8.19p2/src/sudo_exec.h ---- sudo-1.8.19p2/src/sudo_exec.h.iolog-zombie 2017-01-14 05:30:15.000000000 +0100 -+++ sudo-1.8.19p2/src/sudo_exec.h 2018-05-28 09:01:13.527646937 +0200 -@@ -93,7 +93,7 @@ void handler(int s, siginfo_t *info, voi - #else - void handler(int s); - #endif --void pty_close(struct command_status *cstat); -+void pty_close(struct sudo_event_base *evbase, struct command_status *cstat); - void pty_setup(uid_t uid, const char *tty, const char *utmp_user); - void terminate_command(pid_t pid, bool use_pgrp); - diff --git a/SOURCES/sudo-1.8.19p2-iologflush.patch b/SOURCES/sudo-1.8.19p2-iologflush.patch deleted file mode 100644 index 213566f..0000000 --- a/SOURCES/sudo-1.8.19p2-iologflush.patch +++ /dev/null 
@@ -1,317 +0,0 @@ -diff -up ./doc/sudoers.cat.orig ./doc/sudoers.cat ---- ./doc/sudoers.cat.orig 2017-03-21 13:31:00.953951199 +0100 -+++ ./doc/sudoers.cat 2017-03-21 14:14:18.679116865 +0100 -@@ -1549,6 +1549,16 @@ SSUUDDOOEERRSS OOPPTTIIOONN - will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e - ends in six or more Xs. - -+ iolog_flush If set, ssuuddoo will flush I/O log data to disk after each -+ write instead of buffering it. This makes it possible -+ to view the logs in real-time as the program is -+ executing but may significantly reduce the -+ effectiveness of I/O log compression. This flag is _o_f_f -+ by default. -+ -+ This setting is only supported by version 1.8.20 or -+ higher. -+ - iolog_group The group name to look up when setting the group ID on - new I/O log files and directories. By default, I/O log - files and directories inherit the group ID of the -@@ -2141,10 +2151,14 @@ II//OO LLOOGG FFIILLEESS - _s_t_d_e_r_r standard error to a pipe or redirected to a file - - All files other than _l_o_g are compressed in gzip format unless the -- _c_o_m_p_r_e_s_s___i_o option has been disabled. Due to buffering, the I/O log data -- will not be complete until the ssuuddoo command has completed. The output -- portion of an I/O log file can be viewed with the sudoreplay(1m) utility, -- which can also be used to list or search the available logs. -+ _c_o_m_p_r_e_s_s___i_o flag has been disabled. Due to buffering, it is not normally -+ possible to display the I/O logs in real-time as the program is executing -+ The I/O log data will not be complete until the program run by ssuuddoo has -+ exited or has been terminated by a signal. The _i_o_l_o_g___f_l_u_s_h flag can be -+ used to disable buffering, in which case I/O log data is written to disk -+ as soon as it is available. The output portion of an I/O log file can be -+ viewed with the sudoreplay(1m) utility, which can also be used to list or -+ search the available logs. 
- - Note that user input may contain sensitive information such as passwords - (even if they are not echoed to the screen), which will be stored in the -diff -up ./doc/sudoers.man.in.orig ./doc/sudoers.man.in ---- ./doc/sudoers.man.in.orig 2017-03-21 14:22:33.804283190 +0100 -+++ ./doc/sudoers.man.in 2017-03-21 14:22:21.136664667 +0100 -@@ -3199,6 +3199,19 @@ ends in six or - more - \fRX\fRs. - .TP 18n -+iolog_flush -+If set, -+\fBsudo\fR -+will flush I/O log data to disk after each write instead of buffering it. -+This makes it possible to view the logs in real-time as the program -+is executing but may significantly reduce the effectiveness of I/O -+log compression. -+This flag is -+\fIoff\fR -+by default. -+.sp -+This setting is only supported by version 1.8.20 or higher. -+.TP 18n - iolog_group - The group name to look up when setting the group ID on new I/O log - files and directories. -@@ -4298,10 +4311,16 @@ All files other than - \fIlog\fR - are compressed in gzip format unless the - \fIcompress_io\fR --option has been disabled. --Due to buffering, the I/O log data will not be complete until the -+flag has been disabled. -+Due to buffering, it is not normally possible to display the I/O logs in -+real-time as the program is executing -+The I/O log data will not be complete until the program run by - \fBsudo\fR --command has completed. -+has exited or has been terminated by a signal. -+The -+\fIiolog_flush\fR -+flag can be used to disable buffering, in which case I/O log data -+is written to disk as soon as it is available. - The output portion of an I/O log file can be viewed with the - sudoreplay(@mansectsu@) - utility, which can also be used to list or search the available logs. -diff -up ./doc/sudoers.mdoc.in.orig ./doc/sudoers.mdoc.in ---- ./doc/sudoers.mdoc.in.orig 2017-03-21 14:23:46.652089432 +0100 -+++ ./doc/sudoers.mdoc.in 2017-03-21 14:26:43.686758162 +0100 -@@ -2998,6 +2998,18 @@ overwritten unless - ends in six or - more - .Li X Ns s . 
-+.It iolog_flush -+If set, -+.Nm sudo -+will flush I/O log data to disk after each write instead of buffering it. -+This makes it possible to view the logs in real-time as the program -+is executing but may significantly reduce the effectiveness of I/O -+log compression. -+This flag is -+.Em off -+by default. -+.Pp -+This setting is only supported by version 1.8.20 or higher. - .It iolog_group - The group name to look up when setting the group ID on new I/O log - files and directories. -@@ -3991,10 +4003,16 @@ All files other than - .Pa log - are compressed in gzip format unless the - .Em compress_io --option has been disabled. --Due to buffering, the I/O log data will not be complete until the --.Nm sudo --command has completed. -+flag has been disabled. -+Due to buffering, it is not normally possible to display the I/O logs in -+real-time as the program is executing -+The I/O log data will not be complete until the program run by -+.Nm sudo -+has exited or has been terminated by a signal. -+The -+.Em iolog_flush -+flag can be used to disable buffering, in which case I/O log data -+is written to disk as soon as it is available. - The output portion of an I/O log file can be viewed with the - .Xr sudoreplay @mansectsu@ - utility, which can also be used to list or search the available logs. 
-diff -up ./plugins/sudoers/def_data.c.orig ./plugins/sudoers/def_data.c ---- ./plugins/sudoers/def_data.c.orig 2017-03-21 13:24:10.682064806 +0100 -+++ ./plugins/sudoers/def_data.c 2017-03-21 13:25:09.805322057 +0100 -@@ -447,6 +447,10 @@ struct sudo_defs_types sudo_defs_table[] - N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"), - NULL, - }, { -+ "iolog_flush", T_FLAG, -+ N_("Flush I/O log data to disk immediately instead of buffering it"), -+ NULL, -+ }, { - NULL, 0, NULL - } - }; -diff -up ./plugins/sudoers/def_data.h.orig ./plugins/sudoers/def_data.h ---- ./plugins/sudoers/def_data.h.orig 2017-03-21 13:25:20.489006524 +0100 -+++ ./plugins/sudoers/def_data.h 2017-03-21 13:28:09.251022290 +0100 -@@ -210,6 +210,8 @@ - #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) - #define I_IGNORE_UNKNOWN_DEFAULTS 105 - #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag) -+#define I_IOLOG_FLUSH 106 -+#define def_iolog_flush (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag) - - enum def_tuple { - never, -diff -up ./plugins/sudoers/def_data.in.orig ./plugins/sudoers/def_data.in ---- ./plugins/sudoers/def_data.in.orig 2017-03-21 13:28:35.115258413 +0100 -+++ ./plugins/sudoers/def_data.in 2017-03-21 13:30:03.239655739 +0100 -@@ -331,3 +331,6 @@ legacy_group_processing - ignore_unknown_defaults - T_FLAG - "Ignore unknown Defaults entries in sudoers instead of producing a warning" -+iolog_flush -+ T_FLAG -+ "Flush I/O log data to disk immediately instead of buffering it" -diff -up ./plugins/sudoers/iolog.c.orig ./plugins/sudoers/iolog.c ---- ./plugins/sudoers/iolog.c.orig 2017-03-21 13:12:39.471464160 +0100 -+++ ./plugins/sudoers/iolog.c 2017-03-21 13:21:49.279230759 +0100 -@@ -709,6 +709,7 @@ iolog_deserialize_info(struct iolog_deta - - /* - * Write the "/log" file that contains the user and command info. -+ * This file is not compressed. 
- */ - static bool - write_info_log(char *pathbuf, size_t len, struct iolog_details *details, -@@ -747,6 +748,57 @@ write_info_log(char *pathbuf, size_t len - debug_return_bool(ret); - } - -+#ifdef HAVE_ZLIB_H -+static const char * -+gzstrerror(gzFile file) -+{ -+ int errnum; -+ -+ return gzerror(file, &errnum); -+} -+#endif /* HAVE_ZLIB_H */ -+ -+/* -+ * Write to an I/O log, compressing if iolog_compress is enabled. -+ * If def_iolog_flush is true, flush the buffer immediately. -+ */ -+static const char * -+iolog_write(const void *buf, unsigned int len, int idx) -+{ -+ const char *errstr = NULL; -+ debug_decl(iolog_write, SUDOERS_DEBUG_PLUGIN) -+ -+#ifdef HAVE_ZLIB_H -+ if (iolog_compress) { -+ if (gzwrite(io_log_files[idx].fd.g, buf, len) != (int)len) { -+ errstr = gzstrerror(io_log_files[idx].fd.g); -+ goto done; -+ } -+ if (def_iolog_flush) { -+ if (gzflush(io_log_files[idx].fd.g, Z_SYNC_FLUSH) != Z_OK) { -+ errstr = gzstrerror(io_log_files[idx].fd.g); -+ goto done; -+ } -+ } -+ } else -+#endif -+ { -+ if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) { -+ errstr = strerror(errno); -+ goto done; -+ } -+ if (def_iolog_flush) { -+ if (fflush(io_log_files[idx].fd.f) != 0) { -+ errstr = strerror(errno); -+ goto done; -+ } -+ } -+ } -+ -+done: -+ debug_return_const_str(errstr); -+} -+ - static int - sudoers_io_open(unsigned int version, sudo_conv_t conversation, - sudo_printf_t plugin_printf, char * const settings[], -@@ -914,13 +966,15 @@ sudoers_io_version(int verbose) - - /* - * Generic I/O logging function. Called by the I/O logging entry points. -+ * Returns 1 on success and -1 on error. 
- */ - static int - sudoers_io_log(const char *buf, unsigned int len, int idx) - { - struct timeval now, delay; -+ char tbuf[1024]; - const char *errstr = NULL; -- int ret = true; -+ int ret = -1; - debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN) - - if (io_log_files[idx].fd.v == NULL) { -@@ -931,41 +985,28 @@ sudoers_io_log(const char *buf, unsigned - - gettimeofday(&now, NULL); - --#ifdef HAVE_ZLIB_H -- if (iolog_compress) { -- if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) { -- int errnum; -+ /* Write I/O log file entry. */ -+ errstr = iolog_write(buf, len, idx); -+ if (errstr != NULL) -+ goto done; - -- errstr = gzerror(io_log_files[idx].fd.g, &errnum); -- ret = -1; -- } -- } else --#endif -- { -- if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) { -- errstr = strerror(errno); -- ret = -1; -- } -- } -+ /* Write timing file entry. */ - sudo_timevalsub(&now, &last_time, &delay); --#ifdef HAVE_ZLIB_H -- if (iolog_compress) { -- if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx, -- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) { -- int errnum; -- -- errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum); -- ret = -1; -- } -- } else --#endif -- { -- if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx, -- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) { -- errstr = strerror(errno); -- ret = -1; -- } -+ len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %f %u\n", idx, -+ delay.tv_sec + ((double)delay.tv_usec / 1000000), len); -+ if (len >= sizeof(tbuf)) { -+ /* Not actually possible due to the size of tbuf[]. */ -+ errstr = strerror(EOVERFLOW); -+ goto done; - } -+ errstr = iolog_write(tbuf, len, IOFD_TIMING); -+ if (errstr != NULL) -+ goto done; -+ -+ /* Success. */ -+ ret = 1; -+ -+done: - last_time.tv_sec = now.tv_sec; - last_time.tv_usec = now.tv_usec; - -@@ -979,7 +1020,7 @@ sudoers_io_log(const char *buf, unsigned - - /* Ignore errors if they occur if the policy says so. 
*/ - if (iolog_details.ignore_iolog_errors) -- ret = true; -+ ret = 1; - } - - debug_return_int(ret); diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch deleted file mode 100644 index ee358eb..0000000 --- a/SOURCES/sudo-1.8.19p2-iologtruncate.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -diff --git a/src/exec_pty.c b/src/exec_pty.c -index 7403506..56b2899 100644 ---- a/src/exec_pty.c -+++ b/src/exec_pty.c -@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd, - int - fork_pty(struct command_details *details, int sv[], sigset_t *omask) - { -+ struct plugin_container *plugin; - struct command_status cstat; -- int io_pipe[3][2]; -+ int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } }; -+ bool interpose[3] = { false, false, false }; - sigaction_t sa; - sigset_t mask; - pid_t child; -@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) - sigaddset(&ttyblock, SIGTTIN); - sigaddset(&ttyblock, SIGTTOU); - -+ /* Determine whether any of std{in,out,err} should be logged. */ -+ TAILQ_FOREACH(plugin, &io_plugins, entries) { -+ if (plugin->u.io->log_stdin) -+ interpose[STDIN_FILENO] = true; -+ if (plugin->u.io->log_stdout) -+ interpose[STDOUT_FILENO] = true; -+ if (plugin->u.io->log_stderr) -+ interpose[STDERR_FILENO] = true; -+ } -+ - /* - * Setup stdin/stdout/stderr for child, to be duped after forking. - * In background mode there is no stdin. -@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) - } - - /* -- * If either stdin, stdout or stderr is not a tty we use a pipe -- * to interpose ourselves instead of duping the pty fd. -+ * If stdin, stdout or stderr is not a tty and logging is enabled, -+ * use a pipe to interpose ourselves instead of using the pty fd. 
- */ -- memset(io_pipe, 0, sizeof(io_pipe)); - if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) { -- sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe"); -- pipeline = true; -- if (pipe(io_pipe[STDIN_FILENO]) != 0) -- sudo_fatal(U_("unable to create pipe")); -- io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], -- log_stdin, &iobufs); -- io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; -- } -- if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { -- sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe"); -- pipeline = true; -- if (pipe(io_pipe[STDOUT_FILENO]) != 0) -- sudo_fatal(U_("unable to create pipe")); -- io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, -- log_stdout, &iobufs); -- io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; -- } -- if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { -- sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe"); -- if (pipe(io_pipe[STDERR_FILENO]) != 0) -- sudo_fatal(U_("unable to create pipe")); -- io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, -- log_stderr, &iobufs); -- io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; -+ if (!interpose[STDIN_FILENO]) { -+ /* Not logging stdin, do not interpose. */ -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stdin not a tty, not logging"); -+ io_fds[SFD_STDIN] = dup(STDIN_FILENO); -+ if (io_fds[SFD_STDIN] == -1) -+ sudo_fatal("dup"); -+ } else { -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stdin not a tty, creating a pipe"); -+ pipeline = true; -+ if (pipe(io_pipe[STDIN_FILENO]) != 0) -+ sudo_fatal(U_("unable to create pipe")); -+ io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], -+ log_stdin, &iobufs); -+ io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; -+ } -+ } -+ if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { -+ if (!interpose[STDOUT_FILENO]) { -+ /* Not logging stdout, do not interpose. 
*/ -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stdout not a tty, not logging"); -+ io_fds[SFD_STDOUT] = dup(STDOUT_FILENO); -+ if (io_fds[SFD_STDOUT] == -1) -+ sudo_fatal("dup"); -+ } else { -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stdout not a tty, creating a pipe"); -+ pipeline = true; -+ if (pipe(io_pipe[STDOUT_FILENO]) != 0) -+ sudo_fatal(U_("unable to create pipe")); -+ io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, -+ log_stdout, &iobufs); -+ io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; -+ } -+ } -+ if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { -+ if (!interpose[STDERR_FILENO]) { -+ /* Not logging stderr, do not interpose. */ -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stderr not a tty, not logging"); -+ io_fds[SFD_STDERR] = dup(STDERR_FILENO); -+ if (io_fds[SFD_STDERR] == -1) -+ sudo_fatal("dup"); -+ } else { -+ sudo_debug_printf(SUDO_DEBUG_INFO, -+ "stderr not a tty, creating a pipe"); -+ if (pipe(io_pipe[STDERR_FILENO]) != 0) -+ sudo_fatal(U_("unable to create pipe")); -+ io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, -+ log_stderr, &iobufs); -+ io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; -+ } - } - - /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */ -@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details, - setpgid(0, self); - - /* Wire up standard fds, note that stdout/stderr may be pipes. 
*/ -- if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 || -- dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 || -- dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) -- sudo_fatal("dup2"); -+ if (io_fds[SFD_STDIN] != STDIN_FILENO) { -+ if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1) -+ sudo_fatal("dup2"); -+ if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) -+ close(io_fds[SFD_STDIN]); -+ } -+ if (io_fds[SFD_STDOUT] != STDOUT_FILENO) { -+ if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1) -+ sudo_fatal("dup2"); -+ if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) -+ close(io_fds[SFD_STDOUT]); -+ } -+ if (io_fds[SFD_STDERR] != STDERR_FILENO) { -+ if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) -+ sudo_fatal("dup2"); -+ if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) -+ close(io_fds[SFD_STDERR]); -+ } - - /* Wait for parent to grant us the tty if we are foreground. */ - if (foreground && !ISSET(details->flags, CD_EXEC_BG)) { -@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details, - nanosleep(&ts, NULL); - } - -- /* We have guaranteed that the slave fd is > 2 */ -+ /* Done with the pty slave, don't leak it. */ - if (io_fds[SFD_SLAVE] != -1) - close(io_fds[SFD_SLAVE]); -- if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) -- close(io_fds[SFD_STDIN]); -- if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) -- close(io_fds[SFD_STDOUT]); -- if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) -- close(io_fds[SFD_STDERR]); - - /* Execute command; only returns on error. */ - exec_cmnd(details, cstat, errfd); diff --git a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch deleted file mode 100644 index 482bc6b..0000000 --- a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -commit 631d458b6fc7341363a121c390e086cf676ecc83 -Author: Todd C. Miller -Date: Wed May 3 09:28:36 2017 -0600 - - Allow a tuple to be set to boolean true. Regression introduced by - refactor of set_default_entry() in sudo 1.8.18. - -diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c -index 89788477..91b47eeb 100644 ---- a/plugins/sudoers/defaults.c -+++ b/plugins/sudoers/defaults.c -@@ -238,19 +238,31 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op, - int rc; - debug_decl(parse_default_entry, SUDOERS_DEBUG_DEFAULTS) - -- if (val == NULL && !ISSET(def->type, T_FLAG)) { -- /* Check for bogus boolean usage or missing value if non-boolean. */ -- if (!ISSET(def->type, T_BOOL) || op != false) { -- if (!quiet) { -- if (lineno > 0) { -- sudo_warnx(U_("%s:%d no value specified for \"%s\""), -- file, lineno, def->name); -- } else { -- sudo_warnx(U_("%s: no value specified for \"%s\""), -- file, def->name); -+ /* -+ * If no value specified, the boolean flag must be set for non-flags. -+ * Only flags and tuples support boolean "true". -+ */ -+ if (val == NULL) { -+ switch (def->type & T_MASK) { -+ case T_FLAG: -+ break; -+ case T_TUPLE: -+ if (ISSET(def->type, T_BOOL)) -+ break; -+ /* FALLTHROUGH */ -+ default: -+ if (!ISSET(def->type, T_BOOL) || op != false) { -+ if (!quiet) { -+ if (lineno > 0) { -+ sudo_warnx(U_("%s:%d no value specified for \"%s\""), -+ file, lineno, def->name); -+ } else { -+ sudo_warnx(U_("%s: no value specified for \"%s\""), -+ file, def->name); -+ } - } -+ debug_return_bool(false); - } -- debug_return_bool(false); - } - } - diff --git a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch deleted file mode 100644 index af85676..0000000 --- a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat ---- ./doc/sudoers.cat.lookup 2017-04-25 13:17:51.073190114 +0200 -+++ ./doc/sudoers.cat 2017-04-25 13:17:51.081190069 +0200 -@@ -1140,24 +1140,39 @@ SSUUDDOOEERRSS OOPPTTIIOONN - _o_n by default. - - match_group_by_gid -- By default, when matching groups, ssuuddooeerrss will first -- resolve all the user's group IDs to group names and -- then compare those group names to any group names -- listed in the _s_u_d_o_e_r_s file. This works well on systems -- where the number of groups listed in the _s_u_d_o_e_r_s file -- is larger than the number of groups a typical user -- belongs to. On systems where group lookups are slow, -- where users may belong to a large number of groups, and -- where the number of groups listed in the _s_u_d_o_e_r_s file -- is relatively small, it may be prohibitively expensive -- and running commands via ssuuddoo may take longer than -- normal. On such systems it may be faster to use the -+ By default, ssuuddooeerrss will look up each group the user is -+ a member of by group ID to determine the group name -+ (this is only done once). The resulting list of the -+ user's group names is used when matching groups listed -+ in the _s_u_d_o_e_r_s file. This works well on systems where -+ the number of groups listed in the _s_u_d_o_e_r_s file is -+ larger than the number of groups a typical user belongs -+ to. On systems where group lookups are slow, where -+ users may belong to a large number of groups, and where -+ the number of groups listed in the _s_u_d_o_e_r_s file is -+ relatively small, it may be prohibitively expensive and -+ running commands via ssuuddoo may take longer than normal. -+ On such systems it may be faster to use the - _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's -- group IDs to group names and instead resolve all group -- names listed in the _s_u_d_o_e_r_s file, matching by group ID -- instead of by group name. 
The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag -- has no effect when _s_u_d_o_e_r_s data is stored in LDAP. -- This flag is _o_f_f by default. -+ group IDs to group names. In this case, ssuuddooeerrss must -+ look up any group name listed in the _s_u_d_o_e_r_s file and -+ use the group ID instead of the group name when -+ determining whether the user is a member of the group. -+ -+ Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group -+ database lookups performed by ssuuddooeerrss will be keyed by -+ group name as opposed to group ID. On systems where -+ there are multiple sources for the group database, it -+ is possible to have conflicting group names or group -+ IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group -+ database. On such systems, enabling or disabling -+ _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group -+ database queries are performed by name (enabled) or ID -+ (disabled), which may aid in working around group entry -+ conflicts. -+ -+ The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s -+ data is stored in LDAP. This flag is _o_f_f by default. - - This setting is only supported by version 1.8.18 or - higher. -diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in ---- ./doc/sudoers.man.in.lookup 2017-04-25 13:17:51.074190108 +0200 -+++ ./doc/sudoers.man.in 2017-04-25 13:17:51.082190064 +0200 -@@ -2423,10 +2423,12 @@ This flag is - by default. - .TP 18n - match_group_by_gid --By default, when matching groups, -+By default, - \fBsudoers\fR --will first resolve all the user's group IDs to group names and then --compare those group names to any group names listed in the -+will look up each group the user is a member of by group ID to -+determine the group name (this is only done once). -+The resulting list of the user's group names is used when matching -+groups listed in the - \fIsudoers\fR - file. 
- This works well on systems where the number of groups listed in the -@@ -2442,10 +2444,29 @@ running commands via - may take longer than normal. - On such systems it may be faster to use the - \fImatch_group_by_gid\fR --flag to avoid resolving the user's group IDs to group names and --instead resolve all group names listed in the -+flag to avoid resolving the user's group IDs to group names. -+In this case, -+\fBsudoers\fR -+must look up any group name listed in the - \fIsudoers\fR --file, matching by group ID instead of by group name. -+file and use the group ID instead of the group name when determining -+whether the user is a member of the group. -+.sp -+Note that if -+\fImatch_group_by_gid\fR -+is enabled, group database lookups performed by -+\fBsudoers\fR -+will be keyed by group name as opposed to group ID. -+On systems where there are multiple sources for the group database, -+it is possible to have conflicting group names or group IDs in the local -+\fI/etc/group\fR -+file and the remote group database. -+On such systems, enabling or disabling -+\fImatch_group_by_gid\fR -+can be used to choose whether group database queries are performed -+by name (enabled) or ID (disabled), which may aid in working around -+group entry conflicts. -+.sp - The - \fImatch_group_by_gid\fR - flag has no effect when -diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in ---- ./doc/sudoers.mdoc.in.lookup 2017-04-25 13:17:51.075190102 +0200 -+++ ./doc/sudoers.mdoc.in 2017-04-25 13:17:51.082190064 +0200 -@@ -2268,10 +2268,12 @@ This flag is - .Em @mail_no_user@ - by default. - .It match_group_by_gid --By default, when matching groups, -+By default, - .Nm --will first resolve all the user's group IDs to group names and then --compare those group names to any group names listed in the -+will look up each group the user is a member of by group ID to -+determine the group name (this is only done once). 
-+The resulting list of the user's group names is used when matching -+groups listed in the - .Em sudoers - file. - This works well on systems where the number of groups listed in the -@@ -2287,10 +2289,29 @@ running commands via - may take longer than normal. - On such systems it may be faster to use the - .Em match_group_by_gid --flag to avoid resolving the user's group IDs to group names and --instead resolve all group names listed in the -+flag to avoid resolving the user's group IDs to group names. -+In this case, -+.Nm -+must look up any group name listed in the - .Em sudoers --file, matching by group ID instead of by group name. -+file and use the group ID instead of the group name when determining -+whether the user is a member of the group. -+.Pp -+Note that if -+.Em match_group_by_gid -+is enabled, group database lookups performed by -+.Nm -+will be keyed by group name as opposed to group ID. -+On systems where there are multiple sources for the group database, -+it is possible to have conflicting group names or group IDs in the local -+.Pa /etc/group -+file and the remote group database. -+On such systems, enabling or disabling -+.Em match_group_by_gid -+can be used to choose whether group database queries are performed -+by name (enabled) or ID (disabled), which may aid in working around -+group entry conflicts. -+.Pp - The - .Em match_group_by_gid - flag has no effect when diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch deleted file mode 100644 index acb4daa..0000000 --- a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat ---- ./doc/sudoers.cat.manpage 2017-09-11 15:16:47.443869930 +0200 -+++ ./doc/sudoers.cat 2017-09-11 15:42:15.140500826 +0200 -@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN - connected to the user's tty, due to I/O redirection or - because the command is part of a pipeline, that input - is also captured and stored in a separate log file. -- For more information, see the _I_/_O _L_O_G _F_I_L_E_S section. -- This flag is _o_f_f by default. -+ Anything sent to the standard input will be consumed, -+ regardless of whether or not the command run via ssuuddoo -+ is actually reading the standard input. This may have -+ unexpected results when using ssuuddoo in a shell script -+ that expects to process the standard input. For more -+ information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S -+ section. This flag is _o_f_f by default. - - log_output If set, ssuuddoo will run the command in a pseudo-tty and - log all output that is sent to the screen, similar to -- the script(1) command. For more information, see the -- _I_/_O _L_O_G _F_I_L_E_S section. This flag is _o_f_f by default. -+ the script(1) command. For more information about I/O -+ logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is -+ _o_f_f by default. - - log_year If set, the four-digit year will be logged in the (non- - syslog) ssuuddoo log file. This flag is _o_f_f by default. -@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN - not needed, this option can be disabled to reduce the - load on the LDAP server. This flag is _o_n by default. - -- use_pty If set, ssuuddoo will run the command in a pseudo-pty even -- if no I/O logging is being gone. A malicious program -- run under ssuuddoo could conceivably fork a background -- process that retains to the user's terminal device -- after the main program has finished executing. Use of -- this option will make that impossible. This flag is -- _o_f_f by default. 
-+ use_pty If set, and ssuuddoo is running in a terminal, the command -+ will be run in a pseudo-pty (even if no I/O logging is -+ being done). If the ssuuddoo process is not attached to a -+ terminal, _u_s_e___p_t_y has no effect. -+ -+ A malicious program run under ssuuddoo may be capable of -+ injecting injecting commands into the user's terminal -+ or running a background process that retains access to -+ the user's terminal device even after the main program -+ has finished executing. By running the command in a -+ separate pseudo-pty, this attack is no longer possible. -+ This flag is _o_f_f by default. - - utmp_runas If set, ssuuddoo will store the name of the runas user when - updating the utmp (or utmpx) file. By default, ssuuddoo -@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT - - II//OO LLOOGG FFIILLEESS - When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty -- and log all user input and/or output. I/O is logged to the directory -- specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a -- unique session ID that is included in the ssuuddoo log line, prefixed with -- ``TSID=''. The _i_o_l_o_g___f_i_l_e option may be used to control the format of -- the session ID. -+ and log all user input and/or output, depending on which options are -+ are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r -+ option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is -+ included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e -+ option may be used to control the format of the session ID. 
- - Each I/O log is stored in a separate directory that contains the - following files: -diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in ---- ./doc/sudoers.man.in.manpage 2017-09-11 15:16:47.444869925 +0200 -+++ ./doc/sudoers.man.in 2017-09-11 15:16:47.456869864 +0200 -@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and - If the standard input is not connected to the user's tty, due to - I/O redirection or because the command is part of a pipeline, that - input is also captured and stored in a separate log file. --For more information, see the -+Anything sent to the standard input will be consumed, regardless of -+whether or not the command run via -+\fBsudo\fR -+is actually reading the standard input. -+This may have unexpected results when using -+\fBsudo\fR -+in a shell script that expects to process the standard input. -+For more information about I/O logging, see the - \fII/O LOG FILES\fR - section. - This flag is -@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and - to the screen, similar to the - script(1) - command. --For more information, see the -+For more information about I/O logging, see the - \fII/O LOG FILES\fR - section. - This flag is -@@ -2934,14 +2941,24 @@ This flag is - by default. - .TP 18n - use_pty --If set, -+If set, and - \fBsudo\fR --will run the command in a pseudo-pty even if no I/O logging is being gone. -+is running in a terminal, the command will be run in a pseudo-pty -+(even if no I/O logging is being done). -+If the -+\fBsudo\fR -+process is not attached to a terminal, -+\fIuse_pty\fR -+has no effect. -+.sp - A malicious program run under - \fBsudo\fR --could conceivably fork a background process that retains to the user's --terminal device after the main program has finished executing. --Use of this option will make that impossible. 
-+may be capable of injecting injecting commands into the user's -+terminal or running a background process that retains access to the -+user's terminal device even after the main program has finished -+executing. -+By running the command in a separate pseudo-pty, this attack is -+no longer possible. - This flag is - \fIoff\fR - by default. -@@ -4281,7 +4298,8 @@ word wrap will be disabled. - .SH "I/O LOG FILES" - When I/O logging is enabled, - \fBsudo\fR --will run the command in a pseudo-tty and log all user input and/or output. -+will run the command in a pseudo-tty and log all user input and/or output, -+depending on which options are enabled. - I/O is logged to the directory specified by the - \fIiolog_dir\fR - option -diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in ---- ./doc/sudoers.mdoc.in.manpage 2017-09-11 15:16:47.445869920 +0200 -+++ ./doc/sudoers.mdoc.in 2017-09-11 15:16:47.456869864 +0200 -@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and - If the standard input is not connected to the user's tty, due to - I/O redirection or because the command is part of a pipeline, that - input is also captured and stored in a separate log file. --For more information, see the -+Anything sent to the standard input will be consumed, regardless of -+whether or not the command run via -+.Nm sudo -+is actually reading the standard input. -+This may have unexpected results when using -+.Nm sudo -+in a shell script that expects to process the standard input. -+For more information about I/O logging, see the - .Sx "I/O LOG FILES" - section. - This flag is -@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and - to the screen, similar to the - .Xr script 1 - command. --For more information, see the -+For more information about I/O logging, see the - .Sx "I/O LOG FILES" - section. - This flag is -@@ -2752,14 +2759,24 @@ This flag is - .Em on - by default. 
- .It use_pty --If set, -+If set, and - .Nm sudo --will run the command in a pseudo-pty even if no I/O logging is being gone. -+is running in a terminal, the command will be run in a pseudo-pty -+(even if no I/O logging is being done). -+If the -+.Nm sudo -+process is not attached to a terminal, -+.Em use_pty -+has no effect. -+.Pp - A malicious program run under - .Nm sudo --could conceivably fork a background process that retains to the user's --terminal device after the main program has finished executing. --Use of this option will make that impossible. -+may be capable of injecting injecting commands into the user's -+terminal or running a background process that retains access to the -+user's terminal device even after the main program has finished -+executing. -+By running the command in a separate pseudo-pty, this attack is -+no longer possible. - This flag is - .Em off - by default. -@@ -3976,7 +3993,8 @@ word wrap will be disabled. - .Sh I/O LOG FILES - When I/O logging is enabled, - .Nm sudo --will run the command in a pseudo-tty and log all user input and/or output. -+will run the command in a pseudo-tty and log all user input and/or output, -+depending on which options are enabled. - I/O is logged to the directory specified by the - .Em iolog_dir - option diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch deleted file mode 100644 index d53eb4c..0000000 --- a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch +++ /dev/null 
@@ -1,44 +0,0 @@ - -# HG changeset patch -# User Todd C. Miller -# Date 1511893724 25200 -# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb -# Parent b456101fe5091540e9f6429db7568fa32b6d4da8 -Avoid a double free when ipa_hostname is set in sssd.conf and it -is an unqualified host name. From Daniel Kopecek. - -Also move the "unable to allocate memory" warning into get_ipa_hostname() -itself to make it easier to see where the allocation failed in the -debug log. - -diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c ---- a/plugins/sudoers/sssd.c Tue Nov 28 09:48:43 2017 -0700 -+++ b/plugins/sudoers/sssd.c Tue Nov 28 11:28:44 2017 -0700 -@@ -349,6 +349,8 @@ - *lhostp = lhost; - ret = true; - } else { -+ sudo_warnx(U_("%s: %s"), __func__, -+ U_("unable to allocate memory")); - free(shost); - free(lhost); - ret = -1; -@@ -456,7 +458,6 @@ - */ - if (strcmp(user_runhost, user_host) == 0) { - if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - free(handle); - debug_return_int(ENOMEM); - } -@@ -478,7 +479,8 @@ - handle = nss->handle; - sudo_dso_unload(handle->ssslib); - free(handle->ipa_host); -- free(handle->ipa_shost); -+ if (handle->ipa_host != handle->ipa_shost) -+ free(handle->ipa_shost); - free(handle); - nss->handle = NULL; - } - diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch deleted file mode 100644 index 62d0cf2..0000000 --- a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Wed, 15 Nov 2017 12:27:39 -0700 -Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep - checking even after we get a match since the value of doauth may depend on - evaluating all the results. From Radovan Sroka of RedHat. - -In list (-l) or verify (-v) mode, if we have a match but authentication -is required, clear FLAG_NOPASSWD so that when listpw/verifypw is -set to "all" and there are multiple sudoers sources a password will -be required unless none of the entries in all sources require -authentication. From Radovan Sroka of RedHat - -Avoid calling cmnd_matches() in list/verify mode if we already have -a match. ---- - plugins/sudoers/ldap.c | 5 ++++- - plugins/sudoers/parse.c | 10 +++++++--- - plugins/sudoers/sssd.c | 5 ++++- - 3 files changed, 15 insertions(+), 5 deletions(-) - -diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c -index 46309cba..c5c18360 100644 ---- a/plugins/sudoers/ldap.c -+++ b/plugins/sudoers/ldap.c -@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) - (pwcheck == all && doauth != true)) { - doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate"); - } -+ if (matched == true) -+ continue; - /* Only check the command when listing another user. 
*/ - if (user_uid == 0 || list_pw == NULL || - user_uid == list_pw->pw_uid || - sudo_ldap_check_command(ld, entry, NULL) == true) { - matched = true; -- break; - } - } - if (matched == true || user_uid == 0) { -@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) - case any: - if (doauth == false) - SET(ret, FLAG_NOPASSWD); -+ else -+ CLR(ret, FLAG_NOPASSWD); - break; - default: - break; -diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c -index 749a3eb2..a12e88c5 100644 ---- a/plugins/sudoers/parse.c -+++ b/plugins/sudoers/parse.c -@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) - if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW) - continue; - TAILQ_FOREACH(cs, &priv->cmndlist, entries) { -+ if ((pwcheck == any && cs->tags.nopasswd == true) || -+ (pwcheck == all && cs->tags.nopasswd != true)) -+ nopass = cs->tags.nopasswd; -+ if (match == ALLOW) -+ continue; - /* Only check the command when listing another user. */ - if (user_uid == 0 || list_pw == NULL || - user_uid == list_pw->pw_uid || - cmnd_matches(cs->cmnd) == ALLOW) - match = ALLOW; -- if ((pwcheck == any && cs->tags.nopasswd == true) || -- (pwcheck == all && cs->tags.nopasswd != true)) -- nopass = cs->tags.nopasswd; - } - } - } -@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) - SET(validated, FLAG_CHECK_USER); - else if (nopass == true) - SET(validated, FLAG_NOPASSWD); -+ else -+ CLR(validated, FLAG_NOPASSWD); - debug_return_int(validated); - } - -diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c -index 65b4d875..09ca9fee 100644 ---- a/plugins/sudoers/sssd.c -+++ b/plugins/sudoers/sssd.c -@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) - (pwcheck == all && doauth != true)) { - doauth = !!sudo_sss_check_bool(handle, rule, "authenticate"); - } -+ if (matched == true) -+ continue; - /* Only check the command when listing another user. 
*/ - if (user_uid == 0 || list_pw == NULL || - user_uid == list_pw->pw_uid || - sudo_sss_check_command(handle, rule, NULL) == true) { - matched = true; -- break; - } - } - } -@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) - case any: - if (doauth == false) - SET(ret, FLAG_NOPASSWD); -+ else -+ CLR(ret, FLAG_NOPASSWD); - break; - default: - break; --- -2.14.3 - diff --git a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch deleted file mode 100644 index ef2946c..0000000 --- a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ./plugins/sudoers/regress/visudo/test2.err.ok.orig ./plugins/sudoers/regress/visudo/test2.err.ok ---- ./plugins/sudoers/regress/visudo/test2.err.ok.orig 2017-04-10 10:12:53.003000000 -0400 -+++ ./plugins/sudoers/regress/visudo/test2.err.ok 2017-04-10 10:13:36.771000000 -0400 -@@ -1 +1 @@ --visudo: stdin:1 cycle in User_Alias "FOO" -+Error: stdin:1 cycle in User_Alias "FOO" -diff -up ./plugins/sudoers/regress/visudo/test3.err.ok.orig ./plugins/sudoers/regress/visudo/test3.err.ok ---- ./plugins/sudoers/regress/visudo/test3.err.ok.orig 2017-04-10 10:13:12.141000000 -0400 -+++ ./plugins/sudoers/regress/visudo/test3.err.ok 2017-04-10 10:13:56.842000000 -0400 -@@ -1,2 +1,2 @@ --visudo: stdin:1 unused User_Alias "A" --visudo: stdin:2 unused User_Alias "B" -+Warning: stdin:1 unused User_Alias "A" -+Warning: stdin:2 unused User_Alias "B" diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch deleted file mode 100644 index 8da9603..0000000 --- a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c -index f21a99ee..83202e28 100644 ---- a/plugins/sudoers/ldap.c -+++ b/plugins/sudoers/ldap.c -@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void) - ldap_conf.timed ? timebuffer : "", - (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); - } else { -- len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s", -- (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "", -+ len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)", - ldap_conf.search_filter ? ldap_conf.search_filter : "", - query_netgroups ? "+" : "%:", -- ldap_conf.timed ? timebuffer : "", -- (ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""); -+ ldap_conf.timed ? timebuffer : ""); - } - if (len == -1) - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); diff --git a/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch new file mode 100644 index 0000000..826e734 --- /dev/null +++ b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch 
@@ -0,0 +1,161 @@ +From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 26 Jul 2018 12:31:29 -0600 +Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors + from pam_acct_mgmt() if authentication is disabled for the user. Bug #843 + +--- + plugins/sudoers/auth/bsdauth.c | 2 +- + plugins/sudoers/auth/pam.c | 10 +++++++++- + plugins/sudoers/auth/sudo_auth.c | 4 ++-- + plugins/sudoers/auth/sudo_auth.h | 6 +++--- + plugins/sudoers/check.c | 4 +++- + plugins/sudoers/sudoers.h | 2 +- + 6 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c +index 444cd337..390263d3 100644 +--- a/plugins/sudoers/auth/bsdauth.c ++++ b/plugins/sudoers/auth/bsdauth.c +@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con + } + + int +-bsdauth_approval(struct passwd *pw, sudo_auth *auth) ++bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + struct bsdauth_state *state = auth->data; + debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH) +diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c +index 347289da..a4749448 100644 +--- a/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co + } + + int +-sudo_pam_approval(struct passwd *pw, sudo_auth *auth) ++sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; + int *pam_status = (int *) auth->data; +@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + "is your account locked?")); + debug_return_int(AUTH_FATAL); + case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* New password required, try to change it. 
*/ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); + *pam_status = pam_chauthtok(pamh, +@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + N_("unable to change expired password: %s"), s); + debug_return_int(AUTH_FAILURE); + case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); + debug_return_int(AUTH_FATAL); +diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c +index 6ef9bd72..5d9382dc 100644 +--- a/plugins/sudoers/auth/sudo_auth.c ++++ b/plugins/sudoers/auth/sudo_auth.c +@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw) + * Returns true on success, false on failure and -1 on error. + */ + int +-sudo_auth_approval(struct passwd *pw, int validated) ++sudo_auth_approval(struct passwd *pw, int validated, bool exempt) + { + sudo_auth *auth; + debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH) +@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated) + /* Call approval routines. */ + for (auth = auth_switch; auth->name; auth++) { + if (auth->approval && !IS_DISABLED(auth)) { +- int status = (auth->approval)(pw, auth); ++ int status = (auth->approval)(pw, auth, exempt); + if (status != AUTH_SUCCESS) { + /* Assume error msg already printed. 
*/ + log_auth_failure(validated, 0); +diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h +index ea5ed9cd..9ae69cd5 100644 +--- a/plugins/sudoers/auth/sudo_auth.h ++++ b/plugins/sudoers/auth/sudo_auth.h +@@ -31,7 +31,7 @@ typedef struct sudo_auth { + int (*init)(struct passwd *pw, struct sudo_auth *auth); + int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth); + int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback); +- int (*approval)(struct passwd *pw, struct sudo_auth *auth); ++ int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt); + int (*cleanup)(struct passwd *pw, struct sudo_auth *auth); + int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth); + int (*end_session)(struct passwd *pw, struct sudo_auth *auth); +@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv; + /* Prototypes for standalone methods */ + int bsdauth_init(struct passwd *pw, sudo_auth *auth); + int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int bsdauth_approval(struct passwd *pw, sudo_auth *auth); ++int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_aix_init(struct passwd *pw, sudo_auth *auth); + int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback); +@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth); + int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth); ++int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth); + int 
sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth); + int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth); +diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c +index ed49d63a..486a80d8 100644 +--- a/plugins/sudoers/check.c ++++ b/plugins/sudoers/check.c +@@ -175,6 +175,7 @@ check_user(int validated, int mode) + { + struct passwd *auth_pw; + int ret = -1; ++ bool exempt = false; + debug_decl(check_user, SUDOERS_DEBUG_AUTH) + + /* +@@ -194,6 +195,7 @@ check_user(int validated, int mode) + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__, + !def_authenticate ? "authentication disabled" : + "user exempt from authentication"); ++ exempt = true; + ret = true; + goto done; + } +@@ -218,7 +220,7 @@ check_user(int validated, int mode) + done: + if (ret == true) { + /* The approval function may disallow a user post-authentication. */ +- ret = sudo_auth_approval(auth_pw, validated); ++ ret = sudo_auth_approval(auth_pw, validated, exempt); + } + sudo_auth_cleanup(auth_pw); + sudo_pw_delref(auth_pw); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index 57db74c1..956cb084 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv + int sudo_auth_begin_session(struct passwd *pw, char **user_env[]); + int sudo_auth_end_session(struct passwd *pw); + int sudo_auth_init(struct passwd *pw); +-int sudo_auth_approval(struct passwd *pw, int validated); ++int sudo_auth_approval(struct passwd *pw, int validated, bool exempt); + int sudo_auth_cleanup(struct passwd *pw); + + /* set_perms.c */ +-- +2.13.6 + diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch new file mode 100644 index 0000000..25bbfe9 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch 
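Review bot: The two new `if (exempt) debug_return_int(AUTH_SUCCESS);` branches in sudo_pam_approval return success without recording that a pam_acct_mgmt() result (PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED) was overridden, so an expired password passing through the authentication-disabled / user-exempt path of check_user leaves no trace in sudo's debug log. A one-line record before each early return, e.g. `sudo_debug_printf(SUDO_DEBUG_INFO, "%s: ignoring PAM account-management status, user is exempt", __func__);`, keeps the bypass visible to whoever audits the log. The comment `/* Ignore if user is exempt from password restrictions. */` is also broader than the code: only these two PAM codes are skipped, and `exempt` is set in check_user solely when authentication is disabled or the user is exempt from it, so a wording such as `/* Authentication was skipped for this user; an expired password must not block the command. */` states it precisely. bsdauth_approval gains the `exempt` parameter but, in the part of it shown, does not use it; the enclosing functions continue outside the hunks.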
@@ -0,0 +1,70 @@ +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200 +@@ -34,7 +34,7 @@ + }, + { + "Binding": [ +- { "username": "%them" } ++ { "usergroup": "them" } + ], + "Options": [ + { "set_home": true } +@@ -42,7 +42,7 @@ + }, + { + "Binding": [ +- { "username": "%: non UNIX 0 c" } ++ { "nonunixgroup": " non UNIX 0 c" } + ], + "Options": [ + { "set_home": true } +@@ -50,7 +50,7 @@ + }, + { + "Binding": [ +- { "username": "+net" } ++ { "netgroup": "net" } + ], + "Options": [ + { "set_home": true } +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200 +@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO + # + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR + + # + DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c +--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ 
sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200 +@@ -2395,7 +2395,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l +--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200 +@@ -187,7 +187,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch new file mode 100644 index 0000000..9698d23 --- /dev/null +++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch 
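Review bot: The patch carries no header explaining the change, although it re-applies the same one-line tokenizer fix (`if (prev_state == INITIAL || prev_state == GOTDEFS) {` in toke.l and in the flex-generated toke.c) that the removed sudo-1.8.6p3-doublequotefix.patch documented with its bug reference; that context should be copied into this file so the next rebase does not lose it. The expected-output updates show the behavioural effect worth stating in such a header: a quoted `Defaults:"%them"` or `Defaults:"+net"` binding now tokenizes as a user group or netgroup instead of a literal user name, which changes which hosts' and users' Defaults actually apply, and `"%: non UNIX 0 c"` keeps its leading space as part of the non-Unix group name (`{ "nonunixgroup": " non UNIX 0 c" }`). Changing toke.l and toke.c together is correct, since the two must stay in sync.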
@@ -0,0 +1,27 @@ +diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c +--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200 +@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + if (ldap_conf.search_filter) + sz += strlen(ldap_conf.search_filter); + +- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ +- sz += 29 + sudo_ldap_value_len(pw->pw_name); ++ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ ++ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); + + /* Add space for primary and supplementary groups and gids */ + if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { +@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + CHECK_LDAP_VCAT(buf, pw->pw_name, sz); + CHECK_STRLCAT(buf, ")", sz); + ++ /* Append user uid */ ++ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); ++ (void) strlcat(buf, "(sudoUser=#", sz); ++ (void) strlcat(buf, gidbuf, sz); ++ (void) strlcat(buf, ")", sz); ++ + /* Append primary group and gid */ + if (grp != NULL) { + CHECK_STRLCAT(buf, "(sudoUser=%", sz); diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch new file mode 100644 index 0000000..f838215 --- /dev/null +++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch 
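Review bot: The three new `(void) strlcat(...)` calls that append `(sudoUser=#<uid>)` discard the return value, whereas the neighbouring appends use `CHECK_STRLCAT` / `CHECK_LDAP_VCAT` so that truncation of `buf` is detected; a silently truncated filter here would produce a malformed or narrower LDAP query rather than an error. Use the same macros: `CHECK_STRLCAT(buf, "(sudoUser=#", sz);` `CHECK_STRLCAT(buf, gidbuf, sz);` `CHECK_STRLCAT(buf, ")", sz);`. The reservation `12 + MAX_UID_T_LEN` matches `(sudoUser=#` plus `)` plus the uid digits, but the value is printed with `"%u"` after a cast to `unsigned int`, which is narrower than MAX_UID_T_LEN suggests uid_t may be — presumably fine on the target platform, but worth a comment, as is the reuse of `gidbuf` for a uid. The patch also has no header describing why a uid-based `sudoUser: #uid` match is being added to the pass-1 filter; sudo_ldap_build_pass1 continues outside both hunks.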
@@ -0,0 +1,89 @@ +diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c +--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing 2018-06-28 11:24:25.966475241 +0200 ++++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c 2018-06-28 11:26:40.215025493 +0200 +@@ -321,6 +321,15 @@ main(int argc, char *argv[]) + sudo_fatalx("error: unhandled input %d", input_format); + } + ++ /* ++ * cvtsudoers group filtering doesn't work if def_match_group_by_gid ++ * is set to true by default (at compile-time). It cannot be set to false ++ * because cvtsudoers doesn't apply the parsed Defaults. ++ * ++ * Related: sudo-1.8.23-legacy-group-processing.patch ++ */ ++ def_match_group_by_gid = def_legacy_group_processing = false; ++ + /* Apply filters. */ + filter_userspecs(conf); + filter_defaults(conf); +diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c +--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/defaults.c 2018-06-28 11:24:25.966475241 +0200 +@@ -87,6 +87,7 @@ static struct early_default early_defaul + { I_FQDN }, + #endif + { I_MATCH_GROUP_BY_GID }, ++ { I_LEGACY_GROUP_PROCESSING }, + { I_GROUP_PLUGIN }, + { I_RUNAS_DEFAULT }, + { I_SUDOERS_LOCALE }, +@@ -488,6 +489,8 @@ init_defaults(void) + } + + /* First initialize the flags. 
*/ ++ def_legacy_group_processing = true; ++ def_match_group_by_gid = true; + #ifdef LONG_OTP_PROMPT + def_long_otp_prompt = true; + #endif +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-28 11:24:25.966475241 +0200 +@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Ignore case when matching group names"), + NULL, + }, { ++ "legacy_group_processing", T_FLAG, ++ N_("Don't pre-resolve all group names"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-28 11:24:25.967475238 +0200 +@@ -226,6 +226,8 @@ + #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) + #define I_CASE_INSENSITIVE_GROUP 113 + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 114 ++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-28 11:24:25.967475238 +0200 +@@ -357,3 +357,6 @@ case_insensitive_user + case_insensitive_group + T_FLAG + "Ignore case when matching group names" ++legacy_group_processing ++ T_FLAG ++ "Don't pre-resolve all group names" +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c +--- 
sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-28 11:24:25.967475238 +0200 +@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c + if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw)) + ret = true; + ++ if (!def_match_group_by_gid || !def_legacy_group_processing) { ++ def_match_group_by_gid = false; ++ def_legacy_group_processing = false; ++ } + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch new file mode 100644 index 0000000..6406396 --- /dev/null +++ b/SOURCES/sudo-1.8.23-nowaitopt.patch 
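Review bot: The new block in sudoers_policy_init couples the two flags — if either `def_match_group_by_gid` or `def_legacy_group_processing` is false, both are forced false — but nothing in the hunk or in the `legacy_group_processing` description ("Don't pre-resolve all group names") tells an administrator that `Defaults !match_group_by_gid` now also disables legacy group processing and vice versa. A comment above the `if`, e.g. `/* The two flags are tied: disabling either one disables both. */`, and a mention in the def_data.in description would make that explicit. init_defaults now also sets `def_match_group_by_gid = true;` unconditionally, which presumably flips the compiled-in default of that upstream option; that deserves a line in a patch header, which this `diff -up` file does not have (the cvtsudoers comment that names the patch file is a good start). The enclosing functions start outside the hunks.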
@@ -0,0 +1,61 @@ +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200 +@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't pre-resolve all group names"), + NULL, + }, { ++ "cmnd_no_wait", T_FLAG, ++ N_("Don't fork and wait for the command to finish, just exec it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200 +@@ -228,6 +228,8 @@ + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 114 + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) ++#define I_CMND_NO_WAIT 115 ++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200 +@@ -360,3 +360,6 @@ case_insensitive_group + legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" ++cmnd_no_wait ++ T_FLAG ++ "Don't fork and wait for the command to finish, just exec it" +diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c +--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 
2018-06-18 11:31:03.670899166 +0200 +@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c + def_match_group_by_gid = false; + def_legacy_group_processing = false; + } ++ ++ /* ++ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation ++ * and I/O logging. This will cause sudo to execute the given command ++ * directly instead of forking a separate process for it. ++ */ ++ if (def_cmnd_no_wait) { ++ def_pam_setcred = false; ++ def_pam_session = false; ++ def_use_pty = false; ++ def_log_input = false; ++ def_log_output = false; ++ } ++ + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch new file mode 100644 index 0000000..3b52ea8 --- /dev/null +++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch 
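Review bot: The file contains a bare `diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c` header with no `---`/`+++` lines and no hunk — it looks like a leftover of the policy.c hunk that the removed sudo-1.8.6p3-nowaitopt.patch had — and should be deleted, since a header without content may confuse patch tools. The new block in sudoers_policy_init turns off `def_pam_setcred`, `def_pam_session`, `def_use_pty`, `def_log_input` and `def_log_output` silently, so an administrator who has configured I/O logging or a PAM session alongside `cmnd_no_wait` loses them without any message; at least a debug line such as `sudo_debug_printf(SUDO_DEBUG_INFO, "%s: cmnd_no_wait set, disabling PAM session, pty and I/O logging", __func__);` should be emitted, and a warning when `def_log_input || def_log_output` was set would be better. The def_data.c and def_data.h hunks use the legacy-group-processing lines as context and number the new entry `I_CMND_NO_WAIT 115` after `I_LEGACY_GROUP_PROCESSING 114`, so this patch applies only after sudo-1.8.23-legacy-group-processing.patch; that ordering belongs in a header. sudoers_policy_init starts outside the hunk.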
@@ -0,0 +1,32 @@ +diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in +--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-05-23 13:38:08.347538854 +0200 ++++ sudo-1.8.23/doc/Makefile.in 2018-05-23 13:38:12.806523146 +0200 +@@ -345,10 +345,16 @@ install-doc: install-dirs + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ + else \ + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ + fi + + install-plugin: +@@ -363,8 +369,9 @@ uninstall: + $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ + $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ + $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ +- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) +- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) ++ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) + + splint: + 
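Review bot: The uninstall hunk changes more than it announces: the old text lacked a `\` after `sudoers_timestamp.$(mansectform)`, so `$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)` had been a separate recipe line rather than an argument of the `rm`; the patch repairs that while adding `sudo-ldap.conf`, and this file has no header recording either the repair or why a `sudo-ldap.conf.$(mansectform)` alias to `sudoers.ldap.$(mansectform)` is installed. A short preamble above the first `diff -up` line (the purpose of the alias and the incidental uninstall fix) would keep both from being lost on the next rebase. The install-doc hunk repeats the `rm -f` / `echo ln -s` / `ln -s` triple in both branches of the `MANCOMPRESSEXT` test, mirroring the existing sudoedit lines, so it is consistent with the surrounding style; the install-doc recipe continues outside the hunk.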
diff --git a/SOURCES/sudo-1.8.6p3-doublequotefix.patch b/SOURCES/sudo-1.8.6p3-doublequotefix.patch deleted file mode 100644 index c028017..0000000 --- a/SOURCES/sudo-1.8.6p3-doublequotefix.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 1b16310c7ec5ba23fbe066c7d000016e534b4448 Mon Sep 17 00:00:00 2001 -From: Tomas Sykora -Date: Tue, 16 Aug 2016 09:54:06 +0200 -Subject: [PATCH] Double quotes are not accepted in sudoers - -Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers - -Rebased from: -Patch25: sudo-1.8.6p3-doublequotefix.patch - -Resolves: -rhbz#1092499 ---- - plugins/sudoers/toke.c | 2 +- - plugins/sudoers/toke.l | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c -index e5b4d97..3b510bb 100644 ---- a/plugins/sudoers/toke.c -+++ b/plugins/sudoers/toke.c -@@ -2385,7 +2385,7 @@ YY_RULE_SETUP - LEXTRACE("ERROR "); /* empty string */ - LEXRETURN(ERROR); - } -- if (prev_state == INITIAL) { -+ if (prev_state == INITIAL || prev_state == GOTDEFS) { - switch (sudoerslval.string[0]) { - case '%': - if (sudoerslval.string[1] == '\0' || -diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l -index b63edd0..82724aa 100644 ---- a/plugins/sudoers/toke.l -+++ b/plugins/sudoers/toke.l -@@ -185,7 +185,7 @@ DEFVAR [a-z_]+ - LEXTRACE("ERROR "); /* empty string */ - LEXRETURN(ERROR); - } -- if (prev_state == INITIAL) { -+ if (prev_state == INITIAL || prev_state == GOTDEFS) { - switch (sudoerslval.string[0]) { - case '%': - if (sudoerslval.string[1] == '\0' || --- -2.7.4 - diff --git a/SOURCES/sudo-1.8.6p3-nowaitopt.patch b/SOURCES/sudo-1.8.6p3-nowaitopt.patch deleted file mode 100644 index df51500..0000000 --- a/SOURCES/sudo-1.8.6p3-nowaitopt.patch +++ /dev/null 
@@ -1,161 +0,0 @@ -From 9b1f0f16bfe7552810b4adb6b17ac3674da660f9 Mon Sep 17 00:00:00 2001 -From: Tomas Sykora -Date: Mon, 15 Aug 2016 15:13:31 +0200 -Subject: [PATCH] Backport direct exec of command from sudo - -Added cmnd_no_wait option -Sudo does not run command in a new child process, -when cmnd_no_wait is enabled. - -!!! -Upstream can do that too now in 1.8.17 with combination of -pam_session, pam_setcred and use_pty option. -They must be disabled and I/O logging must not be configured. -See "man sudoers". - -rebased from: -Patch8: sudo-1.8.6p3-nowaitopt.patch - -Resolves: -rhbz#840980 ---- - plugins/sudoers/def_data.c | 4 ++++ - plugins/sudoers/def_data.h | 2 ++ - plugins/sudoers/def_data.in | 3 +++ - plugins/sudoers/policy.c | 4 ++++ - src/exec.c | 34 ++++++++++++++++++++++++++++++++++ - src/sudo.c | 5 +++++ - src/sudo.h | 1 + - 7 files changed, 53 insertions(+) - -diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c -index 00caa8b..d8b1ada 100644 ---- a/plugins/sudoers/def_data.c -+++ b/plugins/sudoers/def_data.c -@@ -435,6 +435,10 @@ struct sudo_defs_types sudo_defs_table[] = { - N_("File mode to use for the I/O log files: 0%o"), - NULL, - }, { -+ "cmnd_no_wait", T_FLAG, -+ N_("Don't fork and wait for the command to finish, just exec it"), -+ NULL, -+ }, { - NULL, 0, NULL - } - }; -diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h -index d83d2c3..1b6be3d 100644 ---- a/plugins/sudoers/def_data.h -+++ b/plugins/sudoers/def_data.h -@@ -204,6 +204,8 @@ - #define def_iolog_group (sudo_defs_table[I_IOLOG_GROUP].sd_un.str) - #define I_IOLOG_MODE 102 - #define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode) -+#define I_CMND_NO_WAIT 103 -+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) - - enum def_tuple { - never, -diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in -index 9f069f1..5200fe3 100644 ---- a/plugins/sudoers/def_data.in -+++ b/plugins/sudoers/def_data.in -@@ -322,3 
+322,6 @@ iolog_group - iolog_mode - T_MODE - "File mode to use for the I/O log files: 0%o" -+cmnd_no_wait -+ T_FLAG -+ "Don't fork and wait for the command to finish, just exec it" -diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c -index 4ee1e28..93df1dd 100644 ---- a/plugins/sudoers/policy.c -+++ b/plugins/sudoers/policy.c -@@ -564,6 +564,10 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, - if ((command_info[info_len++] = strdup("use_pty=true")) == NULL) - goto oom; - } -+ if (def_cmnd_no_wait) { -+ if ((command_info[info_len++] = strdup("cmnd_no_wait=true")) == NULL) -+ goto oom; -+ } - if (def_utmp_runas) { - if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_pw->pw_name)) == NULL) - goto oom; -diff --git a/src/exec.c b/src/exec.c -index 56da013..08bc86d 100644 ---- a/src/exec.c -+++ b/src/exec.c -@@ -384,6 +384,41 @@ sudo_execute(struct command_details *details, struct command_status *cstat) - } - - /* -+ * If we don't want to wait for the command to exit, then just exec it. -+ * THIS WILL BREAK SEVERAL THINGS including SELinux, PAM sessions and I/O -+ * logging. Implemented because of rhbz#840980 (backwards compatibility). -+ * In 1.8.x branch this is even harder to get back, since the nowait code -+ * was completely removed. 
-+ */ -+ if (details->flags & CD_DONTWAIT) { -+ if (exec_setup(details, NULL, -1) == true) { -+ restore_signals(); -+ /* headed for execve() */ -+ sudo_debug_execve(SUDO_DEBUG_INFO, details->command, -+ details->argv, details->envp); -+ if (details->closefrom >= 0) { -+ closefrom(details->closefrom); -+ } -+#ifdef HAVE_SELINUX -+ if (ISSET(details->flags, CD_RBAC_ENABLED)) { -+ selinux_execve(-1, details->command, details->argv, details->envp, -+ ISSET(details->flags, CD_NOEXEC)); -+ } else -+#endif -+ { -+ sudo_execve(-1, details->command, details->argv, details->envp, -+ ISSET(details->flags, CD_NOEXEC)); -+ } -+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s", -+ details->command, strerror(errno)); -+ } -+ cstat->type = CMD_ERRNO; -+ cstat->val = errno; -+ return 127; -+ } -+ -+ -+ /* - * We communicate with the child over a bi-directional pair of sockets. - * Parent sends signal info to child and child sends back wait status. - */ -diff --git a/src/sudo.c b/src/sudo.c -index 5dd090d..0606a19 100644 ---- a/src/sudo.c -+++ b/src/sudo.c -@@ -670,6 +670,11 @@ command_info_to_details(char * const info[], struct command_details *details) - sudo_fatalx(U_("%s: %s"), info[i], U_(errstr)); - break; - } -+ if (strncmp("cmnd_no_wait=", info[i], sizeof("cmnd_no_wait=") - 1) == 0) { -+ if (sudo_strtobool(info[i] + sizeof("cmnd_no_wait=") - 1) == true) -+ SET(details->flags, CD_DONTWAIT); -+ break; -+ } - break; - case 'e': - SET_FLAG("exec_background=", CD_EXEC_BG) -diff --git a/src/sudo.h b/src/sudo.h -index 3ac2c9d..f07ba11 100644 ---- a/src/sudo.h -+++ b/src/sudo.h -@@ -130,6 +130,7 @@ struct user_details { - #define CD_SUDOEDIT_FOLLOW 0x10000 - #define CD_SUDOEDIT_CHECKDIR 0x20000 - #define CD_SET_GROUPS 0x40000 -+#define CD_DONTWAIT 0x80000 - - struct preserved_fd { - TAILQ_ENTRY(preserved_fd) entries; --- -2.7.4 - 
diff --git a/SOURCES/sudo-1.8.6p7-digest-backport.patch b/SOURCES/sudo-1.8.6p7-digest-backport.patch
deleted file mode 100644
index a814b2c..0000000
--- a/SOURCES/sudo-1.8.6p7-digest-backport.patch
+++ /dev/null
@@ -1,435 +0,0 @@ -From c8a6eecf768d8102a9a77f5fdb5b516e571d462e Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Tue, 23 Aug 2016 13:43:08 +0200 -Subject: [PATCH] Using libgcrypt - -Using libgcrypt and not sudo implementation of SHA... - -Rebased patch of digest backport. -Added option --with-gcrypt - -Rebased from: -Patch35: sudo-1.8.6p7-digest-backport.patch - -Resolves: -rhbz#1183818 ---- - configure.ac | 16 +++++++ - plugins/sudoers/Makefile.in | 9 +++- - plugins/sudoers/filedigest.c | 104 +++++++++++++++++++++++++++++++++++++++++++ - plugins/sudoers/filedigest.h | 17 +++++++ - plugins/sudoers/match.c | 94 ++++++++++++++++++++++++++++++-------- - 5 files changed, 219 insertions(+), 21 deletions(-) - create mode 100644 plugins/sudoers/filedigest.c - create mode 100644 plugins/sudoers/filedigest.h - -diff --git a/configure.ac b/configure.ac -index 13c3c1b..54929b2 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -35,6 +35,7 @@ AC_SUBST([SUDO_OBJS]) - AC_SUBST([LIBS]) - AC_SUBST([SUDO_LIBS]) - AC_SUBST([SUDOERS_LIBS]) -+AC_SUBST([LIBPARSESUDOERS_LIBS]) - AC_SUBST([STATIC_SUDOERS]) - AC_SUBST([NET_LIBS]) - AC_SUBST([AFS_LIBS]) -@@ -1517,6 +1518,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) - ;; - esac], [with_selinux=no]) - -+AC_ARG_WITH(gcrypt, [AS_HELP_STRING([--with-gcrypt], [enable libgcrypt support])], -+[case $with_gcrypt in -+ yes) -+ AC_DEFINE(HAVE_LIBGCRYPT) -+ LIBPARSESUDOERS_LIBS="${LIBPARSESUDOERS_LIBS} -lgcrypt" -+ AC_CHECK_LIB([gcrypt], [gcry_md_open], -+ [AC_DEFINE(HAVE_GCRY_MD_OPEN)]) -+ ;; -+ no) ;; -+ *) AC_MSG_ERROR(["--with-gcrypt does not take an argument."]) -+ ;; -+esac]) -+ - dnl - dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default - dnl -@@ -4344,6 +4358,8 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file - AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) - AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable 
SELinux RBAC support.]) - AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.]) -+AH_TEMPLATE(HAVE_LIBGCRYPT, [Define to 1 to enable libgcrypt support.]) -+AH_TEMPLATE(HAVE_GCRY_MD_OPEN, [Define to 1 if you have the `gcry_md_open' function.]) - AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.]) - AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) - AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) -diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in -index f36f9ef..32c0ed0 100644 ---- a/plugins/sudoers/Makefile.in -+++ b/plugins/sudoers/Makefile.in -@@ -55,6 +55,7 @@ LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la - LIBS = $(LT_LIBS) - NET_LIBS = @NET_LIBS@ - SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZLIB@ @LIBMD@ -+LIBPARSESUDOERS_LIBS = @LIBPARSESUDOERS_LIBS@ - REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@ - VISUDO_LIBS = $(NET_LIBS) @LIBMD@ - TESTSUDOERS_LIBS = $(NET_LIBS) @LIBMD@ -@@ -153,7 +154,7 @@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@ - LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \ - gram.lo match.lo match_addr.lo pwutil.lo pwutil_impl.lo \ - rcstr.lo redblack.lo sudoers_debug.lo timestr.lo \ -- toke.lo toke_util.lo -+ toke.lo toke_util.lo filedigest.lo - - SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo find_path.lo \ - gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo \ -@@ -217,7 +218,7 @@ Makefile: $(srcdir)/Makefile.in - (cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile) - - libparsesudoers.la: $(LIBPARSESUDOERS_OBJS) -- $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install -+ $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) $(LIBPARSESUDOERS_LIBS) -no-install - - sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@ - case "$(LT_LDFLAGS)" in \ -@@ -656,6 +657,10 @@ env.lo: 
$(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ - $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ - $(top_builddir)/pathnames.h - $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/env.c -+filedigest.lo: $(srcdir)/filedigest.c $(top_builddir)/config.h \ -+ $(incdir)/sudo_debug.h -+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/filedigest.c -+filedigest.o: filedigest.lo - find_path.lo: $(srcdir)/find_path.c $(devdir)/def_data.h \ - $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ - $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ -diff --git a/plugins/sudoers/filedigest.c b/plugins/sudoers/filedigest.c -new file mode 100644 -index 0000000..c173741 ---- /dev/null -+++ b/plugins/sudoers/filedigest.c -@@ -0,0 +1,104 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "filedigest.h" -+#include "sudo_compat.h" -+#include "sudo_debug.h" -+ -+#if defined(HAVE_LIBGCRYPT) -+#include -+ -+static int sudo_filedigest_gcrypt(int fd, int algo, unsigned char **dvalue, size_t *dvalue_size) -+{ -+ char buffer[4096]; -+ gcry_md_hd_t ctx; -+ int gcry_algo; -+ debug_decl(sudo_filedigest_gcrypt, SUDO_DEBUG_UTIL); -+ -+ switch(algo) { -+ case SUDO_DIGEST_SHA224: -+ gcry_algo = GCRY_MD_SHA224; break; -+ case SUDO_DIGEST_SHA256: -+ gcry_algo = GCRY_MD_SHA256; break; -+ case SUDO_DIGEST_SHA384: -+ gcry_algo = GCRY_MD_SHA384; break; -+ case SUDO_DIGEST_SHA512: -+ gcry_algo = GCRY_MD_SHA512; break; -+ default: -+ debug_return_int(-1); -+ } -+ -+ gcry_md_open(&ctx, gcry_algo, 0); -+ -+ /* Read block of data from fd and digest them */ -+ while (1) { -+ const ssize_t read_bytes = read(fd, buffer, sizeof buffer); -+ -+ if (read_bytes < 0) { -+ /* Error */ -+ gcry_md_close(ctx); -+ debug_return_int(-1); -+ } -+ else if (read_bytes > 0) { -+ /* Some data read -- update the 
digest */ -+ gcry_md_write(ctx, buffer, (size_t)read_bytes); -+ } -+ else { -+ /* EOF */ -+ break; -+ } -+ } -+ -+ /* -+ * All data digested. Finalize the digest value. -+ */ -+ const unsigned char *value = gcry_md_read(ctx, gcry_algo); -+ -+ if (value == NULL) { -+ debug_return_int(-1); -+ } -+ -+ /* -+ * Make a copy of the digest value. The pointer -+ * returned from gcry_md_read cannot be used after -+ * gcry_md_close was called -+ */ -+ (*dvalue_size) = gcry_md_get_algo_dlen(gcry_algo); -+ (*dvalue) = malloc(*dvalue_size); -+ -+ if (*dvalue == NULL) { -+ debug_return_int(-1); -+ } -+ -+ memcpy(*dvalue, value, *dvalue_size); -+ gcry_md_close(ctx); -+ -+ debug_return_int(0); -+} -+#endif -+ -+#include -+ -+int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size) -+{ -+ int rc = -1; -+ int fd = -1; -+ debug_decl(sudo_filedigest, SUDO_DEBUG_UTIL); -+ -+ if ((fd = open(path, O_RDONLY)) < 0) { -+ debug_return_int(rc); -+ } -+ -+#if defined(HAVE_LIBGCRYPT) -+ rc = sudo_filedigest_gcrypt(fd, algo, dvalue, dvalue_size); -+ close(fd); -+#else -+ rc = -1; -+ errno = ENOTSUP; -+#endif -+ debug_return_int(rc); -+} -diff --git a/plugins/sudoers/filedigest.h b/plugins/sudoers/filedigest.h -new file mode 100644 -index 0000000..437f02f ---- /dev/null -+++ b/plugins/sudoers/filedigest.h -@@ -0,0 +1,17 @@ -+#include -+ -+#define SUDO_DIGEST_SHA224 0 -+#define SUDO_DIGEST_SHA256 1 -+#define SUDO_DIGEST_SHA384 2 -+#define SUDO_DIGEST_SHA512 3 -+#define SUDO_DIGEST_INVALID 4 -+ -+#define SUDO_SHA224_DIGEST_LENGTH 28 -+#define SUDO_SHA256_DIGEST_LENGTH 32 -+#define SUDO_SHA384_DIGEST_LENGTH 48 -+#define SUDO_SHA512_DIGEST_LENGTH 64 -+ -+/* -+ * Compute a digest of a given file. Returns 0 on success, -1 otherwise. 
-+ */ -+int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size); -diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c -index 1916bde..2a9ea4b 100644 ---- a/plugins/sudoers/match.c -+++ b/plugins/sudoers/match.c -@@ -62,6 +62,7 @@ - - #include "sudoers.h" - #include "parse.h" -+#include "filedigest.h" - #include - - #ifdef HAVE_FNMATCH -@@ -576,6 +577,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const - } - #else /* !SUDOERS_NAME_MATCH */ - -+#ifndef HAVE_LIBGCRYPT /* !!! */ - static struct digest_function { - const char *digest_name; - const unsigned int digest_len; -@@ -616,24 +618,43 @@ static struct digest_function { - NULL - } - }; -+#endif /* !HAVE_LIBGCRYPT */ -+ -+static const char *digesttype2str(int digest_type) -+{ -+ switch(digest_type) { -+ case SUDO_DIGEST_SHA224: -+ return "SHA224"; -+ case SUDO_DIGEST_SHA256: -+ return "SHA256"; -+ case SUDO_DIGEST_SHA384: -+ return "SHA384"; -+ case SUDO_DIGEST_SHA512: -+ return "SHA512"; -+ } -+ return ""; -+} - - static bool - digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - { -- unsigned char file_digest[SHA512_DIGEST_LENGTH]; -- unsigned char sudoers_digest[SHA512_DIGEST_LENGTH]; -+ unsigned char * file_digest = NULL; -+ unsigned char * sudoers_digest = NULL; -+ size_t digest_size; - unsigned char buf[32 * 1024]; -- struct digest_function *func = NULL; - #ifdef HAVE_FEXECVE - bool first = true; - bool is_script = false; - #endif /* HAVE_FEXECVE */ - size_t nread; -- SHA2_CTX ctx; - FILE *fp; - unsigned int i; - debug_decl(digest_matches, SUDOERS_DEBUG_MATCH) - -+#ifndef HAVE_LIBGCRYPT /* !!! 
*/ -+ -+ SHA2_CTX ctx; -+ struct digest_function *func = NULL; - for (i = 0; digest_functions[i].digest_name != NULL; i++) { - if (sd->digest_type == i) { - func = &digest_functions[i]; -@@ -644,9 +665,33 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - sudo_warnx(U_("unsupported digest type %d for %s"), sd->digest_type, file); - debug_return_bool(false); - } -- if (strlen(sd->digest_str) == func->digest_len * 2) { -+ -+ digest_size = func->digest_len; -+ -+ file_digest = malloc(digest_size); -+ if (file_digest == NULL) { -+ debug_return_bool(false); -+ } -+ -+#elif HAVE_LIBGCRYPT -+ -+ if (sudo_filedigest(file, sd->digest_type, -+ &file_digest, &digest_size) != 0) { -+ sudo_warnx(U_("Cannot compute digest type %d for %s"), sd->digest_type, file); -+ goto clean_up; -+ } -+ -+#endif /* !HAVE_LIBGCRYPT */ -+ -+ sudoers_digest = malloc(digest_size); -+ if (sudoers_digest == NULL) { -+ free(file_digest); -+ debug_return_bool(false); -+ } -+ -+ if (strlen(sd->digest_str) == digest_size * 2) { - /* Convert the command digest from ascii hex to binary. 
*/ -- for (i = 0; i < func->digest_len; i++) { -+ for (i = 0; i < digest_size ; i++) { - const int h = hexchar(&sd->digest_str[i + i]); - if (h == -1) - goto bad_format; -@@ -654,11 +699,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - } - } else { - size_t len = base64_decode(sd->digest_str, sudoers_digest, -- sizeof(sudoers_digest)); -- if (len != func->digest_len) { -+ digest_size); -+ if (len != digest_size) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, -- "incorrect length for digest, expected %u, got %zu", -- func->digest_len, len); -+ "incorrect length for digest, expected %zu, got %zu", -+ digest_size, len); - goto bad_format; - } - } -@@ -666,10 +711,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - if ((fp = fopen(file, "r")) == NULL) { - sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s", - file, strerror(errno)); -- debug_return_bool(false); -+ goto clean_up; - } -- -+#ifndef HAVE_LIBGCRYPT - func->init(&ctx); -+#endif /* !HAVE_LIBGCRYPT */ - while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) { - #ifdef HAVE_FEXECVE - /* Check for #! cookie and set is_script. 
*/ -@@ -679,21 +725,24 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - is_script = true; - } - #endif /* HAVE_FEXECVE */ -+#ifndef HAVE_LIBGCRYPT - func->update(&ctx, buf, nread); -+#endif /* !HAVE_LIBGCRYPT */ - } - if (ferror(fp)) { - sudo_warnx(U_("%s: read error"), file); - fclose(fp); -- debug_return_bool(false); -+ goto clean_up; - } -+#ifndef HAVE_LIBGCRYPT - func->final(file_digest, &ctx); -- -- if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) { -+#endif /* !HAVE_LIBGCRYPT */ -+ if (memcmp(file_digest, sudoers_digest, digest_size) != 0) { - fclose(fp); - sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO, - "%s digest mismatch for %s, expecting %s", -- func->digest_name, file, sd->digest_str); -- debug_return_bool(false); -+ digesttype2str(sd->digest_type), file, sd->digest_str); -+ goto clean_up; - } - - #ifdef HAVE_FEXECVE -@@ -705,7 +754,7 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s", - file, strerror(errno)); - fclose(fp); -- debug_return_bool(false); -+ goto clean_up; - } - /* - * Shell scripts go through namei twice and so we can't set the close -@@ -715,10 +764,17 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) - (void)fcntl(*fd, F_SETFD, FD_CLOEXEC); - #endif /* HAVE_FEXECVE */ - fclose(fp); -+ free(file_digest); -+ free(sudoers_digest); - debug_return_bool(true); - bad_format: - sudo_warnx(U_("digest for %s (%s) is not in %s form"), file, -- sd->digest_str, func->digest_name); -+ sd->digest_str, digesttype2str(sd->digest_type)); -+clean_up: -+ if (file_digest) -+ free(file_digest); -+ if (sudoers_digest) -+ free(sudoers_digest); - debug_return_bool(false); - } - --- -2.7.4 - diff --git a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch deleted file mode 100644 index d3991f0..0000000 --- a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From b1f3fcf8d6e9a8e5326771a12fac8e08ed81f766 Mon Sep 17 00:00:00 2001 -From: Tomas Sykora -Date: Fri, 19 Aug 2016 10:21:27 +0200 -Subject: [PATCH] Sudo with ldap doesn't work with 'user id' - -in sudoUser option. - -Rebased from: -Patch39: sudo-1.8.6p7-ldapsearchuidfix.patch - -Resolves: -rhbz#1135539 ---- - plugins/sudoers/def_data.c | 4 ++++ - plugins/sudoers/def_data.h | 2 ++ - plugins/sudoers/def_data.in | 3 +++ - plugins/sudoers/defaults.c | 2 ++ - plugins/sudoers/ldap.c | 10 ++++++++-- - plugins/sudoers/sudoers.c | 4 ++++ - 6 files changed, 23 insertions(+), 2 deletions(-) - -diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c -index d8b1ada..3926fed 100644 ---- a/plugins/sudoers/def_data.c -+++ b/plugins/sudoers/def_data.c -@@ -439,6 +439,10 @@ struct sudo_defs_types sudo_defs_table[] = { - N_("Don't fork and wait for the command to finish, just exec it"), - NULL, - }, { -+ "legacy_group_processing", T_FLAG, -+ N_("Don't pre-resolve all group names"), -+ NULL, -+ }, { - NULL, 0, NULL - } - }; -diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h -index 1b6be3d..5246e41 100644 ---- a/plugins/sudoers/def_data.h -+++ b/plugins/sudoers/def_data.h -@@ -206,6 +206,8 @@ - #define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode) - #define I_CMND_NO_WAIT 103 - #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) -+#define I_LEGACY_GROUP_PROCESSING 104 -+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) - - enum def_tuple { - never, -diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in -index 5200fe3..f1c9265 100644 ---- a/plugins/sudoers/def_data.in -+++ b/plugins/sudoers/def_data.in -@@ -325,3 +325,6 @@ iolog_mode - cmnd_no_wait - T_FLAG - "Don't fork and wait for the command to finish, just exec it" -+legacy_group_processing -+ T_FLAG -+ "Don't pre-resolve all group names" -diff --git a/plugins/sudoers/defaults.c 
b/plugins/sudoers/defaults.c -index 5eaf8ea..9e60d94 100644 ---- a/plugins/sudoers/defaults.c -+++ b/plugins/sudoers/defaults.c -@@ -450,6 +450,8 @@ init_defaults(void) - } - - /* First initialize the flags. */ -+ def_legacy_group_processing = true; -+ def_match_group_by_gid = true; - #ifdef LONG_OTP_PROMPT - def_long_otp_prompt = true; - #endif -diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c -index 3fe27c7..96a0709 100644 ---- a/plugins/sudoers/ldap.c -+++ b/plugins/sudoers/ldap.c -@@ -1666,8 +1666,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw) - if (ldap_conf.search_filter) - sz += strlen(ldap_conf.search_filter); - -- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ -- sz += 29 + sudo_ldap_value_len(pw->pw_name); -+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ -+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); - - /* Add space for primary and supplementary groups and gids */ - if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { -@@ -1730,6 +1730,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw) - CHECK_LDAP_VCAT(buf, pw->pw_name, sz); - CHECK_STRLCAT(buf, ")", sz); - -+ /* Append user uid */ -+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); -+ (void) strlcat(buf, "(sudoUser=#", sz); -+ (void) strlcat(buf, gidbuf, sz); -+ (void) strlcat(buf, ")", sz); -+ - /* Append primary group and gid */ - if (grp != NULL) { - CHECK_STRLCAT(buf, "(sudoUser=%", sz); -diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c -index 539177a..673ee5d 100644 ---- a/plugins/sudoers/sudoers.c -+++ b/plugins/sudoers/sudoers.c -@@ -208,6 +208,10 @@ sudoers_policy_init(void *info, char * const envp[]) - if (set_loginclass(runas_pw ? 
runas_pw : sudo_user.pw)) - ret = true; - -+ if (!def_match_group_by_gid || !def_legacy_group_processing) { -+ def_match_group_by_gid = false; -+ def_legacy_group_processing = false; -+ } - cleanup: - if (!restore_perms()) - ret = -1; --- -2.7.4 - diff --git a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch deleted file mode 100644 index 8d46dbe..0000000 --- a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 447b3f0c91f019c1d30b5703c61316b583f5bce1 Mon Sep 17 00:00:00 2001 -From: Tomas Sykora -Date: Mon, 15 Aug 2016 15:15:40 +0200 -Subject: [PATCH] RHEL7 failed RPMdiff testing - -Package sudo-1.8.3p1-7.el7 failed RHEL7 RPMdiff testing - -Rebased from: -Patch16: sudo-1.8.6p7-sudoldapconfman.patch - -Resolves: -rhbz#881258 ---- - doc/Makefile.in | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/doc/Makefile.in b/doc/Makefile.in -index a6f2ea2..e27c6e0 100644 ---- a/doc/Makefile.in -+++ b/doc/Makefile.in -@@ -319,10 +319,16 @@ install-doc: install-dirs - rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ - echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ - ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ -+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ -+ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ -+ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ - else \ - rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ - echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ - ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ -+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ -+ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ -+ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ - fi - - install-plugin: -@@ -336,7 +342,8 @@ uninstall: - $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ - $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ - $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ -- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) -+ 
$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ -+ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) - - splint: - --- -2.7.4 - diff --git a/SOURCES/sudoers b/SOURCES/sudoers index 2fdc62f..93e02ba 100644 --- a/SOURCES/sudoers +++ b/SOURCES/sudoers @@ -64,6 +64,14 @@ Defaults !visiblepw Defaults always_set_home Defaults match_group_by_gid +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index c8d2f64..2dd0195 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.19p2 -Release: 14%{?dist} +Version: 1.8.23 +Release: 3%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ 
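Review bot: The comment block above the new `Defaults always_query_group_plugin` line explains the pre-1.8.15 history but not what turning the option back on costs: by the comment's own description, every group name in sudoers that is not found in the system group database is handed to the group plugin, so each such entry becomes an additional plugin lookup. The same update carries a patch described as "Sudo taking a long time when user information is stored externally" (rhbz#1247591), so that trade-off deserves a sentence where an administrator editing this file will see it. I would follow `# Disable this option for new behavior.` with `# Note: every group name not found locally then costs an extra group-plugin lookup.` so the default is not left on without the reader knowing why it might matter. The sudoers hunk is complete here; the SPECS/sudo.spec section that follows is reviewed separately.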
@@ -9,74 +9,48 @@ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudoers
 Source2: sudo-ldap.conf
 Source3: sudo.conf
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
 
-BuildRequires: pam-devel
-BuildRequires: groff
-BuildRequires: openldap-devel
-BuildRequires: flex
+BuildRequires: /usr/sbin/sendmail
+BuildRequires: autoconf
+BuildRequires: automake
 BuildRequires: bison
-BuildRequires: automake autoconf libtool
-BuildRequires: audit-libs-devel libcap-devel
+BuildRequires: flex
+BuildRequires: gettext
+BuildRequires: groff
+BuildRequires: libtool
+BuildRequires: audit-libs-devel
+BuildRequires: libcap-devel
+BuildRequires: libgcrypt-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libselinux-devel
-BuildRequires: /usr/sbin/sendmail
-BuildRequires: gettext
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
 BuildRequires: zlib-devel
-BuildRequires: libgcrypt-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
-# 840980 - sudo creates a new parent process
-# Adds cmnd_no_wait Defaults option
-Patch3: sudo-1.8.6p3-nowaitopt.patch
 # 881258 - rpmdiff: added missing sudo-ldap.conf manpage
-Patch4: sudo-1.8.6p7-sudoldapconfman.patch
-# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
-Patch5: sudo-1.8.6p3-doublequotefix.patch
-# 1183818 - backport of command digest specification feature
-Patch6: sudo-1.8.6p7-digest-backport.patch
+Patch3: sudo-1.8.23-sudoldapconfman.patch
+# 1247591 - Sudo taking a long time when user information is stored externally.
+Patch4: sudo-1.8.23-legacy-group-processing.patch
 # 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
-Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch
+Patch5: sudo-1.8.23-ldapsearchuidfix.patch
 # 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
-Patch8: sudo-1.8.6p7-logsudouser.patch
-# fix upstream testsuite - disabling 2 tests, working only with non-root user
-Patch9: sudo-1.8.18-testsuitefix.patch
-# 1413160 - backport ignore_unknown_defaults flag
-Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch
-# 1424575 - backport visudo severity of the message
-Patch11: sudo-1.8.19p2-error-warning-visudo-message.patch
-# 1369856 - synchronous (real-time) writes in sudo i/o logs
-Patch12: sudo-1.8.19p2-iologflush.patch
-# 1293306 - Sudo group lookup issue.
-Patch13: sudo-1.8.19p2-lookup-issue-doc.patch
-# 1360687 - sudo rhel-7 rebase - comment11
-Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch
-# 1360687 - sudo rhel-7 rebase - comment13
-Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch
-# 1360687 - sudo rhel-7 rebase - comment13
-Patch16: sudo-1.8.19p2-lecture-boolean.patch
-# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
-Patch17: sudo-1.8.19p2-get_process_ttyname.patch
-# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
-Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch
-# 1485397 - sudo breaking who ldap and local users after upgrade
-Patch19: sudo-1.8.21-ldap-pass2-filter.patch
-# 1458696 - successful sudo -l returns non-zero if asking for other user
-Patch20: sudo-1.8.19p2-display-privs.patch
-# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input
-Patch21: sudo-1.8.19p2-iologtruncate.patch
-# 1490358 - Update use_pty and IO logging man page
-Patch22: sudo-1.8.19p2-manpage-use_pty.patch
-# 1505409 - Regression in "sudo -l" when using IPA / sssd
-Patch23: sudo-1.8.19p2-sudo-l-sssd.patch
-# 1518104 - sudo crashed: double free or corruption (fasttop)
-Patch24: sudo-1.8.19p2-sssd-double-free.patch
-# 1560657 - sudo blocks in poll() for /dev/ptmx with iolog enabled
-Patch25: sudo-1.8.19p2-iolog-zombie.patch
+Patch6: sudo-1.8.6p7-logsudouser.patch
+# 840980 - sudo creates a new parent process
+# Adds cmnd_no_wait Defaults option
+Patch7: sudo-1.8.23-nowaitopt.patch
+# 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+# This is fix of a regression in the referenced feature request. It was fixed
+# in newer versions of sudo and we backport it to prevent future regression
+# bz in RHEL. The feature itself was delivered via the rebase to 1.8.23.
+Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
+# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
+Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
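Review bot: `BuildRequires: libgcrypt-devel` is listed twice on the new side of this hunk — the added line sits directly above the kept context line — because only the old copy at the end of the list was removed; one of the two should be dropped. In the same list, `Patch6: sudo-1.8.6p7-logsudouser.patch` keeps the old `1.8.6p7` name while every other backport was renamed to the `sudo-1.8.23-` scheme, which reads as a stale entry against the new base; renaming it, or a comment saying it applies to 1.8.23 unchanged, would keep the list consistent. Dropping the explicit `Requires: libgcrypt` is fine only if the built policy plugin really links libgcrypt so rpm's automatic soname dependency takes over; that depends on the `--enable-gcrypt` switch in the `%build` hunk further down and is worth confirming in the build log.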
@@ -103,29 +77,13 @@ plugins that use %{name}.
 
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
-%patch3 -p1 -b .nowaitopt
-%patch4 -p1 -b .sudoldapconfman
-%patch5 -p1 -b .doublequotefix
-%patch6 -p1 -b .digest-backport
-%patch7 -p1 -b .ldapsearchuidfix
-%patch8 -p1 -b .logsudouser
-%patch9 -p1 -b .testsuite
-%patch10 -p1 -b .ignoreunknowndefaults
-%patch11 -p1 -b .errorwarningvisudomsg
-%patch12 -p1 -b .iologflush
-%patch13 -p1 -b .lookup
-%patch14 -p1 -b .testsuite
-%patch15 -p1 -b .fqdnafterfree
-%patch16 -p1 -b .lecture
-%patch17 -p1 -b .get_process_ttyname
-%patch18 -p1 -b .CVE-2017-1000368
-%patch19 -p1 -b .ldap-pass2-filter
-%patch20 -p1 -b .display-privs
-%patch21 -p1 -b .iologtruncate
-%patch22 -p1 -b .manpage
-%patch23 -p1 -b .sudo-l
-%patch24 -p1 -b .double-free
-%patch25 -p1 -b .iolog-zombie
+%patch3 -p1 -b .sudoldapconfman
+%patch4 -p1 -b .legacy-group-processing
+%patch5 -p1 -b .ldapsearchuidfix
+%patch6 -p1 -b .logsudouser
+%patch7 -p1 -b .nowaitopt
+%patch8 -p1 -b .pam-mgmt-ignore-errors
+%patch9 -p1 -b .defaults-double-quote-fix
 
 %build
 autoreconf -I m4 -fv --install
@@ -147,9 +105,9 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
 --with-logfac=authpriv \
 --with-pam \
 --with-pam-login \
- --with-editor=/bin/vi \
+ --with-editor=/usr/bin/vi \
 --with-env-editor \
- --with-gcrypt \
+ --enable-gcrypt \
 --with-ignore-dot \
 --with-tty-tickets \
 --with-ldap \
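Review bot: The switch from `--with-gcrypt` to `--enable-gcrypt` in the configure call has no guard, and autoconf only warns about an unrecognised `--enable-*` option instead of failing, so if the 1.8.23 configure script did not honour that spelling (or it is ever mistyped) the build would quietly proceed without libgcrypt for sudoers digest matching while the spec still pulls in libgcrypt-devel. A one-line assertion in the `%check` section that the next hunk introduces, e.g. `ldd %{buildroot}%{_libexecdir}/sudo/sudoers.so | grep -q libgcrypt` (constructed path — adjust to where the policy plugin is installed), would turn that silent fallback into a build failure. The `%patch` renumbering in the first hunk matches the `PatchN:` list above and needs nothing.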
@@ -158,32 +116,33 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
 --with-passprompt="[sudo] password for %p: " \
 --with-linux-audit \
 --with-sssd
-# --without-kerb5 \
-# --without-kerb4
+
 make
 
+%check
 make check
 
 %install
-rm -rf $RPM_BUILD_ROOT
+rm -rf %{buildroot}
 # Update README.LDAP (#736653)
 sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
 
-make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
-install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
-install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
-install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
-install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
-install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
-install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
+make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+
+chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/*
+install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo
+install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured
+install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d
+install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers
+install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf
+install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf
 
-# Remove execute permission on this script so we don't pull in perl deps
-chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+# Remove upstream sudoers file
+rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
 
-#Remove all .la files
-find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+# Remove all .la files
+find %{buildroot} -name '*.la' -exec rm -f {} ';'
 
 %find_lang sudo
 %find_lang sudoers
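Review bot: The rewritten `make install` line still builds `install_uid`, `install_gid`, `sudoers_uid` and `sudoers_gid` with backticks; since the line is being touched anyway, `install_uid=$(id -u) install_gid=$(id -g) sudoers_uid=$(id -u) sudoers_gid=$(id -g)` is the form that nests and reads better and matches the `%{buildroot}` modernisation the hunk is doing. The new `# Remove upstream sudoers file` comment says what but not why; `# Remove upstream sudoers file; ours is installed from %%{SOURCE1} above` would save the next reader a lookup (rpm expands macros inside comments, hence the doubled `%%`, the same reason the PAM heredocs below write `#%%PAM-1.0`).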
@@ -191,42 +150,44 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 cat sudo.lang sudoers.lang > sudo_all.lang
 rm sudo.lang sudoers.lang
 
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF
 #%%PAM-1.0
 auth include system-auth
 account include system-auth
 password include system-auth
 session optional pam_keyinit.so revoke
 session required pam_limits.so
+session include system-auth
 EOF
 
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
+cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF
 #%%PAM-1.0
 auth include sudo
 account include sudo
 password include sudo
 session optional pam_keyinit.so force revoke
 session required pam_limits.so
+session include sudo
 EOF
 
-
 %clean
-rm -rf $RPM_BUILD_ROOT
+rm -rf %{buildroot}
 
 %files -f sudo_all.lang
 %defattr(-,root,root)
-%attr(0440,root,root) %config(noreplace) /etc/sudoers
-%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
+%attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
 %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
-%attr(0750,root,root) %dir /etc/sudoers.d/
-%config(noreplace) /etc/pam.d/sudo
-%config(noreplace) /etc/pam.d/sudo-i
+%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/
+%config(noreplace) %{_sysconfdir}/pam.d/sudo
+%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
-%dir /var/db/sudo
-%dir /var/db/sudo/lectured
+%dir %{_localstatedir}/db/sudo
+%dir %{_localstatedir}/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
 %{_bindir}/sudoedit
+%{_bindir}/cvtsudoers
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
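Review bot: In the new `pam.d/sudo-i` snippet, `session include sudo` pulls in the entire session stack of `pam.d/sudo`, which after this change is `pam_keyinit.so revoke`, `pam_limits.so` and `system-auth`; sudo-i already lists `pam_keyinit.so force revoke` and `pam_limits.so` itself, so both modules now run twice for every `sudo -i` session. That is probably harmless for these two modules, but it is surprising to anyone tracing a session stack, and the straightforward form is to mirror the `sudo` file and add `session include system-auth` directly. The auth/account/password lines were already `include sudo` and do not gain a duplicate, so only the session line is affected.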
@@ -245,13 +206,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
+%{_mandir}/man1/cvtsudoers.1.gz
+%{_mandir}/man5/sudoers_timestamp.5.gz
 %dir %{_docdir}/sudo-%{version}
 %{_docdir}/sudo-%{version}/*
 
-
 # Make sure permissions are ok even if we're updating
 %post
-/bin/chmod 0440 /etc/sudoers || :
+/bin/chmod 0440 %{_sysconfdir}/sudoers || :
 
 %files devel
 %defattr(-,root,root,-)
@@ -260,9 +222,25 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Mon May 28 2018 Daniel Kopecek - 1.8.19p2-14
-- Fixed deadlocking after command termination when iolog is enabled
- Resolves: rhbz#1582155
+* Mon Sep 24 2018 Daniel Kopecek 1.8.23-3
+- RHEL-7.6 erratum
+ Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version
+
+* Fri Sep 21 2018 Daniel Kopecek 1.8.23-2
+- RHEL-7.6 erratum
+ Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+ Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.
+ Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets
+
+* Thu Jun 28 2018 Daniel Kopecek 1.8.23-1
+- RHEL-7.6 erratum
+ Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23)
+ Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets
+ Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.
+ Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+ Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output
+ Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented
+ Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal?
 
 * Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13
 - RHEL 7.5 erratum
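Review bot: `%{_mandir}/man1/cvtsudoers.1.gz` and `%{_mandir}/man5/sudoers_timestamp.5.gz` hard-code the compression suffix, while every sibling entry in this hunk uses a glob (`sudoedit.8*`, `visudo.8*`); the glob form survives a change of man-page compressor in the build macros, so `%{_mandir}/man1/cvtsudoers.1*` and `%{_mandir}/man5/sudoers_timestamp.5*` would keep the file list uniform and robust. The changelog hunk below needs nothing.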