diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..59b3a3b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/sudo-1.8.19p2.tar.gz diff --git a/.sudo.metadata b/.sudo.metadata new file mode 100644 index 0000000..e9bab31 --- /dev/null +++ b/.sudo.metadata @@ -0,0 +1 @@ +78868ef825e7b6db246d99160ec16fd4e4c93f3f SOURCES/sudo-1.8.19p2.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/sudo-1.6.7p5-strip.patch b/SOURCES/sudo-1.6.7p5-strip.patch new file mode 100644 index 0000000..ba00efc --- /dev/null +++ b/SOURCES/sudo-1.6.7p5-strip.patch @@ -0,0 +1,27 @@ +From 8a045c3880e06f5fcf69a73c4029d6725e17f7bc Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 13:49:25 +0200 +Subject: [PATCH 01/10] We do not strip + +rebased from: +Patch1: sudo-1.6.7p5-strip.patch +--- + install-sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install-sh b/install-sh +index 6944fba..49d383a 100755 +--- a/install-sh ++++ b/install-sh +@@ -147,7 +147,7 @@ while ${MORETODO} ; do + fi + ;; + X-s) +- STRIPIT=true ++ #STRIPIT=true + ;; + X--) + shift +-- +2.7.4 + diff --git a/SOURCES/sudo-1.7.2p1-envdebug.patch b/SOURCES/sudo-1.7.2p1-envdebug.patch new file mode 100644 index 0000000..94c719a --- /dev/null +++ b/SOURCES/sudo-1.7.2p1-envdebug.patch 
@@ -0,0 +1,27 @@ +From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 14:07:35 +0200 +Subject: [PATCH 02/10] Added "Enviroment debugging" message + +rebased from: +Patch2: sudo-1.7.2p1-envdebug.patch +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 9feddfd..39a2d86 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug, + [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])], + [ case "$enableval" in + yes) AC_MSG_RESULT(yes) +- AC_DEFINE(ENV_DEBUG) ++ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.]) + ;; + no) AC_MSG_RESULT(no) + ;; +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.18-testsuitefix.patch b/SOURCES/sudo-1.8.18-testsuitefix.patch new file mode 100644 index 0000000..6c60292 --- /dev/null +++ b/SOURCES/sudo-1.8.18-testsuitefix.patch 
@@ -0,0 +1,189 @@ +From ea44d916b9dffe0f33c3c62d1677567bf64a26b8 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Tue, 20 Sep 2016 15:07:53 +0200 +Subject: [PATCH 10/10] Fix upstream testsuite + +--- + plugins/sudoers/regress/sudoers/test2.in | 60 --------------------------- + plugins/sudoers/regress/sudoers/test2.in_ | 60 +++++++++++++++++++++++++++ + plugins/sudoers/regress/testsudoers/test3.sh | 13 ------ + plugins/sudoers/regress/testsudoers/test3.sh_ | 13 ++++++ + 4 files changed, 73 insertions(+), 73 deletions(-) + delete mode 100644 plugins/sudoers/regress/sudoers/test2.in + create mode 100644 plugins/sudoers/regress/sudoers/test2.in_ + delete mode 100755 plugins/sudoers/regress/testsudoers/test3.sh + create mode 100755 plugins/sudoers/regress/testsudoers/test3.sh_ + +diff --git a/plugins/sudoers/regress/sudoers/test2.in b/plugins/sudoers/regress/sudoers/test2.in +deleted file mode 100644 +index cfdfaa3..0000000 +--- a/plugins/sudoers/regress/sudoers/test2.in ++++ /dev/null +@@ -1,60 +0,0 @@ +-# Check quoted user name in User_Alias +-User_Alias UA1 = "foo" +-User_Alias UA2 = "foo.bar" +-User_Alias UA3 = "foo\"" +-User_Alias UA4 = "foo:bar" +-User_Alias UA5 = "foo:bar\"" +- +-# Check quoted group name in User_Alias +-User_Alias UA6 = "%baz" +-User_Alias UA7 = "%baz.biz" +- +-# Check quoted non-Unix group name in User_Alias +-User_Alias UA8 = "%:C/non UNIX 0 c" +-User_Alias UA9 = "%:C/non\'UNIX\'1 c" +-User_Alias UA10 = "%:C/non\"UNIX\"0 c" +-User_Alias UA11 = "%:C/non_UNIX_0 c" +-User_Alias UA12 = "%:C/non\'UNIX_3 c" +- +-# Check quoted user name in Runas_Alias +-Runas_Alias RA1 = "foo" +-Runas_Alias RA2 = "foo\"" +-Runas_Alias RA3 = "foo:bar" +-Runas_Alias RA4 = "foo:bar\"" +- +-# Check quoted host name in Defaults +-Defaults@"somehost" set_home +-Defaults@"quoted\"" set_home +- +-# Check quoted user name in Defaults +-Defaults:"you" set_home +-Defaults:"us\"" set_home +-Defaults:"%them" set_home +-Defaults:"%: non UNIX 0 c" set_home +-Defaults:"+net" 
set_home +- +-# Check quoted runas name in Defaults +-Defaults>"someone" set_home +-Defaults>"some one" set_home +- +-# Check quoted command in Defaults +-# XXX - not currently supported +-#Defaults!"/bin/ls -l" set_home +-#Defaults!"/bin/ls -l \"foo\"" set_home +- +-# Check quoted user, runas and host name in Cmnd_Spec +-"foo" "hosta" = ("root") ALL +-"foo.bar" "hostb" = ("root") ALL +-"foo\"" "hostc" = ("root") ALL +-"foo:bar" "hostd" = ("root") ALL +-"foo:bar\"" "hoste" = ("root") ALL +- +-# Check quoted group/netgroup name in Cmnd_Spec +-"%baz" "hosta" = ("root") ALL +-"%baz.biz" "hostb" = ("root") ALL +-"%:C/non UNIX 0 c" "hostc" = ("root") ALL +-"%:C/non\'UNIX\'1 c" "hostd" = ("root") ALL +-"%:C/non\"UNIX\"0 c" "hoste" = ("root") ALL +-"%:C/non_UNIX_0 c" "hostf" = ("root") ALL +-"%:C/non\'UNIX_3 c" "hostg" = ("root") ALL +-"+netgr" "hosth" = ("root") ALL +diff --git a/plugins/sudoers/regress/sudoers/test2.in_ b/plugins/sudoers/regress/sudoers/test2.in_ +new file mode 100644 +index 0000000..cfdfaa3 +--- /dev/null ++++ b/plugins/sudoers/regress/sudoers/test2.in_ +@@ -0,0 +1,60 @@ ++# Check quoted user name in User_Alias ++User_Alias UA1 = "foo" ++User_Alias UA2 = "foo.bar" ++User_Alias UA3 = "foo\"" ++User_Alias UA4 = "foo:bar" ++User_Alias UA5 = "foo:bar\"" ++ ++# Check quoted group name in User_Alias ++User_Alias UA6 = "%baz" ++User_Alias UA7 = "%baz.biz" ++ ++# Check quoted non-Unix group name in User_Alias ++User_Alias UA8 = "%:C/non UNIX 0 c" ++User_Alias UA9 = "%:C/non\'UNIX\'1 c" ++User_Alias UA10 = "%:C/non\"UNIX\"0 c" ++User_Alias UA11 = "%:C/non_UNIX_0 c" ++User_Alias UA12 = "%:C/non\'UNIX_3 c" ++ ++# Check quoted user name in Runas_Alias ++Runas_Alias RA1 = "foo" ++Runas_Alias RA2 = "foo\"" ++Runas_Alias RA3 = "foo:bar" ++Runas_Alias RA4 = "foo:bar\"" ++ ++# Check quoted host name in Defaults ++Defaults@"somehost" set_home ++Defaults@"quoted\"" set_home ++ ++# Check quoted user name in Defaults ++Defaults:"you" set_home ++Defaults:"us\"" set_home 
++Defaults:"%them" set_home ++Defaults:"%: non UNIX 0 c" set_home ++Defaults:"+net" set_home ++ ++# Check quoted runas name in Defaults ++Defaults>"someone" set_home ++Defaults>"some one" set_home ++ ++# Check quoted command in Defaults ++# XXX - not currently supported ++#Defaults!"/bin/ls -l" set_home ++#Defaults!"/bin/ls -l \"foo\"" set_home ++ ++# Check quoted user, runas and host name in Cmnd_Spec ++"foo" "hosta" = ("root") ALL ++"foo.bar" "hostb" = ("root") ALL ++"foo\"" "hostc" = ("root") ALL ++"foo:bar" "hostd" = ("root") ALL ++"foo:bar\"" "hoste" = ("root") ALL ++ ++# Check quoted group/netgroup name in Cmnd_Spec ++"%baz" "hosta" = ("root") ALL ++"%baz.biz" "hostb" = ("root") ALL ++"%:C/non UNIX 0 c" "hostc" = ("root") ALL ++"%:C/non\'UNIX\'1 c" "hostd" = ("root") ALL ++"%:C/non\"UNIX\"0 c" "hoste" = ("root") ALL ++"%:C/non_UNIX_0 c" "hostf" = ("root") ALL ++"%:C/non\'UNIX_3 c" "hostg" = ("root") ALL ++"+netgr" "hosth" = ("root") ALL +diff --git a/plugins/sudoers/regress/testsudoers/test3.sh b/plugins/sudoers/regress/testsudoers/test3.sh +deleted file mode 100755 +index c1251b9..0000000 +--- a/plugins/sudoers/regress/testsudoers/test3.sh ++++ /dev/null +@@ -1,13 +0,0 @@ +-#!/bin/sh +-# +-# Test #include facility +-# +- +-MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'` +-MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'` +-exec 2>&1 +-./testsudoers -U $MYUID -G $MYGID root id <&1 ++./testsudoers -U $MYUID -G $MYGID root id <= buf + sizeof(buf)) ++ break; ++ } ++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* + * Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. 
+ */ +- char *cp = strrchr(line, ')'); ++ *cp = '\0'; ++ cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -527,7 +539,8 @@ get_process_ttyname(char *name, size_t namelen) + errno = ENOENT; + + done: +- free(line); ++ if (fd != -1) ++ close(fd); + if (ret == NULL) + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to resolve tty via %s", path); diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch new file mode 100644 index 0000000..234aa8d --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-display-privs.patch @@ -0,0 +1,16 @@ +diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c +--- ./plugins/sudoers/sudo_nss.c.display-privs 2017-01-13 23:30:15.000000000 -0500 ++++ ./plugins/sudoers/sudo_nss.c 2017-08-31 07:41:02.764738698 -0400 +@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl, + sudo_lbuf_destroy(&defs); + sudo_lbuf_destroy(&privs); + +- debug_return_int(count > 0); ++/* ++ * This is ok, we return 1 which is success in this case ++ * and we don't want return failure even when there is nothing to print ++ */ ++ debug_return_int(1); + bad: + sudo_lbuf_destroy(&defs); + sudo_lbuf_destroy(&privs); diff --git a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch new file mode 100644 index 0000000..6d52342 --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch 
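Review bot: `debug_return_int(1)` makes display_privs report success even when `count` is 0, so a caller that used the old `count > 0` result to tell "privileges were listed" from "nothing to print" has lost that distinction; whether the `sudo -l` exit status depended on it is not visible in this hunk and should be confirmed against the caller before this is accepted. If unconditional success really is the intended contract, the comment should state the rule rather than "This is ok", e.g. `/* An empty listing is not an error: report success even when nothing was printed. */`, and the place where the return value is consumed should be checked for the same assumption. The added comment also sits at column 0 inside the function body; indent it like the surrounding statements. display_privs begins outside the hunk.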
@@ -0,0 +1,53 @@ +From daa728fd889680cf5294fbb0e836cade9fe1a6d8 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Wed, 22 Feb 2017 06:38:33 -0700 +Subject: [PATCH] Go back to using a Warning/Error prefix in the message + printed to stderr for alias problems. Requested by Tomas Sykora. + +--- + doc/visudo.cat | 10 +++++----- + doc/visudo.man.in | 12 ++++++------ + doc/visudo.mdoc.in | 12 ++++++------ + plugins/sudoers/regress/visudo/test2.err.ok | 2 +- + plugins/sudoers/regress/visudo/test3.err.ok | 4 ++-- + plugins/sudoers/visudo.c | 14 ++++++++++---- + 6 files changed, 30 insertions(+), 24 deletions(-) + +diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c +index 4f192b2..4793d54 100644 +--- a/plugins/sudoers/visudo.c ++++ b/plugins/sudoers/visudo.c +@@ -1137,12 +1137,17 @@ check_alias(char *name, int type, char *file, int lineno, bool strict, bool quie + } else { + if (!quiet) { + if (errno == ELOOP) { +- sudo_warnx(U_("%s:%d cycle in %s \"%s\""), ++ fprintf(stderr, strict ? ++ U_("Error: %s:%d cycle in %s \"%s\"") : ++ U_("Warning: %s:%d cycle in %s \"%s\""), + file, lineno, alias_type_to_string(type), name); + } else { +- sudo_warnx(U_("%s:%d %s \"%s\" referenced but not defined"), ++ fprintf(stderr, strict ? ++ U_("Error: %s:%d %s \"%s\" referenced but not defined") : ++ U_("Warning: %s:%d %s \"%s\" referenced but not defined"), + file, lineno, alias_type_to_string(type), name); + } ++ fputc('\n', stderr); + if (strict && errorfile == NULL) { + errorfile = rcstr_addref(file); + errorlineno = lineno; +@@ -1292,8 +1297,9 @@ print_unused(void *v1, void *v2) + { + struct alias *a = (struct alias *)v1; + +- sudo_warnx_nodebug(U_("%s:%d unused %s \"%s\""), ++ fprintf(stderr, U_("Warning: %s:%d unused %s \"%s\""), + a->file, a->lineno, alias_type_to_string(a->type), a->name); ++ fputc('\n', stderr); + return 0; + } + +-- +2.7.4 + 
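Review bot: The format argument to `fprintf` is now a runtime-selected expression (`strict ? U_("Error: …") : U_("Warning: …")`) in both the ELOOP branch and the referenced-but-not-defined branch, so `-Wformat` can no longer match the conversions to the arguments, and each message now exists twice for translators, differing only in the prefix. `sudo_warnx` also took a catalog string, but one per message; the less fragile shape prints the severity separately and keeps a single format, e.g. `fputs(strict ? U_("Error: ") : U_("Warning: "), stderr);` followed by the original `fprintf(stderr, U_("%s:%d cycle in %s \"%s\""), file, lineno, alias_type_to_string(type), name);`, which also keeps the test expectation files unchanged. check_alias begins and ends outside the hunk.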
diff --git a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch new file mode 100644 index 0000000..1c44dcc --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch 
@@ -0,0 +1,124 @@ +diff -up ./plugins/sudoers/sssd.c.fqdnafterfree ./plugins/sudoers/sssd.c +--- ./plugins/sudoers/sssd.c.fqdnafterfree 2017-01-14 05:30:15.000000000 +0100 ++++ ./plugins/sudoers/sssd.c 2017-04-25 14:23:39.655649726 +0200 +@@ -82,8 +82,8 @@ typedef void (*sss_sudo_free_values_t)(c + + struct sudo_sss_handle { + char *domainname; +- char *host; +- char *shost; ++ char *ipa_host; ++ char *ipa_shost; + struct passwd *pw; + void *ssslib; + sss_sudo_send_recv_t fn_send_recv; +@@ -385,7 +385,7 @@ sudo_sss_open(struct sudo_nss *nss) + debug_decl(sudo_sss_open, SUDOERS_DEBUG_SSSD); + + /* Create a handle container. */ +- handle = malloc(sizeof(struct sudo_sss_handle)); ++ handle = calloc(1, sizeof(struct sudo_sss_handle)); + if (handle == NULL) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(ENOMEM); +@@ -447,9 +447,6 @@ sudo_sss_open(struct sudo_nss *nss) + debug_return_int(EFAULT); + } + +- handle->domainname = NULL; +- handle->host = user_runhost; +- handle->shost = user_srunhost; + handle->pw = sudo_user.pw; + nss->handle = handle; + +@@ -458,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss) + * in sssd.conf and use it in preference to user_runhost. 
+ */ + if (strcmp(user_runhost, user_host) == 0) { +- if (get_ipa_hostname(&handle->shost, &handle->host) == -1) { ++ if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + free(handle); + debug_return_int(ENOMEM); +@@ -480,7 +477,10 @@ sudo_sss_close(struct sudo_nss *nss) + if (nss && nss->handle) { + handle = nss->handle; + sudo_dso_unload(handle->ssslib); +- free(nss->handle); ++ free(handle->ipa_host); ++ free(handle->ipa_shost); ++ free(handle); ++ nss->handle = NULL; + } + debug_return_int(0); + } +@@ -585,8 +585,9 @@ sudo_sss_checkpw(struct sudo_nss *nss, s + static int + sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched) + { +- char **val_array = NULL; +- char *val; ++ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; ++ const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost; ++ char *val, **val_array = NULL; + int ret = false, i; + debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD); + +@@ -656,8 +657,8 @@ sudo_sss_check_runas_user(struct sudo_ss + switch (val[0]) { + case '+': + sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_"); +- if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL, +- def_netgroup_tuple ? handle->shost : NULL, runas_pw->pw_name)) { ++ if (netgr_matches(val, def_netgroup_tuple ? host : NULL, ++ def_netgroup_tuple ? shost : NULL, runas_pw->pw_name)) { + sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match"); + ret = true; + } +@@ -762,7 +763,9 @@ sudo_sss_check_runas(struct sudo_sss_han + static bool + sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { +- char **val_array, *val; ++ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; ++ const char *shost = handle->ipa_shost ? 
handle->ipa_shost : user_srunhost; ++ char *val, **val_array; + int matched = UNSPEC; + bool negated; + int i; +@@ -792,9 +795,9 @@ sudo_sss_check_host(struct sudo_sss_hand + + /* match any or address or netgroup or hostname */ + if (strcmp(val, "ALL") == 0 || addr_matches(val) || +- netgr_matches(val, handle->host, handle->shost, ++ netgr_matches(val, host, shost, + def_netgroup_tuple ? handle->pw->pw_name : NULL) || +- hostname_matches(handle->shost, handle->host, val)) { ++ hostname_matches(shost, host, val)) { + + matched = negated ? false : true; + } +@@ -816,9 +819,10 @@ sudo_sss_check_host(struct sudo_sss_hand + static bool + sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { +- int ret = false; ++ const char *host = handle->ipa_host ? handle->ipa_host : user_runhost; ++ const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost; + char **val_array; +- int i; ++ int i, ret = false; + debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD); + + if (!handle || !rule) +@@ -844,8 +848,8 @@ sudo_sss_check_user(struct sudo_sss_hand + switch (*val) { + case '+': + /* Netgroup spec found, check membership. */ +- if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL, +- def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) { ++ if (netgr_matches(val, def_netgroup_tuple ? host : NULL, ++ def_netgroup_tuple ? shost : NULL, handle->pw->pw_name)) { + ret = true; + } + break; diff --git a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch new file mode 100644 index 0000000..8d304d5 --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch 
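Review bot: The `get_ipa_hostname` failure path in `sudo_sss_open` still runs `free(handle)` after `nss->handle = handle` has already been assigned (context in the preceding inner hunk), so `nss->handle` is left dangling, and the rewritten `sudo_sss_close`, which now dereferences it to free `ipa_host`/`ipa_shost` and unload `ssslib`, would act on freed memory if it is ever reached after that error. Release what the handle owns and clear the pointer there: add `free(handle->ipa_shost); free(handle->ipa_host);` before the existing `free(handle);` and `nss->handle = NULL;` after it (the switch to `calloc` makes those frees safe when nothing was allocated); whether `sudo_dso_unload(handle->ssslib)` also belongs on this path depends on code outside the hunk. The `handle->ipa_host ? handle->ipa_host : user_runhost` fallback is now repeated verbatim in three functions; a small static helper would keep them from drifting. sudo_sss_open begins and ends outside the hunk.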
@@ -0,0 +1,76 @@ +diff -ru sudo-1.8.20/src/ttyname.c sudo-1.8.20-Q/src/ttyname.c +--- sudo-1.8.20/src/ttyname.c 2017-05-10 08:38:44.000000000 -0700 ++++ sudo-1.8.20-Q/src/ttyname.c 2017-05-19 02:15:48.442705049 -0700 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2016 Todd C. Miller ++ * Copyright (c) 2012-2017 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -159,6 +159,8 @@ + + static char *ignore_devs[] = { + "/dev/fd/", ++ "/dev/mqueue/", ++ "/dev/shm/", + "/dev/stdin", + "/dev/stdout", + "/dev/stderr", +@@ -493,28 +495,35 @@ + len = getline(&line, &linesize, fp); + fclose(fp); + if (len != -1) { +- /* Field 7 is the tty dev (0 if no tty) */ +- char *cp = line; +- char *ep = line; +- const char *errstr; +- int field = 0; +- while (*++ep != '\0') { +- if (*ep == ' ') { +- *ep = '\0'; +- if (++field == 7) { +- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); +- if (errstr) { +- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, +- "%s: tty device %s: %s", path, cp, errstr); ++ /* ++ * Field 7 is the tty dev (0 if no tty). ++ * Since the process name at field 2 "(comm)" may include spaces, ++ * start at the last ')' found. ++ */ ++ char *cp = strrchr(line, ')'); ++ if (cp != NULL) { ++ char *ep = cp; ++ const char *errstr; ++ int field = 1; ++ ++ while (*++ep != '\0') { ++ if (*ep == ' ') { ++ *ep = '\0'; ++ if (++field == 7) { ++ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); ++ if (errstr) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, ++ "%s: tty device %s: %s", path, cp, errstr); ++ } ++ if (tdev > 0) { ++ errno = serrno; ++ ret = sudo_ttyname_dev(tdev, name, namelen); ++ goto done; ++ } ++ break; + } +- if (tdev > 0) { +- errno = serrno; +- ret = sudo_ttyname_dev(tdev, name, namelen); +- goto done; +- } +- break; ++ cp = ep + 1; + } +- cp = ep + 1; + } + } + } + 
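Review bot: `char *cp = strrchr(line, ')');` anchors on a buffer produced by a single `getline()` (context just above the hunk), and getline stops at the first newline, so a process name containing a newline truncates `line` inside the `(comm)` field and the last ')' found can then be one inside that name rather than the real field terminator — the same class of confusion this change fixes for spaces, since the comm field is not something sudo controls. The stronger shape is the one in the other ttyname fragment on this page: read the whole stat file with `read()` into a fixed buffer, reject it when `memchr(buf, '\0', …)` finds an embedded NUL, and only then take `strrchr(buf, ')')`; this patch file should carry that version rather than the getline-based one. `tdev` is still used after `strtonum` reports `errstr`; that is harmless only because strtonum returns 0 on error, which deserves a one-line comment such as `/* strtonum() yields 0 on error, so the tdev > 0 test below also covers errstr != NULL. */`. get_process_ttyname begins and ends outside the hunk.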
diff --git a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch new file mode 100644 index 0000000..aadb45d --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch 
@@ -0,0 +1,142 @@ +From 93cef1efac4e2b4930c23cdc35c0b916365ccabc Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Tue, 21 Feb 2017 14:56:24 +0100 +Subject: [PATCH] Add ignore_unknown_defaults flag to ignore unknown Defaults + entries in sudoers instead of producing a warning. + +Patch: sudo-1.8.19p2-ignore-unknown-defaults.patch +Resolves: +rhbz#1413160 +--- + doc/sudoers.cat | 6 ++++++ + doc/sudoers.man.in | 11 +++++++++++ + doc/sudoers.mdoc.in | 10 ++++++++++ + plugins/sudoers/def_data.c | 4 ++++ + plugins/sudoers/def_data.h | 2 ++ + plugins/sudoers/def_data.in | 3 +++ + plugins/sudoers/defaults.c | 3 ++- + 7 files changed, 38 insertions(+), 1 deletion(-) + +diff --git a/doc/sudoers.cat b/doc/sudoers.cat +index 76dbf28..50cf78a 100644 +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1071,6 +1071,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS + meaningful for the cn=defaults section. This flag is + _o_f_f by default. + ++ ignore_unknown_defaults ++ If set, ssuuddoo will not produce a warning if it ++ encounters an unknown Defaults entry in the _^Hs_^Hu_^Hd_^Ho_^He_^Hr_^Hs ++ file or an unknown sudoOption in LDAP. This flag is ++ _o_f_f by default. ++ + insults If set, ssuuddoo will insult users when they enter an + incorrect password. This flag is _o_f_f by default. + +diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in +index 8673da0..4be3760 100644 +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -2266,6 +2266,17 @@ This flag is + \fIoff\fR + by default. + .TP 18n ++ignore_unknown_defaults ++If set, ++\fBsudo\fR ++will not produce a warning if it encounters an unknown Defaults entry ++in the ++\fIsudoers\fR ++file or an unknown sudoOption in LDAP. ++This flag is ++\fIoff\fR ++by default. ++.TP 18n + insults + If set, + \fBsudo\fR +diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in +index 74b6f01..f3fe5e6 100644 +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -2124,6 +2124,16 @@ section. + This flag is + .Em off + by default. 
++.It ignore_unknown_defaults ++If set, ++.Nm sudo ++will not produce a warning if it encounters an unknown Defaults entry ++in the ++.Em sudoers ++file or an unknown sudoOption in LDAP. ++This flag is ++.Em off ++by default. + .It insults + If set, + .Nm sudo +diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c +index 3926fed..3d787c2 100644 +--- a/plugins/sudoers/def_data.c ++++ b/plugins/sudoers/def_data.c +@@ -443,6 +443,10 @@ struct sudo_defs_types sudo_defs_table[] = { + N_("Don't pre-resolve all group names"), + NULL, + }, { ++ "ignore_unknown_defaults", T_FLAG, ++ N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h +index b5e61b4..f5773a3 100644 +--- a/plugins/sudoers/def_data.h ++++ b/plugins/sudoers/def_data.h +@@ -208,6 +208,8 @@ + #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 104 + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) ++#define I_IGNORE_UNKNOWN_DEFAULTS 105 ++#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag) + + enum def_tuple { + never, +diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in +index f1c9265..8f63d70 100644 +--- a/plugins/sudoers/def_data.in ++++ b/plugins/sudoers/def_data.in +@@ -328,3 +328,6 @@ cmnd_no_wait + legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" ++ignore_unknown_defaults ++ T_FLAG ++ "Ignore unknown Defaults entries in sudoers instead of producing a warning" +diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c +index 9e60d94..5f93f80 100644 +--- a/plugins/sudoers/defaults.c ++++ b/plugins/sudoers/defaults.c +@@ -79,6 +79,7 @@ static struct strmap priorities[] = { + }; + + static struct early_default early_defaults[] = { ++ { I_IGNORE_UNKNOWN_DEFAULTS }, + 
#ifdef FQDN + { I_FQDN, true }, + #else +@@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet) + if (strcmp(name, sudo_defs_table[i].name) == 0) + debug_return_int(i); + } +- if (!quiet) { ++ if (!quiet && !def_ignore_unknown_defaults) { + if (lineno > 0) { + sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""), + file, lineno, name); +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.19p2-iologflush.patch b/SOURCES/sudo-1.8.19p2-iologflush.patch new file mode 100644 index 0000000..213566f --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-iologflush.patch 
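Review bot: `if (!quiet && !def_ignore_unknown_defaults)` silences the unknown-entry warning for every caller of find_default, and nothing in the hunk distinguishes visudo's syntax check from runtime parsing (the call sites are outside the hunk), so once the flag is on a misspelled Defaults entry — including a mistyped security option that then never takes effect — is presumably accepted without any message from `visudo -c` as well; if that is intended, the man page text should say so explicitly, otherwise visudo should keep warning regardless of the flag. Separately, `{ I_IGNORE_UNKNOWN_DEFAULTS },` in `early_defaults` leaves the second member implicitly zero while its neighbour is written `{ I_FQDN, true },`; spell it `{ I_IGNORE_UNKNOWN_DEFAULTS, false },` for consistency. find_default begins outside the hunk.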
@@ -0,0 +1,317 @@ +diff -up ./doc/sudoers.cat.orig ./doc/sudoers.cat +--- ./doc/sudoers.cat.orig 2017-03-21 13:31:00.953951199 +0100 ++++ ./doc/sudoers.cat 2017-03-21 14:14:18.679116865 +0100 +@@ -1549,6 +1549,16 @@ SSUUDDOOEERRSS OOPPTTIIOONN + will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e + ends in six or more Xs. + ++ iolog_flush If set, ssuuddoo will flush I/O log data to disk after each ++ write instead of buffering it. This makes it possible ++ to view the logs in real-time as the program is ++ executing but may significantly reduce the ++ effectiveness of I/O log compression. This flag is _o_f_f ++ by default. ++ ++ This setting is only supported by version 1.8.20 or ++ higher. ++ + iolog_group The group name to look up when setting the group ID on + new I/O log files and directories. By default, I/O log + files and directories inherit the group ID of the +@@ -2141,10 +2151,14 @@ II//OO LLOOGG FFIILLEESS + _s_t_d_e_r_r standard error to a pipe or redirected to a file + + All files other than _l_o_g are compressed in gzip format unless the +- _c_o_m_p_r_e_s_s___i_o option has been disabled. Due to buffering, the I/O log data +- will not be complete until the ssuuddoo command has completed. The output +- portion of an I/O log file can be viewed with the sudoreplay(1m) utility, +- which can also be used to list or search the available logs. ++ _c_o_m_p_r_e_s_s___i_o flag has been disabled. Due to buffering, it is not normally ++ possible to display the I/O logs in real-time as the program is executing ++ The I/O log data will not be complete until the program run by ssuuddoo has ++ exited or has been terminated by a signal. The _i_o_l_o_g___f_l_u_s_h flag can be ++ used to disable buffering, in which case I/O log data is written to disk ++ as soon as it is available. The output portion of an I/O log file can be ++ viewed with the sudoreplay(1m) utility, which can also be used to list or ++ search the available logs. 
+ + Note that user input may contain sensitive information such as passwords + (even if they are not echoed to the screen), which will be stored in the +diff -up ./doc/sudoers.man.in.orig ./doc/sudoers.man.in +--- ./doc/sudoers.man.in.orig 2017-03-21 14:22:33.804283190 +0100 ++++ ./doc/sudoers.man.in 2017-03-21 14:22:21.136664667 +0100 +@@ -3199,6 +3199,19 @@ ends in six or + more + \fRX\fRs. + .TP 18n ++iolog_flush ++If set, ++\fBsudo\fR ++will flush I/O log data to disk after each write instead of buffering it. ++This makes it possible to view the logs in real-time as the program ++is executing but may significantly reduce the effectiveness of I/O ++log compression. ++This flag is ++\fIoff\fR ++by default. ++.sp ++This setting is only supported by version 1.8.20 or higher. ++.TP 18n + iolog_group + The group name to look up when setting the group ID on new I/O log + files and directories. +@@ -4298,10 +4311,16 @@ All files other than + \fIlog\fR + are compressed in gzip format unless the + \fIcompress_io\fR +-option has been disabled. +-Due to buffering, the I/O log data will not be complete until the ++flag has been disabled. ++Due to buffering, it is not normally possible to display the I/O logs in ++real-time as the program is executing ++The I/O log data will not be complete until the program run by + \fBsudo\fR +-command has completed. ++has exited or has been terminated by a signal. ++The ++\fIiolog_flush\fR ++flag can be used to disable buffering, in which case I/O log data ++is written to disk as soon as it is available. + The output portion of an I/O log file can be viewed with the + sudoreplay(@mansectsu@) + utility, which can also be used to list or search the available logs. +diff -up ./doc/sudoers.mdoc.in.orig ./doc/sudoers.mdoc.in +--- ./doc/sudoers.mdoc.in.orig 2017-03-21 14:23:46.652089432 +0100 ++++ ./doc/sudoers.mdoc.in 2017-03-21 14:26:43.686758162 +0100 +@@ -2998,6 +2998,18 @@ overwritten unless + ends in six or + more + .Li X Ns s . 
++.It iolog_flush ++If set, ++.Nm sudo ++will flush I/O log data to disk after each write instead of buffering it. ++This makes it possible to view the logs in real-time as the program ++is executing but may significantly reduce the effectiveness of I/O ++log compression. ++This flag is ++.Em off ++by default. ++.Pp ++This setting is only supported by version 1.8.20 or higher. + .It iolog_group + The group name to look up when setting the group ID on new I/O log + files and directories. +@@ -3991,10 +4003,16 @@ All files other than + .Pa log + are compressed in gzip format unless the + .Em compress_io +-option has been disabled. +-Due to buffering, the I/O log data will not be complete until the +-.Nm sudo +-command has completed. ++flag has been disabled. ++Due to buffering, it is not normally possible to display the I/O logs in ++real-time as the program is executing ++The I/O log data will not be complete until the program run by ++.Nm sudo ++has exited or has been terminated by a signal. ++The ++.Em iolog_flush ++flag can be used to disable buffering, in which case I/O log data ++is written to disk as soon as it is available. + The output portion of an I/O log file can be viewed with the + .Xr sudoreplay @mansectsu@ + utility, which can also be used to list or search the available logs. 
+diff -up ./plugins/sudoers/def_data.c.orig ./plugins/sudoers/def_data.c +--- ./plugins/sudoers/def_data.c.orig 2017-03-21 13:24:10.682064806 +0100 ++++ ./plugins/sudoers/def_data.c 2017-03-21 13:25:09.805322057 +0100 +@@ -447,6 +447,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"), + NULL, + }, { ++ "iolog_flush", T_FLAG, ++ N_("Flush I/O log data to disk immediately instead of buffering it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up ./plugins/sudoers/def_data.h.orig ./plugins/sudoers/def_data.h +--- ./plugins/sudoers/def_data.h.orig 2017-03-21 13:25:20.489006524 +0100 ++++ ./plugins/sudoers/def_data.h 2017-03-21 13:28:09.251022290 +0100 +@@ -210,6 +210,8 @@ + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + #define I_IGNORE_UNKNOWN_DEFAULTS 105 + #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag) ++#define I_IOLOG_FLUSH 106 ++#define def_iolog_flush (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag) + + enum def_tuple { + never, +diff -up ./plugins/sudoers/def_data.in.orig ./plugins/sudoers/def_data.in +--- ./plugins/sudoers/def_data.in.orig 2017-03-21 13:28:35.115258413 +0100 ++++ ./plugins/sudoers/def_data.in 2017-03-21 13:30:03.239655739 +0100 +@@ -331,3 +331,6 @@ legacy_group_processing + ignore_unknown_defaults + T_FLAG + "Ignore unknown Defaults entries in sudoers instead of producing a warning" ++iolog_flush ++ T_FLAG ++ "Flush I/O log data to disk immediately instead of buffering it" +diff -up ./plugins/sudoers/iolog.c.orig ./plugins/sudoers/iolog.c +--- ./plugins/sudoers/iolog.c.orig 2017-03-21 13:12:39.471464160 +0100 ++++ ./plugins/sudoers/iolog.c 2017-03-21 13:21:49.279230759 +0100 +@@ -709,6 +709,7 @@ iolog_deserialize_info(struct iolog_deta + + /* + * Write the "/log" file that contains the user and command info. ++ * This file is not compressed. 
+ */ + static bool + write_info_log(char *pathbuf, size_t len, struct iolog_details *details, +@@ -747,6 +748,57 @@ write_info_log(char *pathbuf, size_t len + debug_return_bool(ret); + } + ++#ifdef HAVE_ZLIB_H ++static const char * ++gzstrerror(gzFile file) ++{ ++ int errnum; ++ ++ return gzerror(file, &errnum); ++} ++#endif /* HAVE_ZLIB_H */ ++ ++/* ++ * Write to an I/O log, compressing if iolog_compress is enabled. ++ * If def_iolog_flush is true, flush the buffer immediately. ++ */ ++static const char * ++iolog_write(const void *buf, unsigned int len, int idx) ++{ ++ const char *errstr = NULL; ++ debug_decl(iolog_write, SUDOERS_DEBUG_PLUGIN) ++ ++#ifdef HAVE_ZLIB_H ++ if (iolog_compress) { ++ if (gzwrite(io_log_files[idx].fd.g, buf, len) != (int)len) { ++ errstr = gzstrerror(io_log_files[idx].fd.g); ++ goto done; ++ } ++ if (def_iolog_flush) { ++ if (gzflush(io_log_files[idx].fd.g, Z_SYNC_FLUSH) != Z_OK) { ++ errstr = gzstrerror(io_log_files[idx].fd.g); ++ goto done; ++ } ++ } ++ } else ++#endif ++ { ++ if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) { ++ errstr = strerror(errno); ++ goto done; ++ } ++ if (def_iolog_flush) { ++ if (fflush(io_log_files[idx].fd.f) != 0) { ++ errstr = strerror(errno); ++ goto done; ++ } ++ } ++ } ++ ++done: ++ debug_return_const_str(errstr); ++} ++ + static int + sudoers_io_open(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], +@@ -914,13 +966,15 @@ sudoers_io_version(int verbose) + + /* + * Generic I/O logging function. Called by the I/O logging entry points. ++ * Returns 1 on success and -1 on error. 
+ */ + static int + sudoers_io_log(const char *buf, unsigned int len, int idx) + { + struct timeval now, delay; ++ char tbuf[1024]; + const char *errstr = NULL; +- int ret = true; ++ int ret = -1; + debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN) + + if (io_log_files[idx].fd.v == NULL) { +@@ -931,41 +985,28 @@ sudoers_io_log(const char *buf, unsigned + + gettimeofday(&now, NULL); + +-#ifdef HAVE_ZLIB_H +- if (iolog_compress) { +- if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) { +- int errnum; ++ /* Write I/O log file entry. */ ++ errstr = iolog_write(buf, len, idx); ++ if (errstr != NULL) ++ goto done; + +- errstr = gzerror(io_log_files[idx].fd.g, &errnum); +- ret = -1; +- } +- } else +-#endif +- { +- if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) { +- errstr = strerror(errno); +- ret = -1; +- } +- } ++ /* Write timing file entry. */ + sudo_timevalsub(&now, &last_time, &delay); +-#ifdef HAVE_ZLIB_H +- if (iolog_compress) { +- if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx, +- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) { +- int errnum; +- +- errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum); +- ret = -1; +- } +- } else +-#endif +- { +- if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx, +- delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) { +- errstr = strerror(errno); +- ret = -1; +- } ++ len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %f %u\n", idx, ++ delay.tv_sec + ((double)delay.tv_usec / 1000000), len); ++ if (len >= sizeof(tbuf)) { ++ /* Not actually possible due to the size of tbuf[]. */ ++ errstr = strerror(EOVERFLOW); ++ goto done; + } ++ errstr = iolog_write(tbuf, len, IOFD_TIMING); ++ if (errstr != NULL) ++ goto done; ++ ++ /* Success. */ ++ ret = 1; ++ ++done: + last_time.tv_sec = now.tv_sec; + last_time.tv_usec = now.tv_usec; + +@@ -979,7 +1020,7 @@ sudoers_io_log(const char *buf, unsigned + + /* Ignore errors if they occur if the policy says so. 
*/ + if (iolog_details.ignore_iolog_errors) +- ret = true; ++ ret = 1; + } + + debug_return_int(ret); diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch new file mode 100644 index 0000000..ee358eb --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-iologtruncate.patch 
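Review bot: `len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %f %u\n", …)` turns a negative snprintf return into a very large value; the following `len >= sizeof(tbuf)` test does catch it, but the comment "Not actually possible due to the size of tbuf[]" and the `strerror(EOVERFLOW)` string then describe the wrong failure, so either test the raw `int` result for `< 0` first or extend the comment to say the check also covers an encoding error. The new man page text says iolog_flush "will flush I/O log data to disk after each write", but `fflush()` and `gzflush(…, Z_SYNC_FLUSH)` only move data out of the user-space buffer into the kernel; that is enough for the stated real-time viewing but not for durability, so "written to the log file immediately" would be the accurate wording unless an fsync is intended. In sudoers_io_log the pre-existing context line `debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)` names the wrong function and, with the body rewritten around it, should read `debug_decl(sudoers_io_log, SUDOERS_DEBUG_PLUGIN)`. iolog_write is complete within the hunk; sudoers_io_log's closing brace is outside it.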
@@ -0,0 +1,171 @@ +diff --git a/src/exec_pty.c b/src/exec_pty.c +index 7403506..56b2899 100644 +--- a/src/exec_pty.c ++++ b/src/exec_pty.c +@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd, + int + fork_pty(struct command_details *details, int sv[], sigset_t *omask) + { ++ struct plugin_container *plugin; + struct command_status cstat; +- int io_pipe[3][2]; ++ int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } }; ++ bool interpose[3] = { false, false, false }; + sigaction_t sa; + sigset_t mask; + pid_t child; +@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) + sigaddset(&ttyblock, SIGTTIN); + sigaddset(&ttyblock, SIGTTOU); + ++ /* Determine whether any of std{in,out,err} should be logged. */ ++ TAILQ_FOREACH(plugin, &io_plugins, entries) { ++ if (plugin->u.io->log_stdin) ++ interpose[STDIN_FILENO] = true; ++ if (plugin->u.io->log_stdout) ++ interpose[STDOUT_FILENO] = true; ++ if (plugin->u.io->log_stderr) ++ interpose[STDERR_FILENO] = true; ++ } ++ + /* + * Setup stdin/stdout/stderr for child, to be duped after forking. + * In background mode there is no stdin. +@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask) + } + + /* +- * If either stdin, stdout or stderr is not a tty we use a pipe +- * to interpose ourselves instead of duping the pty fd. ++ * If stdin, stdout or stderr is not a tty and logging is enabled, ++ * use a pipe to interpose ourselves instead of using the pty fd. 
+ */ +- memset(io_pipe, 0, sizeof(io_pipe)); + if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe"); +- pipeline = true; +- if (pipe(io_pipe[STDIN_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], +- log_stdin, &iobufs); +- io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; +- } +- if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe"); +- pipeline = true; +- if (pipe(io_pipe[STDOUT_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, +- log_stdout, &iobufs); +- io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; +- } +- if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { +- sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe"); +- if (pipe(io_pipe[STDERR_FILENO]) != 0) +- sudo_fatal(U_("unable to create pipe")); +- io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, +- log_stderr, &iobufs); +- io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; ++ if (!interpose[STDIN_FILENO]) { ++ /* Not logging stdin, do not interpose. */ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdin not a tty, not logging"); ++ io_fds[SFD_STDIN] = dup(STDIN_FILENO); ++ if (io_fds[SFD_STDIN] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdin not a tty, creating a pipe"); ++ pipeline = true; ++ if (pipe(io_pipe[STDIN_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1], ++ log_stdin, &iobufs); ++ io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0]; ++ } ++ } ++ if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) { ++ if (!interpose[STDOUT_FILENO]) { ++ /* Not logging stdout, do not interpose. 
*/ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdout not a tty, not logging"); ++ io_fds[SFD_STDOUT] = dup(STDOUT_FILENO); ++ if (io_fds[SFD_STDOUT] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stdout not a tty, creating a pipe"); ++ pipeline = true; ++ if (pipe(io_pipe[STDOUT_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO, ++ log_stdout, &iobufs); ++ io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1]; ++ } ++ } ++ if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) { ++ if (!interpose[STDERR_FILENO]) { ++ /* Not logging stderr, do not interpose. */ ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stderr not a tty, not logging"); ++ io_fds[SFD_STDERR] = dup(STDERR_FILENO); ++ if (io_fds[SFD_STDERR] == -1) ++ sudo_fatal("dup"); ++ } else { ++ sudo_debug_printf(SUDO_DEBUG_INFO, ++ "stderr not a tty, creating a pipe"); ++ if (pipe(io_pipe[STDERR_FILENO]) != 0) ++ sudo_fatal(U_("unable to create pipe")); ++ io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO, ++ log_stderr, &iobufs); ++ io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1]; ++ } + } + + /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */ +@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details, + setpgid(0, self); + + /* Wire up standard fds, note that stdout/stderr may be pipes. 
*/ +- if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 || +- dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 || +- dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) +- sudo_fatal("dup2"); ++ if (io_fds[SFD_STDIN] != STDIN_FILENO) { ++ if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDIN]); ++ } ++ if (io_fds[SFD_STDOUT] != STDOUT_FILENO) { ++ if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDOUT]); ++ } ++ if (io_fds[SFD_STDERR] != STDERR_FILENO) { ++ if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1) ++ sudo_fatal("dup2"); ++ if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) ++ close(io_fds[SFD_STDERR]); ++ } + + /* Wait for parent to grant us the tty if we are foreground. */ + if (foreground && !ISSET(details->flags, CD_EXEC_BG)) { +@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details, + nanosleep(&ts, NULL); + } + +- /* We have guaranteed that the slave fd is > 2 */ ++ /* Done with the pty slave, don't leak it. */ + if (io_fds[SFD_SLAVE] != -1) + close(io_fds[SFD_SLAVE]); +- if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDIN]); +- if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDOUT]); +- if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE]) +- close(io_fds[SFD_STDERR]); + + /* Execute command; only returns on error. */ + exec_cmnd(details, cstat, errfd); diff --git a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch new file mode 100644 index 0000000..482bc6b --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch 
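Review bot: The three new `dup(STD*_FILENO)` calls in fork_pty change what happens when a standard descriptor is closed: the old code created a pipe for any non-tty standard fd, whereas `dup()` on a closed fd fails with EBADF and now reaches `sudo_fatal("dup")`, so a command started with stdin, stdout or stderr closed and no I/O logging of that stream would abort where it previously ran. If sudo guarantees elsewhere that fds 0-2 are open before fork_pty is entered (not visible here), that guarantee is what the removed `We have guaranteed that the slave fd is > 2` comment used to hint at and should be restated at the new `dup()` sites, e.g. `/* fds 0-2 are open here, so dup() cannot return a standard fd. */`; otherwise the not-logging branches need a fallback such as opening /dev/null instead of failing. fork_pty and the exec_pty child both start and end outside the hunk.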
@@ -0,0 +1,54 @@ +commit 631d458b6fc7341363a121c390e086cf676ecc83 +Author: Todd C. Miller +Date: Wed May 3 09:28:36 2017 -0600 + + Allow a tuple to be set to boolean true. Regression introduced by + refactor of set_default_entry() in sudo 1.8.18. + +diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c +index 89788477..91b47eeb 100644 +--- a/plugins/sudoers/defaults.c ++++ b/plugins/sudoers/defaults.c +@@ -238,19 +238,31 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op, + int rc; + debug_decl(parse_default_entry, SUDOERS_DEBUG_DEFAULTS) + +- if (val == NULL && !ISSET(def->type, T_FLAG)) { +- /* Check for bogus boolean usage or missing value if non-boolean. */ +- if (!ISSET(def->type, T_BOOL) || op != false) { +- if (!quiet) { +- if (lineno > 0) { +- sudo_warnx(U_("%s:%d no value specified for \"%s\""), +- file, lineno, def->name); +- } else { +- sudo_warnx(U_("%s: no value specified for \"%s\""), +- file, def->name); ++ /* ++ * If no value specified, the boolean flag must be set for non-flags. ++ * Only flags and tuples support boolean "true". ++ */ ++ if (val == NULL) { ++ switch (def->type & T_MASK) { ++ case T_FLAG: ++ break; ++ case T_TUPLE: ++ if (ISSET(def->type, T_BOOL)) ++ break; ++ /* FALLTHROUGH */ ++ default: ++ if (!ISSET(def->type, T_BOOL) || op != false) { ++ if (!quiet) { ++ if (lineno > 0) { ++ sudo_warnx(U_("%s:%d no value specified for \"%s\""), ++ file, lineno, def->name); ++ } else { ++ sudo_warnx(U_("%s: no value specified for \"%s\""), ++ file, def->name); ++ } + } ++ debug_return_bool(false); + } +- debug_return_bool(false); + } + } + diff --git a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch new file mode 100644 index 0000000..af85676 --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch 
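Review bot: The `case T_TUPLE:` branch lets a NULL `val` leave the switch for boolean-capable tuples, but nothing in the hunk shows what the rest of parse_default_entry does with `val == NULL` for a tuple, and the comment above the switch only says that flags and tuples "support boolean true"; a one-line comment at that `break`, e.g. `/* NULL val means boolean true; the tuple code below must handle it. */`, would tie the two halves together for the next reader. The commit message describes this as a regression introduced by the 1.8.18 refactor, yet no regression test accompanies the fix, so the same breakage could return unnoticed. parse_default_entry starts and ends outside the hunk.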
@@ -0,0 +1,164 @@ +diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat +--- ./doc/sudoers.cat.lookup 2017-04-25 13:17:51.073190114 +0200 ++++ ./doc/sudoers.cat 2017-04-25 13:17:51.081190069 +0200 +@@ -1140,24 +1140,39 @@ SSUUDDOOEERRSS OOPPTTIIOONN + _o_n by default. + + match_group_by_gid +- By default, when matching groups, ssuuddooeerrss will first +- resolve all the user's group IDs to group names and +- then compare those group names to any group names +- listed in the _s_u_d_o_e_r_s file. This works well on systems +- where the number of groups listed in the _s_u_d_o_e_r_s file +- is larger than the number of groups a typical user +- belongs to. On systems where group lookups are slow, +- where users may belong to a large number of groups, and +- where the number of groups listed in the _s_u_d_o_e_r_s file +- is relatively small, it may be prohibitively expensive +- and running commands via ssuuddoo may take longer than +- normal. On such systems it may be faster to use the ++ By default, ssuuddooeerrss will look up each group the user is ++ a member of by group ID to determine the group name ++ (this is only done once). The resulting list of the ++ user's group names is used when matching groups listed ++ in the _s_u_d_o_e_r_s file. This works well on systems where ++ the number of groups listed in the _s_u_d_o_e_r_s file is ++ larger than the number of groups a typical user belongs ++ to. On systems where group lookups are slow, where ++ users may belong to a large number of groups, and where ++ the number of groups listed in the _s_u_d_o_e_r_s file is ++ relatively small, it may be prohibitively expensive and ++ running commands via ssuuddoo may take longer than normal. ++ On such systems it may be faster to use the + _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's +- group IDs to group names and instead resolve all group +- names listed in the _s_u_d_o_e_r_s file, matching by group ID +- instead of by group name. 
The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag +- has no effect when _s_u_d_o_e_r_s data is stored in LDAP. +- This flag is _o_f_f by default. ++ group IDs to group names. In this case, ssuuddooeerrss must ++ look up any group name listed in the _s_u_d_o_e_r_s file and ++ use the group ID instead of the group name when ++ determining whether the user is a member of the group. ++ ++ Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group ++ database lookups performed by ssuuddooeerrss will be keyed by ++ group name as opposed to group ID. On systems where ++ there are multiple sources for the group database, it ++ is possible to have conflicting group names or group ++ IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group ++ database. On such systems, enabling or disabling ++ _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group ++ database queries are performed by name (enabled) or ID ++ (disabled), which may aid in working around group entry ++ conflicts. ++ ++ The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s ++ data is stored in LDAP. This flag is _o_f_f by default. + + This setting is only supported by version 1.8.18 or + higher. +diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in +--- ./doc/sudoers.man.in.lookup 2017-04-25 13:17:51.074190108 +0200 ++++ ./doc/sudoers.man.in 2017-04-25 13:17:51.082190064 +0200 +@@ -2423,10 +2423,12 @@ This flag is + by default. + .TP 18n + match_group_by_gid +-By default, when matching groups, ++By default, + \fBsudoers\fR +-will first resolve all the user's group IDs to group names and then +-compare those group names to any group names listed in the ++will look up each group the user is a member of by group ID to ++determine the group name (this is only done once). ++The resulting list of the user's group names is used when matching ++groups listed in the + \fIsudoers\fR + file. 
+ This works well on systems where the number of groups listed in the +@@ -2442,10 +2444,29 @@ running commands via + may take longer than normal. + On such systems it may be faster to use the + \fImatch_group_by_gid\fR +-flag to avoid resolving the user's group IDs to group names and +-instead resolve all group names listed in the ++flag to avoid resolving the user's group IDs to group names. ++In this case, ++\fBsudoers\fR ++must look up any group name listed in the + \fIsudoers\fR +-file, matching by group ID instead of by group name. ++file and use the group ID instead of the group name when determining ++whether the user is a member of the group. ++.sp ++Note that if ++\fImatch_group_by_gid\fR ++is enabled, group database lookups performed by ++\fBsudoers\fR ++will be keyed by group name as opposed to group ID. ++On systems where there are multiple sources for the group database, ++it is possible to have conflicting group names or group IDs in the local ++\fI/etc/group\fR ++file and the remote group database. ++On such systems, enabling or disabling ++\fImatch_group_by_gid\fR ++can be used to choose whether group database queries are performed ++by name (enabled) or ID (disabled), which may aid in working around ++group entry conflicts. ++.sp + The + \fImatch_group_by_gid\fR + flag has no effect when +diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in +--- ./doc/sudoers.mdoc.in.lookup 2017-04-25 13:17:51.075190102 +0200 ++++ ./doc/sudoers.mdoc.in 2017-04-25 13:17:51.082190064 +0200 +@@ -2268,10 +2268,12 @@ This flag is + .Em @mail_no_user@ + by default. + .It match_group_by_gid +-By default, when matching groups, ++By default, + .Nm +-will first resolve all the user's group IDs to group names and then +-compare those group names to any group names listed in the ++will look up each group the user is a member of by group ID to ++determine the group name (this is only done once). 
++The resulting list of the user's group names is used when matching ++groups listed in the + .Em sudoers + file. + This works well on systems where the number of groups listed in the +@@ -2287,10 +2289,29 @@ running commands via + may take longer than normal. + On such systems it may be faster to use the + .Em match_group_by_gid +-flag to avoid resolving the user's group IDs to group names and +-instead resolve all group names listed in the ++flag to avoid resolving the user's group IDs to group names. ++In this case, ++.Nm ++must look up any group name listed in the + .Em sudoers +-file, matching by group ID instead of by group name. ++file and use the group ID instead of the group name when determining ++whether the user is a member of the group. ++.Pp ++Note that if ++.Em match_group_by_gid ++is enabled, group database lookups performed by ++.Nm ++will be keyed by group name as opposed to group ID. ++On systems where there are multiple sources for the group database, ++it is possible to have conflicting group names or group IDs in the local ++.Pa /etc/group ++file and the remote group database. ++On such systems, enabling or disabling ++.Em match_group_by_gid ++can be used to choose whether group database queries are performed ++by name (enabled) or ID (disabled), which may aid in working around ++group entry conflicts. ++.Pp + The + .Em match_group_by_gid + flag has no effect when diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch new file mode 100644 index 0000000..acb4daa --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch 
@@ -0,0 +1,206 @@ +diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat +--- ./doc/sudoers.cat.manpage 2017-09-11 15:16:47.443869930 +0200 ++++ ./doc/sudoers.cat 2017-09-11 15:42:15.140500826 +0200 +@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. +- For more information, see the _I_/_O _L_O_G _F_I_L_E_S section. +- This flag is _o_f_f by default. ++ Anything sent to the standard input will be consumed, ++ regardless of whether or not the command run via ssuuddoo ++ is actually reading the standard input. This may have ++ unexpected results when using ssuuddoo in a shell script ++ that expects to process the standard input. For more ++ information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S ++ section. This flag is _o_f_f by default. + + log_output If set, ssuuddoo will run the command in a pseudo-tty and + log all output that is sent to the screen, similar to +- the script(1) command. For more information, see the +- _I_/_O _L_O_G _F_I_L_E_S section. This flag is _o_f_f by default. ++ the script(1) command. For more information about I/O ++ logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is ++ _o_f_f by default. + + log_year If set, the four-digit year will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. +@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN + not needed, this option can be disabled to reduce the + load on the LDAP server. This flag is _o_n by default. + +- use_pty If set, ssuuddoo will run the command in a pseudo-pty even +- if no I/O logging is being gone. A malicious program +- run under ssuuddoo could conceivably fork a background +- process that retains to the user's terminal device +- after the main program has finished executing. Use of +- this option will make that impossible. This flag is +- _o_f_f by default. 
++ use_pty If set, and ssuuddoo is running in a terminal, the command ++ will be run in a pseudo-pty (even if no I/O logging is ++ being done). If the ssuuddoo process is not attached to a ++ terminal, _u_s_e___p_t_y has no effect. ++ ++ A malicious program run under ssuuddoo may be capable of ++ injecting injecting commands into the user's terminal ++ or running a background process that retains access to ++ the user's terminal device even after the main program ++ has finished executing. By running the command in a ++ separate pseudo-pty, this attack is no longer possible. ++ This flag is _o_f_f by default. + + utmp_runas If set, ssuuddoo will store the name of the runas user when + updating the utmp (or utmpx) file. By default, ssuuddoo +@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT + + II//OO LLOOGG FFIILLEESS + When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty +- and log all user input and/or output. I/O is logged to the directory +- specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a +- unique session ID that is included in the ssuuddoo log line, prefixed with +- ``TSID=''. The _i_o_l_o_g___f_i_l_e option may be used to control the format of +- the session ID. ++ and log all user input and/or output, depending on which options are ++ are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r ++ option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is ++ included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e ++ option may be used to control the format of the session ID. 
+ + Each I/O log is stored in a separate directory that contains the + following files: +diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in +--- ./doc/sudoers.man.in.manpage 2017-09-11 15:16:47.444869925 +0200 ++++ ./doc/sudoers.man.in 2017-09-11 15:16:47.456869864 +0200 +@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and + If the standard input is not connected to the user's tty, due to + I/O redirection or because the command is part of a pipeline, that + input is also captured and stored in a separate log file. +-For more information, see the ++Anything sent to the standard input will be consumed, regardless of ++whether or not the command run via ++\fBsudo\fR ++is actually reading the standard input. ++This may have unexpected results when using ++\fBsudo\fR ++in a shell script that expects to process the standard input. ++For more information about I/O logging, see the + \fII/O LOG FILES\fR + section. + This flag is +@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and + to the screen, similar to the + script(1) + command. +-For more information, see the ++For more information about I/O logging, see the + \fII/O LOG FILES\fR + section. + This flag is +@@ -2934,14 +2941,24 @@ This flag is + by default. + .TP 18n + use_pty +-If set, ++If set, and + \fBsudo\fR +-will run the command in a pseudo-pty even if no I/O logging is being gone. ++is running in a terminal, the command will be run in a pseudo-pty ++(even if no I/O logging is being done). ++If the ++\fBsudo\fR ++process is not attached to a terminal, ++\fIuse_pty\fR ++has no effect. ++.sp + A malicious program run under + \fBsudo\fR +-could conceivably fork a background process that retains to the user's +-terminal device after the main program has finished executing. +-Use of this option will make that impossible. 
++may be capable of injecting injecting commands into the user's ++terminal or running a background process that retains access to the ++user's terminal device even after the main program has finished ++executing. ++By running the command in a separate pseudo-pty, this attack is ++no longer possible. + This flag is + \fIoff\fR + by default. +@@ -4281,7 +4298,8 @@ word wrap will be disabled. + .SH "I/O LOG FILES" + When I/O logging is enabled, + \fBsudo\fR +-will run the command in a pseudo-tty and log all user input and/or output. ++will run the command in a pseudo-tty and log all user input and/or output, ++depending on which options are enabled. + I/O is logged to the directory specified by the + \fIiolog_dir\fR + option +diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in +--- ./doc/sudoers.mdoc.in.manpage 2017-09-11 15:16:47.445869920 +0200 ++++ ./doc/sudoers.mdoc.in 2017-09-11 15:16:47.456869864 +0200 +@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and + If the standard input is not connected to the user's tty, due to + I/O redirection or because the command is part of a pipeline, that + input is also captured and stored in a separate log file. +-For more information, see the ++Anything sent to the standard input will be consumed, regardless of ++whether or not the command run via ++.Nm sudo ++is actually reading the standard input. ++This may have unexpected results when using ++.Nm sudo ++in a shell script that expects to process the standard input. ++For more information about I/O logging, see the + .Sx "I/O LOG FILES" + section. + This flag is +@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and + to the screen, similar to the + .Xr script 1 + command. +-For more information, see the ++For more information about I/O logging, see the + .Sx "I/O LOG FILES" + section. + This flag is +@@ -2752,14 +2759,24 @@ This flag is + .Em on + by default. 
+ .It use_pty +-If set, ++If set, and + .Nm sudo +-will run the command in a pseudo-pty even if no I/O logging is being gone. ++is running in a terminal, the command will be run in a pseudo-pty ++(even if no I/O logging is being done). ++If the ++.Nm sudo ++process is not attached to a terminal, ++.Em use_pty ++has no effect. ++.Pp + A malicious program run under + .Nm sudo +-could conceivably fork a background process that retains to the user's +-terminal device after the main program has finished executing. +-Use of this option will make that impossible. ++may be capable of injecting injecting commands into the user's ++terminal or running a background process that retains access to the ++user's terminal device even after the main program has finished ++executing. ++By running the command in a separate pseudo-pty, this attack is ++no longer possible. + This flag is + .Em off + by default. +@@ -3976,7 +3993,8 @@ word wrap will be disabled. + .Sh I/O LOG FILES + When I/O logging is enabled, + .Nm sudo +-will run the command in a pseudo-tty and log all user input and/or output. ++will run the command in a pseudo-tty and log all user input and/or output, ++depending on which options are enabled. + I/O is logged to the directory specified by the + .Em iolog_dir + option diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch new file mode 100644 index 0000000..d53eb4c --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch 
@@ -0,0 +1,44 @@
+
+# HG changeset patch
+# User Todd C. Miller
+# Date 1511893724 25200
+# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb
+# Parent b456101fe5091540e9f6429db7568fa32b6d4da8
+Avoid a double free when ipa_hostname is set in sssd.conf and it
+is an unqualified host name. From Daniel Kopecek.
+
+Also move the "unable to allocate memory" warning into get_ipa_hostname()
+itself to make it easier to see where the allocation failed in the
+debug log.
+
+diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c
+--- a/plugins/sudoers/sssd.c Tue Nov 28 09:48:43 2017 -0700
++++ b/plugins/sudoers/sssd.c Tue Nov 28 11:28:44 2017 -0700
+@@ -349,6 +349,8 @@
+ *lhostp = lhost;
+ ret = true;
+ } else {
++ sudo_warnx(U_("%s: %s"), __func__,
++ U_("unable to allocate memory"));
+ free(shost);
+ free(lhost);
+ ret = -1;
+@@ -456,7 +458,6 @@
+ */
+ if (strcmp(user_runhost, user_host) == 0) {
+ if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ free(handle);
+ debug_return_int(ENOMEM);
+ }
+@@ -478,7 +479,8 @@
+ handle = nss->handle;
+ sudo_dso_unload(handle->ssslib);
+ free(handle->ipa_host);
+- free(handle->ipa_shost);
++ if (handle->ipa_host != handle->ipa_shost)
++ free(handle->ipa_shost);
+ free(handle);
+ nss->handle = NULL;
+ }
+
diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
new file mode 100644
index 0000000..62d0cf2
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
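Review bot: The new guard `if (handle->ipa_host != handle->ipa_shost)` in the unload path compares `handle->ipa_host` after it has already been passed to `free()` on the preceding line; only the pointer value is used, but C leaves the value of a freed pointer indeterminate, so the comparison should happen before the free: `if (handle->ipa_shost != handle->ipa_host) free(handle->ipa_shost); free(handle->ipa_host);`. The aliasing rule the guard relies on, that ipa_shost may be the same allocation as ipa_host when the IPA host name is unqualified, is stated only in the commit message; the success path of get_ipa_hostname (`*lhostp = lhost`) or the handle's field declarations should carry a comment such as `/* ipa_shost may alias ipa_host; free it only once. */`. get_ipa_hostname and the unload function both extend beyond their hunks.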
@@ -0,0 +1,113 @@ +From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Wed, 15 Nov 2017 12:27:39 -0700 +Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep + checking even after we get a match since the value of doauth may depend on + evaluating all the results. From Radovan Sroka of RedHat. + +In list (-l) or verify (-v) mode, if we have a match but authentication +is required, clear FLAG_NOPASSWD so that when listpw/verifypw is +set to "all" and there are multiple sudoers sources a password will +be required unless none of the entries in all sources require +authentication. From Radovan Sroka of RedHat + +Avoid calling cmnd_matches() in list/verify mode if we already have +a match. +--- + plugins/sudoers/ldap.c | 5 ++++- + plugins/sudoers/parse.c | 10 +++++++--- + plugins/sudoers/sssd.c | 5 ++++- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index 46309cba..c5c18360 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) + (pwcheck == all && doauth != true)) { + doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate"); + } ++ if (matched == true) ++ continue; + /* Only check the command when listing another user. 
*/ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + sudo_ldap_check_command(ld, entry, NULL) == true) { + matched = true; +- break; + } + } + if (matched == true || user_uid == 0) { +@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag) + case any: + if (doauth == false) + SET(ret, FLAG_NOPASSWD); ++ else ++ CLR(ret, FLAG_NOPASSWD); + break; + default: + break; +diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c +index 749a3eb2..a12e88c5 100644 +--- a/plugins/sudoers/parse.c ++++ b/plugins/sudoers/parse.c +@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) + if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW) + continue; + TAILQ_FOREACH(cs, &priv->cmndlist, entries) { ++ if ((pwcheck == any && cs->tags.nopasswd == true) || ++ (pwcheck == all && cs->tags.nopasswd != true)) ++ nopass = cs->tags.nopasswd; ++ if (match == ALLOW) ++ continue; + /* Only check the command when listing another user. */ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + cmnd_matches(cs->cmnd) == ALLOW) + match = ALLOW; +- if ((pwcheck == any && cs->tags.nopasswd == true) || +- (pwcheck == all && cs->tags.nopasswd != true)) +- nopass = cs->tags.nopasswd; + } + } + } +@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag) + SET(validated, FLAG_CHECK_USER); + else if (nopass == true) + SET(validated, FLAG_NOPASSWD); ++ else ++ CLR(validated, FLAG_NOPASSWD); + debug_return_int(validated); + } + +diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c +index 65b4d875..09ca9fee 100644 +--- a/plugins/sudoers/sssd.c ++++ b/plugins/sudoers/sssd.c +@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) + (pwcheck == all && doauth != true)) { + doauth = !!sudo_sss_check_bool(handle, rule, "authenticate"); + } ++ if (matched == true) ++ continue; + /* Only check the command when listing another user. 
*/ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || + sudo_sss_check_command(handle, rule, NULL) == true) { + matched = true; +- break; + } + } + } +@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag) + case any: + if (doauth == false) + SET(ret, FLAG_NOPASSWD); ++ else ++ CLR(ret, FLAG_NOPASSWD); + break; + default: + break; +-- +2.14.3 + diff --git a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch new file mode 100644 index 0000000..ef2946c --- /dev/null +++ b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch @@ -0,0 +1,14 @@ +diff -up ./plugins/sudoers/regress/visudo/test2.err.ok.orig ./plugins/sudoers/regress/visudo/test2.err.ok +--- ./plugins/sudoers/regress/visudo/test2.err.ok.orig 2017-04-10 10:12:53.003000000 -0400 ++++ ./plugins/sudoers/regress/visudo/test2.err.ok 2017-04-10 10:13:36.771000000 -0400 +@@ -1 +1 @@ +-visudo: stdin:1 cycle in User_Alias "FOO" ++Error: stdin:1 cycle in User_Alias "FOO" +diff -up ./plugins/sudoers/regress/visudo/test3.err.ok.orig ./plugins/sudoers/regress/visudo/test3.err.ok +--- ./plugins/sudoers/regress/visudo/test3.err.ok.orig 2017-04-10 10:13:12.141000000 -0400 ++++ ./plugins/sudoers/regress/visudo/test3.err.ok 2017-04-10 10:13:56.842000000 -0400 +@@ -1,2 +1,2 @@ +-visudo: stdin:1 unused User_Alias "A" +-visudo: stdin:2 unused User_Alias "B" ++Warning: stdin:1 unused User_Alias "A" ++Warning: stdin:2 unused User_Alias "B" diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch new file mode 100644 index 0000000..8da9603 --- /dev/null +++ b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch 
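Review bot: The new `else CLR(ret, FLAG_NOPASSWD)` in sudo_ldap_lookup, and the same addition in sudo_sss_lookup and the `else CLR(validated, FLAG_NOPASSWD)` in sudo_file_lookup, clears a NOPASSWD result that an earlier sudoers source may already have set; for `pwcheck == all` that is the intent given in the description, but the visible `case any:` label shares this branch, and for `any` a single NOPASSWD entry in any source is supposed to be enough, so a later source holding only authenticating entries would now re-require a password. Whether a `case all:` label sits directly above (outside the hunk) and whether `any` is meant to be evaluated per source cannot be seen here; either restrict the clear, `if (doauth == false) SET(ret, FLAG_NOPASSWD); else if (pwcheck == all) CLR(ret, FLAG_NOPASSWD);`, or document the per-source semantics next to the switch in all three files. The switch statements and the enclosing lookup functions extend beyond the hunks.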
@@ -0,0 +1,19 @@
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index f21a99ee..83202e28 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
+ ldap_conf.timed ? timebuffer : "",
+ (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+ } else {
+- len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
+- (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
++ len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
+ ldap_conf.search_filter ? ldap_conf.search_filter : "",
+ query_netgroups ? "+" : "%:",
+- ldap_conf.timed ? timebuffer : "",
+- (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
++ ldap_conf.timed ? timebuffer : "");
+ }
+ if (len == -1)
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
diff --git a/SOURCES/sudo-1.8.6p3-doublequotefix.patch b/SOURCES/sudo-1.8.6p3-doublequotefix.patch
new file mode 100644
index 0000000..c028017
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-doublequotefix.patch
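Review bot: The else branch now emits the `(&...)` wrapper unconditionally, which is correct because the two `sudoUser` terms are always present and an unwrapped pair is not a valid LDAP search filter, but the branch above it (partly visible as context, still using `(ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""`) keeps building its wrapper conditionally, and nothing explains why the two branches differ; a comment such as `/* Two sudoUser terms are always present, so the AND wrapper is unconditional here. */` above the asprintf would stop the next reader from "fixing" the asymmetry. sudo_ldap_build_pass2 starts and ends outside the hunk.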
@@ -0,0 +1,46 @@ +From 1b16310c7ec5ba23fbe066c7d000016e534b4448 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Tue, 16 Aug 2016 09:54:06 +0200 +Subject: [PATCH] Double quotes are not accepted in sudoers + +Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers + +Rebased from: +Patch25: sudo-1.8.6p3-doublequotefix.patch + +Resolves: +rhbz#1092499 +--- + plugins/sudoers/toke.c | 2 +- + plugins/sudoers/toke.l | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c +index e5b4d97..3b510bb 100644 +--- a/plugins/sudoers/toke.c ++++ b/plugins/sudoers/toke.c +@@ -2385,7 +2385,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l +index b63edd0..82724aa 100644 +--- a/plugins/sudoers/toke.l ++++ b/plugins/sudoers/toke.l +@@ -185,7 +185,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.6p3-nowaitopt.patch b/SOURCES/sudo-1.8.6p3-nowaitopt.patch new file mode 100644 index 0000000..df51500 --- /dev/null +++ b/SOURCES/sudo-1.8.6p3-nowaitopt.patch 
@@ -0,0 +1,161 @@ +From 9b1f0f16bfe7552810b4adb6b17ac3674da660f9 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Mon, 15 Aug 2016 15:13:31 +0200 +Subject: [PATCH] Backport direct exec of command from sudo + +Added cmnd_no_wait option +Sudo does not run command in a new child process, +when cmnd_no_wait is enabled. + +!!! +Upstream can do that too now in 1.8.17 with combination of +pam_session, pam_setcred and use_pty option. +They must be disabled and I/O logging must not be configured. +See "man sudoers". + +rebased from: +Patch8: sudo-1.8.6p3-nowaitopt.patch + +Resolves: +rhbz#840980 +--- + plugins/sudoers/def_data.c | 4 ++++ + plugins/sudoers/def_data.h | 2 ++ + plugins/sudoers/def_data.in | 3 +++ + plugins/sudoers/policy.c | 4 ++++ + src/exec.c | 34 ++++++++++++++++++++++++++++++++++ + src/sudo.c | 5 +++++ + src/sudo.h | 1 + + 7 files changed, 53 insertions(+) + +diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c +index 00caa8b..d8b1ada 100644 +--- a/plugins/sudoers/def_data.c ++++ b/plugins/sudoers/def_data.c +@@ -435,6 +435,10 @@ struct sudo_defs_types sudo_defs_table[] = { + N_("File mode to use for the I/O log files: 0%o"), + NULL, + }, { ++ "cmnd_no_wait", T_FLAG, ++ N_("Don't fork and wait for the command to finish, just exec it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h +index d83d2c3..1b6be3d 100644 +--- a/plugins/sudoers/def_data.h ++++ b/plugins/sudoers/def_data.h +@@ -204,6 +204,8 @@ + #define def_iolog_group (sudo_defs_table[I_IOLOG_GROUP].sd_un.str) + #define I_IOLOG_MODE 102 + #define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode) ++#define I_CMND_NO_WAIT 103 ++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + + enum def_tuple { + never, +diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in +index 9f069f1..5200fe3 100644 +--- a/plugins/sudoers/def_data.in ++++ b/plugins/sudoers/def_data.in +@@ -322,3 
+322,6 @@ iolog_group + iolog_mode + T_MODE + "File mode to use for the I/O log files: 0%o" ++cmnd_no_wait ++ T_FLAG ++ "Don't fork and wait for the command to finish, just exec it" +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index 4ee1e28..93df1dd 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -564,6 +564,10 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, + if ((command_info[info_len++] = strdup("use_pty=true")) == NULL) + goto oom; + } ++ if (def_cmnd_no_wait) { ++ if ((command_info[info_len++] = strdup("cmnd_no_wait=true")) == NULL) ++ goto oom; ++ } + if (def_utmp_runas) { + if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_pw->pw_name)) == NULL) + goto oom; +diff --git a/src/exec.c b/src/exec.c +index 56da013..08bc86d 100644 +--- a/src/exec.c ++++ b/src/exec.c +@@ -384,6 +384,41 @@ sudo_execute(struct command_details *details, struct command_status *cstat) + } + + /* ++ * If we don't want to wait for the command to exit, then just exec it. ++ * THIS WILL BREAK SEVERAL THINGS including SELinux, PAM sessions and I/O ++ * logging. Implemented because of rhbz#840980 (backwards compatibility). ++ * In 1.8.x branch this is even harder to get back, since the nowait code ++ * was completely removed. 
++ */ ++ if (details->flags & CD_DONTWAIT) { ++ if (exec_setup(details, NULL, -1) == true) { ++ restore_signals(); ++ /* headed for execve() */ ++ sudo_debug_execve(SUDO_DEBUG_INFO, details->command, ++ details->argv, details->envp); ++ if (details->closefrom >= 0) { ++ closefrom(details->closefrom); ++ } ++#ifdef HAVE_SELINUX ++ if (ISSET(details->flags, CD_RBAC_ENABLED)) { ++ selinux_execve(-1, details->command, details->argv, details->envp, ++ ISSET(details->flags, CD_NOEXEC)); ++ } else ++#endif ++ { ++ sudo_execve(-1, details->command, details->argv, details->envp, ++ ISSET(details->flags, CD_NOEXEC)); ++ } ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s", ++ details->command, strerror(errno)); ++ } ++ cstat->type = CMD_ERRNO; ++ cstat->val = errno; ++ return 127; ++ } ++ ++ ++ /* + * We communicate with the child over a bi-directional pair of sockets. + * Parent sends signal info to child and child sends back wait status. + */ +diff --git a/src/sudo.c b/src/sudo.c +index 5dd090d..0606a19 100644 +--- a/src/sudo.c ++++ b/src/sudo.c +@@ -670,6 +670,11 @@ command_info_to_details(char * const info[], struct command_details *details) + sudo_fatalx(U_("%s: %s"), info[i], U_(errstr)); + break; + } ++ if (strncmp("cmnd_no_wait=", info[i], sizeof("cmnd_no_wait=") - 1) == 0) { ++ if (sudo_strtobool(info[i] + sizeof("cmnd_no_wait=") - 1) == true) ++ SET(details->flags, CD_DONTWAIT); ++ break; ++ } + break; + case 'e': + SET_FLAG("exec_background=", CD_EXEC_BG) +diff --git a/src/sudo.h b/src/sudo.h +index 3ac2c9d..f07ba11 100644 +--- a/src/sudo.h ++++ b/src/sudo.h +@@ -130,6 +130,7 @@ struct user_details { + #define CD_SUDOEDIT_FOLLOW 0x10000 + #define CD_SUDOEDIT_CHECKDIR 0x20000 + #define CD_SET_GROUPS 0x40000 ++#define CD_DONTWAIT 0x80000 + + struct preserved_fd { + TAILQ_ENTRY(preserved_fd) entries; +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.6p7-digest-backport.patch b/SOURCES/sudo-1.8.6p7-digest-backport.patch new file mode 100644 index 0000000..a814b2c 
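Review bot: The policy side emits `cmnd_no_wait=true` whenever `def_cmnd_no_wait` is set, with no check against the options the exec.c comment in this same hunk says it breaks (PAM sessions, I/O logging, use_pty), so an administrator who enables both cmnd_no_wait and log_output gets a command that runs with no I/O log and no indication why. In sudoers_policy_exec_setup the strdup should be gated, e.g. `if (def_cmnd_no_wait && !def_log_input && !def_log_output && !def_use_pty) {`, and the conflicting combination should be reported with a sudo_warnx so the loss of logging shows up in the logs rather than being silent. Separately, in the CD_DONTWAIT branch of sudo_execute, `cstat->val = errno` is read after `sudo_debug_printf`; if that helper does not preserve errno (not verifiable from the hunk) the reported error is wrong, so capturing errno into a local immediately after the exec call is safer. Both sudoers_policy_exec_setup and sudo_execute begin and end outside the hunk.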
--- /dev/null +++ b/SOURCES/sudo-1.8.6p7-digest-backport.patch 
@@ -0,0 +1,435 @@ +From c8a6eecf768d8102a9a77f5fdb5b516e571d462e Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Tue, 23 Aug 2016 13:43:08 +0200 +Subject: [PATCH] Using libgcrypt + +Using libgcrypt and not sudo implementation of SHA... + +Rebased patch of digest backport. +Added option --with-gcrypt + +Rebased from: +Patch35: sudo-1.8.6p7-digest-backport.patch + +Resolves: +rhbz#1183818 +--- + configure.ac | 16 +++++++ + plugins/sudoers/Makefile.in | 9 +++- + plugins/sudoers/filedigest.c | 104 +++++++++++++++++++++++++++++++++++++++++++ + plugins/sudoers/filedigest.h | 17 +++++++ + plugins/sudoers/match.c | 94 ++++++++++++++++++++++++++++++-------- + 5 files changed, 219 insertions(+), 21 deletions(-) + create mode 100644 plugins/sudoers/filedigest.c + create mode 100644 plugins/sudoers/filedigest.h + +diff --git a/configure.ac b/configure.ac +index 13c3c1b..54929b2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -35,6 +35,7 @@ AC_SUBST([SUDO_OBJS]) + AC_SUBST([LIBS]) + AC_SUBST([SUDO_LIBS]) + AC_SUBST([SUDOERS_LIBS]) ++AC_SUBST([LIBPARSESUDOERS_LIBS]) + AC_SUBST([STATIC_SUDOERS]) + AC_SUBST([NET_LIBS]) + AC_SUBST([AFS_LIBS]) +@@ -1517,6 +1518,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) + ;; + esac], [with_selinux=no]) + ++AC_ARG_WITH(gcrypt, [AS_HELP_STRING([--with-gcrypt], [enable libgcrypt support])], ++[case $with_gcrypt in ++ yes) ++ AC_DEFINE(HAVE_LIBGCRYPT) ++ LIBPARSESUDOERS_LIBS="${LIBPARSESUDOERS_LIBS} -lgcrypt" ++ AC_CHECK_LIB([gcrypt], [gcry_md_open], ++ [AC_DEFINE(HAVE_GCRY_MD_OPEN)]) ++ ;; ++ no) ;; ++ *) AC_MSG_ERROR(["--with-gcrypt does not take an argument."]) ++ ;; ++esac]) ++ + dnl + dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default + dnl +@@ -4344,6 +4358,8 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file + AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) + AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable 
SELinux RBAC support.]) + AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.]) ++AH_TEMPLATE(HAVE_LIBGCRYPT, [Define to 1 to enable libgcrypt support.]) ++AH_TEMPLATE(HAVE_GCRY_MD_OPEN, [Define to 1 if you have the `gcry_md_open' function.]) + AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.]) + AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) + AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) +diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in +index f36f9ef..32c0ed0 100644 +--- a/plugins/sudoers/Makefile.in ++++ b/plugins/sudoers/Makefile.in +@@ -55,6 +55,7 @@ LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la + LIBS = $(LT_LIBS) + NET_LIBS = @NET_LIBS@ + SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZLIB@ @LIBMD@ ++LIBPARSESUDOERS_LIBS = @LIBPARSESUDOERS_LIBS@ + REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@ + VISUDO_LIBS = $(NET_LIBS) @LIBMD@ + TESTSUDOERS_LIBS = $(NET_LIBS) @LIBMD@ +@@ -153,7 +154,7 @@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@ + LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \ + gram.lo match.lo match_addr.lo pwutil.lo pwutil_impl.lo \ + rcstr.lo redblack.lo sudoers_debug.lo timestr.lo \ +- toke.lo toke_util.lo ++ toke.lo toke_util.lo filedigest.lo + + SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo find_path.lo \ + gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo \ +@@ -217,7 +218,7 @@ Makefile: $(srcdir)/Makefile.in + (cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile) + + libparsesudoers.la: $(LIBPARSESUDOERS_OBJS) +- $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install ++ $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) $(LIBPARSESUDOERS_LIBS) -no-install + + sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@ + case "$(LT_LDFLAGS)" in \ +@@ -656,6 +657,10 @@ env.lo: 
$(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/env.c ++filedigest.lo: $(srcdir)/filedigest.c $(top_builddir)/config.h \ ++ $(incdir)/sudo_debug.h ++ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/filedigest.c ++filedigest.o: filedigest.lo + find_path.lo: $(srcdir)/find_path.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +diff --git a/plugins/sudoers/filedigest.c b/plugins/sudoers/filedigest.c +new file mode 100644 +index 0000000..c173741 +--- /dev/null ++++ b/plugins/sudoers/filedigest.c +@@ -0,0 +1,104 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "filedigest.h" ++#include "sudo_compat.h" ++#include "sudo_debug.h" ++ ++#if defined(HAVE_LIBGCRYPT) ++#include ++ ++static int sudo_filedigest_gcrypt(int fd, int algo, unsigned char **dvalue, size_t *dvalue_size) ++{ ++ char buffer[4096]; ++ gcry_md_hd_t ctx; ++ int gcry_algo; ++ debug_decl(sudo_filedigest_gcrypt, SUDO_DEBUG_UTIL); ++ ++ switch(algo) { ++ case SUDO_DIGEST_SHA224: ++ gcry_algo = GCRY_MD_SHA224; break; ++ case SUDO_DIGEST_SHA256: ++ gcry_algo = GCRY_MD_SHA256; break; ++ case SUDO_DIGEST_SHA384: ++ gcry_algo = GCRY_MD_SHA384; break; ++ case SUDO_DIGEST_SHA512: ++ gcry_algo = GCRY_MD_SHA512; break; ++ default: ++ debug_return_int(-1); ++ } ++ ++ gcry_md_open(&ctx, gcry_algo, 0); ++ ++ /* Read block of data from fd and digest them */ ++ while (1) { ++ const ssize_t read_bytes = read(fd, buffer, sizeof buffer); ++ ++ if (read_bytes < 0) { ++ /* Error */ ++ gcry_md_close(ctx); ++ debug_return_int(-1); ++ } ++ else if (read_bytes > 0) { ++ /* Some data read -- update the 
digest */ ++ gcry_md_write(ctx, buffer, (size_t)read_bytes); ++ } ++ else { ++ /* EOF */ ++ break; ++ } ++ } ++ ++ /* ++ * All data digested. Finalize the digest value. ++ */ ++ const unsigned char *value = gcry_md_read(ctx, gcry_algo); ++ ++ if (value == NULL) { ++ debug_return_int(-1); ++ } ++ ++ /* ++ * Make a copy of the digest value. The pointer ++ * returned from gcry_md_read cannot be used after ++ * gcry_md_close was called ++ */ ++ (*dvalue_size) = gcry_md_get_algo_dlen(gcry_algo); ++ (*dvalue) = malloc(*dvalue_size); ++ ++ if (*dvalue == NULL) { ++ debug_return_int(-1); ++ } ++ ++ memcpy(*dvalue, value, *dvalue_size); ++ gcry_md_close(ctx); ++ ++ debug_return_int(0); ++} ++#endif ++ ++#include ++ ++int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size) ++{ ++ int rc = -1; ++ int fd = -1; ++ debug_decl(sudo_filedigest, SUDO_DEBUG_UTIL); ++ ++ if ((fd = open(path, O_RDONLY)) < 0) { ++ debug_return_int(rc); ++ } ++ ++#if defined(HAVE_LIBGCRYPT) ++ rc = sudo_filedigest_gcrypt(fd, algo, dvalue, dvalue_size); ++ close(fd); ++#else ++ rc = -1; ++ errno = ENOTSUP; ++#endif ++ debug_return_int(rc); ++} +diff --git a/plugins/sudoers/filedigest.h b/plugins/sudoers/filedigest.h +new file mode 100644 +index 0000000..437f02f +--- /dev/null ++++ b/plugins/sudoers/filedigest.h +@@ -0,0 +1,17 @@ ++#include ++ ++#define SUDO_DIGEST_SHA224 0 ++#define SUDO_DIGEST_SHA256 1 ++#define SUDO_DIGEST_SHA384 2 ++#define SUDO_DIGEST_SHA512 3 ++#define SUDO_DIGEST_INVALID 4 ++ ++#define SUDO_SHA224_DIGEST_LENGTH 28 ++#define SUDO_SHA256_DIGEST_LENGTH 32 ++#define SUDO_SHA384_DIGEST_LENGTH 48 ++#define SUDO_SHA512_DIGEST_LENGTH 64 ++ ++/* ++ * Compute a digest of a given file. Returns 0 on success, -1 otherwise. 
++ */ ++int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size); +diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c +index 1916bde..2a9ea4b 100644 +--- a/plugins/sudoers/match.c ++++ b/plugins/sudoers/match.c +@@ -62,6 +62,7 @@ + + #include "sudoers.h" + #include "parse.h" ++#include "filedigest.h" + #include + + #ifdef HAVE_FNMATCH +@@ -576,6 +577,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const + } + #else /* !SUDOERS_NAME_MATCH */ + ++#ifndef HAVE_LIBGCRYPT /* !!! */ + static struct digest_function { + const char *digest_name; + const unsigned int digest_len; +@@ -616,24 +618,43 @@ static struct digest_function { + NULL + } + }; ++#endif /* !HAVE_LIBGCRYPT */ ++ ++static const char *digesttype2str(int digest_type) ++{ ++ switch(digest_type) { ++ case SUDO_DIGEST_SHA224: ++ return "SHA224"; ++ case SUDO_DIGEST_SHA256: ++ return "SHA256"; ++ case SUDO_DIGEST_SHA384: ++ return "SHA384"; ++ case SUDO_DIGEST_SHA512: ++ return "SHA512"; ++ } ++ return ""; ++} + + static bool + digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + { +- unsigned char file_digest[SHA512_DIGEST_LENGTH]; +- unsigned char sudoers_digest[SHA512_DIGEST_LENGTH]; ++ unsigned char * file_digest = NULL; ++ unsigned char * sudoers_digest = NULL; ++ size_t digest_size; + unsigned char buf[32 * 1024]; +- struct digest_function *func = NULL; + #ifdef HAVE_FEXECVE + bool first = true; + bool is_script = false; + #endif /* HAVE_FEXECVE */ + size_t nread; +- SHA2_CTX ctx; + FILE *fp; + unsigned int i; + debug_decl(digest_matches, SUDOERS_DEBUG_MATCH) + ++#ifndef HAVE_LIBGCRYPT /* !!! 
*/ ++ ++ SHA2_CTX ctx; ++ struct digest_function *func = NULL; + for (i = 0; digest_functions[i].digest_name != NULL; i++) { + if (sd->digest_type == i) { + func = &digest_functions[i]; +@@ -644,9 +665,33 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + sudo_warnx(U_("unsupported digest type %d for %s"), sd->digest_type, file); + debug_return_bool(false); + } +- if (strlen(sd->digest_str) == func->digest_len * 2) { ++ ++ digest_size = func->digest_len; ++ ++ file_digest = malloc(digest_size); ++ if (file_digest == NULL) { ++ debug_return_bool(false); ++ } ++ ++#elif HAVE_LIBGCRYPT ++ ++ if (sudo_filedigest(file, sd->digest_type, ++ &file_digest, &digest_size) != 0) { ++ sudo_warnx(U_("Cannot compute digest type %d for %s"), sd->digest_type, file); ++ goto clean_up; ++ } ++ ++#endif /* !HAVE_LIBGCRYPT */ ++ ++ sudoers_digest = malloc(digest_size); ++ if (sudoers_digest == NULL) { ++ free(file_digest); ++ debug_return_bool(false); ++ } ++ ++ if (strlen(sd->digest_str) == digest_size * 2) { + /* Convert the command digest from ascii hex to binary. 
*/ +- for (i = 0; i < func->digest_len; i++) { ++ for (i = 0; i < digest_size ; i++) { + const int h = hexchar(&sd->digest_str[i + i]); + if (h == -1) + goto bad_format; +@@ -654,11 +699,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + } + } else { + size_t len = base64_decode(sd->digest_str, sudoers_digest, +- sizeof(sudoers_digest)); +- if (len != func->digest_len) { ++ digest_size); ++ if (len != digest_size) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, +- "incorrect length for digest, expected %u, got %zu", +- func->digest_len, len); ++ "incorrect length for digest, expected %zu, got %zu", ++ digest_size, len); + goto bad_format; + } + } +@@ -666,10 +711,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + if ((fp = fopen(file, "r")) == NULL) { + sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s", + file, strerror(errno)); +- debug_return_bool(false); ++ goto clean_up; + } +- ++#ifndef HAVE_LIBGCRYPT + func->init(&ctx); ++#endif /* !HAVE_LIBGCRYPT */ + while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) { + #ifdef HAVE_FEXECVE + /* Check for #! cookie and set is_script. 
*/ +@@ -679,21 +725,24 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + is_script = true; + } + #endif /* HAVE_FEXECVE */ ++#ifndef HAVE_LIBGCRYPT + func->update(&ctx, buf, nread); ++#endif /* !HAVE_LIBGCRYPT */ + } + if (ferror(fp)) { + sudo_warnx(U_("%s: read error"), file); + fclose(fp); +- debug_return_bool(false); ++ goto clean_up; + } ++#ifndef HAVE_LIBGCRYPT + func->final(file_digest, &ctx); +- +- if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) { ++#endif /* !HAVE_LIBGCRYPT */ ++ if (memcmp(file_digest, sudoers_digest, digest_size) != 0) { + fclose(fp); + sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO, + "%s digest mismatch for %s, expecting %s", +- func->digest_name, file, sd->digest_str); +- debug_return_bool(false); ++ digesttype2str(sd->digest_type), file, sd->digest_str); ++ goto clean_up; + } + + #ifdef HAVE_FEXECVE +@@ -705,7 +754,7 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s", + file, strerror(errno)); + fclose(fp); +- debug_return_bool(false); ++ goto clean_up; + } + /* + * Shell scripts go through namei twice and so we can't set the close +@@ -715,10 +764,17 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd) + (void)fcntl(*fd, F_SETFD, FD_CLOEXEC); + #endif /* HAVE_FEXECVE */ + fclose(fp); ++ free(file_digest); ++ free(sudoers_digest); + debug_return_bool(true); + bad_format: + sudo_warnx(U_("digest for %s (%s) is not in %s form"), file, +- sd->digest_str, func->digest_name); ++ sd->digest_str, digesttype2str(sd->digest_type)); ++clean_up: ++ if (file_digest) ++ free(file_digest); ++ if (sudoers_digest) ++ free(sudoers_digest); + debug_return_bool(false); + } + +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch new file mode 100644 index 0000000..d3991f0 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch 
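Review bot: In digest_matches the libgcrypt path hashes the command by path through `sudo_filedigest(file, ...)` and only afterwards opens `file` a second time with fopen(), and it is that second descriptor that is dup'd into `*fd` for fexecve(); the removed SHA2 code hashed the very `fp` it later executed. Between the two opens the path can be replaced, so the digest check no longer binds the hashed bytes to the executed bytes. The fix is to compute the digest from the descriptor that is about to be executed: make the fd-based helper in filedigest.c the public entry point (it already takes an `int fd`), call it with `fileno(fp)` right after the fopen() and rewind, and move the `sudoers_digest` allocation and hex/base64 decode after that so the existing length checks keep working. Also in sudo_filedigest_gcrypt the return of `gcry_md_open` is never checked, `ctx` is not closed on the `value == NULL` and malloc-failure returns, and libgcrypt expects `gcry_check_version()` to have been called once before use, which does not appear anywhere in this patch. digest_matches and sudo_filedigest_gcrypt both extend beyond the shown lines.
```c
    if ((fp = fopen(file, "r")) == NULL) {
        /* … unchanged: debug message … */
        goto clean_up;
    }
#ifdef HAVE_LIBGCRYPT
    /* Hash the descriptor that is later dup'd for fexecve(), not the path. */
    if (sudo_filedigest_fd(fileno(fp), sd->digest_type,
        &file_digest, &digest_size) != 0 || fseek(fp, 0L, SEEK_SET) != 0) {
        sudo_warnx(U_("Cannot compute digest type %d for %s"), sd->digest_type, file);
        fclose(fp);
        goto clean_up;
    }
    /* … sudoers_digest allocation and hex/base64 decode, moved here unchanged … */
#endif
    /* … unchanged: fread loop, #! check, memcmp, fexecve dup … */
```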
@@ -0,0 +1,119 @@ +From b1f3fcf8d6e9a8e5326771a12fac8e08ed81f766 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 10:21:27 +0200 +Subject: [PATCH] Sudo with ldap doesn't work with 'user id' + +in sudoUser option. + +Rebased from: +Patch39: sudo-1.8.6p7-ldapsearchuidfix.patch + +Resolves: +rhbz#1135539 +--- + plugins/sudoers/def_data.c | 4 ++++ + plugins/sudoers/def_data.h | 2 ++ + plugins/sudoers/def_data.in | 3 +++ + plugins/sudoers/defaults.c | 2 ++ + plugins/sudoers/ldap.c | 10 ++++++++-- + plugins/sudoers/sudoers.c | 4 ++++ + 6 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c +index d8b1ada..3926fed 100644 +--- a/plugins/sudoers/def_data.c ++++ b/plugins/sudoers/def_data.c +@@ -439,6 +439,10 @@ struct sudo_defs_types sudo_defs_table[] = { + N_("Don't fork and wait for the command to finish, just exec it"), + NULL, + }, { ++ "legacy_group_processing", T_FLAG, ++ N_("Don't pre-resolve all group names"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h +index 1b6be3d..5246e41 100644 +--- a/plugins/sudoers/def_data.h ++++ b/plugins/sudoers/def_data.h +@@ -206,6 +206,8 @@ + #define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode) + #define I_CMND_NO_WAIT 103 + #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 104 ++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + + enum def_tuple { + never, +diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in +index 5200fe3..f1c9265 100644 +--- a/plugins/sudoers/def_data.in ++++ b/plugins/sudoers/def_data.in +@@ -325,3 +325,6 @@ iolog_mode + cmnd_no_wait + T_FLAG + "Don't fork and wait for the command to finish, just exec it" ++legacy_group_processing ++ T_FLAG ++ "Don't pre-resolve all group names" +diff --git a/plugins/sudoers/defaults.c 
b/plugins/sudoers/defaults.c +index 5eaf8ea..9e60d94 100644 +--- a/plugins/sudoers/defaults.c ++++ b/plugins/sudoers/defaults.c +@@ -450,6 +450,8 @@ init_defaults(void) + } + + /* First initialize the flags. */ ++ def_legacy_group_processing = true; ++ def_match_group_by_gid = true; + #ifdef LONG_OTP_PROMPT + def_long_otp_prompt = true; + #endif +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index 3fe27c7..96a0709 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -1666,8 +1666,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw) + if (ldap_conf.search_filter) + sz += strlen(ldap_conf.search_filter); + +- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ +- sz += 29 + sudo_ldap_value_len(pw->pw_name); ++ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ ++ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); + + /* Add space for primary and supplementary groups and gids */ + if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { +@@ -1730,6 +1730,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw) + CHECK_LDAP_VCAT(buf, pw->pw_name, sz); + CHECK_STRLCAT(buf, ")", sz); + ++ /* Append user uid */ ++ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); ++ (void) strlcat(buf, "(sudoUser=#", sz); ++ (void) strlcat(buf, gidbuf, sz); ++ (void) strlcat(buf, ")", sz); ++ + /* Append primary group and gid */ + if (grp != NULL) { + CHECK_STRLCAT(buf, "(sudoUser=%", sz); +diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c +index 539177a..673ee5d 100644 +--- a/plugins/sudoers/sudoers.c ++++ b/plugins/sudoers/sudoers.c +@@ -208,6 +208,10 @@ sudoers_policy_init(void *info, char * const envp[]) + if (set_loginclass(runas_pw ? 
runas_pw : sudo_user.pw)) + ret = true; + ++ if (!def_match_group_by_gid || !def_legacy_group_processing) { ++ def_match_group_by_gid = false; ++ def_legacy_group_processing = false; ++ } + cleanup: + if (!restore_perms()) + ret = -1; +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch new file mode 100644 index 0000000..c3742a0 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch 
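Review bot: The three new strlcat() calls that append `(sudoUser=#uid)` in sudo_ldap_build_pass1 discard their return value with `(void)`, while the neighbouring appends use `CHECK_STRLCAT`/`CHECK_LDAP_VCAT`, which by their names treat truncation as an error. The size bump of `12 + MAX_UID_T_LEN` should cover it, but a silently truncated filter would be sent to the LDAP server as-is, so keep the fail-closed style: `CHECK_STRLCAT(buf, "(sudoUser=#", sz);`, `CHECK_STRLCAT(buf, gidbuf, sz);`, `CHECK_STRLCAT(buf, ")", sz);`. The uid is also formatted into `gidbuf`, whose size is declared outside the hunk; it is worth confirming it holds at least MAX_UID_T_LEN + 1 bytes. sudo_ldap_build_pass1 begins and ends outside the hunk.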
@@ -0,0 +1,90 @@ +From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Wed, 17 Aug 2016 10:12:11 +0200 +Subject: [PATCH] Sudo logs username root instead of realuser + +RHEL7 sudo logs username root instead of realuser in /var/log/secure + +Rebased from: +Patch50: sudo-1.8.6p7-logsudouser.patch + +Resolves: +rhbz#1312486 +--- + plugins/sudoers/logging.c | 14 +++++++------- + plugins/sudoers/sudoers.h | 1 + + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 45cae67..74b2220 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg) + * Log the full line, breaking into multiple syslog(3) calls if necessary + */ + fmt = _("%8s : %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + for (p = msg; *p != '\0'; ) { + len = strlen(p); + if (len > maxlen) { +@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg) + save = *tmp; + *tmp = '\0'; + +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + + *tmp = save; /* restore saved character */ + +@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg) + for (p = tmp; *p == ' '; p++) + continue; + } else { +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + p += len; + } + fmt = _("%8s : (command continued) %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + } + + sudoers_setlocale(oldlocale, NULL); +@@ -179,10 +179,10 @@ do_logfile(const char *msg) + timestr = "invalid date"; + if (def_log_host) { + len = asprintf(&full_line, "%s : %s : HOST=%s : %s", +- timestr, user_name, user_srunhost, msg); ++ timestr, sudo_user_name, user_srunhost, msg); + } else { + len = asprintf(&full_line, "%s : %s : %s", 
+- timestr, user_name, msg); ++ timestr, sudo_user_name, msg); + } + if (len == -1) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...) + + if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL) + timestr = "invalid date"; +- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name); ++ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name); + va_start(ap, fmt); + (void) vfprintf(mail, fmt, ap); + va_end(ap); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index cfd5abb..c69a043 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -180,6 +180,7 @@ struct sudo_user { + /* + * Shortcuts for sudo_user contents. + */ ++#define sudo_user_name (sudo_user.pw->pw_name) + #define user_name (sudo_user.name) + #define user_uid (sudo_user.uid) + #define user_gid (sudo_user.gid) +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch new file mode 100644 index 0000000..8d46dbe --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch 
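Review bot: The new `sudo_user_name` macro dereferences `sudo_user.pw` unconditionally, and it is now used on every syslog, logfile and mail path in logging.c. If any of those paths can run before the invoking user's passwd entry has been resolved (for example an early failure reported through log_warning), this becomes a NULL dereference inside the policy plugin; the ordering cannot be confirmed from the hunk. A defensive form that keeps the intended behaviour is `#define sudo_user_name (sudo_user.pw != NULL ? sudo_user.pw->pw_name : sudo_user.name)`. The functions touched in logging.c all start and end outside the hunk.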
@@ -0,0 +1,50 @@ +From 447b3f0c91f019c1d30b5703c61316b583f5bce1 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Mon, 15 Aug 2016 15:15:40 +0200 +Subject: [PATCH] RHEL7 failed RPMdiff testing + +Package sudo-1.8.3p1-7.el7 failed RHEL7 RPMdiff testing + +Rebased from: +Patch16: sudo-1.8.6p7-sudoldapconfman.patch + +Resolves: +rhbz#881258 +--- + doc/Makefile.in | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/doc/Makefile.in b/doc/Makefile.in +index a6f2ea2..e27c6e0 100644 +--- a/doc/Makefile.in ++++ b/doc/Makefile.in +@@ -319,10 +319,16 @@ install-doc: install-dirs + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ + else \ + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ + fi + + install-plugin: +@@ -336,7 +342,8 @@ uninstall: + $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ + $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ + $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ +- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) ++ 
$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) + + splint: + +-- +2.7.4 + diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf new file mode 100644 index 0000000..d8f8e4d --- /dev/null +++ b/SOURCES/sudo-ldap.conf 
@@ -0,0 +1,86 @@
+## BINDDN DN
+## The BINDDN parameter specifies the identity, in the form of a Dis‐
+## tinguished Name (DN), to use when performing LDAP operations. If
+## not specified, LDAP operations are performed with an anonymous
+## identity. By default, most LDAP servers will allow anonymous
+## access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+## The BINDPW parameter specifies the password to use when performing
+## LDAP operations. This is typically used in conjunction with the
+## BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+## If the SSL parameter is set to start_tls, the LDAP server connec‐
+## tion is initiated normally and TLS encryption is begun before the
+## bind credentials are sent. This has the advantage of not requiring
+## a dedicated port for encrypted communications. This parameter is
+## only supported by LDAP servers that honor the start_tls extension,
+## such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+## The path to a certificate authority bundle which contains the cer‐
+## tificates for all the Certificate Authorities the client knows to
+## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
+## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
+## use the same certificate database for CA and client certificates
+## (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+## cated to be verified. If the server's TLS certificate cannot be
+## verified (usually because it is signed by an unknown certificate
+## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
+## is disabled, no check is made. Note that disabling the check cre‐
+## ates an opportunity for man-in-the-middle attacks since the
+## server's identity will not be authenticated. If possible, the CA's
+## certificate should be installed locally so it can be verified.
+## This option is not supported by the Tivoli Directory Server LDAP
+## libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+## Specifies a whitespace-delimited list of one or more
+## URIs describing the LDAP server(s) to connect to.
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+## The base DN to use when performing sudo LDAP queries.
+## Multiple SUDOERS_BASE lines may be specified, in which
+## case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+## The BIND_TIMELIMIT parameter specifies the amount of
+## time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+## The TIMELIMIT parameter specifies the amount of time
+## to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+## This sets the debug level for sudo LDAP queries. Debugging
+## information is printed to the standard error. A value of 1
+## results in a moderate amount of debugging information.
+## A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf
new file mode 100644
index 0000000..3047842
--- /dev/null
+++ b/SOURCES/sudo.conf
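Review bot: The file documents `bindpw` but nowhere says that the password sits in the file in cleartext and that the file must stay unreadable to unprivileged users; the spec in this same commit installs it `0640 root:root`, so a line such as `## This file may hold a cleartext bind password; keep it mode 0640, owner root.` above the BINDPW block would make that requirement visible to whoever edits it. With `ssl`, `tls_checkpeer` and `uri` all commented out, an admin who uncomments only `binddn`, `bindpw` and `uri ldap://…` sends the bind password unencrypted, so the URI block should state that `ssl start_tls` or an `ldaps://` URI is needed to protect it. The TLS_CHECKPEER paragraph has a typo, `certifi‐ cated` for `certificate`, and the `‐` characters at line ends are hyphenation artifacts copied from the rendered man page; plain `-` or rewrapped lines would avoid them.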
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
new file mode 100644
index 0000000..2fdc62f
--- /dev/null
+++ b/SOURCES/sudoers
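Review bot: `Set disable_coredump false` reverses the default the comment block above it describes, and the one-line rationale about `/proc/sys/fs/suid_dumpable` does not tell the reader what that means in practice: as far as I know the kernel still refuses core dumps from the setuid sudo binary while `suid_dumpable` is 0, so this setting only takes effect once an admin raises that sysctl, and a sudo core image can then include the password just read from the terminal. A comment such as `# Core dumps stay blocked while fs.suid_dumpable=0; raising it lets a sudo core contain the password buffer` would state that trade-off next to the setting. Two comment typos in the same file: `own passpass program` should read `askpass`, and `support C or its equivalent` in the noexec block looks like a lost word (I believe upstream names the preload mechanism there).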
@@ -0,0 +1,112 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults env_keep += "HOME"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
new file mode 100644
index 0000000..01af92f
--- /dev/null
+++ b/SPECS/sudo.spec
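Review bot: `Defaults match_group_by_gid` is added with no comment, unlike `!visiblepw` and `always_set_home`, whose rationale is spelled out above them, and it changes how every `%group` rule in this file is matched. The spec's changelog in this same commit lists `rhbz#1123526 - performance improvement` for the 1.8.19p2 rebase, which is presumably the motivation, so a line such as `# Match sudoers groups by gid rather than by name (group lookup performance, rhbz#1123526)` would record it; the sudoers(5) consequence that a group named in this file must then resolve to a gid on the host is worth confirming and noting in the same comment. The `always_set_home` comment also carries a doubled word, `when the the env_reset`.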
@@ -0,0 +1,1013 @@ +Summary: Allows restricted root access for specified users +Name: sudo +Version: 1.8.19p2 +Release: 13%{?dist} +License: ISC +Group: Applications/System +URL: http://www.courtesan.com/sudo/ +Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz +Source1: sudoers +Source2: sudo-ldap.conf +Source3: sudo.conf +Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt + +BuildRequires: pam-devel +BuildRequires: groff +BuildRequires: openldap-devel +BuildRequires: flex +BuildRequires: bison +BuildRequires: automake autoconf libtool +BuildRequires: audit-libs-devel libcap-devel +BuildRequires: libgcrypt-devel +BuildRequires: libselinux-devel +BuildRequires: /usr/sbin/sendmail +BuildRequires: gettext +BuildRequires: zlib-devel +BuildRequires: libgcrypt-devel + +# don't strip +Patch1: sudo-1.6.7p5-strip.patch +# configure.in fix +Patch2: sudo-1.7.2p1-envdebug.patch +# 840980 - sudo creates a new parent process +# Adds cmnd_no_wait Defaults option +Patch3: sudo-1.8.6p3-nowaitopt.patch +# 881258 - rpmdiff: added missing sudo-ldap.conf manpage +Patch4: sudo-1.8.6p7-sudoldapconfman.patch +# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers +Patch5: sudo-1.8.6p3-doublequotefix.patch +# 1183818 - backport of command digest specification feature +Patch6: sudo-1.8.6p7-digest-backport.patch +# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option +Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch +# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure +Patch8: sudo-1.8.6p7-logsudouser.patch +# fix upstream testsuite - disabling 2 tests, working only with non-root user +Patch9: sudo-1.8.18-testsuitefix.patch +# 1413160 - backport ignore_unknown_defaults flag +Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch +# 1424575 - backport visudo severity of the message +Patch11: 
sudo-1.8.19p2-error-warning-visudo-message.patch +# 1369856 - synchronous (real-time) writes in sudo i/o logs +Patch12: sudo-1.8.19p2-iologflush.patch +# 1293306 - Sudo group lookup issue. +Patch13: sudo-1.8.19p2-lookup-issue-doc.patch +# 1360687 - sudo rhel-7 rebase - comment11 +Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch +# 1360687 - sudo rhel-7 rebase - comment13 +Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch +# 1360687 - sudo rhel-7 rebase - comment13 +Patch16: sudo-1.8.19p2-lecture-boolean.patch +# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing +Patch17: sudo-1.8.19p2-get_process_ttyname.patch +# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367) +Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch +# 1485397 - sudo breaking who ldap and local users after upgrade +Patch19: sudo-1.8.21-ldap-pass2-filter.patch +# 1458696 - successful sudo -l returns non-zero if asking for other user +Patch20: sudo-1.8.19p2-display-privs.patch +# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input +Patch21: sudo-1.8.19p2-iologtruncate.patch +# 1490358 - Update use_pty and IO logging man page +Patch22: sudo-1.8.19p2-manpage-use_pty.patch +# 1505409 - Regression in "sudo -l" when using IPA / sssd +Patch23: sudo-1.8.19p2-sudo-l-sssd.patch +# 1518104 - sudo crashed: double free or corruption (fasttop) +Patch24: sudo-1.8.19p2-sssd-double-free.patch + +%description +Sudo (superuser do) allows a system administrator to give certain +users (or groups of users) the ability to run some (or all) commands +as root while logging all commands and arguments. Sudo operates on a +per-command basis. It is not a replacement for the shell. 
Features +include: the ability to restrict what commands a user may run on a +per-host basis, copious logging of each command (providing a clear +audit trail of who did what), a configurable timeout of the sudo +command, and the ability to use the same configuration file (sudoers) +on many different machines. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains header files developing sudo +plugins that use %{name}. + +%prep +%setup -q + +%patch1 -p1 -b .strip +%patch2 -p1 -b .envdebug +%patch3 -p1 -b .nowaitopt +%patch4 -p1 -b .sudoldapconfman +%patch5 -p1 -b .doublequotefix +%patch6 -p1 -b .digest-backport +%patch7 -p1 -b .ldapsearchuidfix +%patch8 -p1 -b .logsudouser +%patch9 -p1 -b .testsuite +%patch10 -p1 -b .ignoreunknowndefaults +%patch11 -p1 -b .errorwarningvisudomsg +%patch12 -p1 -b .iologflush +%patch13 -p1 -b .lookup +%patch14 -p1 -b .testsuite +%patch15 -p1 -b .fqdnafterfree +%patch16 -p1 -b .lecture +%patch17 -p1 -b .get_process_ttyname +%patch18 -p1 -b .CVE-2017-1000368 +%patch19 -p1 -b .ldap-pass2-filter +%patch20 -p1 -b .display-privs +%patch21 -p1 -b .iologtruncate +%patch22 -p1 -b .manpage +%patch23 -p1 -b .sudo-l +%patch24 -p1 -b .double-free + +%build +autoreconf -I m4 -fv --install + +%ifarch s390 s390x sparc64 +F_PIE=-fPIE +%else +F_PIE=-fpie +%endif + +export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755 + +%configure \ + --prefix=%{_prefix} \ + --sbindir=%{_sbindir} \ + --libdir=%{_libdir} \ + --docdir=%{_datadir}/doc/%{name}-%{version} \ + --with-logging=syslog \ + --with-logfac=authpriv \ + --with-pam \ + --with-pam-login \ + --with-editor=/bin/vi \ + --with-env-editor \ + --with-gcrypt \ + --with-ignore-dot \ + --with-tty-tickets \ + --with-ldap \ + --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \ + --with-selinux \ + --with-passprompt="[sudo] password for %p: 
" \ + --with-linux-audit \ + --with-sssd +# --without-kerb5 \ +# --without-kerb4 +make + +make check + +%install +rm -rf $RPM_BUILD_ROOT + +# Update README.LDAP (#736653) +sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP + +make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo +install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured +install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d +install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers +install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf +install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf + +# Remove execute permission on this script so we don't pull in perl deps +chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif + +#Remove all .la files +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' + +%find_lang sudo +%find_lang sudoers + +cat sudo.lang sudoers.lang > sudo_all.lang +rm sudo.lang sudoers.lang + +mkdir -p $RPM_BUILD_ROOT/etc/pam.d +cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF +#%%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +EOF + +cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF +#%%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session required pam_limits.so +EOF + + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f sudo_all.lang +%defattr(-,root,root) +%attr(0440,root,root) %config(noreplace) /etc/sudoers +%attr(0640,root,root) %config(noreplace) /etc/sudo.conf +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf +%attr(0750,root,root) %dir /etc/sudoers.d/ +%config(noreplace) /etc/pam.d/sudo +%config(noreplace) /etc/pam.d/sudo-i +%attr(0644,root,root) 
%{_tmpfilesdir}/sudo.conf +%dir /var/db/sudo +%dir /var/db/sudo/lectured +%attr(4111,root,root) %{_bindir}/sudo +%{_bindir}/sudoedit +%attr(0111,root,root) %{_bindir}/sudoreplay +%attr(0755,root,root) %{_sbindir}/visudo +%attr(0755,root,root) %{_libexecdir}/sudo/sesh +%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so +%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so +%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? +%{_libexecdir}/sudo/libsudo_util.so.? +%{_libexecdir}/sudo/libsudo_util.so +%{_mandir}/man5/sudoers.5* +%{_mandir}/man5/sudoers.ldap.5* +%{_mandir}/man5/sudo-ldap.conf.5* +%{_mandir}/man5/sudo.conf.5* +%{_mandir}/man8/sudo.8* +%{_mandir}/man8/sudoedit.8* +%{_mandir}/man8/sudoreplay.8* +%{_mandir}/man8/visudo.8* +%dir %{_docdir}/sudo-%{version} +%{_docdir}/sudo-%{version}/* + + +# Make sure permissions are ok even if we're updating +%post +/bin/chmod 0440 /etc/sudoers || : + +%files devel +%defattr(-,root,root,-) +%doc plugins/sample/sample_plugin.c +%{_includedir}/sudo_plugin.h +%{_mandir}/man8/sudo_plugin.8* + +%changelog +* Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13 +- RHEL 7.5 erratum +- Fixed sudo -l checking results whether user should be authenticated +- Enabled LDAP filter patch +- Fixed double free in sssd + + Resolves: rhbz#1505409 + Resolves: rhbz#1511850 + Resolves: rhbz#1518104 + +* Mon Oct 02 2017 Radovan Sroka 1.8.19p2-12 +- RHEL 7.5 erratum +- Fixed exit codes for `sudo -l -U ` +- Fixed truncated output when log_output is enabled +- Updated use_pty and IO logging manpage + + Resolves: rhbz#1458696 + Resolves: rhbz#1454571 + Resolves: rhbz#1490358 + +- Fixed second pass LDAP filter expression in the sudoers ldap backend + - inclomplete patch for rhbz#1485397 + +* Mon Aug 14 2017 Daniel Kopecek - 1.8.19p2-11 +- Moved libsudo_util.so from the -devel sub-package to main package + Resolves: rhbz#1481225 + 
+* Wed Jun 07 2017 Daniel Kopecek - 1.8.19p2-10 +- RHEL 7.4 erratum +- Fix CVE-2017-1000368 + Resolves: rhbz#1459411 + +* Tue Jun 06 2017 Radovan Sroka - 1.8.19p2-9 +- RHEL 7.4 erratum +- removed patch for output truncation (1454571) which introduced regression + Resolves: rhbz#1360687 + +* Thu May 25 2017 Jakub Jelen - 1.8.19p2-8 +- RHEL 7.4 erratum +- Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing + Resolves: rhbz#1455402 + +* Tue May 23 2017 Daniel Kopecek - 1.8.19p2-7 +- RHEL 7.4 erratum +- added patch to fix output truncation (in some cases) when log_output + option is enabled + Resolves: rhbz#1454571 + +* Thu May 04 2017 Radovan Sroka - 1.8.19p2-6 +- RHEL 7.4 erratum +- added patch that fixes lecture option used as bolean + Resolves rhbz#1360687 + +* Tue Apr 25 2017 Radovan Sroka - 1.8.19p2-5 +- RHEL 7.4 erratum +- added doc patch about sudo lookup issue + Resolves: rhbz#1293306 +- added test suite patch + Resolves: rhbz#1360687 +- fixed use after free fqdn problem + Resolves: rhbz#1360687 + +* Tue Mar 21 2017 Tomas Sykora - 1.8.19p2-4 +- RHEL 7.4 erratum +- fixed cmnd_no_wait patch +- backported iolog_flush sudoers default + Resolves: rhbz#1369856 + Resolves: rhbz#1425853 + +* Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-3 +- RHEL 7.4 eratum +- Fixes semicolon typo in digest backport patch from the previous build + Resolves: rhbz#1360687 + +* Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-2 +- RHEL 7.4 erratum +- Fixes coverity scan issues created by our patches: + - fixed resource leaks and a compiler warning in digest backport patch + - removed needless code from cmnd_no_wait patch causing clang warning + - format of the last changelog message causes problems to rhpkg push, + so don't use that as a commit message + Resolves: rhbz#1360687 + +* Wed Mar 01 2017 Tomas Sykora - 1.8.19p2-1 +- RHEL 7.4 erratum + - Resolves: rhbz#1360687 - rebase to 1.8.19p2 + - Resolves: rhbz#1123526 - performance improvement + - Resolves: 
rhbz#1308789 - add MAIL and NOMAIL tags + - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale + - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command + was runnable even if denied by sudoers when using LDAP or SSSD backend. + - Resolves: rhbz#1387303 - add ignore_iolog_errors option + - Resolves: rhbz#1389360 - wrong log file group ownership + - Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options + - Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options + - Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP + - Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir + - Resolves: rhbz#1413160 - add ignore_unknown_defaults flag + - Resolves: rhbz#1254772 - ability to export sudoers in json format + - Resolves: rhbz#1417187 - wrong reference to config file in systax error message + - Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message + +* Wed Nov 23 2016 Daniel Kopecek - 1.8.6p7-21 +- Update noexec syscall blacklist +- Fixes CVE-2016-7032 and CVE-2016-7076 + Resolves: rhbz#1391940 + +* Tue Jul 19 2016 Daniel Kopecek - 1.8.6p7-20 +- RHEL 7.3 erratum + - fixed visudo's -q flag + Resolves: rhbz#1350828 + +* Tue Jun 14 2016 Daniel Kopecek - 1.8.6p7-19 +- RHEL 7.3 erratum + - removed INPUTRC from env_keep to prevent a potential info leak + Resolves: rhbz#1340700 + +* Wed May 11 2016 Daniel Kopecek - 1.8.6p7-18 +- RHEL 7.3 erratum + - removed requiretty flag from the default sudoers policy + - backported pam_service and pam_login_service defaults options + - implemented netgroup_tuple defaults option for changing netgroup + processing semantics + - fixed user matching logic in the LDAP nss backend + - don't allow visudo to accept an invalid sudoers file + - fixed a bug causing that non-root users can list privileges of + other users + - modified digest check documentation to mention the raciness of + the checking mechanism + 
Resolves: rhbz#1196451 + Resolves: rhbz#1247230 + Resolves: rhbz#1334331 + Resolves: rhbz#1334360 + Resolves: rhbz#1261998 + Resolves: rhbz#1313364 + Resolves: rhbz#1312486 + Resolves: rhbz#1268958 + Resolves: rhbz#1335039 + Resolves: rhbz#1335042 + Resolves: rhbz#1335045 + Resolves: rhbz#1273243 + Resolves: rhbz#1299883 + +* Mon Feb 15 2016 Daniel Kopecek - 1.8.6p7-17 +- fixed bug in closefrom_override defaults option + Resolves: rhbz#1297062 + +* Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-16 +- RHEL 7.2 erratum + - show the digest type in warning messages + Resolves: rhbz#1183818 + +* Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-15 +- RHEL 7.2 erratum + - fixed compilation of testing binaries during make check + - added legacy group processing patch + - replaced buggy base64 decoder with a public domain implementation + Resolves: rhbz#1254621 + Resolves: rhbz#1183818 + Resolves: rhbz#1247591 + +* Tue Jul 7 2015 Daniel Kopecek - 1.8.6p7-14 +- RHEL 7.2 erratum + - backported command digest specification + - fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable + - fixed typos in sudoers.ldap man page + - fixed handling of double-quoted sudoOption values in ldap, sssd sources + - fixed numeric uid specification support in ldap source + - fixed authentication flag logic in ldap source + - added the systemctl command to the SERVICES alias in the default sudoers file + Resolves: rhbz#1144446 + Resolves: rhbz#1235570 + Resolves: rhbz#1138259 + Resolves: rhbz#1183818 + Resolves: rhbz#1233607 + Resolves: rhbz#1144419 + Resolves: rhbz#1135539 + Resolves: rhbz#1215400 + +* Tue Sep 30 2014 Daniel Kopecek - 1.8.6p7-13 +- RHEL 7.1 erratum + - fixed issues found by covscan/clang-analyzer + Resolves: rhbz#1147616 + +* Mon Sep 29 2014 Daniel Kopecek - 1.8.6p7-12 +- RHEL 7.1 erratum + - don't retry authentication when ctrl-c pressed + - fix double-quote processing in Defaults options + - handle the "(none)" hostname correctly + - SSSD: fix sudoUser netgroup specification 
filtering + - SSSD: list correct user when -U -l specified + - SSSD: show rule names on long listing (-ll) + - fix infinite loop when duplicate entries are specified on the + sudoers nsswitch.conf line + Resolves: rhbz#1084488 + Resolves: rhbz#1088464 + Resolves: rhbz#1088825 + Resolves: rhbz#1092499 + Resolves: rhbz#1093099 + Resolves: rhbz#1096813 + Resolves: rhbz#1147497 + Resolves: rhbz#1147557 + +* Wed Feb 26 2014 Daniel Kopecek - 1.8.6p7-11 +- Fixed incorrect login shell path construction in sesh + (thanks fkrska@redhat.com for the patch) + Resolves: rhbz#1065418 + +* Fri Jan 24 2014 Daniel Mach - 1.8.6p7-10 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Daniel Kopecek - 1.8.6p7-9 +- allow the wheel group to use sudo + Resolves: rhbz#994623 + +* Fri Dec 27 2013 Daniel Mach - 1.8.6p7-8 +- Mass rebuild 2013-12-27 + +* Fri Nov 08 2013 Daniel Kopecek - 1.8.6p7-7 +- dropped wrong patch and fixed patch comments + Resolves: rhbz#1000389 + +* Thu Nov 07 2013 Daniel Kopecek - 1.8.6p7-6 +- fixed alias cycle detection code +- added debug messages for tracing of netgroup matching +- fixed aborting on realloc when displaying allowed commands +- sssd: filter netgroups in the sudoUser attribute +- parse uids/gids more strictly +- added debug messages to trace netgroup matching + Resolves: rhbz#1026904 + Resolves: rhbz#1026890 + Resolves: rhbz#1007014 + Resolves: rhbz#1026894 + Resolves: rhbz#1000389 + Resolves: rhbz#994566 + +* Mon Aug 05 2013 Daniel Kopecek - 1.8.6p7-5 +- added standalone manpage for sudo.conf and sudo-ldap.conf +- spec file cleanup + Resolves: rhbz#881258 + +* Mon Jul 29 2013 Daniel Kopecek - 1.8.6p7-4 +- added RHEL 6 patches + +* Wed Jul 24 2013 Daniel Kopecek - 1.8.6p7-3 +- synced sudoers, configure options & configuration files with + expected RHEL configuration + Resolves: rhbz#969373 + Resolves: rhbz#971009 + Resolves: rhbz#965124 + Resolves: rhbz#971013 + Resolves: rhbz#839705 + +* Thu Apr 11 2013 Daniel Kopecek - 1.8.6p7-2 +- depend on 
/usr/sbin/sendmail instead of the sendmail package + Resolves: rhbz#927842 + +* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 +- update to 1.8.6p7 +- fixes CVE-2013-1775 and CVE-2013-1776 +- fixed several packaging issues (thanks to ville.skytta@iki.fi) + - build with system zlib. + - let rpmbuild strip libexecdir/*.so. + - own the %%{_docdir}/sudo-* dir. + - fix some rpmlint warnings (spaces vs tabs, unescaped macros). + - fix bogus %%changelog dates. + +* Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 +- added upstream patch for a regression +- don't include arch specific files in the -devel subpackage +- ship only one sample plugin in the -devel subpackage + +* Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 +- update to 1.8.6p3 +- drop -pipelist patch (fixed in upstream) + +* Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 +- update to 1.8.6 + +* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 +- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) +- re-enabled SSSD support +- removed libsss_sudo dependency + +* Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 +- flip sudoers2ldif executable bit after make install, not in setup + +* Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 +- update to 1.8.5 +- fixed CVE-2012-2337 +- temporarily disabled SSSD support + +* Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 +- fixed problems with undefined symbols (rhbz#798517) + +* Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 +- SSSD patch update + +* Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 +- added SSSD support + +* Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 +- added patch for CVE-2012-0809 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 10 2011 
Daniel Kopecek - 1.8.3p1-1 +- update to 1.8.3p1 +- disable output word wrapping if the output is piped + +* Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 +- Remove execute bit from sample script in docs so we don't pull in perl + +* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 +- rebase to 1.8.1p2 +- removed .sudoi patch +- fixed typo: RELPRO -> RELRO +- added -devel subpackage for the sudo_plugin.h header file +- use default ldap configuration files again + +* Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 +- build with RELRO + +* Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 +- rebase to 1.7.4p5 +- fixed sudo-1.7.4p4-getgrouplist.patch +- fixes CVE-2011-0008, CVE-2011-0010 + +* Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 +- anybody in the wheel group has now root access (using password) (rhbz#656873) +- sync configuration paths with the nss_ldap package (rhbz#652687) + +* Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 +- added upstream patch to fix rhbz#638345 + +* Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 +- added patch for #635250 +- /var/run/sudo -> /var/db/sudo in .spec + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 +- sudo now uses /var/db/sudo for timestamps + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 +- update to new upstream version +- new command available: sudoreplay +- use native audit support +- corrected license field value: BSD -> ISC + +* Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 +- added patch that fixes insufficient environment sanitization issue (#598154) + +* Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 +- update to new upstream version +- merged .audit and .libaudit patch +- added sudoers.ldap.5* to files + +* Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 +- update to new upstream version + +* Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 +- fixed no valid sudoers sources found (#558875) + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 +- 
audit related Makefile.in and configure.in corrections +- added --with-audit configure option +- removed call to libtoolize + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 +- fixed segfault when #include directive is used in cycles (#561336) + +* Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 +- Add /etc/sudoers.d dir and use it in default config (#551470). +- Drop *.pod man page duplicates from docs. + +* Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 +- new upstream version 1.7.2p2-1 +- commented out unused aliases in sudoers to make visudo happy (#550239) + +* Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 +- rebuilt with new audit + +* Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 +- moved secure_path from compile-time option to sudoers file (#517428) + +* Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 +- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) +- epoch number sync + +* Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 +- updated sudo to version 1.7.1 +- fixed small bug in configure.in (sudo-1.7.1-conffix.patch) + +* Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 +- fixed building with new libtool +- fix for incorrect handling of groups in Runas_User +- added /usr/local/sbin to secure-path + +* Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 +- build with sendmail installed +- Added /usr/local/bin to secure-path + +* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 +- adjust audit patch, do not scream when kernel is + compiled without audit netlink support (#401201) + +* Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 +- upgrade + +* Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 +- build with newer autoconf-2.62 (#449614) + +* Tue May 13 2008 Peter Vrabec 1.6.9p13-6 +- compiled with secure path (#80215) + +* Mon May 05 2008 Peter Vrabec 1.6.9p13-5 +- fix path to updatedb in /etc/sudoers (#445103) + +* Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 +- include ldap files in rpm package 
(#439506)
+
+* Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3
+- include [sudo] in password prompt (#437092)
+
+* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2
+- audit support improvement
+
+* Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1
+- upgrade to the latest upstream release
+
+* Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1
+- upgrade to the latest upstream release
+- add selinux support
+
+* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6
+- sparc64 needs to be in the -fPIE list with s390
+
+* Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5
+- fix complains about audit_log_user_command(): Connection
+ refused (#401201)
+
+* Wed Dec 05 2007 Release Engineering - 1.6.9p4-4
+- Rebuild for deps
+
+* Wed Dec 05 2007 Release Engineering - 1.6.9p4-3
+- Rebuild for openssl bump
+
+* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2
+- fix autotools stuff and add audit support
+
+* Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1
+- upgrade to upstream release
+
+* Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14
+- also use getgrouplist() to determine group membership (#235915)
+
+* Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13
+- fix some spec file issues
+
+* Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12
+- fix rpmlint issue
+
+* Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11
+- fix typo in sudoers file (#212308)
+
+* Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9
+- fix sudoers file, X apps didn't work (#206320)
+
+* Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8
+- use Red Hat specific default sudoers file
+
+* Sun Jul 16 2006 Karel Zak 1.6.8p12-7
+- fix #198755 - make login processes (sudo -i) initialise session keyring
+ (thanks for PAM config files to David Howells)
+- add IPv6 support (patch by Milan Zazrivec)
+
+* Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1
+- rebuild
+
+* Mon May 29 2006 Karel Zak 1.6.8p12-6
+- fix #190062 - "ssh localhost sudo su" will show the password in clear
+
+* Tue May 23 2006 Karel Zak 1.6.8p12-5
+- add LDAP support 
(#170848)
+
+* Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1
+- bump again for double-long bug on ppc(64)
+
+* Wed Feb 8 2006 Karel Zak 1.6.8p12-4
+- reset env. by default
+
+* Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Jan 23 2006 Dan Walsh 1.6.8p12-3
+- Remove selinux patch. It has been decided that the SELinux patch for sudo is
+- no longer necessary. In tageted policy it had no effect. In strict/MLS policy
+- We require the person using sudo to execute newrole before using sudo.
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Fri Nov 25 2005 Karel Zak 1.6.8p12-1
+- new upstream version 1.6.8p12
+
+* Tue Nov 8 2005 Karel Zak 1.6.8p11-1
+- new upstream version 1.6.8p11
+
+* Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6
+- use include instead of pam_stack in pam config
+
+* Tue Oct 11 2005 Karel Zak 1.6.8p9-5
+- enable interfaces in selinux patch
+- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch
+
+* Mon Sep 19 2005 Karel Zak 1.6.8p9-4
+- fix debuginfo
+
+* Mon Sep 19 2005 Karel Zak 1.6.8p9-3
+- fix #162623 - sesh hangs when child suspends
+
+* Mon Aug 1 2005 Dan Walsh 1.6.8p9-2
+- Add back in interfaces call, SELinux has been fixed to work around
+
+* Tue Jun 21 2005 Karel Zak 1.6.8p9-1
+- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution)
+
+* Tue May 24 2005 Karel Zak 1.6.8p8-2
+- fix #154511 - sudo does not use limits.conf
+
+* Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1
+- new version 1.6.8p8: new sudoedit and sudo_noexec
+
+* Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31
+- rebuild
+
+* Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1
+- added missing BuildRequires for libselinux-devel (#132883)
+
+* Wed Sep 29 2004 Dan Walsh 1.6.7p5-30
+- Fix missing param error in sesh
+
+* Mon Sep 27 2004 Dan Walsh 1.6.7p5-29
+- Remove full patch check from sesh
+
+* Thu Jul 8 2004 Dan Walsh 1.6.7p5-28
+- Fix selinux patch to switch to root user
+
+* Tue Jun 15 2004 Elliot 
Lee
+- rebuilt
+
+* Tue Apr 13 2004 Dan Walsh 1.6.7p5-26
+- Eliminate tty handling from selinux
+
+* Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25
+- fixed spec file: sesh in file section with selinux flag (#119682)
+
+* Tue Mar 30 2004 Colin Walters 1.6.7p5-24
+- Enhance sesh.c to fork/exec children itself, to avoid
+ having sudo reap all domains.
+- Only reinstall default signal handlers immediately before
+ exec of child with SELinux patch
+
+* Thu Mar 18 2004 Dan Walsh 1.6.7p5-23
+- change to default to sysadm_r
+- Fix tty handling
+
+* Thu Mar 18 2004 Dan Walsh 1.6.7p5-22
+- Add /bin/sesh to run selinux code.
+- replace /bin/bash -c with /bin/sesh
+
+* Tue Mar 16 2004 Dan Walsh 1.6.7p5-21
+- Hard code to use "/bin/bash -c" for selinux
+
+* Tue Mar 16 2004 Dan Walsh 1.6.7p5-20
+- Eliminate closing and reopening of terminals, to match su.
+
+* Mon Mar 15 2004 Dan Walsh 1.6.7p5-19
+- SELinux fixes to make transitions work properly
+
+* Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18
+- pied sudo
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Tue Jan 27 2004 Dan Walsh 1.6.7p5-16
+- Eliminate interfaces call, since this requires big SELinux privs
+- and it seems to be useless.
+
+* Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15
+- visudo requires vim-minimal or setting EDITOR to something useful (#68605)
+
+* Mon Jan 26 2004 Dan Walsh 1.6.7p5-14
+- Fix is_selinux_enabled call
+
+* Tue Jan 13 2004 Dan Walsh 1.6.7p5-13
+- Clean up patch on failure
+
+* Tue Jan 6 2004 Dan Walsh 1.6.7p5-12
+- Remove sudo.te for now.
+
+* Fri Jan 2 2004 Dan Walsh 1.6.7p5-11
+- Fix usage message
+
+* Mon Dec 22 2003 Dan Walsh 1.6.7p5-10
+- Clean up sudo.te to not blow up if pam.te not present
+
+* Thu Dec 18 2003 Thomas Woerner
+- added missing BuildRequires for groff
+
+* Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9
+- remove left-over debugging code
+
+* Tue Dec 16 2003 Dan Walsh 1.6.7p5-8
+- Fix terminal handling that caused Sudo to exit on non selinux machines. 
+
+* Mon Dec 15 2003 Dan Walsh 1.6.7p5-7
+- Remove sudo_var_run_t which is now pam_var_run_t
+
+* Fri Dec 12 2003 Dan Walsh 1.6.7p5-6
+- Fix terminal handling and policy
+
+* Thu Dec 11 2003 Dan Walsh 1.6.7p5-5
+- Fix policy
+
+* Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel
+- Turn on SELinux support
+
+* Tue Jul 29 2003 Dan Walsh 1.6.7p5-3
+- Add support for SELinux
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Mon May 19 2003 Thomas Woerner 1.6.7p5-1
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2
+- remove absolute path names from the PAM configuration, ensuring that the
+ right modules get used for whichever arch we're built for
+- don't try to install the FAQ, which isn't there any more
+
+* Thu Jun 27 2002 Bill Nottingham 1.6.6-1
+- update to 1.6.6
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers
+- automated rebuild
+
+* Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2
+- Fix bug #63768
+
+* Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1
+- 1.6.5p2
+
+* Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1
+- 1.6.5p1
+- Hope this "a new release per day" madness stops ;)
+
+* Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1
+- 1.6.5
+
+* Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1
+- 1.6.4p1
+
+* Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1
+- Update to 1.6.4
+
+* Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2
+- Add build requirements (#49706)
+- s/Copyright/License/
+- bzip2 source
+
+* Sat Jun 16 2001 Than Ngo
+- update to 1.6.3p7
+- use %%{_tmppath}
+
+* Fri Feb 23 2001 Bernhard Rosenkraenzer
+- 1.6.3p6, fixes buffer overrun
+
+* Tue Oct 10 2000 Bernhard Rosenkraenzer
+- 1.6.3p5
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Tue Jun 06 2000 Karsten Hopp
+- fixed owner of sudo and visudo
+
+* Thu Jun 1 2000 Nalin Dahyabhai
+- modify PAM setup to use system-auth
+- clean up buildrooting by using the makeinstall macro
+
+* Tue Apr 11 2000 Bernhard Rosenkraenzer
+- initial 
build in main distrib
+- update to 1.6.3
+- deal with compressed man pages
+
+* Tue Dec 14 1999 Preston Brown
+- updated to 1.6.1 for Powertools 6.2
+- config files are now noreplace.
+
+* Thu Jul 22 1999 Tim Powers
+- updated to 1.5.9p2 for Powertools 6.1
+
+* Wed May 12 1999 Bill Nottingham
+- sudo is configured with pam. There's no pam.d file. Oops.
+
+* Mon Apr 26 1999 Preston Brown
+- upgraded to 1.59p1 for powertools 6.0
+
+* Tue Oct 27 1998 Preston Brown
+- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
+
+* Thu Oct 08 1998 Michael Maher
+- built package for 5.2
+
+* Mon May 18 1998 Michael Maher
+- updated SPEC file
+
+* Thu Jan 29 1998 Otto Hammersmith
+- updated to 1.5.4
+
+* Tue Nov 18 1997 Otto Hammersmith
+- built for glibc, no problems
+
+* Fri Apr 25 1997 Michael Fulbright
+- Fixed for 4.2 PowerTools
+- Still need to be pamified
+- Still need to move stmp file to /var/log
+
+* Mon Feb 17 1997 Michael Fulbright
+- First version for PowerCD.
+